[Bug 255678] security/strongswan cant add routes via RTM_ADD via PF_ROUTE socket

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 01 Jun 2021 09:54:44 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678

--- Comment #17 from Tobias Brunner <tobias_at_strongswan.org> ---
> The expected behaviour is that for this route, the system will consider 213.80.11.16 directly reachable via igb0, correct?

Not exactly. The end goal is to install a route that causes the kernel to
select the "internal" IP address (192.168.5.10 on igb0) as source when reaching
the remote VPN subnet (10.11.12.0/24).  Because the IPsec policy is between
192.168.5.0/24 and 10.11.12.0/24, selecting the address on the external
interface (213.80.111.176) would cause the traffic to get sent unprotected
(unless there was a second IPsec policy that covered traffic between that IP
and the remote subnet).

By default, strongSwan installs the route for the remote subnet via the outbound
interface (i.e. the one over which the IKE peer is reachable). However, like the
default route, this would cause the IP on the "external" interface
(213.80.111.176) to get selected as source. So we added an option
(charon.plugins.kernel-pfkey.route_via_internal) that causes the installation
of the route via the "internal" interface (the next hop is still the one to reach
the IKE peer, though, maybe we should remove that?). As Martin reported, this
worked previously.

For comparison, on Linux, we install a route for the remote subnet via the external
interface but we set the RTA_PREFSRC attribute to the internal IP address,
which causes it to get selected when traffic to the remote subnet is generated
(we also install that route in a separate routing table that takes precedence
over the main table and allows us to even override the default route without
conflicts). AFAIK, there is nothing similar on FreeBSD.

Received on Tue Jun 01 2021 - 09:54:44 UTC
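
The source-selection concern in this comment can be checked on a Linux host by looking at which source address the kernel picks for the remote subnet. This is an added example, not part of the original message or of strongSwan's code; the `ip route get` output lines, the gateway, the device name and the table number are constructed samples.

```python
import ipaddress

# IPsec policy selectors from the comment: (local subnet, remote subnet).
POLICY = (ipaddress.ip_network("192.168.5.0/24"),
          ipaddress.ip_network("10.11.12.0/24"))

# Constructed first lines of `ip route get 10.11.12.1` output.
# Gateway 213.80.111.1, device eth0 and table 220 are sample values.
WITH_PREFSRC = "10.11.12.1 via 213.80.111.1 dev eth0 table 220 src 192.168.5.10 uid 0"
WITHOUT_PREFSRC = "10.11.12.1 via 213.80.111.1 dev eth0 src 213.80.111.176 uid 0"


def parse_route_get(line):
    """Extract destination, device, table and selected source from one line."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty route line")
    dst = ipaddress.ip_address(tokens[0])  # raises ValueError if not an address
    # After the destination, the line is a flat sequence of key/value pairs.
    pairs = dict(zip(tokens[1::2], tokens[2::2]))
    if "src" not in pairs:
        raise ValueError("no source address in route line")
    return {
        "dst": dst,
        "src": ipaddress.ip_address(pairs["src"]),
        "dev": pairs.get("dev"),
        "table": pairs.get("table", "main"),
    }


def matches_policy(route, policy=POLICY):
    """True if both source and destination fall inside the policy selectors."""
    local, remote = policy
    return route["src"] in local and route["dst"] in remote


def audit(lines, policy=POLICY):
    """Return routes to the remote subnet whose source is outside the policy."""
    leaks = []
    for line in lines:
        route = parse_route_get(line)
        if route["dst"] in policy[1] and not matches_policy(route, policy):
            leaks.append(route)
    return leaks


if __name__ == "__main__":
    for leak in audit([WITH_PREFSRC, WITHOUT_PREFSRC]):
        print("traffic to %(dst)s would leave with source %(src)s" % leak)
```
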
