Reply to Strongswan: Where does it set the routes? on Thu, 13 Oct 2016 05:20:32 GMT

4920441 — Thu, 13 Oct 2016 05:20:32 GMT

Hi,

thanks for that hint.

Can I change them somehow?

I think that solves my problem described here….

https://forum.pfsense.org/index.php?topic=119347.0

But I cannot simply change the SADs the ::0/0 part because the it should be some kind of policy based routing.

I got a LAN with (lets say) 2001:fat:babe::/64
and a DMZ with (lets say) 2a01:face::/56 which "comes" with the IPSec Tunnel.

Everything from the DMZ schould be routed via the IPSec Tunnel, thats why the SPDs are ::0/0 -> 2a01:face::/56 and 2a01:face::/56 -> ::0/0.

But If a packet arrives from the local Lan 2001:fat:babe::/64 it is not directly routed in the IPSec 2a01:face::/56 Network and never arrives there.

I put up some static routes in the pfsense gui but that does not work - only in the moment the IPSec tunnel is stopped - then the local DMZ (without Uplink and set routes from Strongswan) it works…. but that does not really help:-)

Would be nice if you got some further advice

Thanks a lot!

Cheers,

4920441

Reply to Strongswan: Where does it set the routes? on Mon, 10 Oct 2016 20:29:21 GMT

jimp — Mon, 10 Oct 2016 20:29:21 GMT

strongSwan doesn't actually use "routes" on FreeBSD, there are SPD entries that define which traffic combinations are interesting for IPsec and the kernel grabs them directly.

If you want to see these entries from the shell, look at "setkey -DP"

From the GUI They are under Status > IPsec on the SPD tab