Strongswan: Where does it set the routes?



  • Hi,

    Where can I see and modify the routes (in my case IPv6 routes) which are automatically set by strongSwan? (preferably in the shell)

    Thanks a lot!

    Cheers,
    4920441


  • Rebel Alliance Developer Netgate

    strongSwan doesn't actually use "routes" on FreeBSD; there are SPD entries that define which traffic combinations are interesting for IPsec and the kernel grabs them directly.

    If you want to see these entries from the shell, look at "setkey -DP".

    From the GUI, they are under Status > IPsec on the SPD tab.



  • Hi,

    Thanks for that hint.

    Can I change them somehow?

    I think that solves my problem described here:

    https://forum.pfsense.org/index.php?topic=119347.0

    But I cannot simply change the SADs the ::0/0 part because it should be some kind of policy-based routing.

    I got a LAN with (let's say) 2001:fat:babe::/64
    and a DMZ with (let's say) 2a01:face::/56 which "comes" with the IPsec tunnel.

    Everything from the DMZ should be routed via the IPsec tunnel, that's why the SPDs are ::0/0 -> 2a01:face::/56 and 2a01:face::/56 -> ::0/0.

    But if a packet arrives from the local LAN 2001:fat:babe::/64 it is not directly routed in the IPsec 2a01:face::/56 network and never arrives there.

    I put up some static routes in the pfSense GUI but that does not work - only in the moment the IPsec tunnel is stopped - then the local DMZ (without uplink and set routes from strongSwan) it works... but that does not really help :-)

    Would be nice if you got some further advice.

    Thanks a lot!

    Cheers,

    4920441
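
An added example (not from the thread, pfSense or strongSwan): a small Python parser for `setkey -DP`-style output that reports which SPD entries cover a given source/destination pair and direction. The sample output is constructed; the tunnel endpoints and the LAN host `2001:db8:babe::10` used when calling it are placeholder assumptions standing in for the thread's addresses.

```python
import ipaddress
import re

# Constructed sample shaped like `setkey -DP` output. The tunnel endpoints are
# placeholders from the documentation prefix 2001:db8::/32, not thread values.
SAMPLE = (
    "::/0[any] 2a01:face::/56[any] any\n"
    "\tin ipsec\n"
    "\tesp/tunnel/2001:db8:2::1-2001:db8:1::1/unique:1\n"
    "\tspid=2 seq=1 pid=1234\n"
    "\trefcnt=1\n"
    "2a01:face::/56[any] ::/0[any] any\n"
    "\tout ipsec\n"
    "\tesp/tunnel/2001:db8:1::1-2001:db8:2::1/unique:1\n"
    "\tspid=1 seq=0 pid=1234\n"
    "\trefcnt=1\n"
)

# Selector line: "<src>/<len>[port] <dst>/<len>[port] <upper-layer proto>"
SELECTOR = re.compile(r"^(\S+?)\[[^\]]*\]\s+(\S+?)\[[^\]]*\]\s+(\S+)$")

def parse_spd(text):
    """Parse SPD entries into dicts: src, dst, proto, direction, action, spid."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts an entry
            m = SELECTOR.match(line)
            cur = None
            if m:
                cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                       "dst": ipaddress.ip_network(m.group(2), strict=False),
                       "proto": m.group(3), "direction": None,
                       "action": None, "spid": None}
                policies.append(cur)
        elif cur is not None:
            fields = line.split()
            if fields[0] in ("in", "out") and len(fields) > 1:
                cur["direction"], cur["action"] = fields[0], fields[1]
            elif fields[0].startswith("spid="):
                cur["spid"] = int(fields[0][len("spid="):])
    return policies

def matching(policies, src, dst, direction):
    """Return the entries whose selectors cover src -> dst for a direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies
            if p["direction"] == direction and s in p["src"] and d in p["dst"]]
```

To check a live box, pass the text captured from `setkey -DP` to `parse_spd` in place of `SAMPLE`.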

