There are several settings in /etc/strongswan.d/charon.conf that should be configurable.
install_routes and install_virtual_ip in particular have defaults that tend to cause me grief.
Description
Description
Details
Details
- Difficulty level
- Normal (likely a few hours)
- Version
- 20160524 nightly build
- Is it a breaking change?
- Unspecified (possibly destroys the router)
- Issue type
- Unspecified (please specify)
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | sarthurdev | T2816 Rewrite IPsec scripts with the new XML/Python approach | |||
| Resolved | FEATURE REQUEST | dmbaturin | T71 Add virtual IP and route installation policy options for IPsec | ||
| Resolved | BUG | dmbaturin | T628 StrongSwan requires configuration change for proper routing over VTI. |
Event Timeline
Comment Actions
install_routes sets a default route in table 220. If this happens on both ends of the tunnel you end up with a circular route.
install_virtual_ip attempts to install an address on the local interface for the ip used in the tunnel
Comment Actions
abferm, could you work out which other settings would be typically employed w/ a syntax proposal. This way we would implement all at once (saving time).
Comment Actions
The full list of options is available here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
I can search around and see if I can find any examples of people changing these options and figure out which are commonly used.
As far as syntax, how does putting them in a subsection of "vpn ipsec" called 'daemon' sound, ie: 'set vpn ipsec daemon install_routes no"
Comment Actions
I've found examples of people setting accept_unencrypted_mainmode_messages, cisco_unity, ikesa_table_segments, ikesa_table_size, and init_limit_half_open.
However, reading through the descriptions many of the options sound useful. It shouldn't be too hard to implement all of them, should it?