Change Details

```charon { install_routes = 0 }``` Must be added to a `/etc/strongswan.d/` configuration file or VTI intended traffic is sent unencrypted over the default route. I'm unsure how this affects non-VTI tunnels or if it can be specifically targeted at VTI tunnels. Before change (sniff from middle routers shows unencrypted ICMP): ``` rt01# ping 172.16.37.2 PING 172.16.37.2 (172.16.7.2) 56(84) bytes of data. From 10.7.20.254: icmp_seq=2 Redirect Host(New nexthop: 10.7.20.252) From 10.7.20.254: icmp_seq=3 Redirect Host(New nexthop: 10.7.20.252) rt01# traceroute 172.16.37.2 traceroute to 172.16.37.2 (172.16.37.2), 30 hops max, 60 byte packets 1 10.7.20.254 (10.7.20.254) 0.449 ms 0.411 ms 0.385 ms^C [edit] rt01# run sh ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route S>* 0.0.0.0/0 [1/0] via 10.7.20.254, eth1 ... C>* 172.16.37.0/30 is directly connected, vti0 <--- IPsec VTI ... ``` After change: ``` rt01# sudo sh -c "echo 'charon {install_routes = 0}' > /etc/strongswan.d/charon_vti.conf" [edit] rt01# cat /etc/strongswan.d/charon_vti.conf charon {install_routes = 0} [edit] rt01# run restart vpn Restarting IPsec process.. rt01# ping 172.16.37.2 PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data. 64 bytes from 172.16.37.2: icmp_seq=1 ttl=64 time=74.9 ms 64 bytes from 172.16.37.2: icmp_seq=2 ttl=64 time=77.9 ms ```

```charon { install_routes = 0 }``` Must be added to a `/etc/strongswan.d/` configuration file or VTI intended traffic is sent unencrypted over the default route. I'm unsure how this affects non-VTI tunnels or if it can be specifically targeted at VTI tunnels. Before change (sniff from middle routers shows unencrypted ICMP): ``` rt01# ping 172.16.37.2 PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data. From 10.7.20.254: icmp_seq=2 Redirect Host(New nexthop: 10.7.20.252) From 10.7.20.254: icmp_seq=3 Redirect Host(New nexthop: 10.7.20.252) rt01# traceroute 172.16.37.2 traceroute to 172.16.37.2 (172.16.37.2), 30 hops max, 60 byte packets 1 10.7.20.254 (10.7.20.254) 0.449 ms 0.411 ms 0.385 ms^C [edit] rt01# run sh ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route S>* 0.0.0.0/0 [1/0] via 10.7.20.254, eth1 ... C>* 172.16.37.0/30 is directly connected, vti0 <--- IPsec VTI ... ``` After change: ``` rt01# sudo sh -c "echo 'charon {install_routes = 0}' > /etc/strongswan.d/charon_vti.conf" [edit] rt01# cat /etc/strongswan.d/charon_vti.conf charon {install_routes = 0} [edit] rt01# run restart vpn Restarting IPsec process.. rt01# ping 172.16.37.2 PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data. 64 bytes from 172.16.37.2: icmp_seq=1 ttl=64 time=74.9 ms 64 bytes from 172.16.37.2: icmp_seq=2 ttl=64 time=77.9 ms ```

```charon { install_routes = 0 }``` Must be added to a `/etc/strongswan.d/` configuration file or VTI intended traffic is sent unencrypted over the default route. I'm unsure how this affects non-VTI tunnels or if it can be specifically targeted at VTI tunnels. Before change (sniff from middle routers shows unencrypted ICMP): ``` rt01# ping 172.16.37.2 PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data. From 10.7.20.254: icmp_seq=2 Redirect Host(New nexthop: 10.7.20.252) From 10.7.20.254: icmp_seq=3 Redirect Host(New nexthop: 10.7.20.252) rt01# traceroute 172.16.37.2 traceroute to 172.16.37.2 (172.16.37.2), 30 hops max, 60 byte packets 1 10.7.20.254 (10.7.20.254) 0.449 ms 0.411 ms 0.385 ms^C [edit] rt01# run sh ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route S>* 0.0.0.0/0 [1/0] via 10.7.20.254, eth1 ... C>* 172.16.37.0/30 is directly connected, vti0 <--- IPsec VTI ... ``` After change: ``` rt01# sudo sh -c "echo 'charon {install_routes = 0}' > /etc/strongswan.d/charon_vti.conf" [edit] rt01# cat /etc/strongswan.d/charon_vti.conf charon {install_routes = 0} [edit] rt01# run restart vpn Restarting IPsec process.. rt01# ping 172.16.37.2 PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data. 64 bytes from 172.16.37.2: icmp_seq=1 ttl=64 time=74.9 ms 64 bytes from 172.16.37.2: icmp_seq=2 ttl=64 time=77.9 ms ```