When the system has no IP address from the network configured as the local prefix of an IPsec tunnel, strongSwan does not install the route into table 220.
An example:
set interfaces ethernet eth0 address '192.168.50.1/24'
set vpn ipsec esp-group ESP1 pfs 'dh-group14'
set vpn ipsec esp-group ESP1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP1 proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE1 key-exchange 'ikev2'
set vpn ipsec ike-group IKE1 proposal 10 dh-group '2'
set vpn ipsec ike-group IKE1 proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE1 proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.50.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.50.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.50.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.168.50.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.168.50.2 local-address '192.168.50.1'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 local prefix '192.168.34.0/24'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 remote prefix '192.168.35.0/24'

vyos@vyos01:~$ show ip route table 220
vyos@vyos01:~$
Now add an IP address from 192.168.34.0/24 to any interface and reboot:
set interfaces dummy dum1 address 192.168.34.1/24

vyos@vyos01:~$ show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 192.168.35.0/24 [0/0] via 192.168.50.2, eth0, src 192.168.34.1, 00:00:07
This can lead to uncontrolled flows on the encrypted data path, since traffic for the remote prefix is not steered through table 220 until a matching local address exists.
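As an added audit check (not part of this report or of VyOS/strongSwan), the script below parses the configuration's set lines and the output of show ip route table 220 (both embedded as constructed samples taken from this report) and flags tunnels whose local prefix contains no configured interface address, plus remote prefixes that have no route in table 220:

```python
import ipaddress
import re

# Constructed sample config (the report's "set" lines, trimmed to what the check needs).
CONFIG_NO_LOCAL_ADDR = """
set interfaces ethernet eth0 address '192.168.50.1/24'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 local prefix '192.168.34.0/24'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 remote prefix '192.168.35.0/24'
"""
# Same config after the report's workaround: an address inside the local prefix on dum1.
CONFIG_WITH_LOCAL_ADDR = CONFIG_NO_LOCAL_ADDR + "set interfaces dummy dum1 address 192.168.34.1/24\n"
# Constructed 'show ip route table 220' output, as seen in the report after the reboot.
TABLE220_OUTPUT = """
Codes: K - kernel route, C - connected, S - static, > - selected route, * - FIB route
VRF default table 220:
K>* 192.168.35.0/24 [0/0] via 192.168.50.2, eth0, src 192.168.34.1, 00:00:07
"""

ADDR_RE = re.compile(r"^set interfaces \S+ \S+ address '?([\d.]+/\d+)'?$")
TUNNEL_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix '?([\d./]+)'?$")
ROUTE_RE = re.compile(r"^[A-Za-z>*]+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s")  # skips "Codes:"/"VRF" lines

def parse_config(text):
    """Return (interface addresses, {(peer, tunnel): {'local': net, 'remote': net}})."""
    addrs, tunnels = [], {}
    for line in text.strip().splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.append(ipaddress.ip_interface(m.group(1)).ip)
            continue
        m = TUNNEL_RE.match(line)
        if m:
            peer, tid, side, prefix = m.groups()
            tunnels.setdefault((peer, tid), {})[side] = ipaddress.ip_network(prefix)
    return addrs, tunnels

def tunnels_without_local_address(text):
    """Tunnels whose local prefix holds no interface address: strongSwan installs no 220 route."""
    addrs, tunnels = parse_config(text)
    return sorted(key for key, t in tunnels.items()
                  if "local" in t and not any(a in t["local"] for a in addrs))

def missing_table220_routes(text, route_output):
    """Remote prefixes of configured tunnels that have no route in table 220."""
    _, tunnels = parse_config(text)
    present = {ipaddress.ip_network(m.group(1))
               for m in map(ROUTE_RE.match, route_output.strip().splitlines()) if m}
    return sorted(str(t["remote"]) for t in tunnels.values()
                  if "remote" in t and t["remote"] not in present)
```

On a live router, feed it the output of show configuration commands and show ip route table 220 instead of the embedded samples.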