Description
When strongSwan installs passthrough routes into table 220, it may use a wrong next-hop address. This leads to a situation where the router loses connectivity to its local subnets.
How to reproduce
Configuration:
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '10.10.200.1/24'
set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP1 proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE1 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.2.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.2.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.168.2.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.168.2.2 local-address 'any'
set vpn ipsec site-to-site peer 192.168.2.2 tunnel 1 local prefix '10.10.200.0/24'
set vpn ipsec site-to-site peer 192.168.2.2 tunnel 1 remote prefix '0.0.0.0/0'
Routing table 220 after IPSec connection:
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 0.0.0.0/0 [0/0] via 192.168.1.254, eth0, src 10.10.200.1, 00:04:52
K>* 10.10.200.0/24 [0/0] via 192.168.1.254, eth0, src 10.10.200.1, 00:04:52
Because the policy rule for table 220 is consulted before the main table, the router sends packets for 10.10.200.0/24 to 192.168.1.254 on eth0 instead of delivering them on eth1, and can no longer communicate with that subnet.
How to fix
The issue was fixed in strongSwan 5.8.3 (commit bbedad7). Instead of a regular route with a next hop, newer versions install a throw route for the passthrough prefix:
vyos@vyos:~$ sudo ip r show type throw table 220
throw 10.10.200.0/24 proto static
A throw route terminates the lookup in table 220, so traffic to the local network falls through to the main routing table and is routed normally.
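The following is an added check, not part of the original report or of strongSwan/VyOS, that detects the broken state described above from the output of `ip route show table 220`: for each directly connected prefix it finds the longest-prefix match in table 220 and flags it when that route is a regular unicast route with a gateway (a throw route, or no match at all, is fine). The two table dumps are constructed samples using the addresses from the report; the connected prefix list is assumed to come from the router's interface configuration.

```python
import ipaddress
import re

# Constructed sample of `ip route show table 220` on an affected router
# (strongSwan before 5.8.3): the passthrough route for the local subnet
# points at the WAN next hop instead of ending the lookup.
BROKEN_TABLE_220 = """\
default via 192.168.1.254 dev eth0 proto static src 10.10.200.1
10.10.200.0/24 via 192.168.1.254 dev eth0 proto static src 10.10.200.1
"""

# Constructed sample of the same table after the fix (throw route).
FIXED_TABLE_220 = """\
default via 192.168.1.254 dev eth0 proto static src 10.10.200.1
throw 10.10.200.0/24 proto static
"""

# Directly connected prefixes of the router (assumed to be taken from the
# interface configuration; here the eth1 subnet from the report).
CONNECTED_PREFIXES = [ipaddress.ip_network("10.10.200.0/24")]

# Matches the leading fields of an `ip route` line: an optional special
# route type, the destination, and an optional "via <gateway>".
ROUTE_RE = re.compile(
    r"^(?:(?P<type>throw|unreachable|blackhole|prohibit)\s+)?"
    r"(?P<dst>default|\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?"
)


def parse_routes(table_text):
    """Parse `ip route show table N` output into a list of route dicts."""
    routes = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if m is None:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        routes.append({
            "type": m.group("type") or "unicast",
            "dst": net,
            "via": m.group("via"),
        })
    return routes


def longest_match(routes, host):
    """Return the most specific route covering `host`, or None."""
    candidates = [r for r in routes if host in r["dst"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["dst"].prefixlen)


def find_shadowed_connected(table_text, connected_prefixes):
    """Return (connected prefix, matching route, gateway) for every connected
    prefix that table 220 would send to a gateway instead of throwing it
    back to the main table."""
    routes = parse_routes(table_text)
    problems = []
    for prefix in connected_prefixes:
        # Any host in the prefix is representative for the lookup.
        probe = prefix.network_address + 1
        best = longest_match(routes, probe)
        if best is None or best["type"] != "unicast" or best["via"] is None:
            continue
        problems.append((str(prefix), str(best["dst"]), best["via"]))
    return problems


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE_220), ("fixed", FIXED_TABLE_220)):
        result = find_shadowed_connected(table, CONNECTED_PREFIXES)
        print(name, "->", result or "ok")
```

In production the table text would come from `ip route show table 220` and the connected prefixes from `ip -o addr show`. The check also catches the case where the passthrough route is missing entirely, since the default route in table 220 then becomes the longest match for the local subnet.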