charon { install_routes = 0 }
Must be added to a /etc/strongswan.d/ configuration file, or VTI-intended traffic is sent unencrypted over the default route.
I'm unsure how this affects non-VTI tunnels or if it can be specifically targeted at VTI tunnels.
Before change (sniff from middle routers shows unencrypted ICMP):
rt01# ping 172.16.37.2
PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data.
From 10.7.20.254: icmp_seq=2 Redirect Host(New nexthop: 10.7.20.252)
From 10.7.20.254: icmp_seq=3 Redirect Host(New nexthop: 10.7.20.252)
rt01# traceroute 172.16.37.2
traceroute to 172.16.37.2 (172.16.37.2), 30 hops max, 60 byte packets
 1  10.7.20.254 (10.7.20.254)  0.449 ms  0.411 ms  0.385 ms
^C
[edit]
rt01# run sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.7.20.254, eth1
...
C>* 172.16.37.0/30 is directly connected, vti0   <--- IPsec VTI
...
After change:
rt01# sudo sh -c "echo 'charon {install_routes = 0}' > /etc/strongswan.d/charon_vti.conf"
[edit]
rt01# cat /etc/strongswan.d/charon_vti.conf
charon {install_routes = 0}
[edit]
rt01# run restart vpn
Restarting IPsec process..
rt01# ping 172.16.37.2
PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data.
64 bytes from 172.16.37.2: icmp_seq=1 ttl=64 time=74.9 ms
64 bytes from 172.16.37.2: icmp_seq=2 ttl=64 time=77.9 ms
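Added example (not part of the report above, and not strongSwan's or the router vendor's own code): a small audit script for the two things the report turns on. It parses strongswan.conf-style files (the same `charon { install_routes = 0 }` syntax, including the one-line form written with `echo`), merges them in load order the way `/etc/strongswan.d/*.conf` are included, and reports whether `charon.install_routes` is effectively disabled (strongSwan's default is enabled). It also does a longest-prefix lookup over a `sh ip route`-style table to show which interface the main table selects for the VTI peer. The routing table and config strings are constructed from the report's output; the function names are this example's own. Note that the main table alone cannot show the bug: with `install_routes` enabled, strongSwan installs its own routes in a separate routing table (220 by default) that is consulted ahead of main, which is why the config check is the meaningful one.

```python
"""Audit helpers for the strongSwan VTI install_routes issue (added example).

Sample inputs are constructed from the report's own output, not read from a
live system.  Function and constant names are this example's own.
"""
import ipaddress
import re

# strongswan.conf syntax: "name { ... }" sections, "key = value" settings and
# "#" comments.  Braces may share a line with settings, as in the one-line
# file the report writes with echo.
_TOKEN = re.compile(
    r"(?P<open>[\w.\-]+)\s*\{|(?P<close>\})|(?P<key>[\w.\-]+)\s*=\s*(?P<val>[^\n{}]*)"
)

# One line of a vtysh-style "sh ip route" table: flags, prefix, optional
# [distance/metric], then either "via <gw>, <dev>" or "is directly connected, <dev>".
_ROUTE = re.compile(
    r"^\S+\s+(?P<prefix>\S+/\d+)\s+(?:\[\S+\]\s+)?"
    r"(?:via\s+(?P<gw>\S+),|is directly connected,)\s+(?P<dev>\S+)"
)


def parse_strongswan_conf(text):
    """Return the config as nested dicts; raise ValueError on unbalanced braces."""
    text = re.sub(r"#.*", "", text)  # drop comments
    root, stack = {}, []
    current = root
    for m in _TOKEN.finditer(text):
        if m.group("open"):
            stack.append(current)
            current = current.setdefault(m.group("open"), {})
        elif m.group("close"):
            if not stack:
                raise ValueError("unbalanced '}'")
            current = stack.pop()
        else:
            current[m.group("key")] = m.group("val").strip()
    if stack:
        raise ValueError("unterminated section")
    return root


def _merge(base, extra):
    """Deep-merge so later files override earlier ones, like strongswan.d/*.conf
    included in alphabetical order."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            _merge(base[key], value)
        else:
            base[key] = value
    return base


def install_routes_disabled(conf_texts):
    """True if the effective charon.install_routes is off.

    strongSwan's default is enabled, so an empty or silent config returns False
    (the state the report's "before" capture was taken in).
    """
    merged = {}
    for text in conf_texts:
        _merge(merged, parse_strongswan_conf(text))
    charon = merged.get("charon", {})
    value = charon.get("install_routes", "yes") if isinstance(charon, dict) else "yes"
    return value.lower() in ("0", "no", "false")


def selected_interface(route_table, dst):
    """Longest-prefix match of dst over a "sh ip route" dump; returns the device."""
    addr = ipaddress.ip_address(dst)
    best = None
    for line in route_table.splitlines():
        m = _ROUTE.search(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m.group("dev"))
    return best[1] if best else None


# Constructed from the report's "run sh ip route" output.
ROUTE_TABLE = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.7.20.254, eth1
C>* 172.16.37.0/30 is directly connected, vti0
"""

if __name__ == "__main__":
    conf = "charon {install_routes = 0}"  # the file written in the report
    print("install_routes disabled:", install_routes_disabled([conf]))
    print("main table sends 172.16.37.2 via:", selected_interface(ROUTE_TABLE, "172.16.37.2"))
```

On a real host the config list would be the contents of `/etc/strongswan.d/*.conf` plus `/etc/strongswan.conf`, and the table text the output of the router's `sh ip route`; both are fed in as strings here so the check runs offline.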