I am using strongSwan to establish an IPsec connection in tunnel mode. When the client connects to the gateway, strongSwan receives a new IPv6 address assigned to the client from the server. All traffic sent to the tunneled network is then sent from this IPv6 address.
The IPv6 address is assigned to the client's wlp61s0 interface as, for example, 2222:33:8085:cf0:1:2:f6e5:a5d0/128. My understanding of the xfrm state and the xfrm policy commands is that they only store information about the Security Associations (SA) and policies respectively, which select the used SA based on the source and destination address.
But how does the client kernel know that, when the client sends information to the target network, e.g. 2222::/16, it should use a certain source address? And where can I retrieve this information about the current routes?
Best Answer
https://docs.strongswan.org/docs/5.9/howtos/introduction.html#_routing tells:
(And it's also using priority 220 to lookup table 220.)
So for IPv6 this should be seen with:
or
for the policy routing part.
plus:
for the routing table part.
To know what decision is taken by the kernel without having to think about it, one can ask the kernel what would be the decision. For example:
will tell, among other pieces of information, the chosen source address, the chosen interface, the gateway if any and (if not the main table) the chosen routing table.
Please also note that IPv6 has a quite complex but well-documented way to select source addresses when not explicitly overridden in (main) routes, routing rules/routing tables: RFC 6724: Default Address Selection for Internet Protocol Version 6 (IPv6), section 5, Source Address Selection.
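As an added example (not part of the answer above, and not strongSwan code), here is a small Python parser for the one-line answer that `ip -6 route get <dst>` prints, so the kernel's decision (routing table, interface, gateway, source address) can be read by a script instead of by eye. The two sample lines are constructed to look like a lookup that hits strongSwan's table 220 and one served by the main table; the keyword list is an assumption based on iproute2's output format.

```python
"""Parse the one-line answer of `ip -6 route get <dst>` into a dict."""
import subprocess

# Keywords that `ip route get` prints followed by a value (assumed iproute2 format).
_VALUE_KEYS = {"from", "via", "dev", "table", "proto", "src", "metric",
               "pref", "mtu", "hoplimit", "expires", "uid", "mark"}
# Keywords printed on their own, without a value.
_FLAG_KEYS = {"cache", "onlink"}


def parse_route_get(line: str) -> dict:
    """Turn one `ip -6 route get` line into a dict keyed by the printed keywords.

    A route taken from the main table carries no 'table' keyword, so 'table'
    defaults to 'main'; 'via' stays None for an on-link destination.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty route line")
    route = {"dst": tokens[0], "table": "main", "via": None, "flags": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in _VALUE_KEYS and i + 1 < len(tokens):
            route[tok] = tokens[i + 1]
            i += 2
        elif tok in _FLAG_KEYS:
            route["flags"].append(tok)
            i += 1
        else:
            i += 1  # unknown token: skip it rather than fail
    return route


def route_get(dst: str) -> dict:
    """Ask the running kernel (needs iproute2 and root is not required) and parse the answer."""
    out = subprocess.run(["ip", "-6", "route", "get", dst],
                         capture_output=True, text=True, check=True).stdout
    return parse_route_get(out.strip().splitlines()[0])


def explain(route: dict) -> str:
    """One-line human summary of the routing decision."""
    gw = f" via {route['via']}" if route["via"] else " (on-link)"
    return f"{route['dst']}: table {route['table']}, dev {route['dev']}{gw}, source {route['src']}"


# Constructed sample outputs (not captured from a real host).
TUNNEL_LOOKUP = ("2222::1 from :: dev wlp61s0 table 220 proto static "
                 "src 2222:33:8085:cf0:1:2:f6e5:a5d0 metric 1024 pref medium")
MAIN_LOOKUP = ("2001:db8::1 from :: via fe80::1 dev wlp61s0 proto ra "
               "src 2001:db8:0:1::42 metric 1024 pref medium")

if __name__ == "__main__":
    for sample in (TUNNEL_LOOKUP, MAIN_LOOKUP):
        print(explain(parse_route_get(sample)))
```

Run it on a live host with `route_get("2222::1")` to see which table and source address the kernel picks for the tunneled network.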