OPNsense Forum

English Forums => Virtual private networks => Topic started by: mgoerke on December 01, 2023, 01:41:13 am

Title: How can I view the IPSec VPN routes in kernel routing table?
Post by: mgoerke on December 01, 2023, 01:41:13 am
Hello,

My IPSec-VPN (OPNsense 23.7.9) works fine,
I can ping the remote network.

My question: How can I see the kernel routing entry for the remote VPN networks?
route show <remote network>
and
netstat -rn
will show the default route instead of the route through the VPN IPSec.

Perhaps this is a policy based route on strongswan?

Thanks.

Morris
Title: Re: How can I view the IPSec VPN routes in kernel routing table?
Post by: glasi on December 19, 2023, 07:37:45 pm
Generally IPsec processing is based on policies. After regular route lookups are done the OS kernel consults its SPD (Security Policy Database) for a matching policy and if one is found that is associated with an IPsec SA (Security Association) the packet is processed (e.g. encrypted and sent as ESP packet).

Depending on the operating system it is also possible to configure route-based VPNs. Here IPsec processing does not (only) depend on negotiated policies but may e.g. be controlled by routing packets to a specific interface.

[...]

https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html
Title: Re: How can I view the IPSec VPN routes in kernel routing table?
Post by: schnipp on December 21, 2023, 05:27:01 pm
[...]
will show the default route instead of the route through the VPN IPSec.

Perhaps this is a policy based route on strongswan?

Probably, you mean the traffic selectors in the security policy database (SPD) for deciding whether traffic has to be redirected to an IPsec tunnel.
Use the following command in the terminal window:
Code:
root@opnsenset:~ # setkey -DP
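
Added example, not part of the thread or of OPNsense: a short Python sketch that parses `setkey -DP` output and reports which SPD policy, if any, captures a given source/destination pair, which is the lookup that `netstat -rn` cannot show. The sample output is constructed in the FreeBSD `setkey` layout with placeholder addresses, and first-match order is a simplifying assumption about policy selection.

```python
import ipaddress
import re
import sys

# Constructed sample in the layout FreeBSD's `setkey -DP` prints.
# All addresses are placeholders, not values from the thread.
SAMPLE = """\
10.0.2.0/24[any] 10.0.1.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-198.51.100.1/unique:1
\tcreated: Dec  1 01:00:00 2023  lastused: Dec  1 01:30:00 2023
\tspid=1 seq=1 pid=4711 scope=global
10.0.1.0/24[any] 10.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-203.0.113.2/unique:1
\tspid=2 seq=0 pid=4711 scope=global
"""

SELECTOR = re.compile(r"^([^\s\[]+)\[[^\]]*\]\s+([^\s\[]+)\[[^\]]*\]\s+(\S+)$")
ACTION = re.compile(r"^\s+(in|out)\s+(\w+)$")
TUNNEL = re.compile(r"^\s+(esp|ah)/(tunnel|transport)/([^/]*)/")

def parse_spd(text):
    """Return one dict per policy: traffic selectors, direction, action, endpoints."""
    policies = []
    for line in text.splitlines():
        if m := SELECTOR.match(line):          # unindented line starts a policy
            policies.append({"src": ipaddress.ip_network(m[1], strict=False),
                             "dst": ipaddress.ip_network(m[2], strict=False),
                             "proto": m[3]})
        elif policies and (m := ACTION.match(line)):
            policies[-1].update(direction=m[1], action=m[2])
        elif policies and (m := TUNNEL.match(line)):
            policies[-1].update(ipsec=m[1], mode=m[2], endpoints=m[3])
    return policies

def lookup(policies, src, dst, direction="out"):
    """First policy whose selectors contain src and dst, or None (plain routing applies)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.get("direction") == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

if __name__ == "__main__":
    # Pipe real output in (setkey -DP | python3 thisfile.py); otherwise use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for p in parse_spd(text):
        print(p.get("direction"), p["src"], "->", p["dst"], p.get("action"), p.get("endpoints", ""))
```

A `None` result from `lookup` means no policy matched and the packet simply follows the routing table, which is why the default route is all that `netstat -rn` shows for a policy-based tunnel.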