Hello,
my IPSec-VPN (OPNsense 23.7.9) works fine,
I can ping the remote network.
My question: How can I see the kernel routing entry for the remote VPN networks?
route show <remote network>
and
netstat -rn
will show the default route instead of the route through the IPsec VPN.
Perhaps this is a policy-based route on strongswan?
Thanks.
Morris
Generally IPsec processing is based on policies. After regular route lookups are done the OS kernel consults its SPD (Security Policy Database) for a matching policy and if one is found that is associated with an IPsec SA (Security Association) the packet is processed (e.g. encrypted and sent as ESP packet).
Depending on the operating system it is also possible to configure route-based VPNs. Here IPsec processing does not (only) depend on negotiated policies but may e.g. be controlled by routing packets to a specific interface.
[...]
https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html
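To make the two-stage lookup described above concrete, here is a small Python model of it, added as an illustration for this thread; it is not code from the thread, OPNsense or strongSwan. The routing table contains only a default route and the local LAN, which is why `route get` / `netstat -rn` report the default route for the remote network, while a separate SPD entry with traffic selectors decides that the same packet is wrapped in ESP. All addresses, prefixes and tunnel endpoints are constructed sample values.

```python
"""Model of the two lookups a packet goes through on a policy-based IPsec host.

Added illustration, not code from the thread or from strongSwan/OPNsense.
Every address, prefix and tunnel endpoint below is a constructed sample value.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str


@dataclass(frozen=True)
class SpdEntry:
    """One outbound SPD policy: traffic selectors plus the tunnel they map to."""
    src_selector: ipaddress.IPv4Network
    dst_selector: ipaddress.IPv4Network
    local_endpoint: str
    remote_endpoint: str


# Constructed routing table: only a default route and the local LAN,
# which is all `netstat -rn` shows on a policy-based IPsec gateway.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "wan0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "link#1", "lan0"),
]

# Constructed SPD: LAN -> remote VPN network is tunnelled to the peer.
SPD = [
    SpdEntry(ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("10.20.0.0/16"),
             "203.0.113.10", "198.51.100.20"),
]


def route_lookup(dst: str, routes=ROUTES) -> Route:
    """Longest-prefix match, as the kernel FIB does (and `route get` reports)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def spd_lookup(src: str, dst: str, spd=SPD) -> Optional[SpdEntry]:
    """First outbound policy whose traffic selectors cover the packet, if any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy in spd:
        if s in policy.src_selector and d in policy.dst_selector:
            return policy
    return None


def forward(src: str, dst: str) -> dict:
    """Combine both lookups the way the kernel's output path does:
    routing first, then the SPD decides whether ESP processing applies."""
    route = route_lookup(dst)
    policy = spd_lookup(src, dst)
    result = {"route": f"{route.prefix} via {route.gateway} dev {route.interface}"}
    if policy is None:
        result["ipsec"] = None  # plain forwarding along the route
    else:
        # Mirrors the "esp/tunnel/<local>-<remote>" notation setkey uses.
        result["ipsec"] = f"esp/tunnel/{policy.local_endpoint}-{policy.remote_endpoint}"
    return result


if __name__ == "__main__":
    for src, dst in [("192.168.1.50", "10.20.3.7"), ("192.168.1.50", "198.51.100.77")]:
        print(src, "->", dst, forward(src, dst))
```

Running it shows the point of the reply above: both destinations resolve to the default route, but only the one covered by the SPD traffic selectors is marked for ESP, so the routing table alone never reveals the tunnel.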
Quote from: mgoerke on December 01, 2023, 01:41:13 AM
[...]
will show the default route instead of the route through the IPsec VPN.
Perhaps this is a policy-based route on strongswan?
Probably, you mean the traffic selectors in the security policy database (SPD) for deciding whether traffic has to be redirected to an IPsec tunnel.
Use the following command in the terminal window:
root@opnsenset:~ # setkey -DP