Are these throw routes managed by systemd-networkd (i.e. there's a corresponding .network file for them)? I'm guessing there is not and that StrongSwan is managing them separately. systemd-networkd by default will remove unmanaged routes unless told otherwise. There are two settings that can prevent this, KeepConfiguration= (from the systemd.network man page) and ManageForeignRoutingPolicyRules=/ManageForeignRoutes= (from the networkd.conf man page).
Hope that helps,
Anita
On Tue, Dec 21, 2021 at 2:57 AM Robert Dahlem <Robert.Dahlem@xxxxxxx> wrote:
Hi,
I'm running on Debian Bullseye, systemd 247.
StrongSwan 5.9.1 (an IPsec implementation) establishes throw routes in table 220 when activating the bypass-lan plugin.
Basically that means: you have a VPN tunnel giving you a prioritized default route through the VPN gateway, but you can still reach systems in local networks. It looks like this:
# ip a
...
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
...
inet 192.168.1.160/24 brd 192.168.1.255 scope global dynamic ens18
inet 172.29.254.11/32 scope global ens18
3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
...
inet 192.168.180.2/24 brd 192.168.180.255 scope global ens19
4: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.10.10.1/24 brd 10.10.10.255 scope global vmbr1
...
# ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
# ip route sh table 220
default via 192.168.1.1 dev ens18 proto static src 172.29.254.11
throw 10.10.10.0/24 proto static
throw 192.168.1.0/24 proto static
throw 192.168.180.0/24 proto static
Any outgoing traffic goes through table 220 where the default route points to the VPN tunnel. Without the throw routes, traffic for local networks would be sent through the VPN tunnel too.
Now the problem: when I restart networkd, the throw routes get removed:
# systemctl restart systemd-networkd
# ip route sh table 220
default via 192.168.1.1 dev ens18 proto static src 172.29.254.11
Of course now I can no longer reach the local networks.
I run networkd with "Environment=SYSTEMD_LOG_LEVEL=debug", so I get this in the log:
# grep throw /var/log/syslog | cut -d " " -f 6- | grep -v lo: \
| sed 's!src: n/a, gw: n/a, prefsrc: n/a, scope: global, !!'
Remembering route: dst: 192.168.180.0/24, table: 220, proto: static, type: throw
Remembering route: dst: 192.168.1.0/24, table: 220, proto: static, type: throw
Remembering route: dst: 10.10.10.0/24, table: 220, proto: static, type: throw
Removing route: dst: 192.168.180.0/24, table: 220, proto: static, type: throw
Removing route: dst: 10.10.10.0/24, table: 220, proto: static, type: throw
Removing route: dst: 192.168.1.0/24, table: 220, proto: static, type: throw
Removing route: dst: 192.168.180.0/24, table: 220, proto: static, type: throw
Removing route: dst: 10.10.10.0/24, table: 220, proto: static, type: throw
Removing route: dst: 192.168.1.0/24, table: 220, proto: static, type: throw
Removing route: dst: 192.168.180.0/24, table: 220, proto: static, type: throw
Removing route: dst: 10.10.10.0/24, table: 220, proto: static, type: throw
Removing route: dst: 192.168.1.0/24, table: 220, proto: static, type: throw
Forgetting route: dst: 192.168.180.0/24, table: 220, proto: static, type: throw
Forgetting route: dst: 10.10.10.0/24, table: 220, proto: static, type: throw
Forgetting route: dst: 192.168.1.0/24, table: 220, proto: static, type: throw
At first, networkd remembers the throw routes, then it removes and forgets them. Why is that and how can I prevent it from doing so?
(Actually, the problem is a bit more complex and has to do with disappearing throw routes when interfaces come up "late", i.e. WIFI interfaces. I tried to show the behavior in a simple test case.)
Regards,
Robert
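As an added example, not code from either message in this thread: a small POSIX shell script that writes the two settings Anita names (ManageForeignRoutes= in the [Network] section of a networkd.conf drop-in, KeepConfiguration= in the [Network] section of a .network drop-in) and checks whether table 220 still has its throw routes, using the route output from Robert's post as constructed sample input. The drop-in file names, the ens18.network.d directory and the temporary-directory layout are assumptions made for the example; the table number, interface and prefixes come from the post.

```shell
#!/bin/sh
# Added example for this thread (not code from either message): the two
# networkd settings from Anita's reply, written as drop-in files, plus a
# check that the throw routes in table 220 survive a networkd restart.
# Assumptions: the drop-in file names are hypothetical; table 220, ens18 and
# the three LAN prefixes are taken from Robert's post.
set -eu

# Global knob, networkd.conf(5): networkd ignores routes it did not install,
# so it does not drop strongSwan's throw routes when it reconfigures a link.
# networkd reads networkd.conf at start-up, so a daemon restart is needed.
write_networkd_dropin() {
    mkdir -p "$1"
    cat > "$1/10-foreign-routes.conf" <<'EOF'
[Network]
ManageForeignRoutes=no
EOF
}

# Per-link knob, systemd.network(5): keep the addresses and routes already on
# the link instead of reconfiguring it from scratch. Applies only to links
# with a matching .network file; this is a drop-in for a (assumed) ens18.network.
write_network_dropin() {
    mkdir -p "$1"
    cat > "$1/10-keep.conf" <<'EOF'
[Network]
KeepConfiguration=yes
EOF
}

# Count throw routes in 'ip route show table N' output read from stdin.
count_throw_routes() {
    awk '$1 == "throw" { n++ } END { print n + 0 }'
}

# Exit 0 if a throw route for prefix $1 is present in the output on stdin.
has_throw_route() {
    awk -v p="$1" '$1 == "throw" && $2 == p { found = 1 } END { exit !found }'
}

# Print the prefixes from the argument list that have no throw route.
missing_throw_routes() {
    routes=$(cat)
    for p in "$@"; do
        printf '%s\n' "$routes" | has_throw_route "$p" || echo "$p"
    done
}

# Constructed sample: table 220 before and after the restart, as in the post.
SAMPLE_BEFORE='default via 192.168.1.1 dev ens18 proto static src 172.29.254.11
throw 10.10.10.0/24 proto static
throw 192.168.1.0/24 proto static
throw 192.168.180.0/24 proto static'
SAMPLE_AFTER='default via 192.168.1.1 dev ens18 proto static src 172.29.254.11'
LAN_PREFIXES='10.10.10.0/24 192.168.1.0/24 192.168.180.0/24'

demo() {
    tmp=$(mktemp -d)
    write_networkd_dropin "$tmp/networkd.conf.d"
    write_network_dropin "$tmp/network/ens18.network.d"
    cat "$tmp/networkd.conf.d/10-foreign-routes.conf" \
        "$tmp/network/ens18.network.d/10-keep.conf"
    printf 'throw routes before restart: %s\n' \
        "$(printf '%s\n' "$SAMPLE_BEFORE" | count_throw_routes)"
    printf 'throw routes after restart:  %s\n' \
        "$(printf '%s\n' "$SAMPLE_AFTER" | count_throw_routes)"
    # Word splitting of LAN_PREFIXES is intentional here.
    printf 'missing after restart: %s\n' \
        "$(printf '%s\n' "$SAMPLE_AFTER" | missing_throw_routes $LAN_PREFIXES | tr '\n' ' ')"
    rm -rf "$tmp"
}

demo
```

On the real host the drop-ins go under /etc/systemd/networkd.conf.d/ and /etc/systemd/network/ens18.network.d/ (the latter only works if an ens18.network file exists); after `systemctl restart systemd-networkd`, `ip route show table 220 | count_throw_routes` should still print 3, and `ip route show table 220 | missing_throw_routes $LAN_PREFIXES` should print nothing. ManageForeignRoutes=no is the broader of the two: it covers every route networkd did not install, on any link, whereas KeepConfiguration= only affects links that networkd manages through a .network file.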