[Openswan dev] ip_hdr discrepancies

Sybille Ebert sybille.ebert at gmx.net
Wed Dec 24 05:19:52 EST 2008

>> Now the "shunt SA of DROP or no eroute" is gone, but I get:
>> klips_debug:ipsec_xmit_send: ip_route_output failed with error code -22,
>> dropped

I am not an expert, but from the logs I would assume that the packet
gets encrypted, but cannot be output because ip_route_output_key fails.
I have confirmed that I have the correct route ("ip route ls") and that
the packet destination address matches rightsubnet. I have tried pinging
from the inside network as well as from the gateway itself (by setting
leftsourceip or by manually assigning an IP to ipsec0). I've tried to
create routes manually. Yet, nothing helps. If I change to netkey, all
these scenarios work (meaning I can see the ESP packet being sent with tcpdump).

So I've tracked down this error. ipsec_xmit_send calls this:

error = ip_route_output_key(&ixs->route, &fl);

...which is...

int ip_route_output_key(struct rtable **rp, struct flowi *flp)
{
	return ip_route_output_flow(rp, flp, NULL, 0);
}

So, my best guess is that the problem actually occurs here:

int ip_route_output_flow(struct rtable **rp, struct flowi *flp,
			 struct sock *sk, int flags)
{
	int err;

	if ((err = __ip_route_output_key(rp, flp)) != 0)
		return err;

	if (flp->proto) {
		if (!flp->fl4_src)
			flp->fl4_src = (*rp)->rt_src;
		if (!flp->fl4_dst)
			flp->fl4_dst = (*rp)->rt_dst;
		err = __xfrm_lookup((struct dst_entry **)rp, flp, sk, flags);
		if (err == -EREMOTE)
			err = ipv4_dst_blackhole(rp, flp, sk);

		return err;
	}

	return 0;
}

Hope it helps.

