[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Harald Jenny harald at a-little-linux-box.at
Mon Oct 18 14:07:33 EDT 2010 

Sounds to me like Ubuntu made a change which simply breaks a script... I'm
running Debian on some machines without any such issues.

On Mon, Oct 18, 2010 at 04:26:04PM +0200, Roel van Meer wrote:
> Hi list,
> 
> surely there's someone with an opinion on this?
> If I need to give more information, please let me know.
> 
> Regards,
> 
> roel
> 
> > I'm noticing a problem with my routing after starting openswan with klips. 
> > After starting, I have the same routes for my ipsec0 device as for eth1 (the 
> > associated physical device). Since both routes have also the same metric, a 
> > route lookup for locally connected devices returns a route through the 
> > ipsec0 device, not a route through the eth1 device.
> > 
> > I've noticed that the _startklips script contains the section below, where 
> > the route metric is updated if the original route has a specified metric, 
> > but this is not done if the original route has metric 0.
> > 
> > ---/ original _startklips snippet /---
> > # configure the device
> > ifconfig $virt inet $phys_addr $phys_type $phys_otheraddr netmask $phys_mask mtu $phys_mtu
> > 
> > # do we have to fix the route metric for this device?
> > maxmetric=$(ip route show $phys_otheraddr/$phys_mask | sed -n -e 's/.*metric \([0-9]\+\)/\1/p' | sort -n | tail -n1)
> > if [ -n "$maxmetric" ] ; then
> >         # If there are other none-zero-metric routes that match this spec
> >         # (the case on Ubuntu 10.04, Lucid) then move the route to the end.
> >         newmetric=$(( $maxmetric + 1))
> >         oldroute=$(ip route show $phys_otheraddr/$phys_mask dev $virt)
> >         ip route del $oldroute dev $virt
> >         ip route add $oldroute dev $virt metric $newmetric
> > fi
> > ---//---
> > 
> > So my questions are:
> > - is this intentional?
> > - If so, why?
> > - And in that case, how can I configure openswan in such a way that traffic 
> > to my local net is routed through eth1, not ipsec0? (I'd rather not change 
> > my routing or use hacks like adding postpluto commands..)
> > 
> > Attached is a patch to 2.6.29 _startklips that changes its behaviour to 
> > also update the new route metric if there are existing routes with metric 0.
> > 
> > As a related question: the use of ifconfig for setup of the virtual device 
> > causes this route to be added automatically. Wouldn't it be cleaner to use 
> > ip link and ip addr calls for this? Then we can add the correct route 
> > ourselves, instead of changing what we automatically got and maybe didn't 
> > like. If you want, I could make a patch for this too.
> > 
> > Regards,
> > 
> > roel
> > 
> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev

More information about the Dev mailing list