[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Roel van Meer rolek at bokxing.nl
Tue Oct 19 06:22:38 EDT 2010

Paul Wouters writes:

>> surely there's someone with an opinion on this?
>> If I need to give more information, please let me know.
> - _startklips is set to be updated to use the ip command

Ok, no need for a patch for that, then.

> - routing into an ipsecX device, even for packets that have no SA, should
>    fall through to the regular route if the value of failureshunt= is not
>    changed from its default.

Let me see if I understand you correctly: If I have a host ( on a 
network, and it has these two routes:

   dev eth1 proto kernel scope link src
   dev ipsec0 proto kernel scope link src

then even if the kernel selects the route through ipsec0 for the 
network, the packets should ultimately leave via eth1?

>>> So my questions are:
>>> - is this intentional?
>>> - If so, why?
> From git commit 99634880325
>      ipsecX route metric fix for Ubuntu 10.04

Ok, thanks.

>>> - And in that case, how can I configure openswan in such a way that traffic
>>> to my local net is routed through eth1, not ipsec0? (I'd rather not change
>>> my routing or use hacks like adding postpluto commands..)
> I am not sure why you would need this?

I seem to need this because creating the ipsec0 device also installs a net 
route via the ipsec0 device, which causes my local network to become 
unreachable. Removing the extra route on ipsec0 fixed that.

Said otherwise: I am not sure why I would need that route and it breaks my 
setup, so I was curious why it was there in the first place.

(I'm aware that this is starting to be more appropriate for users@, so feel 
free to reply to that list if you want.)
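The situation described in this message is two kernel routes for the same prefix on different devices, with the kernel picking the ipsec0 one. The script below is an added example, not code from the thread or from Openswan: it reads "ip route" output, reports every prefix that has more than one route, and names the route the kernel will select under the usual rule that the lowest metric wins and, among equal metrics, the route listed first in the table (the order "ip route" prints) is used. The route lines and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are constructed sample input standing in for the addresses elided in the mail; the function names are my own.

```shell
#!/bin/sh
# Added example for the Openswan ipsec0 duplicate-route discussion.
# Not part of the thread or of Openswan; function names are invented here.
#
# Rule assumed for which route wins when one prefix has several routes:
#   1. the lowest metric wins ("metric" absent means 0);
#   2. among equal metrics the first route in table order wins, which is
#      the order "ip route show" prints them (kernel-added routes are
#      appended, so the device that got the address first stays in front).

# Constructed sample of "ip route show" output (RFC 5737 documentation
# prefixes). The first two lines mirror the situation in the mail: the same
# /24 reachable via eth1 and via ipsec0 with the same metric.
SAMPLE_ROUTES='192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10
192.0.2.0/24 dev ipsec0 proto kernel scope link src 192.0.2.10
default via 192.0.2.1 dev eth1
198.51.100.0/24 dev ipsec0 proto kernel scope link src 192.0.2.10 metric 10'

# Reads route lines on stdin, prints "<prefix> <dev> <metric>" per route.
# A route without an explicit metric is printed with metric 0.
normalize_routes() {
    awk '{
        prefix = $1; dev = "-"; metric = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        print prefix, dev, metric
    }'
}

# Reads route lines on stdin, prints "<prefix> <count> <winning dev>" for
# every prefix that has two or more routes. Strict "<" keeps the first route
# seen on a metric tie, which implements rule 2 above.
duplicate_prefixes() {
    normalize_routes | awk '{
        n[$1]++
        if (!($1 in best) || $3 < bestm[$1]) { best[$1] = $2; bestm[$1] = $3 }
    } END {
        for (p in n) if (n[p] > 1) print p, n[p], best[p]
    }' | sort
}

# Reads route lines on stdin, prints the device the kernel would pick for
# the prefix given as $1 (nothing if the prefix has no route).
route_winner() {
    normalize_routes | awk -v p="$1" '$1 == p {
        if (!seen || $3 < bm) { seen = 1; bd = $2; bm = $3 }
    } END { if (seen) print bd }'
}

# Returns 0 when prefix $1 is routed via device $2, 1 otherwise. Useful as a
# post-"ipsec start" sanity check: route_via 192.0.2.0/24 eth1 || echo broken
route_via() {
    [ "$(route_winner "$1")" = "$2" ]
}

# Stand-alone demo over the constructed sample; on a live host replace the
# printf with "ip route show".
printf '%s\n' "$SAMPLE_ROUTES" | duplicate_prefixes
printf 'winner for 192.0.2.0/24: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ROUTES" | route_winner 192.0.2.0/24)"
```

On a real host, "ip route get <address-on-the-LAN>" asks the kernel directly and is the authoritative answer; the script is for spotting the duplicate prefixes before asking. Note that the sample puts eth1 first, so eth1 wins there; on the host in the mail the ipsec0 route evidently sat in front, which is exactly the case the check above is meant to flag.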
