[Openswan dev] [PATCH] Incorrect automatic route via ipsec0
Roel van Meer
rolek at bokxing.nl
Tue Oct 19 06:22:38 EDT 2010
Paul Wouters writes:
>> surely there's someone with an opinion on this?
>> If I need to give more information, please let me know.
>
> - _startklips is set to be updated to use the ip command

Ok, no need for a patch for that, then.

> - routing into an ipsecX device, even for packets that have no SA, should
> fall through to the regular route if the value of failureshunt= is not
> changed from its default.

Let me see if I understand you correctly: If I have a host (1.2.3.4) on a
network 1.2.3.0/24, and it has these two routes:

  1.2.3.0/24 dev eth1 proto kernel scope link src 1.2.3.4
  1.2.3.0/24 dev ipsec0 proto kernel scope link src 1.2.3.4

then even if the kernel selects the route through ipsec0 for the 1.2.3.0/24
network, the packets should ultimately leave via eth1?

>>> So my questions are:
>>> - is this intentional?
>>> - If so, why?
>
> From git commit 99634880325
>
> ipsecX route metric fix for Ubuntu 10.04

Ok, thanks.

>>> - And in that case, how can I configure openswan in such a way that traffic
>>> to my local net is routed through eth1, not ipsec0? (I'd rather not change
>>> my routing or use hacks like adding postpluto commands..)
>
> I am not sure why you would need this?

I seem to need this because creating the ipsec0 device also installs a net
route via the ipsec0 device, which causes my local network to become
unreachable. Removing the extra route on ipsec0 fixed that.

Said otherwise: I am not sure why I would need that route and it breaks my
setup, so I was curious why it was there in the first place.

(I'm aware that this is starting to be more appropriate for users@, so feel
free to reply to that list if you want.)

Regards,

roel