[Openswan dev] [PATCH] Incorrect automatic route via ipsec0
Roel van Meer
rolek at bokxing.nl
Tue Oct 19 06:22:38 EDT 2010
Paul Wouters writes:
>> surely there's someone with an opinion on this?
>> If I need to give more information, please let me know.
> - _startklips is set to be updated to use the ip command
Ok, no need for a patch for that, then.
> - routing into an ipsecX device, even for packets that have no SA, should
> fall through to the regular route if the value of failureshunt= is not
> changed from its default.
Let me see if I understand you correctly: If I have a host (126.96.36.199) on a
network 188.8.131.52/24, and it has these two routes:
184.108.40.206/24 dev eth1 proto kernel scope link src 220.127.116.11
18.104.22.168/24 dev ipsec0 proto kernel scope link src 22.214.171.124
then even if the kernel selects the route through ipsec0 for the 126.96.36.199/24
network, the packets should ultimately leave via eth1?
>>> So my questions are:
>>> - is this intentional?
>>> - If so, why?
> From git commit 99634880325
> ipsecX route metric fix for Ubuntu 10.04
>>> - And in that case, how can I configure openswan in such a way that traffic
>>> to my local net is routed through eth1, not ipsec0? (I'd rather not change
>>> my routing or use hacks like adding postpluto commands..)
> I am not sure why you would need this?
I seem to need this because creating the ipsec0 device also installs a net
route via the ipsec0 device, which causes my local network to become
unreachable. Removing the extra route on ipsec0 fixed that.
Said otherwise: I am not sure why I would need that route and it breaks my
setup, so I was curious why it was there in the first place.
(I'm aware that this is starting to be more appropriate for users@, so feel
free to reply to that list if you want.)