[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Paul Wouters paul at xelerance.com
Tue Oct 19 13:34:00 EDT 2010

On Tue, 19 Oct 2010, Roel van Meer wrote:

>> - routing into an ipsecX device, even for packets that have no SA, should
>>    fall through to the regular route if the value of failureshunt= is not
>>    changed from its default.
> Let me see if I understand you correctly: If I have a host ( on a
> network, and it has these two routes:
> dev eth1 proto kernel scope link src
> dev ipsec0 proto kernel scope link src
> then even if the kernel selects the route through ipsec0 for the
> network, the packets should ultimately leave via eth1?

Yes, unless you have failureshunt=drop, OR you have a tunnel definition for -> somewhere that is in a %hold state (each loaded, but not up)

> I seem to need this because creating the ipsec0 device also installs a net
> route via the ipsec0 device, which causes my local network to become
> unreachable. Removing the extra route on ipsec0 fixed that.
> Said otherwise: I am not sure why I would need that route and it breaks my
> setup, so I was curious why it was there in the first place.
> (I'm aware that this is starting to be more appropriate for users@, so feel
> free to reply to that list of you want.)

Routing is how we get packets into the klips ipsec.ko kernel module for
encrypting. (netkey has its own special hooks with their own set of problems)

You might be right that you don't need the route. I was not aware this was
added because of ifconfig use. David is expected to update _startklips for
2.6.32 now that we released 2.6.31. So your issue might be solved in git over
the next few days.


More information about the Dev mailing list