[Openswan dev] [PATCH] Incorrect automatic route via ipsec0
harald at a-little-linux-box.at
Tue Oct 19 16:29:34 EDT 2010
On Tue, Oct 19, 2010 at 12:22:38PM +0200, Roel van Meer wrote:
> Paul Wouters writes:
> >> surely there's someone with an opinion on this?
> >> If I need to give more information, please let me know.
> > - _startklips is set to be updated to use the ip command
> Ok, no need for a patch for that, then.
> > - routing into an ipsecX device, even for packets that have no SA, should
> > fall through to the regular route if the value of failureshunt= is not
> > changed from its default.
> Let me see if I understand you correctly: If I have a host (22.214.171.124) on a
> network 126.96.36.199/24, and it has these two routes:
> 188.8.131.52/24 dev eth1 proto kernel scope link src 184.108.40.206
> 220.127.116.11/24 dev ipsec0 proto kernel scope link src 18.104.22.168
> then even if the kernel selects the route through ipsec0 for the 22.214.171.124/24
> network, the packets should ultimately leave via eth1?
Hmmm I'm kind of unsure how this scenario should work...
> >>> So my questions are:
> >>> - is this intentional?
> >>> - If so, why?
> > From git commit 99634880325
> > ipsecX route metric fix for Ubuntu 10.04
> Ok, thanks.
> >>> - And in that case, how can I configure openswan in such a way that traffic
> >>> to my local net is routed through eth1, not ipsec0? (I'd rather not change
> >>> my routing or use hacks like adding postpluto commands..)
> > I am not sure why you would need this?
> I seem to need this because creating the ipsec0 device also installs a net
> route via the ipsec0 device, which causes my local network to become
> unreachable. Removing the extra route on ipsec0 fixed that.
Well, what exactly are you trying to do?
> Said otherwise: I am not sure why I would need that route and it breaks my
> setup, so I was curious why it was there in the first place.
> (I'm aware that this is starting to be more appropriate for users@, so feel
> free to reply to that list if you want.)