[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Harald Jenny harald at a-little-linux-box.at
Tue Oct 19 16:29:34 EDT 2010


On Tue, Oct 19, 2010 at 12:22:38PM +0200, Roel van Meer wrote:
> Paul Wouters writes:
> 
> >> surely there's someone with an opinion on this?
> >> If I need to give more information, please let me know.
> > 
> > - _startklips is set to be updated to use the ip command
> 
> Ok, no need for a patch for that, then.
> 
> > - routing into an ipsecX device, even for packets that have no SA, should
> >    fall through to the regular route if the value of failureshunt= is not
> >    changed from its default.
> 
> Let me see if I understand you correctly: If I have a host (1.2.3.4) on a 
> network 1.2.3.0/24, and it has these two routes:
> 
> 1.2.3.0/24 dev eth1 proto kernel scope link src 1.2.3.4
> 1.2.3.0/24 dev ipsec0 proto kernel scope link src 1.2.3.4
> 
> then even if the kernel selects the route through ipsec0 for the 1.2.3.0/24 
> network, the packets should ultimately leave via eth1?

Hmmm I'm kind of unsure how this scenario should work...

> 
> >>> So my questions are:
> >>> - is this intentional?
> >>> - If so, why?
> > 
> > From git commit 99634880325
> > 
> >      ipsecX route metric fix for Ubuntu 10.04
> 
> Ok, thanks.
> 
> >>> - And in that case, how can I configure openswan in such a way that traffic
> >>> to my local net is routed through eth1, not ipsec0? (I'd rather not change
> >>> my routing or use hacks like adding postpluto commands..)
> > 
> > I am not sure why you would need this?
> 
> I seem to need this because creating the ipsec0 device also installs a net 
> route via the ipsec0 device, which causes my local network to become 
> unreachable. Removing the extra route on ipsec0 fixed that.

Well what exactly are you trying to do?

> 
> Said otherwise: I am not sure why I would need that route and it breaks my 
> setup, so I was curious why it was there in the first place.
> 
> (I'm aware that this is starting to be more appropriate for users@, so feel 
> free to reply to that list if you want.)
> 
> Regards,
> 
> roel

Kind regards
Harald
