[Openswan dev] [PATCH] Incorrect automatic route via ipsec0
Harald Jenny
harald at a-little-linux-box.at
Tue Oct 19 16:33:19 EDT 2010
On Tue, Oct 19, 2010 at 01:34:00PM -0400, Paul Wouters wrote:
> On Tue, 19 Oct 2010, Roel van Meer wrote:
>
> >> - routing into an ipsecX device, even for packets that have no SA, should
> >> fall through to the regular route if the value of failureshunt= is not
> >> changed from its default.
> >
> > Let me see if I understand you correctly: If I have a host (1.2.3.4) on a
> > network 1.2.3.0/24, and it has these two routes:
> >
> > 1.2.3.0/24 dev eth1 proto kernel scope link src 1.2.3.4
> > 1.2.3.0/24 dev ipsec0 proto kernel scope link src 1.2.3.4
> >
> > then even if the kernel selects the route through ipsec0 for the 1.2.3.0/24
> > network, the packets should ultimately leave via eth1?
>
> Yes, unless you have failureshunt=drop, OR you have a tunnel definition for
> 1.2.3.0/24 -> somewhere that is in a %hold state (e.g. loaded, but not up)
Doing the second thing reminds me of shooting myself in the foot...
>
> > I seem to need this because creating the ipsec0 device also installs a net
> > route via the ipsec0 device, which causes my local network to become
> > unreachable. Removing the extra route on ipsec0 fixed that.
> >
> > Said otherwise: I am not sure why I would need that route and it breaks my
> > setup, so I was curious why it was there in the first place.
> >
> > (I'm aware that this is starting to be more appropriate for users@, so feel
> > free to reply to that list if you want.)
>
> Routing is how we get packets into the klips ipsec.ko kernel module for
> encrypting. (netkey has its own special hooks with their own set of problems)
>
> You might be right that you don't need the route. I was not aware this was
> added because of ifconfig use. David is expected to update _startklips for
> 2.6.32 now that we released 2.6.31. So your issue might be solved in git over
> the next few days.
David if you need testing for a new script just call me.
>
> Paul
Kind regards
Harald
> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev
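The situation Roel describes above (a prefix that is reachable both via a physical interface and via the KLIPS ipsecX device, with the ipsecX route winning and making the local network unreachable) is easy to spot from `ip route show` output. The following is an added example, not code from this thread or from Openswan: it parses routing-table lines, reports every prefix that has both an ipsecX route and a non-ipsec route, decides which one the kernel would use (lower metric wins; on a tie this example assumes the route listed first wins, since the kernel walks equal-prefix entries in table order), and emits the `ip route del` command that matches the fix Roel applied by hand. The sample routing table is constructed for the example; the interface names and prefixes are taken from the thread.

```python
"""Flag local prefixes shadowed by a KLIPS ipsecX route.

Added example for the Openswan dev thread on the automatic ipsec0 route.
It is not Openswan's code; the routing table below is constructed.
"""
import re
from collections import defaultdict

# One line of `ip route show` output, e.g.
#   1.2.3.0/24 dev ipsec0 proto kernel scope link src 1.2.3.4
#   default via 1.2.3.1 dev eth1 metric 100
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$"
)
METRIC_RE = re.compile(r"\bmetric\s+(\d+)\b")

# Constructed sample: the two 1.2.3.0/24 routes from the thread, with the
# ipsec0 one listed first so that it shadows eth1, plus a default route and
# a remote tunnel subnet that legitimately lives on ipsec0 only.
SAMPLE_ROUTES = """\
default via 1.2.3.1 dev eth1
1.2.3.0/24 dev ipsec0 proto kernel scope link src 1.2.3.4
1.2.3.0/24 dev eth1 proto kernel scope link src 1.2.3.4
10.9.8.0/24 via 1.2.3.1 dev ipsec0
"""


def parse_routes(text):
    """Parse `ip route show` output into dicts, keeping table order in 'pos'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank line or a form this example does not handle
        mm = METRIC_RE.search(m.group("rest"))
        routes.append({
            "dst": m.group("dst"),
            "via": m.group("via"),
            "dev": m.group("dev"),
            "metric": int(mm.group(1)) if mm else 0,
            "pos": len(routes),
        })
    return routes


def is_ipsec_dev(dev):
    """KLIPS virtual devices are named ipsec0, ipsec1, ..."""
    return re.fullmatch(r"ipsec\d+", dev) is not None


def shadowed_prefixes(routes):
    """Map each prefix that has both an ipsecX and a non-ipsec route to
    {"winner": dev, "ipsec": [devs], "plain": [devs]}.

    Winner = lowest metric; on a tie the first entry in the table (assumption
    stated in the lead-in).  A prefix that only exists on ipsecX (a tunnel
    subnet) is not reported: that route is what gets packets into klips.
    """
    by_dst = defaultdict(list)
    for r in routes:
        by_dst[r["dst"]].append(r)
    result = {}
    for dst, rs in by_dst.items():
        ipsec = [r for r in rs if is_ipsec_dev(r["dev"])]
        plain = [r for r in rs if not is_ipsec_dev(r["dev"])]
        if not ipsec or not plain:
            continue
        winner = min(rs, key=lambda r: (r["metric"], r["pos"]))
        result[dst] = {
            "winner": winner["dev"],
            "ipsec": [r["dev"] for r in ipsec],
            "plain": [r["dev"] for r in plain],
        }
    return result


def fix_commands(shadowed):
    """Commands that drop the ipsecX copy wherever it is the winning route,
    i.e. the same fix Roel applied by hand."""
    cmds = []
    for dst, info in shadowed.items():
        if is_ipsec_dev(info["winner"]):
            for dev in info["ipsec"]:
                cmds.append(f"ip route del {dst} dev {dev}")
    return cmds


if __name__ == "__main__":
    found = shadowed_prefixes(parse_routes(SAMPLE_ROUTES))
    for dst, info in found.items():
        print(f"{dst}: kernel uses {info['winner']}, "
              f"ipsec={info['ipsec']} plain={info['plain']}")
    for cmd in fix_commands(found):
        print("fix:", cmd)
```

Run it against real output with `ip route show | python3 thisfile.py` after replacing `SAMPLE_ROUTES` with `sys.stdin.read()`; the tunnel subnet on ipsec0 is deliberately left alone, because removing that route would stop traffic from reaching klips at all.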