[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Harald Jenny harald at a-little-linux-box.at
Tue Oct 19 16:33:19 EDT 2010

On Tue, Oct 19, 2010 at 01:34:00PM -0400, Paul Wouters wrote:
> On Tue, 19 Oct 2010, Roel van Meer wrote:
> >> - routing into an ipsecX device, even for packets that have no SA, should
> >>    fall through to the regular route if the value of failureshunt= is not
> >>    changed from its default.
> >
> > Let me see if I understand you correctly: If I have a host ( on a
> > network, and it has these two routes:
> >
> > dev eth1 proto kernel scope link src
> > dev ipsec0 proto kernel scope link src
> >
> > then even if the kernel selects the route through ipsec0 for the
> > network, the packets should ultimately leave via eth1?
> Yes, unless you have failureshunt=drop, OR you have a tunnel definition for
> -> somewhere that is in a %hold state (each loaded, but not up)

Doing the second thing reminds me of shooting myself in the foot...

> > I seem to need this because creating the ipsec0 device also installs a net
> > route via the ipsec0 device, which causes my local network to become
> > unreachable. Removing the extra route on ipsec0 fixed that.
> >
> > Said otherwise: I am not sure why I would need that route and it breaks my
> > setup, so I was curious why it was there in the first place.
> >
> > (I'm aware that this is starting to be more appropriate for users@, so feel
> > free to reply to that list if you want.)
> Routing is how we get packets into the klips ipsec.ko kernel module for
> encrypting. (netkey has its own special hooks with their own set of problems)
> You might be right that you don't need the route. I was not aware this was
> added because of ifconfig use. David is expected to update _startklips for
> 2.6.32 now that we released 2.6.31. So your issue might be solved in git over
> the next few days.

David if you need testing for a new script just call me.

> Paul

Kind regards

> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev
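The situation Roel describes (a prefix reachable via eth1 that also gets a kernel route via ipsec0, so the local network becomes unreachable) is easy to spot by reading the routing table. The following is an added diagnostic, not from the thread or from Openswan: it reads `ip route show` output and reports every prefix that has both a route via a physical device and a route via an ipsecN device. The sample route lines and addresses (RFC 5737 documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ip route show` output (not taken from the thread):
# the two overlapping routes Roel describes, plus unrelated routes.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10
192.0.2.0/24 dev ipsec0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.5'

# find_shadowed_routes: read `ip route` lines on stdin and print each prefix
# that has both a route via a physical device and a route via an ipsecN
# (KLIPS) device, as "<prefix> <physical-dev> <ipsec-dev>".
# Such a pair is the case discussed above: which route the kernel picks
# decides whether traffic to that prefix enters KLIPS or leaves directly.
find_shadowed_routes() {
    awk '
    /^default/ { next }                 # only explicit prefixes matter here
    {
        prefix = $1
        dev = ""
        for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        if (dev == "") next
        if (dev ~ /^ipsec[0-9]+$/) ipsec[prefix] = dev; else phys[prefix] = dev
    }
    END {
        for (p in ipsec) if (p in phys) print p, phys[p], ipsec[p]
    }'
}

# Run against the constructed sample; on a live host use:
#   ip route show | find_shadowed_routes
printf "%s\n" "$SAMPLE_ROUTES" | find_shadowed_routes
```

An empty result means no prefix is claimed by both a physical interface and an ipsecN device; a reported line identifies exactly the route pair whose removal fixed Roel's setup, so it can be checked before and after the updated _startklips script is installed.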
