[Openswan dev] [PATCH] Incorrect automatic route via ipsec0
harald at a-little-linux-box.at
Tue Oct 19 16:33:19 EDT 2010
On Tue, Oct 19, 2010 at 01:34:00PM -0400, Paul Wouters wrote:
> On Tue, 19 Oct 2010, Roel van Meer wrote:
> >> - routing into an ipsecX device, even for packets that have no SA, should
> >> fall through to the regular route if the value of failureshunt= is not
> >> changed from its default.
> > Let me see if I understand you correctly: If I have a host (18.104.22.168) on a
> > network 22.214.171.124/24, and it has these two routes:
> > 126.96.36.199/24 dev eth1 proto kernel scope link src 188.8.131.52
> > 184.108.40.206/24 dev ipsec0 proto kernel scope link src 220.127.116.11
> > then even if the kernel selects the route through ipsec0 for the 18.104.22.168/24
> > network, the packets should ultimately leave via eth1?
> Yes, unless you have failureshunt=drop, OR you have a tunnel definition for
> 22.214.171.124/24 -> somewhere that is in a %hold state (each loaded, but not up)
Doing the second thing reminds me of shooting myself in the foot...
> > I seem to need this because creating the ipsec0 device also installs a net
> > route via the ipsec0 device, which causes my local network to become
> > unreachable. Removing the extra route on ipsec0 fixed that.
> > Said otherwise: I am not sure why I would need that route and it breaks my
> > setup, so I was curious why it was there in the first place.
> > (I'm aware that this is starting to be more appropriate for users@, so feel
> > free to reply to that list of you want.)
> Routing is how we get packets into the klips ipsec.ko kernel module for
> encrypting. (netkey has its own special hooks with their own set of problems)
> You might be right that you don't need the route. I was not aware this was
> added because of ifconfig use. David is expected to update _startklips for
> 2.6.32 now that we released 2.6.31. So your issue might be solved in git over
> the next few days.
David if you need testing for a new script just call me.
> Dev mailing list
> Dev at openswan.org
More information about the Dev