[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Roel van Meer rolek at bokxing.nl
Wed Oct 20 10:09:02 EDT 2010


Harald Jenny writes:

>> >> minimal ipsec.conf with which I can reproduce my issue:
>> >> ---/---
>> >> version 2.0
>> >> config setup
>> >>    interfaces="ipsec0=eth1"
>> >>    oe=off
>> >>    protostack=klips
>> >> ---/---
>> > 
>> > I miss a conn definition in here - Paul does this trigger a bug in adding
>> > connections?
>> 
>> This is the smallest config file I can reproduce the issue with. Adding conn 
>> definitions does not change it. The problem is not related to routes for 
>> conns, but it is related to the routes that get installed when ip addresses 
>> are assigned to the ipsec device. That's why I posted the config without any 
>> conn definitions. I just tried to keep things as clear as possible. Sorry if 
>> I added to the confusion.
> 
> Looks very weird to me as I use almost the same config section...

In my other posts I already explained the problem is caused by kernel 
patches I am carrying.
  
>> I'm starting to believe I'm 
>> missing something very obvious here. I almost can't believe this is an 
>> openswan problem if I'm the only one that gets bitten by it.
> 
> I guess there is something which interferes with KLIPS.

Yep, the alternative routes code does. Although it doesn't interfere 
with KLIPS directly. It changes the routing logic so the routes that 
get added when the ipsec device comes up are a problem. It's very similar to 
the Ubuntu route metric problem.

>> which solves my problem, since the kernel now always picks the correct 
>> route for traffic to the link network.
> 
> I'm currently running the old startscript here and it works for me :-/.

Yes, it works for me too with an unpatched kernel.
Thanks for checking though.

Regards,

roel


