[Openswan dev] [PATCH] Incorrect automatic route via ipsec0

Harald Jenny harald at a-little-linux-box.at
Wed Oct 20 10:09:26 EDT 2010


On Tue, Oct 19, 2010 at 07:21:36PM -0400, Paul Wouters wrote:
> On Wed, 20 Oct 2010, Roel van Meer wrote:
> 
> > Something else just occurred to me. We do carry Julian Anastasov's
> > advanced routing patches. Maybe they are the cause why normal packets routed
> > into ipsec0 get blackholed. I'll build a kernel without those patches and
> > see if that will make a difference.
> 
> Ahh yes. That would be good to know.
> 
> > Just so I can fully understand this: I understand the need for routing
> > packets via ipsec0 for networks that appear in tunnel definitions, but in
> > what scenario would it be necessary to route traffic for other networks via
> > ipsec0?
> 
> It depends on sourceip= and/or subnets= options.
> 
> E.g. imagine 1.2.3.0/24 <-> 5.6.7.0/24, or even a 0.0.0.0/0 subnet.
> 
> > Well, I spoke too soon when I blamed ifconfig. Sorry about that. Reviewing
> > the updated _startklips script you posted taught me that both ip and
> > ifconfig add the route when used in identical ways.
> 
> > That also means the new _startklips behaves identically to the old one, so the
> > problem I'm having is still there. Thank you for posting it, though.
> 
> That's also good to know.

Paul, one question: Would the code changes of Roel raise any problem in the KLIPS
start mechanism? If not, it sounds to me like the implementation would be more
"generic" than the current one and therefore may avoid future problems in this
field too?

> 
> Paul

Kind regards
Harald
