[Openswan Users] RE: Routes on ipsec instead of physical interface when interfaces go down and then up.

Ilona Regev iregev at mrv.co.il
Wed Mar 16 15:30:05 CET 2005


Another option is  to set the route that is added for the interface with a
metric of 99.
i.e. if ipsec0=eth0 with ip, then the route 
Destination   Gateway Genmask        Flags  Metric  Ref  Iface *    U       99        0     ipsec0.

With the metric at this value, then once the interface goes down and then
back up, the routes will be added to eth0 instead of ipsec0.

Does anyone know how this route is added? 
Is it added automatically by the kernel when ipsec0 is attached to eth0 or
is it done specifically by the application somewhere - and if so, does
someone know where?

Any help will be appreciated.

-----Original Message-----
From: Paul Wouters [mailto:paul at xtdnet.nl] 
Sent: Monday, March 14, 2005 11:15 PM
To: Ilona Regev; Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users]

On Mon, 14 Mar 2005, Ilona Regev wrote:

> The problem begins when my physical interface goes down and then comes 
> up again.
> After the interface comes up, I map the ipsec interface using the 
> 'ipsec tncfg' command and that's fine.
> My problem is, that routes that were previously on the physical 
> interfaces are now on the ipsec interface (I read somewhere that this 
> is because the kernel looks for the first interface with a matching IP 
> - which happens to be the ipsec interface).

Yes, that is a known problem. Luckilly this mostly happens to leave nodes on
ADSL/Cable with one VPN going out, or on machines with only a few static
It's usually the pppX interface that vanishes and comes back in these cases.
(The same could happen with pcmcia/pccard systems, but those are also
usually setup to restart networking including vpns upon re-insert)

> Since many of my routes are dynamic (learnt via some routing 
> protocol), I cannot manually set them each time (and its not just the 
> default gateway that needs to be set).

That's a bgger problem then.

> The interface to be set to is also not a fixed interface (could vary 
> according to the setup).

One work around I can imagine is to seperate the ppp0 interface from the
ipsec machine. Perhaps using a bridged setup with another ethernet segment
would work? I've never tried this approach though.


More information about the Users mailing list