[Openswan Users] R: R: Multiple interfaces ipsec/l2tp vpn openswan 2.6.26 [SOLVED]

Tuomo Soini tis at foobar.fi
Wed Jun 30 05:01:34 EDT 2010


Paul Wouters wrote:
> On Tue, 29 Jun 2010, Federico Viel wrote:
> 
>> This is(was) the problem
> 
> I'll wait on Tuomo's comments here. He knows this magic best....
> 
> Paul
> 
>>
>> On
>> /usr/lib/ipsec/_updown.netkey
>> .....
>> 1    # old: route via pluto_interface
>> 2    # parms2="$parms2 dev ${PLUTO_INTERFACE%:*} $IPROUTEARGS"
>> 3
>> 4    # new: route via proper interface according to routing table
>> 5    if [ "$1" = "del" ]; then
>> 6       PLUTO_PEER_INTERFACE=`ip -o route get $PLUTO_PEER_CLIENT | sed
>> "s/^.*de$
>> 7    else
>> 8       PLUTO_PEER_INTERFACE=`ip -o route get $PLUTO_PEER | sed "s/^.*dev
>> \([^ $
>> 9    fi
>> 10   if [ -z "$PLUTO_PEER_INTERFACE" ]; then
>> 11        PLUTO_PEER_INTERFACE=$PLUTO_INTERFACE
>> 12    fi
>> 13    parms2="$parms2 dev ${PLUTO_PEER_INTERFACE%:*} $IPROUTEARGS"
>> ...
>>
>>
>> Commenting lines 5,6,7,8,9 solved the problem.
>>
>>
>>
>> Maybe this is a "issue" to fix? (in openswan 2.4.6 _updown script works
>> fine)
>>
>> The question now is: Why net2net connections work without this patch?
>> Thank you.
>>

This was a change which was done to force the route via the correct interface.
That means your routing configuration is not correct if this doesn't
work. Routing should always point to the same interface the packet arrived from.
I use a shorewall based multi-isp setup and this works ok there. Shorewall
does packet marking trickery to make sure the route out is via the same interface
the initial contact was from.

--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
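The quoted `_updown.netkey` fragment picks the outgoing device for the peer route by parsing `ip -o route get` and falls back to `PLUTO_INTERFACE` when nothing is found; Tuomo's answer is that the route back to a peer must leave on the interface the IKE packet arrived on. The script below is an added example, not code from openswan or from either poster: it reimplements that selection logic as shell functions over constructed sample `ip -o route get` output lines, and adds a consistency check you can use to confirm a multi-ISP routing table before blaming the `_updown` script. The sed expression is my reconstruction from the truncated fragment on the page, and the sample route lines and interface names are invented.

```shell
#!/bin/sh
# Added example: mirror the interface-selection logic of _updown.netkey
# and check that the reply route for a peer is consistent with the
# interface the packet arrived on. Sample data is constructed, not captured.

# One line of `ip -o route get <addr>` output for a directly connected peer.
SAMPLE_DIRECT='192.0.2.7 dev eth0 src 192.0.2.10 \    cache'
# A peer reached through a gateway on an aliased interface (eth1:1).
SAMPLE_VIA='198.51.100.20 via 203.0.113.1 dev eth1:1 src 203.0.113.10 \    cache'
# `ip route get` prints errors to stderr, so an unroutable peer leaves stdout empty.
SAMPLE_NONE=''

# Extract the "dev" field from one line of `ip -o route get` output.
# Prints nothing if no "dev" field is present (sed regex reconstructed from
# the truncated fragment quoted in the thread; treat it as an assumption).
iface_from_route() {
    printf '%s\n' "$1" | sed -n 's/^.*dev \([^ ]*\).*$/\1/p'
}

# Choose the device for the peer route: the routing table's answer first,
# otherwise fall back to the interface pluto saw ($2), as the script does.
# The alias suffix (":1") is stripped because `ip route` wants the base device.
pick_peer_iface() {
    route_line=$1
    pluto_iface=$2
    iface=$(iface_from_route "$route_line")
    [ -z "$iface" ] && iface=$pluto_iface
    printf '%s\n' "${iface%:*}"
}

# Return 0 when the reply route for the peer leaves on the interface the
# packet arrived on ($2), non-zero otherwise. A non-zero result here is the
# routing misconfiguration Tuomo describes: the updown script will then
# install the peer route on a device other than the one IKE came in on.
reply_route_consistent() {
    route_line=$1
    arrival_iface=$2
    iface=$(iface_from_route "$route_line")
    [ -n "$iface" ] && [ "${iface%:*}" = "${arrival_iface%:*}" ]
}

# Demonstration when run stand-alone.
echo "direct peer -> $(pick_peer_iface "$SAMPLE_DIRECT" eth9)"
echo "via gateway -> $(pick_peer_iface "$SAMPLE_VIA" eth9)"
echo "unroutable  -> $(pick_peer_iface "$SAMPLE_NONE" eth9:0) (fallback to PLUTO_INTERFACE)"
if reply_route_consistent "$SAMPLE_VIA" eth0; then
    echo "eth0 peer: reply route consistent"
else
    echo "eth0 peer: reply route leaves on another interface, fix policy routing"
fi
```

On a live host the route line comes from `ip -o route get "$PLUTO_PEER"` and the arrival interface from `PLUTO_INTERFACE`; when the check fails for a peer on a second uplink, the fix is a source-based policy route (or shorewall's packet marking) so that traffic to that peer exits the same uplink it came in on.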

