[Swan] dev lo route error

Nick Howitt n1ck.h0w1tt at gmail.com
Fri Jan 4 19:13:48 EET 2013


In Oguz Yilmaz's case he appears to have a right specified 
(right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) rather 
than right=%any and no leftnexthop. :(

We have hit some minor odd issues - ipsec auto --status does not give 
any info on phase2alg unless it is specified. It may also fail if it is 
specified with the hash function e.g. aes256-sha1 but I need to test 
further and my time for testing is very limited. But this should all be 
for another thread......

Nick

On 04/01/2013 16:17, Paul Wouters wrote:
>
> On Fri, 4 Jan 2013, Nick Howitt wrote:
>
>> A few of us are trying to develop a front end for this/Openswan in 
>> ClearOS, and one person has tried LibreSwan and he got the same
>> thing. If you look in Oguz Yilmaz's log you will see:
>
> Neat! Keep us in the loop?
>
>> Jan  2 10:18:28 2013 pluto[18211]: \"myvpn/0x2\" #2: route-client
>> output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace
>> 192.168.2.0/24 via 10.46.1.5 dev lo  src 10.46.1.5\' failed (RTNETLINK
>> answers: No such process)
>>
>> The tester's comment is "The only bad news is that the 
>> /usr/libexec/ipsec/_updown.netkey appears to have been modified, such 
>> that the
>> local route from the gateway fails as it attempts to use the 'lo' 
>> interface rather than the default route... still investigating why
>> this differs between packages"
>
> You'll see the new code in programs/addconn/addconn.c that is
> responsible for that.
>
> When no leftnexthop= is specified, we try to determine it based on the
> routing table. In openswan it was always based on the defaultroute, eg
> the default gateway.
>
> There seems to be an issue with this code in some circumstances. I
> believe this might be because if you ask the kernel for the gateway
> of "0.0.0.0" (right=%any) it might give you 127.0.0.1 with dev lo...
>
> Paul
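The failure mode Paul describes above (a nexthop lookup for a `%any` peer, i.e. 0.0.0.0, answered by the kernel with a loopback route, which then produces the failing `ip route replace ... dev lo` command in Oguz Yilmaz's log) can be guarded against by validating the routing-table answer before building the route command and falling back to the default gateway, as openswan did. The following is an added example, not code from Libreswan's addconn.c or `_updown.netkey`: it parses the text output of `ip route get <peer>` and `ip route show default` instead of using netlink directly, and all sample outputs, the peer address 203.0.113.7, the gateways 10.46.1.1 and 10.46.1.254 and the interface names are constructed for the example.

```python
"""Pick a usable nexthop for an IPsec client route, refusing loopback answers.

Added example: parses `ip route get` / `ip route show default` text output.
The sample outputs below are constructed; the 0.0.0.0 lookup line mirrors
the loopback answer described in the mailing-list thread.
"""
import subprocess

# Constructed sample output for `ip route get 0.0.0.0` (a %any peer): the
# kernel answers with a loopback route, which must never become a nexthop.
ANY_PEER_LOOKUP = "0.0.0.0 via 127.0.0.1 dev lo src 10.46.1.5\n    cache\n"

# Constructed sample output for `ip route get 203.0.113.7` (a real peer).
REAL_PEER_LOOKUP = (
    "203.0.113.7 via 10.46.1.254 dev eth1 src 10.46.1.9 uid 0\n    cache\n"
)

# Constructed sample output for `ip route show default`.
DEFAULT_ROUTE = "default via 10.46.1.1 dev eth0 proto static\n"


def parse_route_line(output):
    """Parse the first line of `ip route get` / `ip route show` output.

    Returns a dict with dst, via, dev, src and a 'local' flag (set when the
    kernel reports a locally-delivered route such as 'local 0.0.0.0 dev lo').
    """
    lines = output.strip().splitlines()
    info = {"dst": None, "via": None, "dev": None, "src": None, "local": False}
    if not lines:
        return info
    tokens = lines[0].split()
    if tokens and tokens[0] == "local":
        info["local"] = True
        tokens = tokens[1:]
    if not tokens:
        return info
    info["dst"] = tokens[0]
    # 'via', 'dev' and 'src' are each followed by their value.
    for key in ("via", "dev", "src"):
        if key in tokens and tokens.index(key) + 1 < len(tokens):
            info[key] = tokens[tokens.index(key) + 1]
    return info


def usable_nexthop(route):
    """A route is usable as a nexthop only if it has a gateway on a real interface."""
    return bool(route["via"]) and route["dev"] != "lo" and not route["local"]


def choose_nexthop(peer_lookup_output, default_route_output):
    """Return (gateway, dev) for the tunnel route, or None if nothing is usable.

    First try the kernel's answer for the peer itself; if that is a loopback
    or local route (the %any / 0.0.0.0 case), fall back to the default route.
    """
    peer = parse_route_line(peer_lookup_output)
    if usable_nexthop(peer):
        return peer["via"], peer["dev"]
    default = parse_route_line(default_route_output)
    if usable_nexthop(default):
        return default["via"], default["dev"]
    return None


def route_argv(subnet, src, gateway, dev):
    """Build the argv for the `ip route replace` that _updown would run."""
    return ["ip", "route", "replace", subnet, "via", gateway, "dev", dev, "src", src]


def live_lookup(destination):
    """Run the real `ip route get` (not used by the offline demo below)."""
    return subprocess.check_output(["ip", "route", "get", destination], text=True)


if __name__ == "__main__":
    # Offline demo on the constructed outputs: the %any lookup is rejected and
    # the default gateway is used instead of 127.0.0.1 dev lo.
    for label, lookup in (("%any peer", ANY_PEER_LOOKUP), ("real peer", REAL_PEER_LOOKUP)):
        chosen = choose_nexthop(lookup, DEFAULT_ROUTE)
        if chosen is None:
            print(label, "-> no usable nexthop, refusing to install route")
        else:
            gw, dev = chosen
            print(label, "->", " ".join(route_argv("192.168.2.0/24", "10.46.1.5", gw, dev)))
```

On a real host the two strings passed to `choose_nexthop` would come from `live_lookup(peer)` and `subprocess.check_output(["ip", "route", "show", "default"], text=True)`; the point of the check is that a `dev lo` or `local` answer is never turned into a `via ... dev lo` route, which is exactly the command that failed with "No such process" in the log above.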


