[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)
Paul Wouters
paul at nohats.ca
Fri Sep 23 00:09:21 UTC 2016
On Tue, 20 Sep 2016, Reuben Farrelly wrote:
> Here's after a clean reboot:
>
> lightning ~ # ip route
> default via 139.162.51.1 dev eth0 metric 3
> 127.0.0.0/8 dev lo scope host
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 139.162.51.0/24 dev eth0 proto kernel scope link src 139.162.51.249
> lightning ~ #
>
> The VTI won't come up though. It fails, as towards the end of the
> negotiation the box loses connectivity with the peer and from the Cisco's
> perspective never completes negotiation - so I had to add a route to cover
> the peer's public subnet:
>
> 1.0.0.0/8 via 139.162.51.1 dev eth0
My guess is this would resolve your issue:
diff --git a/programs/_updown.netkey/_updown.netkey.in
b/programs/_updown.netkey/_updown.netkey.in
index 3031ac5..2fd1a83 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -481,9 +481,6 @@ doroute() {
case "${PLUTO_PEER_CLIENT}" in
"0.0.0.0/0")
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 ${parms2} && ip route $1
128.0.0.0/1 ${parms2}"
;;
*)
it="ip route $1 ${parms} ${parms2}"
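Review bot: with the body of the "0.0.0.0/0" arm removed, that arm still matches and now does nothing, so no route at all is installed for any conn whose peer client is 0.0.0.0/0, VTI or not; an empty arm does not fall through to the `*)` arm below it. If the intent is to skip routing only for VTI conns, gate the skip on the conn's VTI setting and keep the two /1 routes for non-VTI full-tunnel conns. The removed comment explaining why `0.0.0.0/1` plus `128.0.0.0/1` eclipse the default route without replacing it is worth keeping next to whatever remains of this arm.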
We should probably check for the conn doing VTI and skip it in that
case.
Can you test this and let me know?
Paul
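As an added illustration, not code from this thread or from libreswan: the failure Reuben describes follows from plain longest-prefix matching. The two /1 routes the updown script installs for a 0.0.0.0/0 peer client beat the default route for every destination, including the IKE peer itself, so the tail of the negotiation is sent into the not-yet-working tunnel. A more specific route for the peer (Reuben's 1.0.0.0/8, or a /32 for the peer alone) wins again over the /1s. The routing lines are modelled on the posted `ip route` output; the VTI device name `vti01`, the peer address 1.2.3.4 and the exact form of the /1 routes are assumptions.

```python
import ipaddress

# Constructed example, not code from the thread or from libreswan.
# Routing-table lines are modelled on Reuben's 'ip route' output; the VTI
# device name (vti01) and the peer address (1.2.3.4) are assumptions.

def parse_routes(lines):
    """Parse 'ip route'-style lines into (network, device, via) tuples.
    'default' is treated as 0.0.0.0/0; metrics and scope are ignored."""
    routes = []
    for line in lines:
        parts = line.split()
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dst), dev, via))
    return routes

def egress_device(lines, addr):
    """Longest-prefix match over the table, as the kernel does it;
    returns the outgoing device for addr (None if nothing matches)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dst, dev, via in parse_routes(lines):
        if ip in dst and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, dev, via)
    return best[1] if best else None

def has_default_route(lines):
    """True if a 0.0.0.0/0 entry is still present, i.e. the /1 routes
    eclipse the default rather than replacing it."""
    return any(dst.prefixlen == 0 for dst, _, _ in parse_routes(lines))

def peer_host_route(peer, gateway, dev):
    """The tightest route that keeps IKE/ESP to the peer off the tunnel:
    a /32 for the peer itself via the original default gateway."""
    return f"{ipaddress.ip_address(peer)}/32 via {gateway} dev {dev}"

GATEWAY = "139.162.51.1"
PEER = "1.2.3.4"  # assumed placeholder for the Cisco peer's public address

BASE = [  # after a clean reboot, as posted
    "default via 139.162.51.1 dev eth0 metric 3",
    "139.162.51.0/24 dev eth0 proto kernel scope link src 139.162.51.249",
]
ECLIPSED = BASE + [  # what the updown script adds for a 0.0.0.0/0 peer client
    "0.0.0.0/1 dev vti01",
    "128.0.0.0/1 dev vti01",
]
FIXED = ECLIPSED + [  # the subnet route Reuben added by hand
    "1.0.0.0/8 via 139.162.51.1 dev eth0",
]

if __name__ == "__main__":
    for name, table in (("base", BASE), ("eclipsed", ECLIPSED), ("fixed", FIXED)):
        print(f"{name:9s} default present: {has_default_route(table)}  "
              f"peer {PEER} leaves via {egress_device(table, PEER)}")
    print("tighter alternative:", peer_host_route(PEER, GATEWAY, "eth0"))
```

Run as a script it prints which device the peer address resolves to in each of the three tables; the eclipsed table still carries the default route, yet every destination, the peer included, now exits via the VTI until the more specific route is present.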