[Swan] Basic netkey routing issue
Tuomo Soini
tis at foobar.fi
Thu Mar 15 10:03:32 UTC 2018
On Wed, 14 Mar 2018 10:18:18 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:
> > The tunnels are established successfully.
>
> > ping: sendto: Network is unreachable
>
> The problem is that the packet is lost before it hits the IPsec
> machinery.
> So I guess, it would be nice if the updown script could auto-detect
> that there is no routing to the remote subnet, and add one in that
> case.
That would work but I don't like the complexity this would add.
> Tuomo, do you think that can be done safely?
Actually this is a kernel bug and should be fixed inside the kernel. While
xfrm overrides routing, the no-route check doesn't check if there is a tunnel
before sending the "Network is unreachable" ICMP.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>