[Swan] vti - route script fails with wrong address
Heiko Helmle
heiko.helmle at horiba.com
Fri Jul 20 10:31:41 UTC 2018
Hello list,
I upgraded the libreswan packages to 3.25 from the Libreswan repositories, as there seemed to be a revamped _updown.netkey script in the package...
but it still fails with a wrong route target while trying to route it.
Is this supposed to fail? Is the routing command really supposed to use PLUTO_NEXTHOP in a vti configuration? Because only the real interface sees PLUTO_NEXTHOP - the vti device uses PLUTO_PEER as PtP-Remote-IP.
If the script used PLUTO_PEER instead, it might work?
Still confused...
Best Regards
Heiko
From: Swan <swan-bounces at lists.libreswan.org> On Behalf Of Heiko Helmle
Sent: Friday, 6 July 2018 14:22
To: swan at lists.libreswan.org
Subject: [Swan] vti - route script fails with wrong address
Hello Libreswan-Users,
I'm having trouble trying out vti-based tunnels.
I'm using libreswan-3.23-5.el7_5.x86_64 - (from the CentOS repos).
Connection is roughly this:
Left = %defaultroute
Leftsourceip, leftsubnet and rightsubnet are defined
Vti-interface and mark are defined.
ipsec auto --add works, but
ipsec auto --route fails:
route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route replace (rightsubnet) via (defaultroute) dev (vti-interface) src (leftsourceip)" failed (RTNETLINK answers: Network is unreachable)
The script is trying to use the (real) interface's default route as a routing target on the vti device - and fails.
Could anyone point me where I'd have to look closer? Or is vti only supposed to work with left/rightsubnet set to 0.0.0.0?
Best Regards
Heiko
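
The "Network is unreachable" reply reported above is what the kernel returns when the `via` gateway is not on-link for the named device. The following is an added example, not part of the original thread and not code from libreswan's _updown.netkey: it models that check for IPv4. The function names are hypothetical and the addresses are constructed documentation-range values standing in for PLUTO_NEXTHOP and PLUTO_PEER.

```shell
#!/bin/sh
# Added example (not libreswan code). Models the kernel rule that a route's
# "via" gateway must be covered by a link-scope route on the same device:
# normally a connected prefix, or the peer /32 of a point-to-point address.

# ip2int A.B.C.D -> prints the address as an integer
ip2int() {
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_prefix ADDR PREFIX/LEN -> exit status 0 if ADDR lies inside PREFIX/LEN
in_prefix() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# gateway_onlink GW PREFIX... -> exit status 0 if GW is on-link for a device
# whose link-scope routes are the given prefixes
gateway_onlink() {
    gw=$1; shift
    for p in "$@"; do
        in_prefix "$gw" "$p" && return 0
    done
    return 1
}

# Constructed sample values (assumptions, not taken from the thread):
NEXTHOP=192.0.2.1          # default gateway on the real interface
PEER=198.51.100.7          # remote IPsec endpoint, PtP peer of the vti device
ETH_ROUTES="192.0.2.0/24"  # connected prefix of the real interface
VTI_ROUTES="$PEER/32"      # only link-scope route on the vti device

for gw in "$NEXTHOP" "$PEER"; do
    if gateway_onlink "$gw" $VTI_ROUTES; then
        echo "via $gw dev vti: gateway on-link, route accepted"
    else
        echo "via $gw dev vti: gateway not on-link, Network is unreachable"
    fi
done
```
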