[Swan] ipsec-interface with auto=ondemand
celeonar at gmail.com
Sat Feb 6 17:14:29 UTC 2021
Hello, just to try the "ipsec-interface" parameter, that I've never used
before, I've added "ipsec-interface=yes" to a working VPN (Libreswan
4.2) and I've noted that it has trouble with "auto=ondemand".
In that case, as soon as I start the ipsec service, I see something like
this in the log:
"test": route-host output: /usr/libexec/ipsec/_updown.xfrm: doroute "ip
-4 route replace 192.168.1.0/24 dev ipsec1" failed (Cannot find device
The message is right, because at that moment the ipsec1 interface
doesn't exist, as reported by "ip link".
If I trigger traffic to bring the VPN up, it starts as expected, the
ipsec1 interface is created but clearly I cannot reach the other end,
since the corresponding route is not there.
If I change to "auto=start", everything is ok: VPN works, the ipsec1
interface is there and also its route.
So it seems that the ipsec1 interface is created too late for the
If it helps, my connection is something like this: