[Swan] ipsec-interface with auto=ondemand
Cesare Leonardi
celeonar at gmail.com
Sat Feb 6 17:14:29 UTC 2021
Hello, just to try the "ipsec-interface" parameter, which I've never used
before, I've added "ipsec-interface=yes" to a working VPN (Libreswan
4.2) and I've noted that it has trouble with "auto=ondemand".
In that case, as soon as I start the ipsec service, I see something like
this in the log:
=====
"test": route-host output: /usr/libexec/ipsec/_updown.xfrm: doroute "ip
-4 route replace 192.168.1.0/24 dev ipsec1" failed (Cannot find device
"ipsec1")
=====
The message is right, because in that moment the ipsec1 interface
doesn't exist, as reported by "ip link".
If I trigger traffic to bring the VPN up, it starts as expected and the
ipsec1 interface is created, but clearly I cannot reach the other end,
since the corresponding route is not there.
If I change to "auto=start", everything is ok: VPN works, the ipsec1
interface is there and also its route.
So it seems that the ipsec1 interface is created too late for the
ondemand case.
If it helps, my connection is something like this:
=====
conn test
auto=ondemand
authby=rsasig
ipsec-interface=yes
leftid=@left
left=192.168.10.55
leftrsasigkey=xyz...
rightid=@right
right=1.2.3.4
rightsubnet=192.168.1.0/24
rightrsasigkey=abc...
dpdaction=restart
dpddelay=10
dpdtimeout=30
=====
Cesare.
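As an added triage example (not Libreswan's own code and not part of the original post), the script below parses a conn block like the one above, derives the XFRM device name that "ipsec-interface=" implies, matches the "Cannot find device" route-host failure quoted in the log, and classifies the configuration as the ondemand-with-missing-device case described in the post. Assumptions: "ipsec-interface=yes" maps to ipsec1 and a numeric value N to ipsecN (the post only shows the "yes" case); device presence is checked via /sys/class/net, which is a Linux-only convention; the sample conn block and the unwrapped log line are constructed from the post.

```python
import os
import re

# Constructed sample: the conn block from the post, in ipsec.conf layout.
SAMPLE_CONN = """\
conn test
    auto=ondemand
    authby=rsasig
    ipsec-interface=yes
    leftid=@left
    left=192.168.10.55
    leftrsasigkey=xyz...
    rightid=@right
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    rightrsasigkey=abc...
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
"""

# Constructed sample: the route-host failure from the post, unwrapped onto one line.
SAMPLE_LOG = ('"test": route-host output: /usr/libexec/ipsec/_updown.xfrm: doroute '
              '"ip -4 route replace 192.168.1.0/24 dev ipsec1" failed '
              '(Cannot find device "ipsec1")')


def parse_conn(text):
    """Parse a single 'conn NAME' block into a dict of key=value settings.
    The conn name is stored under the '_name' key."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            settings["_name"] = line.split(None, 1)[1].strip()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def ipsec_interface_name(value):
    """Map an ipsec-interface= value to the kernel device name.
    Assumption: 'yes' -> ipsec1 (as seen in the post), digits N -> ipsecN,
    'no' or absent -> no XFRM interface."""
    if value in (None, "no"):
        return None
    if value == "yes":
        return "ipsec1"
    if value.isdigit():
        return "ipsec%d" % int(value)
    raise ValueError("unexpected ipsec-interface value: %r" % value)


def linux_device_exists(dev):
    """Linux-only check: a network device shows up as /sys/class/net/<dev>."""
    return os.path.isdir("/sys/class/net/%s" % dev)


# Matches the _updown.xfrm doroute failure when the target device is absent.
ROUTE_FAIL_RE = re.compile(
    r'"(?P<conn>[^"]+)": route-host output: .*doroute "(?P<cmd>[^"]+)" failed '
    r'\(Cannot find device "(?P<dev>[^"]+)"\)')


def parse_route_failure(log_line):
    """Return (conn name, missing device, attempted route command) if the line
    is a doroute failure caused by a missing device, else None."""
    m = ROUTE_FAIL_RE.search(log_line)
    if not m:
        return None
    return m.group("conn"), m.group("dev"), m.group("cmd")


def diagnose(conn, device_exists=linux_device_exists):
    """Classify a parsed conn as 'no-interface', 'ok', or
    'ondemand-device-missing' (the case reported in the post: the route is
    installed at ondemand time, before the XFRM device has been created)."""
    dev = ipsec_interface_name(conn.get("ipsec-interface"))
    if dev is None:
        return "no-interface"
    if conn.get("auto") == "ondemand" and not device_exists(dev):
        return "ondemand-device-missing"
    return "ok"


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    print("conn %s expects device %s" % (conn["_name"],
          ipsec_interface_name(conn.get("ipsec-interface"))))
    print("log failure:", parse_route_failure(SAMPLE_LOG))
    print("diagnosis:", diagnose(conn))
```

Running it on a host where ipsec1 does not yet exist reports "ondemand-device-missing", which is exactly the state the log line above describes; switching the parsed block to auto=start (or running after the device appears) yields "ok".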