[Swan] ipsec-interface with auto=ondemand
Paul Wouters
paul at nohats.ca
Sat Feb 6 23:03:30 UTC 2021
On Sat, 6 Feb 2021, Cesare Leonardi wrote:
> Hello, just to try the "ipsec-interface" parameter, that I've never used
> before, I've added "ipsec-interface=yes" to a working VPN (Libreswan 4.2) and
> I've noted that it has trouble with "auto=ondemand".
>
> In that case, as soon as I start the ipsec service, I see something like that in
> the log:
> =====
> "test": route-host output: /usr/libexec/ipsec/_updown.xfrm: doroute "ip -4
> route replace 192.168.1.0/24 dev ipsec1" failed (Cannot find device
> "ipsec1")
> =====

We need to look at fixing this bug.

One workaround for this can be to define the ipsec1 interface
outside of pluto (e.g. via systemd/NM) so that the device is always
present - irrespective of whether libreswan is running.

Paul