On Tue, 20 Sep 2016, Reuben Farrelly wrote:
> Here's after a clean reboot:
> lightning ~ # ip route
> default via 139.162.51.1 dev eth0 metric 3
> 127.0.0.0/8 dev lo scope host
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 139.162.51.0/24 dev eth0 proto kernel scope link src 139.162.51.249
> lightning ~ #
> The VTI won't come up though. It fails, as towards the end of the
> negotiation the box loses connectivity with the peer and from the Cisco's
> perspective never completes negotiation - so I had to add a route to cover
> the peer's public subnet:
> 1.0.0.0/8 via 139.162.51.1 dev eth0
My guess is this would resolve your issue:
diff --git a/programs/_updown.netkey/_updown.netkey.in
b/programs/_updown.netkey/_updown.netkey.in
index 3031ac5..2fd1a83 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -481,9 +481,6 @@ doroute() {
case "${PLUTO_PEER_CLIENT}" in
"0.0.0.0/0")
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 ${parms2} && ip route $1
128.0.0.0/1 ${parms2}"
;;
*)
it="ip route $1 ${parms} ${parms2}"
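Review bot: after the three `-` lines go, the `"0.0.0.0/0")` branch is empty (only `;;` is left), so `it` is never assigned for a full-tunnel conn and whatever code consumes `it` after the `case` (outside this hunk) sees it unset or holding a stale value; and the two eclipsing routes are dropped for every 0.0.0.0/0 conn, although the message says only VTI conns should skip them, so non-VTI full-tunnel conns lose the `0.0.0.0/1` and `128.0.0.0/1` routes they currently get. Suggest keeping `it="ip route $1 0.0.0.0/1 ${parms2} && ip route $1 128.0.0.0/1 ${parms2}"` and guarding it with a test for the VTI case, assigning `it=""` explicitly in the skipped branch, rather than deleting the lines outright.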
We should probably check for the conn doing VTI and skip it in that
case.
Can you test this and let me know?
Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
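The behaviour Reuben describes (the VTI never finishing negotiation until he added a route for the peer's /8) follows from longest-prefix matching: the two /1 routes the updown script installs are more specific than the default route, so they win for every destination, including the IKE peer itself, while a /8 or /24 is more specific still and wins over the /1s. The lookup below, written as an added illustration and not taken from the thread or from libreswan, models that with the routes shown above; the `vti0` device, the peer address 1.0.0.10 and the table variants are constructed assumptions.

```python
import ipaddress

# Constructed route tables modelled on the thread. Base entries are the
# default route and the connected /24 from Reuben's "ip route" output.
# eclipse=True adds the two /1 routes _updown.netkey installs for a
# 0.0.0.0/0 conn (here assumed to point at a VTI device, vti0).
# peer_route=True adds Reuben's manual 1.0.0.0/8 workaround route.
def make_table(eclipse: bool, peer_route: bool):
    entries = [
        ("0.0.0.0/0", "139.162.51.1", "eth0"),   # default via the gateway
        ("139.162.51.0/24", None, "eth0"),       # connected subnet
    ]
    if eclipse:
        entries += [("0.0.0.0/1", None, "vti0"), ("128.0.0.0/1", None, "vti0")]
    if peer_route:
        entries.append(("1.0.0.0/8", "139.162.51.1", "eth0"))
    return [(ipaddress.ip_network(n), via, dev) for n, via, dev in entries]


def lookup(table, dst):
    """Longest-prefix match: the matching route with the longest mask wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def egress_dev(table, dst):
    """Device a packet to dst would leave on under this table."""
    return lookup(table, dst)[2]


if __name__ == "__main__":
    peer = "1.0.0.10"   # constructed address inside the peer's 1.0.0.0/8
    # With the /1 routes and no peer route, IKE traffic to the peer is pushed
    # into the tunnel that is still being negotiated: the failure in the thread.
    print(egress_dev(make_table(eclipse=True, peer_route=False), peer))   # vti0
    # Reuben's workaround: a /8 toward the peer beats the /1 routes.
    print(egress_dev(make_table(eclipse=True, peer_route=True), peer))    # eth0
    # The gateway itself is never affected: the connected /24 beats the /1s.
    print(egress_dev(make_table(eclipse=True, peer_route=False), "139.162.51.1"))  # eth0
    # Without the eclipsing routes at all (the patch's effect), everything
    # falls back to the default route.
    print(egress_dev(make_table(eclipse=False, peer_route=False), peer))  # eth0
```

The same check generalises to any destination: with the /1 routes present, any address not covered by a more specific entry goes to `vti0`, which is exactly what a full-tunnel non-VTI conn wants and exactly what breaks a VTI conn whose peer has no more specific route.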