authorMartin Willi <martin@revosec.ch>2013-04-19 14:27:31 +0200
committerMartin Willi <martin@revosec.ch>2013-05-06 16:10:13 +0200
commitca4a14ae83a1b00b792530dc328eae164d3f66e6 (patch)
tree72c1e6b73cea83cfaefdcd9085c86cd4d85597ec /src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
parentf52cf07532dded002c073db69c11e0c891e27bf5 (diff)
kernel-pfkey: when installing a route for a virtual IP, use its interface
When installing a route over a tun device for a virtual IP, the route must be set over the tun, not the IKE interface.
Diffstat (limited to 'src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5d059cf2b..1aa7a6a99 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1923,9 +1923,10 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
{
route_entry_t *route, *old;
host_t *host, *src, *dst;
+ bool is_virtual;
if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
- in->dst_ts, &host, NULL) != SUCCESS)
+ in->dst_ts, &host, &is_virtual) != SUCCESS)
{
return FALSE;
}
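Review bot: `is_virtual` is declared without an initializer and is read later in install_route (`if (is_virtual)` in the next hunk), so its value depends on get_address_by_ts() writing the out-parameter on every SUCCESS return. That function is not visible here, so this may already hold. Declaring it as `bool is_virtual = FALSE;` removes the dependency and keeps the choice of routing interface deterministic if an implementation leaves the out-parameter untouched. install_route's body continues outside the hunk.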
@@ -1942,6 +1943,14 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
.dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
);
+ /* if the IP is virtual, we install the route over the interface it has
+ * been installed on. Otherwise we use the interface we use for IKE, as
+ * this is required for example on Linux. */
+ if (is_virtual)
+ {
+ src = route->src_ip;
+ }
+
/* get interface for route, using source address */
if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
src, &route->if_name))
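Review bot: Overwriting `src` at `src = route->src_ip;` changes what that variable means for the rest of install_route, and the existing comment `/* get interface for route, using source address */` no longer says which address is used. Any later use of `src` outside this hunk (not visible here) would see the virtual IP, through a pointer that presumably belongs to `route`. Passing the choice directly as the get_interface() argument, `is_virtual ? route->src_ip : src`, leaves `src` intact. The comment could then read `/* get interface for route: the virtual IP's interface if virtual, else the IKE source's */`. The function starts before and continues after the hunk.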