From ca4a14ae83a1b00b792530dc328eae164d3f66e6 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 19 Apr 2013 14:27:31 +0200
Subject: kernel-pfkey: when installing a route for a virtual IP, use its interface

When installing a route over a tun device for a virtual IP, the route must be set over the tun, not the IKE interface.
---
 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5d059cf2b..1aa7a6a99 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1923,9 +1923,10 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 {
 route_entry_t *route, *old;
 host_t *host, *src, *dst;
+ bool is_virtual;
 
 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
- in->dst_ts, &host, NULL) != SUCCESS)
+ in->dst_ts, &host, &is_virtual) != SUCCESS)
 {
 return FALSE;
 }
@@ -1942,6 +1943,14 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
 );
 
+ /* if the IP is virtual, we install the route over the interface it has
+ * been installed on. Otherwise we use the interface we use for IKE, as
+ * this is required for example on Linux. */
+ if (is_virtual)
+ {
+ src = route->src_ip;
+ }
+
 /* get interface for route, using source address */
 if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
 src, &route->if_name))
--
cgit v1.2.3
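Review bot: `is_virtual` is declared without an initializer in the first hunk and then read by `if (is_virtual)` in the second, so the interface chosen for the route depends on `get_address_by_ts()` writing the out-parameter on every `SUCCESS` path, which is not visible in this patch. Initializing it at the declaration, `bool is_virtual = FALSE;`, would keep the pre-patch behaviour (interface looked up from the IKE address) as the fallback should that contract not hold, instead of branching on an indeterminate value. The body of `install_route` starts before and continues after both hunks, so the assignment of `src` that this branch overrides is not shown here.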