Do not install routes for pluto.

There are some incompatibilities with e.g. passthrough policies.
Pluto installs required source routes via updown script.

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 25878addfd5cb2f29ff76f746dcb0bf89735f099..5b869e78ba73f0c6b44123250c15f608d2e998d2 100644 (file)
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2171,6 +2171,11 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
                                                                                                  hydra->daemon),
        );
 
+       if (streq(hydra->daemon, "pluto"))
+       {       /* no routes for pluto, they are installed via updown script */
+               this->install_routes = FALSE;
+       }
+
        /* disable lifetimes for allocated SPIs in kernel */
        fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
        if (fd)

diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index b4e64b61fc0dab6aab3a2058e1fe1169235fcc54..f5786447b1c8b827e9b62331d7145111a500693f 100644 (file)
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2137,6 +2137,11 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
                                                                                                  hydra->daemon),
        );
 
+       if (streq(hydra->daemon, "pluto"))
+       {       /* no routes for pluto, they are installed via updown script */
+               this->install_routes = FALSE;
+       }
+
        /* create a PF_KEY socket to communicate with the kernel */
        this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        if (this->socket <= 0)