kernel-pfkey: when installing a route for a virtual IP, use its interface

When installing a route over a tun device for a virtual IP, the route must
be set over the tun, not the IKE interface.

diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5d059cf2be4dd8d1115fcafeb1473873939fe371..1aa7a6a99e7db1c866a50bce3b31c8c740d3eab8 100644 (file)
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1923,9 +1923,10 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 {
        route_entry_t *route, *old;
        host_t *host, *src, *dst;
+       bool is_virtual;
 
        if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-                                                                               in->dst_ts, &host, NULL) != SUCCESS)
+                                                                       in->dst_ts, &host, &is_virtual) != SUCCESS)
        {
                return FALSE;
        }
@@ -1942,6 +1943,14 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
                .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
        );
 
+       /* if the IP is virtual, we install the route over the interface it has
+        * been installed on. Otherwise we use the interface we use for IKE, as
+        * this is required for example on Linux. */
+       if (is_virtual)
+       {
+               src = route->src_ip;
+       }
+
        /* get interface for route, using source address */
        if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
                                                                                                src, &route->if_name))