From f22add05f6cccaae85eee4d99044d45f418b0989 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 26 Jun 2014 16:38:28 +0200
Subject: [PATCH] kernel-pfkey: Use address in TS to determine interface for shunt routes
---
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 5715476e17..e1a58aa94f 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2230,19 +2230,22 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 {
 route->gateway = hydra->kernel_interface->get_nexthop( hydra->kernel_interface, dst, -1, src);
+
+ /* if the IP is virtual, we install the route over the interface it has
+ * been installed on. Otherwise we use the interface we use for IKE, as
+ * this is required for example on Linux. */
+ if (is_virtual)
+ {
+ src = route->src_ip;
+ }
 }
 else
 { /* for shunt policies */
 route->gateway = hydra->kernel_interface->get_nexthop( hydra->kernel_interface, policy->src.net, policy->src.mask, route->src_ip);
- }
- /* if the IP is virtual, we install the route over the interface it has
- * been installed on. Otherwise we use the interface we use for IKE, as
- * this is required for example on Linux. */
- if (is_virtual)
- {
+ /* we don't have a source address, use the address we found */
 src = route->src_ip;
 }
--
2.47.2
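Review bot: In the shunt branch, `src` is now overwritten with `route->src_ip` unconditionally, and nothing in the hunk shows that `route->src_ip` is non-NULL or assigned to a local interface before the code after the hunk uses it to pick the interface. install_route starts and ends outside the hunk, so that guard may already exist earlier in the function. If it does not, a failed lookup should abort the install rather than leave a passthrough or drop route on an unintended interface. The new comment is also terse; something like `/* shunt policies have no IKE source address, so pick the interface from the local address found via the TS */` would record why `is_virtual` is not consulted in this branch.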