From e811659323a9ebb723dde65ebef5efb57d8ee689 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 8 Mar 2018 18:34:50 +0100
Subject: [PATCH] kernel-pfkey: Add option to install routes via internal interface

On FreeBSD, enabling this selects the correct source IP when sending packets from the gateway itself.
---
 conf/plugins/kernel-pfkey.opt | 10 ++++++++++
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 10 +++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt
index ec05215d3..0e347bebb 100644
--- a/conf/plugins/kernel-pfkey.opt
+++ b/conf/plugins/kernel-pfkey.opt
@@ -5,3 +5,13 @@ charon.plugins.kernel-pfkey.events_buffer_size = 0
 Because events are received asynchronously installing e.g. lots of policies
 may require a larger buffer than the default on certain platforms in order
 to receive all messages.
+
+charon.plugins.kernel-pfkey.route_via_internal = no
+ Whether to use the internal or external interface in installed routes.
+
+ Whether to use the internal or external interface in installed routes.
+ The internal interface is the one where the IP address contained in the
+ local traffic selector is located, the external interface is the one over
+ which the destination address of the IPsec tunnel can be reached.
+ This is not relevant if virtual IPs are used, for which a TUN device is
+ created that's used in the routes.
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 79abe587a..80c484b47 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -219,6 +219,11 @@ struct private_kernel_pfkey_ipsec_t
 */
 bool install_routes;

+ /**
+ * whether to install the route via internal interface
+ */
+ bool route_via_internal;
+
 /**
 * mutex to lock access to the PF_KEY socket
 */
@@ -2361,7 +2366,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 /* if the IP is virtual, we install the route over the interface it has
 * been installed on. Otherwise we use the interface we use for IKE, as
 * this is required for example on Linux. */
- if (is_virtual)
+ if (is_virtual || this->route_via_internal)
 {
 free(route->if_name);
 route->if_name = NULL;
@@ -3164,6 +3169,9 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 .install_routes = lib->settings->get_bool(lib->settings,
 "%s.install_routes", TRUE, lib->ns),
+ .route_via_internal = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-pfkey.route_via_internal",
+ FALSE, lib->ns),
 );
 if (streq(lib->ns, "starter"))
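Review bot: The comment directly above the changed condition in install_route is now stale: it still says the interface is replaced only for virtual IPs and that the IKE interface is otherwise used "as this is required for example on Linux", but the new `|| this->route_via_internal` takes the same branch for non-virtual IPs whenever the option is set. Suggest rewording it to `/* if the IP is virtual, or route_via_internal is enabled, we install the route over the interface the IP is located on. Otherwise we use the interface we use for IKE, as this is required for example on Linux. */` so the Linux caveat stays visibly tied to the new option. Since the comment itself records that routing via the internal interface is not suitable on Linux, the option's description in kernel-pfkey.opt would benefit from stating that it targets platforms like FreeBSD and should remain `no` where the IKE interface is required. What happens once `route->if_name` is NULL is outside the hunk — install_route continues past it — so whether a failed interface lookup for the local traffic-selector address aborts the route or installs it without an interface cannot be judged from here.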