<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE-CH link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hello all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I have a weird problem, that Pluto is adding a second ip rule, even if the rule is already there.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I thought, this happens in the _updown-Script, but even with this minimal configuration, the rule will be added:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>config setup<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> charonstart=no<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> plutostart=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> charondebug=none<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> plutodebug=all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Before ipsec start:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US># ip rule<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>0: from all lookup local<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>100: from all lookup main<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>140: from 10.10.2.0/24 lookup wan0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>141: from 10.100.2.0/24 lookup wan1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>300: from all lookup wan0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>After ipsec start:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US># ip rule<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>0: from all lookup local<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>100: from all lookup main<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>100: from all lookup main<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>140: from 10.10.2.0/24 lookup wan0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>141: from 10.100.2.0/24 lookup wan1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>300: from all lookup wan0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Strongswan was compiled with “--with-routing-table=254 --with-routing-table-prio=100" (254 is “main”).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US># ipsec version<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Linux strongSwan U4.5.3/K2.6.35.10-SMP<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Institute for Internet Technologies and Applications<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>University of Applied Sciences Rapperswil, Switzerland<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>See 'ipsec --copyright' for copyright information.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Why is this behavior and where in the pluto sourcecode does the ip rule addition happen? Is it added with netlink?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>This is the log output:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: listening on interfaces:<o:p></o:p></span></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: eth0<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 172.16.20.2<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 172.16.200.1<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 172.16.20.1<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: eth1<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.2<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.4<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.5<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.6<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.10<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: eth2<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.130<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.10.2.129<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: eth3<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.100.2.2<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.100.2.4<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.100.2.5<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.100.2.6<o:p></o:p></p><p class=MsoNormal>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: 10.100.2.10<o:p></o:p></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: received netlink error: Address family not supported by protocol (97)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: unable to create IPv6 routing table rule<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | plugin 'kernel-netlink': loaded successfully<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | plugin 'resolve': loaded successfully<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: including NAT-Traversal patch (Version 0.6c) [disabled]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | 02 07 00 02 02 00 00 00 01 00 00 00 ac 66 00 00<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>2011-11-04 09:34:19 chgut2fw01 ipsec_starter[26283]: pluto (26284) started after 20 ms<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Best regards<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Elmar<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>____________________________<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Elmar Vonlanthen<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Solution Engineer<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Dipl. Ing. Informatik FH<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>United Security Providers AG<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Stauffacherstrasse 65/15<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>CH-3014 Bern<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Phone: +41 31 959 02 02<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Fax: +41 31 959 02 59<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Direct: +41 31 959 02 85<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Mobile: +41 79 242 25 07<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Mail: elmar.vonlanthen(at)united-security-providers.ch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif"'>Web: <a href="http://www.united-security-providers.ch/">http://www.united-security-providers.ch</a><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>