On Fri, 31 Oct 2025 at 01:12, Skye Dobson <[email protected]> wrote:
>
> Rocky 9 packaged RPMs don't go beyond libreswan 4.15 so I downloaded 5.3
> as a tarball and compiled from source.
>
> After bringing up the connection, ipsec showroute returns an error:
>
> # ipsec showroute 2404:9400:3:0:216:3eff:fee8:a03
> ipsec showroute: 2404:9400:3:0:216:3eff:fee8:a03: source failed

Sorry, I should have mentioned --debug, as in:

    ipsec showroute --debug 2404:9400:3:0:216:3eff:fee8:a03

and to run it before the connection establishes (even without pluto running).
It runs the code used to resolve %defaultroute.

> So I hacked the _updown script to dump the relevant variables passed in:

(there's also the undocumented debug=updown which runs the script with -v -x.)

>
> If I hard code 'left' and 'leftnexthop' into the conn description in lieu
> of %defaultroute (which works okay), the only difference to above
> variables is
>
> PLUTO_NEXT_HOP=2403:5805:3555::1
>
> which is the global routable IP through outbound interface eth0
>
> It seems that with %defaultroute, PLUTO_NEXT_HOP is being correctly
> determined as fe80::a691:b1ff:fed4:dc56 (link-local IP of the outbound
> interface eth0) but the source device is being forced to eth1 (internal)
>
> # ip -6 ro li
> 2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1
> src 2403:5805:3555:10::1 metric 1024 pref medium
>
> If I manually delete that incorrect route and create the same except
> using dev eth0 then everything works happily.

It's sounding a lot like breakage in the %defaultroute code.

_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
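A small diagnostic for the symptom discussed in this thread, added here and not part of the thread or of libreswan: it parses `ip -6 route` lines and flags a host route whose gateway is the default route's link-local next hop but whose `dev` is a different interface. The default-route line and the `src` address of the corrected route are constructed; the broken route is the one quoted above.

```shell
#!/bin/sh
# Added diagnostic (not libreswan's code): detect a host route that copies
# the default route's link-local gateway but points at the wrong interface,
# which is what the thread's "dev eth1" route looks like.

# Print the value following keyword $2 in an "ip route" line $1,
# e.g.  route_field "$line" dev  ->  eth1
route_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# check_route ROUTE_LINE DEFAULT_ROUTE_LINE
#   exit 0: same gateway and same dev as the default route (consistent)
#   exit 1: same gateway but a different dev (the mismatch in the thread)
#   exit 2: different gateway, nothing to compare
check_route() {
    via=$(route_field "$1" via); dev=$(route_field "$1" dev)
    gw=$(route_field "$2" via);  gwdev=$(route_field "$2" dev)
    [ -n "$via" ] && [ "$via" = "$gw" ] || return 2
    [ "$dev" = "$gwdev" ]
}

# Constructed samples: the default route is assumed (not quoted in the
# thread); BAD is the route quoted in the thread; GOOD is the fixed route
# with a constructed src address.
DEFAULT='default via fe80::a691:b1ff:fed4:dc56 dev eth0 proto ra metric 1024 pref medium'
BAD='2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1 src 2403:5805:3555:10::1 metric 1024 pref medium'
GOOD='2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth0 src 2403:5805:3555::2 metric 1024 pref medium'

for r in "$BAD" "$GOOD"; do
    check_route "$r" "$DEFAULT" && rc=0 || rc=$?
    case $rc in
        0) echo "ok:       $r" ;;
        1) echo "MISMATCH: dev $(route_field "$r" dev), but the default route leaves via dev $(route_field "$DEFAULT" dev)" ;;
        *) echo "skip:     gateway differs from the default route: $r" ;;
    esac
done
```

On a live host the two arguments would come from `ip -6 route get <peer> | head -n1` and `ip -6 route show default | head -n1` (assumed invocation); the fields parsed here (via, dev, src) appear in both outputs.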
