If your default route is not via a single next hop, leftnexthop cannot express it. Fortunately, the _updown script that adds and removes the routes can be customized. Rather than modify /lib/ipsec/_updown itself, set leftupdown (or rightupdown) to the path of your modified copy.
This example uses a router which has a default route spread over three T1 links. The normal default route looks like this:
ip route add default proto static scope global \
        nexthop via 10.0.0.177 dev wp1ppp weight 1 \
        nexthop via 10.0.0.181 dev wp2ppp weight 1 \
        nexthop via 10.0.0.185 dev wp3ppp weight 1
To carry connections over these links, the interfaces= setting in ipsec.conf must bind an ipsec interface to each T1 interface:
config setup
        interfaces="ipsec0=wp1ppp ipsec1=wp2ppp ipsec2=wp3ppp"
Then in a connection, override the _updown script:
conn goes-over-multiple-interfaces
        leftupdown=/lib/ipsec/updown-custom
        leftnexthop=127.0.0.2   # this is not respected but it must be set to something
        # ...
Finally, the changes made in /lib/ipsec/updown-custom relative to /lib/ipsec/_updown (the rest of the copy is unchanged). Since pluto runs this script as root, keep it owned by root and writable by nobody else:
#-------------------------------------------------------------------------
# mask2bits function, returns the number of bits in the netmask parameter.
# borrowed from http://www.stearns.org/samlib/samlib-0.1/samlib
#-------------------------------------------------------------------------
#No external apps needed.
mask2bits () {
case $1 in
255.255.255.255) echo 32 ;;
255.255.255.254) echo 31 ;;
255.255.255.252) echo 30 ;;
255.255.255.248) echo 29 ;;
255.255.255.240) echo 28 ;;
255.255.255.224) echo 27 ;;
255.255.255.192) echo 26 ;;
255.255.255.128) echo 25 ;;
255.255.255.0) echo 24 ;;
255.255.254.0) echo 23 ;;
255.255.252.0) echo 22 ;;
255.255.248.0) echo 21 ;;
255.255.240.0) echo 20 ;;
255.255.224.0) echo 19 ;;
255.255.192.0) echo 18 ;;
255.255.128.0) echo 17 ;;
255.255.0.0) echo 16 ;;
255.254.0.0) echo 15 ;;
255.252.0.0) echo 14 ;;
255.248.0.0) echo 13 ;;
255.240.0.0) echo 12 ;;
255.224.0.0) echo 11 ;;
255.192.0.0) echo 10 ;;
255.128.0.0) echo 9 ;;
255.0.0.0) echo 8 ;;
254.0.0.0) echo 7 ;;
252.0.0.0) echo 6 ;;
248.0.0.0) echo 5 ;;
240.0.0.0) echo 4 ;;
224.0.0.0) echo 3 ;;
192.0.0.0) echo 2 ;;
128.0.0.0) echo 1 ;;
0.0.0.0) echo 0 ;;
*) echo 32 ;;   # unrecognized or non-contiguous mask: silently becomes a /32 host route
esac
} #End of mask2bits
# this replaces the default doroute() function
# example for multipath default route by John K. Hohm <jhohm@provinet.com>
# _updown calls this as "doroute add" or "doroute del", so $1 is the
# ip route verb; PLUTO_PEER_CLIENT_NET and PLUTO_PEER_CLIENT_MASK are
# exported by pluto as dotted quads, hence the conversion to a prefix length.
doroute() {
PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
# note that this uses the ipsec devices instead of the wp?ppp devices
ip route $1 $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS \
nexthop via 10.0.0.177 dev ipsec0 weight 1 \
nexthop via 10.0.0.181 dev ipsec1 weight 1 \
nexthop via 10.0.0.185 dev ipsec2 weight 1
}
Note that because this example uses equal-cost multipath, it requires the ip command from iproute2; the older route command cannot create nexthop routes.
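The following is an added example, not code from the original page or from the FreeS/WAN _updown script, showing the two pieces above in a form you can check before pluto runs the script as root. It generalizes the lookup table: mask2bits_checked converts any dotted-quad netmask arithmetically and fails on malformed or non-contiguous masks instead of quietly installing a /32. doroute_multipath builds the same multipath route as doroute above, accepts only the add and del verbs that _updown passes, and with DRY_RUN set prints the command instead of executing it. The NEXTHOPS variable, the DRY_RUN switch and both function names are assumptions introduced here; the gateways and ipsec devices are the ones from the page.

```shell
#!/bin/sh
# Added example; not part of the original page or of FreeS/WAN's _updown.

# mask2bits_checked: dotted-quad netmask -> prefix length.
# Prints the bit count and returns 0; on a malformed or non-contiguous
# mask it prints nothing and returns 1 (the table version returned 32).
mask2bits_checked() {
    mask=$1
    oldifs=$IFS
    IFS=.
    set -- $mask
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    bits=0
    seen_zero=0
    for octet in "$@"; do
        # decimal 0-999 without leading zeros; range is checked below
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        # walk the bits high to low: once a 0 bit is seen, a later 1 bit
        # means the mask is not contiguous
        i=7
        while [ $i -ge 0 ]; do
            if [ $(( ($octet >> $i) & 1 )) -eq 1 ]; then
                [ $seen_zero -eq 0 ] || return 1
                bits=$((bits + 1))
            else
                seen_zero=1
            fi
            i=$((i - 1))
        done
    done
    echo $bits
}

# NEXTHOPS is an assumption: a space-separated list of "gateway,device"
# pairs, defaulting to the three ipsec devices from the page.
NEXTHOPS=${NEXTHOPS:-"10.0.0.177,ipsec0 10.0.0.181,ipsec1 10.0.0.185,ipsec2"}

# doroute_multipath ACTION NET MASK
# ACTION is the verb _updown passes (add or del); NET and MASK correspond
# to PLUTO_PEER_CLIENT_NET and PLUTO_PEER_CLIENT_MASK.  With DRY_RUN set
# the ip command is printed rather than run.
doroute_multipath() {
    action=$1
    net=$2
    mask=$3
    case $action in
        add|del) ;;
        *) echo "doroute_multipath: refusing action '$action'" >&2; return 1 ;;
    esac
    bits=$(mask2bits_checked "$mask") || {
        echo "doroute_multipath: bad netmask '$mask'" >&2
        return 1
    }
    cmd="ip route $action $net/$bits"
    for hop in $NEXTHOPS; do
        gw=${hop%,*}
        dev=${hop#*,}
        cmd="$cmd nexthop via $gw dev $dev weight 1"
    done
    if [ -n "$DRY_RUN" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Usage (dry run, no root needed):
#   DRY_RUN=1; doroute_multipath add 192.168.1.0 255.255.255.0
```

To drop this into updown-custom, replace the table-driven doroute with a call to doroute_multipath "$1" "$PLUTO_PEER_CLIENT_NET" "$PLUTO_PEER_CLIENT_MASK" and leave DRY_RUN unset; the exit status then tells _updown whether the route was installed.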