From 4ba5ea407bb8a4afc295d0fb3e80c8e1cff410bb Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 11 Mar 2016 19:09:54 +0100
Subject: [PATCH] kernel-netlink: Use interface to next hop for shunt policies
Using the source address to determine the interface is not correct for net-to-net shunts between two interfaces on which the host has IP addresses for each subnet.
---
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 23 ++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index be0756d..46f94bd 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2335,19 +2335,22 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 /* get the interface to install the route for. If we have a local
 * address, use it. Otherwise (for shunt policies) use the
- * routes source address. */
+ * route's source address. */
 iface = ipsec->dst;
 if (iface->is_anyaddr(iface))
 {
- iface = route->src_ip;
- }
- /* install route via outgoing interface */
- if (!charon->kernel->get_interface(charon->kernel, iface,
- &route->if_name))
- {
- policy_change_done(this, policy);
- route_entry_destroy(route);
- return SUCCESS;
+ iface = ipsec->dst;
+ if (iface->is_anyaddr(iface))
+ {
+ iface = route->src_ip;
+ }
+ if (!charon->kernel->get_interface(charon->kernel, iface,
+ &route->if_name))
+ {
+ policy_change_done(this, policy);
+ route_entry_destroy(route);
+ return SUCCESS;
+ }
 }
 if (policy->route)
-- 
2.7.4
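Review bot: The added `iface = ipsec->dst; if (iface->is_anyaddr(iface))` repeats the enclosing context condition `if (iface->is_anyaddr(iface))` that the hunk leaves unchanged directly above it, so inside that block the inner test is always true and `iface = route->src_ip;` is reached unconditionally, while a policy whose `ipsec->dst` is a real address no longer reaches `get_interface` at all. Presumably the outer condition was meant to become a "no interface found yet" check (the subject mentions using the next-hop interface, which this hunk does not show); as written, unless a lookup above the hunk already fills `route->if_name`, the route is later installed with it unset, so please either change the outer condition or keep the lookup for the non-anyaddr case. I would also keep the dropped comment `/* install route via outgoing interface */` on the `get_interface` call, since the reason for the early `return SUCCESS` when no interface is found is no longer stated. `add_policy_internal` starts and ends outside the hunk.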