This is a follow-up to this question of mine. (Still on Debian 7.8)
The problem isn't really IPSec related or anything, because I can't even ping the remote host with the "correct" source IP (through ping -I eth1:ipsec).
Here is the necessary info:
inet xxx.xxx.xxx.94/24 brd xxx.xxx.xxx.255 scope global eth1
inet xxx.xxx.xxx.92/29 brd xxx.xxx.xxx.95 scope global secondary eth1:ipsec
I want my connections to use the default gw and standard IP of eth1: .94 but one connection to a remote host to use eth1:ipsec: .92.
I believe this is a routing problem, so I added a routing rule table:
0: from all lookup local
2: from all to xxx.xxx.xxx.21 lookup 17
32766: from all lookup main
32767: from all lookup default
and 17 has:
xxx.xxx.xxx.21 via xxx.xxx.xxx.91 dev eth1 src xxx.xxx.xxx.92
But even now, if I ping, the packets get the source IP of .94 (even with ping -I eth1:ipsec or -I xxx.xxx.xxx.92):
xxx.xxx.xxx.94 > xxx.xxx.xxx.21: ICMP echo request, id 20865, seq 9, length 64
IP xxx.xxx.xxx.21 > xxx.xxx.xxx.94: ICMP echo reply, id 20865, seq 9, length 64
Also, SNATting the packets via iptables doesn't do anything, still the wrong source IP.
...I'm completely lost here.
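For reference, this is the policy-routing setup the question describes, written out as an added example (not part of the original post) with addresses from the 203.0.113.0/24 documentation range as placeholders for the masked xxx.xxx.xxx.* values; it also includes the two checks worth running after adding the rule: flushing the kernel route cache (kernels before 3.6, such as the one on Debian 7, keep one, and stale entries can make a new rule look ignored) and confirming with `ip route get` which source address the kernel actually selects.

```shell
#!/bin/sh
# Constructed example: make traffic to one remote host leave with the
# secondary (alias) address as its source, everything else keeps the default.
# All addresses below are documentation-range placeholders, not real hosts.
REMOTE=203.0.113.21      # the single remote host (page: xxx.xxx.xxx.21)
GW=203.0.113.91          # next hop for that host   (page: xxx.xxx.xxx.91)
ALIAS_SRC=203.0.113.92   # eth1:ipsec address       (page: xxx.xxx.xxx.92)
TABLE=17                 # dedicated routing table

# Install the rule and the per-table route. Set DRYRUN=1 to print the
# commands instead of executing them (they need root and a real eth1).
setup_policy_route() {
  run="${DRYRUN:+echo}"
  # Route in table 17 carries a 'src' hint: used when the socket has not
  # bound a source address itself (ping -I <addr> binds one explicitly).
  $run ip route replace "$REMOTE" via "$GW" dev eth1 src "$ALIAS_SRC" table "$TABLE"
  # Rule at priority 2 sends lookups for the remote host to table 17.
  $run ip rule add to "$REMOTE" lookup "$TABLE" priority 2
  # Kernels before 3.6 cache routes; flush so the new rule takes effect now.
  $run ip route flush cache
}

# Print what the kernel will do for the remote host (run after setup).
show_route_decision() {
  run="${DRYRUN:+echo}"
  $run ip rule show
  $run ip route show table "$TABLE"
  $run ip route get "$REMOTE"
}

# Return 0 if the given `ip route get` output selects the expected source.
# $1 = output line of `ip route get`, $2 = expected source address
route_src_matches() {
  printf '%s\n' "$1" | grep -qE " src $2( |$)"
}
```

If `ip route get` still reports `src .94` after this, the rule or table is not being consulted; if it reports `.92` but captured packets still show `.94`, the source is being chosen by the socket (or rewritten later) rather than by routing.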
After several painful days of debugging and routing and routing tables and a fuming head, I gave up and reconfigured all IPSec clients under my direct control to use the .92 IP and everything works as expected now.
I'm still at a loss as to why I couldn't source-route or SNAT the packets... time for some serious testing in my testing environment (I suspect some crazy incompatibility between IP aliasing, Pacemaker and routing tables or something like that, or just plain stupidity).