On Tuesday 26 June 2007 00:40, Julian Anastasov wrote:
> May be you have to replace your _updown script with one that
> supports "ip route" and "ip rule" commands instead of the old "route"
> tool. By this way you can use "ip rule ... from LNET to RNET"
> to properly route traffic for the negotiated subnets. If I remember
> correctly, the default _updown script does not consider negotiated
> LNET at all. As for routes patch, it will prefer NOARP devices when
> the neighbours on ARP device are not marked as reachable in ARP cache.
> So, it is risky to rely on wrong routes, especially after routes patch
> is applied.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
The _updown script is only called when a tunnel is brought up or down, but the
problem I am having is not related to a tunnel, but to routing before any
tunnel gets established.
I mean that even a configuration with only one tunnel that is listening is
creating problems because both StrongSWAN and OpenSWAN add IP addresses on
the ipsecN interface that are identical to the ones on the real interface
(ethN). I think the problem is related to the presence of the ipsecN
interface in KLIPS (linux-2.4). On 2.6 kernels there is no such interface and
consequently there is no "conflict". Is there any real solution to this
problem?
On the other hand, my understanding of the solution you gave me (inserting a
rule "from LNET to RNET") is that it can be applied once the tunnel is up.
However, would you care to elaborate more on this case as well?
Cheers,
Seba.
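The "ip rule ... from LNET to RNET" approach Julian suggests above, written out as a minimal _updown-style script. This is an added example, not the Openswan or strongSwan _updown script and not code from either poster. It assumes the environment pluto hands to _updown on KLIPS (PLUTO_VERB, PLUTO_INTERFACE for the ipsecN device, PLUTO_MY_CLIENT for LNET, PLUTO_PEER_CLIENT for RNET, PLUTO_NEXT_HOP); the table number 220 and rule priority 100 are arbitrary choices for the example. It only covers the per-tunnel routing step from the quoted reply, not the duplicated ipsecN/ethN addresses Seba describes before any tunnel exists.

```shell
#!/bin/sh
# Hypothetical _updown replacement (example only, not the project's script).
# Assumed pluto environment: PLUTO_VERB, PLUTO_INTERFACE (ipsecN),
# PLUTO_MY_CLIENT (LNET), PLUTO_PEER_CLIENT (RNET), PLUTO_NEXT_HOP.
# Table and priority values below are arbitrary choices for this example.

IPSEC_TABLE=${IPSEC_TABLE:-220}
IPSEC_PRIO=${IPSEC_PRIO:-100}

# Emit the ip(8) commands for one tunnel event, one per line, so the same
# function can be dry-run (IPSEC_DRY_RUN=1) or executed by apply_cmds.
ipsec_route_cmds() {
    verb=$1 lnet=$2 rnet=$3 dev=$4 nexthop=$5
    case "$verb" in
        up-client)
            # Route for the negotiated remote subnet lives in its own table;
            # the rule is scoped to the LNET->RNET selector, so the main
            # table (and the identical addresses on ethN) is left alone.
            echo "ip route add $rnet via $nexthop dev $dev table $IPSEC_TABLE"
            echo "ip rule add from $lnet to $rnet table $IPSEC_TABLE priority $IPSEC_PRIO"
            ;;
        down-client)
            # Tear down in reverse order: rule first, then the table route.
            echo "ip rule del from $lnet to $rnet table $IPSEC_TABLE priority $IPSEC_PRIO"
            echo "ip route del $rnet via $nexthop dev $dev table $IPSEC_TABLE"
            ;;
        *)
            # prepare-*, route-*, up-host etc. need nothing in this example.
            return 0 ;;
    esac
}

# Execute each command line (or just print it when IPSEC_DRY_RUN=1).
apply_cmds() {
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "${IPSEC_DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Entry point: pluto invokes the script with no arguments, only the PLUTO_* env.
if [ -n "$PLUTO_VERB" ]; then
    ipsec_route_cmds "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" \
        "$PLUTO_INTERFACE" "$PLUTO_NEXT_HOP" | apply_cmds
fi
```

Run it with IPSEC_DRY_RUN=1 and a hand-set PLUTO_* environment first to see exactly which rule and route would be installed; `ip rule show` and `ip route show table 220` afterwards confirm the result once it is wired in as the real updown script.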
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc