Re: Using Julian Anastasov's 'routes' patches on 2.4 kernel in conjunction with IPSec

Linux Advanced Routing and Traffic Control

On Tuesday 26 June 2007 00:40, Julian Anastasov wrote:
> Maybe you have to replace your _updown script with one that
> supports "ip route" and "ip rule" commands instead of the old "route"
> tool. By this way you can use "ip rule ... from LNET to RNET"
> to properly route traffic for the negotiated subnets. If I remember
> correctly, the default _updown script does not consider negotiated
> LNET at all. As for routes patch, it will prefer NOARP devices when
> the neighbours on ARP device are not marked as reachable in ARP cache.
> So, it is risky to rely on wrong routes, especially after routes patch
> is applied.
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>

The _updown script is only called when a tunnel is brought up or down, but the
problem I am having is not related to a tunnel, but to routing before any
tunnel gets established.

I mean that even a configuration with only one tunnel that is listening is
creating problems because both StrongSWAN and OpenSWAN add IP addresses on
the ipsecN interface that are identical to the ones on the real interface
(ethN). I think the problem is related to the presence of the ipsecN
interface in KLIPS (linux-2.4). On 2.6 kernels there is no such interface and
consequently there is no "conflict". Is there any real solution to this
problem?

On the other hand, my understanding of the solution you gave me (inserting a
rule "from LNET to RNET") is that it can be applied once the tunnel is up.
However, would you care to elaborate more on this case as well?

Cheers,
Seba.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
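As an added illustration of the approach Julian suggests above (an _updown replacement that uses `ip route` and `ip rule` for the negotiated LNET/RNET instead of the old `route` tool), here is a minimal hook script; it is not code from this thread, from Openswan or from strongSwan. The PLUTO_MY_CLIENT/PLUTO_PEER_CLIENT/PLUTO_INTERFACE variable names, routing table 200, priority 1000 and the sample subnets are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread, Openswan or strongSwan: a minimal
# _updown-style hook that routes the negotiated subnets with "ip route" and
# "ip rule". PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_INTERFACE are assumed
# to be what pluto exports to _updown; the fallbacks are constructed samples.

LNET="${PLUTO_MY_CLIENT:-192.0.2.0/24}"      # local negotiated subnet
RNET="${PLUTO_PEER_CLIENT:-198.51.100.0/24}" # remote negotiated subnet
IPSEC_DEV="${PLUTO_INTERFACE:-ipsec0}"       # KLIPS virtual device
TABLE="${IPSEC_TABLE:-200}"                  # routing table, assumed unused
PRIO="${IPSEC_PRIO:-1000}"                   # rule priority, assumed unused

# Execute a command, or only print it when DRY_RUN=1 (review without root).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Emit the exact commands for a verb, one per line, so they can be reviewed
# or tested before anything touches the kernel. Unknown verbs return 1.
ipsec_route_cmds() {
    case "$1" in
        up-client)
            # The route for RNET lives in its own table; the rule selects that
            # table only for LNET -> RNET traffic, leaving the main table alone.
            printf 'ip route replace %s dev %s table %s\n' "$RNET" "$IPSEC_DEV" "$TABLE"
            printf 'ip rule add from %s to %s lookup %s priority %s\n' \
                "$LNET" "$RNET" "$TABLE" "$PRIO"
            ;;
        down-client)
            # Tear down in reverse order: rule first, then the table's route.
            printf 'ip rule del from %s to %s lookup %s priority %s\n' \
                "$LNET" "$RNET" "$TABLE" "$PRIO"
            printf 'ip route del %s dev %s table %s\n' "$RNET" "$IPSEC_DEV" "$TABLE"
            ;;
        *) return 1 ;;
    esac
}

# Run every command produced for the verb (word splitting is intentional).
ipsec_route_apply() {
    ipsec_route_cmds "$1" | while IFS= read -r cmd; do
        run $cmd
    done
}

# Entry point when pluto invokes this as its _updown hook.
if [ $# -gt 0 ]; then
    ipsec_route_apply "$1"
fi
```

Run with `DRY_RUN=1 ./script up-client` to see the commands that would be issued before installing it as the _updown hook.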
