Lars Eggert wrote:
> Terry Lambert wrote:
> > As you say, SA's are not interfaces. Try pinging over the link
> > from hosts on either side of the tunnel, e.g.:
> >
> > 10.0.1.15/8<--->10.0.1.1/8 10.0.2.1/8<---->10.0.2.11/8
> > public IP #1<----------->public IP #2
> >
> > Ping #1 <--------------------------> works
> > Ping #2 <----------------------------------------->broken
> >
> > Get rid of the default route, and ping #2 starts working.
>
> That looks like a routing issue on the tunnel endpoint that's
> independent from IPsec - what's in the routing table?
Now? Not a default route, that's for sure... 8-) 8-) ;^). I traced the problem down to the cloning of routes, and given the opacity of the code, and the fact I had a workaround available, didn't bother chasing it further.

The response packets got *back* to 10.0.1.1, but 10.0.1.1 did not forward them on the local net to 10.0.1.15, but pushed them out the default interface instead.

-- Terry