Lars Eggert wrote:
> I don't think we have the same definition of "the IPSec tunnel problem."
> Mine is "tunnel mode SAs aren't interfaces, and IPsec duplicates
> encapsulation and firewalling techniques that are (better) handled
> outside IPsec", see draft-touch-ipsec-vpn.
> 
> Having or not having a default route won't matter, since you'll have
> more specific routes that match before the default route would be picked.

As you say, SAs are not interfaces.  Try pinging over the link
from hosts on either side of the tunnel, e.g.:

10.0.1.15/8<--->10.0.1.1/8              10.0.2.1/8<---->10.0.2.11/8
                public IP #1<----------->public IP #2

Ping #1    <---------------------------->               works
Ping #2    <------------------------------------------->broken

Get rid of the default route, and ping #2 starts working.

-- Terry

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
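The disagreement above turns on how a host's route lookup behaves before any IPsec policy is consulted. The following is an added example, not code from either poster, that models only the longest-prefix-match step using the addresses from the diagram. The route tables are constructed for illustration (the /24 variant is an assumption, since the diagram shows /8 on both sides); the IPsec SPD lookup that follows routing on a real stack is not modelled, so the output shows what the forwarding table alone selects, with and without a default route.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries.

    Returns the (prefix, next_hop) whose prefix is the longest one
    containing dst, or None when no entry matches (host unreachable).
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    if best_net is None:
        return None
    return (str(best_net), best_via)


def without_default(routes):
    """The same table with the 0.0.0.0/0 entry removed."""
    return [r for r in routes if r[0] != "0.0.0.0/0"]


# Constructed from the diagram: host 10.0.1.15/8 behind gateway 10.0.1.1.
# A /8 netmask makes the whole 10.0.0.0/8 block appear directly connected.
HOST_ROUTES_SLASH8 = [
    ("10.0.0.0/8", "on-link"),     # connected network from the /8 mask
    ("0.0.0.0/0", "10.0.1.1"),     # default route via the tunnel gateway
]

# Assumed variant (not in the diagram): the same host with a /24 mask, so
# the remote 10.0.2.0/24 side is not covered by the connected route.
HOST_ROUTES_SLASH24 = [
    ("10.0.1.0/24", "on-link"),
    ("0.0.0.0/0", "10.0.1.1"),
]

if __name__ == "__main__":
    remote = "10.0.2.11"   # host on the far side of the tunnel (ping #2)
    for name, table in (("/8 host", HOST_ROUTES_SLASH8),
                        ("/24 host", HOST_ROUTES_SLASH24)):
        print(f"{name}, with default:    {lookup(table, remote)}")
        print(f"{name}, without default: {lookup(without_default(table), remote)}")
```

With the /8 masks from the diagram the connected route is the longest match either way, so the packet for 10.0.2.11 is handed to the local link and the default route is never consulted; with /24 masks the default route is the only match, and removing it leaves no route at all. Whether the gateway's IPsec policy then captures the packet is a separate step that this table lookup does not decide.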