On 2010/12/20 13:12, Axel Rau wrote:
> Hi all,
>
> besides some other, I have these ipsec routes on my (routing) CARPed
> tunnel endpoint pair (netstat -rn):

OpenBSD's IPsec implementation (like most of the earlier implementations) exclusively uses flows rather than route table entries. As they aren't in the routing table at all, you can't redistribute them from there into routing protocols as you'd like to do. You could either add a dummy default route (IIRC even a blackhole route should be fine, e.g. route add -inet6 localhost -blackhole) and announce that into your routing protocols (the traffic would still get matched by this flow, assuming the source address is ok). Otherwise you'll have to do something like gre-over-ipsec so you can get a real route table entry.

> --------
> Encap:
> Source               Port  Destination           Port  Proto  SA(Address/Proto/Type/Direction)
> ...
> default              0     2001:1234:2:10::/60   0     0      1.2.3.40/esp/use/in
> 2001:1234:2:10::/60  0     default               0     0      1.2.3.40/esp/require/out
> ...
> --------
> How can I announce this as ipv6 default route in the connected nets
> (some /64 subnets from the above /60)?
> I have tried route6d and ospf6d without success.
>
> My ipv6 sysctls are:
> --------
> net.inet6.ip6.forwarding=1
> net.inet6.ip6.redirect=1
> net.inet6.ip6.hlim=64
> net.inet6.ip6.mrtproto=103
> net.inet6.ip6.maxfragpackets=200
> net.inet6.ip6.accept_rtadv=0
> net.inet6.ip6.keepfaith=0
> net.inet6.ip6.log_interval=5
> net.inet6.ip6.hdrnestlimit=10
> net.inet6.ip6.dad_count=1
> net.inet6.ip6.auto_flowlabel=1
> net.inet6.ip6.defmcasthlim=1
> net.inet6.ip6.kame_version=OpenBSD-current
> net.inet6.ip6.use_deprecated=1
> net.inet6.ip6.rr_prune=5
> net.inet6.ip6.v6only=1
> net.inet6.ip6.maxfrags=200
> net.inet6.ip6.mforwarding=0
> net.inet6.ip6.multipath=0
> net.inet6.ip6.multicast_mtudisc=0
> net.inet6.ip6.neighborgcthresh=2048
> net.inet6.ip6.maxifprefixes=16
> net.inet6.ip6.maxifdefrouters=16
> net.inet6.ip6.maxdynroutes=4096
> net.inet6.ip6.dad_pending=0
> net.inet6.icmp6.rediraccept=1
> net.inet6.icmp6.redirtimeout=600
> net.inet6.icmp6.nd6_prune=1
> net.inet6.icmp6.nd6_delay=5
> net.inet6.icmp6.nd6_umaxtries=3
> net.inet6.icmp6.nd6_mmaxtries=3
> net.inet6.icmp6.nd6_useloopback=1
> net.inet6.icmp6.nodeinfo=1
> net.inet6.icmp6.errppslimit=100
> net.inet6.icmp6.nd6_maxnudhint=0
> net.inet6.icmp6.mtudisc_hiwat=1280
> net.inet6.icmp6.mtudisc_lowat=256
> net.inet6.icmp6.nd6_debug=0
> net.inet6.divert.recvspace=65636
> net.inet6.divert.sendspace=65636
> --------
> This is 4.8 stable on i386.
>
> Any help welcome,
> Axel
> ---
> [email protected]  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius
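For the "dummy default route plus redistribute" approach described in the reply above, here is a sketch of what the two pieces look like on the tunnel endpoint. This is an added illustration, not configuration posted by either participant. The interface names, router-id and addresses are assumptions (documentation ranges), the hostname.if(5) "!" command form and the ospf6d.conf(5) `redistribute default` keyword should be verified against the manual pages of the release in use, and the reply's own caveat still applies: the IPsec flow only catches traffic whose source address matches the flow, so packets from other sources hit the blackhole and are dropped.

```conf
# Added illustration of the blackhole-default + redistribute approach from
# the reply above; not from the original thread. Names and addresses are
# assumptions (RFC 5737 / RFC 3849 documentation ranges).

# --- /etc/hostname.carp0 (the interface carrying the tunnel endpoint) ---
# Put the usual inet6 address lines for the interface above this.
# Lines starting with "!" are run as commands by netstart(8), see
# hostname.if(5). A blackhole default gives ospf6d a real kernel route to
# redistribute; packets to the /60 are still matched by the IPsec flow,
# everything else that falls through to this route is discarded.
!route add -inet6 -blackhole default ::1

# --- /etc/ospf6d.conf (syntax per ospf6d.conf(5); verify for 4.8) ---
# "redistribute default" exports the kernel default route into OSPFv3,
# so the connected /64s learn this router as their IPv6 default.
router-id 192.0.2.1
redistribute default

area 0.0.0.0 {
        interface vlan10
        interface vlan11
}
```

After `sh /etc/netstart carp0` and restarting ospf6d, `netstat -rn -f inet6` on the endpoint should show the `default` entry flagged `B` (blackhole), and a router on one of the /64s should list that default in `ospf6ctl show rib`. If the endpoint pair is CARPed, both hosts need the same entries; only the CARP master's announcement will be preferred, since only it forwards for the shared address.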
