Note that enc(4) and thus ipsec(4) never sees traffic that does not
precisely match your flows.

Thanks,

Penned by Axel Rau on 20110306 17:03.06, we have:
| Hi,
|
| while doing a test set-up I'm coming back to a similar issue:
|
| I have an IPSEC tunnel, connecting 2 IPv6 networks (LAN1 and LAN2):
| +---+          +---+           +---+          +---+
| | A +-- LAN1 --+ B +-- IPSEC --+ C +-- LAN2 --+ D |
| +---+          +-+-+           +-+-+          +---+
| ------------
| flow esp in from fda3:bdf5:7e29:1::/64 to fda3:bdf5:7e29:2::/64 \
|       peer 10.0.2.1 srcid client dstid gw type use
| flow esp out from fda3:bdf5:7e29:2::/64 to fda3:bdf5:7e29:1::/64 \
|       peer 10.0.2.1 srcid client dstid gw type require
| ------------
| On both tunnel ends, routing to the remote net does not work.
| I'm announcing the remote prefix via rtadvd on both LANS and
| receive traffic from A/D, directed to remote net at B/C.
| Neither B nor C forward this traffic to the tunnel.
| Like in the default route case, I have at B/C a static route to
| the remote net pointing at localhost.
|
| Does it matter that there is no IPv6 default route at all
| in this setup?
| What can I do to get the routing work?
|
|
| Am 20.12.2010 um 17:23 schrieb Stuart Henderson:
|
| >On 2010/12/20 13:12, Axel Rau wrote:
| >>Hi all,
| >>
| >>besides some other, I have these ipsec routes on my (routing) CARPed
| >>tunnel endpoint pair (netstat -rn):
| >
| >OpenBSD's IPsec implementation (like most of the earlier
| >implementations) exclusively uses flows rather than route table
| >entries. As they aren't in the routing table at all, you can't
| >redistribute them from there into routing protocols as you'd
| >like to do.
| >
| >You could either add a dummy default route (iirc even a blackhole
| >route should be fine e.g. route add -inet6 localhost -blackhole)
| >and announce that into your routing protocols (the traffic would
| >still get matched by this flow assuming the source address is
| >ok). Otherwise you'll have to do something like gre-over-ipsec
| >so you can get a real route table entry.
|
|
| Axel
| ---
| PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius

--
Todd Fries .. [email protected]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:[email protected]
| "..in support of free software solutions."  \  sip:[email protected]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt
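Added example (not part of the thread, and not OpenBSD code): a small Python model of the two decisions the replies above describe for a packet that tunnel endpoint C has to forward. First the route table must contain an entry covering the destination, otherwise the packet is never forwarded at all, which is why flows alone do not get LAN2 traffic onto the tunnel; only after that lookup is the packet compared against the IPsec flows, and only a packet whose source and destination both fall inside a flow's prefixes is handed to enc(4) as ESP. The flow lines are the ones Axel posted; the netstat -rn excerpts, the route flags (netstat's B for blackhole) and the addresses are constructed for the LAN1/LAN2 topology, and the kernel behaviour is simplified to what Stuart and Todd state (no SA state, no distinction between type use and type require).

```python
"""Model of OpenBSD forwarding on an IPsec tunnel endpoint, as described in
the thread: route lookup first, flow lookup second.  Example code added to
the archive page; netstat excerpts and addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    direction: str                      # "in" or "out"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    peer: str


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv6Network
    gateway: str
    flags: str                          # netstat -rn flags column; 'B' = blackhole


# The flows from the thread, as they would sit in ipsec.conf on C (the
# "client" end), continuation lines included.
FLOWS_CONF = r"""
flow esp in from fda3:bdf5:7e29:1::/64 to fda3:bdf5:7e29:2::/64 \
      peer 10.0.2.1 srcid client dstid gw type use
flow esp out from fda3:bdf5:7e29:2::/64 to fda3:bdf5:7e29:1::/64 \
      peer 10.0.2.1 srcid client dstid gw type require
"""

# Constructed netstat -rn excerpt on C: only LAN2 is directly connected and
# there is no route at all for the remote LAN1 prefix (Axel's situation).
ROUTES_NO_REMOTE = """
Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::1                                ::1                            UHl        0        0 32768     1 lo0
fda3:bdf5:7e29:2::/64              link#1                         UC         0        0     -     4 em0
"""

# Constructed: the same table after adding a static blackhole route for the
# remote prefix pointing at localhost, the workaround Stuart describes.
ROUTES_BLACKHOLE = ROUTES_NO_REMOTE + """
fda3:bdf5:7e29:1::/64              ::1                            UGBS       0        0 32768     8 lo0
"""

FLOW_RE = re.compile(
    r"^flow\s+esp\s+(in|out)\s+from\s+(\S+)\s+to\s+(\S+)\s+peer\s+(\S+)")


def parse_flows(conf: str) -> List[Flow]:
    """Join backslash-continued lines, then read direction, src, dst, peer."""
    joined = conf.replace("\\\n", " ")
    flows = []
    for line in joined.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            direction, src, dst, peer = m.groups()
            flows.append(Flow(direction, ipaddress.IPv6Network(src),
                              ipaddress.IPv6Network(dst), peer))
    return flows


def parse_routes(netstat: str) -> List[Route]:
    """Read destination, gateway and flags from an Internet6 netstat -rn section."""
    routes = []
    for line in netstat.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] in ("Internet6:", "Destination"):
            continue
        dst = "::/0" if cols[0] == "default" else cols[0].split("%")[0]
        if "/" not in dst:
            dst += "/128"               # host route
        try:
            net = ipaddress.IPv6Network(dst, strict=False)
        except ValueError:
            continue                    # not an IPv6 row
        routes.append(Route(net, cols[1], cols[2]))
    return routes


def lookup_route(routes: List[Route], dst: ipaddress.IPv6Address) -> Optional[Route]:
    """Longest-prefix match over the route table."""
    matches = [r for r in routes if dst in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen, default=None)


def match_flow(flows: List[Flow], direction: str,
               src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address) -> Optional[Flow]:
    """A flow applies only when BOTH addresses fall inside its prefixes."""
    for f in flows:
        if f.direction == direction and src in f.src and dst in f.dst:
            return f
    return None


def forward(routes: List[Route], flows: List[Flow], src: str, dst: str) -> str:
    """What C does with a packet it must forward from src to dst."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    route = lookup_route(routes, d)
    if route is None:
        return "no route: not forwarded"        # flows are never consulted
    flow = match_flow(flows, "out", s, d)
    if flow is not None:
        return f"esp to peer {flow.peer}"       # handed to enc(4)
    if "B" in route.flags:
        return "no matching flow: dropped by blackhole route"
    return f"no matching flow: forwarded in clear via {route.gateway}"


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CONF)
    for label, table in (("no remote route", ROUTES_NO_REMOTE),
                         ("blackhole route", ROUTES_BLACKHOLE)):
        routes = parse_routes(table)
        for src in ("fda3:bdf5:7e29:2::10", "fda3:bdf5:7e29:3::1"):
            print(f"{label:16} {src:22} -> fda3:bdf5:7e29:1::10: "
                  f"{forward(routes, flows, src, 'fda3:bdf5:7e29:1::10')}")
```

The third case is the one Todd's remark covers: with the blackhole route in place a packet from a source outside the flow's from prefix reaches the route lookup, matches nothing in the flows, and is eaten by the blackhole rather than going anywhere near enc(4), so check the source prefix as carefully as the destination when a host behind the gateway cannot reach the remote LAN.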
