On Mon, Jul 17, 2006 at 05:25:38PM -0600, Stephen Bosch wrote:
> 
> route add -host 192.168.0.57 -interface enc0
> 
> I get this response:
> 
> route: enc0: bad address

  -interface actually takes an address:

---
     If the destination is directly reachable via an interface requiring no
     intermediary system to act as a gateway, the -interface modifier should
     be specified; the gateway given is the address of this host on the common
     network, indicating the interface to be used for transmission.
---

  iow, it derives the iface based on what iface the addr you give it
  lives on.

> Even though a security association for the target address exists on
> enc0. Unfortunately, the device is not passing traffic to 192.168.0.57.
> 
> I assume I need to add a route -- but is this even necessary?

  you will need to add a route to the other end of the tunnel
  so that traffic that originates on the local endpoint destined
  for an addr matching the remote addrspec (Destination in netstat
  -rnf encap) goes over the tunnel.

  if traffic originates on the local host and a matching route 
  is found in the inet (or inet6, i suppose) table, that route
  is taken.  if you have a default route, that will catch it
  (probably undesired), so you need an inet route to make it
  match something more specific than the default route in the
  inet table.

  traffic traversing the host (forwarded datagrams) will match
  the ipsec flows before they get looked up against the encap
  table (if this is not literally correct, it is the behaviour
  i've observed) and thus do not need a route.

  i think over time there have been a boatload of posts about
  this (probably even one by me) behaviour, but it might be
  a bit tricky to know what you're looking for.

-- 

  jared

[ openbsd 3.9-current GENERIC ( jun 22 ) // i386 ]
