r...@kunde003-wan:~# cat /etc/hostname.ip.tun0
192.168.100.2 192.168.100.1 tsrc 213.172.123.138 tdst 82.100.214.138 router up

r...@kunde003-wan:~# cat /etc/inet/ipsecinit.conf
{tunnel ip.tun0 negotiate tunnel laddr 0.0.0.0/0 raddr 192.168.100.0/30} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun1 negotiate tunnel laddr 0.0.0.0/0 raddr 103.0.0.0/24} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}

The current config doesn't reflect my actual requirement (i.e. reaching the LAN 120.0.0.0/24 behind the remote router). For now I'm concerned with getting OSPF working, hence I tailored the ipsec config to guarantee reachability between the tunnel interfaces.
OK, so what gets to the tunnel to be forwarded is controlled by your routing table.
What is actually allowed over the tunnel at that point is controlled by IPsec policy.
Your policies allow anything from any local address, but don't allow outbound multicast.
You can have multiple policy lines per tunnel, so try to add one to allow the multicast addresses in the raddr clause. 224.0.0.5 is currently not allowed with your policy.
-paul

_______________________________________________
networking-discuss mailing list
[email protected]
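As an added illustration that is not part of the thread, the script below parses the two policy lines quoted above with a simplified reading of the `{tunnel ... laddr A raddr B} ipsec {...}` syntax (it is not the Solaris parser) and checks which candidate flows any rule on a given tunnel covers. It then repeats the check against a proposed configuration that adds per-tunnel entries for the OSPF multicast groups 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRouters); those two added lines follow the page's own syntax pattern and are an assumption, as are the sample flows and the hypothetical LAN host 120.0.0.10.

```python
"""Toy ipsecinit.conf policy evaluator (constructed example, not Solaris code).

Parses tunnel policy entries of the form seen in the thread and answers
"which rule, if any, selects this flow on this tunnel?".  Policy selection
only: SA negotiation and routing are out of scope for this model.
"""
import ipaddress
import re

# Policy lines exactly as quoted in the thread (constructed copy).
CURRENT_CONF = """
{tunnel ip.tun0 negotiate tunnel laddr 0.0.0.0/0 raddr 192.168.100.0/30} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun1 negotiate tunnel laddr 0.0.0.0/0 raddr 103.0.0.0/24} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
"""

# Proposed fix (assumption): extra entries so outbound OSPF multicast on
# ip.tun0 is also selected by policy.  224.0.0.5 = AllSPFRouters,
# 224.0.0.6 = AllDRouters.
PROPOSED_CONF = CURRENT_CONF + """
{tunnel ip.tun0 negotiate tunnel laddr 0.0.0.0/0 raddr 224.0.0.5/32} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 0.0.0.0/0 raddr 224.0.0.6/32} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
"""

# Simplified grammar: one "{tunnel IF negotiate tunnel laddr A raddr B} ipsec {ALGS}" per match.
RULE_RE = re.compile(
    r"\{tunnel\s+([^\s}]+)\s+negotiate\s+tunnel\s+laddr\s+([^\s}]+)\s+raddr\s+([^\s}]+)\}"
    r"\s*ipsec\s*\{([^}]*)\}"
)


def parse_policies(text):
    """Return a list of rule dicts with parsed prefixes and the ipsec options."""
    rules = []
    for iface, laddr, raddr, algs in RULE_RE.findall(text):
        rules.append({
            "tunnel": iface,
            "laddr": ipaddress.ip_network(laddr, strict=False),
            "raddr": ipaddress.ip_network(raddr, strict=False),
            "ipsec": algs.split(),
        })
    return rules


def find_rule(rules, tunnel, src, dst):
    """First rule on `tunnel` whose laddr/raddr prefixes contain src/dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["tunnel"] == tunnel and src in rule["laddr"] and dst in rule["raddr"]:
            return rule
    return None


# Sample flows (constructed): the tunnel peer, OSPF hellos, the second
# tunnel's remote prefix, and the LAN the poster ultimately wants to reach.
FLOWS = [
    ("peer-unicast", "ip.tun0", "192.168.100.2", "192.168.100.1"),
    ("ospf-hello", "ip.tun0", "192.168.100.2", "224.0.0.5"),
    ("ospf-drouters", "ip.tun0", "192.168.100.2", "224.0.0.6"),
    ("tun1-remote", "ip.tun1", "192.168.100.2", "103.0.0.5"),
    ("remote-lan", "ip.tun0", "192.168.100.2", "120.0.0.10"),
]


def uncovered_flows(conf_text, flows=FLOWS):
    """Names of flows that no policy entry on their tunnel selects."""
    rules = parse_policies(conf_text)
    return [name for name, tun, s, d in flows if find_rule(rules, tun, s, d) is None]


if __name__ == "__main__":
    for label, conf in (("current", CURRENT_CONF), ("proposed", PROPOSED_CONF)):
        print(f"{label}: not covered by policy -> {uncovered_flows(conf)}")
```

Running it shows that with the quoted configuration the two OSPF multicast destinations (and the remote LAN) fall through every ip.tun0 entry, while the proposed entries pick up the multicast groups; the remote LAN still needs its own raddr entry, which the poster deferred.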
