Date: Tue, 13 Aug 2002 16:43:14 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Lars Eggert <larse@ISI.EDU>
Cc: Les Biffle <les@safety.net>, hackers@freebsd.org
Subject: Re: IP routing question
Message-ID: <3D599992.7C954D42@mindspring.com>
References: <200208131813.g7DIDiH14643@ns3.safety.net> <3D599416.5CDE92D9@mindspring.com> <3D599679.5090507@isi.edu>
Lars Eggert wrote:
> I don't think we have the same definition of "the IPSec tunnel problem."
> Mine is "tunnel mode SAs aren't interfaces, and IPsec duplicates
> encapsulation and firewalling techniques that are (better) handled
> outside IPsec", see draft-touch-ipsec-vpn.
>
> Having or not having a default route won't matter, since you'll have
> more specific routes that match before the default route would be picked.

As you say, SA's are not interfaces.

Try pinging over the link from hosts on either side of the tunnel, e.g.:

10.0.1.15/8<--->10.0.1.1/8               10.0.2.1/8<---->10.0.2.11/8
                public IP #1<----------->public IP #2
Ping #1         <---------------------------->   works
Ping #2 <------------------------------------------->broken

Get rid of the default route, and ping #2 starts working.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
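The two points argued in this exchange, that the most specific route wins over the default route, and that a tunnel-mode SA is selected by address selectors rather than by being an outgoing interface, can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from the thread, from FreeBSD, or from the KAME IPsec stack. The routing table, the /24 prefixes, the interface name em0, the next-hop 192.0.2.1 and the tunnel peer 198.51.100.2 are constructed values (RFC 5737 documentation addresses), not taken from the message.

```python
import ipaddress
from typing import Optional

# Constructed routing tables. 0.0.0.0/0 is the default route.
ROUTES_WITH_DEFAULT = [
    ("10.0.1.0/24", "em0"),         # local LAN behind gateway #1 (constructed)
    ("0.0.0.0/0", "192.0.2.1"),     # default via an upstream router (constructed)
]
ROUTES_WITHOUT_DEFAULT = [
    ("10.0.1.0/24", "em0"),
    ("10.0.2.0/24", "192.0.2.1"),   # explicit route for the far LAN (constructed)
]

# Constructed security policy database (SPD). In the RFC 2401 model a policy
# is chosen by (src, dst) selectors; it is not bound to an interface.
SPD = [
    ("10.0.1.0/24", "10.0.2.0/24", ("tunnel", "198.51.100.2")),
]


def longest_prefix_match(routes, dst: str) -> Optional[tuple]:
    """Return (prefix, next_hop) of the most specific route covering dst.

    A /24 beats a /8, and any real prefix beats 0.0.0.0/0, which is why the
    default route is only used when nothing else matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def spd_lookup(spd, src: str, dst: str) -> Optional[tuple]:
    """First-match policy lookup keyed on source and destination selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_sel, dst_sel, action in spd:
        if s in ipaddress.ip_network(src_sel) and d in ipaddress.ip_network(dst_sel):
            return action
    return None


def forward(routes, spd, src: str, dst: str) -> dict:
    """Model of the two independent decisions: route lookup, then policy lookup.

    With no route at all the packet never reaches the policy step (the host
    reports "no route to host"). If a route exists, the SPD decides whether the
    packet is tunnel-encapsulated, regardless of which route was chosen.
    """
    route = longest_prefix_match(routes, dst)
    if route is None:
        return {"status": "no route to host"}
    policy = spd_lookup(spd, src, dst)
    encap = policy[1] if policy and policy[0] == "tunnel" else None
    return {"status": "sent", "via": route[1], "encap": encap}


if __name__ == "__main__":
    # Ping #2 from the thread's diagram: 10.0.1.15 -> 10.0.2.11
    print(forward(ROUTES_WITH_DEFAULT, SPD, "10.0.1.15", "10.0.2.11"))
    print(forward(ROUTES_WITHOUT_DEFAULT, SPD, "10.0.1.15", "10.0.2.11"))
    print(forward([("10.0.1.0/24", "em0")], SPD, "10.0.1.15", "10.0.2.11"))
```

Running the three cases shows that the packet for 10.0.2.11 leaves via the default next hop when no better route exists, via the explicit /24 when one is present, and is dropped before any IPsec processing when no route covers it at all; in both forwarded cases the SPD still selects the tunnel, because the policy is keyed on the addresses, not on the interface the route picked.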