Re: [Users] Traffic Selector selects Bignet before Smallnet / TS
paul at xtdnet.nl
Wed Mar 10 17:01:55 CET 2004
This user has two ipsec sa's which overlap, one for 10/8 and one
for a /24 within that range. Now I don't think using ipsec in
such a way is clever at all, but I was wondering if it was an
easy change to do pick smaller networks over bigger ones. Or is
this based on ohter issues like when the connection got --up'ed ?
---------- Forwarded message ----------
Date: Wed, 10 Mar 2004 15:27:23 +0000
From: skyper <skyper at segfault.net>
To: users at lists.freeswan.org
Subject: Re: [Users] Traffic Selector selects Bignet before Smallnet / TS
> The Unix routing tables will pass it up to FreeS/WAN, but then FreeS/WAN
> still has to select which network to send it off to, and is picking the
> larger one - makes sense.
> Paul's suggestion of binding multiple ipsecX interfaces seems to make the
> most sense.
That didnt work. After reading some source i found out that freeswan handles
different ipsecX interfaces the same. Different ipsecX interfaces are remains
when the freeswan-development started.
I came up with a badly hack. I SNAT the source ip of one network to
10.1.1.254 so that freeswan can distinguish it on the peer side.
Anyway, a bad design that the TS selects the largest network first instead
of the smallest.
PGP: dig @segfault.net skyper axfr|grep TX|cut -f2 -d\"|sort|cut -f2 -d\;
FreeS/WAN Users mailing list
users at lists.freeswan.org
More information about the Dev