[Openswan dev] Re: [Users] Traffic Selector selects Bignet before Smallnet / TS (fwd)

Paul Wouters paul at xtdnet.nl
Wed Mar 10 17:01:55 CET 2004

This user has two IPsec SAs which overlap, one for 10/8 and one
for a /24 within that range. Now I don't think using IPsec in
such a way is clever at all, but I was wondering if it was an
easy change to pick smaller networks over bigger ones. Or is
this based on other issues, like when the connection got --up'ed?

---------- Forwarded message ----------
Date: Wed, 10 Mar 2004 15:27:23 +0000
From: skyper <skyper at segfault.net>
To: users at lists.freeswan.org
Subject: Re: [Users] Traffic Selector selects Bignet before Smallnet / TS

> The Unix routing tables will pass it up to FreeS/WAN, but then FreeS/WAN 
> still has to select which network to send it off to, and is picking the 
> larger one - makes sense.
> Paul's suggestion of binding multiple ipsecX interfaces seems to make the 
> most sense.

That didn't work. After reading some source I found out that freeswan handles
different ipsecX interfaces the same. Different ipsecX interfaces are remnants
from when the freeswan development started.

I came up with a bad hack. I SNAT the source IP of one network so that freeswan can distinguish it on the peer side.

Anyway, a bad design that the TS selects the largest network first instead
of the smallest.

PGP: dig @segfault.net skyper axfr|grep TX|cut -f2 -d\"|sort|cut -f2 -d\;
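The selection difference this thread is about, as an added illustration (not FreeS/WAN's or Openswan's code): a small Python model of a policy list holding two overlapping traffic selectors, with constructed addresses and names, comparing first-match in --up order against longest-prefix (most-specific) selection.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TrafficSelector:
    name: str
    src: IPv4Network
    dst: IPv4Network


# Constructed policy list, in the order the connections were brought --up:
# the broad 10/8 tunnel first, then a /24 that lies inside it.
POLICY = [
    TrafficSelector("bignet", ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")),
    TrafficSelector("smallnet", ip_network("192.0.2.0/24"), ip_network("10.1.2.0/24")),
]


def matches(ts, src, dst):
    return src in ts.src and dst in ts.dst


def select_first_match(policy, src, dst):
    """List-order selection: whichever matching entry was --up'ed first wins."""
    for ts in policy:
        if matches(ts, src, dst):
            return ts
    return None


def select_most_specific(policy, src, dst):
    """Longest-prefix selection: the smallest matching network wins, regardless of order."""
    best = None
    for ts in policy:
        if matches(ts, src, dst):
            key = (ts.dst.prefixlen, ts.src.prefixlen)
            if best is None or key > (best.dst.prefixlen, best.src.prefixlen):
                best = ts
    return best


def select(policy, src_ip, dst_ip, most_specific=True):
    """Return the name of the selector chosen for a src/dst pair, or None if nothing matches."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    pick = select_most_specific if most_specific else select_first_match
    ts = pick(policy, src, dst)
    return ts.name if ts else None
```

For a packet to 10.1.2.5 the first-match policy returns "bignet" while longest-prefix returns "smallnet"; for 10.9.9.9 both return "bignet".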
