[Openswan dev] Routes and BGP was: Re: [Openswan Users] Openswan on Fedora 9
Michael H. Warfield
mhw at WittsEnd.com
Wed Jun 11 12:08:08 EDT 2008
On Wed, 2008-06-11 at 11:52 -0400, Paul Wouters wrote:
> On Wed, 11 Jun 2008, Michael H. Warfield wrote:
>
> > This is very true and I understand that, from the gateway's standpoint,
> > this is handled as a security policy match, not a route. True that
> > "netkey" per se doesn't require those routes but there are other players
> > in the game that might need them.
> >
> > 2.4.x seems to instantiate routes while 2.6.x does not. Currently,
> > where I have 2.4.9 on one side of a tunnel and 2.6.14 on the other, I
> > see routes instantiated on the 2.4.9 side pointing toward the 2.6.14
> > side but not the other. That's a change and it does break some things.
> >
> > Specifically, anyone doing dynamic routing ala BGP, OSPF, ISIS, or RIP
> > is in for a nasty surprise. Right now, on one of my gateways, when the
> > VPN is up, the routes are instantiated and BGP advertises those routes
> > to other nodes on that subnet in iBGP (there's a complicated reason for
> > using a heavy weight like BGP instead of RIP or OSPF having to do with
> > my ISP and is not relevant here) and out to my ISP on eBGP. So, while
> > netkey doesn't need the routes, the router daemons do. How do I
> > maintain the older behavior? Is this something that's going to have to
> > be managed in the scripts?
> >
> > I'm trying to figure out how I would hook this in before I get burned
> > by it.
> I believe if you add leftsourceip=, you will get your route, even on netkey.
Cool! I do indeed! Many thanks!
> Paul
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
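
An added example, not part of the original message and not Openswan's own code: a check for the condition discussed in this thread, where netkey installs a security policy for a tunnel but no kernel route, so a routing daemon redistributing kernel routes never sees the prefix. The function names are hypothetical, and the sample text is constructed in the layout of `ip xfrm policy` and `ip route show` output.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data below is constructed).
# Lists destinations of IPsec "dir out" policies that have no kernel route
# for the same prefix, so a daemon redistributing kernel routes misses them.

# Read `ip xfrm policy` text on stdin, print the dst selector of each out policy.
out_policy_dsts() {
    awk '
        $1 == "src" && $3 == "dst" { dst = $4 }          # selector line
        $1 == "dir" && $2 != "out" { dst = "" }          # in/fwd: ignore
        $1 == "dir" && $2 == "out" && dst != "" { print dst; dst = "" }
    '
}

# $1 = `ip xfrm policy` text, $2 = `ip route show` text.
# Prints each out-policy destination with no exact-prefix route.
missing_routes() {
    routes=$(printf '%s\n' "$2" | awk '{ print $1 }')
    printf '%s\n' "$1" | out_policy_dsts | sort -u | while read -r dst; do
        key=${dst%/32}     # ip route prints host routes without /32
        printf '%s\n' "$routes" | grep -qxF -- "$key" || printf '%s\n' "$dst"
    done
}

# Constructed sample: two tunnels, only the first has a route installed.
SAMPLE_POLICY='src 192.168.1.0/24 dst 10.0.2.0/24
	dir out priority 2344
	tmpl src 192.0.2.1 dst 198.51.100.7
		proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 192.168.1.0/24
	dir in priority 2344
	tmpl src 198.51.100.7 dst 192.0.2.1
		proto esp reqid 16385 mode tunnel
src 192.168.1.0/24 dst 10.0.3.0/24
	dir out priority 2344
	tmpl src 192.0.2.1 dst 203.0.113.9
		proto esp reqid 16389 mode tunnel'

SAMPLE_ROUTES='10.0.2.0/24 dev eth0 scope link src 192.168.1.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 192.0.2.254 dev eth0'

missing_routes "$SAMPLE_POLICY" "$SAMPLE_ROUTES"
```

On a live gateway the two arguments would be `"$(ip xfrm policy)"` and `"$(ip route show)"`; the match is on the exact prefix, so a covering default route does not count.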