[Openswan dev] Routes and BGP was: Re: [Openswan Users] Openswan on Fedora 9

Michael H. Warfield mhw at WittsEnd.com
Wed Jun 11 12:08:08 EDT 2008


On Wed, 2008-06-11 at 11:52 -0400, Paul Wouters wrote:
> On Wed, 11 Jun 2008, Michael H. Warfield wrote:
> 
> > 	This is very true and I understand that, from the gateway's standpoint,
> > this is handled as a security policy match, not a route.  True that
> > "netkey" per se doesn't require those routes but there are other players
> > in the game that might need them.
> >
> > 	2.4.x seems to instantiate routes while 2.6.x does not.  Currently,
> > where I have 2.4.9 on one side of a tunnel and 2.6.14 on the other, I
> > see routes instantiated on the 2.4.9 side pointing toward the 2.6.14
> > side but not the other.  That's a change and it does break some things.
> >
> > 	Specifically, anyone doing dynamic routing ala BGP, OSPF, ISIS, or RIP
> > is in for a nasty surprise.  Right now, on one of my gateways, when the
> > VPN is up, the routes are instantiated and BGP advertises those routes
> > to other nodes on that subnet in iBGP (there's a complicated reason for
> > using a heavy weight like BGP instead of RIP or OSPF having to do with
> > my ISP and is not relevant here) and out to my ISP on eBGP.  So, while
> > netkey doesn't need the routes, the router daemons do.  How do I
> > maintain the older behavior?  Is this something that's going to have to
> > be managed in the scripts?
> >
> > 	I'm trying to figure out how I would hook this in before I get burned
> > by it.

> I believe if you add leftsourceip=, you will get your route, even on netkey.

	Cool!  I do indeed!  Many thanks!

> Paul

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
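
The gap discussed in this thread (a netkey policy with no kernel route for a routing daemon to pick up) can be checked for, as in this added example, which is not code from the thread or from Openswan. The sample `ip xfrm policy` and `ip route show` text is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (two outbound tunnel policies).
XFRM_SAMPLE = """\
src 10.1.0.0/16 dst 10.2.0.0/16
\tdir out priority 2344
\t\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\t\tproto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
\tdir in priority 2344
\t\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\t\tproto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.3.0.0/16
\tdir out priority 2344
\t\ttmpl src 192.0.2.1 dst 203.0.113.9
\t\t\tproto esp reqid 16389 mode tunnel
"""
# Constructed sample of `ip route show`: only 10.2.0.0/16 has a tunnel route.
ROUTE_SAMPLE = """\
10.2.0.0/16 dev eth0 scope link src 10.1.0.1
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.1
default via 192.0.2.254 dev eth0
"""

def outbound_selectors(xfrm_text):
    """Destination networks of policies whose direction line says 'dir out'."""
    out, dst = [], None
    for line in xfrm_text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)  # selector lines start at column 0
        if m:
            dst = ipaddress.ip_network(m.group(2), strict=False)
        elif dst is not None and re.search(r"\bdir out\b", line):
            out.append(dst)
    return out

def kernel_routes(route_text):
    routes = []
    for line in route_text.splitlines():
        try:
            routes.append(ipaddress.ip_network(line.split()[0], strict=False))
        except (ValueError, IndexError):
            continue  # "default", "unreachable", blank lines: not a specific prefix
    return routes

def policies_without_route(xfrm_text, route_text):
    routes = kernel_routes(route_text)
    return [str(d) for d in outbound_selectors(xfrm_text)
            if not any(d.version == r.version and d.subnet_of(r) for r in routes)]
```

Any prefix returned by `policies_without_route` is protected by IPsec policy but has no specific kernel route, so a routing daemon that redistributes kernel routes has nothing to advertise for it.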
