[Openswan dev] IPsec over IPv6 including 6to4 ... some success, and some documentation opportunities

Anthony Tong atong at TrustedCS.com
Wed Oct 1 12:32:05 EDT 2008

John Denker wrote:
  > 3) When using kernel IPsec, it is allowable and often
>  advantageous to specify "interfaces=%none".  This ought
>  to be prominently documented somewhere.  And if you ask
>  me, it ought to be the default when using kernel IPsec.
>  And connections ought to be routed using the actual route,
>  not the "defaultroute".  This is easy to do using 
>  "ip route get to ....".  I have scripts that do this, but
>  it ought to become the standard built-in behavior.

I have modifications too for 2.4.x to handle the ipv6 routes, but
there is an issue with route cleanups that I havent had time
to look at closely and I am not even sure whether openswan is the 
culprit. os is rhel5.

When openswan shuts down and runs its corresponding route deletes
some ipv6 routes dont go away. The ip -6 route del work fine but I think 
something bumped the refcount on the route (and it wasnt from the 
openswan helper script changes) so it takes an extra delete to get rid 
of it.

I know this is kinda vague and on older software revisions, it's been a 
while. Out of curiosity, have you looked at your ip -6 route after a 
openswan shutdown.. anything odd?

More information about the Dev mailing list