[Openswan dev] IPsec over IPv6 including 6to4 ... some success, and some documentation opportunities
Anthony Tong
atong at TrustedCS.com
Wed Oct 1 12:32:05 EDT 2008
John Denker wrote:
> 3) When using kernel IPsec, it is allowable and often
> advantageous to specify "interfaces=%none". This ought
> to be prominently documented somewhere. And if you ask
> me, it ought to be the default when using kernel IPsec.
> And connections ought to be routed using the actual route,
> not the "defaultroute". This is easy to do using
> "ip route get to ....". I have scripts that do this, but
> it ought to become the standard built-in behavior.
I have modifications too for 2.4.x to handle the IPv6 routes, but
there is an issue with route cleanups that I haven't had time
to look at closely, and I am not even sure whether openswan is the
culprit. The OS is RHEL5.

When openswan shuts down and runs its corresponding route deletes,
some IPv6 routes don't go away. The ip -6 route del works fine, but I think
something bumped the refcount on the route (and it wasn't from the
openswan helper script changes), so it takes an extra delete to get rid
of it.

I know this is kinda vague and on older software revisions; it's been a
while. Out of curiosity, have you looked at your ip -6 route after an
openswan shutdown? Anything odd?