[Openswan Users] Problem of routing under openswan

mcr at xelerance.com
Mon Jun 28 17:37:10 CEST 2004




Hi, it appears that you have tunnels that overlap with more specific
routing table entries.

You can't do that with 26sec, because the SPD is yet-another-firewall,
and it is applied before the routing is.

The openswan team disagrees with separating security and routing. There
should be only one firewall, and it should include routing as well.

(KAME does it "to spec", but RFC2401 is way too specific. I argued about
this in vain for 7 years. rfc2401bis is better) 

You may be able to write SPD entries for the parts you do not want to
go through the tunnel, and mark them as pass.

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
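One way to express the "mark them as pass" suggestion above, as an added ipsec.conf fragment that is not from the original message or from the openswan project: a tunnel conn for the wide prefix plus a more specific `type=passthrough` conn for the locally routed subnet. All addresses and connection names are constructed, and the assumption that the more specific pass policy takes precedence over the tunnel policy under 26sec is exactly that, an assumption to verify with `ip xfrm policy` on the version in use.

```conf
# Added example (not from the original post). Constructed scenario:
# everything for 10.0.0.0/8 goes through the site-to-site tunnel,
# except 10.1.1.0/24, which the local routing table reaches directly
# and must therefore stay out of the tunnel's SPD entry.

conn site-tunnel
    left=198.51.100.1              # constructed local gateway address
    leftsubnet=192.168.1.0/24
    right=203.0.113.1              # constructed remote gateway address
    rightsubnet=10.0.0.0/8
    authby=secret
    auto=start

# More specific SPD entry with a "pass" action: traffic between
# 192.168.1.0/24 and 10.1.1.0/24 bypasses the tunnel policy.
# No peer is involved, so the conn only installs policy (auto=route)
# and never negotiates (authby=never).
conn local-bypass
    left=198.51.100.1
    leftsubnet=192.168.1.0/24
    rightsubnet=10.1.1.0/24
    type=passthrough
    authby=never
    auto=route
```

After `ipsec auto --add` and `--route` of the bypass conn, `ip xfrm policy` should show an `allow` policy for the /24 pair alongside the tunnel template for the /8; if the /8 policy still matches first, the bypass is not taking precedence and the routing conflict the post describes remains.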