[Openswan Users] Problem of routing under openswan
Herbert Xu
herbert at gondor.apana.org.au
Wed Jun 30 10:13:04 CEST 2004
mcr at xelerance.com wrote:
>
> You can't do that with 26sec, because the SPD is yet-another-firewall,
> and it is applied before the routing is.
>
> The openswan team disagrees with seperating security and routing. There
> should be only one firewall, and it should include routing as well.
Well I personally disagree with your position.
IPsec is about authentication, while firewalling is about authorisation.
Authentication should be performed regardless of which interface the
packet arrived on.
> You may be able to write SPD entries for the parts you do not want to
> go through the tunnel, and mark them as pass.
Yes you can. I made a typo in the excerpt that I gave earlier in
this thread, so let me give the corrected version:
conn workaround
left=192.168.4.1
leftsubnet=10.2.0.0/16
right=192.168.4.2
rightsubnet=10.3.0.0/16
type=passthrough
auto=route
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
More information about the Users
mailing list