[Openswan Users] Problem of routing under openswan
Dominique Blas
ml at blas.net
Wed Jun 30 04:01:54 CEST 2004
Le mercredi 30 Juin 2004 01:13, vous avez écrit :
> mcr at xelerance.com wrote:
> >
> > You can't do that with 26sec, because the SPD is yet-another-firewall,
> > and it is applied before the routing is.
> >
> > The openswan team disagrees with seperating security and routing. There
> > should be only one firewall, and it should include routing as well.
>
> Well I personally disagree with your position.
>
> IPsec is about authentication, while firewalling is about authorisation.
> Authentication should be performed regardless of which interface the
> packet arrived on.
I've had no position about this by now (neither at this time of the night) maybe in a few days if I have time.
> > You may be able to write SPD entries for the parts you do not want to
> > go through the tunnel, and mark them as pass.
>
> Yes you can. I made a typo in the excerpt that I gave earlier in
> this thread, so let me give the corrected version:
>
> conn workaround
> left=192.168.4.1
> leftsubnet=10.2.0.0/16
> right=192.168.4.2
> rightsubnet=10.3.0.0/16
> type=passthrough
> auto=route
I corrected on my own,
thanks again.
Best,
db
>
> Cheers,
More information about the Users
mailing list