[Openswan Users] MODVERSIONS & interfaces

Carlos G Mendioroz tron at huapi.ba.ar
Wed Oct 6 12:59:28 CEST 2004

Paul Wouters wrote:

> On Wed, 6 Oct 2004, Carlos G Mendioroz wrote:
>> just a quick question, hope you don't mind...
> I'd prefer the list, so others might have a chance to answer and offload
> my work.

Sure, sorry.

>> if a packet is presented to an ipsecX interface, which does not match 
>> a connection, will it be sent in the clear via the paired interface ?
> It will be dropped. There must always be an ipsec policy associated with
> a packet. So 'route add somerange/24 dev ipsec0 will just result in dropped
> packets, unless you have a connection that includes somerange (eg
>> netA1 --gwA ... gwB-- netB
>> netA2 --|
>> and you have an IPSEC tunnel from netA1 to netB, gwA initiates 
>> encryption of a netA1 to netB packet because of a route pointing to 
>> ipsecX interface for destination netB.
>> So what happens to netA1 tp netB traffic ?
> I assume you meant netA2 in the last line. You must add an ipsec tunnel for
> netA2-netB on gwA and gwB

Yes, I meant netA2. But I want that to be on the clear.
So I guess one has to play tricks with routing to get netA2 to netB 
traffic not hitting the ipsecX interface.

> Paul

Carlos G Mendioroz  <tron at huapi.ba.ar>  LW7 EQI  Argentina

More information about the Users mailing list