[Openswan Users] MODVERSIONS & interfaces
Carlos G Mendioroz
tron at huapi.ba.ar
Wed Oct 6 12:59:28 CEST 2004
Paul Wouters wrote:
> On Wed, 6 Oct 2004, Carlos G Mendioroz wrote:
>
>> just a quick question, hope you don't mind...
>
>
> I'd prefer the list, so others might have a chance to answer and offload
> my work.
Sure, sorry.
>
>> if a packet is presented to an ipsecX interface, which does not match
>> a connection, will it be sent in the clear via the paired interface ?
>
>
> It will be dropped. There must always be an ipsec policy associated with
> a packet. So 'route add somerange/24 dev ipsec0' will just result in dropped
> packets, unless you have a connection that includes somerange (eg 0.0.0.0)
>
>> netA1 --gwA ... gwB-- netB
>> netA2 --|
>>
>> and you have an IPSEC tunnel from netA1 to netB, gwA initiates
>> encryption of a netA1 to netB packet because of a route pointing to
>> ipsecX interface for destination netB.
>> So what happens to netA1 to netB traffic ?
>
>
> I assume you meant netA2 in the last line. You must add an ipsec tunnel for
> netA2-netB on gwA and gwB
Yes, I meant netA2. But I want that to be in the clear.
So I guess one has to play tricks with routing to get netA2 to netB
traffic not hitting the ipsecX interface.
>
> Paul
--
Carlos G Mendioroz <tron at huapi.ba.ar> LW7 EQI Argentina