[Openswan Users] how can i exclude multiple subnets from one side

Herbert Xu herbert at gondor.apana.org.au
Sun Sep 19 22:42:49 CEST 2004


On Sun, Sep 19, 2004 at 07:37:33AM -0400, Ted Kaczmarek wrote:
> 
> So you create another tunnel statement specifying what to bypass in a
> previously configured tunnel. So it will then just take the default
> route in the table if there is not a more specific route?

It has nothing to do with routing.  I'm not familiar enough with KLIPS
but I'd expect the following to apply to it as well as 26sec which I
can vouch for.

This will get added as a policy (or eroute in KLIPS terminology) with
a priority that is above the policy with the bigger rightsubnet.
So any traffic going towards that subnet will match this policy (unless
there is another one that's even more specific), hence bypassing IPsec.

So with KLIPS even if your route says that the packet should go through
ipsecX I'd still expect it to go out unencapsulated.  Can someone who
has read the KLIPS code confirm this?
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
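
Added example, not part of the original message and not Openswan or kernel code: a small model of the policy lookup described above, where the policy with the more specific subnet outranks the broader tunnel policy and the routing table plays no part. The subnets, the policy names and the prefix-length priority rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "ipsec" (encapsulate) or "bypass" (send in the clear)

    @property
    def priority(self):
        # Assumption: a more specific selector ranks higher. Modelled here
        # as the sum of prefix lengths; real implementations compute their
        # own priority values.
        return self.src.prefixlen + self.dst.prefixlen

def make(name, src, dst, action):
    return Policy(name, ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

# Constructed sample: one tunnel plus two excluded (bypass) subnets.
POLICIES = [
    make("tunnel",    "10.1.0.0/16", "192.168.0.0/16",  "ipsec"),
    make("exclude-a", "10.1.0.0/16", "192.168.10.0/24", "bypass"),
    make("exclude-b", "10.1.0.0/16", "192.168.20.0/24", "bypass"),
]

def disposition(src, dst, policies=POLICIES):
    """Return (how the packet leaves, matching policy name or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies if s in p.src and d in p.dst]
    if not matches:
        return ("clear", None)          # no policy at all: ordinary traffic
    best = max(matches, key=lambda p: p.priority)
    return ("clear" if best.action == "bypass" else "esp", best.name)

def cleartext_holes(policies=POLICIES):
    """List (tunnel, bypass) pairs where a bypass policy carves a subnet out
    of a tunnel, i.e. traffic an operator might assume is encrypted."""
    tunnels = [p for p in policies if p.action == "ipsec"]
    bypasses = [p for p in policies if p.action == "bypass"]
    return [(t.name, b.name) for t in tunnels for b in bypasses
            if b.dst.subnet_of(t.dst) and b.src.overlaps(t.src)]

if __name__ == "__main__":
    for dst in ("192.168.10.7", "192.168.30.7", "8.8.8.8"):
        print(dst, disposition("10.1.2.3", dst))
    print("cleartext holes:", cleartext_holes())
```

Running `cleartext_holes()` against a policy set is a quick audit of which destinations inside a tunnel's range leave unencrypted.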

