[Openswan Users] how can i exclude multiple subnets from one side
Ken Bantoft
ken at xelerance.com
Tue Sep 21 23:20:28 CEST 2004
On Sun, 19 Sep 2004, Herbert Xu wrote:
> On Sun, Sep 19, 2004 at 07:37:33AM -0400, Ted Kaczmarek wrote:
> >
> > So you create another tunnel statement specifying what to bypass in a
> > previously configured tunnel. So it will then just take the default
> > route in the table if there is not a more specific route?
>
> It has nothing to do with routing. I'm not familiar enough with KLIPS
> but I'd expect the following to apply to it as well as 26sec which I
> can vouch for.
>
> This will get added as a policy (or eroute in KLIPS terminology) with
> a priority that is above the policy with the bigger rightsubnet.
> So any traffic going towards that subnet will match this policy (unless
> there is another one that's even more specific), hence bypassing IPsec.
>
> So with KLIPS even if your route says that the packet should go through
> ipsecX I'd still expect it to go out unencapsulated. Can someone who
> has read the KLIPS code confirm this?
With =passthrough, KLIPS does not put the packet out ipsec0, so while it
acts like routing, and looks sort-of like routing (you will have a route
in the table) it will behave like you described.
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
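
Added example, not part of the original message and not Openswan code: a simplified Python model of the policy selection described in this thread, where the most specific matching subnet wins and a passthrough policy sends traffic out unencapsulated. The connection names and addresses are constructed, and real priority assignment in KLIPS or 26sec may consider more than the destination prefix length.

```python
import ipaddress

# Constructed policy table (hypothetical names and addresses): one tunnel with a
# large rightsubnet, plus passthrough policies for the subnets to exclude.
POLICIES = [
    ("office-tunnel", "10.0.0.0/8", "tunnel"),
    ("skip-dmz", "10.1.2.0/24", "passthrough"),
    ("skip-lab", "10.9.0.0/16", "passthrough"),
]

def select_policy(dst, policies=POLICIES):
    """Return (name, action) of the most specific policy covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, subnet, action in policies:
        net = ipaddress.ip_network(subnet)
        # A longer prefix is a more specific policy and takes priority.
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, action)
    return None if best is None else (best[1], best[2])

def cleartext_ranges(policies=POLICIES):
    """List passthrough subnets that sit inside a tunnel's subnet, i.e. traffic
    that leaves unencapsulated although a wider tunnel policy covers it."""
    tunnels = [ipaddress.ip_network(s) for _, s, a in policies if a == "tunnel"]
    out = []
    for name, subnet, action in policies:
        net = ipaddress.ip_network(subnet)
        if action == "passthrough" and any(net.subnet_of(t) for t in tunnels):
            out.append((name, str(net)))
    return out

if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.9.44.1", "10.200.0.5", "192.0.2.1"):
        print(dst, select_policy(dst))
    print("bypasses IPsec:", cleartext_ranges())
```

Running `cleartext_ranges()` over a real policy list is a quick way to review which destinations inside a tunnel's range are deliberately left unencrypted.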