[Openswan Users] how can i exclude multiple subnets from one side

Ken Bantoft ken at xelerance.com
Tue Sep 21 23:20:28 CEST 2004

On Sun, 19 Sep 2004, Herbert Xu wrote:

> On Sun, Sep 19, 2004 at 07:37:33AM -0400, Ted Kaczmarek wrote:
> > 
> > So you create another tunnel statement specifying what to bypass in a
> > previously configured tunnel. So it will then just take the default
> > route in the table if their is not a more specific route?
> It has nothing to do with routing.  I'm not familiar enough with KLIPS
> but I'd expect the following to apply to it as well as 26sec which I
> can vouch for.
> This will get added as a policy (or eroute in KLIPS terminology) with
> a priority that is above the policy with the bigger rightsubnet.
> So any traffic going towards that subnet will match this policy (unless
> there is another one that's even more specific), hence bypassing IPsec.
> So with KLIPS even if your route says that the packet should go through
> ipsecX I'd still expect it to go out unencapsulated.  Can someone who
> has read the KLIPS code confirm this?

With =passthrough, KLIPS does not put the packet out ipsec0, so while it 
acts like routing, and looks sort-of like routing (you will have a route 
in the table) it will behave like you described.

Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson

More information about the Users mailing list