[Openswan Users] Cisco IP Redirect and L2TP
Nico Baggus
mlfreeswan at noci.xs4all.nl
Wed Dec 5 15:12:38 EST 2007
> > So maybe it is possible to define some kind of packethandling on the
> > openswan-box? the "no ip redirect" setting on the cisco is done for
> > security reasons and should not be disabled for always.
>
> What does "ip redirect" do? Does it alter other settings on the cisco?
>
Redirect means that a Cisco sends an ICMP packet back to tell the previous
hop at what MAC address the actual interface is, if the interfaces are on the
SAME LAN.
   EXTERNAL NET                              LAN
 ---------------[router/MODEM]---------+------------------+
                                    [CISCO]           [OTHERDEV]
                                       |
                        ---------------+
                         Internal net.
In this case, the modem has a route for all internal addresses to
the CISCO. When in one case the actual device is OTHERDEV, and the CISCO knows
that a part is behind the OTHERDEV, then the CISCO will send an ICMP REDIRECT
back, containing a reference to the intended target.
Without redirect, no traffic will pass to OTHERDEV.
If the Router/Modem doesn't handle ICMP redirect, you have a problem when on
the EXTERNAL NET.
In short,
this condition exists if the Router/Modem doesn't know about ICMP Redirects
[broken implementation]. It should act on them or issue a message that it is
unable to route upstream.
And the ROUTING on the Router/Modem is not configured to correctly address the
OTHERDEV.
RFC 792, ICMP Type 5
HTH,
Kind Regards,
Nico Baggus
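The message format behind the RFC 792 Type 5 redirect described above, as an added example that is not part of Nico's post or of Openswan. It builds the redirect the CISCO would send to the modem in the topology above (all addresses are constructed sample values: modem 192.0.2.1, CISCO 192.0.2.2, OTHERDEV 192.0.2.3, an internal host 10.1.2.3), parses it back, and then applies the two acceptance checks from RFC 1122 section 3.2.2.2, which the post does not mention but which are the reason redirects are a security concern: a host that does not check that the redirect came from its current first-hop router and names a gateway on the same link can have its routes rewritten by anyone on the LAN.

```python
"""Build, parse and validate RFC 792 ICMP Redirect (type 5) messages.
Added example; addresses and the quoted datagram are constructed samples."""
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5
# RFC 792 redirect codes
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), used by ICMP and IPv4."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for the datagram that triggers the redirect."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", icmp_checksum(hdr)) + hdr[12:]


def build_redirect(code: int, gateway: str, offending_datagram: bytes) -> bytes:
    """Type 5 | code | checksum | gateway address | IP header + 8 bytes of
    the datagram that should have gone to `gateway` instead (RFC 792)."""
    quoted = offending_datagram[:(offending_datagram[0] & 0x0F) * 4 + 8]
    msg = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                      socket.inet_aton(gateway)) + quoted
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_redirect(msg: bytes) -> dict:
    """Decode a redirect and verify its checksum; raises on malformed input."""
    if len(msg) < 8 + 20:
        raise ValueError("too short for an ICMP redirect")
    icmp_type, code, _, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    if icmp_checksum(msg) != 0:        # sum over a correct message folds to 0
        raise ValueError("bad ICMP checksum")
    ihl = (msg[8] & 0x0F) * 4
    if len(msg) < 8 + ihl + 8:
        raise ValueError("truncated quoted datagram")
    orig_src, orig_dst = struct.unpack("!4s4s", msg[8 + 12:8 + 20])
    return {
        "code": REDIRECT_CODES.get(code, "unknown"),
        "gateway": socket.inet_ntoa(gw),
        "orig_src": socket.inet_ntoa(orig_src),
        "orig_dst": socket.inet_ntoa(orig_dst),
    }


def redirect_acceptable(redirect: dict, sender: str, current_first_hop: str,
                        link_net: str) -> bool:
    """RFC 1122 3.2.2.2: silently discard a redirect unless it comes from the
    current first-hop router for that destination AND the new gateway is on
    the (sub)net the redirect arrived on. Skipping either check lets any
    on-link sender steer traffic through itself."""
    net = ipaddress.ip_network(link_net, strict=False)
    return (sender == current_first_hop
            and ipaddress.ip_address(redirect["gateway"]) in net)


def demo():
    """Modem forwards a packet for 10.1.2.3 to the CISCO; CISCO answers with
    a host redirect pointing the modem at OTHERDEV (192.0.2.3)."""
    datagram = ipv4_header("198.51.100.7", "10.1.2.3", 6, 8) + b"\x00\x50\x1f\x90\x00\x00\x00\x01"
    redirect = build_redirect(1, "192.0.2.3", datagram)
    parsed = parse_redirect(redirect)
    ok = redirect_acceptable(parsed, sender="192.0.2.2",
                             current_first_hop="192.0.2.2", link_net="192.0.2.0/24")
    return parsed, ok


if __name__ == "__main__":
    print(demo())
```

The `redirect_acceptable` check is the same policy Linux exposes as `net.ipv4.conf.*.accept_redirects` and `secure_redirects` (the latter only honours redirects from a gateway already in the host's gateway list); a modem that silently drops redirects, as the post describes, simply never gets past the parse step, while one that accepts them without these checks is the case the Cisco default of "no ip redirects" is guarding against.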