[Openswan Users] Routes and BGP was: Re: Openswan on Fedora 9
Michael H. Warfield
mhw at WittsEnd.com
Wed Jun 11 09:38:59 EDT 2008
Say Paul,
Need to discuss this one little point a little bit deeper...
On Tue, 2008-05-20 at 00:07 -0400, Paul Wouters wrote:
> On Mon, 19 May 2008, Michael H. Warfield wrote:
>
> > I looked further and it seems I was wrong when I thought everything was
> > working when I specified the certificate subject. It looks like pluto
> > is completing negotiations but then none of the routes appear on the
> > 2.6.09 side and I can't ping from the 2.4.9 side (where the routes did
> > appear).
> netkey does not require routes on the system, you will not see them.
This is very true and I understand that, from the gateway's standpoint,
this is handled as a security policy match, not a route. True that
"netkey" per se doesn't require those routes but there are other players
in the game that might need them.
2.4.x seems to instantiate routes while 2.6.x does not. Currently,
where I have 2.4.9 on one side of a tunnel and 2.6.14 on the other, I
see routes instantiated on the 2.4.9 side pointing toward the 2.6.14
side but not the other. That's a change and it does break some things.
Specifically, anyone doing dynamic routing ala BGP, OSPF, ISIS, or RIP
is in for a nasty surprise. Right now, on one of my gateways, when the
VPN is up, the routes are instantiated and BGP advertises those routes
to other nodes on that subnet in iBGP (there's a complicated reason for
using a heavy weight like BGP instead or RIP or OSPF having to do with
my ISP and is not relevant here) and out to my ISP on eBGP. So, while
netkey doesn't need the routes, the router daemons do. How do I
maintain the older behavior? Is this something that's going to have to
be managed in the scripts?
I'm trying to figure out how I would hook this in before I get burned
by it.
> Paul
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20080611/2f7345ec/attachment.bin
More information about the Users
mailing list