[Openswan Users] Routes and BGP was: Re: Openswan on Fedora 9

Paul Wouters paul at xelerance.com
Wed Jun 11 11:52:10 EDT 2008

On Wed, 11 Jun 2008, Michael H. Warfield wrote:

> 	This is very true and I understand that, from the gateway's standpoint,
> this is handled as a security policy match, not a route.  True that
> "netkey" per se doesn't require those routes but there are other players
> in the game that might need them.
> 	2.4.x seems to instantiate routes while 2.6.x does not.  Currently,
> where I have 2.4.9 on one side of a tunnel and 2.6.14 on the other, I
> see routes instantiated on the 2.4.9 side pointing toward the 2.6.14
> side but not the other.  That's a change and it does break some things.
> 	Specifically, anyone doing dynamic routing ala BGP, OSPF, ISIS, or RIP
> is in for a nasty surprise.  Right now, on one of my gateways, when the
> VPN is up, the routes are instantiated and BGP advertises those routes
> to other nodes on that subnet in iBGP (there's a complicated reason for
> using a heavy weight like BGP instead or RIP or OSPF having to do with
> my ISP and is not relevant here) and out to my ISP on eBGP.  So, while
> netkey doesn't need the routes, the router daemons do.  How do I
> maintain the older behavior?  Is this something that's going to have to
> be managed in the scripts?
> 	I'm trying to figure out how I would hook this in before I get burned
> by it.

I believe if you add leftsourceip=, you will get your route, even on netkey.


More information about the Users mailing list