[Openswan Users] Routes and BGP was: Re: Openswan on Fedora 9
paul at xelerance.com
Wed Jun 11 11:52:10 EDT 2008
On Wed, 11 Jun 2008, Michael H. Warfield wrote:
> This is very true and I understand that, from the gateway's standpoint,
> this is handled as a security policy match, not a route. True that
> "netkey" per se doesn't require those routes but there are other players
> in the game that might need them.
> 2.4.x seems to instantiate routes while 2.6.x does not. Currently,
> where I have 2.4.9 on one side of a tunnel and 2.6.14 on the other, I
> see routes instantiated on the 2.4.9 side pointing toward the 2.6.14
> side but not the other. That's a change and it does break some things.
> Specifically, anyone doing dynamic routing ala BGP, OSPF, ISIS, or RIP
> is in for a nasty surprise. Right now, on one of my gateways, when the
> VPN is up, the routes are instantiated and BGP advertises those routes
> to other nodes on that subnet in iBGP (there's a complicated reason for
> using a heavy weight like BGP instead or RIP or OSPF having to do with
> my ISP and is not relevant here) and out to my ISP on eBGP. So, while
> netkey doesn't need the routes, the router daemons do. How do I
> maintain the older behavior? Is this something that's going to have to
> be managed in the scripts?
> I'm trying to figure out how I would hook this in before I get burned
> by it.
I believe if you add leftsourceip=, you will get your route, even on netkey.
More information about the Users