[Openswan Users] dynamic routing protocols with NETKEY

Andrew Lemin andrew.lemin at monitorsoft.com
Sat Feb 21 14:13:05 EST 2009

Hi Simon,

Cheers for your suggestion.

What do you mean by kernel routes exactly?


Please bear in mind that this is a 2.6.x Vanilla Kernel using NETKEY and
not KLIPS as in the old 2.4.x kernels. Therefore there are no ipsecX
interfaces to create routes for. Instead NETKEY performs policy matching
instead of route matching.


If this is what you meant, how can I show the 'kernel' routes if these are
not the same as 'route -n'?







Hi !
    The vpn routes are established as kernel routes and can be redistributed
quite easily using OSPF/BGP.
        Thanks !

- Simon Charles - 




I have been trying to research for any possible method to get dynamic
routing working to advertise VPN routes when using NETKEY.


So far I have found nothing!

I just don't understand why NETKEY does not provide a way of exporting
established VPN policies as routes to allow dynamic routing protocols to
work. Surely this is a HUGE deal and I can't be the only one with this


PS. KLIPS is not an option, I am stuck with NETKEY.


Would it be possible to use the command 'ip xfrm state' in a script to
create dummy routes which can then in turn be advertised?


Thank you in advance.
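
The script idea raised in the question above, sketched as an added example (not part of the original post and not Openswan code): it reads `ip xfrm policy` output, since the policies carry the subnet selectors, and prints one route command per outbound tunnel-mode policy for a routing daemon to redistribute. The sample policy dump is constructed, and the device name `eth0` and all function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy` output: two tunnels plus a socket policy.
sample_xfrm_policy() {
cat <<'EOF'
src 192.168.10.0/24 dst 10.20.0.0/16
    dir out priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
        proto esp reqid 16385 mode tunnel
src 10.20.0.0/16 dst 192.168.10.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.7 dst 203.0.113.1
        proto esp reqid 16385 mode tunnel
src 192.168.10.0/24 dst 10.30.5.0/24
    dir out priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.9
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
EOF
}

# Read a policy dump on stdin; print "<remote subnet> <tunnel peer>" once per
# outbound tunnel-mode policy. Inbound, forward and socket policies are skipped.
xfrm_out_subnets() {
    awk '
        $1 == "src" && $3 == "dst" { dst = $4; dir = ""; peer = ""; next }  # selector line opens a policy
        $1 == "dir"                { dir = $2; next }
        $1 == "tmpl"               { peer = $5; next }                     # tmpl src A dst B
        $1 == "proto" && dir == "out" {
            mode = ""
            for (i = 1; i < NF; i++) if ($i == "mode") mode = $(i + 1)
            if (mode == "tunnel" && dst != "0.0.0.0/0" && !seen[dst]++) print dst, peer
        }
    '
}

# Dry run: print the route commands instead of executing them.
# $1 = device the routes should point at (assumption: chosen by the caller).
route_cmds() {
    xfrm_out_subnets | while read -r subnet peer; do
        printf 'ip route replace %s dev %s\n' "$subnet" "$1"
    done
}

# On a live gateway the input would be: ip xfrm policy | route_cmds eth0
sample_xfrm_policy | route_cmds eth0
```

The printed commands are a dry run; stale routes for policies that have since been torn down are not removed by this sketch.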

