[Openswan Users] dynamic routing protocols with NETKEY

simon charles charlessimon at hotmail.com
Mon Feb 23 10:36:09 EST 2009

Hi Andy !
    It would be helpful if you could post your configuration files and the output of "route -n" after your vpn comes up.

- Simon Charles - 

From: andrew.lemin at monitorsoft.com
To: charlessimon at hotmail.com; users at openswan.org
Subject: RE: [Openswan Users] dynamic routing protocols with NETKEY
Date: Sat, 21 Feb 2009 19:13:05 +0000

Hi Simon,

Cheers for your suggestion.

What do you mean by kernel routes exactly?


Please bear in mind that this is a 2.6.x Vanilla Kernel using
NETKEY and not KLIPS as in the old 2.4.x kernels. Therefore there are no
ipsecX interfaces to create routes for. Instead NETKEY performs policy matching
instead of route matching.


If this is what you meant, how can I show the 'kernel'
routes if these are not the same as 'route -n'?







Hi !

    The vpn routes are established as kernel routes and can be
redistributed quite easily using OSPF/BGP.

        Thanks !

- Simon Charles - 



I have been trying to research for any possible method to get dynamic routing
working to advertise VPN routes when using NETKEY.

So far I have found nothing!

I just don't understand why NETKEY does not provide a way of exporting
established VPN policies as routes to allow dynamic routing protocols to work.
Surely this is a HUGE deal and I can't be the only one with this problem.

KLIPS is not an option, I am stuck with NETKEY.

Would it be possible to use the command 'ip xfrm state' in a script to create dummy
routes which can then in turn be advertised?

Thank you in advance.


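A sketch of the scripted approach asked about at the end of the thread, as an added example that is not from the thread or from Openswan. It reads `ip xfrm policy` output rather than `ip xfrm state`, since the policies are what carry the subnet selectors. The sample text is constructed and the egress device name `eth0` is an assumption.

```shell
#!/bin/sh
# Added example: derive route commands from NETKEY outbound tunnel policies.
# Assumption: text layout of `ip xfrm policy` as in SAMPLE; "eth0" is hypothetical.

# Constructed sample (documentation address ranges), not output from the thread.
SAMPLE='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/16
    dir out priority 2600 ptype main
    tmpl src 192.0.2.1 dst 203.0.113.9
        proto esp reqid 16389 mode tunnel
src 192.0.2.1/32 dst 192.0.2.77/32
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16393 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 3000 ptype main
    tmpl src 192.0.2.1 dst 203.0.113.50
        proto esp reqid 16397 mode tunnel'

# Reads policy text on stdin; prints one "ip route replace" line per remote
# subnet protected by an outbound tunnel-mode policy. $1 = egress device.
xfrm_policies_to_routes() {
    awk -v dev="$1" '
        $1 == "src" && $3 == "dst" { dst = $4; dir = ""; next }  # selector line
        $1 == "dir"                { dir = $2; next }
        $1 == "proto" && dir == "out" {
            tunnel = 0
            for (i = 2; i < NF; i++)
                if ($i == "mode" && $(i + 1) == "tunnel") tunnel = 1
            # Never emit a default route, and emit each subnet only once.
            if (tunnel && dst != "0.0.0.0/0" && !(dst in seen)) {
                seen[dst] = 1
                print "ip route replace " dst " dev " dev
            }
        }'
}

# Dry run on the sample: prints the commands instead of executing them.
printf '%s\n' "$SAMPLE" | xfrm_policies_to_routes eth0
```

On a live gateway the input would be `ip xfrm policy` piped into the function, with the printed commands reviewed before they are run. The routing daemon still has to be configured to redistribute the resulting routes.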