[Openswan Users] What does openswan/netkey by way of a default route?

Paul Wouters paul at xelerance.com
Wed Mar 10 00:31:34 EST 2010


On Tue, 9 Mar 2010, Whit Blauvelt wrote:

> Can someone either explain or point me to what openswan/netkey
> expects/requires by way of a default route?

There are a few reasons why openswan might need to know a default route

1) when using left/right=%defaultroute to bind to the proper interface
    for the IKE daemon
2) For KLIPS, where the IPsec stack actually obtains packets via routing,
    and thus routing matters (it uses two "half routes" to grab all packets)
    (NETKEY grabs packets differently, and should not be depending on routing)
3) I believe some corner cases require NETKEY to know the default gateway
    and routing too. I believe only when using 0.0.0.0/0 subnets (e.g. "extruded
    network"). Perhaps when using left/rightsourceip=. See _updown.netkey

I *think* a non-specified nexthop setting assumes a left/rightnexthop=%defaultroute,
which then might again imply needing a default route.

> Went over and looked at Strongswan, and that's far, far less documented.
> Scary. Has the world gone so strongly over to using either appliances or
> OpenVPN that Linux IPsec is just fading away?

Nobody pays for documentation. I'd gladly accept donations in the form of money
or students or time to remedy this. The man pages should be up to date (we do
spend the time on that) and there is a wealth of information in the users at openswan.org
mailing list archive - though by now often with dead links too.

Paul
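The points above (an unset nexthop falling back to %defaultroute, and the IKE daemon binding to the interface of the default route) can be checked on a host before bringing a tunnel up. The script below is an added example, not openswan's own setup code and not part of this thread: it reads an `ip -4 route show` style table, reports what %defaultroute would resolve to, and fails clearly when the table has no default route at all. The route tables embedded in it are constructed sample input so it runs offline; the assumption that openswan derives %defaultroute from the kernel's default route and the link route's `src` hint is mine, taken from the behaviour described above.

```shell
#!/bin/sh
# Added example (not from the openswan project or this thread): resolve what
# left/right=%defaultroute or left/rightnexthop=%defaultroute would pick up
# from the IPv4 routing table, and flag the case where no default route exists.
# The lookup is assumed to mirror openswan's use of the kernel route table.

# Constructed sample output of `ip -4 route show`, embedded so this runs offline.
# On a live host use:  ROUTES=$(ip -4 route show)
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto static metric 100
10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.2.3
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50'

# Constructed table with no default route (a host with only link routes).
SAMPLE_NO_DEFAULT='10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.2.3'

# default_route ROUTES: print "<gateway> <interface>" for the first default
# route; print nothing and exit 1 when the table has none.
# A point-to-point default ("default dev ppp0") has no gateway; report "none".
default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = "none"
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev
            found = 1
            exit
        }
        END { exit !found }'
}

# nexthop_for ROUTES: what an unspecified leftnexthop= is assumed to fall back to
nexthop_for() {
    default_route "$1" | awk '{ print $1 }'
}

# ike_iface_for ROUTES: the interface %defaultroute would bind the IKE daemon to
ike_iface_for() {
    default_route "$1" | awk '{ print $2 }'
}

# src_for ROUTES IFACE: the local address left=%defaultroute would resolve to,
# taken from the kernel "src" hint on that interface's link route
src_for() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 != "default" {
            ok = 0
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == dev) ok = 1
            for (i = 1; i <= NF; i++) if (ok && $i == "src") { print $(i + 1); exit }
        }'
}

# check_defaultroute ROUTES: print a one-line summary; return 0 when
# %defaultroute can be resolved, 1 when it cannot.
check_defaultroute() {
    routes=$1
    if ! route=$(default_route "$routes"); then
        echo "no default route: %defaultroute and an unset nexthop cannot resolve"
        return 1
    fi
    gw=${route% *}
    dev=${route#* }
    echo "IKE interface: $dev  nexthop: $gw  local address: $(src_for "$routes" "$dev")"
    return 0
}

# Usage on the constructed tables (on a live host pass "$(ip -4 route show)")
check_defaultroute "$SAMPLE_ROUTES"
check_defaultroute "$SAMPLE_NO_DEFAULT" || :
```

Run it on a gateway with several default routes (metrics, policy routing) and compare the printed interface and nexthop with what `ipsec verify` and the IKE daemon's bind log report; if they disagree, set left/right= and left/rightnexthop= explicitly rather than relying on %defaultroute.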

