[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device

Paul Wouters paul at xelerance.com
Fri Aug 19 10:06:10 EDT 2011

On Thu, 18 Aug 2011, Roberto Suarez Soto wrote:

> 	And here comes the problem. The RIP traffic that comes from the PaloAlto

Yes, RIP is your problem..... RIP should be long uhm....dead

RIP messages (if I remember correctly from my teens) are broadcasts, and these
won't go over the tunnel, period. If you mean traffic routed via routes
spread by RIP, then you have to ensure traffic policies cover all possible
routes into IPsec. IPsec is not a virtual ethernet device.

> device uses the local IP of its "IPSec tunnel" (no idea of what it means),
> which is, of course, from a network that I can't route anywhere (let's say
> "EE.EE.EE.EE"). So I can see packets from that IP through the IPSec link, but
> can't reply to them because I don't know where to send them.

If they NAT with some proxy IP, then yes, you cannot see individual IPs.

> 	If I used KLIPS, I guess I could just route EE.EE.EE.EE/32 through some
> ipsec* device; but alas, I'm using NETKEY. So I'm stuck because I can't
> communicate with the PaloAlto device in any way to send it RIP information.

No, you cannot just route add -net without an IPsec policy. It will get dropped.
However, using KLIPS you would at least be able to see which packets are
dropped. NETKEY offers no such functionality.
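The point Paul makes (a packet only enters the tunnel if an IPsec policy's selectors match it; otherwise it is dropped) can be checked offline: given the tunnel's leftsubnet/rightsubnet selectors and the prefixes a peer advertises via RIP, list the destinations no policy covers. This is an added example, not code from the thread or from Openswan; all subnets, the "10.1.0.0/16" local side and the "192.0.2.7/32" peer tunnel address are constructed placeholders standing in for EE.EE.EE.EE.

```python
import ipaddress

# Constructed sample: the tunnel's traffic selectors as Openswan would install
# them into the kernel SPD (NETKEY: visible with `ip xfrm policy`).
POLICIES = [
    ("10.1.0.0/16", "172.16.0.0/24"),   # our LAN <-> remote subnet A
    ("10.1.0.0/16", "172.16.50.0/24"),  # our LAN <-> remote subnet B
]

# Constructed sample: prefixes the peer advertised via RIP, plus the peer's own
# tunnel-interface address (the thread's EE.EE.EE.EE, placeholder value).
LEARNED_ROUTES = [
    "172.16.0.0/24",
    "172.16.50.0/24",
    "172.16.99.0/24",   # advertised by RIP, but no policy selects it
    "192.0.2.7/32",     # peer's tunnel-interface IP, outside every selector
]


def covered(dst, local_src, policies):
    """True if some policy's (src, dst) selectors contain local_src and dst.

    Traffic that matches no selector never gets IPsec applied; with NETKEY it
    is silently dropped, with KLIPS you would at least see the drop.
    """
    d = ipaddress.ip_network(dst, strict=False)
    s = ipaddress.ip_network(local_src, strict=False)
    for src_sel, dst_sel in policies:
        src_net = ipaddress.ip_network(src_sel)
        dst_net = ipaddress.ip_network(dst_sel)
        if s.subnet_of(src_net) and d.subnet_of(dst_net):
            return True
    return False


def uncovered_routes(routes, local_src, policies):
    """Return the learned destinations that no IPsec policy would carry."""
    return [r for r in routes if not covered(r, local_src, policies)]


if __name__ == "__main__":
    for r in uncovered_routes(LEARNED_ROUTES, "10.1.0.0/16", POLICIES):
        print("no IPsec policy covers", r, "- add a selector or it is dropped")
```

The same check applied to RIP's own destinations (a broadcast or 224.0.0.9) comes back uncovered too, which is Paul's first point: the routing-protocol chatter itself does not ride the tunnel.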

