[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device
Roberto Suarez Soto
roberto.suarez.soto at gmail.com
Tue Aug 23 11:59:56 EDT 2011
On 08/19/2011 04:06 PM, Paul Wouters wrote:
> Yes, RIP is your problem..... RIP should be long uhm....dead
What can I say. The other option was OSPF, and it didn't work either :-)
> RIP messages (If I remember correctly from my teens) are broadcasts, and these
> won't go over the tunnel period. If you mean traffic routed via routes
> spread by RIP, then you have to ensure traffic policies cover all possible
> routes into ipsec. IPsec is not a virtual ethernet device.
Well, you can also use RIP in unicast mode. At least, that's how I have
it working in another context. But I don't think it matters, because in that
case there's a real interface with the IP addresses that are used for RIP
packets. In this one, the IP addresses of the RIP neighbors belong to the
subnets behind the IPSec peers. So no cookie.
> No, you cannot just route add -net without an IPsec policy. It will get
> dropped.
> However, using KLIPS you would at least be able to see which packets are
> dropped. NETKEY offers no such functionality.
So, would KLIPS be the only option? I've seen the other link you've
posted about a hack for Juniper interaction but it really doesn't apply here.
Thanks in advance,
--
Roberto Suarez Soto Man is a dark animal
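Paul's point above, that every route RIP injects must be matched by an IPsec policy or the traffic is dropped, can be checked mechanically. The following is an added example, not code from this thread or from Openswan: it parses a constructed `ip xfrm policy` listing (the NETKEY SPD) and a constructed list of RIP-learned prefixes, and reports which prefixes no outbound policy covers, or only partially covers.

```python
import ipaddress
import re
# Constructed sample of `ip xfrm policy` output (the NETKEY SPD); not output from this thread.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 2344 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.3.0.0/24
    dir out priority 2344 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16386 mode tunnel
"""
# Constructed prefixes as a RIP daemon might have injected them into the kernel routing table.
SAMPLE_RIP_ROUTES = ["10.2.5.0/24", "10.3.0.0/16", "10.4.0.0/24", "10.1.7.0/24"]
# Policy selector line; anchored so the indented `tmpl src ... dst ...` endpoint lines never match.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")

def parse_out_policies(xfrm_text):
    """Return (src, dst) selector networks of every `dir out` policy."""
    policies, selector = [], None
    for raw in xfrm_text.splitlines():
        line = raw.strip()
        match = POLICY_RE.match(line)
        if match:
            selector = tuple(ipaddress.ip_network(g) for g in match.groups())
        elif selector is not None and line.startswith("dir out"):
            policies.append(selector)  # `dir in` / `dir fwd` blocks are skipped on purpose
    return policies

def classify_routes(routes, policies):
    """Map each route prefix to 'covered', 'partial' or 'uncovered' by the outbound SPD."""
    status = {}
    for route in routes:
        net = ipaddress.ip_network(route)
        verdict = "uncovered"
        for _src, dst in policies:
            if net.subnet_of(dst):   # the whole prefix is matched by one policy
                verdict = "covered"
                break
            if net.overlaps(dst):    # only part of the prefix would enter IPsec
                verdict = "partial"
        status[route] = verdict
    return status

REPORT = classify_routes(SAMPLE_RIP_ROUTES, parse_out_policies(SAMPLE_XFRM_POLICY))  # {prefix: verdict}
```

Anything reported as "partial" or "uncovered" needs a matching conn (for example an extra leftsubnets/rightsubnets pair) before the RIP-learned route is of any use.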