[Openswan Users] IPSec connection and dynamic routing against a PaloAlto Networks device

Roberto Suarez Soto roberto.suarez.soto at gmail.com
Tue Aug 23 11:59:56 EDT 2011

El 08/19/2011 04:06 PM, Paul Wouters escribió:

> Yes, RIP is your problem..... RIP should be long uhm....dead

     What can I say. The other option was OSPF, and it didn't work either :-)

> RIP messages (If I remember correctly from my teens) are broadcasts, and these
> won't go over the tunnel period. If you mean traffic routed via routes
> spread by RIP, then you have to ensure traffic policies cover all possible
> routes into ipsec. IPsec is not a virtual ethernet device.

     Well, you can also use RIP in unicast mode. At least, that's how I have 
it working in another context. But I don't think it matters, because in that 
case there's a real interface with the IP addresses that are used for RIP 
packets. In this one, the IP addresses of the RIP neighbors belong to the 
subnets behind the IPSec peers. So no cookie.

> No, you cannot just route add -net without an IPsec policy. It will get 
> dropped.
> Howeverm, using KLIPS you would at least be able to see which packets are
> dropped. NETKEY offers no such functionality.

     So, would KLIPS be the only option? I've seen the other link you've 
posted about a hack for Juniper interaction but it really doesn't apply here.

     Thanks in advance,

     Roberto Suarez Soto                  Man is a dark animal

More information about the Users mailing list