Message-ID: <3D599416.5CDE92D9@mindspring.com>
Date: Tue, 13 Aug 2002 16:19:50 -0700
From: Terry Lambert
To: Les Biffle
Cc: Lars Eggert, hackers@freebsd.org
Subject: Re: IP routing question
References: <200208131813.g7DIDiH14643@ns3.safety.net>

Les Biffle wrote:
> > You could use the draft-touch-ipsec-vpn-04.txt together with ipfw rules,
> > but then you say you don't want to look at IP addresses...
>
> I'm happy to look at outside addresses, just not the ones on the inside.
> I would also consider matching up endpoint (VPN gateway or "outside")
> address and SPI to know which SA a packet is arriving on, for the
> inbound-through-tunnel direction, and then use the vlan interface name
> to help select the departing tunnel, if possible.
>
> > So no, I don't see how it can be done under your constraints.
>
> Well, not perhaps without some nethacks in the kernel. I've certainly
> done that before, but would prefer something more vanilla.

One short answer is to not set a default route, per se. I know this is ugly, but it fixes the IPSec tunnel problem.

-- Terry