From owner-freebsd-hackers  Tue Aug 13 16:44:30 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C441837B400
	for <hackers@freebsd.org>; Tue, 13 Aug 2002 16:44:28 -0700 (PDT)
Received: from avocet.mail.pas.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5640343E70
	for <hackers@freebsd.org>; Tue, 13 Aug 2002 16:44:23 -0700 (PDT)
	(envelope-from tlambert2@mindspring.com)
Received: from pool0032.cvx40-bradley.dialup.earthlink.net ([216.244.42.32] helo=mindspring.com)
	by avocet.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 17elKc-0005NI-00; Tue, 13 Aug 2002 16:44:10 -0700
Message-ID: <3D599992.7C954D42@mindspring.com>
Date: Tue, 13 Aug 2002 16:43:14 -0700
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Lars Eggert <larse@ISI.EDU>
Cc: Les Biffle <les@safety.net>, hackers@freebsd.org
Subject: Re: IP routing question
References: <200208131813.g7DIDiH14643@ns3.safety.net> <3D599416.5CDE92D9@mindspring.com> <3D599679.5090507@isi.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Lars Eggert wrote:
> I don't think we have the same definition of "the IPSec tunnel problem."
> Mine is "tunnel mode SAs aren't interfaces, and IPsec duplicates
> encapsulation and firewalling techniques that are (better) handled
> outside IPsec", see draft-touch-ipsec-vpn.
> 
> Having or not having a default route won't matter, since you'll have
> more specific routes that match before the default route would be picked.

As you say, SA's are not interfaces.  Try pinging over the link
from hosts on either side of the tunnel, e.g.:

10.0.1.15/8<--->10.0.1.1/8		10.0.2.1/8<---->10.0.2.11/8
		public IP #1<----------->public IP #2

Ping #1    <---------------------------->		works
Ping #2    <------------------------------------------->broken

Get rid of the default route, and ping #2 starts working.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message