From owner-freebsd-hackers Tue Aug 13 17:09:31 2002
Message-ID: <3D599F7D.D64008AC@mindspring.com>
Date: Tue, 13 Aug 2002 17:08:29 -0700
From: Terry Lambert
To: Lars Eggert
Cc: Les Biffle, hackers@freebsd.org
Subject: Re: IP routing question
References: <200208131813.g7DIDiH14643@ns3.safety.net> <3D599416.5CDE92D9@mindspring.com> <3D599679.5090507@isi.edu> <3D599992.7C954D42@mindspring.com> <3D599D00.8070807@isi.edu>

Lars Eggert wrote:
> Terry Lambert wrote:
> > As you say, SA's are not interfaces. Try pinging over the link
> > from hosts on either side of the tunnel, e.g.:
> >
> > 10.0.1.15/8<--->10.0.1.1/8 10.0.2.1/8<---->10.0.2.11/8
> >              public IP #1<----------->public IP #2
> >
> > Ping #1 <--------------------------> works
> > Ping #2 <----------------------------------------->broken
> >
> > Get rid of the default route, and ping #2 starts working.
>
> That looks like a routing issue on the tunnel endpoint that's
> independent from IPsec - what's in the routing table?

Now? Not a default route, that's for sure... 8-) 8-) ;^).

I traced the problem down to the cloning of routes, and given the
opacity of the code, and the fact I had a workaround available, didn't
bother chasing it further.

The response packets got *back* to 10.0.1.1, but 10.0.1.1 did not
forward them on the local net to 10.0.1.15, but pushed them out the
default interface instead.

-- Terry
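The routing decision Terry describes (a reply for 10.0.1.15 arriving at 10.0.1.1 and leaving on the default interface instead of the local net) comes down to longest-prefix matching in the forwarding table. The following is an added illustration written for this archive page; it is not part of the thread and not FreeBSD's routing code. It simulates the lookup over a table modelled on the diagram above: the interface names `lan0` and `public0` are placeholders, and the "cloned host route" scenario only shows that a /32 entry always beats the connected /8, regardless of which interface it names; it is not a claim about the exact defect Terry hit.

```python
import ipaddress

# Constructed routing table modelled on the diagram in the thread.
# Interface names are placeholders of mine, not anything from the message.
BASE_TABLE = [
    ("0.0.0.0/0", "public0"),   # default route toward the public side of the tunnel
    ("10.0.0.0/8", "lan0"),     # connected net of the 10.0.1.1/8 endpoint
]


def build_table(entries):
    """Turn (prefix, interface) pairs into (ip_network, interface) pairs."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in entries]


def candidates(table, dst):
    """All routes covering dst, most specific first (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, ifname) for net, ifname in table if addr in net]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, dst):
    """Interface a packet for dst would be sent out of, or None if unroutable."""
    hits = candidates(table, dst)
    return hits[0][1] if hits else None


def with_cloned_host_route(table, host, ifname):
    """Add a /32 host route, the shape BSD route cloning produces for a neighbour.
    (Illustrative assumption: the interface it names is whatever the caller passes.)"""
    return table + [(ipaddress.ip_network(f"{host}/32"), ifname)]


def explain(table, dst):
    """Human-readable trace of the candidate routes and the chosen one."""
    lines = [f"{dst}:"]
    for net, ifname in candidates(table, dst):
        lines.append(f"  {str(net):15} via {ifname}")
    lines.append(f"  -> chosen: {lookup(table, dst)}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = build_table(BASE_TABLE)
    # Expected case: the reply for 10.0.1.15 stays on the LAN.
    print(explain(table, "10.0.1.15"))
    # With only the default route left, everything goes to the public side.
    print(explain(build_table(BASE_TABLE[:1]), "10.0.1.15"))
    # A /32 host route beats the /8 no matter which interface it points at.
    print(explain(with_cloned_host_route(table, "10.0.1.15", "public0"), "10.0.1.15"))
```

On the real endpoint the equivalent check is `netstat -rn` for the whole table and `route -n get 10.0.1.15` for the entry the kernel actually selects, which is where a stale or mis-pointed host route shows up. The same lookup also shows that, with the /8 masks drawn in the diagram, 10.0.2.11 matches 10.0.0.0/8 from 10.0.1.1's side too, something worth confirming when the two LANs are meant to be distinct networks.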