Quoting Feizhou <feizhou@xxxxxxxxxxxx>:

>
>>> ip route add 192.168.1.0/24 via 1.2.3.4 src 192.168.2.1
>
>> The network scripts are prepared for this. Create a file called
>> /etc/sysconfig/network-scripts/route-<devicename> with content
>> "192.168.1.0/24 via 1.2.3.4 src 192.168.2.1" (the ip route add is
>> executed by the network script automatically). You can read about that
>> in /usr/share/doc/initscripts*/sysconfig.txt.
>
> ADDRESS0=192.168.1.0
> NETMASK0=255.255.255.0
> PREFIX=255.255.255.0
> GATEWAY0=1.2.3.4

I know how to set up static routes, but thanks anyhow ;-)

The problem is, you can't force the "src" argument for the ip route command using routes-* file(s). And the only purpose of those routes is the "src" argument (the route itself is never used, since there's an IPSec policy for that network in place, forcing packets to be tunneled).

The second problem is that the correct parameters for the route are calculated by the ifup-ipsec script (not the one in the current initscripts package, the one that will be part of CentOS 4.2). So basically, the route-* files are more or less useless here.

Anyhow, it seems that some other stuff needs to be reset for the IPSEC VPN (like IPSec policies), so doing ifup of the VPNs was the only way to guarantee they get up when the network connection is restored (plus current initscripts attempt to initialize IPSEC before they initialize xDSL, which doesn't quite work).

Anyhow, the more I work with native Linux IPSec, the more it seems to me that the decision not to assign a virtual interface (like ipsec* or tun*, like some other VPN implementations do) to tunnels was a mistake (maybe the current way looks cleaner to a kernel developer, but the old way was way simpler to manage for a system administrator).