Hello. I wonder how just a correct couple of spdadd commands like

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.2.0.1-10.1.0.1/require;

makes _routing_ of packets from 192.168.1/24 into 192.168.2/24. If I understand correctly how it works on *BSD, these commands will make already tunneled traffic encrypted; routing is done before and besides the ipsec SA and SP databases. So routing happens just like a miracle.

Ok, I would not ask all this if I had no problem with tunnelling. With a configuration like the one described above, where multihomed machines have IP addresses (192.168.1.1, 10.1.0.1) and (192.168.2.1, 10.2.0.1), tunneling works for all machines but these two routers. This happens because if we send a packet from 10.1.0.1 into 192.168.2/24, this packet does not come to ipsec, but is pushed to the default gateway, if it exists. In other words, locally generated packets do not come through prerouting or something.

-- 
Alexander Kotelnikov
Saint-Petersburg, Russia

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
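The behaviour described in the post (transit hosts get the tunnel, the router's own packets do not) follows from how the security policy database is consulted: the SPD is searched by packet selectors (source range, destination range, direction), not by route, so a packet the router emits with its 10.1.0.1 address as source falls outside the 192.168.1.0/24 selector and is handed to plain routing. The following is an added example, not code from the post or from any BSD or KAME tool: it parses the two spdadd lines quoted above into a toy SPD and runs sample packets through a simplified lookup. The 10.1.0.1/32 entry at the end is an assumption introduced here to show what a selector covering the router's own address would do in this model; which source address the kernel actually picks for locally originated packets depends on route selection, so that entry only illustrates the matching rule. The model ignores upper-layer protocol and port selectors and policy ordering details that real setkey policies carry.

```python
"""Toy model of an IPsec security policy database (SPD) lookup.

Added example, not part of the post: parses the two spdadd lines quoted
there and shows why they select transit traffic from 192.168.1.0/24 but
not packets the router itself sends with source 10.1.0.1. Simplified:
prefix + direction selectors only (no protocol/port selectors).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network   # selector: inner packet source range
    dst: ipaddress.IPv4Network   # selector: inner packet destination range
    direction: str               # "in" or "out"
    tunnel_src: str              # outer IP header source (tunnel endpoint)
    tunnel_dst: str              # outer IP header destination
    level: str                   # e.g. "require"


def parse_spdadd(line: str) -> Policy:
    """Parse one setkey line of the exact shape used in the post:
    spdadd SRC DST any -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL;"""
    tok = line.strip().rstrip(";").split()
    if len(tok) != 8 or tok[0] != "spdadd" or tok[4] != "-P" or tok[6] != "ipsec":
        raise ValueError(f"unsupported spdadd form: {line!r}")
    proto, mode, endpoints, level = tok[7].split("/")
    if proto != "esp" or mode != "tunnel":
        raise ValueError(f"only esp/tunnel policies are modelled: {line!r}")
    tsrc, tdst = endpoints.split("-")
    return Policy(ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[2]),
                  tok[5], tsrc, tdst, level)


def lookup(spd: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """Return the first policy whose selectors cover the packet, else None.
    An SPD miss means the packet is simply handed to ordinary routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def describe(spd: List[Policy], src: str, dst: str, direction: str = "out") -> str:
    """Human-readable verdict for one packet against the given SPD."""
    p = lookup(spd, src, dst, direction)
    if p is None:
        return "no policy: plain routing (default gateway if any)"
    return f"esp tunnel {p.tunnel_src}->{p.tunnel_dst} ({p.level})"


# The two policies quoted in the post, as seen on router A (192.168.1.1 / 10.1.0.1).
POST_POLICIES = [
    "spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;",
    "spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.2.0.1-10.1.0.1/require;",
]
SPD = [parse_spdadd(line) for line in POST_POLICIES]

# Hypothetical extra entry (assumption, not from the post): a selector that
# covers packets router A originates with its own 10.1.0.1 address as source.
ROUTER_SELF_POLICY = parse_spdadd(
    "spdadd 10.1.0.1/32 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;")
SPD_WITH_SELF = SPD + [ROUTER_SELF_POLICY]

if __name__ == "__main__":
    # Constructed packets: a LAN host behind router A, and router A itself.
    print("host 192.168.1.5 -> 192.168.2.7 :", describe(SPD, "192.168.1.5", "192.168.2.7"))
    print("router 10.1.0.1  -> 192.168.2.7 :", describe(SPD, "10.1.0.1", "192.168.2.7"))
    print("router, with /32 self policy    :", describe(SPD_WITH_SELF, "10.1.0.1", "192.168.2.7"))
```

Run it as a script: the LAN host's packet matches the first policy and is tunnelled, the router's own packet misses every selector and is reported as plain routing, which is exactly the symptom in the post, and only the assumed 10.1.0.1/32 entry makes the router's packet match in this model.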