ip ro add 192.168.2.0/24 via 10.2.0.1 dev ethx src 192.168.1.1 the spd policies will then match and encrypt the traffic. this is the same solution like you have to do for the freeswan ipsec stack. for me it works... Alexander Kotelnikov (sacha@xxxxxxxxxxx) schrieb: > > >>>>> On Mon, 05 Dec 2005 06:08:30 +0100 > >>>>> "AU" == Andreas Unterkircher <unki@xxxxxxxxxxxx> wrote: > AU> > AU> Alexander Kotelnikov schrieb: > >> Ok, I would not ask all this if I have no problem with > >> tunnelling. With configuration like described above, where multihomed > >> maches have ip-addresses (192.168.1.1, 10.1.0.1) and (192.168.2.1, > >> 10.2.0.1) tunneling works for all machines, but these two > >> routers. This happenes becase if we send a packet from 10.1.0.1 into > >> 192.168.2/24 this packet does not come to ipsec, but is pushed to > >> default gateway, if it exists. In other words, local generated packets > >> do not come through prerouting or something. > >> > AU> You have to add a route on 10.1.0.1 to make sure packets which belong to > AU> 192.168.2.0/24 have > AU> a src address of 192.168.1.1. > > Very funny, how do you imagine this could be done? > > -- > Alexander Kotelnikov > Saint-Petersburg, Russia > > _______________________________________________ > LARTC mailing list > LARTC@xxxxxxxxxxxxxxx > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
