On Tuesday 26 June 2007 00:40, Julian Anastasov wrote:

> Maybe you have to replace your _updown script with one that
> supports "ip route" and "ip rule" commands instead of the old "route"
> tool. By this way you can use "ip rule ... from LNET to RNET"
> to properly route traffic for the negotiated subnets. If I remember
> correctly, the default _updown script does not consider negotiated
> LNET at all. As for routes patch, it will prefer NOARP devices when
> the neighbours on ARP device are not marked as reachable in ARP cache.
> So, it is risky to rely on wrong routes, especially after routes patch
> is applied.
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>

The _updown script is only called when a tunnel is brought up or down, but the problem I am having is not related to a tunnel, but to routing before any tunnel gets established. I mean that even a configuration with only one tunnel that is listening is creating problems because both StrongSWAN and OpenSWAN add IP addresses on the ipsecN interface that are identical to the ones on the real interface (ethN).

I think the problem is related to the presence of the ipsecN interface in KLIPS (linux-2.4). On 2.6 kernels there is no such interface and consequently there is no "conflict". Is there any real solution to this problem?

On the other hand, my understanding of the solution you gave me (inserting a rule "from LNET to RNET") is that it can be applied once the tunnel is up. However, would you care to elaborate more on this case as well?

Cheers,
Seba.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
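The "ip rule ... from LNET to RNET" approach Julian describes, written as a fragment of a custom _updown script; this is an added example, not code from the thread, Openswan or strongSwan. It assumes pluto exports PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_INTERFACE to the script, uses routing table 220 (an arbitrary choice), and has a DRY_RUN mode (on by default) that prints the ip commands instead of executing them.

```shell
#!/bin/sh
# Added example of a policy-routing _updown fragment; not the stock script.
# Assumed (not stated in the thread): pluto calls this with PLUTO_VERB,
# PLUTO_MY_CLIENT (LNET), PLUTO_PEER_CLIENT (RNET) and PLUTO_INTERFACE set.
TABLE=${TABLE:-220}      # dedicated routing table, arbitrary number
DRY_RUN=${DRY_RUN:-1}    # 1 = print commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Install or remove the LNET -> RNET policy route for one tunnel event.
# $1 verb (up-client/down-client), $2 LNET, $3 RNET, $4 ipsec device
policy_route() {
    verb=$1 lnet=$2 rnet=$3 dev=$4
    case "$verb" in
    up-client)
        # The route to the remote subnet lives only in the dedicated table,
        # so the main table (and the duplicated ipsecN/ethN addresses) is
        # left alone...
        run ip route add "$rnet" dev "$dev" table "$TABLE"
        # ...and that table is consulted only for traffic that really is
        # LNET -> RNET, which is what "from LNET to RNET" selects.
        run ip rule add from "$lnet" to "$rnet" lookup "$TABLE" pref "$TABLE"
        ;;
    down-client)
        # Tear down in reverse order so no rule points at a missing route.
        run ip rule del from "$lnet" to "$rnet" lookup "$TABLE" pref "$TABLE"
        run ip route del "$rnet" dev "$dev" table "$TABLE"
        ;;
    *)
        return 0   # prepare-*, route-* and other verbs need nothing here
        ;;
    esac
}

# Stand-alone run with constructed subnets; in a real _updown this would be
#   policy_route "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" "$PLUTO_INTERFACE"
policy_route up-client 192.168.1.0/24 10.9.0.0/16 ipsec0
policy_route down-client 192.168.1.0/24 10.9.0.0/16 ipsec0
```

With DRY_RUN=0 the same commands are executed, which requires root and a kernel with policy routing (CONFIG_IP_MULTIPLE_TABLES) enabled.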