Hello, the setkey manual page says:

    add [-46n] src dst protocol spi [extensions] algorithm ... ;
        Add an SAD entry. add can fail with multiple reasons, including
        when the key length does not match the specified algorithm.
    ...
    extensions take some of the following:
    -m mode  Specify a security protocol mode for use. mode is one of
             following: transport, tunnel or any. The default value is any.

However, by default the security associations end up with mode=transport according to setkey -D. They also end up with mode=transport if I specify "-m any". This is obviously wrong. So I have to specify "-m tunnel" to get tunnel mode to work.

It took me a while to figure this out since I was staring at http://www.netbsd.org/Documentation/network/ipsec/#sample_leaftunnel and just getting "network is unreachable"...

This is with linux 2.6.0 and ipsec-tools 0.2.2-8 from debian.

-- erno

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
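As an added example (not part of erno's message, the ipsec-tools project, or the NetBSD sample it links to), the script below does two things a defender would want after reading this: it emits a setkey(8) configuration for a leaf tunnel in which every SAD entry carries an explicit "-m tunnel", and it provides a small check that reads "setkey -D" output and lists any SA that silently came up in transport mode. All addresses (RFC 5737 documentation ranges), SPIs, and keys are constructed placeholders; the sample "setkey -D" dump is constructed to mirror the output format ipsec-tools prints, and the function names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the original post or from ipsec-tools.
# Addresses, SPIs and keys below are constructed placeholders.

TUN_LOCAL=203.0.113.1       # this gateway's outer address (constructed)
TUN_REMOTE=203.0.113.2      # peer gateway's outer address (constructed)
NET_LOCAL=192.0.2.0/24      # inner network behind this gateway (constructed)
NET_REMOTE=198.51.100.0/24  # inner network behind the peer (constructed)

# emit_tunnel_config prints a setkey(8) script for an ESP tunnel in both
# directions. Each "add" carries an explicit "-m tunnel": as the post
# describes, leaving it out (or writing "-m any") produced mode=transport on
# Linux 2.6.0 / ipsec-tools 0.2.2, and the tunnel policy then matches no SA.
emit_tunnel_config() {
    cat <<EOF
flush;
spdflush;

# SAD: 3des-cbc takes a 192-bit key (48 hex digits) and hmac-sha1 a 160-bit
# key (40 hex digits); setkey rejects the add on a length mismatch.
# Keys here are constructed dummy values.
add $TUN_LOCAL $TUN_REMOTE esp 0x10001 -m tunnel
    -E 3des-cbc  0x000102030405060708090a0b0c0d0e0f1011121314151617
    -A hmac-sha1 0x202122232425262728292a2b2c2d2e2f30313233;
add $TUN_REMOTE $TUN_LOCAL esp 0x10002 -m tunnel
    -E 3des-cbc  0x404142434445464748494a4b4c4d4e4f5051525354555657
    -A hmac-sha1 0x606162636465666768696a6b6c6d6e6f70717273;

# SPD: require ESP in tunnel mode between the two inner networks.
spdadd $NET_LOCAL $NET_REMOTE any -P out ipsec
    esp/tunnel/$TUN_LOCAL-$TUN_REMOTE/require;
spdadd $NET_REMOTE $NET_LOCAL any -P in ipsec
    esp/tunnel/$TUN_REMOTE-$TUN_LOCAL/require;
EOF
}

# find_transport_sas reads "setkey -D" output on stdin and prints one line
# "src dst proto spi" for every SA that is in transport mode, so the
# mismatch shows up directly instead of as "network is unreachable" later.
find_transport_sas() {
    awk '
        # SA header lines are unindented: "<src> <dst>"
        /^[^ \t]/ && NF == 2 { src = $1; dst = $2; next }
        # the next indented line names the protocol, mode and SPI
        /mode=transport/ {
            spi = $3; sub(/^spi=/, "", spi); sub(/\(.*$/, "", spi)
            print src, dst, $1, spi
        }
    '
}

# Constructed sample of "setkey -D" output: the first SA was added with
# "-m tunnel", the second without "-m" and so defaulted to transport.
SAMPLE_DUMP='203.0.113.1 203.0.113.2
	esp mode=tunnel spi=65537(0x00010001) reqid=0(0x00000000)
	E: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
	A: hmac-sha1 20212223 24252627 28292a2b 2c2d2e2f 30313233
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
203.0.113.2 203.0.113.1
	esp mode=transport spi=65538(0x00010002) reqid=0(0x00000000)
	E: 3des-cbc  40414243 44454647 48494a4b 4c4d4e4f 50515253 54555657
	A: hmac-sha1 60616263 64656667 68696a6b 6c6d6e6f 70717273
	seq=0x00000000 replay=0 flags=0x00000000 state=mature'

# check_sample runs the check over the constructed dump and prints what it
# finds; on a live box you would pipe "setkey -D" into find_transport_sas.
check_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_transport_sas
}

check_sample
```

Usage: `emit_tunnel_config | setkey -c` loads the configuration, and `setkey -D | find_transport_sas` afterwards should print nothing; any line it does print names an SA whose mode will not satisfy an `esp/tunnel/.../require` policy.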