H. Peter Anvin <hpa@zytor.com> wrote:
>
> The Linux 2.6 ipsec code gets rid of virtual interfaces for IPSec.
> This is clearly The Right Thing for transport mode or AH, but it
> increasingly seems to me that it's The Wrong Thing for tunnel-mode
> ESP.

I'm sorry but you're mistaken. You would've encountered exactly the
same problem under KLIPS.

> I know there is work underway to deal with the netfilter issue, but
> the routing/address selection issue also seems like a problem. How
> should this be dealt with?

This is an issue that the KM (e.g., openswan) should deal with by
adding a route with the appropriate source address.

In fact, openswan already deals with it. What you want to do is set
leftsourceip/rightsourceip. Unfortunately this isn't currently
documented in ipsec.conf.5. If you have a moment please send a patch
to dev@lists.openswan.org and document this feature.

BTW, for issues like this you should also post to
users@lists.openswan.org.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
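As an added illustration (not part of the thread, and not openswan's own documentation), here is a tunnel-mode ipsec.conf connection using the leftsourceip/rightsourceip settings mentioned above; the connection name, gateway addresses and subnets are made-up placeholders.

```ini
# /etc/ipsec.conf fragment (constructed example; all addresses are placeholders).
# On the 2.6 native stack there is no ipsecN virtual interface to own an
# address, so the source address for traffic the gateway itself originates
# into the tunnel must come from the routing table instead.

conn net-to-net
    type=tunnel
    authby=secret          # pre-shared key kept in ipsec.secrets (not shown)
    # Left gateway and the subnet behind it.
    left=203.0.113.1
    leftsubnet=10.1.0.0/16
    # Address this gateway uses as source when it talks into the tunnel.
    # Without it the kernel would pick the public address 203.0.113.1,
    # which lies outside leftsubnet and therefore never matches the
    # tunnel's SPD selector, so the gateway's own packets go out in the
    # clear or are dropped. With leftsourceip set, openswan's updown
    # script installs the route to rightsubnet with this address as src
    # (the "route with the appropriate source address" referred to above).
    leftsourceip=10.1.0.1
    # Right gateway, its subnet, and the matching source address.
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightsourceip=10.2.0.1
    auto=start
```

Once the tunnel is up, `ip route get 10.2.0.5` on the left gateway should report `src 10.1.0.1`; if it still shows the public address, the source-address route was not installed.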