> -----BEGIN PGP SIGNED MESSAGE-----
>
> Has anyone else seen this behaviour? Alexey especially must know...
>
> I am getting the following unexpected behaviour with FreeS/WAN IPSEC
> stopped (userspace keying daemon Pluto not running and interfaces
> unconfigured), but statically linked into the kernel:
>
> Manually issuing the commands:
>
> ipsec tncfg --attach --virtual ipsec0 --physical eth0
> ifconfig ipsec0 <eth0addr> netmask <eth0netmask> broadcast <eth0broadcast>
>
> will automatically add the route to <eth0subnet> via ipsec0 *in
> addition to* the existing route to <eth0subnet> via eth0. The first
> command is the FreeS/WAN IPSEC command to attach a virtual device to a
> physical device. Furthermore, I am not able to delete the extra
> route.
To delete the route use the ip utility from Alexey. First look at the
"real" route table entry using 'ip route' which effectively does an 'ip
route show table 254'.
> Eh? This does not happen under 2.0.xx series kernels. Why does it
> happen under 2.2.xx? This is not wanted, we want to add the routes
> ourselves to likely unrelated destinations.
You should not. The ip utility and friends provide full policy based
routing which is more powerfull than Cisco's IOS. There are many things
now possible within the routing structure that were never possible under
2.0.
> How does the kernel routing table decide to which route to send the
> packet if there are two with the same net/mask specification? Metric?
Really you do need to look at the 'ip route' output and you will see the
difference.
> ...The more I beat my head on this stuff, the more it has
> to go in favour of the ipchains/netfilter model... <shaking head>
That would be preferred. One of the main problems I have with the
FreeS/Wan model is the insistance on controlling the route table which is
an incorrect way of approaching the problem. The Linux 2.1 and higher
kernels have a MUCH broader control mechanism for routing structures
including policy based routing. So I can issue commands to the effect of:
This user on this machine from this ip address on this port will be
encrypted and sent to destination x while the other port from the same
user on the same machine with the same ip address will be transported to
destination y unencrypted.
That is not possible today with FreeS/Wan due to the route manipulations
among other hacks.
> slainte mhath, RGB
> - --
> The first Ottawa Linux Symposium was a huge success! <ottawalinuxsymposium.org>
> This SunRayce was a wet one! DroughtRelief_99? -- <www.sunrayce.com/sunrayce/>
> Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
> <http://www.conscoop.ottawa.on.ca/rgb/> </www.flora.org/afo/>
> Prevent Internet Wiretapping! -- FreeS/WAN:<www.xs4all.nl/~freeswan>
> Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
>
> iQCVAwUBN8IFLd+sBuIhFagtAQG0jgP+NGKjoaEsWk18dx3PSyj+DynDuT7deQRv
> 21En6AQC2rsGsGxqiOM86ozhJssQ3SacCFMJ6j+HN+m1phPHuzQKBXeOFTiePg05
> Z6noidIJxDjtSQvGDFG3bvndlKC0RXf9+FowLffMS+0o1sp1B8iH7hjXFSYsNgLJ
> 1mwMUla2UMY=
> =+lXs
> -----END PGP SIGNATURE-----
ip is available in the IPROUTE2 utility suite. Master site is:
ftp://ftp.inr.ac.ru/ip-routing
Mirrors all over including:
http://www.linuxgrill.com/anonymous/fire/alexey
--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250
Email: mgm@paktronix.com
WWW: http://www.paktronix.com
--------------------------------------------------
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/