On 19.07.2011 at 21:45, Markus Friedl wrote:
> All OpenBSD versions should have this problem as it's due to the way how
> IPsec-flows are encoded in the routing table and I could not find and easy
> fix.
Does this explain why I can't reach A from B and vice versa?
                      Internet
                       +-+-+
                       | D |
                       +-+-+
                         | ::
                         | 0.0.0.0
                       IPsec
                         | fda3:bdf5:7e29::/60
                     --+ | 10.1.3.128/25
                       +-+-+-+
fda3:bdf5:7e29:1::/64 +----+ C +----+ fda3:bdf5:7e29:2::/64
10.1.2/24        |    +-----+    |        10.1.3.128/25
               +-+-+           +-+-+
               | A |           | B |
               +---+           +---+
Traffic from A goes to D (and loops there until timex) instead of to B.
Even CARP heartbeat goes back to default route instead of going out
at its parent interface.
> On Tue, Jul 19, 2011 at 2:28 PM, Pawel Wieleba <[email protected]>
>>> Synopsis: [ipsec routing] IP frame is sent to the wrong IPSEC peer when
> using srcnat, but it should be routed to the network with the most narrow
> netmask.
Axel
---
PGP-Key:29E99DD6 · +49 151 2300 9283 · computing @ chaos claudius