On 20.12.2010 at 17:23, Stuart Henderson wrote:
OpenBSD's IPsec implementation (like most of the earlier implementations) exclusively uses flows rather than route table entries. As they aren't in the routing table at all, you can't redistribute them from there into routing protocols as you'd like to do.
I see.
You could either add a dummy default route (iirc even a blackhole route should be fine e.g. route add -inet6 localhost -blackhole) and announce that into your routing protocols
I tried this, and it really no longer says "no route" (on the router), and shows up on the other endpoint as blocked ip6 traffic:

-------
block in on enc0: p4FF35948.dip.t-dialin.net > foo.bar.blah.net: [| ip6] (ttl 59, id 13963, len 76)
-------

In my pf.conf, I have: "pass in quick on enc0 proto ipencap". Need I allow something like ip6encap? As this is an ip6 in ip4 ipsec tunnel, I thought ipencap would be enough.

There is another basic issue: On my router (at the internal vpn side) I can't ping6 my own ip6 address (neither link local nor global). I guess this will be resolved when I resolve the default route issue?

Axel

---
[email protected]
PGP-Key:29E99DD6
+49 151 2300 9283
computing @ chaos claudius
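The rule set below is an added example and not part of the thread. It reads the logged line the way tcpdump prints it: an IPv4 packet whose payload protocol is IPv6 (protocol 41, named `ipv6` in /etc/protocols), not IP-in-IP (protocol 4, `ipencap`), so a rule that only passes `ipencap` does not match an IPv6-in-IPv4 tunnel. The interface name and gateway addresses are placeholders, and pairing the enc0 rules with `if-bound` states is an assumption about how the tunnel is meant to be used, not something the thread states.

```pf
# Added example (not from the thread). All addresses are placeholders.
ext_if    = "em0"
local_gw  = "192.0.2.1"     # this router's public IPv4 (placeholder)
remote_gw = "198.51.100.1"  # peer's public IPv4 (placeholder)

# IKE and ESP on the outside interface, restricted to the known peer.
pass in on $ext_if proto udp from $remote_gw to $local_gw port { isakmp, ipsec-nat-t }
pass in on $ext_if proto esp from $remote_gw to $local_gw

# Log anything on enc0 that the explicit rules below do not pass, so a
# mismatch like the one in the thread shows up in pflog instead of silently.
block log on enc0

# Decrypted tunnel traffic on enc0. An IPv6-in-IPv4 tunnel delivers packets
# with IP protocol 41 (ipv6); protocol 4 (ipencap) only covers IPv4-in-IPv4.
# Keep both names if the peer carries both, otherwise drop ipencap.
pass in  quick on enc0 proto { ipencap, ipv6 } from $remote_gw to $local_gw keep state (if-bound)
pass out quick on enc0 proto { ipencap, ipv6 } from $local_gw to $remote_gw keep state (if-bound)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; afterwards `tcpdump -n -e -ttt -i pflog0` shows which rule, if any, still blocks the tunnel packets. The blackhole IPv6 default route from the earlier reply is installed with route(8) separately; these rules only cover the pf side of the problem.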
