>
>
> A nit: while there is no reason you shouldn't put all that stuff in the
> %default conn, I would find it more rational to put it into some other
> conn name and use "also=" to get it.
ack.
>
> > I am using left=198.64.133.69 as left, do you mean use eth0 as the
> > interface?
>
> yes, that is what I'm saying.
> Specifying 133.70 as your nexthop isn't going to work because it is
> local. Perhaps if you specified another unused address on that network.
Oops, the nexthop that was causing the problem is 198.64.129.1. I was
trying 133.70 as a last gasp. So you are saying that I can't have a default
route to a different subnet than the IP I want to IPSEC over (apologies if I
am being thick here).
>
> The key is that you need to permit "_updown" to write a proper "route"
> command that will cause packets to travel via the ipsec0 device, rather than
> via the eth0 device, so that IPsec gets a whack at things.
> You could always hack the _updown script (make a copy first) so that it
> always does the right thing.
I did take a look, but must admit I don't understand what is going on with
netmasks/routes to 128.0.0.0 etc..
Mike.
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:13 CEST