Terry Lambert wrote:
> Lars Eggert wrote:
>
>> I don't think we have the same definition of "the IPSec tunnel problem."
>> Mine is "tunnel mode SAs aren't interfaces, and IPsec duplicates
>> encapsulation and firewalling techniques that are (better) handled
>> outside IPsec", see draft-touch-ipsec-vpn.
>>
>> Having or not having a default route won't matter, since you'll have
>> more specific routes that match before the default route would be picked.
>
> As you say, SA's are not interfaces. Try pinging over the link
> from hosts on either side of the tunnel, e.g.:
>
>   10.0.1.15/8 <---> 10.0.1.1/8                  10.0.2.1/8 <----> 10.0.2.11/8
>                     public IP #1 <------------> public IP #2
>
>   Ping #1 <-----------------------------------> works
>   Ping #2 <---------------------------------------------------------> broken
>
> Get rid of the default route, and ping #2 starts working.
That looks like a routing issue on the tunnel endpoint that's independent from IPsec - what's in the routing table?

Lars

--
Lars Eggert <[EMAIL PROTECTED]>           USC Information Sciences Institute
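To make the routing argument in this exchange concrete, here is an added example (not from either poster) that runs a longest-prefix-match lookup over small constructed routing tables built from the addresses in the diagram. The next-hop labels and the /24 tunnel route are assumptions for illustration; the /8 mask comes from the diagram.

```python
import ipaddress

# Constructed table for the left tunnel endpoint (10.0.1.1 side).
# Entries are (prefix, next hop); labels are assumed, not anyone's real config.
ENDPOINT_ROUTES = [
    ("10.0.1.0/24", "direct"),           # local LAN
    ("10.0.2.0/24", "via-tunnel-peer"),  # remote LAN, reached through the tunnel
    ("0.0.0.0/0", "via-isp-gateway"),    # default route
]

# Constructed table for a host configured as 10.0.1.15/8, as in the diagram:
# the /8 mask yields a connected route covering all of 10.0.0.0/8.
HOST_SLASH8_ROUTES = [
    ("10.0.0.0/8", "direct"),
    ("0.0.0.0/0", "via-10.0.1.1"),
]


def lookup(routes, dst):
    """Return the next hop chosen by longest-prefix match, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        # A more specific (longer) prefix always beats a shorter one,
        # so the default route is consulted only when nothing else matches.
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def without_default(routes):
    """Same table with the 0.0.0.0/0 entry removed."""
    return [r for r in routes if r[0] != "0.0.0.0/0"]


if __name__ == "__main__":
    # Endpoint: the tunnel route wins with or without a default route.
    print(lookup(ENDPOINT_ROUTES, "10.0.2.11"))                   # via-tunnel-peer
    print(lookup(without_default(ENDPOINT_ROUTES), "10.0.2.11"))  # via-tunnel-peer
    # Host with a /8 mask: the remote host looks on-link, so the packet is
    # never handed to the tunnel gateway at all.
    print(lookup(HOST_SLASH8_ROUTES, "10.0.2.11"))                # direct
```

The endpoint lookups show why deleting the default route cannot by itself change where 10.0.2.11 is sent when a more specific route exists; the /8 host lookup shows the kind of entry a routing-table dump would reveal.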