Re: linux-ipsec: Notes from _trying_ to install & configure Linux FreeS/WAN...
From: Henry Spencer <henry(at)spsystems.net>
Date: Thu Nov 26 1998 - 23:43:32 EST
No, unfortunately that is not the case. If the default route will do, then okay... but that is essentially never right if the other subnet is using private addresses, as many VPNs will. And an explicit route gets deleted as part of our tunnel setup, and is *not* restored at teardown, so that's a reason why an explicit route might not be present. Another is that the security-conscious may not want to set up a route which could send cleartext packets across the public network, even briefly.

Sure, *sometimes* there will be an existing route which can be copied. But sometimes not; I can't depend on it. And I definitely can't insist that the user always create one.

> > Actually, you can verify this easily enough with a stock tcpdump -- if the

If you invoke ping with "-p feedfacedeadbeef", then it's pretty easy to tell at a glance whether a hex dump is cleartext or not. I've done this for testing.
Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Thu Nov 26 23:59:00 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:08 EDT
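
The check described in the message above, as an added example that is not part of the original post: it parses `tcpdump -x` style hex dumps and reports whether the `ping -p feedfacedeadbeef` fill is visible in the IP payload. Both dumps are constructed samples (made-up addresses and SPI, zeroed checksums), and the 8-byte timestamp ahead of the fill is an assumption about the ping implementation.

```python
import re

FILL = bytes.fromhex("feedfacedeadbeef")  # the pattern passed to ping -p
PROTO = {1: "icmp", 50: "esp"}            # IPv4 protocol numbers

# Constructed samples in tcpdump -x layout; addresses, SPI and the zeroed
# checksums are made up. Assumes an 8-byte timestamp precedes the fill.
CLEAR_DUMP = """\
        0x0000:  4500 0054 0000 4000 4001 0000 0a00 0101
        0x0010:  0a00 0201 0800 0000 1234 0001 365e 2a1c
        0x0020:  0004 a1b2 feed face dead beef feed face
        0x0030:  dead beef feed face dead beef feed face
        0x0040:  dead beef feed face dead beef feed face
        0x0050:  dead beef
"""
ESP_DUMP = """\
        0x0000:  4500 0040 0000 4000 4032 0000 c000 0201
        0x0010:  c633 6401 0000 1001 0000 0007 9f3c 71e2
        0x0020:  5ab0 04d9 e61f 8823 7c4e 19a5 d30b 6f92
        0x0030:  2e87 b4c1 0a5d f36e 91c8 47fa 3d20 b5e6
"""

def dump_to_bytes(dump):
    """Collect the packet bytes from the hex columns of a -x dump."""
    pkt = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}\s*)+)$", line)
        if m:
            pkt += bytes.fromhex("".join(m.group(1).split()))
    return bytes(pkt)

def classify(dump):
    """Return (protocol name, True if the ping fill is readable on the wire)."""
    pkt = dump_to_bytes(dump)
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet dump")
    payload = pkt[(pkt[0] & 0x0F) * 4:]   # skip the IP header (IHL words)
    # Two back-to-back copies match a fill of three or more repetitions,
    # whatever byte offset the fill starts at.
    return PROTO.get(pkt[9], str(pkt[9])), FILL * 2 in payload

if __name__ == "__main__":
    for name, dump in (("clear", CLEAR_DUMP), ("tunnel", ESP_DUMP)):
        proto, visible = classify(dump)
        print(f"{name}: proto={proto} fill_visible={visible}")
```

A packet on the public interface that still shows the fill is travelling in cleartext; one carried as ESP should show no trace of it.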