Hello all,
I am having a puzzlement combining ProxyARP and IPsec. Specificially, I
want to take a single address from a local LAN and extend it via IPsec
to another site.
Unfortunately IPsec tunnels, unlike all other tunnels, don't have
pseudo-devices associated with them. I understand this to be from
desire of uniformity with the other modes of IPsec, but this is one of
many cases where it causes problems.
Specifically, Linux will not ProxyARP for an address unless it has a
route for it, *and* that route either has a DNAT marking or points to a
different interface than the input interface:
net/ipv4/arp.c:
855 } else if (IN_DEV_FORWARD(in_dev)) {
856 if ((rt->rt_flags&RTCF_DNAT) ||
857 (addr_type == RTN_UNICAST &&
rt->u.dst.dev != dev &&
^^^^^^^^^^^^^^^^^^^^
858 (arp_fwd_proxy(in_dev, rt) ||
pneigh_lookup(&arp_tbl, &tip, dev, 0)))) {
However, since IPsec tunnels don't have interfaces associated with it,
the route to the other side of the IPsec tunnel with point to the same
interface (there is, elsewhere, a security policy associated with the
address), and this selection will fail.
Does anyone know of a trick around this issue?
-hpa
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
