So, I'm in the middle of trying to get a freakin' ipsec gateway working, and I've run into an ugly problem.
It *appears* that the functionality of publishing arbitrary ARP responses has been changed and is now shunted through proxy ARP.

Backstory: IPsec can be coerced (with much swearing) into handling things using routing rather than passing everything through the iptables masquerading module. Except, the resulting ip_vtiX interfaces don't use ARP, so the box isn't about to do ARP replies to hosts trying to talk *back* to the VPN clients. In the past I've just slapped some static published entries for the affected IP addresses with the `arp` command, and the box would happily respond to ARP WHO-HAS for 1.2.3.4 or whatever address I wanted.

Setting aside for the moment the fact that `ip neigh` is about as pleasant to work with as a coked-up honey badger, static published entries just *don't appear to result in responses to other querying hosts on the network anymore*, using either mechanism.

Does anyone know a workaround for this mess? ...although I'd really like to know who decided it was for the best that proxy ARP be used as a last-minute sanity check on published ARP entries.

-- 
Sent from an actual computer.
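The "sanity check" the post runs into is the kernel's proxy-ARP path: a published entry (what `arp -s ... pub` created, and what `ip neigh add proxy` creates now) only produces a reply when IP forwarding is on and the route to the published address leaves through a different interface than the one the request arrived on. The script below is an added example, not code from the original post or from any project; it assumes hypothetical interface names (eth0 on the LAN side, ip_vti0 for the IPsec tunnel) and reuses the post's 1.2.3.4 as a placeholder client address. It builds the command sequence as text so it can be reviewed or tested before being run as root, and it can report which of the three preconditions are missing on the host it runs on.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical names:
# LAN interface eth0, VTI interface ip_vti0, VPN client 1.2.3.4.
#
# The kernel answers WHO-HAS for a non-local address only via a proxy
# neighbour entry, and only if forwarding is enabled and the route to the
# address does not point back out the interface the request came in on.
# The entry alone is therefore not enough: route and forwarding are needed.

# Emit, one per line, the commands that publish $3 on LAN interface $1
# with its route pointing through tunnel interface $2.
publish_arp_cmds() {
    lan_if=$1; vti_if=$2; client_ip=$3
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "ip route replace ${client_ip}/32 dev ${vti_if}" \
        "ip neigh add proxy ${client_ip} dev ${lan_if}"
}

# Emit the read-only commands that show whether each precondition holds.
verify_arp_cmds() {
    lan_if=$1; client_ip=$2
    printf '%s\n' \
        "sysctl net.ipv4.ip_forward" \
        "ip route get ${client_ip}" \
        "ip neigh show proxy dev ${lan_if}"
}

# Read the kernel's own state and print how many of the three
# preconditions are missing (0 means the gateway should answer ARP).
# Tools that are absent or unreadable state count as missing.
missing_preconditions() {
    lan_if=$1; vti_if=$2; client_ip=$3; missing=0
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] \
        || missing=$((missing + 1))
    ip route get "$client_ip" 2>/dev/null | grep -q "dev $vti_if" \
        || missing=$((missing + 1))
    ip neigh show proxy dev "$lan_if" 2>/dev/null | grep -q "^$client_ip " \
        || missing=$((missing + 1))
    echo "$missing"
}

# Dry run by default so the script is harmless anywhere; set APPLY=1 and
# run as root to change the gateway, then check with verify_arp_cmds.
if [ "${APPLY:-0}" = 1 ]; then
    publish_arp_cmds eth0 ip_vti0 1.2.3.4 | sh -e
    verify_arp_cmds eth0 1.2.3.4 | sh
else
    publish_arp_cmds eth0 ip_vti0 1.2.3.4 | sed 's/^/would run: /'
    echo "preconditions missing on this host: $(missing_preconditions eth0 ip_vti0 1.2.3.4)"
fi
```

Run it as-is to see what it would do, or with `APPLY=1` as root to apply it. If `missing_preconditions` still reports a non-zero count after applying, the usual culprit is the route: a /32 that resolves out the LAN interface rather than the VTI makes the kernel skip the proxy reply.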
