NetBSD-Bugs archive


Re: kern/50978: Default gateway does not work with IPsec



The following reply was made to PR kern/50978; it has been noted by GNATS.

From: christos%zoulas.com@localhost (Christos Zoulas)
To: gnats-bugs%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost, 
	gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/50978: Default gateway does not work with IPsec
Date: Fri, 18 Mar 2016 09:49:13 -0400

 On Mar 18,  1:30pm, frank%phoenix.owl.de@localhost (frank%phoenix.owl.de@localhost) wrote:
 -- Subject: kern/50978: Default gateway does not work with IPsec
 
 Now that I think about it more, this is probably "by design". Let's
 say that you are with your home machine and you want to create an
 IPSEC tunnel to work. You get assigned an IP address to connect to
 the work VPN. At this point the assumption is that all traffic
 should go through that VPN, because you could run into security
 issues (your machine bridging work with the rest of the internet
 for example). This is also how other VPNs work (routing all traffic
 through the tunnel) as opposed to a split horizon approach, where
 only the traffic destined for the tunnel goes there. This probably has
 to do with the weak vs. strong host model:
 
 https://technet.microsoft.com/en-us/magazine/2007.09.cableguy.aspx
 http://osdir.com/ml/netbsd.devel.network/2005-12/msg00080.html
 
 TL;DR net.inet.ip.checkinterface might do what you want.
 
 christos
 

