Subject: Re: RFC: local address selection
To: Tom Ivar Helbekkmo <itojun@iijlab.net, tih@eunetnorge.no>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-net
Date: 11/11/2004 16:35:21
<itojun@iijlab.net> wrote:

> >> The latter sounds the most general, so it might be the best way to go.
>       in IPv4 code, rt_ifa is used for selecting source address for a
>       particular routing entry.  route -ifa should be sufficient.

For some reason I don't understand yet, it does not work on my setup.

LOCAL_ADDR: local address
REMOTE_ADDR: VPN gateway address
DEFAULT_GW: default gateway
INTERNAL_ADDR: the private internal address we should use when sending
any data in the IPsec tunnel

After phase1 SA has gone up, I do this:
 
ifconfig lo0 alias ${INTERNAL_ADDR}
route delete default
route add ${REMOTE_ADDR} ${DEFAULT_GW} -ifa ${LOCAL_ADDR}
route add default ${DEFAULT_GW} -ifa ${INTERNAL_ADDR}
echo "spdadd ${INTERNAL_ADDR}/32 0.0.0.0/0 any \
      -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
      spdadd 0.0.0.0/0 ${INTERNAL_ADDR}/32 any \
      -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

I have a printf in ip_output that shows me the source address of
packets. ping produces packets that come from ${INTERNAL_ADDR}, but
telnet produces packets that come from ${LOCAL_ADDR}, and thus they
don't go into the IPsec tunnel and get dropped by the IPsec SPD.

Conclusion: -ifa doesn't really work here. Because -ifa is not
documented, I don't know if -ifa is buggy and should be fixed, or if -ifa
is not intended for that use. So where should I look now?

-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who don't.
manu@netbsd.org
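A userland way to see which source address the kernel picks for a given destination, and whether that address is covered by the outbound SPD selector from the post (${INTERNAL_ADDR}/32 -> 0.0.0.0/0), so the mismatch can be checked per destination without a printf in ip_output. This is an added example, not code from the thread; it assumes that a connect() on an unbound UDP socket goes through the same in_pcbconnect/in_selectsrc source selection as the TCP path, and the addresses in the sample run are constructed placeholders.

```python
import ipaddress
import socket


def chosen_source(dst, port=7):
    """Ask the kernel which local address it would use for dst.

    connect() on a UDP socket sends nothing; it only binds the local side
    via the normal source selection (route's ifa, or the outgoing
    interface address), which getsockname() then reveals.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))
        return s.getsockname()[0]


def matches_spd(src, dst, out_policies):
    """Return True if some outbound SPD selector (src_net, dst_net) covers the pair.

    Mirrors the selector part of an `spdadd SRC DST any -P out ...` entry;
    a packet whose source falls outside every selector gets no tunnel policy
    and is dropped when the SPD requires one.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
               for src_net, dst_net in out_policies)


def check_destination(dst, internal_addr):
    """Report (chosen source, covered by the tunnel policy?) for dst."""
    out_policies = [(f"{internal_addr}/32", "0.0.0.0/0")]  # the post's single `-P out` entry
    src = chosen_source(dst)
    return src, matches_spd(src, dst, out_policies)


if __name__ == "__main__":
    # Constructed sample addresses; replace with the real INTERNAL_ADDR and a
    # destination behind the VPN gateway.
    internal_addr = "10.0.0.5"
    for dst in ("192.0.2.10", "127.0.0.1"):
        src, ok = check_destination(dst, internal_addr)
        print(f"{dst}: source {src} {'covered by' if ok else 'NOT covered by'} the SPD")
```

Run it once per destination that telnet fails to reach; a source other than INTERNAL_ADDR with "NOT covered" reproduces the drop described above at the socket layer.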