showing esp tunnels in routing table
Sam Leffler
sam at errno.com
Wed Sep 6 08:56:57 PDT 2006
Eric W. Bates wrote:
>
> Phil Regnauld wrote:
>> Eric W. Bates (ericx_lists) writes:
>>> When you establish an esp tunnel, the subnets on the remote end of the
>>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>>> xxx.xxx.xxx.xxx'
>>>
>>> Is there a way to display those routes other than using setkey to dump
>>> the SPDs?
>> No, because there are no routes. The IPSec layer "hijacks" the packets
>> and they are encapsulated before the routing table gets a chance
>> to see them.
>>
>> You would have to set up transport ESP + gif/gre tunnels to see routing
>> entries.
>
> Apparently, openbsd's implementation of netstat allows one to view ESP
> 'flows' (I believe that is how they refer to them) by examining the
> family 'encap'
>
> netstat -rnf encap
>
> We have no such equivalent?
openbsd integrated the SAD w/ the routing table; something I've wanted
to do forever.
Sam
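Since FreeBSD of this era has no equivalent of OpenBSD's `netstat -rnf encap`, the practical answer to the original question is to dump the SPD and present it the way a routing table would look. The script below is an added example written for this page; it is not part of the thread, of FreeBSD or of the KAME tools. It assumes the `setkey -DP` output layout of KAME setkey (a policy header line `src[port] dst[port] proto`, then `in|out ipsec|discard|none|bypass`, one `proto/mode/outer-src-outer-dst/level` line per request, then `spid=`), and the sample dump is constructed with documentation addresses.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of what `setkey -DP` prints on a FreeBSD/KAME host
# (layout assumed from KAME setkey; addresses are documentation ranges).
SAMPLE_SPD = """\
10.0.1.0/24[any] 10.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-198.51.100.1/require
\tspid=1 seq=1 pid=1234
\trefcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-192.0.2.1/require
\tspid=2 seq=0 pid=1234
\trefcnt=1
192.0.2.1[any] 198.51.100.1[any] 47
\tout ipsec
\tesp/transport//require
\tspid=3 seq=2 pid=1234
\trefcnt=1
10.0.1.0/24[any] 203.0.113.0/24[any] any
\tout discard
\tspid=4 seq=3 pid=1234
\trefcnt=1
"""

HEAD = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
DIRECTION = re.compile(r"^\s+(in|out|fwd) (ipsec|discard|none|bypass)$")
REQUEST = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\S+)$")
SPID = re.compile(r"^\s+spid=(\d+)\b")


@dataclass
class SpdEntry:
    src: str
    dst: str
    upper: str                     # upper-layer selector: "any", "47", ...
    direction: str = ""
    action: str = ""
    spid: int = -1
    # one tuple per ipsec request: (proto, mode, outer_src, outer_dst, level)
    requests: List[tuple] = field(default_factory=list)

    @property
    def tunnel(self) -> Optional[tuple]:
        """First tunnel-mode request, if the policy encapsulates at all."""
        for r in self.requests:
            if r[1] == "tunnel":
                return r
        return None

    @property
    def peer(self) -> Optional[str]:
        """Remote tunnel endpoint: outer dst for out, outer src for in."""
        t = self.tunnel
        if t is None:
            return None
        outer_src, outer_dst = t[2], t[3]
        return outer_src if self.direction == "in" else outer_dst


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse `setkey -DP` text into SpdEntry records, one per policy."""
    entries: List[SpdEntry] = []
    cur: Optional[SpdEntry] = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:                      # unindented header starts a new policy
            cur = SpdEntry(src=m.group(1), dst=m.group(3), upper=m.group(5))
            entries.append(cur)
            continue
        if cur is None:            # ignore anything before the first policy
            continue
        m = DIRECTION.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = REQUEST.match(line)
        if m:                      # transport mode prints an empty address pair
            proto, mode, addrs, level = m.groups()
            outer_src, _, outer_dst = addrs.partition("-")
            cur.requests.append((proto, mode, outer_src, outer_dst, level))
            continue
        m = SPID.match(line)
        if m:
            cur.spid = int(m.group(1))
    return entries


def tunnel_routes(entries: List[SpdEntry]) -> List[SpdEntry]:
    """Outbound policies that push traffic through an ESP/AH tunnel: the
    closest thing the SPD has to a 'route' to a remote subnet."""
    return [e for e in entries
            if e.direction == "out" and e.action == "ipsec" and e.tunnel is not None]


def format_routes(entries: List[SpdEntry]) -> str:
    """Render entries netstat -nr style. This is policy, not the FIB."""
    rows = [f"{'Destination':<18} {'Peer':<16} {'Dir':<4} {'Mode':<10} {'Action':<8} spid"]
    for e in entries:
        mode = e.requests[0][1] if e.requests else "-"
        rows.append(f"{e.dst:<18} {e.peer or '-':<16} {e.direction:<4} "
                    f"{mode:<10} {e.action:<8} {e.spid}")
    return "\n".join(rows)


if __name__ == "__main__":
    # usage: setkey -DP | python3 spdroutes.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SPD
    print(format_routes(parse_spd(text)))
```

Two caveats that the listing cannot hide: an SPD entry says what must happen to a matching packet, not that the matching SA exists (that is `setkey -D`), and the kernel still needs an ordinary FIB route to the peer address for the encapsulated packet to leave the box. A policy whose peer is unreachable shows up here exactly like a working one.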