We need to remember which IP addresses do not support OE, or else we would try those addresses indefinitely. Of course, they also have to be timed out, because otherwise we would end up with a very big list of IP addresses to remember. The following table lists the OE state information we have to keep for all these IP addresses or networks.

| | Description |
|---|---|
| | Packets going to these network ranges need to be trapped and checked for possible OE IPsec processing. |
| | Packets going to these network ranges already have an IPsec tunnel established. |
| | Packets going to these network ranges should be sent in the clear without attempting OE. |
| | Packets going to these network ranges need to wait. OE is being attempted currently, or OE has been misconfigured. |

These states, with the exception of `trap`, are the same states used for regular IPsec tunnels. State information can be seen with the `ipsec eroute` command. `pass` eroutes are expired after a certain time, so...
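
The state handling described above can be modelled in a few lines. This is an added sketch, not code from the IPsec implementation the page describes. It assumes a catch-all `trap` entry, most-specific-match lookup, a 60-second `pass_ttl`, and the labels `tunnel` and `hold` for the two table rows the text does not name; the addresses are constructed.

```python
import ipaddress

# "trap" and "pass" are named in the text; "tunnel" and "hold" are labels
# assumed here for the other two rows of the table.
TRAP, TUNNEL, PASS, HOLD = "trap", "tunnel", "pass", "hold"
ACTION = {TUNNEL: "encrypt", PASS: "clear", HOLD: "wait"}

class OEStateTable:
    """Toy model of per-network OE state with expiring pass entries."""

    def __init__(self, pass_ttl=60.0):
        self.pass_ttl = pass_ttl   # assumed lifetime of a pass entry, seconds
        self.entries = {}          # network -> (state, expiry time or None)

    def set_state(self, net, state, now):
        expires = now + self.pass_ttl if state == PASS else None
        self.entries[ipaddress.ip_network(net)] = (state, expires)

    def expire(self, now):
        """Drop timed-out pass entries so the table cannot grow without bound."""
        dead = [n for n, (_, exp) in self.entries.items()
                if exp is not None and exp <= now]
        for net in dead:
            del self.entries[net]
        return len(dead)

    def lookup(self, dst, now):
        """State of the most specific network containing dst (assumed rule)."""
        self.expire(now)
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.entries if addr in n]
        if not matches:
            return None
        return self.entries[max(matches, key=lambda n: n.prefixlen)][0]

    def on_packet(self, dst, now):
        """Return what happens to an outgoing packet to dst."""
        state = self.lookup(dst, now)
        if state == TRAP:
            # First packet: park the destination while OE is attempted.
            self.set_state(dst + "/32", HOLD, now)
            return "start-oe"
        return ACTION.get(state, "clear")  # no matching entry: sent in the clear

    def finish(self, dst, peer_supports_oe, now):
        """Record the outcome of an OE attempt for dst."""
        self.set_state(dst + "/32", TUNNEL if peer_supports_oe else PASS, now)
```

In this model a peer without OE support costs one attempt per `pass_ttl` window, and the table never holds more `pass` entries than the destinations contacted within that window.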