CIDR, ipsec flows and routing
Folks,
I am not sure if this is a bug report, a feature request or a call for
help, but here goes...
Basically I am having a routing problem and I am not sure what the answer
is.
Here is my network situation
Work (Dual ether OpenBSD 2.6 beta)
Using 10.0.0.0/16 (currently only 10.1-5 are in use)
External net is a.b.c.d/24
At home (Dual ether OpenBSD 2.6 beta)
Using 10.128.1.0/24
External net is p.q.r.s/29
Other nets will be
Using nets 10.128.2.0/24 upwards
and will have their own external nets
What I originally set up was an ipsec flow from my home network to work
with a matrix of flows between
work
10.0.0.0/8 and a.b.c.d/24
home
10.128.1.0/24 and p.q.r.s/29
From what I remember from my CIDR reading, the most specific route should be
the one used where there is a conflict, i.e. if a router has routes for
10.0.0.0/8 and 10.128.1.0/24 then packets for hosts in the 10.128.1.0 net
should take the route specified by the 24-bit subnet.
Although I could have just set up the flows specifying the work network as
10.0.0.0/9 I thought that specifying /8 would be a simple way of allowing
routing between the various remote nets.
As anybody who has actually read this far will have figured, this isn't what
is happening for me. My IPsec host is trying to route packets intended for
the directly connected 10.128.1.x net through the ipsec flows.
netstat -rn shows all of the routes expected.
"route show 10.128.1.1" states that the next hop should be through xl1
which is the correct interface.
So my questions are:
Am I trying to do something really stupid?
Is this a bug or am I misunderstanding how things should work?
Should I just give up on this idea, and try another approach?
Is there a way I could make this work?
Thanks in advance
Peter
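The following is an added example, not part of Peter's post or of OpenBSD. It implements the "most specific prefix wins" rule he describes and runs it over the prefixes from the post (work as 10.0.0.0/8 or as the 10.0.0.0/9 alternative, home 10.128.1.0/24, and a future remote net at 10.128.2.0/24), so you can see which destinations land on the direct interface, which go into the tunnel, and what changes when /8 is narrowed to /9. The next-hop labels are placeholders chosen for the example, and the `overlapping_prefixes` check is a hypothetical helper for spotting the overlapping entries whose outcome depends on that rule.

```python
"""Longest-prefix match over an overlapping set of prefixes (added example).

The prefixes are taken from the post; the next-hop names are placeholders,
not real OpenBSD configuration.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix in CIDR notation, next-hop label)

# Constructed tables: work advertised as /8 (the original setup) and as the
# /9 alternative mentioned in the post. Home is the directly connected /24.
WORK_SLASH8: List[Route] = [
    ("10.0.0.0/8", "ipsec flow to work"),
    ("10.128.1.0/24", "xl1 (directly connected)"),
]
WORK_SLASH9: List[Route] = [
    ("10.0.0.0/9", "ipsec flow to work"),
    ("10.128.1.0/24", "xl1 (directly connected)"),
]


def longest_prefix_match(routes: List[Route], address: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, next-hop) of the most specific prefix containing address.

    Ties cannot occur for distinct prefixes of equal length that both contain
    the same address, so the longest prefix length alone decides.
    """
    addr = ipaddress.ip_address(address)
    best_net = None
    best_hop = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    if best_net is None:
        return None
    return (str(best_net), best_hop)


def overlapping_prefixes(routes: List[Route]) -> List[Tuple[str, str]]:
    """List pairs (shorter, longer) where one prefix contains the other.

    These are exactly the entries whose behaviour depends on the selection
    rule; a table with no overlaps behaves the same under any rule.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p, _ in routes]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.subnet_of(b):
                pairs.append((str(b), str(a)))
            elif b.subnet_of(a):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    for name, table in (("/8", WORK_SLASH8), ("/9", WORK_SLASH9)):
        print(f"work as {name}: overlaps = {overlapping_prefixes(table)}")
        for dst in ("10.3.0.10", "10.128.1.1", "10.128.2.1"):
            print(f"  {dst:>12} -> {longest_prefix_match(table, dst)}")
```

With work as /8, a home host like 10.128.1.1 selects the /24 and stays on the local interface, while a future remote net such as 10.128.2.1 falls into the /8 and is carried to work, which is the reason the post gives for choosing /8. With work as /9 there is no overlap to resolve at all, but 10.128.2.1 then matches nothing, so reaching the other remote nets through work would need explicit entries for each of them.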