[CentOS] making a route sticky

Aleksandar Milivojevic alex at milivojevic.org
Fri Aug 5 19:16:14 UTC 2005


Quoting Les Mikesell <lesmikesell at gmail.com>:

> On Fri, 2005-08-05 at 11:13, Aleksandar Milivojevic wrote:
>
>> Anyhow, the more I work with native Linux IPSec, the more it seems to me
>> the decision not to assign a virtual interface (like ipsec* or tun*, like
>> some other VPN implementations do) to tunnels was a mistake (maybe the
>> current way looks cleaner to a kernel developer, but the old way was way
>> simpler to manage for a system administrator).
>
> Can you fix this the way it is commonly done in routers?  That is,
> configure a GRE tunnel as the end points to get a real-looking
> interface that you can route over, do multicast, etc., and then
> push the GRE packets through ipsec.  I've wondered if this would
> work between a Linux box and a Cisco router but never had time to
> test it.  (I have done GRE tunnels and multicast, just not the
> ipsec part).

Well, I did some preliminary testing, and basically it seems to be working
between two CentOS boxes.  For testing, I've created a GRE tunnel between two
boxes, and then configured IPSec in transport mode between their external
interfaces.  Then I pinged from one to the other using the addresses of the
local tunnel interfaces.  Ping worked, and tcpdump showed ESP packets happily
flying around.

Now, this works between two CentOS boxes (kernel 2.6.9-11.EL).  If the same
thing works between two Cisco routers, and GRE and IPSec on their own work
between Cisco and Linux, I'd say there's a good chance that GRE+IPSec will
work too.
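The tcpdump observation above is the check that matters: if the transport-mode policy between the external addresses does not match the GRE traffic, the tunnel still carries pings, but as cleartext GRE (IP protocol 47) instead of ESP. The script below is an added example, not part of the original post or of any CentOS tooling; it parses constructed `tcpdump -n` output for the external interface (RFC 5737 documentation addresses, with one deliberately injected cleartext GRE line) and reports whether every packet between the two peers was ESP in both directions.

```python
"""Verify, from a tcpdump capture of the external interface, that GRE traffic
between two IPsec peers only ever appears as ESP, never as cleartext GRE."""
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth0 host 192.0.2.2` output (not a real
# capture). The fourth line is an injected leak: a GRE packet that the
# transport-mode policy did not catch, so it left the box unencrypted.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x00001000,seq=0x1), length 116
12:00:01.000500 IP 192.0.2.2 > 192.0.2.1: ESP(spi=0x00002000,seq=0x1), length 116
12:00:02.000001 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x00001000,seq=0x2), length 116
12:00:03.000001 IP 192.0.2.1 > 192.0.2.2: GREv0, length 88: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 3, length 64
12:00:03.000400 IP 192.0.2.2 > 192.0.2.1: ESP(spi=0x00002000,seq=0x3), length 116
"""

# Outer IP header as tcpdump prints it: timestamp, "IP src > dst: PROTO ...".
# Only the outer protocol matters here; the inner (GRE-encapsulated) packet
# is irrelevant because it should never be visible on the wire at all.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>ESP|GREv0|ICMP)\b"
)


def classify(capture):
    """Count packets per (src, dst, outer protocol) tuple."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m["src"], m["dst"], m["proto"])] += 1
    return counts


def cleartext_gre(capture, peer_a, peer_b):
    """Return the capture lines where GRE between the peers was not wrapped in ESP."""
    peers = {peer_a, peer_b}
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m["proto"] == "GREv0" and {m["src"], m["dst"]} == peers:
            leaks.append(line)
    return leaks


def tunnel_is_protected(capture, peer_a, peer_b):
    """True only if ESP was seen in both directions and no GRE leaked in the clear.

    Requiring both directions catches the common one-sided mistake where only
    one endpoint's outbound policy is installed."""
    counts = classify(capture)
    esp_ab = counts[(peer_a, peer_b, "ESP")]
    esp_ba = counts[(peer_b, peer_a, "ESP")]
    return esp_ab > 0 and esp_ba > 0 and not cleartext_gre(capture, peer_a, peer_b)


if __name__ == "__main__":
    a, b = "192.0.2.1", "192.0.2.2"
    for key, n in sorted(classify(SAMPLE_CAPTURE).items()):
        print(f"{key[0]:>12} -> {key[1]:<12} {key[2]:<6} {n}")
    for leak in cleartext_gre(SAMPLE_CAPTURE, a, b):
        print("CLEARTEXT GRE:", leak)
    print("protected:", tunnel_is_protected(SAMPLE_CAPTURE, a, b))
```

To run this against a live box, replace `SAMPLE_CAPTURE` with the output of `tcpdump -n -i <external-if> host <peer>` taken while pinging across the tunnel; a healthy setup shows only ESP between the two external addresses.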
