[CentOS] Openswan 2.4.6rc5 under CentOS 4.3
Aleksandar Milivojevic
alex at milivojevic.org
Thu Aug 17 11:39:24 UTC 2006
Bas Rijniersce wrote:
> Not having an ipsec interface caused me quite a bit of trouble before. So I
> really want KLIPS.
Well, yes, the routing can get a bit non-intuitive and a bit harder to
figure out when using native IPSec...
If the other side supports GRE, you can configure the tunnel using GRE,
then place it into IPSec. Not an ideal solution, but that way you'll get
virtual interfaces and conventional routing if you really want/need the
tunnel to have its own virtual interface. You'd create a GRE tunnel between A
and B (external addresses of your VPN endpoints), create an IPSec policy
that traffic between A and B has to be encrypted (the "place GRE tunnel
into IPSec" part), then simply route traffic into the GRE interfaces. I've
used it, it works.
If you go with GRE+IPSec, and you also have a firewall on the VPN endpoint,
you'd want to use IPSec in tunnel mode. Otherwise transport mode will
suffice.
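
The GRE-inside-IPSec setup described in this message, as an added example that is not part of the original post: a dry-run script that prints the `ip` commands for endpoint A and an Openswan `conn` stanza restricted to GRE. The addresses, interface name, MTU, conn name and the pre-shared-key choice (`authby=secret`) are all assumptions.

```shell
#!/bin/sh
# Constructed values: A and B are documentation addresses; the inner /30 and
# the remote LAN are hypothetical. Default is a dry run that only prints.
A=192.0.2.1                # external address of this VPN endpoint
B=198.51.100.1             # external address of the peer
GRE_IF=gre1                # the virtual interface the tunnel provides
INNER_LOCAL=10.255.0.1/30  # address on the GRE interface (assumed)
REMOTE_LAN=192.168.20.0/24 # network behind the peer (assumed)
DRY_RUN=${DRY_RUN:-1}      # 1 = print commands, 0 = execute them as root

run() {  # echo the command; execute it only when DRY_RUN=0
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# GRE tunnel between A and B, then conventional routing into it.
gre_setup() {
    run ip tunnel add "$GRE_IF" mode gre local "$A" remote "$B" ttl 64
    run ip addr add "$INNER_LOCAL" dev "$GRE_IF"
    run ip link set "$GRE_IF" up mtu 1400  # assumed MTU, leaves room for GRE+ESP
    run ip route add "$REMOTE_LAN" dev "$GRE_IF"
}

# Openswan conn for ipsec.conf: protect only GRE (IP protocol 47) between A and B.
# $1 is transport or tunnel (tunnel when the endpoint also runs a firewall).
# authby=secret assumes a pre-shared key for A and B in ipsec.secrets.
ipsec_conn() {
    case "$1" in
        transport|tunnel) ;;
        *) echo "mode must be transport or tunnel" >&2; return 1 ;;
    esac
    cat <<EOF
conn gre-a-b
    type=$1
    left=$A
    leftprotoport=gre
    right=$B
    rightprotoport=gre
    authby=secret
    auto=start
EOF
}

gre_setup
ipsec_conn "${MODE:-transport}"
```

The peer needs the mirror image: A and B swapped in the `ip` commands, its own inner address, and a route to the network behind A.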