On Fri, 2005-08-05 at 14:16, Aleksandar Milivojevic wrote:
Can you fix this the way it is commonly done in routers? That is, configure a GRE tunnel as the end points to get a real-looking interface that you can route over, do multicast, etc., and then push the GRE packets through ipsec. I've wondered if this would work between a Linux box and a Cisco router but never had time to test it. (I have done GRE tunnels and multicast, just not the ipsec part).
Well, I did some preliminary testing, and basically it seems to be working between two CentOS boxes. For testing, I've created a GRE tunnel between two boxes, and then configured IPSec in transport mode between their external interfaces. Then I pinged from one to another using addresses of local interfaces. Ping worked, and tcpdump showed ESP packets happily flying around.
Now, this works between two CentOS boxes (kernel 2.6.9-11.EL). If the same thing works between two Cisco routers, and GRE and IPSec on their own work between Cisco and Linux, I'd say there's a good chance that GRE+IPSec will work too.
This should give you an interface that looks real enough to run zebra with RIP or OSPF, and at least in theory it should work the same with a Cisco at the other end.
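The GRE-over-transport-mode-IPsec setup described in the thread, as an added example that is not code from the thread: a sh script for one of the two Linux boxes using iproute2 and the ipsec-tools setkey. The addresses, the gre1 interface name and eth0 are constructed placeholders, and SA establishment (racoon, or manual setkey add lines) is assumed to be handled separately.

```shell
#!/bin/sh
# GRE tunnel between two Linux boxes, with transport-mode ESP required
# for the GRE traffic (IP protocol 47) between their external addresses.
# Run on each box with the local/remote values swapped.
# Set DRY_RUN=1 to print the commands and policy instead of applying them.

LOCAL_EXT=${LOCAL_EXT:-192.0.2.1}     # this box's external address (constructed)
REMOTE_EXT=${REMOTE_EXT:-192.0.2.2}   # peer's external address (constructed)
TUN_LOCAL=${TUN_LOCAL:-10.0.0.1/30}   # address on the GRE interface (constructed)
TUN_IF=${TUN_IF:-gre1}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# 1. The GRE tunnel: a real interface that zebra/RIP/OSPF can route over.
setup_gre() {
    run ip tunnel add "$TUN_IF" mode gre local "$LOCAL_EXT" remote "$REMOTE_EXT" ttl 64
    run ip addr add "$TUN_LOCAL" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
}

# 2. The SPD: ESP in transport mode is required for GRE in both directions.
# Only protocol 47 is selected, so other traffic between the boxes is not
# affected; "require" means unprotected GRE is dropped rather than sent clear,
# which is why a ping across the tunnel only succeeds once the SAs are up.
ipsec_policy() {
    cat <<EOF
spdflush;
spdadd $LOCAL_EXT $REMOTE_EXT gre -P out ipsec esp/transport//require;
spdadd $REMOTE_EXT $LOCAL_EXT gre -P in ipsec esp/transport//require;
EOF
}

setup_ipsec() {
    if [ -n "$DRY_RUN" ]; then ipsec_policy; else ipsec_policy | setkey -c; fi
}

# 3. Verification: on the external interface you should see ESP to the peer
# and no GRE in the clear while pinging the far end of the tunnel.
verify_cmd() {
    echo "tcpdump -ni eth0 host $REMOTE_EXT and \\( esp or proto gre \\)"
}

# Apply with: sh this_script.sh apply   (or DRY_RUN=1 sh this_script.sh apply)
if [ "${1:-}" = "apply" ]; then
    setup_gre
    setup_ipsec
    verify_cmd
fi
```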