Quoting Les Mikesell <lesmikesell at gmail.com>: > On Fri, 2005-08-05 at 11:13, Aleksandar Milivojevic wrote: > >> Anyhow, the more I work with native Linux IPSec, the more it seems to me >> decision not to assign virtual interface (like ipsec* or tun*, like >> some other >> VPN implementations do) to tunnels was a mistake (maybe current way looks >> cleaner to kernel developer, but the old way was way simpler to manage for >> system administrator). > > Can you fix this the way it is commonly done in routers? That is, > configure a GRE tunnel as the end points to get a real-looking > interface that you can route over, do multicast, etc., and then > push the GRE packets through ipsec. I've wondered if this would > work between a Linux box and a Cisco router but never had time to > test it. (I have done GRE tunnels and multicast, just not the > ipsec part). Well, I did some preliminary testing, and basically it seems to be working between two CentOS boxes. For testing, I've created GRE tunnel between two boxes, and then configured IPSec in transport mode between their external interfaces. Then pinged from one to another using addresses of local interfaces. Ping worked, and tcpdump showed ESP packets happily flying around. Now, this works between two CentOS boxes (kernel 2.6.9-11.EL). If the same thing works between two Cisco routers, and GRE and IPSec on their own work between Cisco and Linux, I'd say there's good chance that GRE+IPSec will work too. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.