[CentOS] Openswan 2.4.6rc5 under CentOS 4.3

Aleksandar Milivojevic alex at milivojevic.org
Thu Aug 17 11:39:24 UTC 2006


Bas Rijniersce wrote:

> Not having an ipsec interface caused me quite a bit of trouble before. So I
> really want KLIPS.

Well, yes, the routing can get a bit non-intuitive and a bit harder to 
figure out when using native IPSec...

If the other side supports GRE, you can configure the tunnel using GRE, 
then place it into IPSec.  Not an ideal solution, but that way you'll get 
virtual interfaces and conventional routing if you really want/need the 
tunnel to have its own virtual interface.  You'd create a GRE tunnel between A 
and B (external addresses of your VPN endpoints), create an IPSec policy 
that traffic between A and B has to be encrypted (the "place GRE tunnel 
into IPSec" part), then simply route traffic into GRE interfaces.  I've 
used it, it works.

If you go with GRE+IPSec, and you also have a firewall on the VPN endpoint, 
you'd want to use IPSec in tunnel mode.  Otherwise transport mode will 
suffice.
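
The GRE-inside-IPsec setup described in the message above, as an added example that is not part of the original post: a shell function that prints (does not apply) the ipsec.conf stanza and iproute2 commands for one endpoint, choosing tunnel or transport mode by the firewall rule given in the post. The addresses, the interface name `gre1`, the conn name `gre-a-b` and pre-shared-key authentication are assumptions.

```shell
#!/bin/sh
# Added example. Addresses, gre1 and gre-a-b are constructed placeholders.

is_ipv4() {
    # Dotted quad only, every octet 0-255.
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# gre_ipsec_plan A B REMOTE_NET FIREWALL(yes|no)
gre_ipsec_plan() {
    local_ip=$1; remote_ip=$2; remote_net=$3; fw=$4
    is_ipv4 "$local_ip" && is_ipv4 "$remote_ip" ||
        { echo "bad endpoint address" >&2; return 2; }
    [ "$local_ip" != "$remote_ip" ] ||
        { echo "endpoints must differ" >&2; return 2; }
    case "$fw" in            # rule from the post: firewall on endpoint => tunnel mode
        yes) mode=tunnel ;;
        no)  mode=transport ;;
        *)   echo "firewall must be yes or no" >&2; return 2 ;;
    esac
    cat <<EOF
# --- /etc/ipsec.conf: protect only GRE (IP protocol 47) between A and B
conn gre-a-b
    left=$local_ip
    right=$remote_ip
    leftprotoport=47
    rightprotoport=47
    type=$mode
    authby=secret
    auto=start
# --- GRE tunnel and routing, run as root on this endpoint
ip tunnel add gre1 mode gre local $local_ip remote $remote_ip ttl 255
ip link set gre1 up
ip route add $remote_net dev gre1
EOF
}

# Constructed sample: endpoint A with a local firewall, remote LAN behind B.
gre_ipsec_plan 192.0.2.10 198.51.100.20 10.20.0.0/24 yes
```

Because the policy selects protocol 47 only, GRE packets that arrive unencrypted on the external interface indicate the policy is not in effect; `authby=secret` also needs a matching entry in `/etc/ipsec.secrets`.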



