From: Ken Bantoft (ken_at_freeswan.ca)
Date: Sun Jan 12 2003 - 22:00:02 CET
On 12 Jan 2003, Fraser Campbell wrote:
> Ken Bantoft <ken_at_freeswan.ca> writes:
>
> > There's probably a few other ways of doing it - find a way to get a single
> > path between the two sites, and then run IPsec over that.
>
> I often wish that Freeswan would handle encryption/authentication and nothing
> else, leaving the user to manually set up any routes that they want ... of
> course that might be counter to the RFCs.
You'd be bypassing the entire idea of IPSec policies :) That being said,
you *can* do what you suggest (which is what I do) using GRE. Use GRE
over an IPSec tunnel between two hosts, and then route whatever you want
over it. I run OSPF/BGP over the GRE tunnel to dynamically route stuff
over my VPN. Handy when I bring a new subnet online, since I don't have
to do any VPN configs. Not the most secure configuration, since a rogue
network that manages to inject a route would get access to more of my
network than I might like, but if that happens I've got bigger issues to
worry about ;)
> Thanks for the info, if I come up with anything that I think people might
> find useful I'll follow up with details.
Much appreciated.
- --
Ken Bantoft The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
PGP Key: finger ken_at_bantoft.org
Dijkstra probably hates me.
-- Linus Torvalds, in kernel/sched.c
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Tue Jan 14 2003 - 05:21:14 CET