> <sarcasm> > > What I great idea. Now I just have to get every host I want to > interoperate with to support a nonstandard configuration. The scary > part is that if I motivate it with "Linux is too stupid to handle > standard tunnel-mode IPsec" I might actually get away with it. > > </sarcasm>
Linux handles tunnel-mode IPsec in the same way that most IPsec vendors did and many still do. For example, Cisco IOS has pages and pages of documentation about how to combine IPsec with GRE in order to support securely running OSPF between sites, precisely because its IPsec didn't offer a virtual interface. However, Cisco (along with Netscreen/Juniper and Fortinet) now additionally support IPsec that uses a virtual interface and so you have a choice of using an interface or not as you see fit. I would be useful if Linux offered the option but code talks and I'm not offering a patch so I'm not in a position to complain about what Linux currently supports. > Really... if saying our configuration is so screwed up that we have to > run a different over-wire protocol isn't an admission of failure I don't If you use ipip the over-wire protocol is identical, see RFC 3884 section 3.1 or you can test it right now using manual keying (remote side uses tunnel mode, your side uses transport + ipip). To use IKE pluto would need to be hacked a bit, though most of the changes could be handled via a updown script. > know what is. I suspect this contributes to the growth in OpenVPN as well. Haven't you heard, SSL based VPNs are the future :-) -- VGER BF report: U 0.947229 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
