[Openswan dev] vrf aware ipsec
Michael Richardson
mcr at sandelman.ottawa.on.ca
Thu Apr 28 17:52:44 CEST 2005
>>>>> "Anish" == Anish Verma <averma at netd.com> writes:

Anish> I was thinking more from implementation perspective.

It certainly can be implemented.

The key is that one doesn't use the SPD, but rather the nfmark to
decide which is which. One has to also use the nfmark to do proper
routing.

At the IKE level, one has to introduce new customized traffic
selectors, something that is already in IKEv2.

Anish> But I think using just ipsec it's not possible to solve the
Anish> problem. One solution can be create two gre interface on both
Anish> security gateways and use each one to create tunnel for one
Anish> vrf clients.

Yes, but that doesn't deal with the fact that there is but one routing
table by default.
- --
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
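The point Michael makes above (selector addresses alone cannot separate two VRFs whose client ranges overlap, so the nfmark has to carry the VRF identity both into policy selection and into routing-table selection) can be seen in a small model. The following is an added example written for this page; it is not Openswan code nor anything posted in the thread. The VRF names, marks, table numbers, address ranges and peer addresses are constructed, and the `red0`/`blue0` ingress interface names and the `ipsec0` egress device are assumed for the rendered Linux commands.

```python
"""Toy model of VRF-aware IPsec policy selection keyed on the packet mark.

Two VRFs ("red" and "blue") use the same overlapping client and remote
ranges, so a lookup on addresses alone cannot tell their packets apart.
Adding the nfmark to the selector makes the lookup unambiguous, and the
same mark picks the per-VRF routing table via an ip rule.
All values below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Vrf:
    name: str
    mark: int      # nfmark carried by every packet of this VRF
    table: int     # routing table dedicated to this VRF
    local: str     # local client range (deliberately identical across VRFs)
    remote: str    # remote client range (also identical across VRFs)
    peer: str      # remote security gateway for this VRF's tunnel


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    mark: Optional[int]   # None = address-only selector (classic SPD)
    peer: str
    vrf: str


# Constructed sample: overlapping address space, distinct peers.
SAMPLE_VRFS = [
    Vrf("red", 1, 101, "10.0.0.0/24", "10.0.1.0/24", "198.51.100.1"),
    Vrf("blue", 2, 102, "10.0.0.0/24", "10.0.1.0/24", "198.51.100.2"),
]


def build_policies(vrfs: List[Vrf], use_mark: bool) -> List[Policy]:
    """Build one outbound policy per VRF, with or without a mark selector."""
    return [
        Policy(v.local, v.remote, v.mark if use_mark else None, v.peer, v.name)
        for v in vrfs
    ]


def lookup(policies: List[Policy], src: str, dst: str, mark: int) -> List[str]:
    """Return the names of all VRFs whose policy matches the packet.

    More than one hit means the selectors are ambiguous; zero hits means
    the packet would not be protected by any of these policies.
    """
    s, d = ip_address(src), ip_address(dst)
    return [
        p.vrf
        for p in policies
        if s in ip_network(p.src)
        and d in ip_network(p.dst)
        and (p.mark is None or p.mark == mark)
    ]


def render_commands(vrfs: List[Vrf]) -> List[str]:
    """Render the Linux commands that realise the mark scheme for each VRF.

    Per VRF: mark ingress traffic, steer marked traffic to its own routing
    table, give that table a route toward the tunnel, and install an xfrm
    policy whose selector includes the mark.  Interface names are assumed.
    """
    cmds = []
    for v in vrfs:
        ingress = f"{v.name}0"   # assumed per-VRF ingress interface
        cmds.append(
            f"iptables -t mangle -A PREROUTING -i {ingress} -j MARK --set-mark {v.mark}"
        )
        cmds.append(f"ip rule add fwmark {v.mark} lookup {v.table}")
        # assumed KLIPS-style ipsec0 device as the tunnel egress
        cmds.append(f"ip route add {v.remote} dev ipsec0 table {v.table}")
        cmds.append(
            f"ip xfrm policy add src {v.local} dst {v.remote} dir out "
            f"mark {v.mark} tmpl dst {v.peer} proto esp mode tunnel"
        )
    return cmds


if __name__ == "__main__":
    classic = build_policies(SAMPLE_VRFS, use_mark=False)
    marked = build_policies(SAMPLE_VRFS, use_mark=True)
    pkt = ("10.0.0.5", "10.0.1.9")
    print("address-only lookup:", lookup(classic, *pkt, mark=2))  # ambiguous
    print("marked lookup:      ", lookup(marked, *pkt, mark=2))   # blue only
    for line in render_commands(SAMPLE_VRFS):
        print(line)
```

Running the script shows the address-only lookup returning both VRFs for the same packet, while the marked lookup returns exactly one. The rendered `ip rule ... fwmark` lines are what gives each VRF its own routing table, which is the part the GRE-interface approach on its own does not provide.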