[Openswan Users] ipsec & multicast over gre
Michael Jurney
mikej at datasynapse.com
Tue Oct 4 17:16:17 CEST 2005
Michael Jurney wrote:
> Paul Wouters wrote:
>
>>
>> Yup. Ken did a talk about enterprise VPN's at Linux Kongress in 2003:
>>
>> http://www.xelerance.com/talks/lk2003/
>
> Thank you for the pointer. There's one thing I'm not sure of,
> though: Am I setting up a tunnel between the inside and outside
> interfaces of each gateway, between the inside interfaces of both
> gateways, or between the outside interfaces of both gateways?
>
> Given:
> openswan1
>                   ----------------------
> {172.16.32.0/24}--| (eth1) 172.16.32.1 |
>                   |  10.1.1.100 (eth0) |--+
>                   ----------------------  |
>                                           |
>                                 {untrusted network}
> openswan2                                 |
>                   ---------------------   |
>                   | 10.2.2.100 (eth0) |---+
> {172.16.8.0/24}---| (eth1) 172.16.8.1 |
>                   ---------------------
>
> I want broadcast traffic from 172.16.32.0/24 entering eth1 on
> openswan1 to emit from eth1 on openswan2 onto the segment for
> 172.16.8.0/24 (and vice-versa).
With off-list assistance, I've worked out the proper IPsec/GRE
configuration, and I'm now moving traffic through GRE-then-IPsec between
the 172.16.32.0/24 and 172.16.8.0/24 networks. Broadcast packets
originating on one, however, are not being retransmitted. I'm back to
wondering whether iptables DNAT is what's required for this to work.
Should I take broadcast packets arriving in the PREROUTING chain from
eth1 and DNAT them to the broadcast address of the other network?
--
Michael D. Jurney
Sysadmin, DataSynapse
mikej at datasynapse.com
p: 212.842.8860
View the DataSynapse email disclaimer here:
<http://www.datasynapse.com/legal/emailprivacy.jsp>