[Openswan Users] Success with broadcast through GRE

Michael Jurney mikej at datasynapse.com
Fri Oct 7 14:55:29 CEST 2005


Christopher Malott wrote:

> Just a question from somebody who doesn't spend much time working with 
> this....but....
>
> Why couldn't you establish a GRE over IPSEC tunnel, instead of IPSEC 
> over GRE? Then just modify the Openswan Up/Down scripts to establish 
> the tunnel automatically when you bring the SA up? Then you wouldn't 
> have to worry about the unencrypted traffic shooting around until 
> somebody noticed the IPSEC link was dead.....
>
> This was noted a few years ago in the FreeS/Wan days by Ken Bantoft. 
> Here is a link to the original thread.
>
> http://www2.frell.ambush.de/archives/freeswan-users/6297.html
>
> Maybe I'm missing something?


It's easier to think about the GRE tunnel being the transit method, and 
the encryption being an overlay between the gateways.  Remember that I 
had to do GRE in the first place because I need to be able to let 
machines on one subnet send to the broadcast address of the other network, 
which a pure ipsec tunnel won't allow.  I initially tried doing 
something like having an ipsec tunnel connecting the two subnets, then a 
gre tunnel connecting the internal interface and the ipsec interface, 
but I wasn't able to get broadcast traffic through the remote gateway.  
It just seemed overly complicated for what I wanted.  This way is much 
cleaner:

GRE tunnel moves traffic between subnets, with or without openswan.
Openswan encrypts traffic between gateways, with or without GRE.

-- 
Michael D. Jurney
Sysadmin, DataSynapse
mikej at datasynapse.com
p: 212.842.8860

View the DataSynapse email disclaimer here:
<http://www.datasynapse.com/legal/emailprivacy.jsp>
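The layering Michael describes (GRE carries the traffic between the subnets, Openswan in transport mode encrypts the GRE packets between the two gateways), written out as an added example. This is not configuration from the original post or from the Openswan project; the addresses (198.51.100.1 and 203.0.113.2 for the gateways, 192.168.1.0/24 and 192.168.2.0/24 for the LANs, 10.255.0.1/30 on the tunnel) and the interface name gre1 are assumptions chosen for illustration. The last function addresses Christopher's concern from the quoted reply: with the xfrm/NETKEY stack, an iptables policy match can drop GRE that would otherwise leave in the clear while the SA is down.

```shell
#!/bin/sh
# Added example, not the poster's or Openswan's own config.
# Layout assumed for illustration:
#   LAN A 192.168.1.0/24 -- GW A 198.51.100.1 ==== GW B 203.0.113.2 -- LAN B 192.168.2.0/24
# Run the printed commands on gateway A; swap the arguments for gateway B.

# iproute2 commands that build the GRE transit tunnel on one gateway.
# $1 local public IP, $2 remote public IP, $3 tunnel /30 address,
# $4 remote LAN prefix to route across the tunnel.
gre_setup_cmds() {
    local_ip=$1; remote_ip=$2; tun_addr=$3; remote_lan=$4
    cat <<EOF
ip tunnel add gre1 mode gre local $local_ip remote $remote_ip ttl 255
ip link set gre1 up
ip addr add $tun_addr dev gre1
ip route add $remote_lan dev gre1
EOF
}

# ipsec.conf conn stanza: transport mode between the gateways, limited to
# IP protocol 47 (GRE), so the IPsec policy covers exactly what the tunnel
# emits and nothing else. The PSK goes in ipsec.secrets (not shown).
# $1 local public IP, $2 remote public IP.
ipsec_conn_stanza() {
    local_ip=$1; remote_ip=$2
    cat <<EOF
conn gre-transport
    type=transport
    left=$local_ip
    right=$remote_ip
    leftprotoport=47
    rightprotoport=47
    authby=secret
    auto=start
EOF
}

# Guard against the failure mode raised in the thread: if the SA is down
# the GRE packets must not leave unencrypted. xt_policy consults the kernel
# SPD, so this requires the NETKEY/xfrm stack (assumption: not KLIPS).
gre_leak_guard_cmds() {
    cat <<EOF
iptables -A OUTPUT -p gre -m policy --dir out --pol none -j DROP
EOF
}

# Checks to run on the gateway: the SPD should list a policy for proto gre,
# and the wire should carry ESP (protocol 50), never bare GRE (protocol 47).
# $1 outside interface name (assumed eth0 by the caller).
verify_cmds() {
    outside_if=$1
    cat <<EOF
ip xfrm policy
tcpdump -ni $outside_if 'ip proto 47'
tcpdump -ni $outside_if 'ip proto 50'
EOF
}

# Print the complete gateway-A side when the script is run directly.
gre_setup_cmds 198.51.100.1 203.0.113.2 10.255.0.1/30 192.168.2.0/24
ipsec_conn_stanza 198.51.100.1 203.0.113.2
gre_leak_guard_cmds
verify_cmds eth0
```

The point of `leftprotoport=47` / `rightprotoport=47` is that Openswan only ever negotiates an SA for GRE between the two public addresses; everything about which subnets talk to each other, including the directed broadcast, stays in the GRE routing and never has to be expressed in ipsec.conf. If the first tcpdump ever shows protocol 47 on the outside interface, the SA is down and the leak guard is either missing or not matching.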
