[Openswan Users] Broadcasts from roadwarrior

Brian Candler B.Candler at pobox.com
Sun Apr 9 08:53:59 CEST 2006


On Sun, Apr 09, 2006 at 07:47:19AM +0100, Brian Candler wrote:
> AFAIK, IPSEC cannot be used to protect broadcast traffic.

Actually, I forgot an option. If you set up a software bridge at both ends
of the link, and then at both ends add an interface which does etherip
encapsulation (RFC3378) and then protect these encapsulated packets using
IPSEC, the software bridges will forward any ethernet frames (broadcasts and
all).

This is normally used for site-to-site bridging, but you might be able to
get it to work for road warriors.

It's likely to be inefficient, firstly because of MTU/fragmentation issues
(which can't be handled using layer 3 path MTU discovery), and secondly
because every single broadcast frame will be forwarded over the WAN -
including ARP and DHCP. But perhaps that's what you actually want.

You'd better trust your road warriors though. Giving remote layer 2 access
to your LAN allows all kinds of trickery (such as ARP spoofing).

Regards,

Brian.
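To make the EtherIP (RFC 3378) encapsulation and the MTU arithmetic in Brian's post concrete, the following is an added example in Python, not code from the post or from the Openswan project. The 14-byte Ethernet header, the constructed broadcast ARP frame, and the caller-supplied IPsec overhead figure are assumptions made here.

```python
import struct
from typing import Optional

ETHERIP_VERSION = 3      # RFC 3378 defines only version 3
ETHERIP_PROTO = 97       # IP protocol number assigned to EtherIP
ETHERIP_HDR_LEN = 2      # 4-bit version + 12 reserved bits
IPV4_HDR_LEN = 20        # outer IPv4 header without options
ETH_HDR_LEN = 14         # dst MAC + src MAC + EtherType (assumed, untagged frame)

def etherip_encapsulate(frame: bytes) -> bytes:
    """Prepend the 16-bit EtherIP header (version 3, reserved bits zero) to an Ethernet frame."""
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame

def etherip_decapsulate(payload: bytes) -> Optional[bytes]:
    """Return the inner Ethernet frame, or None if the packet must be dropped.

    A version other than 3 is dropped per RFC 3378; rejecting non-zero
    reserved bits and frames shorter than an Ethernet header is this
    example's stricter policy for a tunnel endpoint facing untrusted peers.
    """
    if len(payload) < ETHERIP_HDR_LEN + ETH_HDR_LEN:
        return None
    (hdr,) = struct.unpack("!H", payload[:ETHERIP_HDR_LEN])
    if (hdr >> 12) != ETHERIP_VERSION or (hdr & 0x0FFF) != 0:
        return None
    return payload[ETHERIP_HDR_LEN:]

def is_broadcast(frame: bytes) -> bool:
    """True if the destination MAC is ff:ff:ff:ff:ff:ff (ARP, DHCP discover, ...)."""
    return frame[:6] == b"\xff" * 6

def tunnel_overhead(esp_overhead: int) -> int:
    """Bytes added to each bridged frame: EtherIP + its IPv4 header + whatever
    ESP adds (outer IP, ESP header/IV, padding, trailer, ICV; cipher-dependent,
    so it is supplied by the caller)."""
    return IPV4_HDR_LEN + ETHERIP_HDR_LEN + esp_overhead

def inner_mtu(outer_mtu: int, esp_overhead: int) -> int:
    """Largest IP packet a bridged host can send without the outer IP packet
    fragmenting. The host sees only an Ethernet link, so no ICMP 'fragmentation
    needed' ever reaches it; the limit has to be configured on the hosts."""
    return outer_mtu - tunnel_overhead(esp_overhead) - ETH_HDR_LEN

# Constructed sample: a broadcast ARP frame (28-byte ARP body zeroed for brevity).
SAMPLE_ARP_FRAME = (b"\xff" * 6 + bytes.fromhex("02000000aa01") + b"\x08\x06" + b"\x00" * 28)
```

With a 1500-byte outer MTU and no IPsec at all, `inner_mtu(1500, 0)` is already 1464, so every bridged host must be told to use an MTU below the usual 1500 or its full-size packets fragment on the WAN.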

