On Thu, 2011-07-21 at 13:05 -0400, Ryan Whelan wrote:
> The issue is that IPSec is protecting a GRE tunnel and if IPSec fails
> for some reason, GRE will be happy to work without it; tunnelling
> everything in the clear. I was just hoping to put some kind of fail-safe
> in place so if IPSec stopped working or failed to start,
> unencrypted traffic wouldn't be transmitted.

You could create a private loopback address on each endpoint, and use those loopback addresses in the encryption policy. The only way the loopback addresses can reach each other is while the IPsec associations are up. Then set up the GRE tunnel with the loopbacks as its endpoints. That way, when the IPsec tunnel is down, GRE will no longer be happy to work without it.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
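The loopback-endpoint layout described in the reply, written out as an added example for one Linux endpoint using iproute2 (this is not from the thread or from any project; the public addresses 198.51.100.1/203.0.113.1, the loopbacks 10.255.255.1/10.255.255.2, the interface name gre1 and the DRY_RUN switch are all assumptions made here). The interesting part is the xfrm policy: with `level required` the kernel drops loopback-to-loopback packets when no SA exists instead of sending them in the clear, which is what makes GRE fail closed.

```shell
#!/bin/sh
# Added example (not from the original thread): fail-closed GRE over IPsec.
# Constructed addresses: public A=198.51.100.1, B=203.0.113.1;
# private loopbacks A=10.255.255.1, B=10.255.255.2.
# Assumes a route (e.g. a default route) already exists toward the remote
# loopback; the tunnel-mode template rewrites the outer header to the
# public addresses. Set DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# configure_endpoint LOCAL_PUBLIC REMOTE_PUBLIC LOCAL_LOOP REMOTE_LOOP
configure_endpoint() {
    local_pub=$1; remote_pub=$2; local_loop=$3; remote_loop=$4

    # 1. A private loopback address that exists only on this host.
    run ip addr add "$local_loop/32" dev lo

    # 2. Encryption policy keyed on the loopbacks. "level required" means
    #    no SA => packet dropped. "level use" would be the fail-open
    #    behaviour the question describes: no SA => sent in the clear.
    run ip xfrm policy add src "$local_loop/32" dst "$remote_loop/32" dir out \
        tmpl src "$local_pub" dst "$remote_pub" proto esp mode tunnel level required
    run ip xfrm policy add src "$remote_loop/32" dst "$local_loop/32" dir in \
        tmpl src "$remote_pub" dst "$local_pub" proto esp mode tunnel level required

    # 3. GRE between the loopbacks, not the public addresses, so the only
    #    path GRE has is the one the policy above controls.
    run ip tunnel add gre1 mode gre local "$local_loop" remote "$remote_loop" ttl 64
    run ip link set gre1 up
}

# Endpoint A would run:
#   configure_endpoint 198.51.100.1 203.0.113.1 10.255.255.1 10.255.255.2
# Endpoint B runs the same with the argument pairs swapped.
```

The SAs themselves (keys, reqid, IKE) are left to whatever keying daemon is already in use; the point here is only that the policy selector and the GRE endpoints refer to the same loopback pair.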