On Thursday 2011-07-21 21:01, Steven Kath wrote:

>On Thu, 2011-07-21 at 13:05 -0400, Ryan Whelan wrote:
>> The issue is that IPSec is protecting a GRE tunnel and if IPSec fails
>> for some reason, GRE will be happy to work without it; tunnelling
>> everything in the clear. I was just hoping to put some kind of fail-safe
>> in place so if IPSec stopped working or failed to start,
>> unencrypted traffic wouldn't be transmitted.
>
>You could create a private loopback address on each endpoint, and use
>those loopback addresses in the encryption policy. The only way the
>loopback addresses can reach each other is while the IPsec associations
>are up. Then set up the GRE tunnel with the loopbacks as its endpoints.
>That way, when the IPsec tunnel is down, GRE will no longer be happy to
>work without it.

What I thought of was the use of veth, such that you have a way to
distinguish between a packet that remained unencrypted, or one that is
yet to possibly get encrypted.