Hello!

> I'm thinking that David definitely has a point about having a usability
> problem, though.  All other kinds of tunnels have endpoint devices
> associated with them, and that would make all these kinds of problems go
> away,

Yes, when you deal with sane practical setups, this approach is the only
reasonable one.

Unfortunately, IPsec is not something totally sane and practical :-); the
"security gateway" case is a small part of it, and the "routing" viewpoint
clashes fatally with other requirements. The net result is that we use an approach
where it is possible to do everything with some effort, rather than an approach
which is simple and intuitive but does not allow you to do many things.

It is possible to simulate a simple life by creating "ipsecX" devices
with xfrm disabled and routing all the tunnels there. That would be handy.

I would just advise renaming one of the dummy devices to "ipsec0"
and routing all the IPsec tunnels there. It is also simple.

As for iptables, I am sorry, it is too flexible to control IPsec. :-)
One day, someone with enough energy and stamina will make a flow cache
to unify all the kinds of policy rules. Until that day, you have to tune
all three policy sets (routing, ipsec and iptables) separately and take
care of the cases when one set has to cheat another. :-)

Alexey
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
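The "rename a dummy device to ipsec0 and route the tunnels there" setup from the message, with the other two policy sets (xfrm and iptables) beside it, as an added example that is not part of the original thread. All addresses, subnet sizes and the reqid are constructed for illustration; the script only prints the commands unless invoked with `apply` on a real gateway.

```shell
#!/bin/sh
# Added example, not part of the original message: stand up a dummy "ipsec0"
# device, route the remote subnet at it, and install the matching xfrm and
# iptables policy, so the three policy sets the message names are visible
# side by side.  All addresses below are constructed for illustration.
# DRY_RUN=1 (the default) prints each command instead of executing it;
# invoke as "sh ipsec0.sh apply" on a gateway to run them for real.

DRY_RUN="${DRY_RUN:-1}"

LOCAL_NET="10.1.0.0/16"    # constructed: subnet behind this gateway
REMOTE_NET="10.2.0.0/16"   # constructed: subnet behind the peer gateway
LOCAL_GW="192.0.2.1"       # constructed: our outer (tunnel endpoint) address
REMOTE_GW="198.51.100.1"   # constructed: peer's outer address
REQID=1                    # ties the policy templates to the SAs IKE installs

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy set 1, routing: rename a dummy device to ipsec0 and send the remote
# subnet there.  The route only has to exist; xfrm re-routes the encapsulated
# packet to REMOTE_GW, so nothing actually leaves through the dummy device.
setup_routing() {
    run modprobe dummy
    run ip link set dummy0 down
    run ip link set dummy0 name ipsec0
    run ip link set ipsec0 up
    run ip route add "$REMOTE_NET" dev ipsec0
}

# Policy set 2, xfrm: tunnel-mode ESP policy for both directions, plus the
# forward direction for decapsulated traffic transiting the gateway.
setup_xfrm() {
    run ip xfrm policy add src "$LOCAL_NET" dst "$REMOTE_NET" dir out \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp reqid "$REQID" mode tunnel
    run ip xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" dir in \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp reqid "$REQID" mode tunnel
    run ip xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" dir fwd \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp reqid "$REQID" mode tunnel
}

# Policy set 3, iptables: it sees ESP and IKE from the peer on INPUT and the
# decapsulated inner packets on FORWARD, so both have to be allowed explicitly;
# this is where one set has to "cheat" another, because the FORWARD rule
# admits inner addresses that never appear on the wire in the clear.
setup_iptables() {
    run iptables -A INPUT -p esp -s "$REMOTE_GW" -j ACCEPT
    run iptables -A INPUT -p udp -s "$REMOTE_GW" --dport 500 -j ACCEPT
    run iptables -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    run iptables -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
}

setup_all() {
    setup_routing
    setup_xfrm
    setup_iptables
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
setup_all
```

Without the `apply` argument the script is a dry run and simply lists the commands for each of the three policy sets, which is a convenient way to review how the routing, xfrm and firewall views of one tunnel line up before touching a gateway.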
