cisco vpn because of ipsec over tcp

Benjamin LaHaise bcrl at kvack.org
Thu Nov 17 16:10:03 UTC 2011


On Wed, Nov 16, 2011 at 12:49:41PM +0000, David Woodhouse wrote:
> We *have* had Cisco's IPSec over TCP working; it's not particularly
> difficult. However, we never really worked out how to make it work
> nicely on Linux; the kernel really *really* wants to eat all TCP packets
> and will give a TCP RST to any connection it doesn't think is open. Any
> mechanism to effectively operate TCP in userspace, which is what we need
> to do, would be very much frowned upon.

Why not use a tun/tap interface set up with a private ip address which the 
vpn application causes to be masqueraded by the host?  That should work and 
be portable across all kernel versions.

		-ben


More information about the devel mailing list