* Stuart Henderson <s...@spacehopper.org> [2010-01-12 17:02:39]:
> Their examples are using route-based VPNs (http://kb.juniper.net/KB4124,
> RFC3884), I'm not sure whether this is entirely possible here with our
> ipsec (policy-based), but you could try setting up tunnels between the
> gif tunnel endpoints i.e. 1.2.3.4 and 72.21.209.225, and a second between
> 1.2.3.4 and 72.21.209.193. These would take the place of the tunnels between
> 192.168.23/24 and 10/24 (traffic between these networks would be routed
> in the usual way, taking the gif interfaces as point-to-point links).

RFC3884 uses transport mode to secure the already encapsulated traffic
whereas I have to use tunnel mode. This is a shame as this method would
work fine on OpenBSD, I remember doing it previously with another network.

Any attempts to negotiate a transport mode SA are refused and when I tried
your suggestion of creating an SA between just the tunnel endpoints, it
was successfully negotiated but the packets just get dropped by the remote
end.

I'll post on Amazon's forums and see if there's any plan to support the
RFC3884 style way of doing this.

Cheers

Matt
