> iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>
> Thus no plaintext packets should leave the VPN endpoint.
That's probably the best solution for now. The problem with the virtual IP approach is that the route has to be changed to the new interface, even when the IP is bound to a dummy interface. And there we currently have the same delete/add race condition we had with the policies.

Regards,
Tobias

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users