Can't understand why ipsec-tools doesn't work with interfaces.
Imagine this network:
totally about 30 networks-----/
all networks are stub
- leased line, but I must encrypt all traffic between router1 and router2.
It's easy when all stub networks talk with remote networks; these are the rules to encrypt on router1:
and the other 29 networks - 60 rules total.
But those networks can't communicate with each other's networks via router1. To resolve this I have to make rules like these:
These rules must be the first rules.
That's 4 additional rules for 2 networks.
For 30 networks it's 2*(29+28+27+...+2) = 868 rules total.
That's pretty dirty...
It would be much better if spdadd rules could handle an interface,
e.g. router1 interface eth0 with 184.108.40.206.
So I would not need to make "-P in none" policies.
I know that I can make it much better by making a GRE tunnel between router1 and router2 and having just 2 rules in the policy:
spdadd 220.127.116.11 18.104.22.168 any -P out ipsec esp/transport//require;
spdadd 22.214.171.124 126.96.36.199 any -P in ipsec esp/transport//require;
And make routing move the packets via the GRE tunnel.
Yeah, it's better.
But on Cisco it's not required: I just configure a crypto map on the interface, so the other interfaces are just excluded from IPsec policy checks.
What do you think about it?
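To make the scaling concrete, here is an added example (not from the original post) that generates both SPD variants in setkey(8) syntax: the per-network approach with the per-pair "none" bypass rules placed first, and the GRE alternative with its two transport-mode rules. The post does not reproduce its 60 encrypt rules, so their shape here (one "out" and one "in" tunnel-mode policy per local stub against 0.0.0.0/0, which is what makes local-to-local traffic hit the encrypt policy and need a bypass) is an assumption, as are the prefixes and the router addresses.

```python
"""setkey(8) SPD generator for the hub-and-stub layout in the post.

Added example, not code from the original post. Prefixes, router addresses
and the exact shape of the encrypt rules are assumptions (the post does not
reproduce its 60 rules); adjust to your topology before loading with
`setkey -f`.
"""
import ipaddress
from itertools import combinations

# Constructed addressing: public endpoints of router1 and router2 (assumed).
ROUTER1 = "192.0.2.1"
ROUTER2 = "198.51.100.1"


def stub_networks(first: str, count: int) -> list[str]:
    """`count` consecutive /24s starting at `first`, standing in for the stubs."""
    base = int(ipaddress.ip_network(first).network_address)
    return [str(ipaddress.ip_network((base + (i << 8), 24))) for i in range(count)]


def bypass_rules(locals_: list[str]) -> list[str]:
    """'none' policies for every local<->local pair, both directions, in and out.

    Four rules per pair, as the post counts.  They go before the encrypt rules:
    a local->local packet enters router1 on one stub interface (inbound check)
    and leaves on another (outbound check), and would otherwise match the broad
    encrypt policy and be dropped for lack of an SA to router2.
    """
    rules = []
    for a, b in combinations(locals_, 2):
        for src, dst in ((a, b), (b, a)):
            rules.append(f"spdadd {src} {dst} any -P out none;")
            rules.append(f"spdadd {src} {dst} any -P in none;")
    return rules


def encrypt_rules(locals_: list[str]) -> list[str]:
    """Two tunnel-mode ESP policies per local stub (assumed shape): everything
    the stub sends or receives is carried inside router1<->router2 ESP."""
    rules = []
    for net in locals_:
        rules.append(
            f"spdadd {net} 0.0.0.0/0 any -P out ipsec esp/tunnel/{ROUTER1}-{ROUTER2}/require;"
        )
        rules.append(
            f"spdadd 0.0.0.0/0 {net} any -P in ipsec esp/tunnel/{ROUTER2}-{ROUTER1}/require;"
        )
    return rules


def per_network_spd(locals_: list[str]) -> list[str]:
    """Full SPD for the per-network approach: bypass pairs first, then encrypt."""
    return bypass_rules(locals_) + encrypt_rules(locals_)


def gre_spd() -> list[str]:
    """The GRE alternative: protect the router-to-router carrier traffic itself
    in transport mode, two rules total.  Routing, not the SPD, then decides
    which packets are sent over the tunnel."""
    return [
        f"spdadd {ROUTER1} {ROUTER2} any -P out ipsec esp/transport//require;",
        f"spdadd {ROUTER2} {ROUTER1} any -P in ipsec esp/transport//require;",
    ]


def rule_counts(n: int) -> dict[str, int]:
    """How the two approaches scale with the number of local stub networks."""
    locals_ = stub_networks("10.10.0.0/24", n)
    return {
        "bypass": len(bypass_rules(locals_)),
        "encrypt": len(encrypt_rules(locals_)),
        "per_network_total": len(per_network_spd(locals_)),
        "gre_total": len(gre_spd()),
    }


if __name__ == "__main__":
    nets = stub_networks("10.10.0.0/24", 30)
    print("\n".join(per_network_spd(nets)[:6]))
    print("...")
    print(rule_counts(30))
    print("\n".join(gre_spd()))
```

Run it with the stub count you actually have; `rule_counts(2)` gives the post's 4 bypass rules for a pair, and the per-network total grows quadratically while the GRE variant stays at two rules regardless of how many stubs sit behind either router.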