Chris Liljenstolpe wrote:
> I have read through the mailing list and the discussions about dynamic
> routing on a firewall being a bad thing, and in that pure role, I agree,
> I don't want my firewall listening to route advertisments from untrusted
> sources. However, this is also a VPN box, and in that role, it would be
> very usefull to have routes advertised through the VPN tunnels. So how
> about Zebra, and then an option to bind it only to certain interfaces?
One problem: route advertisements do not play well with generic IPsec
tunnels. Cisco, for example, recommends that you implement a GRE tunnel
(encrypted and/or authenticated with IPsec) if you need to send eg RIP
or OSPF over the internet.
phil at brutsche dot us