> >> I would like the AnyConnect machine to behave like a gateway for the
> >> IP phones - basically all the traffic from eth1 to go through
> >> cscotun0. In other words, to behave like a Cisco ASA device (which is
> >> a site to site VPN).
> >>
> >> My first thought was that a bridge between cscotun0 and eth1 would
> >> suffice but this falls short - I think because the VPN interface is
> >> tun.
> >>
> >> I know I am expressing poorly what I am looking for, please bear with
> >> me.
> >
> > I'm assuming that the Phone expects to use DHCP to acquire an IP
> > address? If so and if the VPN software you are using is incapable of
> > creating/using a tap device, I see no way to accomplish your goal.
>
> You could try running dhcrelay on your local interface and specify the
> DHCP server from the VPN. By setting the proxy arp flag on the local
> interface (echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp), you might
> be able to get the phone to work (if the phone doesn't depend on
> broadcast for anything except DHCP).

Wow, thanks! That is a nice thing to know. The phone needs DHCP indeed
and AnyConnect is just tun (and, what's more seems to use its own SSL
brew).

Regards,
a.
