I'm using the following network device configuration on the outside interfaces:
eth0: unencrypted Internet traffic
eth1: all IPsec Internet traffic for site-to-site VPNs
Both devices are connected on the same Ethernet switch.
The reason for this: I want to have dedicated traffic analysis for all IPsec traffic and a simple and safe reject rule for all RFC1918 private networks coming in or sending out wrongly via eth0. I additional want to have an own IP address for the IPsec gateway and as IPsec cannot be used on a device alias, this seems to be the only solution.
Is this configuration technically allowed? I'm wondering, as sometimes a "tcpdump -i eth0" shows response packets from requests going out over eth1 IPsec.
This thread was automatically locked due to age.
