VPN Question


Gauge
05-01-2004, 05:23 PM
My cousin and I are thinking about setting up a VPN between our two home networks. We have some strange requirements, though. Each network will be using a Linux machine (RH or SuSE) as a router, which will perform NAT for all clients on our respective internal networks. What we want to do is set up a P2P VPN between these two Linux machines such that we are on the same logical network. We would like to implement this using IPSEC, if possible, so that we don't have to worry about security issues with PPTP.

Basically, the thing that throws a wrench in the works is that we want to be on the same subnet. We want to have broadcasts traverse the VPN. Essentially, the setup we're looking for will have each Linux machine running in promiscuous mode and forwarding every bit of traffic through the VPN that is destined for the internal network. As long as we're both using switches instead of hubs (which we are) the through traffic shouldn't be too heavy.

Is this possible? Perhaps there's a way to do this with FreeS/WAN?

Alex Cavnar, aka alc6379
05-03-2004, 01:22 AM
I'm by no means a VPN guru, but I can venture some edumacated guesses with my limited knowledge of IPSEC:

For starters, I think IPSEC only deals with the upper layer protocols, past the MAC layer, which broadcasts are performed on. From what I can tell, broadcasting to the MAC address of all FF's can not be routed. That's why you can use a bridge to make two collision domains.

There are two types of broadcasting: MAC address based broadcasting (all FF's like I mentioned earlier), and broadcast IP addresses, like 192.168.1.255 (a class C broadcast address). You should be able to broadcast to the IP address, a Layer 3 protocol, but I doubt you can forward the MAC broadcasts. I think this is so ARP doesn't eat up bandwidth -- if you generate a lot of inter-LAN traffic, like 2 machines on a single side of the VPN communicate a lot, every time either system has to send an ARP request to correlate an IP address with a MAC, each of those ARP packets would have to traverse the VPN. That may not be a lot of traffic on each switch, but that could result in a massive amount of traffic on the line connecting the two halves of the network.
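To make the distinction in the reply above concrete, here is an added example in Python (not from the thread, FreeS/WAN or any VPN software): it parses a few constructed Ethernet frames and applies a simplified forwarding model for a routed IPsec tunnel versus a Layer-2 bridge, so you can see which frames, ARP requests included, would end up on the line between the two houses. The MAC addresses, the 192.168.2.0/24 remote subnet and the sample frames are assumed values.

```python
import struct
from collections import Counter

ETH_BCAST = b"\xff" * 6
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
MAC_A, MAC_B = b"\x00\x11\x22\x33\x44\x01", b"\x00\x11\x22\x33\x44\x02"  # constructed local hosts
MAC_GW = b"\x00\x11\x22\x33\x44\xfe"                                      # constructed router MAC
REMOTE_NET = (0xC0A80200, 0xFFFFFF00)   # 192.168.2.0/24 behind a routed tunnel (assumed)

def parse_frame(frame):
    """Split an Ethernet II frame into (dst_mac, ethertype, ipv4_dst or None)."""
    dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    ip_dst = None
    if etype == ETHERTYPE_IP and len(frame) >= 34:
        ip_dst = struct.unpack("!I", frame[30:34])[0]   # IPv4 destination field
    return dst, etype, ip_dst

def crosses_routed_ipsec(frame, remote_net=REMOTE_NET):
    """Simplified model of a Layer-3 (routed) IPsec tunnel: only IP packets whose
    destination falls in the remote subnet are carried; ARP and MAC-level
    broadcasts never leave the local LAN."""
    _dst, etype, ip_dst = parse_frame(frame)
    if etype != ETHERTYPE_IP or ip_dst is None:
        return False
    net, mask = remote_net
    return ip_dst & mask == net

def crosses_bridged_link(frame, local_macs=frozenset({MAC_A, MAC_B})):
    """Simplified learning bridge: broadcasts and frames for MACs not learned on
    the local port are flooded across the link, ARP requests included."""
    dst, _etype, _ip = parse_frame(frame)
    return dst == ETH_BCAST or dst not in local_macs

def eth(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload

def ipv4(dst):
    """Minimal 20-byte IPv4 header from 192.168.1.10; only the destination matters here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, bytes([192, 168, 1, 10]), dst)

# ARP "who-has 192.168.1.20" from 192.168.1.10 (constructed payload)
ARP_WHO_HAS = bytes.fromhex("0001080006040001") + MAC_A + bytes([192, 168, 1, 10]) + b"\0" * 6 + bytes([192, 168, 1, 20])
FRAMES = {  # constructed sample traffic, not a capture
    "arp_request":      eth(ETH_BCAST, MAC_A, ETHERTYPE_ARP, ARP_WHO_HAS),
    "local_unicast":    eth(MAC_B, MAC_A, ETHERTYPE_IP, ipv4(bytes([192, 168, 1, 20]))),
    "ip_broadcast":     eth(ETH_BCAST, MAC_A, ETHERTYPE_IP, ipv4(bytes([192, 168, 1, 255]))),
    "to_remote_subnet": eth(MAC_GW, MAC_A, ETHERTYPE_IP, ipv4(bytes([192, 168, 2, 5]))),
}

def link_load(frames=FRAMES):
    """Count how many of the sample frames each tunnel type would put on the WAN link."""
    return Counter({"routed_ipsec": sum(crosses_routed_ipsec(f) for f in frames.values()),
                    "bridged_link": sum(crosses_bridged_link(f) for f in frames.values())})
```

With these four frames the routed tunnel carries only the packet addressed to the remote subnet, while the bridge also floods the ARP request, the IP broadcast and the frame for an unlearned MAC, which is the extra load on the inter-site line the reply warns about.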