<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0">
<TITLE>Re: [Openswan Users] X509 DN filtering</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText11744 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Thanks much for your quick
responses. I keep hearing about all kinds of documentation but I can never
find it. Can you point me to it?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Thanks</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> John A. Sullivan III
[mailto:john.sullivan@nexusmgmt.com]<BR><B>Sent:</B> Tue 8/24/2004 3:34
PM<BR><B>To:</B> Paul Wouters<BR><B>Cc:</B> Marc Spiegelman;
users@lists.openswan.org<BR><B>Subject:</B> Re: [Openswan Users] X509 DN
filtering<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>On Tue, 2004-08-24 at 18:27, Paul Wouters wrote:<BR>
> On Tue, 24 Aug 2004, Marc Spiegelman wrote:<BR>
><BR>
> > I am trying to figure out a solution so roadwarriors can only connect to their designated VPN concentrator but VPN concentrators can all connect to each other. I was wondering if there is a configuration in openswan so I can limit which certificates are allowed to connect. I was thinking the distinguished name could be used but I don't know if openswan is capable of this kind of filtering. If so, does anyone have any examples? Does anyone have any other ideas to meet my objective?<BR>
><BR>
> From Andreas's X509 documentation:<BR>
><BR>
> The IPsec policy defined above can now be enforced with the following three<BR>
> IPsec security associations:<BR>
><BR>
> conn sales<BR>
>      right=%any<BR>
>      rightid="C=CH, O=ACME, OU=Sales, CN=*"<BR>
>      rightsubnetwithin=10.1.0.0/24   # Sales DHCP range<BR>
>      leftsubnet=10.0.0.0/24          # Sales subnet<BR>
><BR>
> conn research<BR>
>      right=%any<BR>
>      rightid="C=CH, O=ACME, OU=Research, CN=*"<BR>
>      rightsubnetwithin=10.1.1.0/24   # Research DHCP range<BR>
>      leftsubnet=10.0.1.0/24          # Research subnet<BR>
><BR>
> conn web<BR>
>      right=%any<BR>
>      rightid="C=CH, O=ACME, OU=*, CN=*"<BR>
>      rightsubnetwithin=10.1.0.0/23   # Remote access DHCP range<BR>
>      leftsubnet=10.0.2.100/32        # Web server<BR>
>      rightprotoport=tcp              # TCP protocol only<BR>
>      leftprotoport=tcp/http          # TCP port 80 only<BR>
&lt;snip&gt;<BR>
One can take this even further by capturing the DN in the updown script<BR>
and dynamically altering the iptables rules. That's how we do it in<BR>
ISCS.<BR>
Is it still a limitation in port selectors that the port restriction<BR>
only applies to the protocol used to establish the tunnel but any<BR>
traffic can use the tunnel once the tunnel is established? That may have<BR>
been changed long ago but I've been away from *swan for a while - John<BR>
--<BR>
John A. Sullivan III<BR>
Chief Technology Officer<BR>
Nexus Management<BR>
+1 207-985-7880<BR>
john.sullivan@nexusmgmt.com<BR>
---<BR>
If you are interested in helping to develop a GPL enterprise class<BR>
VPN/Firewall/Security device management console, please visit<BR>
<A href="http://iscs.sourceforge.net">http://iscs.sourceforge.net</A><BR><BR></FONT></P></DIV>
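<DIV><P><FONT size=2>The thread above explains the idea behind rightid DN filtering but never shows which certificates the three quoted conns would actually let in. The following is an added example, not code from the thread or from Openswan itself: a small Python model of the matching rule the quoted documentation describes (a <CODE>*</CODE> stands for a whole RDN value, attribute order and names must agree, literal values must match exactly). Those rules are assumptions about Openswan's behaviour, not a transcription of its C matcher, and the peer subjects in SAMPLE_PEERS are constructed, not real certificates.</FONT></P></DIV>

```python
# Added example (not from the thread or from Openswan's own source): an
# approximation of how an ipsec.conf "rightid" DN pattern with '*' wildcards
# selects which peer certificates a conn will accept. It models the semantics
# described in the quoted documentation, not Openswan's C matcher.
# Assumptions: '*' stands for a whole RDN value, RDN order and attribute
# names must agree, and literal values are compared exactly.
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=CH, O=ACME, OU=Sales, CN=*' into ordered (attr, value) pairs."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(pattern: str, subject: str) -> bool:
    """True if the certificate subject DN is accepted by the rightid pattern."""
    pat, sub = parse_dn(pattern), parse_dn(subject)
    # A subject with more or fewer RDNs than the pattern never matches, so a
    # certificate that simply omits OU cannot slip past an OU=* pattern.
    if len(pat) != len(sub):
        return False
    for (pattr, pval), (sattr, sval) in zip(pat, sub):
        if pattr != sattr:
            return False
        if pval != "*" and pval != sval:
            return False
    return True


# The three conns quoted in the thread, keyed by name, with their rightid.
CONNS: Dict[str, str] = {
    "sales": "C=CH, O=ACME, OU=Sales, CN=*",
    "research": "C=CH, O=ACME, OU=Research, CN=*",
    "web": "C=CH, O=ACME, OU=*, CN=*",
}


def matching_conns(subject_dn: str, conns: Dict[str, str] = CONNS) -> List[str]:
    """Names of the conns whose rightid accepts this peer certificate."""
    return [name for name, pattern in conns.items() if dn_matches(pattern, subject_dn)]


# Constructed sample certificate subjects (not real certificates).
SAMPLE_PEERS = [
    "C=CH, O=ACME, OU=Sales, CN=alice",        # sales staff: sales + web
    "C=CH, O=ACME, OU=Research, CN=bob",       # research staff: research + web
    "C=CH, O=ACME, OU=Marketing, CN=carol",    # other ACME OU: web only
    "C=CH, O=Other Ltd, OU=Sales, CN=dan",     # wrong organisation: nothing
    "C=CH, O=ACME, CN=erin",                   # OU missing: nothing
]

if __name__ == "__main__":
    for peer in SAMPLE_PEERS:
        print(f"{peer:40s} -> {matching_conns(peer) or ['(rejected)']}")
```

<DIV><P><FONT size=2>Running it shows the point of the original question: the OU-specific rightid on each concentrator is what keeps a sales certificate off the research tunnel, while the <CODE>OU=*</CODE> pattern on the web conn admits every certificate the CA issued under <CODE>O=ACME</CODE>. The OU value is only a useful filter because the CA, not the roadwarrior, decides what goes into the certificate subject.</FONT></P></DIV>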
</BODY>
</HTML>