<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>Re: [Openswan Users] Multiple aliases per IF, bind to one</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText31432 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Maciej,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>This particular machine has
100+ aliases on eth0. I do indeed have config setup with interface
ipsec0=eth0 in place as well as the particular IP in the individual
configs. But when I do a netstat I see that ipsec is listening on all
interfaces on all IPs.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><PRE>udp        0      0 198.22.33.36:4500       0.0.0.0:*
udp        0      0 198.22.33.37:4500       0.0.0.0:*
udp        0      0 198.22.33.38:4500       0.0.0.0:*
... &lt;skip another 90 entries&gt;
udp        0      0 198.22.33.122:4500      0.0.0.0:*
</PRE></DIV>
<DIV dir=ltr>The problem is that these additional aliases are NAT'd internal to
a DMZ. We noticed a problem with this because we have a service running on
port 4500 on one of the internal machines and IPSEC caused some problems with
this. We've overcome those problems but basically we only want IPSEC to
listen on those IPs that we want.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Does this make sense? Is it possible to limit it in this way
with OpenSwan? I think this is also good practice to limit to what you
want from both a security and resource standpoint.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Gary Smith</DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Maciej Bogucki
[mailto:maciej.bogucki@artegence.com]<BR><B>Sent:</B> Thu 6/9/2005 12:53
AM<BR><B>To:</B> Gary W. Smith<BR><B>Cc:</B>
users@lists.openswan.org<BR><B>Subject:</B> Re: [Openswan Users] Multiple
aliases per IF, bind to one<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>> One of my firewalls has multiple interface aliases
(numbering more than 10)<BR>> and when I do a netstat I can see that OpenSwan
is bound to all of them.<BR>> How can I force it to bind to a particular IP
address? I've looked around<BR>> the Wiki but didn't find the
answer.<BR><BR>Here is an example of how you can do this:</FONT></P>
<PRE>config setup
    interfaces="ipsec0=eth1"
conn test_conn
    left=Your_IP_here
</PRE>
<P><FONT size=2>Best Regards<BR>Maciej Bogucki<BR><BR>--<BR>PGP key: <A
href="http://pgp.mit.edu:11371/pks/lookup?op=get&amp;search=0x9F74A406">http://pgp.mit.edu:11371/pks/lookup?op=get&amp;search=0x9F74A406</A><BR>Key
fingerprint = 6E44 9A4A 8743 9936 1E92 A0B4 F2A8 87F7 9F74
A406<BR><BR></FONT></P></DIV>
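<DIV dir=ltr>Added example, not part of the thread above and not Openswan's own
code: a small POSIX shell check that reads netstat-style UDP socket lines and
reports every local address bound to IKE's UDP 500 or NAT-T's UDP 4500 that is
not on an allowlist, which is the "only listen on the IPs we want" condition
Gary describes. The sample netstat lines are constructed for the example, and
the function names (ike_listeners, unexpected_binds, check_ike_binds) and the
allowlist addresses are assumptions of this example.</DIV>

```shell
#!/bin/sh
# Added example (not code from the thread or from Openswan): audit which local
# addresses are bound to IKE (UDP 500) and NAT-T (UDP 4500), given
# netstat-style socket lines, and compare them with an allowlist.

# Constructed sample in the shape of `netstat -anu` output, not from a real host.
# 198.22.33.36 is the address the VPN should use; .37 and .38 are aliases
# that should not carry IKE; port 53 is unrelated and must be ignored.
SAMPLE_NETSTAT='udp        0      0 198.22.33.36:500        0.0.0.0:*
udp        0      0 198.22.33.36:4500       0.0.0.0:*
udp        0      0 198.22.33.37:4500       0.0.0.0:*
udp        0      0 198.22.33.38:4500       0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# ike_listeners: stdin = netstat lines; stdout = "ADDR PORT" for every UDP
# socket (udp or udp6) whose local port is 500 or 4500. The port is taken
# after the last colon so IPv6 locals such as :::4500 split correctly.
ike_listeners() {
    awk '$1 ~ /^udp/ {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port == "500" || port == "4500") print addr, port
    }'
}

# unexpected_binds "ADDR1 ADDR2 ...": stdin = netstat lines; prints ADDR:PORT
# for each IKE/NAT-T bind whose address is not in the space-separated
# allowlist. A wildcard bind (0.0.0.0 or ::) is reported unless listed.
unexpected_binds() {
    allowed=" $1 "
    ike_listeners | while read -r addr port; do
        case "$allowed" in
            *" $addr "*) ;;
            *) printf '%s:%s\n' "$addr" "$port" ;;
        esac
    done
}

# check_ike_binds "ADDR1 ADDR2 ...": stdin = netstat lines; returns 0 when
# every IKE/NAT-T bind is on the allowlist, otherwise prints the offenders
# and returns 1, so it can gate a deployment or feed a monitoring check.
check_ike_binds() {
    unexpected=$(unexpected_binds "$1")
    if [ -n "$unexpected" ]; then
        printf 'unexpected IKE bind: %s\n' $unexpected
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed sample: only .36 is allowed, so the
# .37 and .38 NAT-T sockets are reported. "|| :" keeps the non-zero result
# from aborting a shell running with set -e.
printf '%s\n' "$SAMPLE_NETSTAT" | check_ike_binds "198.22.33.36" || :
```

<DIV dir=ltr>On a live host, replace the constructed sample with real output:
<CODE>netstat -anu | check_ike_binds "198.22.33.36"</CODE>. A wildcard bind
shows up as 0.0.0.0 (or :: for IPv6) and is reported unless it is listed, so
the same check also catches a daemon that has fallen back to listening on every
address.</DIV>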
</BODY>
</HTML>