<p dir="ltr">Sure, sorry about that.<br>
Thanks a lot!</p>
<div class="gmail_quote">On Jan 18, 2014 1:26 AM, "Simon Deziel" <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 14-01-17 06:19 PM, Idan Freiberg wrote:<br>
> can i drop non-ipsec connections without using iptables?<br>
><br>
> (like racoon do)<br>
<br>
What happens if racoon dies and the IPsec connection goes out?<br>
<br>
It would start leaking traffic in plain text. That's when iptables'<br>
extra protection can be handy.<br>
<br>
Simon<br>
<br>
P.S.: Please reply to the mailing list directly as others might be<br>
interested by your thread.<br>
<br>
> On Jan 17, 2014 4:42 AM, "Simon Deziel" <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a><br>
> <mailto:<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>>> wrote:<br>
><br>
> If your IPsec connection is alive, the iptables rules are not needed as the<br>
> kernel will make sure to encrypt any packets between both peers. This is<br>
> not something racoon or Openswan does, it's the kernel directly.<br>
><br>
> The iptables rules are there to prevent any communication if your IPsec<br>
> connections accidentally die or something like that.<br>
><br>
> Simon<br>
><br>
> On 14-01-16 02:15 AM, Idan Freiberg wrote:<br>
> > Thanks alot!<br>
> ><br>
> > As far as I remember the *racoon* daemon isn't relying on iptables for<br>
> > dropping unsecured connections.<br>
> > As far as I understand, openswan isn't dealing with that, can you<br>
> accept ?<br>
> ><br>
> ><br>
> > On Thu, Jan 16, 2014 at 4:02 AM, Simon Deziel <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a><br>
> <mailto:<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>><br>
> > <mailto:<a href="mailto:simon@xelerance.com">simon@xelerance.com</a> <mailto:<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>>>> wrote:<br>
> ><br>
> > Hi Idan,<br>
> ><br>
> > You can set your connection to use "auto=route" or<br>
> "auto=start". This<br>
> > will keep the IPsec connection ready to secure the<br>
> communication between<br>
> > the 2 peers.<br>
> ><br>
> > You can supplement this with some iptables rules like those:<br>
> ><br>
> > iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \<br>
> > --proto esp --mode transport -d <Other_IP> -j ACCEPT<br>
> > iptables -A OUTPUT -d <Other_IP> -j REJECT<br>
> ><br>
> > iptables -A INPUT -m policy --dir in --pol ipsec --strict \<br>
> > --proto esp --mode transport -s <Other_IP> -j ACCEPT<br>
> > iptables -A INPUT -s <Other_IP> -j REJECT<br>
> ><br>
> > The REJECT rules could also be used with "--pol none". I'd<br>
> recommend<br>
> > reading man 8 iptables for more ideas on how to tweak those rules.<br>
> ><br>
> > HTH,<br>
> > Simon<br>
> ><br>
> > On 14-01-15 08:18 PM, Idan Freiberg wrote:<br>
> > > hello all!<br>
> > ><br>
> > > i'm trying to restrict connections to my centos box , so<br>
> just windows<br>
> > > clients with a corresponding PSK will be able to communicate with<br>
> > my box.<br>
> > ><br>
> > > In Windows, an IPsec rule can be defined as a REQUIRE IPSEC<br>
> rule, which<br>
> > > means non-IPsec traffic will be dropped automatically (clear<br>
> traffic)<br>
> > ><br>
> > > I find it hard to configure a REQUIRE Like rule with Openswan.<br>
> > ><br>
> > > p.s. i am using ipsec in transport mode, not tunnel mode.<br>
> > ><br>
> > > Any help will be appreciated.<br>
> > > Idan.<br>
> > ><br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > <a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a> <mailto:<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>><br>
> <mailto:<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a> <mailto:<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>>><br>
> > > <a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
> > > Micropayments:<br>
> > <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
> > > Building and Integrating Virtual Private Networks with Openswan:<br>
> > ><br>
> ><br>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
> > ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Idan Freiberg<br>
> > Mobile: <a href="tel:%2B972-52-2925213" value="+972522925213">+972-52-2925213</a> <tel:%2B972-52-2925213><br>
><br>
><br>
<br>
</blockquote></div>
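<p>The "require IPsec" rule set discussed in the thread, as an added example that is not code from any participant: a POSIX shell script that emits the iptables commands for one peer so they can be reviewed before being applied. Because the rules live in netfilter rather than in the IKE daemon, they keep rejecting cleartext to and from the peer even if pluto (or racoon) dies, which is the failure mode Simon describes. The script extends the thread's rules in two labelled ways: it adds ACCEPT rules for IKE on UDP 500/4500 (not mentioned in the thread, assumed here so the SA can still be negotiated once everything else to the peer is rejected), and it accepts a mode argument so the same rules can be emitted for tunnel mode as well as the transport mode the thread uses. The helper names, the <code>DRY_RUN</code> variable and the peer address 203.0.113.10 are constructed for this example.</p>

```shell
#!/bin/sh
# Added example, not from the thread: emit (or apply) iptables rules that
# reject any traffic to/from PEER that is not protected by an IPsec ESP SA.
# Assumptions: OUTPUT/INPUT chains and the policy match exactly as in the
# thread; IKE on UDP 500/4500 is allowed through as an addition so the SA
# can be negotiated at all once plain traffic to the peer is rejected.

# Dotted-quad sanity check so a typo does not turn into a rule that matches
# nothing (constructed helper).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for PEER.  MODE is "transport" (the thread's
# case, default) or "tunnel".  Order matters: the policy-match ACCEPT rules
# must come before the catch-all REJECT rules for the same peer.
ipsec_require_rules() {
    peer="$1"
    mode="${2:-transport}"
    valid_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
    case "$mode" in
        transport|tunnel) ;;
        *) echo "mode must be transport or tunnel: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -A OUTPUT -p udp -d $peer -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -p udp -s $peer -m multiport --sports 500,4500 -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --proto esp --mode $mode -d $peer -j ACCEPT
iptables -A OUTPUT -d $peer -j REJECT
iptables -A INPUT -m policy --dir in --pol ipsec --strict --proto esp --mode $mode -s $peer -j ACCEPT
iptables -A INPUT -s $peer -j REJECT
EOF
}

# Run the generated commands (needs root).  With DRY_RUN=1 they are only
# printed, e.g.:  DRY_RUN=1 apply_rules 203.0.113.10
apply_rules() {
    ipsec_require_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}
```

<p>Review the dry-run output first; after applying, <code>iptables -L OUTPUT -v</code> should show the REJECT counters increasing only when the SA is down, which is exactly the condition the rules exist for.</p>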