[Openswan dev] VPN policy and Protocol selector
david
david2005.p at gmail.com
Mon Sep 12 14:46:06 CEST 2005
2005/9/7, Paul Wouters <paul at xelerance.com>:
> On Tue, 6 Sep 2005, david wrote:
>
> >> >> Write a policy of "type=passthrough" for the other protocols.
> >>
> >> david> Would this type of policy enable me to not discard the other
> >> david> protocols but also to let them pass outside of the VPN ?
> >>
> >> Yes.
> >> if you don't discard them, then they will be forwarded in the clear.
> >
> > thx michael
> >
> > This is exactly what I want to do.
> >
> > But I don't know how to write this policy, or where (in ipsec.conf?).
> > Could you give me an example or a URL where I can find it?
>
> something like:
>
> conn pass-all-udp
>     left=%defaultroute
>     right=%any
>     rightsubnet=0.0.0.0/0
>     type=passthrough
>     leftprotoport=17/%any
>     auto=route
>
> (17 is the udp protocol number, see /etc/protocols)
>
> Paul
>
So I've configured the ends of the VPN like this:
HostA:
conn testvpn
    left=195.212.109.203
    leftcert=user02cert.crt
    right=195.212.109.202
    rightid="C=fr, ST=idf, ....."
    type=passthrough
    leftprotoport=1
    rightprotoport=1
    auto=route
HostB:
conn testvpn
    left=195.212.109.202
    leftcert=user01cert.crt
    right=%any
    rightcert=%cert
    type=passthrough
    leftprotoport=1/%any
    rightprotoport=1/%any
    auto=route
Those two hosts are directly linked for the tests and there is no subnet
behind them. When HostA establishes the VPN with HostB, the VPN
goes up, but only ICMP traffic can use it. Other traffic is simply
discarded... and I don't want that.
So what's wrong or missing?
rgds
david
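Added example, not from this thread or from the Openswan project: one way to lay out an ipsec.conf that follows the suggestion quoted above, with an ordinary tunnel conn that covers only ICMP between the two test hosts and separate type=passthrough conns, one per IP protocol number, for the traffic that should leave in the clear. The addresses, certificate file name and peer DN are taken from the HostA config in the post (the DN is left elided exactly as it appears there); the config setup section, the choice of protocols 6 and 17, and all comments are assumptions. As the quoted reply says, anything matched by a passthrough conn is forwarded unencrypted, so keep the passthrough selectors (protocol, port, subnet) as narrow as the use case allows.

```ini
# /etc/ipsec.conf on HostA (example layout, not the poster's file)
version 2.0

config setup
    # assumption: a single outbound interface picked from the routing table
    interfaces=%defaultroute

# The VPN itself: a tunnel, not a passthrough, restricted to ICMP.
conn testvpn
    left=195.212.109.203
    leftcert=user02cert.crt
    right=195.212.109.202
    rightid="C=fr, ST=idf, ....."
    type=tunnel
    leftprotoport=1/%any
    rightprotoport=1/%any
    auto=route

# Bypass policies for the other protocols, as suggested in the thread.
# Each one is a separate conn keyed on the protocol number from /etc/protocols.
# Matching packets are NOT encrypted; they are sent as plain IP.
conn pass-all-udp
    left=%defaultroute
    right=%any
    rightsubnet=0.0.0.0/0
    type=passthrough
    leftprotoport=17/%any
    auto=route

conn pass-all-tcp
    left=%defaultroute
    right=%any
    rightsubnet=0.0.0.0/0
    type=passthrough
    leftprotoport=6/%any
    auto=route
```

HostB would mirror this with its own left/right, leftcert and rightcert settings as in the post. After editing, reload with `ipsec setup restart` and confirm with `ipsec auto --status` that testvpn and each pass-* conn is listed; any protocol without a passthrough conn of its own is still subject to whatever the default policy does with it.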