[Openswan Users] X509 DN filtering
John A. Sullivan III
john.sullivan at nexusmgmt.com
Tue Aug 24 19:34:36 CEST 2004
On Tue, 2004-08-24 at 18:27, Paul Wouters wrote:
> On Tue, 24 Aug 2004, Marc Spiegelman wrote:
>
> > I am trying to figure out a solution so roadwarriors can only connect to their designated VPN concentrator but VPN concentrators can all connect to each other. I was wondering if there is a configuration in openswan so I can limit which certificates are allowed to connect. I was thinking the distinguished name could be used but I don't know if openswan is capable of this kind of filtering. If so, does anyone have any examples? Does anyone have any other ideas to meet my objective?
>
> >From Andreas his X509 documentation:
>
> The IPsec policy defined above can now be enforced with the following three
> IPsec security associations:
>
> conn sales
> right=%any
> rightid="C=CH, O=ACME, OU=Sales, CN=*"
> rightsubnetwithin=10.1.0.0/24 # Sales DHCP range
> leftsubnet=10.0.0.0/24 # Sales subnet
>
> conn research
> right=%any
> rightid="C=CH, O=ACME, OU=Research, CN=*"
> rightsubnetwithin=10.1.1.0/24 # Research DHCP range
> leftsubnet=10.0.1.0/24 # Research subnet
>
> conn web
> right=%any
> rightid="C=CH, O=ACME, OU=*, CN=*"
> rightsubnetwithin=10.1.0.0/23 # Remote access DHCP range
> leftsubnet=10.0.2.100/32 # Web server
> rightprotoport=tcp # TCP protocol only
> leftprotoport=tcp/http # TCP port 80 only
<snip>
One can take this even further by capturing the DN in the updown script
and dynamically altering the iptables rules. That's how we do it in
ISCS.
Is it still a limitation in port selectors that the port restriction
only applies to the protocol used to establish the tunnel but any
traffic can use the tunnel once the tunnel is established? That may have
been changed long ago but I've been away from *swan for a while - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
More information about the Users
mailing list