[Openswan Users] X509 DN filtering
marc at itu.net
Tue Aug 24 16:48:44 CEST 2004
Thanks much for your quick responses. I keep hearing about all kinds of documentation but I can never find it. Can you point me to it?
From: John A. Sullivan III [mailto:john.sullivan at nexusmgmt.com]
Sent: Tue 8/24/2004 3:34 PM
To: Paul Wouters
Cc: Marc Spiegelman; users at lists.openswan.org
Subject: Re: [Openswan Users] X509 DN filtering
On Tue, 2004-08-24 at 18:27, Paul Wouters wrote:
> On Tue, 24 Aug 2004, Marc Spiegelman wrote:
> > I am trying to figure out a solution so roadwarriors can only connect to their designated VPN concentrator but VPN concentrators can all connect to each other. I was wondering if there is a configuration in openswan so I can limit which certificates are allowed to connect. I was thinking the distinguished name could be used but I don't know if openswan is capable of this kind of filtering. If so, does anyone have any examples? Does anyone have any other ideas to meet my objective?
> From Andreas's X509 documentation:
> The IPsec policy defined above can now be enforced with the following three
> IPsec security associations:
> conn sales
>     rightid="C=CH, O=ACME, OU=Sales, CN=*"
>     rightsubnetwithin=10.1.0.0/24    # Sales DHCP range
>     leftsubnet=10.0.0.0/24           # Sales subnet
> conn research
>     rightid="C=CH, O=ACME, OU=Research, CN=*"
>     rightsubnetwithin=10.1.1.0/24    # Research DHCP range
>     leftsubnet=10.0.1.0/24           # Research subnet
> conn web
>     rightid="C=CH, O=ACME, OU=*, CN=*"
>     rightsubnetwithin=10.1.0.0/23    # Remote access DHCP range
>     leftsubnet=10.0.2.100/32         # Web server
>     rightprotoport=tcp               # TCP protocol only
>     leftprotoport=tcp/http           # TCP port 80 only
One can take this even further by capturing the DN in the updown script
and dynamically altering the iptables rules. That's how we do it in
Is it still a limitation in port selectors that the port restriction
only applies to the protocol used to establish the tunnel but any
traffic can use the tunnel once the tunnel is established? That may have
been changed long ago but I've been away from *swan for a while - John
John A. Sullivan III
Chief Technology Officer
john.sullivan at nexusmgmt.com
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
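An added example (not code from the thread, from Openswan's own _updown, or from Andreas's documentation) of the updown-hook idea John describes: read the peer's X.509 DN, pick the OU, and emit iptables rules that confine that roadwarrior to its designated subnet. It assumes pluto exports the peer DN as PLUTO_PEER_ID, the peer's client subnet as PLUTO_PEER_CLIENT, and calls the hook with PLUTO_VERB=up-client / down-client; the OU-to-subnet table mirrors the sales/research/web conns above, and the rules are printed rather than applied so the script can be dry-run.

```shell
#!/bin/sh
# Example updown fragment (added illustration, not Openswan's _updown).
# Assumed pluto environment: PLUTO_VERB, PLUTO_PEER_ID (peer DN),
# PLUTO_PEER_CLIENT (peer's subnet, e.g. 10.1.0.7/32).

# Extract one RDN value from a DN like "C=CH, O=ACME, OU=Sales, CN=alice".
# Simple comma split: RDN values containing an escaped comma are not handled.
dn_attr() {
    # $1 = attribute name (e.g. OU), $2 = DN string
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# Map the OU to the only destination that roadwarrior may reach; any other
# OU falls through to the web server, as the "web" conn does above.
allowed_for_ou() {
    case "$1" in
        Sales)    echo "10.0.0.0/24" ;;
        Research) echo "10.0.1.0/24" ;;
        *)        echo "10.0.2.100/32" ;;
    esac
}

# Print the iptables commands for one event: allow the designated
# destination, drop everything else from that client, and undo on down.
rules_for() {
    # $1 = verb, $2 = peer DN, $3 = peer client subnet
    verb=$1; dn=$2; client=$3
    ou=$(dn_attr OU "$dn")
    dst=$(allowed_for_ou "$ou")
    case "$verb" in
        up-client)
            echo "iptables -I FORWARD 1 -s $client -d $dst -j ACCEPT"
            echo "iptables -A FORWARD -s $client -j DROP" ;;
        down-client)
            echo "iptables -D FORWARD -s $client -d $dst -j ACCEPT"
            echo "iptables -D FORWARD -s $client -j DROP" ;;
    esac
}

# When invoked by pluto, act on the environment it provides.
if [ -n "$PLUTO_VERB" ]; then
    rules_for "$PLUTO_VERB" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT"
fi
```

To apply the rules for real, pipe the output through sh (or replace the echo with the command) after checking the names pluto actually exports on your release.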