[Openswan Users] WINS resolution and firewall ruleset for ipsec0
Paul Overton
paul at trusted-management.com
Wed Dec 8 11:22:07 CET 2004
If you are using KLIPS on Kernal 2.4.x, then you can create an Iptables rule
to accept anything from ipsec0, this somewhat depends upon how much you
trust your authentication. In my case I have used X509 certificates, to
provide that level of authentication.
I would generally not recommend this course of action if you have any doubt
over who and what services are likely to be received through the ipsec0
interface.
Your assumption that only authenticated traffic is present on this interface
is correct. This relates to the creation of the Security Association between
the client/server involved.
On the WINS problem, I have found it necessary on win2k clients to manually
insert the address of the WINS server into the local configuration, this
assumes that you are running a WINS proxy on your Linix server, or that you
have suitable Iptables rules to allow your decrypted traffic to enter your
local network.
Hope this helps
Regards Paul
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]On
Behalf Of Craig Schneider
Sent: 08 December 2004 10:40
To: users at openswan.org
Subject: [Openswan Users] WINS resolution and firewall ruleset for
ipsec0
Hi Guys
Was just wondering if in my firewall ruleset I can have a default policy
of ACCEPT for ipsec0?
Am I correct in asumming that only once authenticated will traffic be
allowed to traverse this interface? And communication will be encrypted?
I am also having a problem with WINS resolution across my VPN/L2TP link,
any ideas? I have use the ms-wins and ms-dns settings in options.l2tpd.
Any help would be appreciated.
Thanks
Kind regards
Craig
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
More information about the Users
mailing list