[Openswan Users] WINS resolution and firewall ruleset for ipsec0

John A. Sullivan III jsullivan at opensourcedevelopmentcorp.com
Wed Dec 8 09:36:01 CET 2004

On Wed, 2004-12-08 at 05:39, Craig Schneider wrote:
> Hi Guys
> Was just wondering if in my firewall ruleset I can have a default policy
> of ACCEPT for ipsec0?
> Am I correct in asumming that only once authenticated will traffic be
> allowed to traverse this interface? And communication will be encrypted?
You certainly can do that.  In fact, that is the way we propagate
extended, out-of-band user authentication throughout the WAN in the ISCS
network management project (http://iscs.sourceforge.net) while
maintaining a very small footprint on the gateways.  One can require
various sorts of user authentication before one can place traffic in the
tunnel and then any other gateway can trust that packets coming off the
tunnel have been authenticated by some sort of sophisticated
authentication mechanism.

However, we usually also place access control restrictions on the
tunnels.  In today's environment where phishing, SPAM and wireless
intrusion can posture an attacker on the inside of the network with
ease, we need to protect against intruders on the inside.  Without
access control on the ipsec interfaces, our WANs our wide open to
compromise once someone has breached any one office.  This can create
some very complex and rapidly changing rule sets.  Managing that is the
primary purpose of ISCS but it can be done manually.  Good luck - John
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development

More information about the Users mailing list