[Openswan Users] Tunnels come up, but not all traffic goes through
Matt Harrell
matt at mattharrell.net
Wed Jun 9 22:53:01 CEST 2004
Indeed. I discovered this with some research into handling the new
IPsec in iptables. I now have everything working beautifully!
Thanks.
Herbert Xu wrote:
>Michael Richardson <mcr at sandelman.ottawa.on.ca> wrote:
>
>>>>>>> "Matt" == Matt Harrell <matt at mattharrell.net> writes:
>>
>> Matt> I should have mentioned that. I did change all references to
>> Matt> ipsec0 to eth1 (external NIC) in my iptables rules. Is that
>> Matt> all there is to it?
>>
>> No. You have likely caused yourself a security hole.
>>
>> You can not firewall IPsec things with 2.6 kernels, without patches.
>>
>
>This is bullshit. You *can* firewall IPsec traffic just fine with
>2.6. It is also unlikely to have caused security holes as the
>kernel policy engine ensures that all traffic matching the selector
>of the SAs must be protected by the specified SAs.
>
>What you can't do easily is NATing or other similar operations
>on IPsec.
>
--
Matt Harrell
matt at mattharrell.net
http://www.mattharrell.net
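As an added example, not part of this thread or of Openswan, here is how Herbert's point (the kernel's xfrm policy engine knows which packets were decapsulated from an SA) can be turned into eth1 rules that do not admit cleartext packets merely claiming a remote-subnet source address, which is the hole Michael is warning about once ipsec0 is gone. It assumes iptables' policy match module (-m policy, available in later 2.6 kernels) and the constructed subnets 192.168.1.0/24 (local) and 10.1.0.0/16 (remote).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology: eth1 is the external
# NIC, LOCAL_NET sits behind this gateway, REMOTE_NET behind the IPsec peer,
# and the kernel provides the xt_policy match (iptables -m policy).
# Run as "apply" to load the rules, or "dry-run" to print them without root.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth1}"
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"   # constructed sample subnet
REMOTE_NET="${REMOTE_NET:-10.1.0.0/16}"    # constructed sample subnet

ipsec_fw_rules() {
    # IKE (UDP 500), NAT-T (UDP 4500) and ESP itself must reach the gateway.
    "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$EXT_IF" -p esp -j ACCEPT

    # After decapsulation the inner packet re-enters netfilter on eth1.
    # Trust a remote-subnet source only if the policy engine says it came
    # out of an ESP SA; a plain "-i eth1 -s $REMOTE_NET -j ACCEPT" would
    # also admit cleartext packets forged with that source address.
    "$IPTABLES" -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol none -j DROP

    # Outbound, the same test in the other direction: packets to the remote
    # subnet that no SA will encrypt are dropped instead of leaking in clear.
    "$IPTABLES" -A FORWARD -o "$EXT_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    "$IPTABLES" -A FORWARD -o "$EXT_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol none -j DROP
}

case "${1:-}" in
    apply)   ipsec_fw_rules ;;
    dry-run) IPTABLES=echo; ipsec_fw_rules ;;
esac
```

Traffic from the tunnel addressed to the gateway itself needs the same `-m policy --dir in` pair on the INPUT chain.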