[Openswan Users] Tunnels come up, but not all traffic goes through

Nate Carlson natecars at natecarlson.com
Thu Jun 10 10:21:22 CEST 2004


On Thu, 10 Jun 2004, Herbert Xu wrote:
> This is bullshit.  You *can* firewall IPsec traffic just fine with 2.6.  
> It is also unlikely to have caused security holes as the kernel policy
> engine ensures that all traffic matching the selector of the SAs must be
> protected by the specified SAs.
> 
> What you can't do easily is NATing or other similar operations on
> IPsec.

Just for the sake of reference, how would you, for example, tag all data 
that is coming in via IPSec and going out to your internal network (eth1)? 
With klips, it's easy:

iptables -I FORWARD -i ipsec0 -o eth1 <...>

With 26sec, I'm not aware of a way to do it besides tagging on IP address; 
the hard part is you don't always know the remote IP (roadwarriors and 
such). If there is a simple way to do it, I'd love to hear about it!

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
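As an added illustration of the question above (editor's example, not from the thread or the Openswan project): with klips the decrypted packets surface on the virtual ipsec0 interface, so a FORWARD rule can match on `-i ipsec0`; with the native 2.6 IPsec stack (xfrm) there is no such interface, but the netfilter `policy` match (xt_policy, added to the kernel after this thread) asks the kernel's own policy engine whether a packet arrived inside an SA, so the remote address does not need to be known. The internal interface name eth1 is an assumption carried over from the mail.

```shell
# Added example: FORWARD rules that classify "came in via IPsec, going to the
# internal LAN" under klips versus xfrm. Rules are generated as strings and only
# applied when run as root with iptables present, so the script can also be
# read or tested without touching a live firewall.

# ipsec_forward_rule <klips|xfrm> <internal_if> <target>
# Prints the iptables command that matches decrypted inbound IPsec traffic
# being forwarded to <internal_if>, for the given IPsec stack.
ipsec_forward_rule() {
    stack="$1"; lan_if="$2"; target="${3:-ACCEPT}"
    case "$stack" in
        klips)
            # Decrypted packets appear to arrive on the virtual ipsec0 device.
            echo "iptables -I FORWARD -i ipsec0 -o $lan_if -j $target"
            ;;
        xfrm)
            # No virtual device; ask the policy engine whether the packet was
            # protected by an inbound (--dir in) IPsec SA using ESP, regardless
            # of the peer's address, which is what matters for roadwarriors.
            echo "iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -o $lan_if -j $target"
            ;;
        *)
            echo "unknown stack: $stack" >&2
            return 1
            ;;
    esac
}

# ipsec_plaintext_guard <external_if> <internal_if>
# Companion xfrm rule (assumed policy, not from the mail): drop forwarded
# traffic from the external side that was NOT IPsec-protected, so cleartext
# cannot reach the LAN by bypassing the tunnel.
ipsec_plaintext_guard() {
    wan_if="$1"; lan_if="$2"
    echo "iptables -I FORWARD -i $wan_if -o $lan_if -m policy --dir in --pol none -j DROP"
}

# apply_rules <klips|xfrm> <external_if> <internal_if>
# Executes the generated commands only when we can actually change the firewall.
apply_rules() {
    if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
        eval "$(ipsec_forward_rule "$1" "$3")"
        [ "$1" = xfrm ] && eval "$(ipsec_plaintext_guard "$2" "$3")"
    else
        echo "not root or iptables missing; would run:" >&2
        ipsec_forward_rule "$1" "$3" >&2
    fi
}
```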

