[Openswan Users] Tunnels come up, but not all traffic goes through

Herbert Xu herbert at gondor.apana.org.au
Fri Jun 11 10:41:04 CEST 2004


On Thu, Jun 10, 2004 at 01:25:40PM -0400, Michael Richardson wrote:
> 
> # permit LAN-C to connect to special server at 1.19:
> iptables -A INPUT -i ipsec0 -s 192.168.2.0/24 -d 192.168.1.19/32 -j ACCEPT
> iptables -A INPUT -i ipsec0 -s 192.168.3.0/24 -d 192.168.1.19/32 -j DROP
> 
> .... (apologies for syntax error)
> 
>   Now, if one simply "change all references to ipsec0 to eth1", then one
> has just permitted traffic from the outside to arrive on eth1, unencrypted.

No you haven't.  As long as your IPsec connection is routed/up, there
will be a policy in the kernel policy engine that says any traffic
matching those criteria must be encrypted using IPsec.  Any traffic
from 192.168.2.0/24 to 192.168.1.0/24 which comes in clear from
*any* interface will be dropped.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
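A small model of the two points made in this exchange, added here as an illustration and not code from the thread or from Openswan: with the native (26sec) stack, the kernel xfrm policy discards a clear packet that falls under an inbound IPsec policy no matter which interface it arrived on, so an `-i eth1` rule does not let plaintext in while the tunnel is up; but, as Herbert's "as long as your IPsec connection is routed/up" implies, once the policy is gone the `-i eth1` rule accepts plaintext, whereas the iptables `-m policy --dir in --pol ipsec` match keeps the firewall rule tied to decrypted traffic regardless of tunnel state. Addresses and the chain default policy (DROP) are constructed, and the order of the policy check relative to the INPUT hook is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet was received on (outer interface for native IPsec)
    ipsec: bool     # True: arrived inside ESP and was decrypted by the kernel

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str                  # "ACCEPT" or "DROP"
    iface: Optional[str] = None  # models "-i <iface>"
    pol_ipsec: bool = False      # models "-m policy --dir in --pol ipsec"

Policy = Tuple[str, str]  # (src selector, dst selector) of an inbound "require ESP" xfrm policy

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.pol_ipsec or pkt.ipsec))

def xfrm_inbound_check(pkt: Packet, policies: List[Policy]) -> bool:
    """Simplified kernel policy check: a clear packet whose addresses fall under an
    inbound IPsec policy is discarded regardless of the receiving interface."""
    if pkt.ipsec:
        return True
    return not any(ip_address(pkt.src) in ip_network(s) and ip_address(pkt.dst) in ip_network(d)
                   for s, d in policies)

def verdict(pkt: Packet, rules: List[Rule], policies: List[Policy]) -> str:
    if not xfrm_inbound_check(pkt, policies):
        return "DROP (xfrm policy)"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "DROP (chain policy)"  # constructed: INPUT chain default policy is DROP

# Constructed data: the thread's two rules rewritten for the native stack, both ways.
TUNNEL_UP: List[Policy] = [("192.168.2.0/24", "192.168.1.0/24"), ("192.168.3.0/24", "192.168.1.0/24")]
TUNNEL_DOWN: List[Policy] = []
BY_IFACE = [Rule("192.168.2.0/24", "192.168.1.19/32", "ACCEPT", iface="eth1"),
            Rule("192.168.3.0/24", "192.168.1.19/32", "DROP", iface="eth1")]
BY_POLICY = [Rule("192.168.2.0/24", "192.168.1.19/32", "ACCEPT", pol_ipsec=True),
             Rule("192.168.3.0/24", "192.168.1.19/32", "DROP", pol_ipsec=True)]
CLEAR = Packet("192.168.2.5", "192.168.1.19", "eth1", ipsec=False)
DECRYPTED = Packet("192.168.2.5", "192.168.1.19", "eth1", ipsec=True)
```

On a live host the same condition can be confirmed with `ip xfrm policy show` (is a policy installed?) and `iptables -L INPUT -v` (are the rules matching on `policy match dir in pol ipsec` rather than on an interface?).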

