[Openswan Users] Multiple left

Trevor Benson tbenson at a-1networks.com
Thu Jun 10 18:48:05 CEST 2004


Sorry to clutter it all up; I'm usually typing these in between calls and
testing.

So if I use X.509 for authentication, and I define 2 interfaces for
ipsec0 and ipsec1 in the interfaces line, then in ipsec.conf, if left is
the local openswan system and let's say right is a Windows XP client, can I
leave left blank and not specify what IP address the openswan
connection requires? Since I have 2 separate ipsec interfaces possible,
and for right I could make it 0.0.0.0/0 or I could make it a single IP?

Thanks,
Trevor Benson

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, June 10, 2004 4:23 PM
> To: Trevor Benson
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Multiple left
> 
> On Thu, 10 Jun 2004, Trevor Benson wrote:
> 
> > Can left= have more than one address? That way a single tunnel, with a
> > cert could have let's say 2 IP addresses allowed for a roadwarrior
> > tunnel? Instead of just making it dynamic and allowing all?  And or a
> > firewall with 2 interfaces, 1 for internet and 1 for wireless clients
> > could allow either local interface to be used for that tunnel?
> 
> If you want to "authenticate" (and I use the word loosely here) based on
> IP address, then you need to have one. If you do other authentication,
> based on rsakey, x.509 certs or xauth, then you don't care which is used
> at all.
> 
> So separate the IP restrictions from the ipsec authentication. If you
> only want two IPs to be able to establish ipsec tunnels, use firewall
> rules for that.
> 
> Paul
> --
> 
> <Reverend> IRC is just multiplayer notepad.
> 
> 
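Paul's advice above (authenticate with certificates, restrict source addresses in the firewall), as an added example that is not part of this thread: the Openswan keywords are the standard ones, while the certificate file name and the two peer addresses are placeholders I made up.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Shows the split Paul
# describes: ipsec.conf does X.509 authentication only, and the question
# of WHICH addresses may negotiate a tunnel is left to iptables.
# Assumptions: Openswan 2.x keyword names; gatewayCert.pem and the peer
# addresses passed to ipsec_peer_rules are placeholders.

# Emit an Openswan conn that authenticates peers by certificate only.
# right=%any means any source address may negotiate; the peer's identity
# comes from the certificate it presents, not from its IP.
ipsec_conf_fragment() {
    cat <<'EOF'
conn roadwarrior
    # gateway side: use the address of whichever interface holds the default route
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftrsasigkey=%cert
    # client side: any address, but it must present a cert signed by our CA
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    authby=rsasig
    auto=add
EOF
}

# Apply iptables rules that allow IKE (UDP 500), NAT-T (UDP 4500) and ESP
# only from the peer addresses given as arguments, dropping the rest.
# Set IPT=echo to preview the rules without root or a live firewall.
ipsec_peer_rules() {
    ipt="${IPT:-iptables}"
    for peer in "$@"; do
        "$ipt" -A INPUT -s "$peer" -p udp --dport 500  -j ACCEPT
        "$ipt" -A INPUT -s "$peer" -p udp --dport 4500 -j ACCEPT
        "$ipt" -A INPUT -s "$peer" -p esp -j ACCEPT
    done
    # everything not matched above is refused before IKE ever sees it
    "$ipt" -A INPUT -p udp --dport 500  -j DROP
    "$ipt" -A INPUT -p udp --dport 4500 -j DROP
    "$ipt" -A INPUT -p esp -j DROP
}
```

Run `IPT=echo ipsec_peer_rules 203.0.113.10 198.51.100.7` to see the rule set for two permitted clients before applying it for real.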