[Openswan Users] Tunnels come up, but not all traffic goesthrough

Herbert Xu herbert at gondor.apana.org.au
Sat Jun 12 09:02:38 CEST 2004


On Fri, Jun 11, 2004 at 11:40:27AM -0400, Michael Richardson wrote:
>     >> # permit LAN-C to connect to special server at 1.19: iptables -A
>     >> INPUT -i ipsec0 -s 192.168.2.0/24 -d 192.168.1.19/32 -j ACCEPT
>     >> iptables -A INPUT -i ipsec0 -s 192.168.3.0/24 -d 192.168.1.19/32
>     >> -j DROP
> 
>     Herbert> No you haven't.  As long as your IPsec connection is
>     Herbert> routed/up, there will be a policy in the kernel policy
>     Herbert> engine that says any traffic matching those criteria must
>     Herbert> be encrypted using IPsec.  Any traffic from 192.168.2.0/24
>     Herbert> to 192.168.1.0/24 which comes in clear from *any* interface
>     Herbert> will be dropped.
> 
>   Oh, and you still didn't accomplish the goal of restricting access to
> 192.168.1.19/32, unless you also make that part of the SPD.

Yes you have.  The netfilter system still applies.  So let me repeat
myself.  All traffic from 192.168.3.0/24 to 192.168.1.19 in the clear
will be dropped by 26sec.  All traffic from 192.168.3.0/24 to
192.168.1.19 that's encrypted properly will be dropped by the iptables
rule even if they pass the kernel policy engine.

Well it would have had you placed the rule in the right chain.  The
INPUT chain only processes traffic for the localhost.  So you should've
put it into FORWARD.

>   I still don't get why 26sec introduced yet-another-firewall into the
> kernel.

Huh? The whole idea of IPsec is to do the task of authentication and
let the netfilter system do the authorisation instead.

I apologise for being overly aggressive on this.  But I think it is
quite important that we don't give people incorrect information about
the new IPsec stack.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
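To make the two points of this message concrete (cleartext traffic matching a kernel IPsec policy is dropped before netfilter ever sees it, and a rule placed in INPUT never matches traffic that the gateway forwards), here is an added Python model of the packet path. It is not code from the thread, from Openswan or from the kernel; it only reproduces the decisions the message describes. Assumptions: the gateway's own address (192.168.1.1) and the SPD entries are constructed, the interface name `ipsec0` is taken from the quoted rules, and the chain default policy is taken to be ACCEPT.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    encrypted: bool   # True if it arrived inside an IPsec SA and was decapsulated


@dataclass
class Rule:
    chain: str                # "INPUT" or "FORWARD"
    in_iface: Optional[str]   # -i argument, None for any interface
    src: str                  # -s argument (CIDR)
    dst: str                  # -d argument (CIDR)
    target: str               # ACCEPT or DROP


# Constructed: the gateway's own address. Only traffic addressed to it
# traverses INPUT; everything else the gateway relays goes through FORWARD.
LOCAL_ADDRS = {"192.168.1.1"}

# Constructed SPD: both remote LANs must reach 192.168.1.0/24 over IPsec.
SPD = [("192.168.2.0/24", "192.168.1.0/24"),
       ("192.168.3.0/24", "192.168.1.0/24")]


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def policy_engine(pkt: Packet) -> str:
    """Model of the 2.6 kernel policy check: cleartext traffic that matches
    a 'require IPsec' policy is dropped, whatever interface it arrived on."""
    if pkt.encrypted:
        return "ACCEPT"
    for s, d in SPD:
        if in_net(pkt.src, s) and in_net(pkt.dst, d):
            return "DROP"
    return "ACCEPT"


def select_chain(pkt: Packet) -> str:
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"


def run_chain(rules: List[Rule], chain: str, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    for r in rules:
        if r.chain != chain:
            continue
        if r.in_iface is not None and r.in_iface != pkt.in_iface:
            continue
        if in_net(pkt.src, r.src) and in_net(pkt.dst, r.dst):
            return r.target
    return policy


def process(rules: List[Rule], pkt: Packet) -> str:
    """Policy engine first, then the netfilter chain the packet actually traverses."""
    if policy_engine(pkt) == "DROP":
        return "DROP by policy engine"
    chain = select_chain(pkt)
    return f"{run_chain(rules, chain, pkt)} in {chain}"


# The rules as posted in the thread (INPUT chain) ...
INPUT_RULES = [
    Rule("INPUT", "ipsec0", "192.168.2.0/24", "192.168.1.19/32", "ACCEPT"),
    Rule("INPUT", "ipsec0", "192.168.3.0/24", "192.168.1.19/32", "DROP"),
]
# ... and the same rules moved to FORWARD, as the message suggests.
FORWARD_RULES = [Rule("FORWARD", r.in_iface, r.src, r.dst, r.target) for r in INPUT_RULES]

# Constructed sample packets, all aimed at the 192.168.1.19 server.
NET3_CLEAR = Packet("192.168.3.7", "192.168.1.19", "eth0", encrypted=False)
NET3_IPSEC = Packet("192.168.3.7", "192.168.1.19", "ipsec0", encrypted=True)
NET2_IPSEC = Packet("192.168.2.7", "192.168.1.19", "ipsec0", encrypted=True)

if __name__ == "__main__":
    for name, rules in (("INPUT rules", INPUT_RULES), ("FORWARD rules", FORWARD_RULES)):
        print(name)
        for pkt in (NET3_CLEAR, NET3_IPSEC, NET2_IPSEC):
            print(f"  {pkt.src} -> {pkt.dst} enc={pkt.encrypted}: {process(rules, pkt)}")
```

Running it shows the cleartext packet from 192.168.3.0/24 dropped by the policy engine regardless of rule set, the properly encrypted packet from 192.168.3.0/24 accepted when the DROP rule sits in INPUT (the packet is forwarded, so INPUT is never consulted), and the same packet dropped once the rule is moved to FORWARD.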