[Openswan Users] Openswan+Kernel_2.6

David Clymer dclyme at hrcsb.org
Tue Sep 28 10:06:53 CEST 2004


Thus quoth Christian Tardif:
> To: Openswan Users <users at openswan.org>
> From: Christian Tardif <christian.tardif at servinfo.ca>
> Subject: Re: [Openswan Users] Openswan+Kernel_2.6
> 
> On Mon, 2004-09-27 at 22:28, Alexander Samad wrote: 
> > Yes, the ipsecX interfaces have disappeared; the packets now travel
> > out the normal interface they would go.
> > 
> > The new stack uses the same config file with some minor changes.
> 
> OK, but then how will I get the IP I should get from the other end?  I
> must misunderstand something here...   Let's say I'm on the Net, and I'm
> reaching (via IPSEC) an internal LAN whose network is 192.168.3.0/24.
> Isn't it supposed to give me, somehow, an IP address on this private
> subnet?
> 

The following iptables rules will allow you to identify VPN traffic from various VPN networks
when using the "native" IPsec stack:

# Mark ESP packets in mangle/PREROUTING. MARK is a non-terminating target, so the
# generic rule comes first and the gateway-specific rules below overwrite its mark.
# Generic VPN - Roadwarrior connections. You can't differentiate between RW clients at this point
/sbin/iptables --table mangle --append PREROUTING --protocol esp --jump MARK --set-mark 1
# branch office VPN
/sbin/iptables --table mangle --append PREROUTING --protocol esp --source 11.22.33.44 --jump MARK --set-mark 2
# another branch office VPN
/sbin/iptables --table mangle --append PREROUTING --protocol esp --source 44.11.22.33 --jump MARK --set-mark 3

# After decapsulation the inner packet keeps its mark and re-enters FORWARD on the
# same interface, so mark plus inner source address selects a per-peer chain
# (the roadwarrior1rules etc. chains must already exist, created with --new-chain).
# Roadwarrior 1
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 1 --source 192.168.0.1 --jump roadwarrior1rules
# Roadwarrior 2
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 1 --source 192.168.0.2 --jump roadwarrior2rules

# branch office 1
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 2 --source 192.168.1.0/24 --jump branchoffice1rules
# branch office 2
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 3 --source 192.168.2.0/24 --jump branchoffice2rules


It's not as nice as the ipsecX interfaces, but it does the job, as far as I can tell.

-davidc
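An added example, not from the mail above or from Openswan, that generalises the rules David posted: a POSIX sh script builds the mark and filter rules from a small peer table and, going one step beyond the mail, drops packets that arrive on the same interface with a tunnel source address but no mark (they never passed through ESP). The peer names, marks, gateway and network addresses, chain names and the APPLY/IPT/VPN_IF variables are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the mail or from Openswan): generate the mark and
# filter rules for a table of IPsec peers. All names and addresses below are
# constructed placeholders.
IPT=${IPT:-/sbin/iptables}
VPN_IF=${VPN_IF:-eth1}          # interface the ESP packets arrive on
# Peer table, one per line: name:mark:gateway:inner_network
# gateway "any" means road warriors (catch-all; not distinguishable by ESP source).
PEERS="roadwarrior:1:any:192.168.0.0/24
branch1:2:11.22.33.44:192.168.1.0/24
branch2:3:44.11.22.33:192.168.2.0/24"

# Print each command unless APPLY=1, so the ruleset can be reviewed first.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

gen_rules() {
  # Mark ESP in mangle/PREROUTING. The catch-all rule must be appended first:
  # MARK is non-terminating, so later gateway-specific rules overwrite it.
  for phase in any specific; do
    echo "$PEERS" | while IFS=: read -r name mark gw net; do
      [ -n "$name" ] || continue
      if [ "$gw" = any ]; then
        [ "$phase" = any ] || continue
        run "$IPT" -t mangle -A PREROUTING -p esp -j MARK --set-mark "$mark"
      else
        [ "$phase" = specific ] || continue
        run "$IPT" -t mangle -A PREROUTING -p esp -s "$gw" -j MARK --set-mark "$mark"
      fi
    done
  done
  # After decapsulation the inner packet keeps the mark and shows up in
  # FORWARD on the same interface; mark plus inner source selects the chain.
  echo "$PEERS" | while IFS=: read -r name mark gw net; do
    [ -n "$name" ] || continue
    run "$IPT" -t filter -N "${name}rules"
    run "$IPT" -t filter -A FORWARD -i "$VPN_IF" -m mark --mark "$mark" \
        -s "$net" -j "${name}rules"
    # Beyond the mail: a packet on this interface with a tunnel source
    # address but mark 0 never came through ESP, i.e. it is spoofed; drop it.
    run "$IPT" -t filter -A FORWARD -i "$VPN_IF" -s "$net" -m mark --mark 0 -j DROP
  done
}

# Usage: sh -c '. ./vpnmarks.sh; gen_rules' to review, APPLY=1 sh vpnmarks.sh to install.
if [ "${APPLY:-0}" = 1 ]; then gen_rules; fi
```

On later 2.6 kernels that ship the iptables policy match, `-m policy --dir in --pol ipsec` identifies decapsulated traffic directly and makes the mark step unnecessary; the mark scheme remains useful where that match is unavailable.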

