[Openswan Users] Openswan+Kernel_2.6
David Clymer
dclyme at hrcsb.org
Tue Sep 28 10:06:53 CEST 2004
Thus quoth Christian Tardif:
> To: Openswan Users <users at openswan.org>
> From: Christian Tardif <christian.tardif at servinfo.ca>
> Subject: Re: [Openswan Users] Openswan+Kernel_2.6
>
> On Mon, 2004-09-27 at 22:28, Alexander Samad wrote:
> > Yes, the ipsecX interfaces have disappeared; the packets now travel
> > out the normal interface they would go
> >
> > The new stack uses the same config file with some minor changes
>
> OK but then, how will I get the IP I should get from the other hand? I
> must misunderstand something here... Let's say I'm on the Net, and I'm
> reaching (via IPSEC) an internal LAN whose network is 192.168.3.0/24.
> Isn't it supposed to give me, somehow, an IP address on this private
> subnet?
>
The following iptables rules will allow you to identify VPN traffic from various VPN networks
when using the "native" IPSec stack:
# Generic VPN - Roadwarrior connections. You can't differentiate between RW clients at this point
/sbin/iptables --table mangle --append PREROUTING --protocol esp --jump MARK --set-mark 1
# branch office VPN
/sbin/iptables --table mangle --append PREROUTING --protocol esp --source 11.22.33.44 --jump MARK --set-mark 2
# another branch office VPN
/sbin/iptables --table mangle --append PREROUTING --protocol esp --source 44.11.22.33 --jump MARK --set-mark 3
# Roadwarrior 1
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 1 --source 192.168.0.1 --jump roadwarrior1rules
# Roadwarrior 2
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 1 --source 192.168.0.2 --jump roadwarrior2rules
# branch office 1
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 2 --source 192.168.1.0/24 --jump branchoffice1rules
# branch office 2
/sbin/iptables --table filter --append FORWARD --in-interface eth1 --match mark --mark 3 --source 192.168.2.0/24 --jump branchoffice2rules
It's not as nice as the ipsecX interfaces, but it does the job, as far as I can tell.
-davidc
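Added example, not part of David's post or of Openswan itself: a POSIX shell script that generates the same mark-based classification from a small peer table. The peer addresses, marks, chain names and the eth1 interface are taken from the post; the table layout, the function names and the IPTABLES override (set it to echo for a dry run) are this example's own assumptions. Like the post's rules, it relies on the mark set on the outer ESP packet in mangle/PREROUTING being kept on the decrypted packet when it reaches FORWARD, and on MARK being a non-terminating target so that the later, source-specific rule overrides the generic mark 1 for a known branch office. It goes one step beyond the post by creating the per-peer chains the jumps need (they must exist before the --jump rules are appended) and by dropping unmarked packets that arrive on the same interface claiming a VPN-side source, since those never passed through an SA.

```shell
#!/bin/sh
# Example script (constructed, not from the post): build mark-based IPsec
# classification rules for the native 2.6 stack from a peer table.
# Assumptions: eth1 faces the peers; IPTABLES may be set to "echo" for a
# dry run; no other mangle rule sets marks on this traffic.
IPTABLES="${IPTABLES:-/sbin/iptables}"
VPN_IF="${VPN_IF:-eth1}"

# Constructed peer table: name  mark  outer-ESP-source  inner-source
# "any" is a road-warrior whose public address is not known in advance.
peer_table() {
    cat <<'EOF'
roadwarrior1  1  any          192.168.0.1
roadwarrior2  1  any          192.168.0.2
branchoffice1 2  11.22.33.44  192.168.1.0/24
branchoffice2 3  44.11.22.33  192.168.2.0/24
EOF
}

# Mangle rules on the outer (still encrypted) ESP packet. The generic rule
# comes first; MARK does not terminate the chain, so the later --source
# rule for a known branch office replaces mark 1 with that peer's mark.
mark_rules() {
    echo "$IPTABLES --table mangle --append PREROUTING --protocol esp --jump MARK --set-mark 1"
    peer_table | while read -r name mark outer inner; do
        [ "$outer" = any ] && continue
        echo "$IPTABLES --table mangle --append PREROUTING --protocol esp --source $outer --jump MARK --set-mark $mark"
    done
}

# Filter rules: create one chain per peer, then dispatch in FORWARD on the
# mark carried over from the ESP packet plus the decrypted inner source.
forward_rules() {
    peer_table | while read -r name mark outer inner; do
        echo "$IPTABLES --table filter --new-chain ${name}rules"
        echo "$IPTABLES --table filter --append FORWARD --in-interface $VPN_IF --match mark --mark $mark --source $inner --jump ${name}rules"
    done
}

# Anti-spoofing: a packet on the peer-facing interface with a VPN-side
# source but mark 0 was never decrypted from an SA, so drop it explicitly.
guard_rules() {
    peer_table | while read -r name mark outer inner; do
        echo "$IPTABLES --table filter --append FORWARD --in-interface $VPN_IF --match mark --mark 0 --source $inner --jump DROP"
    done
}

# Run every generated command in order; stop at the first failure.
apply_rules() {
    { mark_rules; forward_rules; guard_rules; } | while read -r cmd; do
        $cmd || return 1
    done
}

# Usage: ./vpnmarks.sh show      (print the commands)
#        ./vpnmarks.sh apply     (run them; needs root)
case "${1:-}" in
    show)  mark_rules; forward_rules; guard_rules ;;
    apply) apply_rules ;;
esac
```

The order of the two mangle rules matters: if the branch-office rules were appended before the generic ESP rule, every branch packet would end up with mark 1 and be dispatched as a road warrior.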