[Openswan Users] IPSec/Netkey interaction with IPTables/Netfilter
Tuomo Soini
tis at foobar.fi
Tue Aug 16 20:51:17 CEST 2005
Nigel Metheringham wrote:
> I'm using openswan 2.3.1 on a 2.6.9-11.EL (thats a Centos 4.1/RHEL 4.1)
> kernel.
I'm running openswan-2.4.0dr8 with 2.6.9-11.EL and 2.4.21-32.0.1.EL kernels.
> Any references to articles and people that have worked through this pain
> would be helpful :-)
>
> Nigel.
My solution is to use a patched _updown script which has a hook to
dynamically change firewalling.
You can check current versions of my rpm from:
ftp://ftp.foobar.fi/pub/foobar/linux/3.2/updates/SRPMS/shorewall-2.4.2-11.foo.src.rpm
ftp://ftp.foobar.fi/pub/foobar/linux/3.2/updates/SRPMS/openswan-2.4.0-0.dr8.2.foo.src.rpm
My openswan rpm has a patch which allows attaching the remote network to a
pre-defined firewall zone (shorewall terminology), so that I can just add
to conn definitions:
leftupdown="ipsec _updown shorewall vpn"
So that when ipsec is up, the pre-defined vpn zone is used for
firewalling IPsec vpn traffic,
so that I can allow traffic from vpn to loc zone and loc to vpn zone but
drop traffic from net to loc and only allow certain traffic from loc to
net zone.
-- 
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
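The mechanism described in the reply (a leftupdown hook that opens the firewall for a tunnel's subnets when the SA comes up and closes it on down) can be done with plain iptables instead of shorewall zones. The script below is an added example written for this archive page; it is not Openswan's _updown, not Tuomo Soini's patch, and not part of his rpm. It assumes a dedicated chain named VPN_FWD that the firewall init already created and jumped to from FORWARD, and it relies on the iptables `policy` match (`-m policy --pol ipsec`), which is what keeps the rule from also admitting cleartext packets spoofed with the remote subnet as source; that match arrived in kernel 2.6.16 / xt_policy and is not in a stock 2.6.9 kernel like the one in the thread, so on NETKEY with older kernels there is no interface or match that safely distinguishes decrypted from cleartext traffic, and the rule set shown here should not be loosened to a bare source/destination match. The PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT variables are the real environment pluto passes to the updown script.

```shell
#!/bin/sh
# vpn-updown.sh: hypothetical Openswan leftupdown hook (added example, not
# Openswan's own _updown).  Pluto runs it with PLUTO_VERB, PLUTO_MY_CLIENT and
# PLUTO_PEER_CLIENT in the environment.  With NETKEY, decrypted packets re-enter
# the FORWARD chain looking like ordinary traffic between the two subnets, so we
# open exactly one subnet pair, only for packets that went through IPsec, and
# delete the rules again when the SA goes down.  Everything else (routes and so
# on) is handed to the stock script.

CHAIN="VPN_FWD"   # assumption: created once by the firewall init and jumped to from FORWARD

# Map the pluto verb to an iptables action; verbs we do not care about yield "".
updown_action() {
    case "$1" in
        up-client)   printf '%s\n' -I ;;
        down-client) printf '%s\n' -D ;;
        *)           printf '\n' ;;
    esac
}

# Print (not run) the two iptables commands for one tunnel so they can be
# inspected or tested; $1 is -I or -D, $2 the local subnet, $3 the remote subnet.
# "-m policy --dir in --pol ipsec" matches only packets the kernel actually
# decrypted; a cleartext packet from the internet forged with $3 as source
# does not match and keeps hitting the default drop.
vpn_rules() {
    action=$1; my=$2; peer=$3
    printf 'iptables %s %s -s %s -d %s -m policy --dir in --pol ipsec -j ACCEPT\n' \
        "$action" "$CHAIN" "$peer" "$my"
    printf 'iptables %s %s -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n' \
        "$action" "$CHAIN" "$my" "$peer"
}

# Decide what to do for a given verb; prints zero or two commands.
handle_verb() {
    verb=$1; my=$2; peer=$3
    action=$(updown_action "$verb")
    [ -n "$action" ] || return 0          # prepare-*, route-*, up-host ...: nothing to do
    vpn_rules "$action" "$my" "$peer"
}

# Only act when invoked by pluto (PLUTO_VERB set); sourcing the file for tests
# defines the functions without touching the firewall.
if [ -n "$PLUTO_VERB" ]; then
    handle_verb "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" | while read -r cmd; do
        if [ "${VPN_UPDOWN_DRYRUN:-0}" = 1 ]; then
            echo "$cmd"                   # dry run: show what would be executed
        else
            eval "$cmd" || echo "vpn-updown: failed: $cmd" >&2
        fi
    done
    # Keep the stock behaviour (routing, logging) for every verb.
    [ "${VPN_UPDOWN_DRYRUN:-0}" = 1 ] || exec ipsec _updown "$@"
fi
```

Install it with `leftupdown="/etc/ipsec.d/vpn-updown.sh"` in the conn, or try it first with `PLUTO_VERB=up-client PLUTO_MY_CLIENT=192.168.1.0/24 PLUTO_PEER_CLIENT=10.1.0.0/16 VPN_UPDOWN_DRYRUN=1 sh vpn-updown.sh` to see the rules it would insert. Because the rules are deleted on down-client with the same arguments, a tunnel that goes down leaves nothing open, which is the property a static "allow remote subnet" rule in FORWARD does not give you.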