[Openswan Users] IPSec/Netkey interaction with IPTables/Netfilter

Tuomo Soini tis at foobar.fi
Tue Aug 16 20:51:17 CEST 2005


Nigel Metheringham wrote:
> I'm using openswan 2.3.1 on a 2.6.9-11.EL (that's a Centos 4.1/RHEL 4.1)
> kernel.

I'm running openswan-2.4.0dr8 with 2.6.9-11.EL and 2.4.21-32.0.1.EL kernels.

> Any references to articles and people that have worked through this pain
> would be helpful :-)
> 
> 	Nigel.

My solution is to use patched _updown script which has hook to
dynamically change firewalling.

You can check current versions of my rpm from:

ftp://ftp.foobar.fi/pub/foobar/linux/3.2/updates/SRPMS/shorewall-2.4.2-11.foo.src.rpm
ftp://ftp.foobar.fi/pub/foobar/linux/3.2/updates/SRPMS/openswan-2.4.0-0.dr8.2.foo.src.rpm

My openswan rpm has patch which allows attaching remote network to
pre-defined firewall zone (shorewall terminology) so that I can just add
to conn definitions:

	leftupdown="ipsec _updown shorewall vpn"

So that when ipsec is up, the pre-defined vpn zone is used for
firewalling IPsec vpn traffic,

so that I can allow traffic from vpn to loc zone and loc to vpn zone but
drop traffic from net to loc and only allow certain traffic from loc to
net zone.

--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
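The mechanism Tuomo describes, an _updown hook that moves the peer's subnet into a Shorewall zone when the tunnel comes up and out again when it goes down, as an added example; this is not Tuomo's patch or Openswan's stock _updown. It assumes Shorewall's dynamic-zone commands (`shorewall add <iface>:<host> <zone>` / `shorewall delete ...`, which need DYNAMIC_ZONES enabled in shorewall.conf), and it relies only on the PLUTO_* variables pluto exports to every updown script (PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER_CLIENT). The script path, the `vpn` zone name and the dry-run variable are hypothetical.

```shell
#!/bin/sh
# updown-shorewall: illustrative Openswan updown hook (added example).
# Install as e.g. /etc/ipsec.d/updown-shorewall (hypothetical path) and use
#     leftupdown="/etc/ipsec.d/updown-shorewall vpn"
# in the conn. Pluto calls it with PLUTO_VERB set to up-client, down-client,
# up-host, down-host, prepare-client, route-client, unroute-client ...
# With NETKEY there is no ipsec0 device: decrypted packets arrive on the
# real interface (PLUTO_INTERFACE), so the zone is keyed on iface:subnet.

# Build the shorewall command for one pluto event.
# Args: verb zone interface peer_client ; prints nothing for verbs that
# need no firewall change (route/unroute/prepare are routing only).
updown_shorewall_cmd() {
    verb=$1; zone=$2; iface=$3; peer_client=$4
    case "$verb" in
        up-client|up-host)
            echo "shorewall add ${iface}:${peer_client} ${zone}" ;;
        down-client|down-host)
            echo "shorewall delete ${iface}:${peer_client} ${zone}" ;;
        *)
            return 0 ;;
    esac
}

# Run (or, with UPDOWN_DRYRUN set, just print) the command for the
# current pluto event. Arg: zone name.
updown_shorewall_hook() {
    cmd=$(updown_shorewall_cmd "${PLUTO_VERB:-}" "$1" \
          "${PLUTO_INTERFACE:-}" "${PLUTO_PEER_CLIENT:-}")
    [ -n "$cmd" ] || return 0
    if [ -n "${UPDOWN_DRYRUN:-}" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Only act when invoked by pluto (PLUTO_VERB present), so the file can
# also be sourced for testing. The stock script still has to run so the
# routes for the peer subnet are installed/removed (assumption: it is on
# PATH as `ipsec _updown`, as in Openswan 2.x).
if [ -n "${PLUTO_VERB:-}" ]; then
    zone=${1:-vpn}
    case "$PLUTO_VERB" in
        up-*)   ipsec _updown && updown_shorewall_hook "$zone" ;;
        down-*) updown_shorewall_hook "$zone"; ipsec _updown ;;
        *)      ipsec _updown ;;
    esac
fi
```

One caveat a reader should keep in mind: a zone defined by iface:subnet alone matches any packet that claims the peer's source address on that interface, encrypted or not. If the kernel has the iptables policy match (`-m policy --dir in --pol ipsec`), tie the zone to IPsec as well (Shorewall 2.2+ exposes this through its ipsec file); otherwise keep the peer subnets unroutable from the outside.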