[Openswan Users] different flow but one target

Andy fs at globalnetit.com
Mon Aug 29 11:22:05 CEST 2005


Another possibility - if you have additional addresses available, you
could route the traffic flows over separate address pairs. Then only the
flow matching the tunnel policy would be subject to the IPsec rules.

It should be fairly easy to select the flows using iproute2 policy
routing.


On Mon, 2005-08-29 at 15:55 +0200, david wrote:
> Yes, in fact it's a question of power, since one side of the VPN is very light.
> So I have got data needing to be encrypted and signaling data which
> must be transmitted in clear.
> 
> I'm going to test portselectors.
> 
> Do you know if it is possible to choose a range of ports for a defined protocol?
> 
> rgds
> david
> 
> 2005/8/29, Paul Wouters <paul at xelerance.com>:
> > On Mon, 29 Aug 2005, david wrote:
> > 
> > > I've got an openswan VPN between two hosts but I wonder if it is
> > > possible to make data transit between them without passing through
> > > the VPN (but this one being still up).
> > >
> > > In fact I would like to be able to send some kind of data via the VPN
> > > and some other not via the VPN
> > 
> > That is very difficult, since the VPN policies will be instructed to
> > delete all plaintext traffic if an IPsec SA is up. You might be able to
> > do it using portselectors, so try and set left and rightprotoport for
> > the ports you want encrypted. But I wouldn't be surprised if it still
> > dropped all other traffic.
> > 
> > The real question here is why would you want this. Your routers do not have
> > enough CPU? What algorithms are you using?
> > 
> > > Maybe something to change in ipsec.conf ?
> > 
> > Nope
> > 
> > Paul
> >
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
-- 
Andy <fs at globalnetit.com>
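Added example, not part of the thread and not Openswan's own code: one way to lay out Andy's suggestion (a second address on each host, with only that pair covered by the IPsec policy and iproute2 policy routing selecting the source address), with Paul's protoport variant beside it for comparison. The addresses (RFC 5737 documentation ranges), gateway, device name, routing-table number and the tcp/443 port are assumptions; the script prints the commands by default and only applies them with DRYRUN=0 as root.

```sh
#!/bin/sh
# Added example, not from the thread or from Openswan itself: split traffic
# between two hosts into one IPsec-protected flow and one cleartext flow by
# giving each host a second address and routing only that pair through the
# tunnel. All addresses (RFC 5737 documentation ranges), the gateway, the
# device name and the routing-table number are assumptions.
set -eu

# DRYRUN=1 (default) prints the commands; DRYRUN=0 applies them (needs root).
DRYRUN="${DRYRUN:-1}"
run() { echo "+ $*"; [ "$DRYRUN" = 1 ] || "$@"; }

LEFT_PLAIN=192.0.2.10      # this host's existing address: stays in clear
LEFT_VPN=192.0.2.11        # this host's second address: goes through IPsec
RIGHT_PLAIN=198.51.100.20  # peer's existing address: stays in clear
RIGHT_VPN=198.51.100.21    # peer's second address: goes through IPsec
GW=192.0.2.1
DEV=eth0
TABLE=100

# Openswan conn covering only the second address pair. Traffic between
# LEFT_PLAIN and RIGHT_PLAIN matches no IPsec policy, so it is neither
# encrypted nor dropped. A PSK for LEFT_VPN/RIGHT_VPN must be in ipsec.secrets.
ipsec_conn() {
cat <<EOF
conn vpn-only
    left=$LEFT_VPN
    right=$RIGHT_VPN
    authby=secret
    auto=start
EOF
}

# The alternative Paul mentions, for comparison: keep one address pair and
# restrict the conn to a single protocol/port. leftprotoport takes exactly one
# protocol/port (tcp/443 is an assumed port), so each further port needs its
# own conn definition.
ipsec_conn_protoport() {
cat <<EOF
conn vpn-https-only
    left=$LEFT_PLAIN
    right=$RIGHT_PLAIN
    leftprotoport=tcp/443
    rightprotoport=tcp/443
    authby=secret
    auto=start
EOF
}

# iproute2 policy routing: bring up the second address (same /24 as
# LEFT_PLAIN, so the existing connected route reaches the gateway) and send
# anything addressed to the peer's VPN address out with our VPN address as
# source, so the flow matches the IPsec policy. Everything else is routed from
# the main table with LEFT_PLAIN as source and travels in clear.
setup_routing() {
    run ip addr add "$LEFT_VPN/24" dev "$DEV"
    run ip rule add to "$RIGHT_VPN/32" lookup "$TABLE"
    run ip route add "$RIGHT_VPN/32" via "$GW" dev "$DEV" src "$LEFT_VPN" table "$TABLE"
}

# Checks after applying: the route lookup must pick the VPN source address for
# the peer's VPN address and the plain one otherwise; on the NETKEY/native
# stack the installed xfrm policies should mention only the VPN pair.
verify() {
    run ip route get "$RIGHT_VPN"        # expect "... src $LEFT_VPN"
    run ip route get "$RIGHT_PLAIN"      # expect "... src $LEFT_PLAIN"
    run ip xfrm policy list
}

ipsec_conn
ipsec_conn_protoport
setup_routing
verify
```

Run it on the left host, and again on the right host with the LEFT_*/RIGHT_* values swapped; append the output of ipsec_conn to ipsec.conf (or a file it includes) on both sides. Applications that must be protected then address the peer's VPN address, and the signaling that must stay in clear keeps using the existing addresses; the IPsec SA stays up throughout, since nothing in the cleartext pair touches its selectors.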