[Openswan Users] How to accept only VPN traffic

Rolf Offermanns roffermanns at sysgo.com
Mon Jan 3 09:28:14 CET 2005

Axel Mueller wrote:
> I'm using OpenSwan to encrypt WLAN traffic. Using FreeSwan on a 2.4 
> linux machine I used to accept DHCP traffic on the WLAN interface but 
> blocked everything else. WLAN traffic besides DHCP was only accepted on 
> the ipsec0 interface.
> Using OpenSwan on 2.6 kernel now (without klips) there is no ipsec0 
> interface anymore. Not a big problem I thought: Open port 500 on WLAN 
> interface, accept all traffic using protocol 50 and 51 and block 
> everything else. However, even though ipsec is up and running, traffic 
> from VPN client to VPN gateway still goes directly to destination port 
> (e.g. DNS to 53, HTTP to 80, etc.).

Hi Axel!
There was an article in the German "Linux Magazin" (12/04 I think) that described the changes in FW
configuration for ipsec 2.4 and 2.6.

IIRC the flow of the packets has changed completely. In 2.6 (native IPSEC) the packets
traverse the incoming interface (WLAN in your case) two times. First encrypted and then
again decrypted. The solution for only allowing the decrypted packets to the normal ports (53,80,etc.)
was to first mark the encrypted packets (iptables MARK target) and then in the second run check the
decrypted packets for these marks.


Rolf Offermanns <roffermanns at sysgo.com>
SYSGO AG     Tel.: +49-6136-9948-0
Am Pfaffenstein 14   Fax: +49-6136-9948-10
55270 Klein-Winternhein  http://www.sysgo.com
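The following is an added example, not part of the original thread and not Openswan's or SYSGO's own configuration. It turns the approach Rolf describes (mark ESP/AH packets arriving on the WLAN interface in the first pass, then accept only marked, i.e. decrypted, packets on the normal ports in the second pass) into a concrete iptables rule set. The interface name `wlan0`, the mark value `1`, and the assumption that the gateway itself serves DHCP (udp/67), DNS (53) and HTTP (80) are my assumptions, not something stated in the post; port 500 (IKE) and protocols 50/51 (ESP/AH) come from Axel's question.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rules implementing
# "mark the encrypted packets, then match the mark on the decrypted pass" for
# native 2.6 IPsec, where there is no ipsec0 interface to filter on.
# Assumed values (not from the post): WLAN interface "wlan0", mark 1, and the
# gateway itself answering DHCP (udp/67), DNS (udp+tcp/53) and HTTP (tcp/80).

WLAN="${WLAN:-wlan0}"
IPSEC_MARK="${IPSEC_MARK:-1}"

# Print the rule set, one iptables command per line. Printing rather than
# executing lets the rules be reviewed (or tested) without root privileges.
ipsec_rules() {
    wlan="$1"; mark="$2"
    cat <<EOF
iptables -t mangle -A PREROUTING -i $wlan -p esp -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -i $wlan -p ah -j MARK --set-mark $mark
iptables -A INPUT -i $wlan -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $wlan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wlan -p esp -j ACCEPT
iptables -A INPUT -i $wlan -p ah -j ACCEPT
iptables -A INPUT -i $wlan -m mark --mark $mark -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $wlan -m mark --mark $mark -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $wlan -m mark --mark $mark -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $wlan -j DROP
iptables -A FORWARD -i $wlan -m mark --mark $mark -j ACCEPT
iptables -A FORWARD -i $wlan -j DROP
EOF
}

# Sanity check: how many rules gate on the IPsec mark. Every rule that admits
# "normal" service traffic from the WLAN must carry the mark match; an
# unmarked (cleartext) DNS or HTTP packet falls through to the DROP rules.
count_mark_rules() {
    ipsec_rules "$1" "$2" | grep -c -- "-m mark --mark $2"
}

# Order matters: the mangle PREROUTING rules must run before the filter
# table sees the packet, and the plain DROP must come after the marked
# ACCEPTs. Run with APPLY=1 (as root) to load the rules, otherwise print them.
if [ "${APPLY:-0}" = "1" ]; then
    ipsec_rules "$WLAN" "$IPSEC_MARK" | sh -e
else
    ipsec_rules "$WLAN" "$IPSEC_MARK"
fi
```

This relies on the mark set on the ESP/AH packet still being present when the decapsulated packet traverses the chains a second time, which is the behaviour the post describes. Later iptables versions also provide the `policy` match (`-m policy --dir in --pol ipsec`), which matches packets that were just decapsulated without needing a mark at all; where that match is available it is the simpler way to express the same rule.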
