[Openswan Users] Multiple aliases per IF, bind to one

Gary W. Smith gary at primeexalia.com
Thu Jun 9 12:56:37 CEST 2005


Maciej,
 
This particular machine has 100+ aliases on eth0. I do indeed have config setup with interface ipsec0=eth0 in place as well as the particular IP in the individual configs. But when I do a netstat I see that ipsec is listening on all interfaces on all IPs.
 
udp        0      0 198.22.33.36:4500       0.0.0.0:*
udp        0      0 198.22.33.37:4500       0.0.0.0:*
udp        0      0 198.22.33.38:4500       0.0.0.0:*
... <skip another 90 entries>
udp        0      0 198.22.33.122:4500      0.0.0.0:*

The problem is that these additional aliases are NAT'd internal to a DMZ. We noticed a problem with this because we have a service running on port 4500 on one of the internal machines and IPSEC caused some problems with this. We've overcome those problems but basically we only want IPSEC to listen on those IPs that we want.
 
Does this make sense? Is it possible to limit it in this way with OpenSwan? I think this is also good practice to limit to what you want from both a security and resource standpoint.
 
Gary Smith

________________________________

From: Maciej Bogucki [mailto:maciej.bogucki at artegence.com]
Sent: Thu 6/9/2005 12:53 AM
To: Gary W. Smith
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Multiple aliases per IF, bind to one



> One of my firewalls has multiple interface aliases (numbering more than 10)
> and when I do a netstat I can see that OpenSwan is bound to all of them.
> How can I force it to bind to a particular IP address?  I've looked around
> the Wiki but didn't find the answer.

Here you have an example of how you can do this:

config setup
    # attach the ipsec0 virtual interface to eth1 only
    interfaces="ipsec0=eth1"
conn test_conn
    # the local address this connection uses
    left=Your_IP_here

Best Regards
Maciej Bogucki

--
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9F74A406
Key fingerprint = 6E44 9A4A 8743 9936 1E92  A0B4 F2A8 87F7 9F74 A406
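An added check for the question in this thread (example code, not from the thread or from Openswan): a small POSIX shell script that parses `netstat -uln` output and reports every UDP 500/4500 listener whose address is not on the list of addresses you intend to terminate IPsec on. Pluto binds UDP 500 (IKE) alongside 4500 (NAT-T), so both ports are covered. The netstat lines embedded in the script are constructed to resemble the output quoted above; the allow-list address 198.22.33.36 is an arbitrary choice for the demonstration.

```shell
#!/bin/sh
# Report IKE (UDP 500) and NAT-T (UDP 4500) listeners that are bound on
# addresses you did not intend to use for IPsec. Added example, not Openswan
# code. On the firewall itself feed it the real output of `netstat -uln`
# (or `ss -uln`); here the input is a constructed sample.

# Constructed sample in `netstat -uln` layout: pluto bound on several
# aliases plus an unrelated UDP service on port 53.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 198.22.33.36:500        0.0.0.0:*
udp        0      0 198.22.33.36:4500       0.0.0.0:*
udp        0      0 198.22.33.37:500        0.0.0.0:*
udp        0      0 198.22.33.37:4500       0.0.0.0:*
udp        0      0 198.22.33.38:4500       0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# ike_listeners <netstat output>
# Print "addr port" for every udp/udp6 socket on port 500 or 4500.
ike_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp/ {
            n = split($4, a, ":")          # Local Address is field 4: addr:port
            port = a[n]
            if (port == "500" || port == "4500") {
                # strip ":port" from the end; works for IPv6 "[::]:4500" too
                addr = substr($4, 1, length($4) - length(port) - 1)
                print addr, port
            }
        }'
}

# unexpected_listeners <netstat output> <allowed addr>...
# Print the "addr port" pairs whose address is not in the allow list.
unexpected_listeners() {
    input=$1
    shift
    allowed=" $* "
    ike_listeners "$input" | while read -r addr port; do
        case "$allowed" in
            *" $addr "*) ;;                        # intended IPsec endpoint
            *) printf '%s %s\n' "$addr" "$port" ;; # bound where it should not be
        esac
    done
}

# count_unexpected <netstat output> <allowed addr>...
# Number of unexpected listeners; 0 means pluto is bound only where intended.
count_unexpected() {
    unexpected_listeners "$@" | wc -l | tr -d ' '
}

# Stand-alone use: only 198.22.33.36 is meant to terminate IPsec, so the
# .37 and .38 listeners are reported.
unexpected_listeners "$SAMPLE_NETSTAT" 198.22.33.36
```

To check a live box, run `ike_listeners "$(netstat -uln)"` or `count_unexpected "$(netstat -uln)" <your VPN addresses>` after changing ipsec.conf and restarting; re-run it after every `ipsec setup restart` so a reverted `interfaces=` line does not quietly put pluto back on every alias.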


