[Openswan Users] L2TP/IPSEC & DSL ppp interface assignment

Lewis Shobbrook lshobbrook at fasttrack.net.au
Mon Mar 14 13:36:27 CET 2005


Thanks for the reply, Paul
> 
> > connection that traditionally occupies the ppp0 device and is
> > firewalled in reference to this drops out. In the meantime, while the
> > connection is down, we get an L2TP/IPSEC VPN connection coming in which
> > then occupies the ppp0; when the DSL service comes back online it
> > takes the next available ppp interface such as ppp1. The firewall is
> > configured differently for this connection and this can cause service
> > and security issues. Is there any way to assign or reserve the ppp
> > interface to prevent this from happening?
> 
> I believe you can use 'ppp+' in iptables to denote 'any ppp device'.

The issue is being able to apply differentiated rules.
One being a DSL connection, which requires heavy restrictions, while the
L2TP requires mostly open rules.
If the rules are applied universally against the generic ppp device,
with differentiation based on source IP range and ! (not) from source
IP range, then with reverse path filtering off, you'd be increasing your
security risks. It does solve one problem though.
Cheers,

Lewis
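To make the trade-off in this exchange concrete, here is an added simulation (not code from the thread or from Openswan) of the two firewall designs discussed: rules keyed on the ppp interface name versus 'ppp+' rules keyed on source range. The VPN pool 10.99.0.0/24, the interface names and the routing table are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: remote L2TP/IPsec clients get addresses from
# VPN_POOL; everything else is treated as the Internet side of the DSL link.
VPN_POOL = ip_network("10.99.0.0/24")
# Constructed routing table used to emulate reverse-path filtering:
# default route via the DSL link, the VPN pool via the L2TP link.
ROUTES = {ip_network("0.0.0.0/0"): "ppp0", VPN_POOL: "ppp1"}

@dataclass
class Packet:
    iface: str   # ppp unit the packet arrived on, e.g. "ppp0"
    src: str     # source address as the firewall sees it

def reverse_path(src, routes):
    """Longest-prefix match: which interface would we use to reach src?"""
    best = max((n for n in routes if src in n), key=lambda n: n.prefixlen)
    return routes[best]

def policy_by_interface(pkt, dsl_iface="ppp0", vpn_iface="ppp1"):
    """Interface-keyed rules (-i ppp0 / -i ppp1). Ignores the source address,
    but is only right while the DSL/VPN to ppp-unit mapping stays stable,
    which is exactly what breaks in the situation Lewis describes."""
    if pkt.iface == dsl_iface:
        return "restricted"
    if pkt.iface == vpn_iface:
        return "open"
    return "drop"

def policy_by_source(pkt, rp_filter):
    """'ppp+' rules keyed on source range: open for VPN_POOL, restricted for
    anything else. With rp_filter off, a packet on any ppp unit that merely
    claims a VPN_POOL source is handled by the open ruleset."""
    src = ip_address(pkt.src)
    if rp_filter and reverse_path(src, ROUTES) != pkt.iface:
        return "drop"  # route back to src does not leave via the ingress interface
    return "open" if src in VPN_POOL else "restricted"

def compare(pkt):
    """Outcome of each design for one packet, for side-by-side inspection."""
    return {
        "by_interface": policy_by_interface(pkt),
        "by_source_rp_off": policy_by_source(pkt, rp_filter=False),
        "by_source_rp_on": policy_by_source(pkt, rp_filter=True),
    }
```

Run `compare(Packet("ppp0", "10.99.0.5"))` to see the case Lewis is worried about: a packet arriving on the DSL unit with a VPN-pool source is "open" under source-keyed rules with rp_filter off, but "drop" with rp_filter on and "restricted" under interface-keyed rules.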

