[Openswan Users] L2TP/IPSEC & DSL ppp interface assignment

Lewis Shobbrook lshobbrook at fasttrack.net.au
Wed Mar 16 13:26:59 CET 2005


Hi Trevor,
Thanks for the reply.
> > > > connection that traditionally occupies the ppp0 device and is
> > > > firewalled in reference to this drops out.  In the meantime, while the
> > > > connection is down, we get an L2TP/IPSEC VPN connection coming in which
> > > > then occupies the ppp0; when the DSL service comes back online it
> > > > takes the next available ppp interface such as ppp1. The firewall is
> > > > configured differently for this connection and this can cause service
> > > > and security issues. Is there any way to assign or reserve the ppp
> > > > interface to prevent this from happening?
> > >
> > > I believe you can use 'ppp+' in iptables to denote 'any ppp
> > > device'.
> >
> > The issue is being able to apply differentiated rules.
> > One being a DSL connection which requires heavy restrictions while the
> > l2tp require mostly open rules. If the rules are applied universally
> > against the generic ppp device, with differentiation based on source
> > IP range and ! (not) from source IP range, then with reverse path
> > filtering off, you'd be increasing your security risks.  It does solve
> > one problem though. Cheers,
> >
> > Lewis
> 
> The ip-up script is called - after ppp has established a connection - with
> the Local-IP, Remote-IP, the Interface-Name etc. On a RedHat box these
> parameters are passed to ip-up.local. You could use that to determine what
> firewall rules should be set. If after the link comes up you modify or
> replace a restrictive set of rules that might help you.

The problem here would be that I'd require connection specific rules
added.  
As it currently stands I've not been able to get ppp to apply any
connection specific scripts on Debian unstable, even though the
documentation states it can. 
This will be a nice solution once the connection specific issue has been
rectified.
Cheers,

Lewis
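As an added illustration of the ip-up approach Trevor describes (this is constructed example code, not a script from the thread or from pppd/Openswan): the hook classifies each link by the peer address pppd passes in, not by the ppp unit number, and pairs -i with -s so a spoofed source on the DSL link cannot match the permissive VPN rules. The L2TP client pool 10.8.0.0/24 is an assumption.

```shell
#!/bin/sh
# Constructed example of an /etc/ppp/ip-up.local hook (not from the thread).
# pppd runs it as: ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumption (constructed): L2TP clients get addresses from 10.8.0.0/24.
L2TP_POOL="10.8.0.0/24"
IPTABLES="${IPTABLES:-iptables}"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP NET/LEN -> true if IP lies inside NET/LEN
in_subnet() {
    net="${2%/*}"; len="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# classify_link REMOTE_IP -> prints "l2tp" or "dsl" (address, not unit number)
classify_link() {
    if in_subnet "$1" "$L2TP_POOL"; then echo l2tp; else echo dsl; fi
}

# rules_for_link IFNAME CLASS -> prints the iptables commands for that link.
# Matching on both -i and -s keeps a spoofed 10.8.0.x source arriving on the
# DSL link away from the VPN rules (the rp_filter concern in the thread).
rules_for_link() {
    ifn="$1"
    case "$2" in
        l2tp)
            echo "$IPTABLES -A INPUT -i $ifn -s $L2TP_POOL -j ACCEPT"
            echo "$IPTABLES -A FORWARD -i $ifn -s $L2TP_POOL -j ACCEPT" ;;
        dsl)
            echo "$IPTABLES -A INPUT -i $ifn -m state --state ESTABLISHED,RELATED -j ACCEPT"
            echo "$IPTABLES -A INPUT -i $ifn -j DROP"
            echo "$IPTABLES -A FORWARD -i $ifn -m state --state ESTABLISHED,RELATED -j ACCEPT"
            echo "$IPTABLES -A FORWARD -i $ifn -j DROP" ;;
    esac
}

# Only apply rules when pppd invokes the hook with its argument list.
if [ $# -ge 5 ]; then
    rules_for_link "$1" "$(classify_link "$5")" | sh
fi
```

Running it with IPTABLES=echo prints the rules instead of applying them, which is a convenient way to check what each link class would get.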

