Re: [Openswan Users] openswan and firewall problems
Steffen Andreas (sna)
sna at zhwin.ch
Thu May 26 18:16:57 CEST 2005
You'll find an example on how to use ESP marks under the link
http://www.strongswan.org/uml/testresults/net2net-cert/
Have a look at the iptables rules listed in the console.log.
The latest strongswan-2.4.2 release comes with an
_updown_espmark template
which can be used in *swan as an updown script that automatically
inserts a firewall rule that opens the firewall for tunnelled
traffic but checks for the presence of the ESP mark in the
decapsulated IP packets.
Regards
Andreas
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Massimo Mazzoldi
Sent: Thursday, 26 May 2005 10:50
To: users at openswan.org
Subject: [Openswan Users] openswan and firewall problems
Hi, all...
I've been working for a long time with freeswan ...
to handle security for bridge wireless connections.
Having two security gateways on both sides of the bridge was the best solution
to decide which connections were to be accepted or dropped.
That is, if traffic comes from the tunnel it is forwarded ... otherwise blocked. ;-)
On kernel 2.4 and klips... this was easy because I had ethX and ipsecX interfaces.
On 2.6?
I tried to use openswan 2.3.0...with klips... but I'm having a little stability
problem...
according to users, it seems that the tunnel goes down once every two weeks...
What solution can you suggest to me?
Will upgrading to 2.3.1 solve my problem...
or is it better to switch to netkey ipsec?
If I switch I need to change the firewall rules ... no longer having an ipsec
interface...
I read about using MARK on iptables to separate encrypted allowed traffic from not
allowed traffic in FORWARD rules...
...any example on how to do this?
...even a link to some documentation is welcome!!! :-)
Thanks a lot to everybody
Massimo
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _updown_espmark.in
Type: application/octet-stream
Size: 13892 bytes
Desc: _updown_espmark.in
Url : http://lists.openswan.org/pipermail/users/attachments/20050526/c6065aba/_updown_espmark-0001.obj
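The scrubbed attachment above is not reproduced on this page, so here is an added illustration of the rule pattern Andreas describes: mark incoming ESP packets, then let the FORWARD chain accept traffic between the tunnel's subnets only when the decapsulated packet still carries that mark. This is example code written for this page, not strongSwan's _updown_espmark script and not part of Openswan. It assumes the PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT variables that pluto exports to an updown script, and it assumes a kernel with the ESP-mark support Andreas refers to (the mark set on the ESP packet is preserved on the decapsulated packet); the mark value 50 is a constructed choice.

```shell
#!/bin/sh
# Added example (not strongSwan's _updown_espmark, not Openswan code).
# Generates the iptables rules for an updown "up-client"/"down-client"
# event. Assumptions: pluto passes PLUTO_VERB, PLUTO_INTERFACE,
# PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT (CIDR subnets); the kernel keeps
# the mark set on the ESP packet on the decapsulated inner packet.

ESPMARK=${ESPMARK:-50}          # constructed mark value
IPT=${IPT:-iptables}

# espmark_rules VERB IFACE MY_CLIENT PEER_CLIENT
# Prints one iptables command per line so the rules can be reviewed
# (or piped to sh). Verbs other than up-client/down-client need no
# firewall change and produce no output.
espmark_rules() {
    verb=$1 iface=$2 my=$3 peer=$4
    case "$verb" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *) return 0 ;;
    esac
    # 1. Mark every ESP packet arriving on the outer interface. Without
    #    ESP-mark kernel support the mark is lost at decapsulation and
    #    rule 2 matches nothing: the tunnel fails closed, not open.
    echo "$IPT -t mangle $op PREROUTING -i $iface -p esp -j MARK --set-mark $ESPMARK"
    # 2. Forward peer->local traffic only if it carries the mark, i.e. it
    #    really came out of the tunnel. A cleartext packet arriving on
    #    $iface with a spoofed $peer source never gets the mark and falls
    #    through to the chain's DROP policy.
    echo "$IPT $op FORWARD -i $iface -s $peer -d $my -m mark --mark $ESPMARK -j ACCEPT"
    # 3. Local->peer traffic is about to be encrypted on the way out;
    #    matching it on the subnet pair is sufficient.
    echo "$IPT $op FORWARD -o $iface -s $my -d $peer -j ACCEPT"
}

# When invoked by pluto, apply the rules (DRY_RUN=1 only prints them).
if [ -n "$PLUTO_VERB" ]; then
    espmark_rules "$PLUTO_VERB" "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" |
        if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh -e; fi
fi
```

The FORWARD chain's default policy must be DROP for rule 2 to have any effect; the mark check is what distinguishes "came out of the tunnel" from "arrived in the clear with the same addresses", which is exactly the distinction the ipsecX interface used to give on a 2.4 KLIPS box.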