[Openswan Users] Windows vpn clients

Jacco de Leeuw jacco2 at dds.nl
Wed Sep 7 20:20:07 CEST 2005


John A. Sullivan III wrote:

> We found that L2TP makes securing the data in the tunnel very difficult.
> By default, when a RoadWarrior connects to an ISCS system, we
> dynamically change the firewall rules based upon their X.509 DN.  Thus,
> we can implement very granular access controls on RoadWarriors based
> upon their departments, for example.
> 
> When L2TP is involved, we lose that control.  The packets are passed to
> the PPP server, are assigned a virtual IP address and from there,
> everyone looks the same.  We have not seen an easy way to preserve the
> granular security we achieve by bypassing L2TP.

What if you assign *static* virtual IP addresses to users? Then every
user has his own internal IP address (assuming there is no shortage of
those). Plus, the firewall rules can be static. They do not have to be
changed dynamically.

Alternatively, you could use /etc/ppp/auth-up (man pppd) to dynamically
change the firewall rules for a particular user on interface pppXXX.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
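As an added illustration of the auth-up approach described in the reply (not code from the thread or from Openswan), here is a hypothetical /etc/ppp/auth-up script that installs per-user rules on the ppp interface pppd hands it; the user/department tables and the rw_ chain naming are assumptions:

```shell
#!/bin/sh
# Hypothetical /etc/ppp/auth-up. pppd runs this script after the peer has
# authenticated, passing: interface-name peer-name user-name tty-device speed
# (see pppd(8)). The firewall policy is keyed on the authenticated user name,
# not on the dynamically assigned virtual IP, which is the control sought above.

# Constructed user -> department table; a real deployment would consult
# the same directory that authenticates the users.
dept_for_user() {
    case "$1" in
        alice|bob) echo engineering ;;
        carol)     echo finance ;;
        *)         echo unknown ;;
    esac
}

# Constructed department -> permitted destination networks (assumption).
nets_for_dept() {
    case "$1" in
        engineering) echo "10.1.0.0/16" ;;
        finance)     echo "10.2.0.0/24 10.2.1.0/24" ;;
        *)           echo "" ;;   # unknown departments get no access
    esac
}

# Print the iptables commands for one tunnel, one per line. A per-interface
# chain keeps teardown simple: ppp unit numbers are reused, so stale rules
# from a previous user on ppp0 must not survive into the next session.
rules_for() {
    ifname=$1; user=$2
    echo "iptables -N rw_$ifname"
    echo "iptables -A FORWARD -i $ifname -j rw_$ifname"
    for n in $(nets_for_dept "$(dept_for_user "$user")"); do
        echo "iptables -A rw_$ifname -d $n -j ACCEPT"
    done
    echo "iptables -A rw_$ifname -j DROP"   # default deny for this user
}

# Matching commands for /etc/ppp/auth-down (same argument list from pppd).
teardown_for() {
    echo "iptables -D FORWARD -i $1 -j rw_$1"
    echo "iptables -F rw_$1"
    echo "iptables -X rw_$1"
}

# Only act when pppd invoked us with its argument list.
if [ "$#" -ge 3 ]; then
    rules_for "$1" "$3" | while read -r cmd; do
        logger -t auth-up "$1 user=$3 peer=$2: $cmd"
        $cmd
    done
fi
```

The user name in $3 is the PPP (PAP/CHAP) identity, so this only gives per-user control when the L2TP clients authenticate at the PPP layer rather than relying on the IPsec identity alone; pair it with an /etc/ppp/auth-down that runs the teardown_for commands.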