[Openswan Users]
How to do packet filtering without ipsec interfaces?
Andreas Stallmann
stallmann at dawin.de
Fri Feb 3 15:04:52 CET 2006
Hello out there,
I have a question which was probably asked a million times in
many different ways before, but for some reason I'm blinded and do
not find an answer to it, or perhaps I'm just looking in the wrong places.
I already had a look into the wiki - but my problem does not seem to be
covered.
In the good old times of super-freeswan and kernel 2.4 I was a happy
user of ipsec interfaces. These allowed me to define rules like these:
Any -> firewall (ipsec related protocols) : Allow
Any (traffic coming from the ipsec-interfaces) -> internal net (http,
https, ftp): Allow
This, filtering traffic based on the fact that it came from the ipsec
interface and thus was "authenticated" somehow, is something I miss in
the current Openswan implementation.
I can't use IP addresses for the filtering, because my clients are
roadwarriors with ever changing IPs.
Yes, I know, I could compile the ipsec module. But this is only a
theoretical solution, 'cause it won't compile against any of the 2.6
kernels I have tested. Using a 2.4 kernel would be a measure of last
resort, if everything else fails.
So - any further ideas on how I can solve my problem? Here's the question:
How can I ensure that only traffic which was first authenticated
via IPsec can use *specific* services in my local net?
Thanks a lot,
Andreas
--
dawin GmbH - Andreas Stallmann - Consultant
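An added example, not part of the original post or of Openswan itself: on a 2.6 kernel with the native IPsec stack there is no ipsec0 device, but a packet that was decrypted by the kernel traverses the netfilter hooks a second time carrying its IPsec policy state, and the `policy` match (`-m policy --dir in --pol ipsec`) tests exactly that. The ruleset below expresses the two rules from the post in that form: IKE and ESP/AH to the gateway, and only decrypted tunnel traffic to the listed LAN services. The interface name `eth0`, the net `192.168.1.0/24` and the `WAN_IF`/`LAN_NET`/`LAN_PORTS` variables are assumptions chosen for the example; the ports follow the http, https, ftp list in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset that admits only IPsec-decrypted traffic to selected LAN services,
# using the kernel's xt_policy match instead of an ipsec0 interface.
# Assumed (hypothetical) values: eth0 is the outside interface and
# 192.168.1.0/24 is the internal net; both can be overridden via environment.

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Services the roadwarriors may reach (ftp control channel, http, https).
LAN_PORTS="${LAN_PORTS:-21,80,443}"

# Print the complete filter table in iptables-restore syntax.
ipsec_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE, NAT-T and the ESP/AH payload are addressed to the gateway itself.
-A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
-A INPUT -i $WAN_IF -p ah -j ACCEPT
# Replies from the LAN back into the tunnel.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# After decryption the inner packet passes FORWARD again; only that copy
# matches an inbound IPsec policy, so only it may reach the LAN services.
-A FORWARD -m policy --dir in --pol ipsec --mode tunnel -d $LAN_NET -p tcp -m multiport --dports $LAN_PORTS -j ACCEPT
# Cleartext from outside aimed at the LAN: log it so attempts are visible,
# then let the chain's DROP policy discard it.
-A FORWARD -i $WAN_IF -m policy --dir in --pol none -d $LAN_NET -j LOG --log-prefix "cleartext-to-lan: "
COMMIT
EOF
}

# Load the ruleset only when explicitly asked for:  sh thisscript.sh apply
if [ "$1" = "apply" ]; then
    ipsec_ruleset | iptables-restore
fi
```

Running the script without arguments only prints the ruleset for review; `apply` feeds it to `iptables-restore`. Two caveats a practitioner would check first: the kernel must have the `xt_policy` match built (`iptables -m policy -h` lists its options if it is), and port 21 alone covers only the FTP control connection, so passive data connections additionally need the FTP connection-tracking helper loaded so that they match `RELATED`.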