[Openswan Users] How to do packet filtering without ipsec interfaces?

Andreas Stallmann stallmann at dawin.de
Fri Feb 3 15:04:52 CET 2006


Hello out there,

I have a question which was probably asked a million times in 
many different ways before, but for some reason I'm blinded and do 
not find an answer to it, or perhaps I'm just looking in the wrong places.

I already had a look into the wiki - but my problem does not seem to be 
covered.

In the good old times of super-freeswan and kernel 2.4 I was a happy 
user of ipsec interfaces. These allowed me to define rules like that:

Any -> firewall (ipsec related protocols) : Allow
Any (traffic coming from the ipsec-interfaces) -> internal net (http, 
https, ftp): Allow

This, filtering traffic based on the fact that it came from the ipsec 
interface and thus was "authenticated" somehow, is something I miss in 
the current OpenSWAN implementation.

I can't use IP addresses for the filtering, because my clients are 
roadwarriors with ever changing IPs.

Yes, I know, I could compile the ipsec module. But this is only a 
theoretical solution, 'cause it won't compile against any of the 2.6 
kernels I have tested. Using a 2.4 kernel would be a measure of last 
reason, if everything else fails.

So - any further ideas how I can solve my problem? Here's the question:

How can I assure that only traffic which was first authenticated 
via IPSEC can use *specific* services in my local net?

Thanks a lot,

Andreas
-- 
dawin GmbH - Andreas Stallmann - Consultant
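The filtering the post describes (allow IKE/ESP to the firewall, then allow only decrypted traffic to a few internal services) can be expressed without an ipsec0 device by using the netfilter `policy` match, which matches packets that were decapsulated by an IPsec SA, or with `--pol none` packets that were not. The script below is an added example, not code from the original post or from the Openswan project; the interface name `eth0`, the internal net `192.168.1.0/24`, the service ports and the `EXT_IF`/`INTERNAL_NET`/`IPTABLES` variables are all assumptions. It assumes a 2.6 kernel whose netfilter build includes the policy match (xt_policy). By default it only prints the rules it would apply; set `IPTABLES=iptables` to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): packet filtering for the
# 2.6 in-kernel IPsec stack, where decrypted packets re-enter the netfilter
# chains on the real interface (no ipsec0) but can be recognised with
# "-m policy --dir in --pol ipsec".
#
# Assumptions (hypothetical values, adjust for your site):
#   EXT_IF        external interface the roadwarriors connect to
#   INTERNAL_NET  the protected LAN behind the firewall
#   IPTABLES      command used to emit rules; "echo iptables" = dry run
EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-echo iptables}"

# Services that authenticated (IPsec) clients may reach on the internal net.
# 80/443 for http/https and 21 for ftp control, as in the post's old rules.
VPN_SERVICE_PORTS="${VPN_SERVICE_PORTS:-80 443 21}"

# Rule set 1: "Any -> firewall (ipsec related protocols): Allow".
# IKE (udp/500), NAT-Traversal (udp/4500) and ESP itself must reach the
# firewall so that tunnels can be negotiated and encrypted packets accepted.
ike_rules() {
    $IPTABLES -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
}

# Rule set 2: "Any (traffic that arrived through IPsec) -> internal net
# (http, https, ftp): Allow".  After decryption the inner packet traverses
# FORWARD with the roadwarrior's (changing) inner address as source; the
# policy match is what ties it to a successfully authenticated SA, so no
# source-IP filtering is needed.
vpn_forward_rules() {
    for port in $VPN_SERVICE_PORTS; do
        $IPTABLES -A FORWARD -i "$EXT_IF" \
            -m policy --dir in --pol ipsec --proto esp \
            -d "$INTERNAL_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # Replies from the internal net back to the VPN clients.
    $IPTABLES -A FORWARD -o "$EXT_IF" -s "$INTERNAL_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything from the outside that did NOT arrive inside an SA is
    # cleartext and is dropped before it can reach the internal net.
    $IPTABLES -A FORWARD -i "$EXT_IF" -m policy --dir in --pol none \
        -d "$INTERNAL_NET" -j DROP
}

# Emit the complete rule set (order matters: accept rules before the drop).
apply_all() {
    ike_rules
    vpn_forward_rules
}

# Dry run by default; prints the iptables commands that would be executed.
apply_all
```

The `--pol none` drop at the end is the part that replaces the old "came from ipsec0" check: with KLIPS, plaintext from the Internet could never appear on ipsec0, so the distinction was implicit in the interface; with the native stack it has to be stated explicitly, otherwise a cleartext packet addressed to the internal net would be evaluated by the same FORWARD chain as a decrypted one.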
