[Openswan Users] ipsec and iptables

Andy fs at globalnetit.com
Wed Jan 25 11:34:03 CET 2006


On Wed, 2006-01-25 at 13:27 +0100, Ruben CL wrote:
> Hi all! I would like to use both ipsec and iptables for my vpn.

You're telling us what you want IPsec to do. But what do you want
iptables to do for you? I don't see how it's relevant here.

> I would like the traffic between my networks were encrypted only for
> mail and web. All the other traffic it would be plaintext.

(a) - don't do this. See
http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/ipsec.html#traffic.resist for some good reasons for that.

(b) - if you must do it, one approach may be to restrict the traffic
that must be encrypted to some specific systems. So, for example, you
could have a mail server at each site and only permit mail to be
exchanged through those servers. Then you can build a tunnel between
those machines. Similarly for web traffic, you'd probably need to use a
web proxy for that.
Alternatively, you may be able to use protocol/port selectors
(<left/right>protoport=...) in combination with passthrough conns. Not
something I've tried - maybe someone else here has some advice on that?

(c) - don't do it. Really.


> Can anyone help me? Thanks
-- 
Andy <fs at globalnetit.com>
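To make approach (b) concrete, here is an added ipsec.conf sketch of the "protoport selectors plus a passthrough conn" idea. It is not from the post above or from the Openswan project, and like Andy it is untested: it assumes Openswan 2.x ipsec.conf semantics, two sites on RFC 5737 placeholder addresses (192.0.2.0/24 behind gateway 198.51.100.1 and 203.0.113.0/24 behind gateway 198.51.100.2), a pre-shared key already present in /etc/ipsec.secrets, and that a bare protocol in protoport (e.g. `tcp`) means "any port". The conn names are invented for the illustration.

```ini
# Added illustration, not configuration from the mailing-list post.
# Assumption: Openswan 2.x ipsec.conf syntax; placeholder (RFC 5737) addresses.

config setup
        interfaces=%defaultroute

conn %default
        authby=secret        # assumption: PSK for both gateways in /etc/ipsec.secrets

# SMTP from site A clients to site B's mail port: encrypted.
# Client side uses any port, server side is fixed to 25.
conn smtp-to-B
        also=siteA-siteB
        leftprotoport=tcp
        rightprotoport=tcp/25
        auto=start

# SMTP in the other direction: encrypted.
conn smtp-to-A
        also=siteA-siteB
        leftprotoport=tcp/25
        rightprotoport=tcp
        auto=start

# Plain HTTP, same pattern (HTTPS on 443 would need another pair of conns).
conn http-to-B
        also=siteA-siteB
        leftprotoport=tcp
        rightprotoport=tcp/80
        auto=start

conn http-to-A
        also=siteA-siteB
        leftprotoport=tcp/80
        rightprotoport=tcp
        auto=start

# Everything else between the two subnets is deliberately left in the clear.
# This is the part the post warns against: it is visible to anyone on the path.
conn rest-passthrough
        left=198.51.100.1
        leftsubnet=192.0.2.0/24
        right=198.51.100.2
        rightsubnet=203.0.113.0/24
        type=passthrough
        auto=route

# Shared endpoint definition pulled in by the selector conns via also=.
# Placed last because older FreeS/WAN parsers required the referenced
# section to follow the sections that include it.
conn siteA-siteB
        left=198.51.100.1
        leftsubnet=192.0.2.0/24
        right=198.51.100.2
        rightsubnet=203.0.113.0/24
```

Two checks are worth running before trusting a setup like this. First, confirm the kernel policy actually prefers the port-specific conns over the subnet-wide passthrough: `ipsec eroute` on KLIPS or `ip xfrm policy` on NETKEY should show the tcp/25 and tcp/80 selectors mapped to the tunnel and only the remainder mapped to the passthrough. Second, capture on the outside interface of one gateway and verify that mail and web flows appear only as ESP while the rest is visible cleartext; seeing that cleartext on the wire is the plainest demonstration of why the post's answer (a) and (c) is "don't".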