[Openswan Users] ipsec and iptables
Paul Wouters
paul at xelerance.com
Thu Jan 26 05:34:40 CET 2006
On Wed, 25 Jan 2006, Andy wrote:
> > It is easier and better to encrypt everything.
> > if you really dont want that, you can use leftprotoport=5/25 for email
> > and leftprotoport=5/80 for web. (and the same for rightprotoport.)
>
> Shouldn't that be 6/25 & 6/80 - TCP is protocol 6, right?
Yes. It should be six. Well spotted :)
> If he uses that approach, won't all other traffic get dropped?
You have to add a passthrough conn from ip to ip. Then the ports get
encrypted (more specific match) and the rest gets passed through.
conn a-b-mail
left=a.x.x.x
right=b.x.x.x
leftprotoport=6/25
rightprotoport=6/25
authby=rsasig
auto=start
conn a-b-passthrough
left=a.x.x.x
right=b.x.x.x
authby=never
type=passthrough
auto=route
But this would not allow packets from a high port to 25, only from
port 25 to port 25, which might not be enough. So perhaps you
need leftprotoport=6/%any and rightprotoport=6/25 and then a second
conn for the other way around.
Again, don't try this at home. Just encrypt everything.
Paul
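The selector behaviour Paul describes, as an added toy model (not code from the thread or from Openswan): each conn is reduced to its left/right addresses and protoport selectors, the most specific matching conn wins, and a packet that matches no conn is dropped. Addresses, conn names and the 40000 client port are constructed.

```python
# Added example, not from the thread or the Openswan project: a toy model
# of how per-conn traffic selectors (protoport) decide a packet's fate.
# Addresses and conn names are constructed stand-ins for the thread's.
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "%any"
Sel = Optional[Tuple[int, object]]  # (proto, port or ANY); None = whole host
@dataclass(frozen=True)
class Conn:
    name: str
    left: str
    right: str
    leftprotoport: Sel = None
    rightprotoport: Sel = None
    passthrough: bool = False  # type=passthrough: matched traffic stays in the clear

def _match(sel: Sel, proto: int, port: int) -> bool:
    return sel is None or (sel[0] == proto and sel[1] in (ANY, port))

def _specificity(c: Conn) -> int:
    # Per side: 1 for a fixed protocol, 1 more for a fixed port. The most
    # specific matching conn wins, so a passthrough conn is the fallback.
    score = 0
    for s in (c.leftprotoport, c.rightprotoport):
        if s is not None:
            score += 2 if s[1] != ANY else 1
    return score

def disposition(conns, src, dst, proto, sport, dport) -> str:
    """Return 'encrypt:<conn>', 'passthrough' or 'drop' for one packet."""
    hits = []
    for c in conns:
        # A conn's selectors are symmetric: they cover both directions of a flow.
        if (c.left, c.right) == (src, dst) and _match(c.leftprotoport, proto, sport) \
                and _match(c.rightprotoport, proto, dport):
            hits.append(c)
        elif (c.right, c.left) == (src, dst) and _match(c.rightprotoport, proto, sport) \
                and _match(c.leftprotoport, proto, dport):
            hits.append(c)
    if not hits:
        return "drop"
    best = max(hits, key=_specificity)
    return "passthrough" if best.passthrough else f"encrypt:{best.name}"

A, B, TCP = "a.x.x.x", "b.x.x.x", 6
PASS = Conn("a-b-passthrough", A, B, passthrough=True)
# The thread's first version: only port 25 to port 25 is protected.
NAIVE = [Conn("a-b-mail", A, B, (TCP, 25), (TCP, 25)), PASS]
# The corrected version: client side %any, one conn per direction.
FIXED = [Conn("a-b-mail", A, B, (TCP, ANY), (TCP, 25)),
         Conn("b-a-mail", A, B, (TCP, 25), (TCP, ANY)), PASS]
```

With NAIVE, an SMTP connection from a high port on a to port 25 on b matches only the passthrough conn and leaves in the clear; with FIXED it is encrypted in either direction, and without any passthrough conn the unmatched web traffic is dropped.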