[Openswan Users] ipsec and iptables
Shi Lang
shilang at greenpacket.com
Thu Jan 26 12:35:37 CET 2006
Hi Paul,
leftprotoport=6/25, 5/25
Is that a correct format, if I want both?
Thanks
Regards,
Shi Lang
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Thursday, January 26, 2006 12:35 PM
To: Andy
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] ipsec and iptables
On Wed, 25 Jan 2006, Andy wrote:
> > It is easier and better to encrypt everything.
> > if you really dont want that, you can use leftprotoport=5/25 for email
> > and leftprotoport=5/80 for web. (and the same for rightprotoport.
>
> Shouldn't that be 6/25 & 6/80 - TCP is protocol 6, right?
Yes. It should be six. Well spotted :)
> If he uses that approach, won't all other traffic get dropped?
You have to add a passthrough conn from ip to ip. Then the ports get
encrypted (more specific match) and the rest gets passed through.
# port-specific conn: only TCP/25 <-> TCP/25 between a and b is encrypted
conn a-b-mail
    left=a.x.x.x
    right=b.x.x.x
    leftprotoport=6/25
    rightprotoport=6/25
    authby=rsasig
    auto=start
# catch-all conn for the same pair of hosts: no IPsec, traffic is passed in the clear
conn a-b-passthrough
    left=a.x.x.x
    right=b.x.x.x
    authby=never
    type=passthrough
    auto=route
But this would not allow packets from a high port to 25, only from
port 25 to port 25, which might not be enough. So perhaps you
need leftprotoport=6/%any and rightprotoport=6/25 and then a second
conn for the other way around.
Again, don't try this at home. Just encrypt everything.
Paul
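The complete arrangement Paul sketches, written out as an added example (not a config from the thread or from the Openswan project): one conn per direction for SMTP, because a single leftprotoport= takes exactly one protocol/port pair and cannot list two, plus the passthrough conn for everything else between the two hosts. The addresses a.x.x.x and b.x.x.x, the IDs and the key placeholders are assumptions and must be replaced.

```ini
# Added example, not part of the original thread. a.x.x.x, b.x.x.x,
# the @-style IDs and the key values below are placeholders.

# Shared settings pulled in by the other conns via also=
conn a-b-base
    left=a.x.x.x
    leftid=@a.placeholder
    leftrsasigkey=<public key of a, placeholder>
    right=b.x.x.x
    rightid=@b.placeholder
    rightrsasigkey=<public key of b, placeholder>
    authby=rsasig

# b (any source port) talking to the SMTP server on a (TCP/25)
conn a-smtp-from-b
    also=a-b-base
    leftprotoport=6/25
    rightprotoport=6/%any
    auto=start

# a (any source port) talking to the SMTP server on b (TCP/25)
conn b-smtp-from-a
    also=a-b-base
    leftprotoport=6/%any
    rightprotoport=6/25
    auto=start

# Everything else between the two hosts: no IPsec, passed in the clear.
# The narrower TCP/25 policies above match first, so this only catches
# the remaining traffic; without it that traffic would be dropped.
conn a-b-passthrough
    left=a.x.x.x
    right=b.x.x.x
    authby=never
    type=passthrough
    auto=route
```

After `ipsec auto --add` on all three conns, the installed policies can be checked with `ip xfrm policy` (NETKEY) or `ipsec eroute` (KLIPS): the two TCP/25 policies should show up as protected entries and the host-to-host pair as a pass-through entry. Note that this leaves only SMTP protected, which is exactly why Paul's advice is to drop the protoport selectors and encrypt everything between the two hosts.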
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users