[Openswan Users] Blocking an ipsec using X509 DN

Paul Wouters paul at xelerance.com
Tue Oct 10 23:13:35 EDT 2006


On Tue, 10 Oct 2006, Diego Woitasen wrote:

>  I have a VPN concentrator with Openswan with Openswan peers using
> X509 authentication. I need to block some peers for some time using the
> Distinguished Name, but I don't know how. Using CRL is not an option
> because the block must be temporary.
>
> I'm trying with this but the peers continue passing traffic anyway:
>
> conn blocked668
>         type=reject

reject does not exist.

>         left=172.17.0.60
>         rightsubnet=10.22.160.0/24
>         right=%any
>         rightid="C=AR, ST=BUENOS AIRES, L=Ciudad Autonoma de Buenos
> Aires, O=Example Inc., OU=Comunicaciones, CN=peer668.example.com,
> SN=3"
>         auto=add

The easiest is probably to add a rightupdown=/some/script.sh
and have script.sh block or tear down the tunnel. You could use
firewall rules, but you might run into the problem where another
roadwarrior tries to connect from the same dynamic ip or from
behind the same NAT router. Calling "ipsec auto --down blocked668"
is probably enough, though the client might get one or two packets
through the brief existence of the tunnel.

You could of course also copy your CA stuff to a tmp machine/dir,
revoke the cert, update the crl and install it, and later on
recreate a new crl from the 'real' CA and put that back.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
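A sketch of the rightupdown approach Paul describes, added here as an example and not code from the thread or from Openswan itself. Pluto exports PLUTO_VERB, PLUTO_CONNECTION, PLUTO_PEER and PLUTO_PEER_ID to updown scripts; the blocklist path, the location of the stock _updown script and the one-second delay before tearing the tunnel down are assumptions.

```shell
#!/bin/sh
# Hypothetical rightupdown script: tear down tunnels whose peer DN is on a
# temporary blocklist, otherwise hand over to the stock _updown script.
# Assumed paths; adjust for your install.
BLOCKLIST="${BLOCKLIST:-/etc/ipsec.d/blocked-dns.txt}"
DEFAULT_UPDOWN="${DEFAULT_UPDOWN:-/usr/lib/ipsec/_updown}"

# Normalize a DN: drop surrounding quotes, force ", " between RDNs so a
# hand-typed blocklist entry compares equal to what pluto exports.
norm_dn() {
    printf '%s' "$1" | sed -e 's/^"//' -e 's/"$//' \
                           -e 's/[[:space:]]*,[[:space:]]*/, /g'
}

# Return 0 if DN $1 appears in blocklist file $2 (blank and # lines ignored).
peer_blocked() {
    dn=$(norm_dn "$1")
    [ -r "$2" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "$(norm_dn "$line")" = "$dn" ] && return 0
    done < "$2"
    return 1
}

handle_updown() {
    if [ "$PLUTO_VERB" = "up-client" ] && peer_blocked "$PLUTO_PEER_ID" "$BLOCKLIST"; then
        logger -t ipsec-block "blocking $PLUTO_CONNECTION from $PLUTO_PEER ($PLUTO_PEER_ID)" 2>/dev/null || :
        # pluto waits for this script to finish, so detach the --down call
        # instead of issuing it synchronously from inside the updown hook.
        ( sleep 1; ipsec auto --down "$PLUTO_CONNECTION" ) >/dev/null 2>&1 &
        return 0
    fi
    # Not blocked (or a different verb): let the stock script do routing etc.
    exec "$DEFAULT_UPDOWN"
}

# Only dispatch when pluto actually invoked us with a verb.
if [ -n "$PLUTO_VERB" ]; then
    handle_updown
fi
```

As Paul notes, the peer still sees the tunnel come up briefly, so a few packets may pass before the detached --down runs.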