[Openswan Users] Security of xl2tpd without KLIPS?
paul at xelerance.com
Tue Dec 11 13:38:05 EST 2007
On Tue, 4 Dec 2007, Aaron Gage wrote:
> > Should work, though you need openswan 2.4.10+ to be able to support OSX
> > using rightprotoport=17/0 (instead of the old 17/%any causing problems)
> Does XP work if I use rightprotoport=17/0 instead of 17/%any, and if
> not, can I just define a second connection that is otherwise equal but
> uses 17/%any for XP?
For XP, use 17/1701
> My iptables-fu is a little weak, so I have a security question: is it
> possible for an attacker to mark the packets before they arrive at the
> firewall so that they gain automatic acceptance? Or are the markings
> strictly internal to the kernel?
No. Marks are bits in the linux kernel, not in the packet. marks only
live within the kernel.
> What I want to do is this: the XP roadwarrior negotiates for
> IPSec/L2TP on the 172.16.1.0/24 interface, and when accepted, ESP
> packets go through the DMZ. The roadwarrior then gets an address in
> 10.0.0.224/28 (reserved in dhcpd and named). Is there something about
> this arrangement that won't work?
That should be fine.
Building and integrating Virtual Private Networks with Openswan:
More information about the Users