[Openswan Users] Security of xl2tpd without KLIPS?

Paul Wouters paul at xelerance.com
Tue Dec 11 13:38:05 EST 2007


On Tue, 4 Dec 2007, Aaron Gage wrote:

> > Should work, though you need openswan 2.4.10+ to be able to support OSX
> > using rightprotoport=17/0 (instead of the old 17/%any causing problems)
>
> Does XP work if I use rightprotoport=17/0 instead of 17/%any, and if
> not, can I just define a second connection that is otherwise equal but
> uses 17/%any for XP?

For XP, use 17/1701

> My iptables-fu is a little weak, so I have a security question: is it
> possible for an attacker to mark the packets before they arrive at the
> firewall so that they gain automatic acceptance?  Or are the markings
> strictly internal to the kernel?

No. Marks are bits in the Linux kernel, not in the packet. Marks only
live within the kernel.

> What I want to do is this: the XP roadwarrior negotiates for
> IPSec/L2TP on the 172.16.1.0/24 interface, and when accepted, ESP
> packets go through the DMZ.  The roadwarrior then gets an address in
> 10.0.0.224/28 (reserved in dhcpd and named).  Is there something about
> this arrangement that won't work?

That should be fine.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
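The two-connection layout discussed in the exchange above (one conn with rightprotoport=17/0 for OS X, an otherwise identical one with 17/1701 for Windows XP), written out as an added ipsec.conf fragment. This is not from the thread or from the Openswan project's own documentation; the connection names, the server address 172.16.1.10 and the use of PSK authentication are assumptions.

```ini
# /etc/ipsec.conf  -- added example, not part of the original message.
# Assumptions: NETKEY (no KLIPS), server address 172.16.1.10 on the
# 172.16.1.0/24 interface, PSK authentication. Adjust for your setup.

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# OS X road warriors: rightprotoport=17/0 requires openswan 2.4.10 or later;
# the older 17/%any form is what caused problems.
conn l2tp-psk-osx
        authby=secret
        type=transport
        pfs=no
        rekey=no
        left=172.16.1.10            # assumed server address
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/0
        auto=add

# Windows XP road warriors: otherwise identical, but 17/1701 as in the reply.
conn l2tp-psk-xp
        authby=secret
        type=transport
        pfs=no
        rekey=no
        left=172.16.1.10            # assumed server address
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        auto=add
```

Both conns are loaded with auto=add and Pluto picks whichever one matches the selectors the client proposes, so nothing on the client side needs to know the conn names. The L2TP address pool (10.0.0.224/28 in the question) is handed out by xl2tpd and the PPP layer, not by ipsec.conf, so it does not appear here.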

