[Openswan Users] there is a way to insert iptables rules, dynamically on ipsec tunnel creation???

[Matias Lopez Bergero]

Hi,

Thanks  a lot!
I switched the _updown script for the _updown_x509 and it adds the 
firewall rules :-)

Now I have a new problem. Wen I'm using the x509 connections, the "old" 
net to net connections using shared RSA, the old ones has stopped working.
Looks like there is a conflict using both types of connection. Any ideas 
on how to fix that??

Thanks again.

BR,
Matias.

Utkarsh Shah wrote:
> Hi,
>
> You can run commends whenever connection goes up and down by 
> specifying it in _updown script which is usually located at /usr/lib/ipsec
> and specify same updown script in your config if its not default.
>
> Regards,
> Utkarsh Shah
Matias Lopez Bergero wrote:
> Hello,
>
> I'm being using Freeswan/Openswan for a couple of years.
> I have used the gateway to gateway setup, but now, I need to setup a
> road warrior config for just one user, maybe two.
> I have no problem doing that config.
>
> The vpn gateway is also a firewall, so I want to configure the
> firewall(iptables) to allow only valid connections trough it, at the
> FORWARD chain, that I have set default policy to DROP.
> I have read trough the docs and Google, but I found nothing usable. I
> found an interesting script called updown_x509, but it seams that I
> cannot use that. It was written for old Pluto versions...
> There is actually a way of doing this???
>
> Other thing that I have found is some guys using L2TP. Maybe this is a
> workaround for this problem... by filtering some private range???
> Also I have read that someone is using the mark module of iptables. I
> still have read this.
>
> Any comments are most welcome,
> Thanks.
>
> BR,
> Matias.
>
>