[Openswan Users] there is a way to insert iptables rules, dynamically on ipsec tunnel creation???

Utkarsh Shah utkarsh at elitecore.com
Tue Jul 3 01:36:41 EDT 2007


Can you provide your configuration (e.g. ipsec.conf and ipsec.secrets) with 
dummy values?
 From the description you have given, I think you have configurations 
for the same peers with different authentication mechanisms. Is that so?

Then you might need to specify the IP address pair in ipsec.secrets.

Utkarsh Shah

Matias Lopez Bergero wrote:
> Hi,
> Thanks a lot!
> I switched the _updown script for the _updown_x509 and it adds the 
> firewall rules :-)
> Now I have a new problem. When I'm using the x509 connections, the 
> "old" net-to-net connections using shared RSA, the old ones, have 
> stopped working.
> Looks like there is a conflict using both types of connection. Any 
> ideas on how to fix that?
> Thanks again.
> BR,
> Matias.
> Utkarsh Shah wrote:
>> Hi,
>> You can run commands whenever a connection goes up or down by 
>> specifying them in the _updown script, which is usually located at 
>> /usr/lib/ipsec,
>> and specify the same updown script in your config if it's not the default.
>> Regards,
>> Utkarsh Shah
> Matias Lopez Bergero wrote:
>> Hello,
>> I've been using Freeswan/Openswan for a couple of years.
>> I have used the gateway to gateway setup, but now, I need to setup a
>> road warrior config for just one user, maybe two.
>> I have no problem doing that config.
>> The VPN gateway is also a firewall, so I want to configure the
>> firewall (iptables) to allow only valid connections through it, at the
>> FORWARD chain, whose default policy I have set to DROP.
>> I have read through the docs and Google, but I found nothing usable. I
>> found an interesting script called updown_x509, but it seems that I
>> cannot use that. It was written for old Pluto versions...
>> Is there actually a way of doing this?
>> Another thing I have found is some people using L2TP. Maybe this is a
>> workaround for this problem... by filtering some private range?
>> Also I have read that someone is using the mark module of iptables. I
>> still have to read this.
>> Any comments are most welcome,
>> Thanks.
>> BR,
>> Matias.
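The advice above (put the iptables commands in the updown script that Pluto runs on every up/down event, and point the connection at it with leftupdown= in ipsec.conf if it is not the stock /usr/lib/ipsec/_updown) is easy to get subtly wrong: the hook is also invoked for prepare-, route- and unroute- verbs, and a rule that only matches on source/destination subnet lets spoofed cleartext through a FORWARD chain that was supposed to admit tunnel traffic only. The following is an added example of such a hook, written for this page and not taken from Openswan's _updown or _updown_x509 scripts. It assumes the NETKEY (native netfilter) stack, where the iptables "policy" match can distinguish packets that arrived through or will leave through an IPsec SA; on KLIPS one would instead match on the ipsecN interface. The variable names PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT are the ones Pluto exports to the script; the sample subnets are constructed values, and IPTABLES is an assumed override so the hook can be dry-run with "echo" instead of the real binary.

```sh
#!/bin/sh
# Added example: a minimal _updown-style hook, not the Openswan _updown or
# _updown_x509 script.  Pluto runs the updown script with the SA's details in
# the environment; PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT are the
# names Pluto exports.  The rule shape assumes NETKEY, where the netfilter
# "policy" match can tell IPsec-protected packets from plaintext ones.

# Assumed override: set IPTABLES=echo to dry-run the hook without root.
IPTABLES="${IPTABLES:-iptables}"

# Print, one per line, the FORWARD rule bodies that let the two client
# networks of this SA talk to each other, and only over IPsec.  A packet
# from the peer's subnet that did not arrive through an IPsec SA fails the
# policy match and falls through to the chain's DROP policy.
build_forward_rules() {
    my_client="$1"    # PLUTO_MY_CLIENT, e.g. 10.0.1.0/24 (constructed value)
    peer_client="$2"  # PLUTO_PEER_CLIENT, a subnet or a road warrior's a.b.c.d/32
    printf '%s\n' "FORWARD -s $peer_client -d $my_client -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    printf '%s\n' "FORWARD -s $my_client -d $peer_client -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
}

# Map the verb Pluto passes to the iptables operation: insert on up, delete
# on down.  Pluto also calls the script for prepare-, route- and unroute-
# verbs; those must not touch the firewall, so they map to an empty action.
verb_to_action() {
    case "$1" in
        up-client|up-host)     echo "-I" ;;
        down-client|down-host) echo "-D" ;;
        *)                     echo "" ;;
    esac
}

# Apply (or remove) the rules for the SA described by the current environment.
# Returns 0 and does nothing for verbs that carry no firewall action, and
# returns 1 if Pluto did not hand us both client networks.
apply_rules() {
    action=$(verb_to_action "${PLUTO_VERB:-}")
    [ -n "$action" ] || return 0
    [ -n "${PLUTO_MY_CLIENT:-}" ] && [ -n "${PLUTO_PEER_CLIENT:-}" ] || return 1
    build_forward_rules "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" | while read -r rule; do
        # Word splitting of $rule is intentional: it is the argument list.
        # shellcheck disable=SC2086
        $IPTABLES $action $rule
    done
}

# When Pluto invokes the script directly, act on the environment it set up.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply_rules
fi
```

Two things to check before relying on a hook like this: run it by hand with IPTABLES=echo and the PLUTO_* variables set to what a road-warrior SA would carry (the peer's address as a /32 when no subnet is negotiated) to see exactly which rules land in FORWARD, and confirm that a down-client event removes exactly the rules the matching up-client inserted, since -D deletes one matching rule per call.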