[Openswan Users] Is there a way to insert iptables rules dynamically on ipsec tunnel creation???

Matias Lopez Bergero mlopezb at udesa.edu.ar
Tue Jul 3 12:32:01 EDT 2007


I found out the problem.

I was using the _updown_x509 for both the roadwarrior and the shared RSA
net-to-net.
So I just added the leftupdown=/usr/lib/ipsec/_updown_x509 option to the
roadwarrior conn and now both "tunnels" are working :-)


Utkarsh Shah wrote:
> Hi,
> Can you provide configuration (e.g. ipsec.conf and ipsec.secrets) with
> dummy values??
> From the description you have specified, I think you have
> configuration for the same peers with different authentication mechanisms..
> Is it so??
> Then you might need to specify the IP address pair in ipsec.secrets.
> Regards,
> Utkarsh Shah
> Matias Lopez Bergero wrote:
>> Hi,
>> Thanks a lot!
>> I switched the _updown script for the _updown_x509 and it adds the
>> firewall rules :-)
>> Now I have a new problem. When I'm using the x509 connections, the
>> "old" net-to-net connections using shared RSA have stopped working.
>> Looks like there is a conflict using both types of connection. Any 
>> ideas on how to fix that??
>> Thanks again.
>> BR,
>> Matias.
>> Utkarsh Shah wrote:
>>> Hi,
>>> You can run commands whenever a connection goes up or down by
>>> specifying them in the _updown script, which is usually located at
>>> /usr/lib/ipsec,
>>> and specify the same updown script in your config if it's not the default.
>>> Regards,
>>> Utkarsh Shah
>> Matias Lopez Bergero wrote:
>>> Hello,
>>> I've been using Freeswan/Openswan for a couple of years.
>>> I have used the gateway to gateway setup, but now, I need to setup a
>>> road warrior config for just one user, maybe two.
>>> I have no problem doing that config.
>>> The vpn gateway is also a firewall, so I want to configure the
>>> firewall (iptables) to allow only valid connections through it, at the
>>> FORWARD chain, which I have set to a default policy of DROP.
>>> I have read through the docs and Google, but I found nothing usable. I
>>> found an interesting script called updown_x509, but it seems that I
>>> cannot use that. It was written for old Pluto versions...
>>> Is there actually a way of doing this???
>>> Another thing that I have found is some guys using L2TP. Maybe this is a
>>> workaround for this problem... by filtering some private range???
>>> Also I have read that someone is using the mark module of iptables. I
>>> still have read this.
>>> Any comments are most welcome,
>>> Thanks.
>>> BR,
>>> Matias.
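The updown hook Utkarsh describes above, written out as an added example (it is not part of this thread and not Openswan's own _updown or _updown_x509): a small script that Pluto calls on every tunnel event, which chains to the stock _updown for route handling and then inserts or deletes FORWARD rules for the negotiated subnets. It assumes the NETKEY (native Linux xfrm) stack, where the iptables "policy" match can tell ESP-decapsulated packets from cleartext ones, and an install path of /usr/local/sbin/ipsec-fw-updown referenced by leftupdown= in ipsec.conf; both are assumptions. The PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT variables are the ones Pluto exports to its updown script.

```shell
#!/bin/sh
# Added example: a custom Openswan updown hook (hypothetical, not the stock
# _updown or _updown_x509) that inserts and removes iptables FORWARD rules
# as each tunnel comes up and goes down.
# Assumed install: leftupdown=/usr/local/sbin/ipsec-fw-updown in ipsec.conf.
# Assumes the NETKEY stack so that "-m policy" can see the IPsec policy.
#
# Pluto exports the event in PLUTO_VERB (up-client, down-client, ...) and
# the negotiated subnets in PLUTO_MY_CLIENT / PLUTO_PEER_CLIENT (CIDR form).

STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}   # keeps route handling
IPTABLES=${IPTABLES:-iptables}
DRYRUN=${DRYRUN:-}                                       # set to print instead of apply

# forward_rules ACTION MY_CLIENT PEER_CLIENT
# Prints one iptables argument list per line: a rule for traffic arriving
# from the peer's subnet through the tunnel and one for traffic leaving to
# it through the tunnel. The "policy" match restricts each rule to packets
# that really were (or will be) IPsec-protected, so a cleartext packet that
# merely spoofs a tunnel source address still falls to the DROP policy.
# ACTION is -I (insert at the top) on up and -D (delete) on down.
forward_rules() {
    action=$1; me=$2; peer=$3
    printf '%s FORWARD -s %s -d %s -m policy --dir in --pol ipsec -j ACCEPT\n' "$action" "$peer" "$me"
    printf '%s FORWARD -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$action" "$me" "$peer"
}

# apply_rules ACTION: run (or, with DRYRUN set, print) each rule.
apply_rules() {
    forward_rules "$1" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" |
    while read -r rule; do
        if [ -n "$DRYRUN" ]; then
            echo "$IPTABLES $rule"
        else
            # word-splitting of $rule into separate arguments is intended
            $IPTABLES $rule
        fi
    done
}

# handle_verb VERB: maps the Pluto event to a firewall action. Returns 0
# when it handled the verb and 1 for events that need no firewall change
# (prepare-*, route-*, unroute-*).
handle_verb() {
    case $1 in
        up-client|up-host)     apply_rules -I ;;
        down-client|down-host) apply_rules -D ;;
        *)                     return 1 ;;
    esac
}

# Only act when invoked by Pluto (PLUTO_VERB set); sourcing the file
# otherwise just defines the functions without touching the firewall.
if [ -n "$PLUTO_VERB" ]; then
    [ -x "$STOCK_UPDOWN" ] && "$STOCK_UPDOWN" "$@"
    handle_verb "$PLUTO_VERB" || :
fi
```

Because the rules are keyed on the subnets Pluto negotiated for that particular SA, a roadwarrior gets a /32 pair and a net-to-net conn gets its two subnets, and each rule disappears again on down-client, so the FORWARD chain never accumulates stale entries. To check what a given event would do without root, run it with DRYRUN=1 and the PLUTO_* variables set by hand.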
