[Openswan Users] there is a way to insert iptables rules, dynamically on ipsec tunnel creation???
Matias Lopez Bergero
mlopezb at udesa.edu.ar
Tue Jul 3 12:32:01 EDT 2007
I find out the problem.
I was using the _updown_x509 for both the roadwarrior and the shared rsa
net to net.
So, I just add the leftupdown=/usr/lib/ipsec/_updown_x509 option to the
roadwarrior conn and now both "tunnels" are working :-)
Utkarsh Shah wrote:
> Can you provide configuration (eg. ipsec.conf and ipsec.secrets) with
> a dummy vaules ??
> >From the description you have specified, I think you have
> configuration for same peers with different authentication mechanism..
> Is it so ??
> Then you might need to specify IP Address pair in ipsec.secrets.
> Utkarsh Shah
> Matias Lopez Bergero wrote:
>> Thanks a lot!
>> I switched the _updown script for the _updown_x509 and it adds the
>> firewall rules :-)
>> Now I have a new problem. Wen I'm using the x509 connections, the
>> "old" net to net connections using shared RSA, the old ones has
>> stopped working.
>> Looks like there is a conflict using both types of connection. Any
>> ideas on how to fix that??
>> Thanks again.
>> Utkarsh Shah wrote:
>>> You can run commends whenever connection goes up and down by
>>> specifying it in _updown script which is usually located at
>>> and specify same updown script in your config if its not default.
>>> Utkarsh Shah
>> Matias Lopez Bergero wrote:
>>> I'm being using Freeswan/Openswan for a couple of years.
>>> I have used the gateway to gateway setup, but now, I need to setup a
>>> road warrior config for just one user, maybe two.
>>> I have no problem doing that config.
>>> The vpn gateway is also a firewall, so I want to configure the
>>> firewall(iptables) to allow only valid connections trough it, at the
>>> FORWARD chain, that I have set default policy to DROP.
>>> I have read trough the docs and Google, but I found nothing usable. I
>>> found an interesting script called updown_x509, but it seams that I
>>> cannot use that. It was written for old Pluto versions...
>>> There is actually a way of doing this???
>>> Other thing that I have found is some guys using L2TP. Maybe this is a
>>> workaround for this problem... by filtering some private range???
>>> Also I have read that someone is using the mark module of iptables. I
>>> still have read this.
>>> Any comments are most welcome,
More information about the Users