[Openswan Users] Getting IPSec policy into kernel
Venkat Yekkirala
vyekkirala at trustedcs.com
Tue Mar 20 11:08:45 EDT 2007
> Maybe
> ----------
> conn %default
> auto=route
> ----------
> in ipsec.conf does what you want?
Gives the same result as when I perform ipsec auto --route <conn>
(also suggested by Michael Richardson). Specifically, I see only
the outgoing policy inserted, but not the in and fwd policies.
>
> There are drawbacks in our setup here, though.
> We have many policies that have to go through one tunnel. One way to
> configure all of those to trigger the establishment of the needed
> tunnel is using the klips-stack and adding all those policies as
> connections.
>
> With netkey I haven't seen such a way; I can only configure the other
> policies in an updown-script after establishing a tunnel.
Not really. For example, using ipsec-tools, you could have just
the policy inserted into the netkey/kernel and the kernel would
then trigger the acquires, while enforcing the ipsec policy rules.
I guess the route option was supposed to get the in/fwd policy as
well into the kernel (as mentioned by Michael earlier), but it isn't.
This would have security implications in that this would cause non-ipsec
packets to get into the system where the policy is for them to be ipsec
packets to be let in. Correct?
> Maybe someone knows a better way for this: having the policies in place
> first so that they can trigger establishment of the tunnel.
>
>
> Christian
>
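Added example (not from this thread or from Openswan): a small check, assuming the text format printed by `ip xfrm policy show`, that flags netkey SPD entries where an `out` policy was installed without the matching reverse-direction `in`/`fwd` policies, i.e. the state reported above after `auto=route`. The sample dump is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in `ip xfrm policy show` format (tmpl lines omitted):
# 10.0.2.0/24 has only the 'out' direction installed, the symptom in the
# thread; 10.0.3.0/24 has out, in and fwd.
SAMPLE_SPD = """\
src 10.0.1.0/24 dst 10.0.2.0/24
\tdir out priority 2344 ptype main
src 10.0.1.0/24 dst 10.0.3.0/24
\tdir out priority 2344 ptype main
src 10.0.3.0/24 dst 10.0.1.0/24
\tdir in priority 2344 ptype main
src 10.0.3.0/24 dst 10.0.1.0/24
\tdir fwd priority 2344 ptype main
"""

_SEL = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^\s*dir (in|out|fwd)\b")

def parse_policies(text):
    """Return (src, dst, direction) triples from an `ip xfrm policy` dump."""
    policies, sel = [], None
    for line in text.splitlines():
        m = _SEL.match(line)
        if m:                       # selector line; the 'dir' line follows it
            sel = (m.group(1), m.group(2))
            continue
        m = _DIR.match(line)
        if m and sel:
            policies.append((sel[0], sel[1], m.group(1)))
    return policies

def missing_directions(policies):
    """Map each 'out' selector to the reverse-direction 'in'/'fwd' entries it lacks."""
    # Out-only: outbound traffic is encrypted, but nothing requires inbound
    # packets for the same subnet pair to have arrived via IPsec.
    seen = defaultdict(set)
    for src, dst, direction in policies:
        seen[(src, dst)].add(direction)
    gaps = {}
    for (src, dst), dirs in seen.items():
        if "out" in dirs:
            absent = sorted({"in", "fwd"} - seen.get((dst, src), set()))
            if absent:
                gaps[(src, dst)] = absent
    return gaps

if __name__ == "__main__":
    for (src, dst), absent in missing_directions(parse_policies(SAMPLE_SPD)).items():
        print(f"{src} -> {dst}: out policy present, missing {', '.join(absent)}")
```

Run it against a live dump with `ip xfrm policy show | python3 check.py`-style piping by replacing `SAMPLE_SPD` with `sys.stdin.read()`.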