[Openswan Users] Getting IPSec policy into kernel

Venkat Yekkirala vyekkirala at trustedcs.com
Tue Mar 20 11:08:45 EDT 2007

> Maybe
> ----------
> conn %default
>         auto=route
> ----------
> in ipsec.conf does what you want?

Gives the same result as when I perform ipsec auto --route <conn>
(also suggested by Michael Richardson). Specifically, I see only
the outgoing policy inserted, but not the in and fwd policies.

> There are drawbacks in our setup here, thou.
> We have many policies that have to go through one tunnel. One 
> way to con-
> figure all of those to trigger the establishment of the 
> needed tunnel is
> using the klips-stack and adding all those policies as connections.
> With netkey i havent seen such a way, i can only after 
> establishing a tunnel
> configure the other policies in an updown-script.

Not really. For example, using ipsec-tools, you could have just
the policy inserted into the netkey/kernel and the kernel would
then trigger the acquires, while enforcing the ipsec policy rules.

I guess the route option was supposed to get the in/fwd policy as
well into the kernel (as mentioned by Michael earlier), but it isn't.

This would have security implications in that this would cause non-ipsec
packets to get into the system where the policy is for them to be ipsec
packets to be let in. Correct?

> Maybe someone knows a better way for this, having the 
> policies in the first
> place to be able for them to trigger establishment of the tunnel.
> Christian

More information about the Users mailing list