[Openswan Users] Fedora Core 6 and ipsec0 in iptables
Cameron Davidson
cam73 at aanet.com.au
Sat May 5 20:10:03 EDT 2007
Ben Martin wrote:
> Hi,
> Just to check if my conclusion is correct,
> From digging around it seems that for openswan on Fedora Core 6 to get
> ipsec0,1,2 etc to show up in ifconfig and be able to setup packet
> filtering with iptables for ipsec0 etc then I have to build a kernel
> using the KLIPS patch.
>
> It would be nice to have the unencrypted traffic arrive on ipsecX
> instead of eth1 so I can treat it differently in the firewall instead of
> dubiously allowing 192.x traffic (post decryption from openswan) to
> arrive on the internet connected network interface.
>
> Thanks for any clarification.
>
You are right in your conclusions about the ipsecX interfaces.
If you don't want to patch in KLIPS, then, assuming both sides are in
the private IP space, it seems reasonably safe to filter on the eth1
interface based on both source AND destination addresses. After all, it
should not be possible to route traffic to your internal addresses.
In any case, I suspect any traffic claiming to come from your remote IP
range will already have been discarded because it does not have the
right security association. But my understanding in that area is a bit
sketchy.
Cameron.
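An added example, not part of the thread above, showing what the two positions in it look like as iptables rules on a NETKEY (no KLIPS, no ipsecX interface) gateway. Cameron's approach is the "address pair" set: accept on eth1 only when both source and destination are the expected private ranges, and drop anything else on eth1 carrying those addresses. The second set uses the iptables policy match (`-m policy`, the xt_policy module), which matches on whether the kernel actually decrypted a packet from an IPsec SA; that goes beyond what the thread discusses, and whether your kernel and iptables build have it is an assumption you need to check. The topology (eth1 = Internet, eth0 = LAN, 192.168.1.0/24 local, 192.168.2.0/24 remote, peer 203.0.113.5) is constructed for the example. With IPT unset the script only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: iptables rules for an Openswan gateway using NETKEY (no KLIPS).
# Not code from the original thread. Constructed topology:
#   eth1 = Internet-facing interface, eth0 = LAN
#   LOCAL_NET  192.168.1.0/24 behind this gateway
#   REMOTE_NET 192.168.2.0/24 behind the IPsec peer
#   PEER_IP    203.0.113.5 (peer's public address, documentation range)
# IPT defaults to "echo iptables" so the script is safe to run without root.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"
PEER_IP="${PEER_IP:-203.0.113.5}"
# "yes" selects the policy-match rules (needs xt_policy in kernel and iptables).
USE_POLICY_MATCH="${USE_POLICY_MATCH:-no}"

# The IKE and ESP packets themselves, i.e. the still-encrypted traffic on eth1.
ike_esp_rules() {
    $IPT -A INPUT -i "$WAN_IF" -p udp -s "$PEER_IP" --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp -s "$PEER_IP" --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p esp -s "$PEER_IP" -j ACCEPT
}

# Address-pair filtering: decrypted packets reappear on eth1 with private
# addresses, so accept them only when BOTH ends are the expected ranges,
# then drop anything else on eth1 that claims those addresses.
address_pair_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -s "$REMOTE_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -d "$LOCAL_NET" -j DROP
}

# Policy-match filtering: accept only packets the kernel decrypted from an
# ESP SA whose outer source is the peer; cleartext using the remote range
# as source never went through an SA and is dropped as spoofed.
policy_match_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -m policy --dir in --pol ipsec --proto esp \
        --tunnel-src "$PEER_IP" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -m policy --dir in --pol none -s "$REMOTE_NET" -j DROP
}

# Emit (or apply) the full rule set for the selected approach.
all_rules() {
    ike_esp_rules
    if [ "$USE_POLICY_MATCH" = "yes" ]; then
        policy_match_rules
    else
        address_pair_rules
    fi
}

all_rules
```

Run it as `sh ipsec-rules.sh` to review the commands, then `IPT=iptables sh ipsec-rules.sh` to apply them; `USE_POLICY_MATCH=yes` switches to the policy-match set. Note that the address-pair rules rely on nobody being able to route the private ranges to eth1 from outside, while the policy-match rules tie acceptance to the SA itself, which is the check the ipsecX interface would have given you under KLIPS.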