[Openswan Users] Testing ipsec connection and confirming encryption
Roberto Suarez Soto
roberto.suarez.soto at gmail.com
Wed Aug 24 03:52:39 EDT 2011
On 08/24/2011 08:33 AM, Kevin Keane wrote:
> Thank you very much! That's exactly what I needed. For those who find this post in google, the correct syntax for iptables that worked for me was this:
>
> iptables -A INPUT -s <peer IP> -m policy --dir in --pol ipsec -m multiport -p tcp --dports <whatever ports you want opened> -j ACCEPT
>
> This policy is a bit more restrictive than the one Paul suggested.
Just FWIW, what I usually do is allow only ESP traffic between the two IPSec
peers, and then filter in FORWARD the traffic between subnets. I think in
practice the result is as good as using -m policy. And if not, please do tell;
I'm eager to know, for my own sake :-)
Thanks,
--
Roberto Suarez Soto
Pick up the phone, I'm always home
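The two rule sets discussed in this thread side by side, as an added example that is not part of the original messages. It assumes constructed addresses (PEER_IP, LOCAL_NET, REMOTE_NET from RFC 5737/1918 ranges) and a port list; with DRY_RUN=1 (the default) it prints the iptables commands instead of applying them. Variant A is Kevin's INPUT rule with the policy match; Variant B is Roberto's ESP-only INPUT plus FORWARD filtering, with the policy match also applied in FORWARD, because a plain subnet match there would accept the same subnet traffic if it ever arrived outside the tunnel.

```shell
#!/bin/sh
# Added example (not from the Openswan list thread). All addresses and ports
# are constructed placeholders; override them via the environment.
PEER_IP="${PEER_IP:-203.0.113.2}"        # remote IPsec peer (public address)
LOCAL_NET="${LOCAL_NET:-10.1.0.0/24}"    # subnet behind this gateway
REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"  # subnet behind the peer
OPEN_PORTS="${OPEN_PORTS:-22,443}"       # TCP ports admitted through the tunnel
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules, 0 = apply them

# Print or apply a single iptables rule depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Variant A: Kevin's rule. Packets from the peer reach the listed local ports
# only if the kernel decrypted them from an IPsec SA (-m policy --pol ipsec);
# the same packets arriving in the clear, e.g. after the tunnel drops, are
# caught by the trailing DROP.
policy_rules() {
  ipt -A INPUT -s "$PEER_IP" -m policy --dir in --pol ipsec \
      -m multiport -p tcp --dports "$OPEN_PORTS" -j ACCEPT
  ipt -A INPUT -s "$PEER_IP" -j DROP
}

# Variant B: Roberto's approach. The gateway itself only accepts the IPsec
# transport from the peer (ESP plus IKE/NAT-T on UDP 500/4500); the decrypted
# subnet-to-subnet traffic is filtered in FORWARD. The policy match is kept on
# the FORWARD rules so that a packet with a REMOTE_NET source that did not come
# out of an SA is not treated as tunnel traffic.
esp_forward_rules() {
  ipt -A INPUT -s "$PEER_IP" -p esp -j ACCEPT
  ipt -A INPUT -s "$PEER_IP" -p udp --dport 500 -j ACCEPT    # IKE
  ipt -A INPUT -s "$PEER_IP" -p udp --dport 4500 -j ACCEPT   # IKE NAT-T
  ipt -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" \
      -m policy --dir in --pol ipsec \
      -p tcp -m multiport --dports "$OPEN_PORTS" -j ACCEPT
  ipt -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" \
      -m policy --dir out --pol ipsec -j ACCEPT
  ipt -A FORWARD -s "$REMOTE_NET" -j DROP
}

# Stand-alone run: show both rule sets (DRY_RUN=1) or apply them (DRY_RUN=0).
if [ "${1:-}" = "show" ]; then
  echo "# Variant A (policy match on INPUT)"; policy_rules
  echo "# Variant B (ESP on INPUT, policy match on FORWARD)"; esp_forward_rules
fi
```

Run `sh rules.sh show` to print both variants; the policy match is the part to look for when checking a ruleset, since it is what ties acceptance to the packet having been decrypted from an SA rather than merely carrying the expected addresses.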