[Openswan Users] Testing ipsec connection and confirming encryption

Kevin Keane subscription at kkeane.com
Wed Aug 24 07:50:18 EDT 2011


> -----Original Message-----
> From: Roberto Suarez Soto [mailto:roberto.suarez.soto at gmail.com]
> Sent: Wednesday, August 24, 2011 12:53 AM
> To: Kevin Keane
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Testing ipsec connection and confirming
> encryption
> 
> On 08/24/2011 08:33 AM, Kevin Keane wrote:
> > Thank you very much! That's exactly what I needed. For those who find this
> > post in Google, the correct syntax for iptables that worked for me was this:
> >
> > iptables -A INPUT -s <peer IP> -m policy --dir in --pol ipsec -m
> > multiport -p tcp --dports <whatever ports you want opened> -j ACCEPT
> >
> > This policy is a bit more restrictive than the one Paul suggested.
> 
> 	Just FWIW, what I usually do is allow only ESP traffic between the two
> IPSec peers, and then filter in FORWARD the traffic between subnets. I think in
> practice the result is as good as using -m policy. And if not, please do tell; I'm
> eager to know, for my own sake :-)
> 

That sounds like a great idea!

In my case, there are no subnets to protect; IPsec protects traffic between the actual machines.
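The two firewall styles discussed in this thread, written up as an added example (not code from either poster or from the Openswan project). The script only prints the iptables commands so the ruleset can be reviewed before it is applied; the peer address, ports and subnets are constructed placeholders, and it assumes the host already has a default-DROP INPUT/FORWARD policy with the usual ESTABLISHED,RELATED rule in place.

```shell
#!/bin/sh
# Added example: generators for the two rule styles from the thread.
# Nothing here runs iptables; pipe the output to sh on the gateway if it
# looks right. All addresses and ports below are constructed placeholders.

# Style 1 (host-to-host, as in Kevin's post): IKE and ESP from the peer are
# accepted, and the selected TCP ports are accepted only when the packet was
# decapsulated from an IPsec SA (-m policy). On Linux the ESP packet traverses
# INPUT first, then the decrypted inner packet traverses INPUT again, which is
# where the policy match fires; cleartext on the same ports is dropped.
policy_match_rules() {
    peer="$1"      # peer's public IP, e.g. 203.0.113.5
    ports="$2"     # comma-separated TCP ports, e.g. 22,443
    cat <<EOF
iptables -A INPUT -p udp -s $peer --dport 500 -j ACCEPT
iptables -A INPUT -p udp -s $peer --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -s $peer -j ACCEPT
iptables -A INPUT -s $peer -m policy --dir in --pol ipsec -m multiport -p tcp --dports $ports -j ACCEPT
EOF
}

# Style 2 (gateway-to-gateway, as in Roberto's reply): only IKE and ESP are
# allowed between the peers in INPUT; the subnet-to-subnet traffic is
# filtered in FORWARD. The FORWARD rule also carries -m policy so that a
# cleartext packet arriving on the outside interface with a source address in
# the remote subnet does not match it; without that match the rule decides
# by addresses alone.
esp_forward_rules() {
    peer="$1"      # remote gateway, e.g. 203.0.113.5
    remote="$2"    # remote protected subnet, e.g. 10.2.0.0/24
    local_net="$3" # local protected subnet, e.g. 10.1.0.0/24
    cat <<EOF
iptables -A INPUT -p udp -s $peer --dport 500 -j ACCEPT
iptables -A INPUT -p udp -s $peer --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -s $peer -j ACCEPT
iptables -A FORWARD -s $remote -d $local_net -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -s $local_net -d $remote -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# Count the rules a generator produced (handy for a quick sanity check).
rule_count() {
    "$@" | grep -c '^iptables'
}

# Example invocation with placeholder values; prints both rulesets.
if [ "${1:-}" = "show" ]; then
    echo "# host-to-host"; policy_match_rules 203.0.113.5 22,443
    echo "# gateway-to-gateway"; esp_forward_rules 203.0.113.5 10.2.0.0/24 10.1.0.0/24
fi
```

To confirm that traffic is really taking the tunnel after applying either set, watch the packet counters: `iptables -v -L INPUT` (or `FORWARD`) shows hits on the `-m policy` rule, and `ip -s xfrm state` shows the byte and packet counters of each SA climbing while the cleartext path stays at zero.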
