[Openswan Users] {Disarmed} IPSec Tunnel: Pass through connection not working
Neal Murphy
neal.p.murphy at alum.wpi.edu
Mon Nov 21 14:34:34 EST 2011
On Monday 21 November 2011 13:21:49 SaRaVanAn wrote:
> Hi Michael,
> I want to encrypt all the traffic that goes via my system (router).
> Suppose traffic is coming for a destination IP for which no tunnel
> exists; I need to block it (plain traffic should not go via my
> router). The reason behind adding a passthrough connection is that my
> system should not block AH/ESP/UDP-encapsulated traffic for a destination,
> irrespective of tunnel configurations.
Assuming you have a pre-defined network of tunnels, it sounds like you need to
use iptables (or equivalent, depending on your router's OS) to:
- allow port 500 (IKE), only to and from known/expected addrs
- allow port 4500 (NAT Traversal), only to and from known/expected addrs
- allow protocol 50 (ESP), only to and from known/expected addrs
- allow ICMP to the router only (required for IP to work)
- allow ARP (required for layer 2 to work)
- drop all other traffic
If you don't need NAT-T, don't allow it.
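One way to turn that list into a reviewable rule set, as an added example that is not part of the thread or of Openswan itself: the function below prints iptables commands rather than running them, so the result can be checked before it is piped into `sh` on the router. The router address and peer addresses are constructed samples, the FORWARD rules assume the kernel NETKEY stack with the `xt_policy` match available, and NAT-T is only opened when explicitly requested, following the advice above.

```shell
#!/bin/sh
# Added example: print iptables rules that allow IKE, ESP (and optionally
# NAT-T) only to/from known peers, ICMP to the router itself, and drop all
# other traffic. Nothing is applied; the output is a script to review.
#
# Usage: ipsec_rules ROUTER_IP "PEER1 PEER2 ..." [natt]
#   natt: pass the literal word "natt" to also allow UDP/4500 (NAT Traversal).
ipsec_rules() {
    router="$1"
    peers="$2"
    natt="${3:-}"

    # Default-deny on every chain; everything below is an explicit allow.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"

    # Reply packets of already-accepted flows need no further rules.
    echo "iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    for p in $peers; do
        # IKE (UDP/500) and ESP (protocol 50), only between router and peer.
        echo "iptables -A INPUT  -s $p -d $router -p udp --dport 500 -j ACCEPT"
        echo "iptables -A OUTPUT -s $router -d $p -p udp --dport 500 -j ACCEPT"
        echo "iptables -A INPUT  -s $p -d $router -p 50 -j ACCEPT"
        echo "iptables -A OUTPUT -s $router -d $p -p 50 -j ACCEPT"
        # NAT Traversal (UDP/4500) only when asked for; unused paths stay closed.
        if [ "$natt" = "natt" ]; then
            echo "iptables -A INPUT  -s $p -d $router -p udp --dport 4500 -j ACCEPT"
            echo "iptables -A OUTPUT -s $router -d $p -p udp --dport 4500 -j ACCEPT"
        fi
    done

    # ICMP to/from the router itself only (PMTU discovery, unreachables).
    echo "iptables -A INPUT  -d $router -p icmp -j ACCEPT"
    echo "iptables -A OUTPUT -s $router -p icmp -j ACCEPT"

    # Forwarded traffic: accept only packets that arrived through, or will
    # leave through, an IPsec SA (xt_policy match; assumes the NETKEY stack).
    # Plaintext transit traffic falls through to the FORWARD DROP policy.
    echo "iptables -A FORWARD -m policy --dir in  --pol ipsec -j ACCEPT"
    echo "iptables -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT"

    # ARP is layer 2 and never passes through iptables, so nothing is needed
    # here unless arptables/ebtables policies are also in use on the router.
}

# Sample invocation with constructed addresses; output is the rule script.
# ipsec_rules 192.0.2.1 "198.51.100.10 198.51.100.20" | sh   # apply on router
ipsec_rules 192.0.2.1 "198.51.100.10 198.51.100.20"
```

The point of printing rather than applying is that a default-DROP policy applied over a remote session with a mistake in the allow list locks you out; review the output, then apply it from the console or with a timed rollback.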