[Openswan Users] ipsec gateway firewall guidance

sibu sibxol at btconnect.com
Fri Mar 22 23:24:37 UTC 2013


On Friday 22 March 2013 21:09:23 Neal Murphy wrote:
> The gateway already knows where to send packets to your internal SSH
> server.  Once the VPN is up, the gateway also knows where to send packets
> to the remote's IP address. It is simple routing; all packets are sent
> through the FORWARD chain.
> 
> There's one caveat. If you have netfilter rules controlling packets
> traversing between your internal LAN and the VPN, you'll need to ACCEPT
> NEW,ESTABLISHED conns on your SSH port from the remote IP on the ipsecN:
> interface when the packets arrive from the VPN, and you'll need to ACCEPT
> ESTABLISHED conns from your internal SSH server to the remote's IP.

thanks
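
The two FORWARD rules described in the quoted reply, written out as an added example that is not part of the original thread. The interface names (`ipsec0`, `eth1`), both addresses and the `forward_rules` helper are constructed assumptions; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) the FORWARD rules from the quoted reply.
# Interface names and addresses used here are constructed placeholders.

# forward_rules VPN_IF LAN_IF REMOTE_IP SSH_SERVER_IP [SSH_PORT]
forward_rules() {
    vpn_if=$1 lan_if=$2 remote=$3 server=$4 port=${5:-22}

    # Accept only single dotted-quad hosts and a numeric port, so a typo or a
    # pasted subnet cannot silently widen the rule.
    for ip in "$remote" "$server"; do
        case $ip in
            *[!0-9.]*|''|*..*|.*|*.) echo "bad address: $ip" >&2; return 1 ;;
        esac
    done
    case $port in
        *[!0-9]*|'') echo "bad port: $port" >&2; return 1 ;;
    esac

    # Remote peer -> internal SSH server, arriving on the VPN interface:
    # new and established connections to the SSH port.
    echo "iptables -A FORWARD -i $vpn_if -o $lan_if -s $remote -d $server -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # Internal SSH server -> remote peer: reply traffic only.
    echo "iptables -A FORWARD -i $lan_if -o $vpn_if -s $server -d $remote -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Constructed sample values: remote peer 203.0.113.7, SSH server 192.168.1.10.
forward_rules ipsec0 eth1 203.0.113.7 192.168.1.10
```

The reply direction is restricted to ESTABLISHED, so the internal server cannot open new connections toward the remote peer through this pair of rules.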

