[Openswan Users] New User Question

Matt Smith matt at nearapogee.com
Thu May 30 23:22:22 UTC 2013


> Date: Wed, 29 May 2013 12:50:05 -0400
> From: Neal Murphy <neal.p.murphy at alum.wpi.edu>
> To: users at openswan.org
> Subject: Re: [Openswan Users] New User Question
> Message-ID: <201305291250.05808.neal.p.murphy at alum.wpi.edu>
> Content-Type: Text/Plain;  charset="iso-8859-1"
> 
> Unless you are using a very old version of Linux, virtual interfaces should be 
> extinct. Today, an IF can have one or more primary addresses, each with zero 
> or more secondary addresses. (The first address in a LAN added becomes the 
> primary address; all other addrs in that LAN added later become secondary 
> addresses.)

Slightly off topic for this list, but I could not find any documentation
on this. And all of my experiments did not result in success. I would be
interested and grateful if you could point me in the direction of a
resource on this.

> To address your issue, something like the following should guarantee that only 
> IPSEC traffic passes between the two private addresses. Reverse the -d and -s 
> addrs for the other host. It neither addresses nor affects any other traffic.
> 
> -N chkPrivate
> -A chkPrivate -p esp -j ACCEPT
> -A chkPrivate -p udp -m multiport --ports 500,4500 -j ACCEPT
> -A chkPrivate -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -s 192.168.151.58 -d 192.168.136.96 -j chkPrivate
> -A OUTPUT -s 192.168.136.96 -d 192.168.151.58 -j chkPrivate

This is what I ended up with:
-N PRIVATE
-N PRIVATEIN
-N PRIVATEOUT
-A PRIVATE -p esp -j ACCEPT
-A PRIVATE -p udp -m multiport --ports 500,4500 -j ACCEPT
-A PRIVATE -j REJECT --reject-with icmp-port-unreachable
-A PRIVATEIN -m policy --dir in --pol ipsec -j ACCEPT
-A PRIVATEIN -j PRIVATE
-A PRIVATEOUT -m policy --dir out --pol ipsec -j ACCEPT
-A PRIVATEOUT -j PRIVATE
-A INPUT -s 192.168.151.58 -d 192.168.136.96 -j PRIVATEIN
-A OUTPUT -s 192.168.136.96 -d 192.168.151.58 -j PRIVATEOUT

The "-m policy --dir {in|out} --pol ipsec -j ACCEPT" rules seemed to be
required to trust all IPSEC traffic between boxes, providing that is what
you want to do. In my case both boxes are fully trusted. Please correct
me if I am errant in my thinking.

Much thanks! Very helpful.
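To make the behaviour of the PRIVATE/PRIVATEIN/PRIVATEOUT ruleset concrete without loading it into a kernel, here is an added example (not part of this thread and not Openswan code): a small offline evaluator that parses the ruleset exactly as posted and walks sample packets through INPUT and OUTPUT. It assumes the built-in chains have policy ACCEPT and models the kernel's xfrm policy lookup (`-m policy --pol ipsec`) as a boolean flag on the packet meaning "this packet was decapsulated from, or will be encapsulated into, an IPsec SA". Only the options the ruleset uses are understood.

```python
"""Toy iptables evaluator for the PRIVATE/PRIVATEIN/PRIVATEOUT ruleset.

Added example, not from the mailing-list thread.  Supports only -p, -s, -d,
-m multiport --ports, -m policy --dir/--pol, -j and --reject-with, and
assumes INPUT/OUTPUT have policy ACCEPT.
"""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The ruleset exactly as posted in the mail (iptables-save style).
RULESET = """
-N PRIVATE
-N PRIVATEIN
-N PRIVATEOUT
-A PRIVATE -p esp -j ACCEPT
-A PRIVATE -p udp -m multiport --ports 500,4500 -j ACCEPT
-A PRIVATE -j REJECT --reject-with icmp-port-unreachable
-A PRIVATEIN -m policy --dir in --pol ipsec -j ACCEPT
-A PRIVATEIN -j PRIVATE
-A PRIVATEOUT -m policy --dir out --pol ipsec -j ACCEPT
-A PRIVATEOUT -j PRIVATE
-A INPUT -s 192.168.151.58 -d 192.168.136.96 -j PRIVATEIN
-A OUTPUT -s 192.168.136.96 -d 192.168.151.58 -j PRIVATEOUT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "esp", "udp", "tcp", ...
    sport: int = 0
    dport: int = 0
    ipsec: bool = False   # stands in for the kernel's xfrm policy lookup (assumption)


def parse_ruleset(text):
    """Parse -N/-A lines into {chain: [rule dict, ...]}."""
    chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-N":
            chains.setdefault(toks[1], [])
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule = {"chain": toks[1]}
        i = 2
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            if opt == "-p":
                rule["proto"] = val
            elif opt == "-s":
                rule["src"] = val
            elif opt == "-d":
                rule["dst"] = val
            elif opt == "-m":
                pass                      # match module name; its options follow
            elif opt == "--ports":        # multiport: either source or dest port
                rule["ports"] = {int(p) for p in val.split(",")}
            elif opt == "--dir":
                rule["dir"] = val
            elif opt == "--pol":
                rule["pol"] = val
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--reject-with":
                rule["reject_with"] = val
            else:
                raise ValueError(f"unsupported option {opt} in: {line}")
            i += 2
        chains[rule["chain"]].append(rule)
    return chains


def _matches(rule, pkt, direction):
    if "proto" in rule and pkt.proto != rule["proto"]:
        return False
    if "src" in rule and ip_address(pkt.src) not in ip_network(rule["src"], strict=False):
        return False
    if "dst" in rule and ip_address(pkt.dst) not in ip_network(rule["dst"], strict=False):
        return False
    if "ports" in rule and pkt.sport not in rule["ports"] and pkt.dport not in rule["ports"]:
        return False
    # -m policy --pol ipsec: the packet must be IPsec-protected in the rule's direction
    if rule.get("pol") == "ipsec" and not (pkt.ipsec and rule.get("dir") == direction):
        return False
    return True


def evaluate(chains, chain, pkt, direction=None, policy="ACCEPT"):
    """Verdict for pkt entering `chain`; None when a user chain falls through (RETURN)."""
    if direction is None:
        direction = {"INPUT": "in", "OUTPUT": "out"}.get(chain, "fwd")
    for rule in chains[chain]:
        if not _matches(rule, pkt, direction):
            continue
        target = rule.get("target")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target is not None:                   # jump into a user-defined chain
            verdict = evaluate(chains, target, pkt, direction, None)
            if verdict is not None:
                return verdict
    return policy


CHAINS = parse_ruleset(RULESET)
A, B = "192.168.151.58", "192.168.136.96"       # the two hosts from the mail


def verdicts():
    """Walk constructed sample packets through the ruleset on host B."""
    cases = {
        "esp from peer":                 ("INPUT",  Packet(A, B, "esp")),
        "ike from peer":                 ("INPUT",  Packet(A, B, "udp", 500, 500)),
        "nat-t from peer":               ("INPUT",  Packet(A, B, "udp", 4500, 4500)),
        "cleartext ssh from peer":       ("INPUT",  Packet(A, B, "tcp", 51000, 22)),
        "ssh from peer via ipsec":       ("INPUT",  Packet(A, B, "tcp", 51000, 22, ipsec=True)),
        "cleartext ssh to peer":         ("OUTPUT", Packet(B, A, "tcp", 51000, 22)),
        "ssh to peer via ipsec":         ("OUTPUT", Packet(B, A, "tcp", 51000, 22, ipsec=True)),
        "cleartext ssh from other host": ("INPUT",  Packet("10.0.0.5", B, "tcp", 51000, 22)),
    }
    return {name: evaluate(CHAINS, chain, pkt) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:32s} -> {verdict}")
```

The walk shows the property the thread is after: between the two private addresses only ESP, IKE/NAT-T and traffic that actually passed through an IPsec SA is accepted, cleartext between them is rejected in both directions, and traffic from any other host never enters the PRIVATE chains and is left to the built-in policy.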
