[Openswan Users] New User Question

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri May 31 01:55:20 UTC 2013


On Thursday, May 30, 2013 07:22:22 PM Matt Smith wrote:
 
> Slightly off topic for this list, but I could not find any documentation
> on this. And all of my experiments did not result in success. I would be
> interested and grateful if you could point me in the direction of a
> resource on this.

http://en.wikipedia.org/wiki/Ifconfig. The net-tools pkg (source of ifconfig) 
hasn't been updated since April, 2001; there've been a lot of changes since 
then. Basically, it has been deprecated for a looong time. But like some of 
James Cagney's film characters, it doesn't take kindly to dyin'. The iproute2 
pkg replaces it and other utilities--and generally does a better job.

As to the 'new way' look up documentation on the iproute2 package.

> This is what I ended up with:
> -N PRIVATE
> -N PRIVATEIN
> -N PRIVATEOUT
> -A PRIVATE -p esp -j ACCEPT
> -A PRIVATE -p udp -m multiport --ports 500,4500 -j ACCEPT
> -A PRIVATE -j REJECT --reject-with icmp-port-unreachable
> -A PRIVATEIN -m policy --dir in --pol ipsec -j ACCEPT
> -A PRIVATEIN -j PRIVATE
> -A PRIVATEOUT -m policy --dir out --pol ipsec -j ACCEPT
> -A PRIVATEOUT -j PRIVATE
> -A INPUT -s 192.168.151.58 -d 192.168.136.96 -j PRIVATEIN
> -A OUTPUT -s 192.168.136.96 -d 192.168.151.58 -j PRIVATEOUT
> 
> The "-m policy --dir {in|out} --pol ipsec -j ACCEPT" rules seemed to be
> required to trust all IPSEC traffic between boxes, providing that is what
> you want to do. In my case both boxes are fully trusted. Please correct
> me, if I am errant in my thinking.

To my semi-expert eye, it looks OK. This is as close as I can get you. Now 
it's time to experiment, to find what *really* works.
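As an added example, not part of either post: a small Python evaluator that walks the quoted ruleset the way netfilter would, so the effect of the `-m policy --pol ipsec` rules can be seen on sample packets without root or a live SA. It assumes a packet is a dict with `dir`, `src`, `dst`, `proto`, `sport`, `dport` and an `ipsec` flag that stands in for the kernel's SPD decision.

```python
# Added example, not from the post: evaluates the quoted ruleset on sample
# packets. pkt["ipsec"] is an assumed input standing in for the kernel SPD.
RULES = """-N PRIVATE
-N PRIVATEIN
-N PRIVATEOUT
-A PRIVATE -p esp -j ACCEPT
-A PRIVATE -p udp -m multiport --ports 500,4500 -j ACCEPT
-A PRIVATE -j REJECT --reject-with icmp-port-unreachable
-A PRIVATEIN -m policy --dir in --pol ipsec -j ACCEPT
-A PRIVATEIN -j PRIVATE
-A PRIVATEOUT -m policy --dir out --pol ipsec -j ACCEPT
-A PRIVATEOUT -j PRIVATE
-A INPUT -s 192.168.151.58 -d 192.168.136.96 -j PRIVATEIN
-A OUTPUT -s 192.168.136.96 -d 192.168.151.58 -j PRIVATEOUT"""

def parse(text):
    """{chain: [rule-dict, ...]}; every option in this ruleset takes one value."""
    chains = {}
    for argv in (line.split() for line in text.splitlines()):
        if argv[0] == "-A":                 # "-N" only creates a chain
            opts = argv[2:]
            rule = {opts[i]: opts[i + 1] for i in range(0, len(opts), 2)
                    if opts[i] != "-m"}     # "-m name" just loads a match module
            chains.setdefault(argv[1], []).append(rule)
    return chains

def matches(r, pkt):
    """All options on the rule must match the packet (ruleset uses no '!')."""
    for opt, key in (("-s", "src"), ("-d", "dst"), ("-p", "proto"), ("--dir", "dir")):
        if opt in r and r[opt] != pkt[key]:
            return False
    if "--ports" in r and not {pkt.get("sport"), pkt.get("dport")} & set(map(int, r["--ports"].split(","))):
        return False
    # -m policy --pol ipsec is true only when the SPD says the packet is IPsec-protected
    return "--pol" not in r or (r["--pol"] == "ipsec") == pkt.get("ipsec", False)

def verdict(chains, chain, pkt):
    """Walk one chain; None means it fell off the end (RETURN / chain policy)."""
    for r in chains.get(chain, []):
        if matches(r, pkt):
            if r["-j"] in ("ACCEPT", "DROP", "REJECT"):
                return r["-j"]
            v = verdict(chains, r["-j"], pkt)           # jump into a user chain
            if v is not None:
                return v
    return None

def decide(pkt, chains=parse(RULES)):
    return verdict(chains, "INPUT" if pkt["dir"] == "in" else "OUTPUT", pkt) or "POLICY"
```

Running a cleartext TCP packet between the two hosts through `decide` shows it reaching the REJECT in PRIVATE, while the same packet flagged as IPsec-protected is accepted by the policy rule before it ever gets there.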

