[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?

Simon Deziel simon at xelerance.com
Wed Jan 15 21:02:01 EST 2014


Hi Idan,

You can set your connection to use "auto=route" or "auto=start". This
will keep the IPsec connection ready to secure the communication between
the 2 peers.

You can supplement this with some iptables rules like those:

 iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
          --proto esp --mode transport -d <Other_IP> -j ACCEPT
 iptables -A OUTPUT -d <Other_IP> -j REJECT

 iptables -A INPUT -m policy --dir in --pol ipsec --strict \
          --proto esp --mode transport -s <Other_IP> -j ACCEPT
 iptables -A INPUT -s <Other_IP> -j REJECT

The REJECT rules could also be used with "--pol none". I'd recommend
reading man 8 iptables for more ideas on how to tweak those rules.

HTH,
Simon
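As an added example (not part of the original post), the small POSIX shell script below generates the four rules Simon describes for one peer and audits the output of `iptables -S <chain>` for the ordering mistake that matters most with this approach: iptables is first-match, so if the blanket REJECT for the peer ends up ahead of the `-m policy --pol ipsec` ACCEPT, all traffic to that peer is blocked, and if the REJECT is missing, cleartext is still allowed. The `iptables -S` sample lines are constructed here, the peer address 192.0.2.10 is a documentation address, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Generates "require IPsec"
# rules for one peer and audits an existing chain listing for correct
# ordering. Needs the xt_policy match (-m policy) on the host that
# actually applies the rules; this script itself only prints and checks.

# Print (do not apply) the rules for one peer. Pipe to sh to apply.
ipsec_require_rules() {
    peer="$1"
    cat <<EOF
iptables -A OUTPUT -d $peer -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT
iptables -A OUTPUT -d $peer -j REJECT
iptables -A INPUT -s $peer -m policy --dir in --pol ipsec --strict --proto esp --mode transport -j ACCEPT
iptables -A INPUT -s $peer -j REJECT
EOF
}

# Audit one chain. Reads 'iptables -S <chain>' output on stdin.
#   $1 chain (OUTPUT or INPUT), $2 peer IP, $3 address flag (-d or -s)
# Exit status: 0 ok, 1 no REJECT/DROP for the peer (cleartext allowed),
#              2 no IPsec-policy ACCEPT for the peer (all traffic blocked),
#              3 REJECT precedes the ACCEPT (all traffic blocked).
audit_chain() {
    chain="$1"; peer="$2"; flag="$3"
    # Only rules of this chain that address the peer (iptables -S prints /32).
    rules=$(grep -- "^-A $chain " | grep -E -- "$flag $peer(/32)? ")
    accept=$(printf '%s\n' "$rules" | grep -n -- '--pol ipsec' \
             | grep -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    # A "--pol none" REJECT (as Simon mentions) is also accepted here.
    reject=$(printf '%s\n' "$rules" | grep -n -v -- '--pol ipsec' \
             | grep -E -- '-j (REJECT|DROP)' | head -n 1 | cut -d: -f1)
    [ -n "$reject" ] || return 1
    [ -n "$accept" ] || return 2
    [ "$accept" -lt "$reject" ] || return 3
    return 0
}

# Constructed 'iptables -S OUTPUT' listings (sample data, not from a real host).
SAMPLE_GOOD='-P OUTPUT ACCEPT
-A OUTPUT -d 192.0.2.10/32 -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable'

SAMPLE_WRONG_ORDER='-P OUTPUT ACCEPT
-A OUTPUT -d 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 192.0.2.10/32 -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT'

SAMPLE_NO_REJECT='-P OUTPUT ACCEPT
-A OUTPUT -d 192.0.2.10/32 -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT'

# Demo when run directly: audit each sample and report the status code.
for name in SAMPLE_GOOD SAMPLE_WRONG_ORDER SAMPLE_NO_REJECT; do
    eval "listing=\$$name"
    rc=0
    printf '%s\n' "$listing" | audit_chain OUTPUT 192.0.2.10 -d || rc=$?
    echo "$name: audit status $rc"
done
```

On a live host the audit runs as `iptables -S OUTPUT | audit_chain OUTPUT <Other_IP> -d` and `iptables -S INPUT | audit_chain INPUT <Other_IP> -s`; a non-zero status tells you which of the two failure modes (cleartext still allowed, or peer fully blocked) you have before the change goes unnoticed in production.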

On 14-01-15 08:18 PM, Idan Freiberg wrote:
> Hello all!
> 
> I'm trying to restrict connections to my CentOS box, so just Windows
> clients with a corresponding PSK will be able to communicate with my box.
> 
> In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
> means non-IPsec traffic will be dropped automatically (clear traffic).
> 
> I find it hard to configure a REQUIRE-like rule with Openswan.
> 
> P.S. I am using IPsec in transport mode, not tunnel mode.
> 
> Any help will be appreciated.
> Idan.
> 
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users