[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?
Simon Deziel
simon at xelerance.com
Wed Jan 15 21:02:01 EST 2014
Hi Idan,
You can set your connection to use "auto=route" or "auto=start". This
will keep the IPsec connection ready to secure the communication between
the two peers.
You can supplement this with some iptables rules like these:
# Outbound: accept traffic to the peer only when it is covered by an ESP
# transport-mode policy; everything else to the peer (cleartext) is rejected.
iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
    --proto esp --mode transport -d <Other_IP> -j ACCEPT
iptables -A OUTPUT -d <Other_IP> -j REJECT
# Inbound: the same pair of rules, matching the peer as the source.
iptables -A INPUT -m policy --dir in --pol ipsec --strict \
    --proto esp --mode transport -s <Other_IP> -j ACCEPT
iptables -A INPUT -s <Other_IP> -j REJECT
The REJECT rules could also be used with "--pol none". I'd recommend
reading man 8 iptables for more ideas on how to tweak those rules.
HTH,
Simon
On 14-01-15 08:18 PM, Idan Freiberg wrote:
> Hello all!
>
> I'm trying to restrict connections to my CentOS box, so that just Windows
> clients with a corresponding PSK will be able to communicate with my box.
>
> In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
> means non-IPsec traffic will be dropped automatically (clear traffic).
>
> I find it hard to configure a REQUIRE-like rule with Openswan.
>
> P.S. I am using IPsec in transport mode, not tunnel mode.
>
> Any help will be appreciated.
> Idan.
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
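Editor's added example (not part of the thread above, and not Openswan's own code): a small script that puts the two pieces of Simon's advice together for one peer, a transport-mode conn with auto=route and the "REQUIRE"-style -m policy firewall rules. The peer address 203.0.113.10, the local address 198.51.100.5, the conn name and the PSK are placeholders. Two things are added that the reply does not show: ACCEPT rules for IKE (UDP/500 and UDP/4500) and for ESP itself (IP protocol 50). From the filter chains' point of view those packets carry no IPsec policy, so a bare REJECT (or a --pol none REJECT) placed after the policy match would also drop the negotiation and the encrypted packets on their way to the kernel's decryption step; they have to be accepted before the REJECT rules.

```shell
#!/bin/sh
# Added example (editor's, not from the Openswan thread or project).
# Builds a "REQUIRE IPsec" stance for one peer on an Openswan host:
# an ipsec.conf conn fragment, the matching ipsec.secrets line, and the
# iptables rules that reject any cleartext exchanged with that peer.
set -eu

PEER="${PEER:-203.0.113.10}"   # assumed peer address (constructed, TEST-NET-3)
ME="${ME:-198.51.100.5}"       # assumed local address (constructed, TEST-NET-2)
IPT="${IPT:-echo iptables}"    # dry-run by default; run with IPT=iptables to apply

# Openswan conn fragment: transport mode, PSK, auto=route so the kernel policy
# is installed at "ipsec start" and the first packet to the peer triggers IKE.
conn_fragment() {
    cat <<EOF
conn require-$1
    type=transport
    authby=secret
    left=$ME
    right=$1
    auto=route
EOF
}

# The matching /etc/ipsec.secrets line (the key passed in is a placeholder).
secrets_line() {
    printf '%s %s : PSK "%s"\n' "$ME" "$1" "$2"
}

# iptables arguments implementing REQUIRE for one peer, in the order they must
# be appended: IKE and ESP in the clear (neither carries a filter-chain policy),
# then ESP-protected transport traffic, then reject anything else, i.e. cleartext.
require_ipsec_rules() {
    cat <<EOF
-A OUTPUT -d $1 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT  -s $1 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -d $1 -p esp -j ACCEPT
-A INPUT  -s $1 -p esp -j ACCEPT
-A OUTPUT -d $1 -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT
-A INPUT  -s $1 -m policy --dir in  --pol ipsec --strict --proto esp --mode transport -j ACCEPT
-A OUTPUT -d $1 -m policy --dir out --pol none -j REJECT
-A INPUT  -s $1 -m policy --dir in  --pol none -j REJECT
EOF
}

# Feed each rule to iptables (or just echo it in dry-run mode).
apply_rules() {
    require_ipsec_rules "$1" | while IFS= read -r rule; do
        # word-splitting of $rule into separate arguments is intended
        $IPT $rule
    done
}

conn_fragment "$PEER"
secrets_line "$PEER" "replace-with-a-long-random-psk"
apply_rules "$PEER"
```

Run it once without IPT set to review the generated conn, secrets line and rules; then `IPT=iptables sh require-ipsec.sh` to apply. After `ipsec start`, `ip xfrm policy` should list the transport-mode policy for the peer that auto=route installs, and `iptables -L INPUT -v -n` lets you watch the REJECT counters rise only for unprotected packets.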