[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?
simon at xelerance.com
Wed Jan 15 21:02:01 EST 2014
You can set your connection to use "auto=route" or "auto=start". This
will keep the IPsec connection ready to secure the communication between
the 2 peers.
You can supplement this with some iptables rules like those:
iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
--proto esp --mode transport -d <Other_IP> -j ACCEPT
iptables -A OUTPUT -d <Other_IP> -j REJECT
iptables -A INPUT -m policy --dir in --pol ipsec --strict \
--proto esp --mode transport -s <Other_IP> -j ACCEPT
iptables -A INPUT -s <Other_IP> -j REJECT
The REJECT rules could also be used with "--pol none". I'd recommend
reading man 8 iptables for more ideas on how to tweak those rules.
On 14-01-15 08:18 PM, Idan Freiberg wrote:
> Hello all!
> I'm trying to restrict connections to my CentOS box, so just Windows
> clients with a corresponding PSK will be able to communicate with my box.
> In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
> means non-IPsec traffic will be dropped automatically (clear traffic).
> I find it hard to configure a REQUIRE-like rule with Openswan.
> P.S. I am using IPsec in transport mode, not tunnel mode.
> Any help will be appreciated.
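The rules above only work when the policy-match ACCEPT sits before the REJECT in each chain; if the order is reversed, the IPsec-protected traffic is rejected too. The following audit script is an added example (not from this thread or from Openswan): it parses an iptables-save dump and, for a given peer, reports per chain whether the transport-mode ESP policy ACCEPT exists and precedes the REJECT. The dump and the peer address 192.0.2.10 are constructed placeholders.

```python
# Constructed iptables-save excerpt (placeholder peer 192.0.2.10, not real output).
# INPUT is ordered correctly; OUTPUT has the REJECT before the policy ACCEPT.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -m policy --dir in --pol ipsec --strict --proto esp --mode transport -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 192.0.2.10/32 -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT
COMMIT
"""


def audit_require_ipsec(dump, peer):
    """Return {chain: verdict} for INPUT and OUTPUT, where verdict is one of
    'ok', 'misordered', 'missing-ipsec-accept' or 'missing-reject'."""
    verdicts = {}
    for chain, addr_flag, direction in (("INPUT", "-s", "in"), ("OUTPUT", "-d", "out")):
        accept_pos = reject_pos = None
        pos = 0
        for line in dump.splitlines():
            if not line.startswith(f"-A {chain} "):
                continue
            pos += 1  # position of this rule within the chain
            # Only rules addressed to/from the peer matter (with or without /32).
            if f"{addr_flag} {peer}/32" not in line and f"{addr_flag} {peer} " not in line:
                continue
            is_ipsec_match = (f"--dir {direction}" in line and "--pol ipsec" in line
                              and "--mode transport" in line and "--proto esp" in line)
            if is_ipsec_match and "-j ACCEPT" in line and accept_pos is None:
                accept_pos = pos
            elif ("-j REJECT" in line or "-j DROP" in line) and reject_pos is None:
                # A REJECT qualified with "-m policy --pol none" still counts here.
                reject_pos = pos
        if accept_pos is None:
            verdicts[chain] = "missing-ipsec-accept"
        elif reject_pos is None:
            verdicts[chain] = "missing-reject"
        elif reject_pos < accept_pos:
            verdicts[chain] = "misordered"  # clear and IPsec traffic both rejected
        else:
            verdicts[chain] = "ok"
    return verdicts


if __name__ == "__main__":
    print(audit_require_ipsec(SAMPLE_RULES, "192.0.2.10"))
```

On a live box, feed it the output of `iptables-save` instead of the constructed sample.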