[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?
Simon Deziel
simon at xelerance.com
Thu Jan 16 21:41:14 EST 2014
If your IPsec connection is alive, the iptables rules are not needed as the
kernel will make sure to encrypt any packets between both peers. This is
not something racoon or Openswan does, it's the kernel directly.
The iptables rules are there to prevent any communication if your IPsec
connection accidentally dies or something like that.
Simon
On 14-01-16 02:15 AM, Idan Freiberg wrote:
> Thanks a lot!
>
> As far as I remember the *racoon* daemon isn't relying on iptables for
> dropping unsecured connections.
> As far as I understand, Openswan isn't dealing with that, can you accept?
>
>
> On Thu, Jan 16, 2014 at 4:02 AM, Simon Deziel <simon at xelerance.com
> <mailto:simon at xelerance.com>> wrote:
>
> Hi Idan,
>
> You can set your connection to use "auto=route" or "auto=start". This
> will keep the IPsec connection ready to secure the communication between
> the 2 peers.
>
> You can supplement this with some iptables rules like those:
>
> iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
> --proto esp --mode transport -d <Other_IP> -j ACCEPT
> iptables -A OUTPUT -d <Other_IP> -j REJECT
>
> iptables -A INPUT -m policy --dir in --pol ipsec --strict \
> --proto esp --mode transport -s <Other_IP> -j ACCEPT
> iptables -A INPUT -s <Other_IP> -j REJECT
>
> The REJECT rules could also be used with "--pol none". I'd recommend
> reading man 8 iptables for more ideas on how to tweak those rules.
>
> HTH,
> Simon
>
> On 14-01-15 08:18 PM, Idan Freiberg wrote:
> > hello all!
> >
> > I'm trying to restrict connections to my CentOS box, so just Windows
> > clients with a corresponding PSK will be able to communicate with
> > my box.
> >
> > In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
> > means non-IPsec traffic will be dropped automatically (clear traffic).
> >
> > I find it hard to configure a REQUIRE-like rule with Openswan.
> >
> > P.S. I am using IPsec in transport mode, not tunnel mode.
> >
> > Any help will be appreciated.
> > Idan.
> >
> >
> >
> > _______________________________________________
> > Users at lists.openswan.org <mailto:Users at lists.openswan.org>
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments:
> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> >
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>
>
> --
> Idan Freiberg
> Mobile: +972-52-2925213
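The rule set from Simon's reply, written up as an added, stand-alone example (this is not code from the thread or from the Openswan project). It assumes a transport-mode, host-to-host connection already configured in Openswan with auto=route or auto=start, an iptables binary named by IPT (set IPT=echo to dry-run), and a placeholder peer address (192.0.2.10 is used in the usage line). Two groups of rules are my addition on top of the quoted ones: the IKE exchange (UDP/500, and UDP/4500 for NAT-T) and the raw inbound ESP packet must be accepted explicitly, because the policy match only sees the policy attached to the decapsulated (or to-be-encapsulated) packet, so a peer-wide REJECT placed after the policy-match ACCEPT would otherwise also block the negotiation and the not-yet-decapsulated ESP traffic.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Build a "require IPsec" policy for one transport-mode peer using the
# iptables policy match. IPT is a placeholder for the iptables binary;
# run with IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

require_ipsec_transport() {
    peer="$1"

    # IKE itself travels outside the SA, so UDP/500 (and UDP/4500 for
    # NAT traversal) has to be accepted in the clear in both directions;
    # otherwise the SA can never be negotiated or renewed.
    "$IPT" -A OUTPUT -p udp -d "$peer" --dport 500 -j ACCEPT
    "$IPT" -A OUTPUT -p udp -d "$peer" --dport 4500 -j ACCEPT
    "$IPT" -A INPUT -p udp -s "$peer" --dport 500 -j ACCEPT
    "$IPT" -A INPUT -p udp -s "$peer" --dport 4500 -j ACCEPT

    # An inbound ESP packet traverses INPUT once as raw protocol 50, with
    # no IPsec policy attached yet, and again after decapsulation. The raw
    # packet needs its own ACCEPT; the decapsulated one is handled by the
    # policy-match rule below. (UDP-encapsulated ESP is covered by 4500.)
    "$IPT" -A INPUT -p esp -s "$peer" -j ACCEPT

    # Outbound: accept only what the kernel will wrap in transport-mode ESP
    # to this peer, then reject everything else addressed to it.
    "$IPT" -A OUTPUT -m policy --dir out --pol ipsec --strict \
        --proto esp --mode transport -d "$peer" -j ACCEPT
    "$IPT" -A OUTPUT -d "$peer" -j REJECT

    # Inbound: accept only what arrived through transport-mode ESP from
    # this peer, then reject everything else from it.
    "$IPT" -A INPUT -m policy --dir in --pol ipsec --strict \
        --proto esp --mode transport -s "$peer" -j ACCEPT
    "$IPT" -A INPUT -s "$peer" -j REJECT
}

# Usage: sh require-ipsec.sh 192.0.2.10   (as root; IPT=echo for a dry run)
if [ -n "${1:-}" ]; then
    require_ipsec_transport "$1"
fi
```

The two REJECT rules are the ones that turn the policy into a REQUIRE: if the SA is gone and the connection is only auto=route'd, the kernel still attaches the outbound policy and holds the packet while IKE renegotiates, so the OUTPUT policy-match rule keeps matching; what the REJECTs catch is clear-text traffic to or from the peer when no policy applies at all. Check the installed policy with `ip xfrm policy` and the rules with `iptables -L -v`, and add the matching ip6tables rules if the peer is reachable over IPv6.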