[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?

Simon Deziel simon at xelerance.com
Fri Jan 17 18:25:47 EST 2014


On 14-01-17 06:19 PM, Idan Freiberg wrote:
> Can I drop non-ipsec connections without using iptables?
> 
> (like racoon does)

What happens if racoon dies and the IPsec connection goes out?

It would start leaking traffic in plain text. That's when iptables'
extra protection can be handy.

Simon

P.S.: Please reply to the mailing list directly as others might be
interested in your thread.

> On Jan 17, 2014 4:42 AM, "Simon Deziel" <simon at xelerance.com> wrote:
> 
>     If your IPsec connection is alive, the iptables rules are not needed as the
>     kernel will make sure to encrypt any packets between both peers. This is
>     not something racoon or Openswan does, it's the kernel directly.
> 
>     The iptables rules are there to prevent any communication if your IPsec
>     connections accidentally dies or something like that.
> 
>     Simon
> 
>     On 14-01-16 02:15 AM, Idan Freiberg wrote:
>     > Thanks a lot!
>     >
>     > As far as I remember the *racoon* daemon isn't relying on iptables for
>     > dropping unsecured connections.
>     > As far as I understand, openswan isn't dealing with that, can you
>     > accept?
>     >
>     >
>     > On Thu, Jan 16, 2014 at 4:02 AM, Simon Deziel <simon at xelerance.com> wrote:
>     >
>     >     Hi Idan,
>     >
>     >     You can set your connection to use "auto=route" or "auto=start". This
>     >     will keep the IPsec connection ready to secure the communication between
>     >     the 2 peers.
>     >
>     >     You can supplement this with some iptables rules like those:
>     >
>     >      iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
>     >               --proto esp --mode transport -d <Other_IP> -j ACCEPT
>     >      iptables -A OUTPUT -d <Other_IP> -j REJECT
>     >
>     >      iptables -A INPUT -m policy --dir in --pol ipsec --strict \
>     >               --proto esp --mode transport -s <Other_IP> -j ACCEPT
>     >      iptables -A INPUT -s <Other_IP> -j REJECT
>     >
>     >     The REJECT rules could also be used with "--pol none". I'd recommend
>     >     reading man 8 iptables for more ideas on how to tweak those rules.
>     >
>     >     HTH,
>     >     Simon
>     >
>     >     On 14-01-15 08:18 PM, Idan Freiberg wrote:
>     >     > Hello all!
>     >     >
>     >     > I'm trying to restrict connections to my CentOS box, so just Windows
>     >     > clients with a corresponding PSK will be able to communicate with
>     >     > my box.
>     >     >
>     >     > In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
>     >     > means non-IPsec traffic will be dropped automatically (clear traffic).
>     >     >
>     >     > I find it hard to configure a REQUIRE-like rule with Openswan.
>     >     >
>     >     > P.S. I am using IPsec in transport mode, not tunnel mode.
>     >     >
>     >     > Any help will be appreciated.
>     >     > Idan.
>     >     >
>     >     >
>     >     >
>     >     > _______________________________________________
>     >     > Users at lists.openswan.org
>     >     > https://lists.openswan.org/mailman/listinfo/users
>     >     > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>     >     > Building and Integrating Virtual Private Networks with Openswan:
>     >     > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>     >     >
>     >
>     >
>     > --
>     > Idan Freiberg
>     > Mobile: +972-52-2925213
> 
> 

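An added example that is not part of the thread: a POSIX shell script that turns the `-m policy` rules Simon quoted into a per-peer REQUIRE-style ruleset with a dry run (set IPTABLES=echo) and a presence check. The function names, the IPTABLES override and the extra accept rules for raw ESP and IKE (UDP 500/4500) ahead of the REJECTs are my additions, not something the thread gives.

```shell
#!/bin/sh
# Added example, not code from the thread: a per-peer REQUIRE-IPsec style
# ruleset built on the -m policy rules quoted above, with a dry run and a
# presence check. Assumptions: host-to-host transport mode, the IKE daemon
# runs on this host, and IPTABLES may be overridden (e.g. IPTABLES=echo).
set -eu
IPTABLES="${IPTABLES:-iptables}"

# Emit the rule bodies for one peer, one per line, in insertion order.
# Raw ESP (proto 50) and IKE (UDP 500/4500) are accepted in the clear ahead
# of the REJECT rules (added caveat): a raw ESP packet carries no IPsec
# policy when it first crosses INPUT, and IKE is not carried inside the SA,
# so without these two lines the SA could neither be negotiated nor used.
require_ipsec_rules() {
    peer="$1"
    case "$peer" in
        *[!0-9.]*|"") echo "require_ipsec_rules: bad IPv4 peer '$peer'" >&2; return 1 ;;
    esac
    cat <<EOF
-A OUTPUT -p esp -d $peer -j ACCEPT
-A OUTPUT -p udp -d $peer -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --strict --proto esp --mode transport -d $peer -j ACCEPT
-A OUTPUT -d $peer -j REJECT
-A INPUT -p esp -s $peer -j ACCEPT
-A INPUT -p udp -s $peer -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --strict --proto esp --mode transport -s $peer -j ACCEPT
-A INPUT -s $peer -j REJECT
EOF
}

# Hand each rule to iptables (or whatever IPTABLES names), in order.
apply_require_ipsec() {
    require_ipsec_rules "$1" | while IFS= read -r rule; do
        set -- $rule            # split the rule into words
        $IPTABLES "$@"
    done
}

# Return 0 if every rule for the peer is already loaded (iptables -C), else 1.
check_require_ipsec() {
    require_ipsec_rules "$1" | while IFS= read -r rule; do
        set -- $rule; shift     # drop the leading -A, keep "CHAIN rule-spec"
        $IPTABLES -C "$@" >/dev/null 2>&1 || exit 1
    done
}
# Usage: sh require-ipsec.sh <peer-ip>
if [ "$#" -ge 1 ]; then
    apply_require_ipsec "$1"
fi
```

Run it once with IPTABLES=echo to review the exact rules before loading them for real, and use check_require_ipsec from a monitoring job to notice if the ruleset is ever flushed.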