[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?

Idan Freiberg speidy at gmail.com
Fri Jan 17 18:38:10 EST 2014


Sure, sorry about that.
Thanks a lot!
On Jan 18, 2014 1:26 AM, "Simon Deziel" <simon at xelerance.com> wrote:

> On 14-01-17 06:19 PM, Idan Freiberg wrote:
> > Can I drop non-IPsec connections without using iptables?
> >
> > (like racoon does)
>
> What happens if racoon dies and the IPsec connection goes out?
>
> It would start leaking traffic in plain text. That's when iptables'
> extra protection can be handy.
>
> Simon
>
> P.S.: Please reply to the mailing list directly as others might be
> interested in your thread.
>
> > On Jan 17, 2014 4:42 AM, "Simon Deziel" <simon at xelerance.com> wrote:
> >
> >     If your IPsec connection is alive, the iptables rules are not needed as the
> >     kernel will make sure to encrypt any packets between both peers. This is
> >     not something racoon or Openswan does, it's the kernel directly.
> >
> >     The iptables rules are there to prevent any communication if your IPsec
> >     connection accidentally dies or something like that.
> >
> >     Simon
> >
> >     On 14-01-16 02:15 AM, Idan Freiberg wrote:
> >     > Thanks a lot!
> >     >
> >     > As far as I remember, the *racoon* daemon isn't relying on iptables for
> >     > dropping unsecured connections.
> >     > As far as I understand, openswan isn't dealing with that, can you
> >     > accept?
> >     >
> >     >
> >     > On Thu, Jan 16, 2014 at 4:02 AM, Simon Deziel <simon at xelerance.com> wrote:
> >     >
> >     >     Hi Idan,
> >     >
> >     >     You can set your connection to use "auto=route" or "auto=start". This
> >     >     will keep the IPsec connection ready to secure the communication between
> >     >     the 2 peers.
> >     >
> >     >     You can supplement this with some iptables rules like those:
> >     >
> >     >      iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
> >     >               --proto esp --mode transport -d <Other_IP> -j ACCEPT
> >     >      iptables -A OUTPUT -d <Other_IP> -j REJECT
> >     >
> >     >      iptables -A INPUT -m policy --dir in --pol ipsec --strict \
> >     >               --proto esp --mode transport -s <Other_IP> -j ACCEPT
> >     >      iptables -A INPUT -s <Other_IP> -j REJECT
> >     >
> >     >     The REJECT rules could also be used with "--pol none". I'd recommend
> >     >     reading man 8 iptables for more ideas on how to tweak those rules.
> >     >
> >     >     HTH,
> >     >     Simon
> >     >
> >     >     On 14-01-15 08:18 PM, Idan Freiberg wrote:
> >     >     > Hello all!
> >     >     >
> >     >     > I'm trying to restrict connections to my CentOS box, so just Windows
> >     >     > clients with a corresponding PSK will be able to communicate with
> >     >     > my box.
> >     >     >
> >     >     > In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
> >     >     > means non-IPsec traffic will be dropped automatically (clear traffic).
> >     >     >
> >     >     > I find it hard to configure a REQUIRE-like rule with Openswan.
> >     >     >
> >     >     > P.S. I am using IPsec in transport mode, not tunnel mode.
> >     >     >
> >     >     > Any help will be appreciated.
> >     >     > Idan.
> >     >     >
> >     >     > _______________________________________________
> >     >     > Users at lists.openswan.org
> >     >     > https://lists.openswan.org/mailman/listinfo/users
> >     >     > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >     >     > Building and Integrating Virtual Private Networks with Openswan:
> >     >     > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >     >     >
> >     >
> >     > --
> >     > Idan Freiberg
> >     > Mobile: +972-52-2925213
> >
>
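As an added example that is not part of the thread (a hypothetical helper, not Simon's rules verbatim nor anything shipped with Openswan): a small POSIX shell script that generates, and optionally applies, the four "require IPsec" rules from the reply above for a given peer, including the `--pol none` variant of the REJECT rules that the reply mentions. It assumes an iptables with the policy match (xt_policy) on the host.

```shell
#!/bin/sh
# Hypothetical helper, not from the thread: emit or apply the "require IPsec"
# iptables rules for one transport-mode peer. Assumes iptables with the
# policy match (xt_policy). Usage: ./require-ipsec.sh show|apply PEER [any|none]
set -eu

# Print the rules for one chain. $1 = peer IP, $2 = INPUT|OUTPUT,
# $3 = "any" (reject everything else) or "none" (reject only traffic
# that matches no IPsec policy, the "--pol none" variant).
ipsec_rules() {
    peer=$1; chain=$2; style=$3
    case $chain in
        INPUT)  dir=in;  addr="-s $peer" ;;
        OUTPUT) dir=out; addr="-d $peer" ;;
        *) echo "unknown chain: $chain" >&2; return 1 ;;
    esac
    # Traffic the kernel already carries inside an ESP transport-mode SA.
    echo "-A $chain -m policy --dir $dir --pol ipsec --strict --proto esp --mode transport $addr -j ACCEPT"
    # Everything else to/from the peer, i.e. what would otherwise leak in
    # clear text if the IPsec connection went away.
    if [ "$style" = none ]; then
        echo "-A $chain -m policy --dir $dir --pol none $addr -j REJECT"
    else
        echo "-A $chain $addr -j REJECT"
    fi
}

# Both directions; ACCEPT is printed before REJECT so -A keeps that order.
require_ipsec_rules() {
    ipsec_rules "$1" OUTPUT "${2:-any}"
    ipsec_rules "$1" INPUT "${2:-any}"
}

# Apply idempotently: try iptables -C (check) before appending each rule.
apply_rules() {
    require_ipsec_rules "$1" "${2:-any}" | while read -r rule; do
        spec=${rule#-A }
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        iptables -C $spec 2>/dev/null || iptables $rule
    done
}

case "${1:-}" in
    show)  require_ipsec_rules "$2" "${3:-any}" ;;
    apply) apply_rules "$2" "${3:-any}" ;;
esac
```

Run `show` first and compare the output with `iptables -S` before using `apply`; the ACCEPT rules must stay ahead of the REJECT rules in each chain.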


More information about the Users mailing list