[Openswan Users] IPSEC in transport mode, can I define REQUIRE rule?
Idan Freiberg
speidy at gmail.com
Fri Jan 17 18:38:10 EST 2014
Sure, sorry about that.
Thanks a lot!
On Jan 18, 2014 1:26 AM, "Simon Deziel" <simon at xelerance.com> wrote:
> On 14-01-17 06:19 PM, Idan Freiberg wrote:
> > Can I drop non-IPsec connections without using iptables?
> >
> > (like racoon does)
>
> What happens if racoon dies and the IPsec connection goes out?
>
> It would start leaking traffic in plain text. That's when iptables'
> extra protection can be handy.
>
> Simon
>
> P.S.: Please reply to the mailing list directly as others might be
> interested in your thread.
>
> > On Jan 17, 2014 4:42 AM, "Simon Deziel" <simon at xelerance.com> wrote:
> >
> > If your IPsec connection is alive, the iptables rules are not needed as
> > the kernel will make sure to encrypt any packets between both peers.
> > This is not something racoon or Openswan does, it's the kernel directly.
> >
> > The iptables rules are there to prevent any communication if your
> > IPsec connection accidentally dies or something like that.
> >
> > Simon
> >
> > On 14-01-16 02:15 AM, Idan Freiberg wrote:
> > > Thanks a lot!
> > >
> > > As far as I remember, the *racoon* daemon isn't relying on iptables for
> > > dropping unsecured connections.
> > > As far as I understand, Openswan isn't dealing with that, can you
> > > accept?
> > >
> > >
> > > On Thu, Jan 16, 2014 at 4:02 AM, Simon Deziel <simon at xelerance.com> wrote:
> > >
> > > Hi Idan,
> > >
> > > You can set your connection to use "auto=route" or "auto=start". This
> > > will keep the IPsec connection ready to secure the communication between
> > > the 2 peers.
> > >
> > > You can supplement this with some iptables rules like those:
> > >
> > > iptables -A OUTPUT -m policy --dir out --pol ipsec --strict \
> > > --proto esp --mode transport -d <Other_IP> -j ACCEPT
> > > iptables -A OUTPUT -d <Other_IP> -j REJECT
> > >
> > > iptables -A INPUT -m policy --dir in --pol ipsec --strict \
> > > --proto esp --mode transport -s <Other_IP> -j ACCEPT
> > > iptables -A INPUT -s <Other_IP> -j REJECT
> > >
> > > The REJECT rules could also be used with "--pol none". I'd recommend
> > > reading man 8 iptables for more ideas on how to tweak those rules.
> > >
> > > HTH,
> > > Simon
> > >
> > > On 14-01-15 08:18 PM, Idan Freiberg wrote:
> > > > Hello all!
> > > >
> > > > I'm trying to restrict connections to my CentOS box, so just Windows
> > > > clients with a corresponding PSK will be able to communicate with
> > > > my box.
> > > >
> > > > In Windows, an IPsec rule can be defined as a REQUIRE IPSEC rule, which
> > > > means non-IPsec traffic will be dropped automatically (clear traffic).
> > > >
> > > > I find it hard to configure a REQUIRE-like rule with Openswan.
> > > >
> > > > P.S. I am using IPsec in transport mode, not tunnel mode.
> > > >
> > > > Any help will be appreciated.
> > > > Idan.
> > > >
> > > > _______________________________________________
> > > > Users at lists.openswan.org
> > > > https://lists.openswan.org/mailman/listinfo/users
> > > > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > > Building and Integrating Virtual Private Networks with Openswan:
> > > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > >
> > > --
> > > Idan Freiberg
> > > Mobile: +972-52-2925213
> >
>
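As an added example (not code from the thread or from Openswan), the script below generalizes Simon's transport-mode rules for one peer and adds the exemptions the thread does not show, so that the plaintext IKE exchange and the inbound ESP packets themselves are not caught by the final REJECT. PEER_IP is a constructed address, and the function names and the APPLY switch are the example's own.

```shell
#!/bin/sh
# Added example: build a fail-closed "require IPsec" rule set for one peer,
# in the spirit of the iptables rules posted in the thread.
# Assumptions: IPv4 and transport-mode ESP. IKE (UDP 500/4500) and the ESP
# packets must be allowed explicitly: neither matches "-m policy --pol ipsec"
# (IKE is never inside an SA; an inbound ESP packet only carries an IPsec
# policy after the kernel has decrypted it and re-injected the inner packet).
PEER_IP="203.0.113.5"   # constructed placeholder, not a real peer

# Emit the rules for a peer, one per line, without running anything.
# Order matters: exemptions first, then policy-matched ACCEPT, then REJECT.
require_ipsec_rules() {
    peer="$1"
    cat <<EOF
iptables -A OUTPUT -d $peer -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -d $peer -p esp -j ACCEPT
iptables -A OUTPUT -d $peer -m policy --dir out --pol ipsec --strict --proto esp --mode transport -j ACCEPT
iptables -A OUTPUT -d $peer -j REJECT
iptables -A INPUT -s $peer -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -s $peer -p esp -j ACCEPT
iptables -A INPUT -s $peer -m policy --dir in --pol ipsec --strict --proto esp --mode transport -j ACCEPT
iptables -A INPUT -s $peer -j REJECT
EOF
}

# Number of rules generated for a peer; a cheap sanity check before applying.
rule_count() {
    require_ipsec_rules "$1" | wc -l | tr -d ' '
}

# Refuse anything that is not a dotted-quad IPv4 address, so a typo cannot
# turn "-d $peer" into a rule that matches far more than intended.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Apply for real only when run as root with APPLY=1; otherwise just print.
apply_rules() {
    valid_ipv4 "$1" || { echo "bad peer address: $1" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        require_ipsec_rules "$1" | sh -e
    else
        require_ipsec_rules "$1"
    fi
}

apply_rules "$PEER_IP"
```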