Re: Debian Firewall + IPSec gateway...
Guillaume Lécroart wrote:
> Hi,
>
> The problem here is how to identify the IPSec traffic. I implemented
> this long ago, where IPSec traffic would come out of a "ipsecxxx"
> interface, which was really easy for adding a '-i ipsecxxx' iptables rule.
> In the newer implementation of FreeSWan/OpenSWan, this behaviour has
> changed, since the IPSec traffic is still reported as coming from the
> physical interface. I found out that I could use the "policy matching"
> netfilter module, but this is not included in 2.4.27-2 (and possibly
> not in 2.6.10, since I couldn't find any ipt_policy.ko in
> /lib/modules/2.6.10-1-686).
>
> Is there another way of matching the IPSec traffic?
> Have I no other solution than building a custom kernel?
>
I know that the latest openswan has new support for KLIPS (ipsecx
interfaces) on 2.6, but that would involve rebuilding the kernel or
waiting until sarge includes it. And it's marked as experimental. I've
found a couple of docs describing how to set iptables up for your
scenario using --mark.
http://www.jasons.org/howto/118/
http://www.cornelius.demon.co.uk/IPSEC-FW.html
hth
--
/phil
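The --mark approach Phil points to, worked through as an added example; this is not code from the thread or from either HOWTO. The interface name, subnets and mark value are hypothetical placeholders, and the script assumes the native 2.6 IPsec stack, where the fwmark set on an incoming ESP packet is still attached to the decrypted inner packet when that packet goes through the filter chains (the property the mark-based HOWTOs rely on). Without that property, the mark never reaches the FORWARD rules and the anti-spoofing rule below drops the tunnel traffic, which is a quick way to find out whether a given kernel behaves this way.

```shell
#!/bin/sh
# Added example (not from the thread or the linked HOWTOs): identify IPsec
# traffic with a firewall mark on a 2.6 kernel running the native IPsec
# stack, where decrypted packets still appear to arrive on the physical
# interface and the ipt_policy match is not available.
#
# Assumptions (hypothetical values, not taken from the thread):
#   EXT_IF      outside interface the ESP packets arrive on
#   LAN_NET     local protected subnet behind this gateway
#   REMOTE_NET  protected subnet behind the IPsec peer
#   IPSEC_MARK  fwmark value used to tag "came through IPsec" packets
# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"
IPSEC_MARK="${IPSEC_MARK:-1}"

ipsec_firewall_rules() {
    # 1. Tag the encrypted packets as they arrive from the outside (plain ESP
    #    and NAT-T ESP-in-UDP/4500).  The kernel decrypts them and re-injects
    #    the inner packet through PREROUTING on the same interface; the mark
    #    set here stays attached to it, so the mark is what distinguishes
    #    "decrypted" from "arrived in the clear".
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -p esp -j MARK --set-mark "$IPSEC_MARK"
    $IPT -t mangle -A PREROUTING -i "$EXT_IF" -p udp --dport 4500 -j MARK --set-mark "$IPSEC_MARK"

    # 2. The tunnel itself: IKE (500), NAT-T (4500) and ESP to and from the
    #    gateway.  Restrict -s/-d to the peer address on a real deployment.
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p esp -j ACCEPT

    # 3. Anti-spoofing: a packet with a REMOTE_NET source that arrives on the
    #    outside interface without the mark never went through IPsec.
    $IPT -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -m mark ! --mark "$IPSEC_MARK" -j DROP

    # 4. Only marked (decrypted) packets may cross from the remote subnet into
    #    the LAN.  The LAN may reach the remote subnet; the kernel's security
    #    policy then encrypts those packets on the way out.
    $IPT -A FORWARD -i "$EXT_IF" -m mark --mark "$IPSEC_MARK" -s "$REMOTE_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -d "$REMOTE_NET" -j ACCEPT
}

# Number of rules the function would load; handy for a dry-run sanity check.
ipsec_rule_count() {
    (IPT="echo iptables"; ipsec_firewall_rules) | wc -l | tr -d ' '
}

# Load the rules only when explicitly asked, so the file can also be sourced.
if [ "${IPSEC_FW_APPLY-}" = "1" ]; then
    ipsec_firewall_rules
fi
```

Preview the rule set with IPT="echo iptables" IPSEC_FW_APPLY=1 sh ipsec-fw.sh before loading it. The mark is a workaround for kernels without the policy match; on a kernel that has ipt_policy, "-m policy --dir in --pol ipsec" in the FORWARD rules expresses the same check directly and does not depend on the mark surviving decapsulation.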