Remco Barendse
2003-Jan-14 12:01 UTC
[Shorewall-users] Firewalling multiple FreeSwan connections
Hi all!

I have got a vpn connection set up using FreeSwan and shorewall. Everything works fine but I want to add another subnet to the whole. This means that 1 box will get two net-to-net connections.

I want to limit the services on one subnet however. Currently I have defined a vpn zone for the current connection and allow all vpn<->loc traffic.

How would I go about in tightening the rope for this other connection? From the docs I have seen FreeSwan will simply create another ipsecX interface which would simplify the situation if I just assign a new zone to each ipsecX interface.

But this would require that I "force" FreeSwan to open up ipsec2 for vpn zone2 and ipsec0 for the first vpn zone (if this is possible at all).

Any experiences with this and can FreeSwan indeed be forced to create a certain interface number for a certain connection?

Thanx for any input!

Remco
Homer Parker
2003-Jan-14 23:18 UTC
[Shorewall-users] Firewalling multiple FreeSwan connections
On Tue, 14 Jan 2003 21:01:17 +0100 (CET) Remco Barendse <shorewall@barendse.to> wrote....

> Hi all!
>
> I have got a vpn connection set up using FreeSwan and shorewall.
> Everything works fine but I want to add another subnet to the whole.
> This means that 1 box will get two net-to-net connections.
>
> I want to limit the services on one subnet however. Currently I have
> defined a vpn zone for the current connection and allow all vpn<->loc
> traffic.
>
> How would I go about in tightening the rope for this other connection?
> From the docs I have seen FreeSwan will simply create another ipsecX
> interface which would simplify the situation if I just assign a new zone
> to each ipsecX interface.
>
> But this would require that I "force" FreeSwan to open up ipsec2 for vpn
> zone2 and ipsec0 for the first vpn zone (if this is possible at all).
>
> Any experiences with this and can FreeSwan indeed be forced to create a
> certain interface number for a certain connection?
>
> Thanx for any input!

I tried this with a LEAF Bering firewall... It worked, as long as who I had defined as ipsec0 got in first... Otherwise, the routing was all off... I was actually going to two different subnets with them... At this point in time, the project has been dropped, and I have since quit messing with it... I never did find a way to bind a config in FreeS/WAN to a connection to get everything right :(

---
Homer Parker
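One way to get the per-connection tightening Remco asks for without depending on which ipsecX interface FreeS/WAN happens to assign to a connection (the binding problem Homer describes) is to define the two VPN zones by remote subnet in Shorewall's hosts file rather than by interface. This is an added example, not configuration from either poster: the subnets, the zone names and the services allowed for the second peer are constructed, and the column layouts follow Shorewall's classic zones/interfaces/hosts/policy/rules files.

```text
# /etc/shorewall/zones      (ZONE  DISPLAY  COMMENTS)
net     Net      Internet
loc     Local    Local network
vpn     VPN      First net-to-net peer, 10.1.0.0/24 (constructed)
vpn2    VPN2     Second net-to-net peer, 10.2.0.0/24 (constructed)

# /etc/shorewall/interfaces (ZONE  INTERFACE  BROADCAST  OPTIONS)
# "-" in the ZONE column: ipsec0 serves more than one zone, so zone
# membership is decided per subnet in /etc/shorewall/hosts below.
# If the second tunnel ends up on ipsec1 instead, add a "- ipsec1 -"
# line here and use ipsec1 in the matching hosts entry.
net     eth0    detect
loc     eth1    detect
-       ipsec0  -

# /etc/shorewall/hosts      (ZONE  HOST(S)  OPTIONS)
# The zone now follows the tunnel's leftsubnet/rightsubnet, which the
# ipsec.conf connection fixes, not the ipsecX number FreeS/WAN picks.
vpn     ipsec0:10.1.0.0/24
vpn2    ipsec0:10.2.0.0/24

# /etc/shorewall/policy     (SOURCE  DEST  POLICY  LOG LEVEL)
vpn     loc     ACCEPT
loc     vpn     ACCEPT
vpn2    loc     DROP    info
loc     vpn2    ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules      (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Only the services the second peer actually needs; anything else from
# vpn2 hits the DROP policy above and is logged at "info".
ACCEPT  vpn2    loc     tcp     25
ACCEPT  vpn2    loc     tcp     53
ACCEPT  vpn2    loc     udp     53
```

After editing the files, `shorewall check` followed by `shorewall restart` loads them; `shorewall show zones` confirms that the two subnets landed in the intended zones.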