I have had good luck when creating hub and spoke VPNs where I used
netfilter rules on the hub to control the traffic from the spokes back
to the hub.

For my hub I used Trustix as I find it to be lightweight and stable. I
used the 2.4.28-7 kernel. Trustix runs Openswan.

I haven't touched FC3. I did some work with FC1 and 2. There is a lot
of user support and an active community, but Fedora sure is a
heavyweight for a purpose built box.

I used simple netfilter rules to control traffic from the spokes back to
the hub. The spokes were appliances like Netscreens, Pix 501s, etc.
Policies to control traffic were implemented there also, but since they
were remote, the risk existed of them being compromised. So I had
netfilter rules on the Hub.

Excuse me if I go too much into the obvious, but I went crazy finding
all the information also. Here is an excerpt from a netfilter FORWARD
table which I used in this context. Note that the first two lines serve
the identical function, save the second uses the ipsec0 interface as the
input interface. $LAN_IFACE is simply the Hub's interface address on

$IPTABLES -A FORWARD -p tcp --dport 3001 -s -d -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 3001 -i ipsec0 -o $LAN_IFACE -d -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s -d -j LOG
--log-level info --log-prefix "VPN Dropped: "
$IPTABLES -A FORWARD -p tcp -s -d -j DROP

Here is a sample config from /etc/ipsec.conf. It shows some of the
features useful like controlling the lifetime of the phase 1 ISAKMP and
phase 2 ipsec phases.

conn site1
# Left (Local) security gateway, subnet behind it, next hop
# toward right.
leftnexthop= # router
# Right (remote) security gateway, subnet behind it, next hop
# toward left.
rightnexthop= #router
keylife=60m # phase 2 lifetime in minutes
auto=start # start when service ipsec starts
ikelifetime=480m # phase 1 lifetime in minutes

Here are some links I found with lot's of searching which were useful to
me in one way or another. Good luck. YMMV. Test a lot.

firewall-wizards mailing list