ipsec configuration - Security

Thread: ipsec configuration

  1. ipsec configuration

    Hi,
    I have a question about ipsec configuration - in my case under openswan.
    In my config file I've:
    left=172.18.1.2
    leftsubnet=10.0.0.0/24
    right=172.18.2.2
    rightsubnet=192.168.20.0/24
    in which I would like to give the possibility to tunnel only one machine
    from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    How may I do it?

    Greetings
    Admo

  2. Re: ipsec configuration

    On 08.05.2006, Adam wrote:
    > Hi,
    > I have a question about ipsec configuration - in my case under openswan.
    > In my config file I've:
    > left=172.18.1.2
    > leftsubnet=10.0.0.0/24
    > right=172.18.2.2
    > rightsubnet=192.168.20.0/24
    > in which I would like to give the possibility to tunnel only one machine
    > from the left part: 10.0.0.34, not the whole network 10.0.0.0/24

    Where does the 10.0.0.0/24 come from, then?

    --
    Feel free to correct my English
    Stanislaw Klekot

  3. Re: ipsec configuration

    Stachu 'Dozzie' K. wrote:
    > On 08.05.2006, Adam wrote:
    >
    >>Hi,
    >>I have a question about ipsec configuration - in my case under openswan.
    >>In my config file I've:
    >>left=172.18.1.2
    >>leftsubnet=10.0.0.0/24
    >>right=172.18.2.2
    >>rightsubnet=192.168.20.0/24
    >>in which I would like to give the possibility to tunnel only one machine
    >>from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    >
    > Where does the 10.0.0.0/24 come from, then?

    ? From the network on the left side.

  4. Re: ipsec configuration

    On 08.05.2006, Adam wrote:
    > Stachu 'Dozzie' K. wrote:
    >> On 08.05.2006, Adam wrote:
    >>
    >>>Hi,
    >>>I have a question about ipsec configuration - in my case under openswan.
    >>>In my config file I've:
    >>>left=172.18.1.2
    >>>leftsubnet=10.0.0.0/24
    >>>right=172.18.2.2
    >>>rightsubnet=192.168.20.0/24
    >>>in which I would like to give the possibility to tunnel only one machine
    >>>from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    >>
    >> Where does the 10.0.0.0/24 come from, then?
    >
    > ? From the network on the left side.

    You want the left side network to be just one host, right?

    --
    Feel free to correct my English
    Stanislaw Klekot

  5. Re: ipsec configuration

    Adam wrote in news:e3mra3$37$1@inews.gazeta.pl:

    > Hi,
    > I have a question about ipsec configuration - in my case under openswan.
    > In my config file I've:
    > left=172.18.1.2
    > leftsubnet=10.0.0.0/24
    > right=172.18.2.2
    > rightsubnet=192.168.20.0/24
    > in which I would like to give the possibility to tunnel only one machine
    > from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    > How may I do it?
    >
    > Greetings
    > Admo


    change your leftsubnet to:

    leftsubnet=10.0.0.34/32

    Both sides of the tunnel have to be configured the same way, so you have to
    make the above change at both ends of the tunnel. Failing that you could
    use Netfilter/iptables to only allow the 10.0.0.34 address to get through.
    Remember that you can apply Netfilter forwarding rules to the tunnel
    interface - the packets are in the clear as the encrypt/decrypt happens
    after/before netfilter sees them.

    Klazmon.

  6. Re: ipsec configuration

    Stachu 'Dozzie' K. wrote:
    > On 08.05.2006, Adam wrote:
    >
    >>Stachu 'Dozzie' K. wrote:
    >>
    >>>On 08.05.2006, Adam wrote:
    >>>
    >>>
    >>>>Hi,
    >>>>I have a question about ipsec configuration - in my case under openswan.
    >>>>In my config file I've:
    >>>>left=172.18.1.2
    >>>>leftsubnet=10.0.0.0/24
    >>>>right=172.18.2.2
    >>>>rightsubnet=192.168.20.0/24
    >>>>in which I would like to give the possibility to tunnel only one machine
    >>>>from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    >>>
    >>>Where does the 10.0.0.0/24 come from, then?
    >>
    >>? From the network on the left side.
    >
    > You want the left side network to be just one host, right?

    Yes

  7. Re: ipsec configuration

    Llanzlan Klazmon wrote:
    > Adam wrote in news:e3mra3$37$1@inews.gazeta.pl:
    >
    >
    >>Hi,
    >>I have a question about ipsec configuration - in my case under openswan.
    >>In my config file I've:
    >>left=172.18.1.2
    >>leftsubnet=10.0.0.0/24
    >>right=172.18.2.2
    >>rightsubnet=192.168.20.0/24
    >>in which I would like to give the possibility to tunnel only one machine
    >>from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    >>How may I do it?
    >>
    >>Greetings
    >>Admo
    >
    > change your leftsubnet to:
    >
    > leftsubnet=10.0.0.34/32
    >
    > Both sides of the tunnel have to be configured the same way, so you have to
    > make the above change at both ends of the tunnel. Failing that you could
    > use Netfilter/iptables to only allow the 10.0.0.34 address to get through.
    > Remember that you can apply Netfilter forwarding rules to the tunnel
    > interface - the packets are in the clear as the encrypt/decrypt happens
    > after/before netfilter sees them.
    >
    > Klazmon.

    May I add only one port, not the whole machine?

  8. Re: ipsec configuration

    Adam wrote in news:e3sp9p$he7$1@inews.gazeta.pl:

    > Llanzlan Klazmon wrote:
    >> Adam wrote in news:e3mra3$37$1@inews.gazeta.pl:
    >>
    >>
    >>>Hi,
    >>>I have a question about ipsec configuration - in my case under openswan.
    >>>In my config file I've:
    >>>left=172.18.1.2
    >>>leftsubnet=10.0.0.0/24
    >>>right=172.18.2.2
    >>>rightsubnet=192.168.20.0/24
    >>>in which I would like to give the possibility to tunnel only one machine
    >>>from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    >>>How may I do it?
    >>>
    >>>Greetings
    >>>Admo
    >>
    >> change your leftsubnet to:
    >>
    >> leftsubnet=10.0.0.34/32
    >>
    >> Both sides of the tunnel have to be configured the same way, so you
    >> have to make the above change at both ends of the tunnel. Failing that
    >> you could use Netfilter/iptables to only allow the 10.0.0.34 address to
    >> get through. Remember that you can apply Netfilter forwarding rules to
    >> the tunnel interface - the packets are in the clear as the
    >> encrypt/decrypt happens after/before netfilter sees them.
    >>
    >> Klazmon.
    >
    > May I add only one port, not the whole machine?


    Not by configuring OpenSwan AFAIK. To restrict access to one port you would
    have to use Netfilter/iptables as well.

    Klazmon.
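Klazmon's two answers put together as one script (post 5: leftsubnet=10.0.0.34/32 at both ends; post 8: Netfilter on the tunnel interface for the port), as an added example that is not from the thread or from Openswan itself. It assumes Openswan on the KLIPS stack (tunnel interface ipsec0), that the remote branch connects to a service on 10.0.0.34, and the conn name host34-to-branch and the IPT variable are my own.

```shell
#!/bin/sh
# Added example, not from the thread: tunnel a single host (post 5) and then
# let only one TCP port of that host cross the tunnel (post 8).
# Assumes Openswan on the KLIPS stack, so the tunnel is the ipsec0 interface.
# IPT selects the iptables binary; set IPT=echo to print the rules instead.
: "${IPT:=iptables}"

# Conn stanza for /etc/ipsec.conf. The same text goes on both gateways:
# left/right are symbolic in Openswan, so only the /32 needs to be agreed on
# at both ends. "host34-to-branch" is an assumed conn name.
ipsec_conn() {
    cat <<'EOF'
conn host34-to-branch
    left=172.18.1.2
    leftsubnet=10.0.0.34/32
    right=172.18.2.2
    rightsubnet=192.168.20.0/24
    auto=start
EOF
}

# FORWARD rules for the left gateway, where packets are still in the clear:
# netfilter sees them before encryption (-o ipsec0) and after decryption
# (-i ipsec0). Only TCP port $1 on 10.0.0.34 is allowed through, plus the
# replies from that port; anything else headed for or coming from the tunnel
# is dropped. (On the NETKEY stack there is no ipsec0; match the SA with
# "-m policy --dir in --pol ipsec" / "--dir out" instead of -i/-o.)
tunnel_port_rules() {
    port="$1"
    host=10.0.0.34
    "$IPT" -A FORWARD -i ipsec0 -d "$host" -p tcp --dport "$port" -j ACCEPT
    "$IPT" -A FORWARD -o ipsec0 -s "$host" -p tcp --sport "$port" -j ACCEPT
    "$IPT" -A FORWARD -i ipsec0 -j DROP
    "$IPT" -A FORWARD -o ipsec0 -j DROP
}
```

The filter does not change what gets encrypted: whatever the FORWARD chain accepts toward ipsec0 is still encapsulated by the tunnel, and the rest never leaves the gateway. The peer does not negotiate the port; it only sees the /32, which is why post 8 says the port limit cannot be expressed in the Openswan config.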

  9. Re: ipsec configuration

    Llanzlan Klazmon wrote:
    > Adam wrote in news:e3sp9p$he7$1@inews.gazeta.pl:
    >
    >
    >>Llanzlan Klazmon wrote:
    >>
    >>>Adam wrote in news:e3mra3$37$1@inews.gazeta.pl:
    >>>
    >>>
    >>>
    >>>>Hi,
    >>>>I have a question about ipsec configuration - in my case under openswan.
    >>>>In my config file I've:
    >>>>left=172.18.1.2
    >>>>leftsubnet=10.0.0.0/24
    >>>>right=172.18.2.2
    >>>>rightsubnet=192.168.20.0/24
    >>>>in which I would like to give the possibility to tunnel only one machine
    >>>>from the left part: 10.0.0.34, not the whole network 10.0.0.0/24
    >>>>How may I do it?
    >>>>
    >>>>Greetings
    >>>>Admo
    >>>
    >>>change your leftsubnet to:
    >>>
    >>>leftsubnet=10.0.0.34/32
    >>>
    >>>Both sides of the tunnel have to be configured the same way, so you
    >>>have to make the above change at both ends of the tunnel. Failing that
    >>>you could use Netfilter/iptables to only allow the 10.0.0.34 address to
    >>>get through. Remember that you can apply Netfilter forwarding rules to
    >>>the tunnel interface - the packets are in the clear as the
    >>>encrypt/decrypt happens after/before netfilter sees them.
    >>>
    >>>Klazmon.
    >>
    >>May I add only one port, not the whole machine?
    >
    > Not by configuring OpenSwan AFAIK. To restrict access to one port you would
    > have to use Netfilter/iptables as well.
    >
    > Klazmon.

    But then with iptables, will there be a tunnel? All data must be sent encrypted.
