[Swan] LibreSwan - Transport Mode, Secure Only by Multiple IP Addresses

Paul Wouters paul at nohats.ca
Thu Dec 14 19:52:53 UTC 2017


On Thu, 14 Dec 2017, Matt Dennison wrote:

> I am attempting to secure traffic between a LibreSwan host and multiple dynamic Windows hosts.  If I specify a single right host
> as shown in the configuration below it works as expected, in that security is required.  However, if I change to an IP range or
> %any, security is now only optional.  I need to change this behaviour so security is required.  I have not been able to figure
> out how to enforce this change in behaviour. Can anyone help?

When using right=%any, you cannot use auto=start, because you do not
know where "any" is. So the other endpoints need to initiate to you.

If you want to avoid leaking unencrypted packets before those endpoints
initiate to you, you can either use an iptables or an ipsec-based block rule.

Using iptables:

iptables -A OUTPUT -s 192.168.10.130/32 -d 192.168.10.127/30 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A OUTPUT -s 192.168.10.130/32 -d 192.168.10.127/30 -m policy --dir out --pol none -j DROP

To do the same within ipsec, you could do:

conn block-plain
	left=192.168.10.130
	right=%any
	rightsubnet=192.168.10.127/30
	# discard matching packets instead of sending them in the clear
	type=drop
	# no IKE authentication: this is a policy-only connection
	authby=never
	# install the policy at startup without initiating
	auto=route
	# low priority so tunnels win when up
	priority=6000

Paul

> conn main
> type=transport
> authby=secret
> left=192.168.10.130
> right=192.168.10.128
> # right=192.168.10.127-192.168.10.129
> # right=%any
> pfs=yes
> ike=3des-sha1;modp1024
> phase2=esp
> auto=start
> 
> Thanks
> 
> Matt
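Paul's two iptables rules, as an added example that is not part of the thread: a script that emits them for the thread's addresses and audits an `iptables -S OUTPUT` listing (a constructed sample here, so it runs unprivileged) to confirm the plaintext DROP rule is actually present. It normalises the destination CIDR first, because iptables lists back the masked network address rather than the address you typed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the fail-closed iptables
# rules for one LibreSwan peer range and audits an `iptables -S OUTPUT`
# listing to confirm plaintext to that range is dropped. Addresses are the
# thread's; the chain listing is a constructed sample so it runs unprivileged.

SRC=192.168.10.130/32
DST=192.168.10.127/30

# Print the two rules: accept output that already has an IPsec policy,
# drop output with no policy at all (plaintext). Pipe to sh to apply.
block_plain_rules() {
    echo "iptables -A OUTPUT -s $1 -d $2 -m policy --dir out --pol ipsec -j ACCEPT"
    echo "iptables -A OUTPUT -s $1 -d $2 -m policy --dir out --pol none -j DROP"
}

# iptables masks the address you give it, so `-d 192.168.10.127/30` is listed
# back as `-d 192.168.10.124/30`; normalise a CIDR the same way before matching.
cidr_network() {
    ip=${1%/*}; len=${1#*/}
    a=${ip%%.*}; r=${ip#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    n=$(( ((a << 24) | (b << 16) | (c << 8) | d) & ((4294967295 << (32 - len)) & 4294967295) ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/$len"
}

# Escape dots so an address is matched literally by grep -E.
re_lit() { printf '%s\n' "$1" | sed 's/[.]/\\./g'; }

# Read `iptables -S OUTPUT` text on stdin; exit 0 if some rule drops
# policy-less output from src to dst, 1 if plaintext could still leave.
plaintext_blocked() {
    src=$(re_lit "$(cidr_network "$1")"); dst=$(re_lit "$(cidr_network "$2")")
    grep -E -q -- "^-A OUTPUT -s $src -d $dst -m policy --dir out --pol none -j DROP"
}

# Constructed sample of what `iptables -S OUTPUT` prints after applying the rules.
SAMPLE_CHAIN='-P OUTPUT ACCEPT
-A OUTPUT -s 192.168.10.130/32 -d 192.168.10.124/30 -m policy --dir out --pol ipsec -j ACCEPT
-A OUTPUT -s 192.168.10.130/32 -d 192.168.10.124/30 -m policy --dir out --pol none -j DROP'

block_plain_rules "$SRC" "$DST"
if printf '%s\n' "$SAMPLE_CHAIN" | plaintext_blocked "$SRC" "$DST"; then
    echo "ok: plaintext to $DST is dropped"
else
    echo "WARNING: plaintext to $DST can still leave" >&2
fi
```

On a live host, replace the sample with `iptables -S OUTPUT | plaintext_blocked "$SRC" "$DST"` to check the running ruleset.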
