
Re: [Users] FreeS/WAN Tunneling Problem with WLAN clients

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Thu Apr 04 2002 - 12:34:28 CEST


Jussi, thanks for your response!

Fortunately for SSH it is not Sentinel which is to blame.
Actually I have set "Deny unprotected IP traffic" but even
without it the routing through the tunnels is ok. The only
improvement that I would really appreciate with Sentinel is
a possibility to move the order of the VPN connections (a
feature similar to the Pre- and PostIPsec filter rules where
the order can be changed using the up and down arrows). VPN
connections are always appended at the back. This means that
I must create the more restrictive tunnels first and the
general 0.0.0.0/0 tunnel as the last connection.

The fault is clearly on the FreeS/WAN side since it does not
seem to be able to route the incoming packets into another
tunnel leaving at the same ipsec interface.

Kind regards

Andreas

Jussi Torhonen wrote:
>
> Andreas Steffen wrote:
>
> > Both WLAN clients can access the Internet via NAT and the ZHW net
> > through the ipsec0 tunnel. But client soggy cannot reach client wroclaw
> > via the Linux GW. Pinging wroclaw from soggy and vice-versa
> > and monitoring ipsec1 using tcpdump shows that the ping is
> > tunneled to the FreeS/WAN gateway and appears at the ipsec1
> > interface and I expected that it would enter ipsec1 again to be
> > tunneled via eth1 to the WLAN peer. But this does not happen.
> > Is FreeS/WAN supposed to work this way or am I doing something
> > wrong? The ipchains rules on the eth1 / ipsec1 ports do not
> > deny any packets entering or leaving these interfaces.
>
> Have you configured SSH Sentinel to 'Deny unprotected IP traffic' and
> cleared option 'Trust all certificates'? Both can be found under
> Security Policy -> Default Response Rule.
>
> Now SSH Sentinel accepts encrypted traffic only. You have a VPN tunnel
> over WLAN that is targeted over FreeSWAN to subnet 0.0.0.0/0 (any), so now
> the link from the client machine is well secured. No other cleartext or even
> secured host2host connections are allowed any more between WLAN clients.
>
> Now client machines Soggy and Wroclaw are no longer able to
> communicate with each other, even though they're located in the same subnet
> 160.85.106.0/28. You'll get a VPN tunnel over WLAN between Soggy and
> FreeSWAN, as well as between Wroclaw and FreeSWAN, but not between S and
> W. Connections from the client to the outside world, including the university
> campus, are working.
>
> Best regards,
> Jussi Torhonen, SSH Sentinel Team, http://www.ipsec.com
> SSH Communications Security Corp, http://www.ssh.com

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:48 CEST