On Tue, Jun 25, 2002 at 03:07:05PM -0500, Linas Vepstas was heard to remark:
> On Tue, Jun 25, 2002 at 11:33:19AM +0200, pierre was heard to remark:
> > Hello,
> > Is it normal that in the following case the non IPSec peer can access
> > the protected subnet ? (without using a firewall on the VPN Gateway, of
> > course!)
> >
> > IPSec peer-----------
> > ----VPN Gateway (FreeSWAN+X509 certificates)-----protected subnet
> > non IPSec peer----
> >
> > I was thinking that only the IPSec peer would access the protected
> > subnet and the others would be rejected since not authenticated.
> > However, it seems that clear connections to the protected subnet are
> > still possible. Is it really like that when there is not a firewall ?
>
> The vpn gateway passes all traffic. It acts as a tunnel between
> the two gateways; it does *not* do packet filtering or otherwise
> try to control what kind of traffic flows through the tunnel.
I was very very very wrong in stating the above. 'Most' tunnels
behave like this, but the ipsec/freeswan tunnel does not. It only
allows those packets whose src and dst ip addrs match those
set up in ipsec.conf.
--linas
--
pub 1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984 3F54 64A9 9A82 0104 5933
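A simplified model of the per-connection src/dst check Linas describes, added here as an illustration for this archive page and not code from FreeS/WAN or from either poster; the ipsec.conf fragment, the conn name and all addresses are constructed, and it is assumed that "left" is the gateway's own side and that a host without a *subnet= key covers only itself. Clear packets that never entered a tunnel are modelled as outside the check, which is the case pierre's question is about.

```python
import ipaddress

# Constructed FreeS/WAN-style ipsec.conf fragment (sample values, not from the thread).
IPSEC_CONF = """
conn roadwarrior
    left=192.0.2.1
    leftsubnet=10.10.0.0/16
    right=198.51.100.7
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of the fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def selectors(conn):
    """(remote_subnet, local_subnet) a conn covers, seen from the gateway.
    Assumption: 'left' is this gateway; a side without *subnet= is just that host."""
    local = conn.get("leftsubnet", conn["left"] + "/32")
    remote = conn.get("rightsubnet", conn["right"] + "/32")
    return ipaddress.ip_network(remote), ipaddress.ip_network(local)

def classify(conns, src, dst, via_conn=None):
    """Classify a packet arriving at the gateway for the protected subnet.
    via_conn is the conn it was decapsulated from, or None for a clear packet.
    A tunnel only passes packets whose src/dst fall inside that conn's subnets;
    a clear packet is never subject to this check and is left to the firewall."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if via_conn is None:
        return "clear"           # not IPsec traffic: only a firewall rule can stop it
    remote, local = selectors(conns[via_conn])
    if src in remote and dst in local:
        return "tunnel-accept"
    return "tunnel-drop"         # addresses do not match what ipsec.conf set up
```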
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST