
Re: [Users] Equivalent to Location in Checkpoint

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sat Jul 13 2002 - 12:10:41 CEST


Hi Manny,

with the upcoming version 0.9.14 of the X.509 patch you could define
the policies for the three users as follows

conn %default
      left=%defaultroute
      leftcert=myCert.pem # leftid is subject DN of cert
      right=%any # we assume road warriors
      rightsubnetwithin=10.2.0.0/16 # address pool for road warriors
      rightrsasigkey=%cert # public keys from received peer certs
      auto=add

conn dhcp # dhcp-over-ipsec to lease a virtual IP
      rightsubnet= # peer does not have a virtual IP yet
      rightprotoport=udp/bootpc
      leftsubnet=0.0.0.0/0 # allow DHCP DISCOVERY Broadcasts
      leftprotoport=udp/bootps
      keylife=30s # only for first discovery
      rekeymargin=10s
      rekey=no

conn User1
      rightid="C=US, O=ACME, CN=User1"
      leftsubnet=10.3.0.0/16 # the whole internal subnet

conn User2-a
      rightid="C=US, O=ACME, CN=User2"
      rightprotoport=tcp
      leftsubnet=10.1.0.5/32 # this is the web server
      leftprotoport=tcp/http # http via tcp only

conn User2-b
      rightid="C=US, O=ACME, CN=User2"
      rightprotoport=6
      leftsubnet=10.1.0.10/32 # this is the mail server
      leftprotoport=6/143 # imap via tcp only

conn User3-a
      rightid="C=US, O=ACME, CN=User3"
      rightprotoport=tcp
      leftsubnet=10.1.1.0/24 # cluster of hosts which allow ftp access
      leftprotoport=tcp/ftp # ftp-data not solved yet
      ....

The restriction to ports and protocols will not be enforced by KLIPS
but by iptables. The firewall rules will be configured automatically
by the updown script using the new environment variables
$PLUTO_MY_PROTOCOL, $PLUTO_PEER_PROTOCOL, $PLUTO_MY_PORT, and
$PLUTO_PEER_PORT.

As you can see, a lot can be done with FreeS/WAN and the X.509 patch,
although our solution is still not as flexible as, e.g., Checkpoint VPN-1.
But the quite different price tags should also be considered!

Regards

Andreas

Manny Fernandez wrote:
> Good day,
>
> How can we set up different access for different users, i.e.:
>
> User1, can make a VPN connection (Road Warrior or LAN-2-LAN) and can see
> all boxes on my internal subnet.
>
> User2, can make a VPN connection (Road Warrior or LAN-2-LAN) and can see
> only the internal WEB server on port 80 and Exchange server via IMAP.
>
> User3, can make a VPN connection (Road Warrior or LAN-2-LAN) and can see
> only an FTP and a SQL database.
>
> How can this be done? In checkpoint VPN-1, you add the user and the
> password and the user object determines what they can see, that an the
> actual policy.
>
> I am using Firewall Builder for my RH7.3, 2.4.1.5, IPtables
>
> Thanks
>
>
> Manny

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
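The port/protocol enforcement Andreas describes, as an added illustrative updown fragment (not the X.509 patch's own _updown script): it reads the new $PLUTO_MY_PROTOCOL / $PLUTO_MY_PORT / $PLUTO_PEER_PROTOCOL / $PLUTO_PEER_PORT variables and prints the iptables FORWARD rules a KLIPS SA alone would not enforce. Assumed: protocol values are IANA numbers, port 0 means "any", and PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT follow FreeS/WAN's standard updown interface.

```shell
#!/bin/sh
# Added example (not the X.509 patch's own _updown): emit the iptables
# FORWARD rules that enforce a conn's port/protocol selectors, which KLIPS
# passes through unfiltered.  Assumed conventions: protocol variables hold
# IANA protocol numbers (6 = tcp, 17 = udp), a PLUTO_*_PORT of 0 means
# "any", and PLUTO_VERB / PLUTO_INTERFACE / PLUTO_MY_CLIENT /
# PLUTO_PEER_CLIENT are what FreeS/WAN's standard updown already provides.

# Match fragment for one direction: "in" = peer client -> our subnet,
# "out" = our subnet -> peer client.  Empty when no protocol is restricted.
match_args() {
    proto="${PLUTO_MY_PROTOCOL:-0}"
    [ "$proto" -eq 0 ] && proto="${PLUTO_PEER_PROTOCOL:-0}"   # one proto per SA
    [ "$proto" -eq 0 ] && return 0
    if [ "$1" = in ]; then mine=--dport; peer=--sport
    else mine=--sport; peer=--dport; fi
    m="-p $proto"
    [ "${PLUTO_MY_PORT:-0}" -ne 0 ] && m="$m $mine $PLUTO_MY_PORT"
    [ "${PLUTO_PEER_PORT:-0}" -ne 0 ] && m="$m $peer $PLUTO_PEER_PORT"
    printf '%s' "$m"
}

# Print (do not run) the rule pair for the current verb: insert on
# up-client, delete on down-client; routing and host verbs need no rule.
# Pipe the output into sh to apply it.
tunnel_rules() {
    case "$PLUTO_VERB" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *)           return 0 ;;
    esac
    m_in=$(match_args in); m_out=$(match_args out)
    printf 'iptables %s FORWARD -i %s -s %s -d %s %s-j ACCEPT\n' "$op" \
        "$PLUTO_INTERFACE" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT" "${m_in:+$m_in }"
    printf 'iptables %s FORWARD -o %s -s %s -d %s %s-j ACCEPT\n' "$op" \
        "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" "${m_out:+$m_out }"
}

# Constructed demo values for the User2-a conn (web server, tcp/http);
# a real updown gets these from pluto, so drop this part when wiring it in.
PLUTO_VERB=up-client; PLUTO_INTERFACE=ipsec0
PLUTO_MY_CLIENT=10.1.0.5/32; PLUTO_PEER_CLIENT=10.2.0.7/32
PLUTO_MY_PROTOCOL=6; PLUTO_MY_PORT=80; PLUTO_PEER_PROTOCOL=6; PLUTO_PEER_PORT=0
tunnel_rules
```

Because the down-client run sees the same PLUTO_* values as the up-client run, the -D rule matches the -I rule exactly and the per-user opening closes with the tunnel.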

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:23 CEST