Re: [Users] Question on FreeS/WAN

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Sat Sep 28 2002 - 08:03:41 CEST

• Next message: Thing: "[Users] 030 truncated message fro whack: got 440 bytes; expected 2476 message ignored"
• Previous message: Kaustubh.Kumbhalkar_at_lntinfotech.com: "RE: [Users] Starting IPsec6"
• In reply to: Jean Khosalim: "Re: [Users] Question on FreeS/WAN"
• Next in thread: Giacomo Mulas: "Re: [Users] Question on FreeS/WAN"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Peter suggested a using fw mark (using iptables to mark packets, and then
advanced IP routing via the iproute2 package to route the marked packets
over the tunnel). While this may be possible, you'd have alot of
configuration work to do with your firewall rules. Don't attempt unless
you have strong knowledge of the iproute2 package and iptable's marking
capabilities - you'll still run into problems, since the IPSec SA's would
be established for the tunnel between the two hosts - you'd have to
override them for packets sent in the clear.

Also, his suggestion only buys you clear text or encrypted - not the
different crypto algo's for different services. I believe it's technically
possible (you setup several IP addresses on each host, bind ipsec# to each
alias, use a different crypto alg for each ip address pair, then use
iptables to mark different packets, and then iproute2 to route them over
different tunnels). If you understood what I just wrote, then you can
probably pull it off. Otherwise, it'll be a configuration nightmare :)

Ken

On Fri, 27 Sep 2002, Jean Khosalim wrote:

> To: Ken Bantoft and Peter Mueller,
>
> First of all, thanks for the replies. Second, I am confused.
> Peter's earlier reply seems to indicate that it is possible, while Ken said
> otherwise.
>
> Thanks,
> Jean Khosalim
>
> ----- Original Message -----
> From: "Ken Bantoft" <ken_at_freeswan.ca>
> To: "Jean Khosalim" <jkhosali_at_nps.navy.mil>
> Cc: <users_at_lists.freeswan.org>
> Sent: Friday, September 27, 2002 4:03 PM
> Subject: Re: [Users] Question on FreeS/WAN
>
>
> >
> > On Fri, 27 Sep 2002, Jean Khosalim wrote:
> >
> > > Hi all:
> > >
> > > Is it possible to control down to the service level for two hosts when I
> use FreeS/WAN ?
> > > For example :
> > > Host A - Host B, ping will be in the clear.
> > > Host A - Host B, telnet will use 3DES-MD5.
> > > Host A - Host B, service xyz will use XYZ.
> > >
> > > Thanks,
> > > Jean Khosalim
> > >
> >
> > Not currently - port based IKE isn't implemented at this time.
> >

-- 
Ken Bantoft                The Unoffical FreeS/WAN Site:
ken_at_freeswan.ca            http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We 
can also factor the number 15 with a dog trained to bark 
three times."       -- Robert Harley, 5/12/01, Sci.crypt
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: Thing: "[Users] 030 truncated message fro whack: got 440 bytes; expected 2476 message ignored"
• Previous message: Kaustubh.Kumbhalkar_at_lntinfotech.com: "RE: [Users] Starting IPsec6"
• In reply to: Jean Khosalim: "Re: [Users] Question on FreeS/WAN"
• Next in thread: Giacomo Mulas: "Re: [Users] Question on FreeS/WAN"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.5 : Sun Sep 29 2002 - 05:20:16 CEST