[Users] Announce: X.509 patch 0.9.16 for freeswan-1.99 released

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Dec 12 2002 - 00:09:04 CET


Hi,

I have integrated Stephen J. Bevan's protocol and port selector
patch into version 0.9.16 of the X.509 patch, which can be downloaded from

   http://www.strongsec.com/freeswan

CHANGES
-------

- The selector patch adds port- and protocol-based eroutes, allowing
   outbound traffic selection. Inbound traffic selection must
   still be based on firewall rules activated by an updown script.
   If I want, e.g., to tunnel HTTP traffic and ICMP messages only,
   I can do this by defining the following two IPsec SAs:

     conn icmp
          right=%any
          rightprotoport=icmp
          left=%defaultroute
          leftid=@pluto.strongsec.com
          leftprotoport=icmp

     conn http
          right=%any
          rightprotoport=6
          left=%defaultroute
          leftid=@pluto.strongsec.com
          leftprotoport=6/80

   The command

    ipsec auto --status

   will show the following connection definitions:

     "icmp": 160.85.106.10[@pulpo.strongsec.com]:1/0...%any:1/0
     "http": 160.85.106.10[@pulpo.strongsec.com]:6/80...%any:6/0

   When an instance of these connection definitions is set up,
   the corresponding eroutes are created automatically. The remaining
   protocols and ports are either dropped by default or can be passed
   in the clear outside the tunnel by setting up appropriate eroutes
   manually (see Stephen's README.selectors for details). In FreeS/WAN
   2.00, the new food group functionality might be used to process
   %drop and %passthrough selectors.

- Fixed a bug in the _updown.x509 script that uses iptables to
   set up dynamic firewall rules supporting port- and protocol-based
   filtering.

Although Stephen's patch was originally intended for Super-FreeS/WAN,
Ken Bantoft suggested integrating the kernel-based port and
protocol selection into the X.509 patch first, since X.509 already
offers userland support for protocol- and port-specific IPsec SAs in
the form of the [left|right]protoport connection parameter.

Since the selector patch adds new functionality to the pfkey
kernel and library functions, Mathieu Lafon's NAT-Traversal
patch will have to be adapted slightly in order to apply correctly
on top of the X.509-with-selectors patch.

Kind regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
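The announcement above shows protoport selectors in two forms: the way they are written in ipsec.conf (`icmp`, `6`, `6/80`) and the normalized `protocol/port` form that `ipsec auto --status` prints (`1/0`, `6/80`, `6/0`, with port 0 meaning "any port"). It also notes that the kernel eroute only selects outbound traffic, so the inbound side has to be enforced by firewall rules from an updown script. The following is an added example, not code from the X.509 patch, FreeS/WAN or Andreas Steffen: it parses protoport selectors, rebuilds the status line format, and derives the pair of iptables rules an updown script would install for the inbound direction. The interface names `ipsec0` and `eth0`, the decision to drop the selected traffic when it arrives in the clear, and the function names are all assumptions made for illustration.

```python
"""Added example (not part of the X.509 patch or FreeS/WAN): parse
[left|right]protoport selectors, render them as `ipsec auto --status`
does, and derive inbound iptables rules the eroute does not enforce."""

# Protocol names accepted in the selector, mapped to IANA protocol numbers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
PROTO_NAMES = {num: name for name, num in PROTO_NUMBERS.items()}
PORTLESS = {1}  # ICMP has no ports; a port on it is rejected
PORTED = {6, 17}  # only TCP and UDP get --sport/--dport matches


def parse_protoport(spec):
    """Return (protocol, port) for a protoport selector string.

    "icmp"   -> (1, 0)    protocol only, any port
    "6/80"   -> (6, 80)   numeric protocol and port
    "tcp/80" -> (6, 80)   named protocol, numeric port
    "", "%any", "0/0" -> (0, 0)   no restriction at all
    """
    spec = spec.strip()
    if spec in ("", "%any"):
        return (0, 0)
    proto_part, _, port_part = spec.partition("/")
    if proto_part.isdigit():
        proto = int(proto_part)
    elif proto_part.lower() in PROTO_NUMBERS:
        proto = PROTO_NUMBERS[proto_part.lower()]
    else:
        raise ValueError("unknown protocol %r" % proto_part)
    if not 0 <= proto <= 255:
        raise ValueError("protocol number out of range: %d" % proto)
    if port_part == "":
        port = 0
    elif port_part.isdigit():
        port = int(port_part)
    else:
        raise ValueError("port must be numeric: %r" % port_part)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if proto in PORTLESS and port != 0:
        raise ValueError("protocol %d carries no port" % proto)
    if proto == 0 and port != 0:
        raise ValueError("a port requires a specific protocol")
    return (proto, port)


def selector_is_valid(spec):
    """True if parse_protoport() accepts the selector."""
    try:
        parse_protoport(spec)
        return True
    except ValueError:
        return False


def format_selector(proto, port):
    """Render (proto, port) the way the status output does, e.g. "6/80"."""
    return "%d/%d" % (proto, port)


def status_line(name, left_addr, left_id, left_pp, right_addr, right_pp):
    """Rebuild one connection line in the `ipsec auto --status` format."""
    lp = format_selector(*parse_protoport(left_pp))
    rp = format_selector(*parse_protoport(right_pp))
    return '"%s": %s[%s]:%s...%s:%s' % (name, left_addr, left_id,
                                        lp, right_addr, rp)


def inbound_rules(left_pp, right_pp, ipsec_if="ipsec0", clear_if="eth0"):
    """iptables rules an updown script would install for the inbound side.

    The eroute selects outbound traffic only, so for inbound we (assumed
    policy for this example) accept the selected traffic when it arrives
    decrypted on the IPsec interface and drop the same traffic if it
    arrives in the clear on the physical interface. left = local side,
    so the left port is the destination port of inbound packets and the
    right port is their source port.
    """
    lproto, lport = parse_protoport(left_pp)
    rproto, rport = parse_protoport(right_pp)
    proto = lproto or rproto
    match = []
    if proto:
        match.append("-p %s" % PROTO_NAMES.get(proto, str(proto)))
    if proto in PORTED:
        if rport:
            match.append("--sport %d" % rport)
        if lport:
            match.append("--dport %d" % lport)
    accept = ["iptables", "-A", "INPUT", "-i", ipsec_if] + match + ["-j", "ACCEPT"]
    drop = ["iptables", "-A", "INPUT", "-i", clear_if] + match + ["-j", "DROP"]
    return [" ".join(accept), " ".join(drop)]


if __name__ == "__main__":
    # Constructed input mirroring the two connections in the announcement.
    print(status_line("icmp", "160.85.106.10", "@pluto.strongsec.com",
                      "icmp", "%any", "icmp"))
    print(status_line("http", "160.85.106.10", "@pluto.strongsec.com",
                      "6/80", "%any", "6"))
    for rule in inbound_rules("6/80", "6"):
        print(rule)
```

Note that the `-p`/`--dport` pair only makes sense for TCP and UDP; for a protocol-only selector such as `icmp` the rule matches on protocol alone, which is exactly what the `1/0` status form expresses.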



This archive was generated by hypermail 2.1.5 : Wed Dec 18 2002 - 05:21:03 CET