Re: isakmp vpn configuration

2005-08-24 Thread Daniel Eyholzer
Hi Joel


j knight [EMAIL PROTECTED] wrote:
> > I have tried to change Network and Netmask in the [default-route]
> > section from 0.0.0.0 to the network and netmask of one of the vlan
> > subnetworks, but it does not help. I can still connect to the other
> > subnet if I define them in the client. Anyone knows how I can restrict
> > access to only one of the vlan subnets?
>
> I don't know why those changes aren't working, however, have you tried:
>
> - setting a policy via isakmpd.policy that restricts 'remote_filter'

No. I will try that.


> - blocking traffic using pf

Yes, I have tried to filter on VPN client ip addresses on the enc0
interface. This works, but the problem is that not all users should be
allowed to do the same things. Since the VPN client ip address can be
chosen arbitrarily on the VPN client, the user can choose an ip address that
is allowed to do what he wants to do. Therefore it is not secure: the user
just has to know which ip address has full access, and he can access all he
wants on all vlans.


Thanks, Daniel



Re: isakmp vpn configuration

2005-08-24 Thread j knight
--- Quoting Daniel Eyholzer on 2005/08/24 at 08:33 +0200:

> Yes, I have tried to filter on VPN client ip addresses on the enc0
> interface. This works, but the problem is that not all users should be
> allowed to do the same things. Since the VPN client ip address can be
> chosen arbitrarily on the VPN client, the user can choose an ip address that
> is allowed to do what he wants to do. Therefore it is not secure: the user
> just has to know which ip address has full access, and he can access all he
> wants on all vlans.

You definitely want to set up a policy then and to use x509 certs for
client authentication. Create a policy that delegates to sub policies
for each client. The licensees of each sub policy should match the
distinguished name of the client's key. Specify the appropriate
remote_filter/local_filter options in the policy as well. Obviously this
doesn't scale so well for large numbers of users.

Check out the isakmpd.policy(5) man page for all the details.




.joel
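What the per-client policy Joel describes can look like in practice, as an added example that is not part of the thread and not taken from the isakmpd project: one KeyNote assertion per client in isakmpd.policy, each licensed to that client's certificate DN and each limiting the gateway-side traffic selector to a single VLAN subnet. Because the policy keys on the authenticated identity (the DN in the x509 cert) rather than on a client-chosen address, a user cannot gain another user's access just by picking a different tunnel address, which is the hole described with pf on enc0. The DNs, the 192.168.2.0/24 and 192.168.3.0/24 subnets, and the "DN:" licensee form are assumptions; the attribute names (local_filter_addr_lower/upper, esp_*, app_domain) are the ones I understand isakmpd to export to KeyNote, and on the gateway "local" is the gateway side of the SA (the VLAN subnet) while "remote" is the client side. Verify the exact attribute names and address representation against isakmpd.policy(5) on the running system before relying on this.

```keynote
KeyNote-Version: 2
Comment: Added example, not from the thread. Client "alice" (identified by
         the DN of her x509 certificate) may only negotiate SAs whose
         gateway-side selector is the vlan 2 subnet 192.168.2.0/24.
         DN, subnet and attribute names are assumptions to be checked
         against isakmpd.policy(5).
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=ExampleOrg/CN=alice"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" &&
            local_filter_addr_lower == "192.168.2.0" &&
            local_filter_addr_upper == "192.168.2.255" -> "true";

KeyNote-Version: 2
Comment: Added example. Client "bob" is confined to the vlan 3 subnet
         192.168.3.0/24 in the same way.
Authorizer: "POLICY"
Licensees: "DN:/C=CH/O=ExampleOrg/CN=bob"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" &&
            local_filter_addr_lower == "192.168.3.0" &&
            local_filter_addr_upper == "192.168.3.255" -> "true";
```

Any proposal that does not match one of these assertions (a client offering the other VLAN's subnet, or the 0.0.0.0/0 catch-all) is rejected at Phase 2, so the restriction holds regardless of what the client configures. As Joel notes, one assertion per client does not scale to many users; the assertions can be moved into signed credentials issued by a common authorizer, at the cost of more setup.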



Re: isakmp vpn configuration

2005-08-23 Thread j knight
--- Quoting Daniel Eyholzer on 2005/08/17 at 15:58 +0200:

> I have tried to change Network and Netmask in the [default-route] section
> from 0.0.0.0 to the network and netmask of one of the vlan subnetworks, but
> it does not help. I can still connect to the other subnet if I define them
> in the client. Does anyone know how I can restrict access to only one of the
> vlan subnets?

I don't know why those changes aren't working, however, have you tried:

- setting a policy via isakmpd.policy that restricts 'remote_filter'
- blocking traffic using pf




.joel



isakmp vpn configuration

2005-08-17 Thread Daniel Eyholzer
Hi there


I have an OpenBSD box that is configured as a firewall and vpn gateway. The
box has two physical interfaces. One interface is the WAN interface that
connects to the internet. The other interface connects to the LAN switch
and has several virtual VLAN interfaces defined for different LAN subnets.

The basic vpn configuration works. I can connect with the Greenbow vpn
client from a Windows host and reach the hosts on the LAN interfaces. In the
Greenbow vpn client configuration I can define the subnet to which I want
to tunnel. So if I define the subnet of the vlan 2 interface in the
Greenbow vpn client, I can reach the hosts that are in the vlan 2 subnet;
if I define the subnet of the vlan 3 interface, I can reach the hosts that
are in the vlan 3 subnet. I have no control over which subnet the vpn client
has access to.


My isakmpd.conf looks like this:
# 
# Defaults section
# 

[General]
Default-phase-1-lifetime=   3600,60:86400
Default-phase-2-lifetime=   1200,60:86400

# ---
# Connections
# ---

[Phase 1]
Default=ISAKMP-clients

[Phase 2]
Passive-Connections=IPsec-clients

# -
# Phase 1 peer sections
# -

[ISAKMP-clients]
Phase=  1
Transport=  udp
Configuration=  default-main-mode
Authentication= mekmitasdigoat

# 
# Phase 2 sections
# 

[IPsec-clients]
Phase=  2
Configuration=  default-quick-mode
Local-ID=   default-route
Remote-ID=  dummy-remote

# --
# Client ID sections
# --

[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0


[default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= AES-SHA-GRP2

[default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE 


I have tried to change Network and Netmask in the [default-route] section
from 0.0.0.0 to the network and netmask of one of the vlan subnetworks, but
it does not help. I can still connect to the other subnet if I define them
in the client. Does anyone know how I can restrict access to only one of the
vlan subnets?


Thanks, Daniel