On Thu, 14 Dec 2017, Matt Dennison wrote:
I am attempting to secure traffic between a LibreSwan host and multiple dynamic
Windows hosts. If I specify a single right host as shown in the configuration
below it works as expected, in that security is required. However, if I change
to an IP range or %any, security is now only optional. I need to change this
behaviour so security is required. I have not been able to figure out how to
enforce this change in behaviour, can anyone help?
When using right=%any, you cannot use auto=start, because you do not
know where "any" is. So the other endpoints need to initiate to you.
If you want to avoid leaking unencrypted packets before those endpoints
initiate to you, you can use either an iptables or an ipsec-based block rule.
Using iptables:
iptables -A OUTPUT -s 192.168.10.130/32 -d 192.168.10.127/30 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A OUTPUT -s 192.168.10.130/32 -d 192.168.10.127/30 -m policy --dir out --pol none -j DROP
To do the same within ipsec, you could do:
conn block-plain
        left=192.168.10.130
        right=%any
        rightsubnet=192.168.10.127/30
        type=drop
        authby=never
        auto=route
        # low priority so tunnels win when up
        priority=6000
Paul
conn main
        type=transport
        authby=secret
        left=192.168.10.130
        right=192.168.10.128
        # right=192.168.10.127-192.168.10.129
        # right=%any
        pfs=yes
        ike=3des-sha1;modp1024
        phase2=esp
        auto=start
Thanks
Matt
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan