Hello!

Simple question: If I get ipsec packets into wlan0 and want to enable only ah, esp and udp 500, how to do this with iptables? (I am using isakmpd/Linux 2.6; setkey and tcpdump for analysing)

If I do it this way, it doesn't work:
- allow esp, ah, udp/500
- deny rest

The "problem" is well known: The kernel decrypts the (esp-)packets and retransmits them THROUGH the incoming device (here: wlan0). Then I see the UNENCRYPTED packets on wlan0, which are denied.

1. Why do they re-enter this device? (Is this a bug or not?)
2. How to tell the kernel to transfer/route the unencrypted packets through another virtual device (like ipsec0 from freeswan)?
3. Any other proposal to solve this?

Greetings,

Nico

ps: The aim is to make an access point (running hostap/prism2), which only allows ipsec clients with the right certificates and deny everything else.

pps: please cc Gregor.

--
Keep it simple & stupid, use what's available.
pgp: 8D0E E27A | Nico Schottelius
http://nerd-hosting.net | http://linux.schottelius.org
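An added example addressing the rule set the post asks for (this is not code from the original message or from any of the projects named in it). The native 2.6 IPsec stack (xfrm) has no ipsec0 device; after ESP/AH processing it hands the decrypted packet back to the input path with the original interface still attached, which is exactly what the poster sees on wlan0. The defender's answer is not to route the cleartext copy elsewhere but to accept it only when the kernel marks it as having arrived under an inbound IPsec policy. The script assumes the interface name wlan0 (from the post) and an iptables build that has the `policy` match (iptables 1.3.5 or later on a kernel with xfrm support, which the poster's system may or may not have). It only generates the rules by default; `apply` pipes them into a shell as root.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables rule set for an
# access point that accepts only IPsec traffic arriving on wlan0.
# Assumptions: interface wlan0 (from the post), iptables with the "policy"
# match (xfrm kernels), and that decrypted packets re-enter on the same
# interface, which is the native 2.6 IPsec behaviour the poster observed.
set -u

IPT="${IPT:-iptables}"     # iptables binary (override for testing)
WAN_IF="${WAN_IF:-wlan0}"  # interface the IPsec clients arrive on

# Print the rule set. Keeping generation separate from application lets the
# rules be reviewed first; comment lines are skipped by the shell on apply.
build_rules() {
  cat <<EOF
$IPT -N IPSEC_$WAN_IF
# Phase 1: IKE negotiation (isakmpd listens on UDP/500)
$IPT -A IPSEC_$WAN_IF -p udp --dport 500 -j ACCEPT
# Phase 2: the protected packets themselves, before decryption
$IPT -A IPSEC_$WAN_IF -p esp -j ACCEPT
$IPT -A IPSEC_$WAN_IF -p ah -j ACCEPT
# The decrypted copy re-enters on $WAN_IF. Instead of trusting its addresses,
# accept it only if the kernel says it arrived under an inbound IPsec policy.
$IPT -A IPSEC_$WAN_IF -m policy --dir in --pol ipsec -j ACCEPT
# Everything else from this interface (cleartext clients) is dropped.
$IPT -A IPSEC_$WAN_IF -j DROP
# Apply the chain to traffic for the AP itself and to traffic it forwards.
$IPT -I INPUT -i $WAN_IF -j IPSEC_$WAN_IF
$IPT -I FORWARD -i $WAN_IF -j IPSEC_$WAN_IF
EOF
}

# Number of rules that would be installed (comment lines excluded).
rule_count() {
  build_rules | grep -c -v '^#'
}

case "${1:-show}" in
  show)  build_rules ;;
  apply) build_rules | sh -e ;;               # needs root
  *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

The `-m policy --dir in --pol ipsec` rule is what makes the re-injection harmless: the match reads the security path the kernel attached to the packet when it decrypted it, so a cleartext client on wlan0 cannot forge it the way it could forge a source address. Add `--proto esp` or `--proto ah` to that rule if only one of the two should be accepted after decryption. The same chain is hooked into both INPUT and FORWARD so the policy holds for traffic to the access point and for traffic it passes on.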