Re: isakmp vpn configuration
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: isakmp vpn configuration
- From: Daniel Eyholzer <eyhodani_(_at_)_blah_(_dot_)_ch>
- Date: Wed, 24 Aug 2005 08:33:05 +0200
- Organization: -
Hi Joel
j knight <enabled_(_at_)_myrealbox_(_dot_)_com> wrote:
> > I have tried to change Network and Netmask in the [default-route]
> > section from 0.0.0.0 to the network and netmask of one of the vlan
> > subnetworks, but it does not help. I can still connect to the other
> > subnet if I define them in the client. Does anyone know how I can restrict
> > access to only one of the vlan subnets?
>
> I don't know why those changes aren't working, however, have you tried:
>
> - setting a policy via isakmpd.policy that restricts 'remote_filter'

No. I will try that.

> - blocking traffic using pf

Yes, I have tried to filter on VPN client IP addresses on the enc0
interface. This works, but the problem is that not all users should be
allowed to do the same things. Since the VPN client IP address can be
chosen arbitrarily on the VPN client, the user can choose an IP address that
is allowed to do what he wants to do. Therefore it is not secure: the user
just has to know which IP address has full access, and he can access all he
wants on all vlans.

Thanks, Daniel