[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: isakmp vpn configuration
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: isakmp vpn configuration
- From: Daniel Eyholzer <eyhodani_(_at_)_blah_(_dot_)_ch>
- Date: Wed, 24 Aug 2005 08:33:05 +0200
- Organization: -
j knight <enabled_(_at_)_myrealbox_(_dot_)_com> wrote:
> > I have tried to change Network and Netmask in the [default-route]
> > section from 0.0.0.0 to the network and netmask of one of the vlan
> > subnetworks, but it does not help. I can still connect to the other
> > subnet if I define them in the client. Anyone knows how I can restrict
> > access to only one of the vlan subnets?
> I don't know why those changes aren't working, however, have you tried:
> - setting a policy via isakmpd.policy that restricts 'remote_filter'
No. I will try that.
> - blocking traffic using pf
Yes, I have tried to filter on VPN client ip addresses on the enc0
interface. This works, but the problem is that not all users should be
allowed to do the same things. Since the VPN client ip address can be
chosen arbitrary on the VPN client, the user can chose an ip address that
is allowed to do what he wants to do. Therefore it is not secured, the user
has just to know which ip address has full access, and he can access all he
wants on all vlans.
Visit your host, monkey.org