[strongSwan] how to create a ACL-like system based on certificates?

2010-05-13 Thread Andreas Schuldei
In order to have fine grained control over the IPsec traffic in our
distributed network of host-to-host ipsec connections we would like to
create an ACL-like system.

For example all servers should be able to talk to infrastructure hosts
(like DNS or backup servers).

Only the other storage servers and the few specialized servers
accessing the storage system should be able to initiate connections to
storage servers.

Only the server distributing the search index and the few servers
querying the search system should be able to initiate connections to
search servers.

The monitoring servers should be able to initiate connections to all servers.

How could I represent such a system with different types of server
certificates (one type per server class) and strongswan configuration?

/andreas
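One way to express the server classes in strongSwan, as an added example that is not part of this thread: give each host a certificate whose OU names its class and match on that RDN with a wildcard in rightid, while auto=add on the responder side ensures the listed classes can initiate to this host but this host never initiates to them. The DN layout, hostnames, file names and the 192.0.2.53 address are assumptions made for the example.

```conf
# ipsec.conf on a storage server (constructed example; the DN layout
# "C=DE, O=Example Corp, OU=<class>, CN=<host>" is an assumption)
config setup
        strictcrlpolicy=no

conn %default
        keyexchange=ikev2
        authby=pubkey
        type=transport
        leftcert=storage01Cert.pem
        leftid="C=DE, O=Example Corp, OU=storage, CN=storage01.example.net"
        # only certificates issued by our own CA are accepted at all
        leftca="C=DE, O=Example Corp, CN=Example Corp Root CA"
        rightca=%same

# Classes allowed to initiate a connection to a storage server.
# auto=add loads the policy but never initiates: the peer must come to us,
# and it is selected by the OU in its certificate subject, not by address.
conn from-storage
        right=%any
        rightid="C=DE, O=Example Corp, OU=storage, CN=*"
        auto=add

conn from-storage-clients
        right=%any
        rightid="C=DE, O=Example Corp, OU=storage-client, CN=*"
        auto=add

conn from-monitoring
        right=%any
        rightid="C=DE, O=Example Corp, OU=monitoring, CN=*"
        auto=add

# Connections this host opens itself, to infrastructure services.
conn to-dns
        right=192.0.2.53
        rightid="C=DE, O=Example Corp, OU=infra, CN=dns1.example.net"
        auto=route
```

Each server class carries only the conn blocks for the classes that may reach it, so the ACL lives in the responder's configuration and the certificate OU; traffic outside any loaded policy is not blocked by IPsec itself, so pair this with host firewall rules that drop unprotected traffic to the protected ports.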

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] how to create a ACL-like system based on certificates?

2010-05-13 Thread John A. Sullivan III
On Thu, 2010-05-13 at 01:02 +0200, Andreas Schuldei wrote:
> In order to have fine grained control over the IPsec traffic in our
> distributed network of host-to-host ipsec connections we would like to
> create an ACL-like system.
> 
> For example all servers should be able to talk to infrastructure hosts
> (like DNS or backup servers).
> 
> Only the other storage servers and the few specialized servers
> accessing the storage system should be able to initiate connections to
> storage servers.
> 
> Only the server distributing the search index and the few servers
> querying the search system should be able to initiate connections to
> search servers.
> 
> The monitoring servers should be able to initiate connections to all servers.
> 
> How could I represent such a system with different types of server
> certificates (one type per server class) and strongswan configuration?
I'll toss my two cents in as I see no one else has responded yet.  We've
never done this at the IPSec level.  We have done something similar by
combining either IPSec or OpenVPN and iptables via the ISCS project
(http://iscs.sourceforge.net).  I've not had the time to build a
community around ISCS so it is not as well maintained as I would like
but it does give exactly this kind of control and that control can be
based upon X.509 fields and those credentials can be used throughout the
entire WAN without resorting to virtual IP addresses for security
(although sometimes they are handy for routing and troubleshooting
issues).

There are several important fixes in CVS waiting to be rolled into
a new release - John

