[solved] IPSec mobile clients/roadwarrior: Tunnel web traffic only



  • Hi all,

    I configured IPSec as described in the infamous article - IPsec Road Warrior/Mobile Client How-To - which works quite nicely.

    Is it possible to allow a roadwarrior to redirect his web traffic over the tunnel but deny access to any local subnets?

    Cheers



  • On the ipsec interface rules, block access to 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. Just be sure to assign a public DNS, so it doesn't have to traverse a subnet it now no longer has access to.



  • Thanks for your hint, that's what I assumed. I was just too picky trying to find any switches inside the IPSec configuration. That's what I use now - does it look fine?

        Protocol  Source         Port  Destination     Port  Gateway  Queue  Description
        (-) IPv4  *              *     10.0.0.0/8      *     *        none   @Block any traffic to Class A subnets
        (-) IPv4  *              *     172.16.0.0/12   *     *        none   @Block any traffic to Class B subnets
        (-) IPv4  *              *     192.168.0.0/16  *     *        none   @Block any traffic to Class C subnets
        (+) IPv4  IPRANGE ipsec  *     *               *     *        none   @Allow any traffic to any destination

    Alternatively - invert match with a single rule:

        Protocol  Source         Port  Destination        Port  Gateway  Queue  Description
        (+) IPv4  IPRANGE ipsec  *     ! IPRANGE RFC1918  *     *        none   @Block traffic to any private subnet

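    To sanity-check the two rule sets above before committing them, here is a small first-match rule evaluator written for this thread (it is not pfSense code and not from the original post). It models the IPsec interface tab as an ordered list, with the implicit default deny at the end, and shows that the three explicit block rules and the single inverted-match rule make the same decision for every sample destination, including the /12 boundary of 172.16.0.0/12 and a LAN-side DNS server that the inverted rule would cut off. The client pool `10.250.0.0/24` and every sample address are constructed placeholders, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumed IPsec mobile-client address pool (placeholder, not from the thread).
IPSEC_POOL = ipaddress.ip_network("10.250.0.0/24")

# The private ranges the thread blocks; this is what the "RFC1918" alias expands to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Matcher = Callable[[ipaddress.IPv4Address], bool]


def any_addr(_addr: ipaddress.IPv4Address) -> bool:
    """Matches the '*' column in the pfSense rule table."""
    return True


def in_networks(nets: Iterable[ipaddress.IPv4Network]) -> Matcher:
    """Matches an address that falls inside any of the given networks."""
    nets = list(nets)
    return lambda a: any(a in n for n in nets)


def not_in_networks(nets: Iterable[ipaddress.IPv4Network]) -> Matcher:
    """The '!' (invert match) column: address must be outside all networks."""
    nets = list(nets)
    return lambda a: not any(a in n for n in nets)


@dataclass
class Rule:
    action: str        # "pass" or "block", the (+)/(-) icon in the table
    src: Matcher       # Source column
    dst: Matcher       # Destination column
    description: str


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins, as on a pfSense interface tab.
    If nothing matches, the interface's implicit default deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.src(s) and r.dst(d):
            return r.action
    return "block"


def explicit_rules() -> List[Rule]:
    """Variant 1 from the post: three block rules followed by a catch-all pass."""
    return [Rule("block", any_addr, in_networks([n]), f"Block traffic to {n}")
            for n in RFC1918] + [
        Rule("pass", in_networks([IPSEC_POOL]), any_addr,
             "Allow any traffic to any destination")]


def inverted_rule() -> List[Rule]:
    """Variant 2 from the post: one pass rule with destination '! RFC1918'."""
    return [Rule("pass", in_networks([IPSEC_POOL]), not_in_networks(RFC1918),
                 "Pass only to non-private destinations")]


# Constructed sample destinations a road warrior might send traffic to.
SAMPLE_DESTINATIONS = [
    "192.168.1.1",     # a LAN-side resolver: must be blocked (hence the public DNS advice)
    "10.1.2.3",        # an internal server
    "172.31.255.254",  # last address inside 172.16.0.0/12: blocked
    "172.32.0.1",      # just outside the /12: public, allowed
    "1.1.1.1",         # public DNS, allowed
    "93.184.216.34",   # an arbitrary public web server
]


def rulesets_agree(client: str, destinations: Iterable[str]) -> bool:
    """True if both variants return the same verdict for every destination."""
    return all(evaluate(explicit_rules(), client, d) ==
               evaluate(inverted_rule(), client, d) for d in destinations)


def dns_reachable(rules: List[Rule], client: str, resolver: str) -> bool:
    """Checks the caveat from the thread: the assigned DNS server must be
    reachable through the tunnel rules, otherwise name resolution breaks."""
    return evaluate(rules, client, resolver) == "pass"


if __name__ == "__main__":
    client = "10.250.0.5"  # constructed address from the assumed pool
    for d in SAMPLE_DESTINATIONS:
        print(f"{client} -> {d:16} explicit={evaluate(explicit_rules(), client, d):5} "
              f"inverted={evaluate(inverted_rule(), client, d)}")
    print("rule sets agree:", rulesets_agree(client, SAMPLE_DESTINATIONS))
    print("LAN DNS reachable:", dns_reachable(inverted_rule(), client, "192.168.1.1"))
    print("public DNS reachable:", dns_reachable(inverted_rule(), client, "1.1.1.1"))
```

    Run it once with your own client pool and resolver address substituted; if the two rule sets ever disagree for a destination, or `dns_reachable` is false for the resolver you hand out to clients, the tab needs another look before you rely on it.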


  • I marked the topic as solved. If anyone wants to comment on my rules you are welcome. :)

