[solved] IPSec mobile clients/roadwarrior: Tunnel web traffic only
I configured IPsec as described in the infamous article - IPsec Road Warrior/Mobile Client How-To - which works quite nicely.
Is it possible to allow a roadwarrior to redirect his web traffic over the tunnel but deny access to any local subnets?
On the IPsec interface rules, block access to 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. Just be sure to assign a public DNS, so it doesn't have to traverse a subnet it no longer has access to.
Thanks for your hint, that's what I assumed. I was just too picky, trying to find any switches inside the IPsec configuration. This is what I use now - does it look fine?
Action | Protocol | Source        | Port | Destination    | Port | Gateway | Queue | Description
(-)    | IPv4 *   | *             | *    | 10.0.0.0/8     | *    | *       | none  | Block any traffic to Class A subnets
(-)    | IPv4 *   | *             | *    | 172.16.0.0/12  | *    | *       | none  | Block any traffic to Class B subnets
(-)    | IPv4 *   | *             | *    | 192.168.0.0/16 | *    | *       | none  | Block any traffic to Class C subnets
(+)    | IPv4 *   | IPRANGE ipsec | *    | *              | *    | *       | none  | Allow any traffic to any destination
Alternatively - invert match with a single rule:
Action | Protocol | Source        | Port | Destination       | Port | Gateway | Queue | Description
(+)    | IPv4 *   | IPRANGE ipsec | *    | ! IPRANGE RFC1918 | *    | *       | none  | Block traffic to any private subnet
I marked the topic as solved. If anyone wants to comment on my rules you are welcome. :)
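As an added check that is not part of the original thread: the following Python model evaluates both rule sets from the posts above (the three explicit block rules followed by the pass rule, and the single inverted-match pass rule) with pfSense's first-match semantics and an implicit default deny, and confirms they make the same decision for every sample destination. It also shows the DNS caveat from the first reply: a resolver on a private address is unreachable through the tunnel, a public one is not. The mobile-client pool `10.20.30.0/24` standing in for the `IPRANGE ipsec` alias and all sample addresses are constructed assumptions.

```python
import ipaddress

# Assumed stand-in for the "IPRANGE ipsec" alias (the mobile-client address pool).
IPSEC_POOL = ipaddress.ip_network("10.20.30.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# The three RFC1918 ranges, i.e. the "IPRANGE RFC1918" alias from the inverted rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A rule is (action, source networks, destination networks, destination inverted?).
# Rules are evaluated top to bottom, first match wins, as on a pfSense interface tab.
RULESET_THREE_BLOCKS = [
    ("block", [ANY], [ipaddress.ip_network("10.0.0.0/8")], False),
    ("block", [ANY], [ipaddress.ip_network("172.16.0.0/12")], False),
    ("block", [ANY], [ipaddress.ip_network("192.168.0.0/16")], False),
    ("pass", [IPSEC_POOL], [ANY], False),
]
RULESET_INVERTED = [
    ("pass", [IPSEC_POOL], RFC1918, True),  # destination "! IPRANGE RFC1918"
]


def evaluate(ruleset, src, dst):
    """Return 'pass' or 'block' for a packet src->dst under first-match rules."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for action, srcs, dsts, invert in ruleset:
        src_match = any(src in n for n in srcs)
        dst_match = any(dst in n for n in dsts)
        if src_match and (dst_match != invert):
            return action
    return "block"  # implicit default deny when no rule matches


# Constructed sample destinations: private ranges, their boundaries, and public hosts.
SAMPLE_DESTINATIONS = [
    "10.0.0.1", "10.255.255.255", "11.0.0.1",
    "172.15.255.255", "172.16.0.1", "172.31.255.255", "172.32.0.1",
    "192.167.255.255", "192.168.1.10", "192.169.0.1",
    "9.9.9.9", "93.184.216.34", "1.1.1.1",
]


def rulesets_agree(sources=("10.20.30.5", "203.0.113.7"), dests=SAMPLE_DESTINATIONS):
    """True if both rule sets decide identically for every source/destination pair."""
    return all(
        evaluate(RULESET_THREE_BLOCKS, s, d) == evaluate(RULESET_INVERTED, s, d)
        for s in sources for d in dests
    )


def dns_reachable(resolver_ip, client_ip="10.20.30.5"):
    """The first reply's caveat: a private resolver is cut off, a public one is fine."""
    return evaluate(RULESET_INVERTED, client_ip, resolver_ip) == "pass"


if __name__ == "__main__":
    client = "10.20.30.5"
    for dst in SAMPLE_DESTINATIONS:
        print(f"{client} -> {dst:16} {evaluate(RULESET_THREE_BLOCKS, client, dst)}")
    print("rule sets equivalent:", rulesets_agree())
    print("DNS via 192.168.1.1 reachable:", dns_reachable("192.168.1.1"))
    print("DNS via 9.9.9.9 reachable:", dns_reachable("9.9.9.9"))
```

The model deliberately includes a source outside the pool (`203.0.113.7`): neither rule set passes it, because the explicit pass rules are restricted to the pool and everything else falls through to the default deny.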