linux-admin.vger.kernel.org archive mirror
* freeswan: client ip addresses
@ 2002-04-30  7:27 urgrue
  0 siblings, 0 replies; 4+ messages in thread
From: urgrue @ 2002-04-30  7:27 UTC (permalink / raw)
  To: admin

How on earth can I configure what IP address is assigned to the
client's end of the VPN tunnel when he logs into freeswan?
I can't find a single word talking about this in the freeswan docs and
nobody on their mailing list even bothered to reply to my question! I'm
hoping people here will be nicer to me ;)
It makes freeswan pretty useless for me if I can't firewall the various
VPN connections appropriately.


* Re: freeswan: client ip addresses
       [not found] <D143FBF049570C4BB99D962DC25FC2D2159B57@freedom.icomedias.com>
@ 2002-04-30  8:12 ` urgrue
  2002-04-30  8:35   ` John Hallam
  0 siblings, 1 reply; 4+ messages in thread
From: urgrue @ 2002-04-30  8:12 UTC (permalink / raw)
  To: Martin Bene; +Cc: admin

EEEK! Really? Isn't this a bit ridiculous?
How is one supposed to, for example, allow less-privileged employees
access to the mail server only, and the better-privileged access also
to the top-secret database?
There must be some way; if not, I just can't understand what the IPSEC
people are thinking. So much for being the fancy next-generation VPN
solution!
I wish there was a vtun for Windows, that would be really nice.


> You don't. With an IPSEC VPN there are no additional IP addresses, so
> you can't easily distinguish between different VPN clients.
> 
> Bye, Martin
> 


* Re: freeswan: client ip addresses
  2002-04-30  8:12 ` urgrue
@ 2002-04-30  8:35   ` John Hallam
  2002-04-30  9:14     ` urgrue
  0 siblings, 1 reply; 4+ messages in thread
From: John Hallam @ 2002-04-30  8:35 UTC (permalink / raw)
  To: urgrue; +Cc: Martin Bene, admin

	I may be completely -- or only partly -- confused here, but isn't
the idea of an IPSEC tunnel that the packets travel encapsulated from the
remote machine to the IPSEC gateway, and are then decapsulated and appear
on the local gateway IPSEC interface looking as if they came from the
machine at the other end of the tunnel?

	So you firewall based on the IP details of the remote client (even
though the local IPSEC interface that spits out the decapsulated packets
shares the IP address of the physical interface through which the
encapsulated packets arrive).

	John.

On Tue, 30 Apr 2002, urgrue wrote:

> EEEK! Really? Isn't this a bit ridiculous?
> How is one supposed to, for example, allow less-privileged employees
> access to the mail server only, and the better-privileged access also
> to the top-secret database?
> There must be some way; if not, I just can't understand what the IPSEC
> people are thinking. So much for being the fancy next-generation VPN
> solution!



* Re: freeswan: client ip addresses
  2002-04-30  8:35   ` John Hallam
@ 2002-04-30  9:14     ` urgrue
  0 siblings, 0 replies; 4+ messages in thread
From: urgrue @ 2002-04-30  9:14 UTC (permalink / raw)
  To: John Hallam; +Cc: urgrue, Martin Bene, admin

If that's so, I don't like it. First, it assumes your VPN server is the
default gw (or along the default route) of the LAN; otherwise, if the
source IP of the packet is indeed the actual original IP of the client,
replies will never make it back to the tunnel.
Second, this means that the only way you can differentiate between
users or groups of users is to have many VPN servers and each must
masquerade the originating IP. This is just ridiculous.

But thanks to everyone for helping out. Now that I know there is a CIPE
for Windows I'm definitely trying that!



> 	I may be completely -- or only partly -- confused here, but isn't
> the idea of an IPSEC tunnel that the packets travel encapsulated from the
> remote machine to the IPSEC gateway, and are then decapsulated and appear
> on the local gateway IPSEC interface looking as if they came from the
> machine at the other end of the tunnel?
> 
> 	So you firewall based on the IP details of the remote client (even
> though the local IPSEC interface that spits out the decapsulated packets
> shares the IP address of the physical interface through which the
> encapsulated packets arrive).
> 
> 	John.
> 
> On Tue, 30 Apr 2002, urgrue wrote:
> 
> > EEEK! Really? Isn't this a bit ridiculous?
> > How is one supposed to, for example, allow less-privileged employees
> > access to the mail server only, and the better-privileged access also
> > to the top-secret database?
> > There must be some way; if not, I just can't understand what the IPSEC
> > people are thinking. So much for being the fancy next-generation VPN
> > solution!
> 

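Editor's worked example, not part of the thread and not FreeS/WAN code: a small Python model of the two points raised above. John's message describes filtering on the remote client's inner source address as it appears on the gateway's IPsec interface; urgrue's reply objects that replies from LAN servers only get back into the tunnel if the server's route to the client goes via the VPN gateway. The interface name `ipsec0`, the address ranges, the server addresses, the rule table and the routing tables are all constructed for the example; `decide` also drops tunnel-range sources that arrive on a non-tunnel interface, since the gateway can only trust an inner address that really came out of the tunnel.

```python
"""Model of per-client filtering on an IPsec gateway plus a return-route
check. Added example; every address, interface and rule here is constructed."""
import ipaddress

# Constructed: inner (tunnel) address ranges assigned to each client group.
GROUPS = {
    "staff": ipaddress.ip_network("10.1.0.0/24"),
    "admins": ipaddress.ip_network("10.1.1.0/24"),
}
MAIL_SERVER = "192.168.0.10"   # constructed LAN hosts
DB_SERVER = "192.168.0.20"
TUNNEL_IFACE = "ipsec0"        # interface on which decapsulated packets appear

# Constructed allow-list: (client group, destination host, TCP port).
RULES = [
    ("staff", MAIL_SERVER, 143),
    ("admins", MAIL_SERVER, 143),
    ("admins", DB_SERVER, 5432),
]


def group_of(src):
    """Map an inner source address to its client group, or None if it is
    not in any tunnel range."""
    addr = ipaddress.ip_address(src)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return None


def decide(iface, src, dst, dport):
    """Return 'accept' or 'drop' for one decapsulated packet.

    The source address alone is not enough: a tunnel-range source that
    shows up on a LAN interface did not come through the tunnel and is
    treated as spoofed. Everything not explicitly allowed is dropped."""
    group = group_of(src)
    if group is None:
        return "drop"              # not a VPN client address at all
    if iface != TUNNEL_IFACE:
        return "drop"              # anti-spoofing: tunnel range on a LAN port
    for g, host, port in RULES:
        if g == group and host == dst and port == dport:
            return "accept"
    return "drop"


def next_hop(routes, dst):
    """Longest-prefix match over a list of (network, next_hop) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None


def reply_reaches_tunnel(server_routes, vpn_gateway, client):
    """Does the LAN server's routing table send its reply to the client
    back through the VPN gateway? If not, the reply leaves via some other
    router and never re-enters the tunnel."""
    return next_hop(server_routes, client) == vpn_gateway


if __name__ == "__main__":
    print(decide("ipsec0", "10.1.0.5", MAIL_SERVER, 143))    # accept
    print(decide("ipsec0", "10.1.0.5", DB_SERVER, 5432))     # drop: staff
    print(decide("eth0", "10.1.1.7", DB_SERVER, 5432))       # drop: spoofed
    # Constructed server routing tables: default via the VPN gateway ...
    ok = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.1")]
    # ... versus default via a different router with no tunnel route ...
    bad = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.254")]
    # ... which a specific route for the tunnel range repairs.
    fixed = bad + [("10.1.0.0/16", "192.168.0.1")]
    for table in (ok, bad, fixed):
        print(reply_reaches_tunnel(table, "192.168.0.1", "10.1.0.5"))
```

The return-route check is the cheaper of the two fixes urgrue's second paragraph contemplates: rather than masquerading every tunnel behind a separate VPN server, the LAN hosts (or their default router) just need a route for the client address range pointing at the gateway, after which filtering on the inner source address works as John describes.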
