[strongSwan] ACLs-like system to control IPsec traffic

Andreas Schuldei schuldei+strongswan at spotify.com
Thu May 13 11:21:57 CEST 2010


Ah, and one server could be in several classes of machines (e.g.
search and storage).

On Thu, May 13, 2010 at 1:09 AM, Andreas Schuldei
<schuldei+strongswan at spotify.com> wrote:
> In order to have fine grained control over the IPsec traffic in our
> distributed network of host-to-host IPsec connections we would like to
> create an ACLs-like system.
>
> For example all servers should be able to talk to infrastructure hosts
> (like DNS or backup servers).
>
> Only the other storage servers and the few specialized servers
> accessing the storage system should be able to initiate connections to
> storage servers.
>
> Only the server distributing the search index and the few servers
> querying the search system should be able to initiate connections to
> search servers.
>
> The monitoring servers should be able to initiate connections to all servers.
>
> How could I represent such a system with different types of server
> certificates (one type per server class) and strongSwan configuration?
>
> /andreas
>
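One way to express the per-class rules above in strongSwan, shown as an added example rather than anything from the original thread: encode the server class in the certificate subject (here the OU attribute, with one internal CA issuing all host certificates), and give each host only the `conn` sections for the classes allowed to reach it, so an IKE peer whose certificate matches no `rightid` is refused. The DN components, file and host names are placeholders.

```ini
# ipsec.conf on a storage server (constructed example).
# Assumptions: a single internal CA; server class carried in the OU of the
# certificate subject; "C=XX, O=Example" and the hostnames are placeholders.
config setup

conn %default
    keyexchange=ikev2
    left=%defaultroute
    leftcert=storage01-cert.pem        # this host's own certificate
    right=%any                         # any address, but the ID must match below
    auto=add                           # respond only; do not initiate

# Inbound: who may initiate to a storage server.
# A peer presenting a certificate from any other class (e.g. OU=search)
# matches none of these sections and its IKE_AUTH is rejected.
conn from-storage
    rightid="C=XX, O=Example, OU=storage, CN=*"

conn from-storage-clients
    rightid="C=XX, O=Example, OU=storage-client, CN=*"

conn from-monitoring
    rightid="C=XX, O=Example, OU=monitoring, CN=*"

# Outbound: every class may reach infrastructure hosts, so this host
# initiates that SA itself and pins the peer to a concrete identity.
conn to-dns
    right=dns01.example.internal
    rightid="C=XX, O=Example, OU=infrastructure, CN=dns01.example.internal"
    auto=start
```

A host that belongs to two classes (the search-and-storage case) simply carries the union of both classes' `conn` sections. The `conn` list governs only IKE; for it to act as an ACL the host firewall must still drop cleartext traffic, for example with an iptables rule that accepts input only when `-m policy --dir in --pol ipsec` matches.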
