[strongSwan] how to create a ACL-like system based on certificates?

John A. Sullivan III jsullivan at opensourcedevel.com
Thu May 13 22:50:51 CEST 2010


On Thu, 2010-05-13 at 01:02 +0200, Andreas Schuldei wrote:
> In order to have fine grained control over the IPsec traffic in our
> distributed network of host-to-host ipsec connections we would like to
> create a ACLs-like system.
> 
> For example all servers should be able to talk to infrastructure hosts
> (like DNS or backup servers).
> 
> Only the other storage servers and the few specialized servers
> accessing the storage system should be able to initiate connections to
> storage servers.
> 
> Only the server distributing the search index and the few servers
> quering the search system should be able to initiate connections to
> search servers.
> 
> The monitoring servers should be able to initiate connections to all servers.
> 
> How could i represent such a system with different types of server
> certificates (one type per server class) and strongswan configuration?
I'll toss my two cents in as I see no one else has responded yet.  We've
never done this at the IPSec level.  We have done something similar by
combining either IPSec or OpenVPN and iptables via the ISCS project
(http://iscs.sourceforge.net).  I've not had the time to build a
community around ISCS so it is not as well maintained as I would like
but it does give exactly this kind of control and that control can be
based upon X.509 fields and those credentials can be used throughout the
entire WAN without resorting to virtual IP addresses for security
(although sometimes they are handy for routing and troubleshooting
issues).

There are several important fixes in the CVS awaiting to be rolled into
a new release - John





More information about the Users mailing list