<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2>Hi,</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>Use
case:</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>- I have two
networks connected using the OpenSWan IPSec implementation on Ubuntu</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>- left =
10.0.0.0/24</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>- right =
10.0.1.0/24</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>- RSA
keys</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>- external interface
left = eth0; external interface right = ppp0 (eth0)</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>- internal interfaces
= eth1</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>With iptables I would
like to filter traffic so that I know what is coming in over the VPN and what is
coming from the internet. The thing is, I have NO way to set an anti-spoofing rule.
That means that on the external interface (i.e. from the ISP) I can also receive
traffic from 10.0.0.0/16.</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>On kernel 2.4 this
was simple: VPN traffic simply came in over the ipsec+ interface. On 2.6 it comes
in over the external interface (ppp0 or eth0). If at all possible I would like to
avoid patching the kernel (i.e. I don't want to patch it).</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>Any hint (and
preferably an example too :) ) on how to identify such traffic?</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>I need the same for
an implementation of the MS IPSec VPN, where the L2TP authentication has to come
in over the VPN &lt;&lt; the same problem as above again.</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>Thanks and
regards,</FONT></SPAN></DIV>
<DIV><SPAN class=125523206-22102007><FONT face=Arial
size=2>Damir</FONT></SPAN></DIV></BODY></HTML>
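<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>The rule set below is an added example for the two cases raised in the message above (the subnet-to-subnet tunnel and the L2TP/IPsec clients); it is not from the message or from the Openswan project. On a 2.6 kernel with native IPsec the decrypted inner packet is run through netfilter a second time on the same external interface, so an interface match cannot separate it from a spoofed cleartext packet, but the iptables "policy" match (the xt_policy module, assumed to be present: kernel 2.6.16 / iptables 1.3.5 or newer) matches only packets that came out of, or will go into, an IPsec SA. The script assumes it runs on the right-hand gateway (ppp0 outside, eth1 inside, 10.0.1.0/24 local, 10.0.0.0/24 remote); the left gateway's public address 192.0.2.1 is a placeholder, not something stated in the message.</FONT></SPAN></DIV>

```shell
#!/bin/sh
# Added example (not from the original message or from Openswan): tell IPsec
# traffic apart from cleartext on a 2.6 kernel with the iptables "policy" match
# (xt_policy) instead of the ipsec+ interface that KLIPS provided on 2.4.
#
# Assumed topology (right-hand gateway from the message):
#   external interface ppp0, internal eth1, local 10.0.1.0/24, remote 10.0.0.0/24.
# The left gateway's public address 192.0.2.1 is a placeholder, not from the post.
# Requires a kernel and iptables that ship the policy match (2.6.16 / 1.3.5 or newer).

EXT_IF=${EXT_IF:-ppp0}
INT_IF=${INT_IF:-eth1}
LOCAL_NET=${LOCAL_NET:-10.0.1.0/24}
REMOTE_NET=${REMOTE_NET:-10.0.0.0/24}
PEER=${PEER:-192.0.2.1}
IPT=${IPT:-iptables}        # IPT=echo prints the rules instead of loading them

# Rules for the subnet-to-subnet tunnel (left to right and back).
vpn_rules() {
    # IKE (UDP 500, and 4500 for NAT-T) and ESP from the peer must reach the gateway itself.
    $IPT -A INPUT -i "$EXT_IF" -s "$PEER" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -s "$PEER" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -s "$PEER" -p esp -j ACCEPT

    # The decrypted inner packet traverses netfilter a second time, still on
    # $EXT_IF. "-i ppp0" therefore cannot separate it from a spoofed 10.x packet,
    # but "--pol ipsec" only matches packets that came out of an IPsec SA, and
    # "--tunnel-src" pins that SA to the expected peer.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src "$PEER" \
        -j ACCEPT

    # Reverse direction: forward to the remote subnet only if the packet will be
    # encrypted to $PEER (the outbound policy lookup has already happened in FORWARD).
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst "$PEER" \
        -j ACCEPT

    # Substitute for the anti-spoofing rule the ISP side does not allow:
    # anything from 10.0.0.0/16 that arrives on $EXT_IF in the clear is dropped.
    $IPT -A INPUT   -i "$EXT_IF" -s 10.0.0.0/16 -m policy --dir in --pol none -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s 10.0.0.0/16 -m policy --dir in --pol none -j DROP
}

# Rules for Windows L2TP/IPsec clients (transport-mode SA, client address unknown).
l2tp_rules() {
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    # L2TP (UDP 1701) is accepted only when it arrived inside an IPsec transport
    # SA; a bare UDP 1701 packet from the internet is dropped.
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 1701 -j DROP
}

# Usage: "IPT=echo sh ipsec-rules.sh vpn l2tp" previews the rules;
# as root, "sh ipsec-rules.sh vpn l2tp" loads them.
for target in "$@"; do
    case "$target" in
        vpn)  vpn_rules ;;
        l2tp) l2tp_rules ;;
        *)    echo "unknown target: $target" >&2; exit 2 ;;
    esac
done
```

<DIV><SPAN class=125523206-22102007><FONT face=Arial size=2>Two things to keep in mind when adapting this: the policy match must see the packet after decapsulation, so it belongs in INPUT and FORWARD, not in a raw-table rule that runs before the IPsec stack; and "--dir out" is only valid in OUTPUT, FORWARD and POSTROUTING, where the outbound policy lookup has already been done. Run the script with IPT=echo first and compare the printed rules against "ip xfrm policy" on the gateway before loading them.</FONT></SPAN></DIV>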