fripost-ansible/roles/common/files/etc/network/if-up.d/ipsec, branch master Fripost ansible scripts Remove IPSec related files. 2015-06-07T00:52:19+00:00 Guilhem Moulin guilhem@fripost.org 2014-07-02T18:52:27+00:00 e63b5f5e39e2012bbdf1ca8301c6eb2cd13716cb 






Reformulate the headers showing the license.
2015-06-07T00:50:53+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-26T03:09:46+00:00

fd7e94a34b7fa9151d689375d8687d3686786d9b

To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.





To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.







wibble
2015-06-07T00:50:44+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-04T07:25:54+00:00

51ea7eca6ca198606a71c107bb67d64186761456












Be more specific regarding the protocol in use for IPSec policies.
2015-06-07T00:50:43+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-04T06:27:10+00:00

0dd6a96ce1bf2cef9140d01a5c49eb92e2f8ec6f

We use ESP only, so other protocols shouldn't be ACCEPTed.





We use ESP only, so other protocols shouldn't be ACCEPTed.







Prohibit binding against the IP reserved for IPSec.
2015-06-07T00:50:38+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-03T23:31:43+00:00

67c5135625d3553dcb6f2bfc193df24c0e1ab826

Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666





Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666







Use a dedicated, non-routable, IPv4 for IPSec.
2015-06-07T00:50:35+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-03T04:54:11+00:00

2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80

At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.





At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.