From: Thomas S. <tho...@tr...> - 2008-03-20 07:49:50

hi,

it seems i didn't send the mail to the list ;)

does there exist a web frontend for the mailing list, to search the archive?

greetings
thomas

On 18.03.2008 17:11, Thomas Stegbauer wrote:
> hello ml,
>
> i am not sure if i have a misconfiguration, or a misunderstanding
>
> on my configuration i have a
> remote anonymous {
>     passive on;
>     generate_policy on;
>     ..
>     ..
> }
>
> with this config every user, who has a valid cert from my ca, can login
> to the vpn, this is, like it should be.
>
> but i am unable to define which ip-subnet the remote-site must use,
> (policy gets automatically generated, because i don't know the remote-ip) so a
> remote-site can also establish a site to site policy, with any
> parameters and knock out another valid remote-user.
>
> is there a way to work around this?
>
> greetings
> thomas
>
> --
> # Thomas Stegbauer
From: VANHULLEBUS Y. <va...@fr...> - 2008-03-20 09:56:15

On Thu, Mar 20, 2008 at 08:49:39AM +0100, Thomas Stegbauer wrote:
> hi,

Hi.

> it seems i didn't send the mail to the list ;)
>
> does there exist a web frontend for the mailing list, to search the archive?

http://sourceforge.net/mail/?group_id=74601

(the link from ipsec-tools.sf.net is broken, I just updated it, so it
should be ok within a few hours).

[...]

> > hello ml,
> >
> > i am not sure if i have a misconfiguration, or a misunderstanding
> >
> > on my configuration i have a
> > remote anonymous {
> >     passive on;
> >     generate_policy on;
> >     ..
> >     ..
> > }
> >
> > with this config every user, who has a valid cert from my ca, can login
> > to the vpn, this is, like it should be.
> >
> > but i am unable to define which ip-subnet the remote-site must use,
> > (policy gets automatically generated, because i don't know the remote-ip) so a
> > remote-site can also establish a site to site policy, with any
> > parameters and knock out another valid remote-user.
> >
> > is there a way to work around this?

Yes:

* You can use semi anonymous sainfos, which will look like that:

sainfo address gatenetwork any anonymous {
    ....
}

That means your peers can use whatever IP they want, but your local part
of the tunnel can only be your gate's network.

* You can use the "from idtype id" statement of sainfo, which will only
allow some specific users (well, some specific Phase 1, which used the
specified identifier) to use that sainfo.

Of course, the best is to use a semi anonymous sainfo with specified
Ph1 peers :-)

Yvan.
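To make the two suggestions above concrete, here is a racoon.conf fragment written for this thread as an added example; it is not Yvan's configuration nor anything shipped with ipsec-tools. It assumes the gate's protected network is 192.168.10.0/24, a CA-issued certificate for the gate, and a constructed X.509 subject DN for one permitted peer; substitute your own values. The first sainfo is the fully anonymous form that lets any authenticated peer negotiate a Phase 2 for any pair of networks (the problem described in the original mail), the second pins the local side to the gate's network, and the third additionally binds the sainfo to one Phase 1 identity.

```conf
# --- Phase 1: any peer holding a valid certificate from our CA ---
# Unchanged from the original post in spirit; a sainfo is what limits
# which Phase 2 (traffic selector) a given peer may then negotiate.
remote anonymous {
    exchange_mode main;
    certificate_type x509 "gate.crt" "gate.key";   # assumed file names
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    passive on;
    generate_policy on;   # install SPD entries from what the peer proposes
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

# --- (1) WEAK: fully anonymous sainfo ---
# With generate_policy on, any authenticated peer can propose any
# local/remote network pair, so one peer's site-to-site policy can
# shadow or clobber the policy another valid user relies on.
#
# sainfo anonymous {
#     pfs_group modp1024;
#     encryption_algorithm aes;
#     authentication_algorithm hmac_sha1;
#     compression_algorithm deflate;
# }

# --- (2) BETTER: semi-anonymous sainfo ---
# Local side fixed to the gate's network (192.168.10.0/24, assumed);
# the peer may still use whatever address it sits behind.
sainfo address 192.168.10.0/24 any anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# --- (3) BEST: semi-anonymous sainfo bound to one Phase 1 identity ---
# Only a peer whose Phase 1 identifier (here the certificate subject DN,
# constructed for this example) matched can select this sainfo.
sainfo address 192.168.10.0/24 any anonymous
       from asn1dn "C=DE, O=Example Org, CN=branch-office-1" {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Sainfos are matched in order, so keep the identity-bound entries above the generic semi-anonymous one, and after a change run racoon with the config check only (racoon -C, then inspect with setkey -DP) to confirm which SPD entries peers actually end up installing.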