<br><font size=2 face="Courier New">HI Andreas,</font>
<br><font size=2 face="Courier New">Tried with the below mentioned Steps.
Still; we are Not able to make it work. Please find the attached Log Files
& Configuration Files of Tunnel End Points. we are seeing some error
messages in logs such as .,</font>
<br>
<br><font size=2 face="Courier New"> ssh" #1: ignoring informational
payload, type INVALID_ID_INFORMATION</font>
<br><font size=2 face="Courier New">"ssh" #1: ignoring informational
payload, type INVALID_MESSAGE_ID</font>
<br><font size=2 face="Courier New">"ssh" #1: ignoring informational
payload, type INVALID_MESSAGE_ID</font>
<br>
<br>
<br>
<br><font size=2 face="Courier New">Looking forward for the reply.</font>
<br>
<br><font size=2 face="Courier New">-Thanks in Advance,</font>
<br><font size=2 face="Courier New">VKS</font>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Andreas Steffen <andreas.steffen@strongswan.org></b>
</font>
<p><font size=1 face="sans-serif">08/23/2011 11:53 PM</font>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">kvunnava@rockwellcollins.com</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top><font size=1 face="sans-serif">users@lists.strongswan.org</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: [strongSwan] Automatic
Addition/Deletion of Ipsec-Policy-based Firewall Rules</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2><tt>Hello,<br>
<br>
define two connections, one restricting the protocol to ssh<br>
and the second one to tftp:<br>
<br>
conn ssh<br>
also=hosts<br>
leftprotoport=tcp<br>
rightprotoport=tcp/ssh<br>
auto=add<br>
<br>
conn tftp<br>
also=hosts<br>
leftprotoport=udp<br>
rightprotoport=udp/tftp<br>
<br>
conn host<br>
left=<br>
right=<br>
#common definitions<br>
<br>
Regards<br>
<br>
Andreas<br>
<br>
On 23.08.2011 16:38, kvunnava@rockwellcollins.com wrote:<br>
> <br>
> Thanks Andreas.<br>
> We have Made some progress by following these steps...<br>
> <br>
> 1] Created a Static Firewall Policy allowing Traffic for UDP port<br>
> 500.*PFA Configuration File* *for Strongswan*.<br>
> 2] It is Noticed that Tunnel was established by dynamically adding
a<br>
> Matching policy for IPSEC.<br>
> 3] Now the Requirement is to send Only SSH/TFTP Encrypted Traffic
over<br>
> this Tunnel.<br>
> <br>
> Can You please let me know the Steps to achieve the Last Requirement
??<br>
> Also Please note that this Traffic not to be allowed once the Tunnel<br>
> went down.<br>
> <br>
> <br>
> <br>
> Looking forward for the reply!!!<br>
> <br>
> -Best Regards,<br>
> VKS.<br>
> <br>
> <br>
> <br>
> *Andreas Steffen <andreas.steffen@strongswan.org>*<br>
> <br>
> 08/23/2011 01:39 AM<br>
> <br>
> <br>
> To<br>
> kvunnava@rockwellcollins.com<br>
> cc<br>
> users@lists.strongswan.org<br>
> Subject<br>
> Re:
[strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based<br>
> Firewall Rules<br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> IPsec policy based rules are installed with the standard _updown<br>
> script which is activated with the ipsec.conf parameter<br>
> <br>
> leftfirewall=yes<br>
> <br>
> Regards<br>
> <br>
> Andreas<br>
> <br>
> On 08/22/2011 05:05 PM, kvunnava@rockwellcollins.com wrote:<br>
>><br>
>> Hi Guys,<br>
>> we have a requirement related to IPSEC-Policy-based Firewall Rules.<br>
>><br>
>> Steps we followed:<br>
>> 1] Configured the ipsec.conf with the parameter "leftupdown=<Script<br>
> Path>".<br>
>> 2] Created the script and kept it at right place.<br>
>><br>
>> Once the IKEv1 based Tunnel was UP; it was expected that Execution
of<br>
>> script to be happen.But thats Not happening.<br>
>><br>
>> Please let me know the Right way to Configure the "Automatic<br>
>> Addition/Deletion of Ipsec-Policy-based Firewall Rules".<br>
>> <br>
>> -Thanks in Advance,<br>
>> VKS.<br>
<br>
======================================================================<br>
Andreas Steffen
andreas.steffen@strongswan.org<br>
strongSwan - the Linux VPN Solution!
www.strongswan.org<br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
</tt></font>
<br>