<html><div>SOLVED!<br><br>Thanks to Noel, I have a fix to block Strongswan client-to-client VPN traffic (thus isolating VPN clients).<br><br>I had two problems.<br>The first was that my default iptables FORWARD rules were in the wrong order.<br><br><font face="Verdana" size="1">-A FORWARD -s 10.1.0.0/16 -d 10.1.0.0/16 -j REJECT<br>-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT<br>-A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT<br>-A FORWARD -p tcp -j ACCEPT<br>-A FORWARD -p udp -j ACCEPT<br>-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT</font><br><br>The second problem is the /usr/libexec/ipsec/_updown script: case "up-client:iptables" adds the client FORWARD ACCEPT rules at the 1st position, above the REJECT.<br>I fixed that by changing FORWARD 1 to FORWARD 4. Thus the VPN client rules go in position 4.<br><br># VPN client connects as 10.1.0.1<br># _updown adds client ACCEPT rules in FORWARD position 4<br>[root@e20-Strongswan ipsec]# iptables -L | grep -A 10 FORWARD<br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination<br>REJECT all -- 10.1.0.0/16 10.1.0.0/16 reject-with icmp-port-unreachable<br>ACCEPT all -- anywhere anywhere policy match dir in pol ipsec<br>ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED<br>ACCEPT all -- 10.1.0.1 anywhere policy match dir in pol ipsec reqid 16724 proto esp<br>ACCEPT all -- anywhere 10.1.0.1 policy match dir out pol ipsec reqid 16724 proto esp<br>ACCEPT tcp -- anywhere anywhere<br>ACCEPT udp -- anywhere anywhere<br>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br><br>Chris<br><br></div>
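An added check, not from this thread or from strongSwan, for the ordering problem Chris describes: it reads `iptables -S FORWARD` output and reports whether the intra-VPN REJECT is shadowed by an ACCEPT above it that could match client-to-client packets (such as the per-client rules _updown inserts). The two sample chains are constructed to mirror the thread's before/after listings, and `VPN_NET` assumes the 10.1.0.0/16 rightsourceip pool.

```python
import ipaddress
import shlex

VPN_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed: the rightsourceip pool from ipsec.conf

def parse_rule(line):
    """Reduce one `-A FORWARD ...` line (iptables -S format) to src, dst and target."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"src": None, "dst": None, "target": None, "raw": line.strip()}
    i = 2
    while i < len(toks):
        if toks[i] in ("-s", "-d") and i + 1 < len(toks):
            rule["src" if toks[i] == "-s" else "dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif toks[i] == "-j" and i + 1 < len(toks):
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # -m policy, -p, -i, --state etc. are deliberately ignored (see below)
    return rule

def could_match_intra_vpn(rule):
    """False only when -s/-d rule out VPN-to-VPN traffic; ignoring other matches over-approximates."""
    return all(net is None or net.overlaps(VPN_NET) for net in (rule["src"], rule["dst"]))

def audit_forward(chain_text):
    """Return (isolated, shadowing); isolated is None when the intra-VPN REJECT/DROP is absent."""
    shadowing = []
    for rule in filter(None, map(parse_rule, chain_text.splitlines())):
        if rule["target"] in ("REJECT", "DROP") and (rule["src"], rule["dst"]) == (VPN_NET, VPN_NET):
            return (not shadowing, shadowing)
        if rule["target"] == "ACCEPT" and could_match_intra_vpn(rule):
            shadowing.append(rule["raw"])  # an earlier ACCEPT that first-match evaluation hits first
    return (None, shadowing)  # the isolation rule is missing altogether

# Constructed `iptables -S FORWARD` samples mirroring the thread's before/after listings
BEFORE_FIX = """\
-A FORWARD -s 10.1.0.7/32 -m policy --dir in --pol ipsec --reqid 16660 --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.1.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -j ACCEPT
"""
AFTER_FIX = """\
-A FORWARD -s 10.1.0.0/16 -d 10.1.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 10.1.0.7/32 -m policy --dir in --pol ipsec --reqid 16660 --proto esp -j ACCEPT
"""
```

Feed it live output only after clients have connected, since the shadowing only appears once _updown has run.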
-----Original Message-----<br><b>From:</b> Noel Kuntze [mailto:noel@familie-kuntze.de]<br><b>Sent:</b> Thursday, October 10, 2013 11:00 AM<br><b>To:</b> 'Chris Strong'<br><b>Subject:</b> Re: [strongSwan] blocking Strongswan VPN client-to-client traffic?<br><br>
<font face="Verdana" size="1">Hello Chris,<br><br>The iptables rules are inserted by the default updown script, which is in (/usr)/lib/strongswan/.<br>If you don't like its behaviour, you can edit it and put your own iptables rules and other commands in it.<br>If you want to do that, you need to _copy_ it and alter the copy to your needs.<br>Then put leftupdown=&lt;path to your updown script&gt; (it needs to be executable, of course)<br><br>Regards<br>Noel Kuntze<br><br>On 10.10.2013 19:37, Chris Strong wrote:<br>> Strongswan,<br>><br>>
How do I block client-to-client traffic in strongswan v4.6.4? I want
to completely isolate the VPN clients from each other.<br>><br>> My implementation is simple. The closest example is <a href="http://strongswan.org/uml/testresults4/pfkey/rw-cert/index.html" target="_blank">http://strongswan.org/uml/testresults4/pfkey/rw-cert/index.html</a><br>><br>>
When client VPN tunnels are connected to 'moon', roadwarrior 'carol'
(in random hotel#1) and roadwarrior 'dave' (in random hotel#2) can
access each other on their VPN tunnel assigned non-routable IPs!
For example, if 'carol' is running a web server that binds to her VPN
assigned non-routable, 'dave' can port scan and access 'carol' web
server.<br>><br>> How do I block traffic between all VPN clients
(eg: 'carol' and 'dave')? I've tried iptables INPUT, FORWARD, and
OUTPUT but have been unable to block the client-to-client traffic.
The VPN client ACCEPT rules are added *above* the REJECT rule I added.<br>><br>>
I've spent a great deal of effort getting 4.6.4 working and my attempts
with 5.x have failed, so please don't ask me to upgrade.<br>><br>>
The server configs are inline below. VPN clients get a 10.1.0.0/16
address and can access each other when connected to the strongswan
server.<br>><br>> thanks,<br>> Chris<br>><br>> # /etc/sysconfig/iptables FORWARD rules<br>> -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT<br>> -A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT<br>> -A FORWARD -s 10.1.0.0/16 -d 10.1.0.0/16 -j REJECT<br>> -A FORWARD -p tcp -j ACCEPT<br>> -A FORWARD -p udp -j ACCEPT<br>> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT<br>><br>> # This is what the rules look like before any VPN clients connect<br>> # note the REJECT line position<br>> $ iptables -L<br>> Chain FORWARD (policy ACCEPT)<br>> target prot opt source destination<br>> ACCEPT all -- anywhere anywhere policy match dir in pol ipsec<br>> ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED<br>> REJECT all -- 10.1.0.0/16 10.1.0.0/16 reject-with icmp-port-unreachable<br>> ACCEPT tcp -- anywhere anywhere<br>> ACCEPT udp -- anywhere anywhere<br>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br>><br>> # live iptables after 10.1.0.6 and 10.1.0.7 connect.<br>> # note VPN client ACCEPT rules are added *above* the reject<br>> # Firewall policies are processed top down, so the REJECT line does absolutely nothing.<br>> $ iptables -L<br>> *snip*<br>> Chain FORWARD (policy ACCEPT)<br>> target prot opt source destination<br>> ACCEPT all -- 10.1.0.7 anywhere policy match dir in pol ipsec reqid 16660 proto esp<br>> ACCEPT all -- anywhere 10.1.0.7 policy match dir out pol ipsec reqid 16660 proto esp<br>> ACCEPT all -- 10.1.0.6 anywhere policy match dir in pol ipsec reqid 16652 proto esp<br>> ACCEPT all -- anywhere 10.1.0.6 policy match dir out pol ipsec reqid 16652 proto esp<br>> ACCEPT all -- anywhere anywhere policy match dir in pol ipsec<br>> ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED<br>> REJECT all -- 10.1.0.0/16 10.1.0.0/16 reject-with icmp-port-unreachable<br>> ACCEPT tcp -- anywhere anywhere<br>> ACCEPT udp -- anywhere anywhere<br>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br>> *snip*<br>><br>> [root@e20-Strongswan etc]# cat strongswan.conf<br>> # strongswan.conf - strongSwan configuration file<br>><br>> charon {<br>><br>> # number of worker threads in charon<br>> threads = 32<br>><br>> # send strongswan vendor ID?<br>> # send_vendor_id = yes<br>><br>> plugins {<br>><br>> sql {<br>> # loglevel to log into sql database<br>> loglevel = -1<br>><br>> # URI to the database<br>> # database = sqlite:///path/to/file.db<br>> # database = mysql://user:password@localhost/database<br>> }<br>> }<br>><br>> # ...<br>> }<br>><br>> pluto {<br>> dns1 = 10.1.0.253<br>> }<br>><br>> libstrongswan {<br>><br>> # set to no, the DH exponent size is optimized<br>> # dh_exponent_ansi_x9_42 = no<br>> }<br>><br>><br>> [root@e20-Strongswan etc]# cat ipsec.conf<br>> config setup<br>> plutodebug=control<br>> plutostart=yes<br>> plutostderrlog=/var/log/pluto.log<br>> nat_traversal=yes<br>> uniqueids=yes<br>> crlcheckinterval=60<br>> cachecrls=yes<br>> strictcrlpolicy=yes<br>><br>> ca $default<br>> auto=add<br>><br>> conn ios<br>> type=tunnel<br>> keyexchange=ikev1<br>> authby=xauthrsasig<br>> xauth=server<br>> left=%defaultroute<br>> leftsubnet=0.0.0.0/0<br>> leftcert=serverCert.pem<br>> leftfirewall=yes<br>> right=%any<br>> rightsourceip=10.1.0.0/16<br>> pfs=no<br>> auto=add<br>><br>><br>><br>> _______________________________________________<br>> Users mailing list<br>> Users@lists.strongswan.org<br>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></font></html>