<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:2127265016;
mso-list-type:hybrid;
mso-list-template-ids:1653103992 1074331663 1074331673 1074331675 1074331663 1074331673 1074331675 1074331663 1074331673 1074331675;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IN" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a tunnel connection from PeerA to PeerB connected back to back:-<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ipsec.conf of PeerA:-<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
config setup
    strictcrlpolicy=no
    charondebug="ike 4, cfg 4, dmn 4, knl 4, chd 4"

conn peerA
    left=10.222.4.240
    leftfirewall=no
    leftsourceip=%config
    right=10.222.4.199
    rightsubnet=0.0.0.0/0
    reauth=no
    rekey=yes
    mobike=no
    type=tunnel
    authby=secret
    auto=add
    keyexchange=ikev2
    ikelifetime=3h
    keylife=2h
    lifepackets=10240
    rekeymargin=1h
    ike=aes128-sha1-modp768!
    esp=aes128-sha1!
</pre>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">ipsec.conf of PeerB:-<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<pre>
config setup
    strictcrlpolicy=no
    charondebug="ike 4, cfg 4, dmn 4, knl 4, chd 4"

conn peerB
    right=10.222.4.240
    leftfirewall=no
    rightsourceip=10.10.10.5
    left=10.222.4.199
    leftsubnet=10.222.4.199/32
    reauth=no
    rekey=yes
    mobike=no
    type=tunnel
    authby=secret
    auto=add
    keyexchange=ikev2
    ikelifetime=3h
    keylife=2h
    lifepackets=10240
    rekeymargin=1h
    ike=aes128-sha1-modp768!
    esp=aes128-sha1!
</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Established a tunnel connection 10.10.10.5 === 10.222.4.199.<o:p></o:p></p>
<p class="MsoNormal">No protocol/port is specified in the tunnel connection.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>I have kept leftfirewall=no as I only want to accept packets directed to certain ports and block others. So, if I let strongSwan set the firewall policies, all ports at the endpoint (10.222.4.199) would be open, since we are not specifying any protocols in the connection.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So, I am trying to establish the connections manually. The default policies of the INPUT, OUTPUT and FORWARD chains in iptables are set to DROP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The commands executed are :-<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
# On the host holding 10.10.10.6 (eth1). Long options take two dashes.
# INPUT rules use --dir in; OUTPUT rules must use --dir out, because the
# policy match rejects --dir in outside PREROUTING/INPUT/FORWARD.
# Note: --sport N --dport N only matches flows where BOTH ends use port N.
iptables -A INPUT  -s 10.222.4.199/32 -d 10.10.10.6/32 -i eth1 -p tcp --sport 80 --dport 80 -m policy --dir in  --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A OUTPUT -s 10.10.10.6/32 -d 10.222.4.199/32 -o eth1 -p tcp --sport 80 --dport 80 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A INPUT  -s 10.222.4.199/32 -d 10.10.10.6/32 -i eth1 -p tcp --sport 22 --dport 22 -m policy --dir in  --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A OUTPUT -s 10.10.10.6/32 -d 10.222.4.199/32 -o eth1 -p tcp --sport 22 --dport 22 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If strongSwan had set the iptables rules using the updown script, it would be something like below:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
user# iptables -L -v
 pkts bytes target     prot opt in     out     source          destination
    0     0 ACCEPT     all  --  eth1   any     10.222.4.199    10.10.10.6    policy match dir in pol ipsec reqid 1 proto esp
</pre>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">And corresponding entries would also be present for the FORWARD and OUTPUT chains.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The questions I have are:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<ol>
<li class="MsoListParagraph"><span style="color:#1F497D">Is it okay to add multiple entries related to the same ‘reqid’ in iptables when only a single IPsec SA is present?</span></li>
<li class="MsoListParagraph"><span style="color:#1F497D">Why is ‘reqid’ used by the strongSwan updown script even when I can get the same behaviour without the usage of ‘reqid’? Or am I missing anything?</span></li>
</ol>
<p class="MsoListParagraph"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks and Regards,<o:p></o:p></p>
<p class="MsoNormal">Prasobh<o:p></o:p></p>
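<p class="MsoNormal">Added example (editor's note, not part of the original message and not strongSwan's stock <code>_updown</code>): the port-restricted rules above can be installed per SA by a custom <code>leftupdown</code> script instead of by hand, which keeps the <code>--reqid</code> binding the default script relies on. <code>--pol ipsec</code> alone matches a packet protected by any SA on the host; <code>--reqid</code> ties the rule to the SA bundle this updown call is about, and several rules carrying the same reqid are fine because the reqid is a policy identifier, not a one-rule-per-SA counter. The <code>PLUTO_*</code> variables are the ones strongSwan exports to updown scripts; the script path, the <code>ALLOWED_TCP_PORTS</code> knob and the <code>IPTABLES</code> override are assumptions made for this example. Set <code>IPTABLES=echo</code> to print the rules instead of loading them.</p>

```shell
#!/bin/sh
# Custom strongSwan updown script (added example; not the stock _updown).
# Hook it in with  leftupdown=/etc/ipsec.d/port-updown.sh  and keep
# leftfirewall=no, so the default script does not also insert its
# "all protocols" rules.  The path and ALLOWED_TCP_PORTS are assumptions.
#
# strongSwan passes the SA details to the updown script as PLUTO_* variables:
# PLUTO_VERB (up-client/down-client/...), PLUTO_INTERFACE, PLUTO_REQID,
# PLUTO_PROTO (esp or ah), PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT (CIDR).

ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"   # services reachable through the tunnel
IPTABLES="${IPTABLES:-iptables}"                  # set to "echo" for a dry run

# Per-SA policy match.  "--pol ipsec" alone would accept a packet that was
# protected by *any* SA on this host; "--reqid" pins the rule to the SA
# bundle this updown invocation is about.  Direction must match the chain:
# "in" for INPUT/FORWARD, "out" for OUTPUT/FORWARD.
policy_match() {
    printf '%s' "-m policy --dir $1 --pol ipsec --reqid $PLUTO_REQID --proto $PLUTO_PROTO"
}

# build_rules ACTION   (ACTION is -I to install at the top, -D to remove)
# Prints one iptables argument line per rule, so the rule set can be
# inspected or tested without touching the kernel.
build_rules() {
    action="$1"
    pos=""
    if [ "$action" = "-I" ]; then pos=" 1"; fi
    for port in $ALLOWED_TCP_PORTS; do
        # Peer -> this host: only the allowed destination port, and only
        # if the packet was decapsulated from this SA (--dir in).
        printf '%s INPUT%s -i %s -s %s -d %s -p tcp --dport %s %s -j ACCEPT\n' \
            "$action" "$pos" "$PLUTO_INTERFACE" "$PLUTO_PEER_CLIENT" \
            "$PLUTO_MY_CLIENT" "$port" "$(policy_match in)"
        # This host -> peer: replies leave from the service port; the
        # peer's port is ephemeral, so only --sport is pinned.
        printf '%s OUTPUT%s -o %s -s %s -d %s -p tcp --sport %s %s -j ACCEPT\n' \
            "$action" "$pos" "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" \
            "$PLUTO_PEER_CLIENT" "$port" "$(policy_match out)"
    done
}

# apply_rules ACTION: feed every generated rule to iptables.
apply_rules() {
    build_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086   (word splitting of $rule is intended)
        $IPTABLES $rule
    done
}

case "${PLUTO_VERB:-}" in
    up-client|up-host)     apply_rules -I ;;
    down-client|down-host) apply_rules -D ;;
    *) ;;   # not invoked by charon (e.g. sourced for a dry run): do nothing
esac
```

<p class="MsoNormal">With <code>PLUTO_REQID=1</code>, <code>PLUTO_PEER_CLIENT=10.222.4.199/32</code> and <code>PLUTO_MY_CLIENT=10.10.10.6/32</code> this yields the same shape of rules as the manual ones above, but with the reqid taken from the SA that actually came up, <code>--dir out</code> on the OUTPUT side, and the rules removed again on <code>down-client</code>.</p>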
</div>
</body>
</html>