[strongSwan] Possibly a bug in charon when auto=start
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Wed Mar 3 14:04:30 CET 2010
Hi Vladimir,
I recommend not to depend on IPsec policies if you want to enforce that
no unencrypted traffic leaves the gateway and that no unprotected
traffic is accepted.
Use the policy match provided by iptables. Here's an example:
iptables -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# Do not forward packets to or from xyz if ipsec is off
iptables -A FORWARD -d 1.2.3.4/26 -j REJECT --reject-with
icmp-net-unreachable
iptables -A FORWARD -s 1.2.3.4/26 -j REJECT --reject-with
icmp-net-unreachable
-Daniel
> Martin, thank you for clarification.
> I think it will be good if this 'auto=start' feature will be documented in ipsec.conf(5) man page.
> Because a strongswan-newbie sysadmin may use this option without knowing that unencrypted packets are not filtered if the tunnel is not up yet. This may be a serious vulnerability of a system.
>
> Thank you!
> Best regards, Vladimir
>
>
>> Yes, this is the intended behavior. auto=start does not install policies
>> until the tunnel has been negotiated. auto=route installs the policies
>> and triggers a tunnel when required.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list