[strongSwan] Possibly a bug in charon when auto=start
danielml+mailinglists.strongswan at sent.com
Wed Mar 3 14:04:30 CET 2010
I recommend not depending on IPsec policies if you want to enforce that
no unencrypted traffic leaves the gateway and that no unprotected
traffic is accepted.
Use the policy match provided by iptables. Here's an example:
iptables -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# Do not forward packets to or from xyz if ipsec is off
iptables -A FORWARD -d 184.108.40.206/26 -j REJECT --reject-with
iptables -A FORWARD -s 220.127.116.11/26 -j REJECT --reject-with
> Martin, thank you for clarification.
> I think it would be good if this 'auto=start' behaviour were documented in the ipsec.conf(5) man page.
> Because a strongSwan-newbie sysadmin may use this option without knowing that unencrypted packets are not filtered if the tunnel is not up yet. This may be a serious vulnerability in a system.
> Thank you!
> Best regards, Vladimir
>> Yes, this is the intended behavior. auto=start does not install policies
>> until the tunnel has been negotiated. auto=route installs the policies
>> and triggers a tunnel when required.
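The policy-match approach above, worked out as a complete script. This is an added example, not code from the original post or from the strongSwan project. It assumes hypothetical subnets LOCAL_NET (behind this gateway), REMOTE_NET (behind the peer) and a peer address PEER; all three are placeholders. By default it only prints the iptables commands (DRY_RUN=1), so it can be read and checked without root; set DRY_RUN=0 to apply them. The point it demonstrates is the one Martin describes: with auto=start the kernel has no IPsec policy until the SA is negotiated, so packets for the remote subnet would simply be forwarded in the clear unless the firewall insists on "-m policy --pol ipsec" for that traffic.

```sh
#!/bin/sh
# Added example (not from the original post or the strongSwan project):
# enforce "IPsec or nothing" between two subnets with the iptables policy
# match, so that plaintext cannot cross the gateway while charon has not
# yet installed the tunnel's policies (e.g. auto=start before the SA is up).
#
# Hypothetical values chosen for the example; override via the environment:
#   LOCAL_NET   subnet behind this gateway
#   REMOTE_NET  subnet behind the peer
#   PEER        the peer's public address (for the IKE/ESP rules)
#   DRY_RUN=1   print the iptables commands instead of running them
#               (the default, so the script is readable without root)
LOCAL_NET="${LOCAL_NET:-10.1.0.0/24}"
REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"
PEER="${PEER:-192.0.2.1}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Forwarded traffic between the subnets: accept only what the kernel is
# about to encapsulate (--dir out) or has just decapsulated (--dir in),
# and reject everything else for the same subnet pair. Order matters: the
# policy ACCEPTs must precede the unconditional REJECTs, otherwise the
# REJECTs would also swallow the packets that were going to be encrypted.
ipsec_only_rules() {
    ipt -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    ipt -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    ipt -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -j REJECT --reject-with icmp-admin-prohibited
    ipt -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -j REJECT --reject-with icmp-admin-prohibited
}

# The tunnel itself must still be able to come up: IKE (UDP 500/4500) and
# the ESP packets exchanged with the peer carry no IPsec policy of their
# own, so they need explicit INPUT/OUTPUT rules if those chains are
# otherwise restrictive.
ike_rules() {
    ipt -A INPUT  -s "$PEER" -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipt -A OUTPUT -d "$PEER" -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipt -A INPUT  -s "$PEER" -p esp -j ACCEPT
    ipt -A OUTPUT -d "$PEER" -p esp -j ACCEPT
}

# Number of FORWARD rules the generator emits (dry run, subshell-local).
forward_rule_count() {
    (DRY_RUN=1; ipsec_only_rules) | grep -c .
}

# Sanity check on the generated FORWARD rules: the last "--pol ipsec"
# ACCEPT must come before the first REJECT. Returns 0 if the order is safe.
rule_order_ok() {
    rules=$(DRY_RUN=1; ipsec_only_rules)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '--pol ipsec' \
                  | tail -n 1 | cut -d: -f1)
    first_reject=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' \
                   | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$first_reject" ] \
        && [ "$last_accept" -lt "$first_reject" ]
}

# Print (DRY_RUN=1) or apply (DRY_RUN=0) the ruleset, after checking order.
rule_order_ok || { echo "rule order would leak plaintext" >&2; exit 1; }
ike_rules
ipsecਊ_only_rules 2>/dev/null || ipsec_only_rules
```

The REJECT rules are deliberately scoped to the two subnets rather than being a blanket REJECT, so unrelated forwarding is untouched; widen them if the gateway should forward nothing in the clear at all. The same "policy match first, then reject the plaintext remainder" ordering applies to the OUTPUT chain if the gateway's own traffic to the remote subnet must be protected as well.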