[strongSwan] Possibly a bug in charon when auto=start

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Wed Mar 3 14:04:30 CET 2010


Hi Vladimir,

I recommend not to depend on IPsec policies if you want to enforce that 
no unencrypted traffic leaves the gateway and that no unprotected 
traffic is accepted.

Use the policy match provided by iptables. Here's an example:

iptables -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# Do not forward packets to or from xyz if ipsec is off
iptables -A FORWARD -d 1.2.3.4/26 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -s 1.2.3.4/26 -j REJECT --reject-with icmp-net-unreachable

-Daniel

> Martin, thank you for clarification.
> I think it will be good if this 'auto=start' feature will be documented in ipsec.conf(5) man page.
> Because a strongswan-newbie sysadmin may use this option without knowing that unencrypted packets are not filtered if the tunnel is not up yet. This may be a serious vulnerability of a system.
> 
> Thank you!
> Best regards, Vladimir
> 
> 
>> Yes, this is the intended behavior. auto=start does not install policies
>> until the tunnel has been negotiated. auto=route installs the policies
>> and triggers a tunnel when required.
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
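The rule set Daniel posts above, generalized to any number of protected subnets, as an added example that is not part of his mail or of strongSwan: a POSIX shell function that emits an iptables-restore fragment in the order that matters (policy-match ACCEPT rules first, clear-text REJECT rules after) and a second function that refuses a rule list in which a REJECT would precede an ACCEPT. The subnets 192.0.2.0/26 and 198.51.100.0/24 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original mail or from strongSwan.
# Emit iptables-restore rules that let forwarded traffic through only when
# it arrived under, or will leave under, an IPsec policy, and reject
# clear-text traffic to or from the protected subnets otherwise.
# Usage: ipsec_leak_guard_rules SUBNET [SUBNET...]   (subnets are assumptions)
ipsec_leak_guard_rules() {
    printf '%s\n' '*filter'
    # The policy match looks at the xfrm state of the packet, so these two
    # rules MUST come before the REJECT rules: a packet that does not match
    # them has no IPsec policy and must not be forwarded.
    printf '%s\n' '-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT'
    printf '%s\n' '-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT'
    for net in "$@"; do
        printf '%s\n' "-A FORWARD -d $net -j REJECT --reject-with icmp-net-unreachable"
        printf '%s\n' "-A FORWARD -s $net -j REJECT --reject-with icmp-net-unreachable"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check on a generated rule list read from stdin: every ACCEPT must
# precede every REJECT, otherwise the clear-text rule would shadow the
# policy match and break the tunnel traffic too.  Returns 0 when ordered.
ipsec_leak_guard_check() {
    awk '
        /-j ACCEPT/ { if (seen_reject) bad = 1 }
        /-j REJECT/ { seen_reject = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run: print the fragment for two assumed protected subnets.
ipsec_leak_guard_rules 192.0.2.0/26 198.51.100.0/24
```

Feed the output to `iptables-restore --noflush` on the gateway (newer iptables releases also accept `--test` to parse without committing). The rules only cover FORWARD, as Daniel's do; traffic the gateway itself originates or terminates needs matching `-m policy` rules in OUTPUT and INPUT. Using `auto=route` in ipsec.conf instead of `auto=start` is the complementary fix: the policies then exist before the first packet, and the netfilter rules remain as the backstop.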