[strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules

Andreas Steffen andreas.steffen at strongswan.org
Tue Aug 23 20:23:56 CEST 2011


Hello,

Define two connections, one restricting the protocol to ssh
and the second one to tftp:

conn ssh
     also=hosts
     leftprotoport=tcp
     rightprotoport=tcp/ssh
     auto=add

conn tftp
     also=hosts
     leftprotoport=udp
     rightprotoport=udp/tftp
     auto=add

conn hosts
     left=
     right=
     # common definitions

Regards

Andreas

On 23.08.2011 16:38, kvunnava at rockwellcollins.com wrote:
> 
> Thanks Andreas.
> We have made some progress by following these steps:
> 
> 1] Created a static firewall policy allowing traffic for UDP port
> 500. *PFA configuration file for strongSwan*.
> 2] It was noticed that the tunnel was established by dynamically adding a
> matching policy for IPsec.
> 3] Now the requirement is to send only SSH/TFTP encrypted traffic over
> this tunnel.
> 
> Can you please let me know the steps to achieve the last requirement?
> Also please note that this traffic is not to be allowed once the tunnel
> has gone down.
> 
> Looking forward to the reply!!!
> 
> -Best Regards,
> VKS.
> 
> 
> 
> Andreas Steffen <andreas.steffen at strongswan.org> wrote on 08/23/2011 01:39 AM
> (to kvunnava at rockwellcollins.com, cc users at lists.strongswan.org):
> 
> IPsec policy-based rules are installed by the standard _updown
> script, which is activated with the ipsec.conf parameter
> 
>  leftfirewall=yes
> 
> Regards
> 
> Andreas
> 
> On 08/22/2011 05:05 PM, kvunnava at rockwellcollins.com wrote:
>>
>> Hi Guys,
>> we have a requirement related to IPsec-policy-based firewall rules.
>>
>> Steps we followed:
>> 1] Configured the ipsec.conf with the parameter "leftupdown=<Script
>> Path>".
>> 2] Created the script and kept it at the right place.
>>
>> Once the IKEv1-based tunnel was up, it was expected that the script
>> would be executed, but that's not happening.
>>
>> Please let me know the right way to configure the "Automatic
>> Addition/Deletion of Ipsec-Policy-based Firewall Rules".
>>  
>> -Thanks in Advance,
>> VKS.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
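As an added example (not strongSwan's own _updown script, nor anything posted in this thread), here is a minimal POSIX sh updown script that turns the negotiated leftprotoport/rightprotoport selector into firewall rules bound to the policy's reqid on up-host and removes them again on down-host, so SSH/TFTP packets are accepted only while the tunnel is up. The PLUTO_* names are the variables strongSwan exports to an updown script; the 192.0.2.x addresses and the reqid in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown: install firewall rules only
# for traffic matching the IPsec policy that just came up, and remove them
# when it goes down.  The IKE daemon exports the PLUTO_* variables used here.
# IPTABLES defaults to the real binary; IPTABLES=echo gives a dry run.
IPTABLES="${IPTABLES:-iptables}"

# Port match from the negotiated selector; "0" or empty means any port.
port_match() {  # $1 = --sport or --dport, $2 = port
    if [ -n "$2" ] && [ "$2" != "0" ]; then printf ' %s %s' "$1" "$2"; fi
}

# Packets reaching this host through the tunnel.  "-m policy --pol ipsec
# --reqid" ties the rule to this SA pair, so unprotected packets with the
# same addresses never match; -p/--sport/--dport come from the protoport.
inbound_rule() {  # $1 = -I (add) or -D (delete)
    printf '%s INPUT -m policy --dir in --pol ipsec --proto %s --reqid %s -p %s -s %s%s -d %s%s -j ACCEPT' \
        "$1" "$PLUTO_PROTO" "$PLUTO_REQID" "$PLUTO_MY_PROTOCOL" \
        "$PLUTO_PEER_CLIENT" "$(port_match --sport "$PLUTO_PEER_PORT")" \
        "$PLUTO_MY_CLIENT"   "$(port_match --dport "$PLUTO_MY_PORT")"
}

# Packets this host sends into the tunnel (mirror image of the above).
outbound_rule() {  # $1 = -I (add) or -D (delete)
    printf '%s OUTPUT -m policy --dir out --pol ipsec --proto %s --reqid %s -p %s -s %s%s -d %s%s -j ACCEPT' \
        "$1" "$PLUTO_PROTO" "$PLUTO_REQID" "$PLUTO_PEER_PROTOCOL" \
        "$PLUTO_MY_CLIENT"   "$(port_match --sport "$PLUTO_MY_PORT")" \
        "$PLUTO_PEER_CLIENT" "$(port_match --dport "$PLUTO_PEER_PORT")"
}

# Host-to-host policies arrive as up-host/down-host; subnet policies
# (up-client/down-client) would need FORWARD rules instead.
apply_policy() {
    case "$PLUTO_VERB" in
        up-host)   $IPTABLES $(inbound_rule -I) && $IPTABLES $(outbound_rule -I) ;;
        down-host) $IPTABLES $(inbound_rule -D); $IPTABLES $(outbound_rule -D) ;;
    esac
}

if [ -n "$PLUTO_VERB" ]; then
    apply_policy
else
    # Not invoked by the IKE daemon: dry-run on a constructed sample of what
    # it would export for the "ssh" conn (leftprotoport=tcp, right tcp/ssh).
    IPTABLES=echo
    PLUTO_PROTO=esp; PLUTO_REQID=1
    PLUTO_MY_CLIENT=192.0.2.1/32;   PLUTO_MY_PROTOCOL=6;   PLUTO_MY_PORT=0
    PLUTO_PEER_CLIENT=192.0.2.2/32; PLUTO_PEER_PROTOCOL=6; PLUTO_PEER_PORT=22
    for PLUTO_VERB in up-host down-host; do apply_policy; done
fi
```

Because the accept rules carry `--reqid` and are deleted on down-host, cleartext SSH or TFTP between the same two addresses is never matched, and nothing is accepted after the tunnel is gone.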
