[strongSwan] StrongSWAN and AVM Fritzbox - Help!

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Tue Feb 15 06:52:38 CET 2011

On 02/13/2011 12:42 PM, Rene Bartsch wrote:
> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
> <danielml+mailinglists.strongswan at sent.com>  wrote:
>> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>>> After removing "leftfirewall=yes" from ipsec.conf and adding the
> incoming
>>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually,
>>> it
>>> seems to work.

> xxx.xxx.xxx.20:  eth0    primary   public IP of Ubuntu 10.04.2 LTS server
> xxx.xxx.xxx.102: eth0:0  secondary public IP of Ubuntu 10.04.2 LTS server
> (IPSec connection)
>   dummy0  Test for virtual servers
> eth0: 1000Base-T internet-uplink
> eth1: unused

Hi Rene,
so I guess there's a misunderstanding here. I thought your servers were 
"behind" your VPN gateway (your Ubuntu box), but it looks like your 
server daemons run on the same machine. That's why you set up the dummy0 
interface, I guess.
That's actually the reason, why the packets never hit the FORWARD chain. 
The fact that the IP address is assigned to an interface 
which is different from the interface on which the ESP packets come in 
is not considered as forwarding. So I guess the rules which are created 
by "leftfirewall=yes" won't help you since you need those rules in your 
INPUT chain.

You were asking whether your setup might send any plaintext packets, 
right? If you're worried about that then you might want to change the 
default policy of the OUTPUT chain from ACCEPT to DROP and insert 
appropriate rules.

Does that answer your questions?

If you finally have a working setup, you might want to share your 
experience on the strongSwan wiki so that other users can benefit from it.


More information about the Users mailing list