[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Tue Feb 15 06:52:38 CET 2011
On 02/13/2011 12:42 PM, Rene Bartsch wrote:
> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
> <danielml+mailinglists.strongswan at sent.com> wrote:
>> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>>> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming
>>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, it
>>> seems to work.
> xxx.xxx.xxx.20: eth0 primary public IP of Ubuntu 10.04.2 LTS server
> xxx.xxx.xxx.102: eth0:0 secondary public IP of Ubuntu 10.04.2 LTS server
> (IPSec connection)
> 192.168.176.1: dummy0 Test for virtual servers
>
> eth0: 1000Base-T internet-uplink
> eth1: unused
Hi Rene,
so I guess there's a misunderstanding here. I thought your servers were
"behind" your VPN gateway (your Ubuntu box), but it looks like your
server daemons run on the same machine. That's why you set up the dummy0
interface, I guess.
That's actually the reason why the packets never hit the FORWARD chain.
The fact that the IP address 192.168.176.1 is assigned to an interface
which is different from the interface on which the ESP packets come in
is not considered forwarding. So I guess the rules which are created
by "leftfirewall=yes" won't help you since you need those rules in your
INPUT chain.
You were asking whether your setup might send any plaintext packets,
right? If you're worried about that then you might want to change the
default policy of the OUTPUT chain from ACCEPT to DROP and insert
appropriate rules.
Does that answer your questions?
If you finally have a working setup, you might want to share your
experience on the strongSwan wiki so that other users can benefit from it.
-Daniel
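As an added example, not code from this thread or from strongSwan's own _updown script, here is a rule set that implements the two suggestions above: the leftfirewall=yes-style policy match moved into INPUT/OUTPUT, and a DROP default on OUTPUT with explicit rules so plaintext cannot leak. The endpoint address xxx.xxx.xxx.102 and the 192.168.176.0/24 dummy0 network come from the thread; the Fritzbox LAN (PEER_NET) and the DRY_RUN wrapper are my own assumptions.

```shell
#!/bin/sh
# Constructed example, not code from the thread or strongSwan: firewall
# rules for a gateway whose server daemons run on the gateway itself
# (dummy0), so decrypted traffic traverses INPUT and OUTPUT, never FORWARD.
# VPN_IP and LOCAL_NET come from the thread; PEER_NET is an assumption.
VPN_IP="${VPN_IP:-xxx.xxx.xxx.102}"
LOCAL_NET="${LOCAL_NET:-192.168.176.0/24}"
PEER_NET="${PEER_NET:-192.168.178.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Default-deny both chains so nothing leaves in plaintext by accident.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Traffic for the peer LAN that is not covered by an IPsec policy is
    # logged and dropped before the conntrack rules below could accept it.
    ipt -A OUTPUT -d "$PEER_NET" -m policy --dir out --pol none -j LOG --log-prefix "ipsec-leak: "
    ipt -A OUTPUT -d "$PEER_NET" -m policy --dir out --pol none -j DROP
    ipt -A INPUT -s "$PEER_NET" -m policy --dir in --pol none -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IKE (UDP 500, 4500 for NAT-T) and ESP on the IPsec endpoint address.
    ipt -A INPUT -d "$VPN_IP" -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipt -A OUTPUT -s "$VPN_IP" -p udp -m multiport --sports 500,4500 -j ACCEPT
    ipt -A INPUT -d "$VPN_IP" -p esp -j ACCEPT
    ipt -A OUTPUT -s "$VPN_IP" -p esp -j ACCEPT
    # The leftfirewall=yes FORWARD rules moved to INPUT/OUTPUT: accept the
    # tunnelled subnets only when the packet was (or will be) ESP-protected.
    ipt -A INPUT -s "$PEER_NET" -d "$LOCAL_NET" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    ipt -A OUTPUT -s "$LOCAL_NET" -d "$PEER_NET" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# Number of generated rules touching FORWARD; expected to be 0 in this setup.
forward_rules() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '-A FORWARD' || true
}

build_rules
```

Run with DRY_RUN=0 as root to apply the rules; the default prints them so they can be reviewed first.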