[strongSwan] StrongSWAN and AVM Fritzbox - Help!
ml at bartschnet.de
Tue Feb 15 20:27:53 CET 2011
On Mon, 14 Feb 2011 21:52:38 -0800, Daniel Mentz
<danielml+mailinglists.strongswan at sent.com> wrote:
> On 02/13/2011 12:42 PM, Rene Bartsch wrote:
>> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
>> <danielml+mailinglists.strongswan at sent.com> wrote:
>>> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>>>> After removing "leftfirewall=yes" from ipsec.conf and adding the
>>>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain, it
>>>> seems to work.
>> xxx.xxx.xxx.20: eth0 primary public IP of Ubuntu 10.04.2 LTS
>> xxx.xxx.xxx.102: eth0:0 secondary public IP of Ubuntu 10.04.2 LTS
>> (IPSec connection)
>> 192.168.176.1: dummy0 Test for virtual servers
>> eth0: 1000Base-T internet-uplink
>> eth1: unused
> Hi Rene,
> so I guess there's a misunderstanding here. I thought your servers were
> "behind" your VPN gateway (your Ubuntu box), but it looks like your
> server daemons run on the same machine. That's why you set up the dummy0
> interface, I guess.
Yes, separating service daemons for public internet and IPSec intranet.
> That's actually the reason why the packets never hit the FORWARD chain.
> The fact that the IP address 192.168.176.1 is assigned to an interface
> which is different from the interface on which the ESP packets come in
> is not considered forwarding. So I guess the rules which are created
> by "leftfirewall=yes" won't help you since you need those rules in your
> INPUT chain.
If there's a way to detect the setup it would be great if "leftfirewall"
automatically detects all rules for INPUT or FORWARD chain.
> You were asking whether your setup might send any plaintext packets,
> right? If you're worried about that then you might want to change the
> default policy of the OUTPUT chain from ACCEPT to DROP and insert
> appropriate rules.
Keeping OUTPUT rules in sync with scripts, e.g. cron jobs creating FTP
connections, is too complicated. I think I'll drop private network packets
to the internet as you suggested before.
> Does that answer your questions?
Not yet. ;-)
After the ISP-forced DSL disconnection (thank you, Deutsche Telekom AG :-( ) I
have to restart IPSec on the Ubuntu machine (/etc/init.d/ipsec restart).
Otherwise no IPSec connections can be established. Is there any
configuration trick to reestablish the IPSec connection after the
disconnection/IP change?
> If you finally have a working setup, you might want to share your
> experience on the strongSwan wiki so that other users can benefit from
Only wimps use tape backup: real men just upload their important stuff on
ftp, and let the rest of the world mirror it ;) Torvalds, Linus
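The thread's point that traffic terminating on the gateway itself traverses INPUT/OUTPUT rather than FORWARD, as an added example that is not from the thread or from strongSwan's stock _updown script: a custom updown hook that opens the INPUT and OUTPUT chains only for packets that actually carried the IPsec policy of the matching SA. It assumes the PLUTO_* variables charon exports to updown scripts (PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER_CLIENT, PLUTO_MY_CLIENT, PLUTO_REQID, PLUTO_PROTO) and the iptables "policy" match.

```shell
#!/bin/sh
# Custom updown hook (added example, not strongSwan's own _updown).
# Builds INPUT/OUTPUT rules with the "policy" match, so only decapsulated
# IPsec traffic of this SA (reqid) is accepted; plaintext packets to or
# from the private range still hit the chain's default policy.

# Print the iptables command for one direction without executing it, so
# the rule can be inspected before it touches the firewall.
# $1: "in" or "out"; $2: "I" (insert at top) or "D" (delete)
build_rule() {
    dir="$1"; action="$2"
    if [ "$dir" = "in" ]; then
        # ESP arrives on $PLUTO_INTERFACE, is decapsulated, and the inner
        # packet is delivered locally: INPUT, matched by the inbound policy.
        echo "iptables -$action INPUT -i $PLUTO_INTERFACE" \
             "-s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT" \
             "-m policy --dir in --pol ipsec --reqid $PLUTO_REQID" \
             "--proto $PLUTO_PROTO -j ACCEPT"
    else
        # Locally generated replies leave via OUTPUT before encapsulation.
        echo "iptables -$action OUTPUT -o $PLUTO_INTERFACE" \
             "-s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT" \
             "-m policy --dir out --pol ipsec --reqid $PLUTO_REQID" \
             "--proto $PLUTO_PROTO -j ACCEPT"
    fi
}

# Map the updown verb to add/remove; other verbs (up-host etc.) are ignored.
rules_for_verb() {
    case "$1" in
        up-client)   build_rule in I; build_rule out I ;;
        down-client) build_rule in D; build_rule out D ;;
        *) return 0 ;;
    esac
}

# Entry point when charon invokes the script (PLUTO_VERB is set by charon).
# Assumption: runs as root with iptables installed.
if [ -n "$PLUTO_VERB" ]; then
    rules_for_verb "$PLUTO_VERB" | while read -r cmd; do
        eval "$cmd"
    done
fi
```

Point ipsec.conf at it with `leftupdown=/path/to/this/script` and drop `leftfirewall=yes`, since the stock FORWARD rules never match locally delivered traffic.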