[strongSwan] StrongSWAN and AVM Fritzbox - Help!

Rene Bartsch ml at bartschnet.de
Tue Feb 15 20:27:53 CET 2011

On Mon, 14 Feb 2011 21:52:38 -0800, Daniel Mentz
<danielml+mailinglists.strongswan at sent.com> wrote:
> On 02/13/2011 12:42 PM, Rene Bartsch wrote:
>> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
>> <danielml+mailinglists.strongswan at sent.com>  wrote:
>>> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>>>> After removing "leftfirewall=yes" from ipsec.conf and adding the
>> incoming
>>>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain
>>>> it
>>>> seems to work.
>> xxx.xxx.xxx.20:  eth0    primary   public IP of Ubuntu 10.04.2 LTS
>> xxx.xxx.xxx.102: eth0:0  secondary public IP of Ubuntu 10.04.2 LTS
>> (IPSec connection)
>>   dummy0  Test for virtual servers
>> eth0: 1000Base-T internet-uplink
>> eth1: unused
> Hi Rene,
> so I guess there's a misunderstanding here. I thought your servers were 
> "behind" your VPN gateway (your Ubuntu box), but it looks like your 
> server daemons run on the same machine. That's why you set up the dummy0

> interface, I guess.

Yes, separating service daemons for public internet and IPSec intranet.

> That's actually the reason, why the packets never hit the FORWARD chain.

> The fact that the IP address is assigned to an interface 
> which is different from the interface on which the ESP packets come in 
> is not considered as forwarding. So I guess the rules which are created 
> by "leftfirewall=yes" won't help you since you need those rules in your 
> INPUT chain.

If there's a way to detect the setup it would be great if "leftfirewall"
automatically detects all rules for INPUT or FORWARD chain.

> You were asking whether your setup might send any plaintext packets, 
> right? If you're worried about that then you might want to change the 
> default policy of the OUTPUT chain from ACCEPT to DROP and insert 
> appropriate rules.

Keeping OUTPUT rules in sync with scripts, e.g. cron jobs creating FTP
connections, is too complicated. I think I'll drop private network packets
to the internet as you suggested before.

> Does that answer your questions?

Not yet. ;-)
After ISP-forced DSL-disconnection (Thank you Deutsche Telekom AG :-( ) I
have to restart IPSec on the Ubuntu machine (/etc/init.d/ipsec restart).
Otherwise no IPSec connections can be established. Is there any
configuration trick to 
reestablish the IPSec connection after disconnection/IP-change?

> If you finally have a working setup, you might want to share your 
> experience on the strongSwan wiki so that other users can benefit from

Only wimps use tape backup: real men just upload their important stuff on
ftp, and let the rest of the world mirror it ;) Torvalds, Linus

> -Daniel

More information about the Users mailing list