[strongSwan] StrongSWAN and AVM Fritzbox - Help!

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Fri Feb 18 05:31:36 CET 2011

> If there's a way to detect the setup it would be great if "leftfirewall"
> automatically detects all rules for INPUT or FORWARD chain.

I believe that this is not doable because the rules in your 
INPUT/FORWARD chain can be very complex, too complex for a general 
solution. Even with the current solution where strongSwan appends ACCEPT 
rules to your FORWARD chain, you might run into problems. Imagine you 
have DROP rules in your chain that get triggered by the decrypted 
packets. Adding ACCEPT rules at the very end won't make a difference 
because these rules will never be examined.

I guess you're better off with manually managing these chains.

> Not yet. ;-)
> After ISP-forced DSL-disconnection (Thank you Deutsche Telekom AG :-( ) I
> have to restart IPSec on the Ubuntu machine (/etc/init.d/ipsec restart).
> Otherwise no IPSec connections can be established. Is there any
> configuration trick to
> reestablish the IPSec connection after disconnection/IP-change?

Restarting IPsec is a bad idea because it brings down not only the IPsec 
tunnels which are affected by the disconnect of this single interface 
but all IPsec tunnels negotiated by strongSwan.

After the disconnect, I guess you have to do a

ipsec update

(if your IP address changed)
I use
/usr/lib/ipsec/whack  --initiate --name $conn --asynchronous

for every IPsec connection. I also re-insert all the necessary source 
routes with

ip route add 192.168.x.y/z dev $PPP_IFACE src $SRCIP

Not sure if this is the best solution, however.
If you continue to have problems, then post the output of the following 
commands before and after the reconnect:

ip route show table 0
ip -4 address
ip xfrm policy
ip xfrm state
ipsec statusall


More information about the Users mailing list