[strongSwan] StrongSWAN and AVM Fritzbox - Help!
danielml+mailinglists.strongswan at sent.com
Fri Feb 18 05:31:36 CET 2011
> If there's a way to detect the setup it would be great if "leftfirewall"
> automatically detects all rules for INPUT or FORWARD chain.
I believe that this is not doable because the rules in your
INPUT/FORWARD chain can be very complex, too complex for a general
solution. Even with the current solution where strongSwan appends ACCEPT
rules to your FORWARD chain, you might run into problems. Imagine you
have DROP rules in your chain that get triggered by the decrypted
packets. Adding ACCEPT rules at the very end won't make a difference
because these rules will never be examined.
I guess you're better off with manually managing these chains.
> Not yet. ;-)
> After ISP-forced DSL-disconnection (Thank you Deutsche Telekom AG :-( ) I
> have to restart IPSec on the Ubuntu machine (/etc/init.d/ipsec restart).
> Otherwise no IPSec connections can be established. Is there any
> configuration trick to
> reestablish the IPSec connection after disconnection/IP-change?
Restarting IPsec is a bad idea because it brings down not only the IPsec
tunnels which are affected by the disconnect of this single interface
but all IPsec tunnels negotiated by strongSwan.
After the disconnect, I guess you have to do a
(if your IP address changed)
/usr/lib/ipsec/whack --initiate --name $conn --asynchronous
for every IPsec connection. I also re-insert all the necessary source
ip route add 192.168.x.y/z dev $PPP_IFACE src $SRCIP
Not sure if this is the best solution, however.
If you continue to have problems, then post the output of the following
commands before and after the reconnect:
ip route show table 0
ip -4 address
ip xfrm policy
ip xfrm state
More information about the Users