andreas.steffen at strongswan.org
Fri Jul 29 17:33:34 CEST 2011
binding the virtual IP to a dummy interface currently isn't
supported by strongSwan. It was just a suggestion for a
possible future option.
A workaround that you could implement is to activate
iptables with a default DROP policy, open the firewall to
UDP/500, UDP/4500 and ESP, and then add static IPsec policy
iptables rules of the form:
iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
Thus no plaintext packets should leave the VPN endpoint.
On 29.07.2011 17:06, Patricia de Noriega wrote:
> How can I bind that interface by means of the ipsec.conf file?
> Best regards,
> On 29 July 2011 16:51, Andreas Steffen <andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>> wrote:
> Would it help to bind the virtual IP to a dummy interface, so that
> when the physical interface goes away the source route still
> exists and remains covered by the traffic selectors and thus by
> the transient DROP policy for the TS.
> On 07/29/2011 04:12 PM, Tobias Brunner wrote:
> > Hi Patricia,
> >> I've also tested with virtual IPs and I obtain the same behaviour :(
> > Ah, yes. The source route installed by charon only covers eth0 and its
> > default gateway.
> > Andreas, Martin, any ideas?
> > Regards,
> > Tobias
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
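The workaround from Andreas's message written out as a complete rule set, added here as an example and not part of his mail or of strongSwan: default DROP policies, IKE (UDP/500, NAT-T UDP/4500) and ESP allowed on the physical interface, and the two policy-match rules so that only traffic covered by an IPsec policy passes. The interface name eth0 and the loopback rules are assumptions; the script prints the rules for review by default and only executes them when called with `apply`.

```shell
#!/bin/sh
# Added example: firewall that lets only IPsec-protected traffic leave the
# VPN endpoint. The physical interface name is an assumption (override
# with IFACE=...).
IFACE="${IFACE:-eth0}"

# Emit the rule set, one iptables command per line, so it can be
# reviewed (or checked by a script) before it is applied.
ipsec_only_rules() {
    cat <<EOF
# Drop everything that is not explicitly allowed below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback is needed by local daemons (assumption, not in the mail).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# IKE (UDP/500) and NAT-T (UDP/4500); --ports matches source or destination.
iptables -A INPUT -i $IFACE -p udp -m multiport --ports 500,4500 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp -m multiport --ports 500,4500 -j ACCEPT
# The ESP packets themselves.
iptables -A INPUT -i $IFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $IFACE -p esp -j ACCEPT
# Plaintext is allowed only if it was (INPUT) or will be (OUTPUT)
# protected by an IPsec policy; everything else hits the DROP policy.
iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Execute the generated rules; stop at the first failing command.
apply_rules() {
    ipsec_only_rules | sh -e
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     ipsec_only_rules ;;
esac
```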