[strongSwan] MOBIKE

Andreas Steffen andreas.steffen at strongswan.org
Fri Jul 29 17:33:34 CEST 2011

Hello Patricia,

binding the virtual IP to a dummy interface currently isn't
supported by strongSwan. It was just a suggestion for a
possible future option.

A workaround that you could implement is to activate
iptables with a default DROP policy, open the firewall to
UDP/500, UDP/4500 and ESP, and then add static IPsec policy
iptables rules of the form:

iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Thus no plaintext packets should leave the VPN endpoint.

On 29.07.2011 17:06, Patricia de Noriega wrote:
> How I can bind that interface by means of the ipsec.conf file?
> Best regards,
> On 29 July 2011 16:51, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>     Would it help to bind the virtual IP to a dummy interface, so that
>     when the physical interface goes away the source route still
>     exists and remains covered by the traffic selectors and thus by
>     the transient DROP policy for the TS.
>     Regards
>     Andreas
>     On 07/29/2011 04:12 PM, Tobias Brunner wrote:
>     > Hi Patricia,
>     >
>     >> I've also tested with virtual IPs and I obtain the same behaviour :(
>     >
>     > Ah, yes.  The source route installed by charon only covers eth0 and its
>     > default gateway.
>     >
>     > Andreas, Martin, any ideas?
>     >
>     > Regards,
>     > Tobias

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
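The workaround Andreas describes above, written out as one complete ruleset (an added example, not part of the original thread or of strongSwan): default DROP on every chain, IKE (UDP/500, UDP/4500) and ESP allowed, and only traffic matching an installed IPsec policy accepted, so plaintext cannot escape when the protected interface vanishes. The loopback rules and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: leak-guard firewall for a strongSwan endpoint.
# Not from the thread: allowing loopback, and the DRY_RUN switch.

# Print the iptables commands, one per line, instead of running them.
# Order matters: policies first, then IKE/ESP, then the policy-match
# rules that admit only decrypted/to-be-encrypted traffic.
leak_guard_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Apply the rules (root required). With DRY_RUN=1 only print them,
# which is the safe way to review the set before loading it.
apply_leak_guard() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        leak_guard_rules
    else
        leak_guard_rules | sh -e
    fi
}
```

Because every ACCEPT is either IKE, ESP, or policy-matched, no conntrack rule is needed for plaintext replies: there are none to allow.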
