[strongSwan] Replicate Cisco like ACL with strongswan
hkbakke at gmail.com
Mon May 30 08:27:39 CEST 2011
I need to set up an IPsec connection (in transport mode) directly
between two DNS servers (host to host). The point is that only
DNS-server traffic should use the tunnel.
This is normally easy using Cisco equipment, as an ACL can do this easily.
However I am really struggling to find a way to do this with
strongSwan. Using leftprotoport and rightprotoport and separate
connections doesn't seem to work correctly.
The ACL I need to replicate on my end is this one (I have no influence
on the other end):
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
This is my ipsec.conf so far. I can't get rid of the feeling that
something is missing:
(using v4.2.4-5+lenny3 on Debian Lenny)
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
ESTABLISHED) but the other ones don't seem to do anything.
The DNS traffic still goes out unencrypted.
How can I replicate the ACL perfectly with strongSwan?
Mob: 91 76 17 38
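Added example (not part of the original post, and not strongSwan code): a small Python script that translates the Cisco ACEs quoted above into the (leftprotoport, rightprotoport) traffic-selector pairs strongSwan uses, folding each reply-direction ACE into its request-direction pair because an IPsec SA protects both directions. It assumes 10.27.64.11 is the local ("left") host and that the proto/%any spelling for "any port" is accepted by this strongSwan version.

```python
import re
from typing import Dict, Optional, Tuple
# The ACL quoted in the post above (constructed input for this example).
ACL = """\
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
"""
LOCAL = "10.27.64.11"  # assumption: the poster's own DNS server is "left"
# Cisco extended ACE: permit <proto> host <src> [eq <port>] host <dst> [eq <port>]
ACE = re.compile(
    r"permit\s+(?P<proto>tcp|udp)\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)

def protoport(proto: str, port: Optional[str]) -> str:
    # assumption: strongSwan spells "this protocol, any port" as proto/%any
    return f"{proto}/{port or '%any'}"

def acl_to_selectors(acl: str, local: str) -> Dict[Tuple[str, str], str]:
    """Map each unique (leftprotoport, rightprotoport) pair to the peer address.
    A reply ACE (peer:53 -> local) folds into the pair of its request ACE (local -> peer:53)."""
    selectors: Dict[Tuple[str, str], str] = {}
    for line in acl.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        proto, src, dst = m["proto"], m["src"], m["dst"]
        if src == local:   # outbound ACE: local side is src, peer is dst
            key, peer = (protoport(proto, m["sport"]), protoport(proto, m["dport"])), dst
        elif dst == local:  # inbound ACE: swap so the local side is always "left"
            key, peer = (protoport(proto, m["dport"]), protoport(proto, m["sport"])), src
        else:
            raise ValueError(f"neither endpoint is {local}: {line}")
        selectors[key] = peer  # duplicates (reverse-direction ACEs) collapse here
    return selectors

def render_conns(selectors: Dict[Tuple[str, str], str], local: str, base: str = "dns") -> str:
    """Emit one transport-mode conn per selector pair, in ipsec.conf syntax."""
    blocks = []
    for i, ((lpp, rpp), peer) in enumerate(sorted(selectors.items()), start=1):
        blocks.append(f"conn {base}{i}\n\tleft={local}\n\tright={peer}\n\tleftprotoport={lpp}\n"
                      f"\trightprotoport={rpp}\n\ttype=transport\n\tauto=route\n")
    return "\n".join(blocks)
```

Running render_conns(acl_to_selectors(ACL, LOCAL), LOCAL) collapses the eight ACEs into four conn blocks, one per unique selector pair.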