[strongSwan] FTPS over IPSec

Alexandre Chapellon a.chapellon at horoa.net
Tue Nov 8 16:06:37 CET 2011

I guess you have your reasons.... but I can hardly imagine why you would 
*require* FTP/TLS over IPsec.
Anyway... If your problem appears when you turn on firewall , the first 
things that comes to my mind is FTP passive mode not being compatible 
with iptables contracking helpers.... Indeed, as the connection is 
encrypted, there is no way for iptables to dynamicly open ports related 
with the initial FTP connection.
Is this is your problem the workaround is to define passive port range 
and allow the whole range in your iptables rules.

I don't think this is related to strongswan in any way...

Le 08/11/2011 12:56, chou eiffel a écrit :
> Hi,
> I want to setup the FTPS over the IPSec tunnel by using lftp for FTPS 
> client, vsftpd for FTPS server, Strongswan for IPsec. The FTPS needs 
> turn on the ssl encryption and cert based authentication 
> (bi-directional). When I turn on the firewall and setup the ipsec 
> tunnel, ping is OK. But FTPS not working, it seems the Strongswan (or 
> in fact the firewall ) blocked the cert exchange messages. I can also 
> see in the tcpdump trace from gateway internal port the vsftpd trying 
> to resend Response containing cert info to the client but cannot 
> capture any following packets on gateway external port. If I turn off 
> the firewall, everything is OK. It is also OK when the firewall is on 
> if I don't use cert based auth in FTPS.
> Thanks a lot
> Eiffel
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/usersrequire* FTP/TLX over IPSEC... anyway.


Alexandre Chapellon

Ingénierie des systèmes open sources et réseaux.
Follow me on twitter: @alxgomz <http://www.twitter.com/alxgomz>

More information about the Users mailing list