[strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules

kvunnava at rockwellcollins.com kvunnava at rockwellcollins.com
Wed Sep 7 11:33:39 CEST 2011


HI Andreas,
Tried with the below-mentioned steps. Still, we are not able to make it
work. Please find attached the log files and configuration files of the
tunnel end points. We are seeing some error messages in the logs such as:

"ssh" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"ssh" #1: ignoring informational payload, type INVALID_MESSAGE_ID
"ssh" #1: ignoring informational payload, type INVALID_MESSAGE_ID



Looking forward to your reply.

-Thanks in Advance,
VKS




Andreas Steffen <andreas.steffen at strongswan.org>
08/23/2011 11:53 PM

To: kvunnava at rockwellcollins.com
cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules

Hello,

Define two connections, one restricting the protocol to ssh
and the second one to tftp:

conn ssh
     also=hosts
     leftprotoport=tcp
     rightprotoport=tcp/ssh
     auto=add

conn tftp
     also=hosts
     leftprotoport=udp
     rightprotoport=udp/tftp
     auto=add

# section name must match the also= references above
conn hosts
     left=
     right=
     #common definitions

Regards

Andreas

On 23.08.2011 16:38, kvunnava at rockwellcollins.com wrote:
> 
> Thanks Andreas.
> We have made some progress by following these steps:
> 
> 1] Created a static firewall policy allowing traffic for UDP port
> 500. *PFA configuration file for strongSwan*.
> 2] It is noticed that the tunnel was established by dynamically adding a
> matching policy for IPsec.
> 3] Now the requirement is to send only SSH/TFTP encrypted traffic over
> this tunnel.
> 
> Can you please let me know the steps to achieve the last requirement?
> Also please note that this traffic is not to be allowed once the tunnel
> goes down.
> 
> 
> 
> Looking forward to your reply!
> 
> -Best Regards,
> VKS.
> 
> 
> 
> *Andreas Steffen <andreas.steffen at strongswan.org>*
> 08/23/2011 01:39 AM
> 
> To: kvunnava at rockwellcollins.com
> cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules
> 
> IPsec-policy-based rules are installed with the standard _updown
> script, which is activated with the ipsec.conf parameter
> 
>  leftfirewall=yes
> 
> Regards
> 
> Andreas
> 
> On 08/22/2011 05:05 PM, kvunnava at rockwellcollins.com wrote:
>>
>> Hi Guys,
>> We have a requirement related to IPsec-policy-based firewall rules.
>>
>> Steps we followed:
>> 1] Configured the ipsec.conf with the parameter "leftupdown=<Script Path>".
>> 2] Created the script and kept it at the right place.
>>
>> Once the IKEv1-based tunnel was up, it was expected that the script
>> would be executed. But that's not happening.
>>
>> Please let me know the right way to configure the "Automatic
>> Addition/Deletion of Ipsec-Policy-based Firewall Rules".
>> 
>> -Thanks in Advance,
>> VKS.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

Attachments (non-text, scrubbed by the archive):
IPSEC_SERVER.conf (application/octet-stream, 610 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20110907/c5479ad1/attachment.obj>
IPSEC_CLIENT.conf (application/octet-stream, 388 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20110907/c5479ad1/attachment-0001.obj>
PLUTO_IPSEC_SERVER.log (application/octet-stream, 9627 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20110907/c5479ad1/attachment-0002.obj>
PLUTO_IPSEC_CLIENT.log (application/octet-stream, 15765 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20110907/c5479ad1/attachment-0003.obj>
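The thread turns on two points: the updown hook only runs when strongSwan is told to run it (the stock _updown script via leftfirewall=yes, or a custom script via leftupdown=), and the rules it installs should be as narrow as the conn that brought the SA up. The script below is an added example for this archive page; it is not strongSwan's _updown script and not code from the thread. It assumes strongSwan exports PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_MY_PROTOCOL, PLUTO_MY_PORT and PLUTO_PEER_PORT to the updown script (the variables the stock script reads); the helper names port_arg, proto_arg, rule_args and updown are this example's own. Only the host-to-host verbs are handled, which is what the ssh and tftp conns above produce. Rules are inserted on up-host and deleted on down-host, so nothing matches once the SA is gone, and the xt_policy match ensures that even the allowed ports are accepted only for packets that actually traversed ESP.

```shell
#!/bin/sh
# Minimal updown script that restricts the per-tunnel firewall rules to the
# protocol and port the connection negotiated (added example; not the
# strongSwan _updown script). Configure it with leftupdown=/path/to/script
# and leave leftfirewall unset so the stock script does not add rules too.
#
# Assumption: strongSwan exports the PLUTO_* variables used below to the
# updown script, as the stock _updown script relies on. The helpers and the
# rule layout are this example's own.

IPTABLES="${IPTABLES:-iptables}"

# Emit " FLAG PORT" unless PORT is unset or 0 (0 = any port in the policy).
port_arg() {
    if [ -n "$2" ] && [ "$2" != "0" ]; then
        printf ' %s %s' "$1" "$2"
    fi
}

# Emit "-p PROTO " unless PROTO is unset or 0 (0 = any protocol).
proto_arg() {
    if [ -n "$1" ] && [ "$1" != "0" ]; then
        printf '%s' "-p $1 "
    fi
}

# Build the match/target part of one host-to-host rule.
#   in  : packets from the peer to us, accepted only if they arrived through
#         an IPsec SA (INPUT chain, xt_policy --dir in)
#   out : packets from us to the peer, accepted only if they will leave
#         through an IPsec SA (OUTPUT chain, xt_policy --dir out)
# Both traffic selectors of one SA share a protocol, so PLUTO_MY_PROTOCOL
# is used for both directions; the ports differ per direction.
rule_args() {
    proto="$(proto_arg "$PLUTO_MY_PROTOCOL")"
    case "$1" in
        in)  echo "${proto}-s $PLUTO_PEER$(port_arg --sport "$PLUTO_PEER_PORT") -d $PLUTO_ME$(port_arg --dport "$PLUTO_MY_PORT") -m policy --dir in --pol ipsec --proto esp -j ACCEPT" ;;
        out) echo "${proto}-s $PLUTO_ME$(port_arg --sport "$PLUTO_MY_PORT") -d $PLUTO_PEER$(port_arg --dport "$PLUTO_PEER_PORT") -m policy --dir out --pol ipsec --proto esp -j ACCEPT" ;;
    esac
}

# Insert the rules when the SA comes up, delete the identical rules when it
# goes down, so they exist exactly as long as the SA does.
updown() {
    case "$1" in
        up-host)
            $IPTABLES -I INPUT 1 $(rule_args in) &&
            $IPTABLES -I OUTPUT 1 $(rule_args out) ;;
        down-host)
            $IPTABLES -D INPUT $(rule_args in)
            $IPTABLES -D OUTPUT $(rule_args out) ;;
        *) : ;;   # up-client/down-client (subnet tunnels) are not handled here
    esac
}

# Dispatch only when invoked by strongSwan (PLUTO_VERB set), so the functions
# can also be sourced and exercised without touching the firewall.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown "$PLUTO_VERB"
fi
```

Point leftupdown= at this script on both peers. On the INVALID_ID_INFORMATION notifications in the quoted logs: in IKEv1 quick mode pluto returns that notify when no loaded connection matches the proposed protocol/port selectors, so both ends need ssh and tftp conns whose protoport settings mirror each other, and ipsec.conf must have been reloaded on both after the change.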