[strongSwan] Access to gateway & firewall

Hans-Kristian Bakke hkbakke at gmail.com
Wed Jan 25 21:30:37 CET 2012


I do something like this (this is a very simplified, but valid,
example of course):

iptables -A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

As the packets are matched against the rules from the top down, valid
IPsec traffic coming through established connections will be accepted.
If not, the packet will be processed against the next rule, which will
drop all the traffic.
Note the "--dir in" parameter on the IPsec rule. This can also be
"--dir out" depending on which direction you want to apply the policy to.

Best regards,

Hans-Kristian Bakke



On Sat, Jan 21, 2012 at 19:18,  <mail at rsmogura.net> wrote:
> Hello,
>
> I have configured a road warrior gateway with IKEv2; everything works
> almost fine. I would like to have access to some services on the gateway and
> secure those with a firewall.
>
> I have configured the gateway as follows:
> eth0 - public IP
> dummy0 - virtual IPv6 address
>
> The problem here is that when I turn on the firewall, packets are rejected
> because the origin of the (decrypted) packets is eth0. Is there any possibility
> to route VPN traffic via dummy0, so the firewall will see those as coming
> from dummy0?
>
> The server runs openSUSE, with limited support for the firewall. The strongSwan
> version is strongSwan U4.5.3/K3.1.0-1.2-default
>
> Regards,
> Radek
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
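A fuller version of the approach in the reply above, written as an added example and not the poster's own configuration: instead of rerouting decrypted traffic through dummy0, the script keeps eth0 as the ingress interface and uses `-m policy --dir in --pol ipsec` to tell decrypted packets apart from plaintext ones, then opens only selected gateway services to them. The interface name, the service ports (22 and 443 are a constructed list), the IKE/NAT-T/ESP rules needed before decryption can happen, and the DRY_RUN switch are all assumptions added here; DRY_RUN=1 prints the rules so the chain can be reviewed on a host without iptables.

```shell
#!/bin/sh
# Added example (not from the original post): INPUT chain for a strongSwan
# road-warrior gateway. Plaintext traffic on eth0 is limited to IKE/ESP;
# decrypted IPsec traffic may reach a short list of services; all else is dropped.
# WAN_IF, IPT, VPN_SERVICES and DRY_RUN are assumptions for this example.
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"
# Constructed list of TCP services reachable only through the tunnel (SSH, HTTPS).
VPN_SERVICES="${VPN_SERVICES:-22 443}"

# Emit one rule. With DRY_RUN=1 the command is printed instead of executed,
# so the rule set can be reviewed without touching the live firewall.
rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

gateway_rules() {
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IKE (500), NAT-T (4500) and raw ESP must be accepted on eth0 before
    # the kernel can decrypt anything; these are the only plaintext openings.
    rule -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    rule -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    rule -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    # Decrypted packets re-enter INPUT still attributed to eth0; the policy
    # match (--dir in --pol ipsec) is what distinguishes them from plaintext.
    for port in $VPN_SERVICES; do
        rule -A INPUT -i "$WAN_IF" -m policy --dir in --pol ipsec --proto esp \
            -p tcp --dport "$port" -j ACCEPT
    done
    # Everything else arriving on eth0, plaintext or tunnelled, is dropped.
    rule -A INPUT -i "$WAN_IF" -j DROP
}

# Number of -A INPUT rules the chain would contain (handy for review scripts).
count_rules() {
    (DRY_RUN=1; gateway_rules) | grep -c ' -A INPUT '
}

# Usage: sh gateway-fw.sh show   (print the rules)
#        sh gateway-fw.sh apply  (load them with iptables)
case "${1:-}" in
    show)  DRY_RUN=1; gateway_rules ;;
    apply) gateway_rules ;;
esac
```

The ordering matters for the same reason the reply gives: the policy-matched ACCEPT rules sit above the catch-all DROP on eth0, so a decrypted packet for an allowed port is accepted on its way down the chain, while a plaintext packet to the same port never matches the policy rule and falls through to the DROP.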