[strongSwan] Access to gateway & firewall
Radosław Smogura
mail at smogura.eu
Thu Jan 26 12:10:21 CET 2012
Hey Martin,
On Wed, 25 Jan 2012 10:04:26 +0100, Martin Willi wrote:
> Hello Radek,
>
>> Problem over here is that when I turn on the firewall packets are
>> rejected because the origin of (decrypted) packets is eth0. Is there any
>> possibility to route VPN traffic via dummy0, so the firewall will see
>> those as coming from dummy0?
>
> I'm not aware of any method to change the interface identifier.
>
> I'd recommend to adjust your firewall rules. Have a look at iptables
> ipsec "policy" matching, it is rather powerful. It allows you to match
> traffic that comes out of any (or even a specific) IPsec tunnel.
>
> Regards
> Martin
Actually I added in SuseFirewall2-custom, in the procedure
fw_custom_after_chain_creation(), the following lines:

    # accept packets that were decapsulated from an ESP IPsec SA,
    # regardless of the interface they appear to arrive on
    for chain in input_ext; do
        ip6tables -A $chain -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
    done
It semi-resolves my problem; a possibly better solution would be to jump
to the input_int chain.
The problem actually lies in the fact that the decrypted packet has origin
interface eth0 (which does not even have the VPN IP assigned). Suse firewall
matches packets to zones by interface, so even if the packet is trusted, it
is treated as a normal packet from "outside". Changing the input interface
of the packet may make administration easier. I think this is due to the
kernel, and someone may argue as well that the packet really is
from eth0; just two different points of view.
There is a patch for iptables (but still not in the official branch) which
could allow changing the origin interface:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.5
and this is the solution I was looking for.
Thanks for your help.
Regards,
Radek
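An added example, not taken from this mail thread or from strongSwan, showing the policy-match approach from the messages above in a form that could go into a SuSEfirewall2 custom hook. The zone chain names input_ext and input_int come from the mail; the helper names, the DRY_RUN switch, the IKE/ESP accept rules and the reqid value in the test are assumptions:

```shell
#!/bin/sh
# Added example: accept decapsulated IPsec traffic with the iptables
# "policy" match instead of trusting the input interface (eth0).
# input_ext/input_int are SuSEfirewall2 zone chains (as in the mail);
# the helper names, DRY_RUN switch and example reqid are assumptions.
#
# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# script runs without root and without iptables installed.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipsec_policy_rule TOOL CHAIN TARGET [REQID]
#   TOOL   iptables or ip6tables
#   CHAIN  chain the decapsulated packet traverses (input_ext: after
#          decryption it still appears to arrive on the external interface)
#   TARGET where to send it (input_int treats it as internal-zone traffic)
#   REQID  optional: restrict the match to the tunnel whose XFRM policy
#          carries this reqid instead of matching any ESP tunnel
ipsec_policy_rule() {
    tool=$1; chain=$2; target=$3; reqid=$4
    if [ -n "$reqid" ]; then
        run "$tool" -A "$chain" -m policy --strict --dir in --pol ipsec \
            --proto esp --reqid "$reqid" -j "$target"
    else
        run "$tool" -A "$chain" -m policy --strict --dir in --pol ipsec \
            --proto esp -j "$target"
    fi
}

# ipsec_gateway_rules TOOL
#   Rules a gateway needs in the external zone chain, in the order packets
#   hit them: the encrypted ESP packet and IKE must be let in first; the
#   inner packet traverses INPUT a second time after decryption and is then
#   handed to the internal zone chain instead of being ACCEPTed blindly.
ipsec_gateway_rules() {
    tool=$1
    run "$tool" -A input_ext -p esp -j ACCEPT
    run "$tool" -A input_ext -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipsec_policy_rule "$tool" input_ext input_int
}

# What fw_custom_after_chain_creation() could emit for both address families.
for fam in iptables ip6tables; do
    ipsec_gateway_rules "$fam"
done
```

Run it as-is to review the generated rules; set DRY_RUN=0 and run as root to apply them. Jumping to input_int rather than ACCEPT keeps the internal-zone rules in force for tunnel traffic, and adding --reqid lets one tunnel be treated differently from the others.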