[strongSwan] Access to gateway & firewall

Radosław Smogura mail at smogura.eu
Thu Jan 26 12:10:21 CET 2012

Hey Martin,
On Wed, 25 Jan 2012 10:04:26 +0100, Martin Willi wrote:
> Hello Radek,
>> Problem over here is that when I turn on firewall packets are 
>> rejected
>> because origin of (decrypted) packets is eth0. Is there any 
>> possibility
>> to route VPN traffic via dummy0, so firewall will see those as 
>> comming
>> from dummy0?
> I'm not aware of any method to change the interface identifier.
> I'd recommend to adjust your firewall rules. Have a look at iptables
> ipsec "policy" matching, it is rather powerful. It allows you to 
> match
> traffic that comes out of any (or even a specific) IPsec tunnel.
> Regards
> Martin

Actually I added in SuseFirewall2-custom, in procedure 
fw_custom_after_chain_creation() following lines:

for chain in input_ext; do
         ip6tables -A $chain -m policy --strict --dir in --pol ipsec 
--proto esp -j ACCEPT

It semi resolves my problem, possible better solution will be to jump 
to input_int chain.

Problem actually lies in fact that decrypted packet has origin 
interface eth0 (which even do not have assigned VPN ip). Suse firewall 
matches packets to zones by interface, so even if packet is trusted, it 
is treated as normal packet from "outside". Changing the input interface 
of packet may make administration more easier. I think this is due to 
kernel, and someone may have argument as well, that packet is really 
from eth0, just two different point of views.

There is patch for iptables (but still not in official branch) which 
could allow change of origin interface 
and this is solution I was looking for.

Thanks for your help.


More information about the Users mailing list