[strongSwan] Routing and firewalling

Ulrich Schinz ulrich.schinz at ksfh.de
Fri Aug 9 11:36:29 CEST 2013


First thing:

I set up a strongSwan server. So far authentication is working 
(cert-based and RADIUS auth as well).

Now I'd like to have a setup where I can use the VPN-connection to 
establish connections into internet.

Background: our students can access "protected" areas of libraries, 
where they can download ebooks for example.
Access control on the side of the libraries is the sender's IP address. So I'd 
like to have the students connected to
our VPN and then have Internet traffic routed through VPN -> internal 
network -> outer IP (registered with the libraries) -> Internet....

Clients are Win7/8/XP...

In my server configuration I have configured leftsubnets to let the users 
enter parts of our subnets. This is working very well.
Only... I can't access the Internet.

Some details of my configuration:

config setup

conn %default

conn stud
         rightid="DC=de, DC=myhighschool, O=The official name of our highschool, OU=Some add Info, CN=*"

My rightsourceips are masqueraded on the VPN server, so that the 
firewall only needs configuration for our VPN server.

Maybe you can give me some hints on how to manage the access to other IPs 
than those defined in leftsubnet. FYI I also tried leftsubnet

Second thing:

I'd like to set up firewalling based on the rightsourceips. So I can 
define multiple conns with different rightsourceips. Depending on these
IPs I'd like to set up firewall rules on my VPN server.

I found a script which is being called on every connection with the 
vpn-server, /usr/libexec/ipsec/_updown.

Before I start to study this script my question is: what is the "wanted" 
way to get this script managed? Should I directly edit this script, or are
there external resources that can be configured or....?

Thanks for your help in advance
kind regards
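For the second question, the mechanism strongSwan provides is the leftupdown= option in the conn: it names a script that is run instead of /usr/libexec/ipsec/_updown, with the connection name, the event and the client's virtual IP passed in the PLUTO_CONNECTION, PLUTO_VERB and PLUTO_PEER_SOURCEIP environment variables. A site-specific script can install per-client firewall rules and then hand over to the stock script, so the stock script stays unmodified. The script below is an added example written for this post, not code from the original mail or from the strongSwan project; the conn names (stud, staff), the destination networks and the client addresses in it are constructed values, and the chain-per-conn layout is one possible design. Setting IPTABLES=echo turns it into a dry run that only prints the rules it would apply.

```shell
#!/bin/sh
# fw-updown: per-conn firewalling driven by strongSwan's updown hook.
# Added example, not from the original post. Assumes strongSwan exports
# PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER_SOURCEIP to the script named by
# leftupdown= in the conn; conn names and networks below are constructed.

STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/libexec/ipsec/_updown}"  # path named in the post
IPTABLES="${IPTABLES:-iptables}"                             # IPTABLES=echo for a dry run

# Destination networks a client of a given conn may reach (constructed values).
# Unknown conns get nothing, so the per-client DROP appended below wins.
allowed_dests_for_conn() {
    case "$1" in
        stud)  echo "192.0.2.0/24 0.0.0.0/0" ;;   # library range, then Internet
        staff) echo "10.0.0.0/8 0.0.0.0/0" ;;     # internal nets, then Internet
        *)     echo "" ;;
    esac
}

# One FORWARD sub-chain per conn, e.g. vpn_stud.
chain_for_conn() { printf 'vpn_%s\n' "$1"; }

# Print the rule bodies (without -A/-D) for one client: one ACCEPT per
# allowed destination, then a catch-all DROP for that source address.
client_rules() {
    conn=$1; ip=$2
    chain=$(chain_for_conn "$conn")
    for dest in $(allowed_dests_for_conn "$conn"); do
        echo "$chain -s $ip -d $dest -j ACCEPT"
    done
    echo "$chain -s $ip -j DROP"
}

# Install (up) or remove (down) the rules for one client.
apply_client_rules() {
    verb=$1; conn=$2; ip=$3
    chain=$(chain_for_conn "$conn")
    case "$verb" in
        up)
            # Create the chain once and hook it into FORWARD if not yet present.
            $IPTABLES -N "$chain" 2>/dev/null || true
            $IPTABLES -C FORWARD -j "$chain" 2>/dev/null || $IPTABLES -I FORWARD -j "$chain"
            op=-A ;;
        down) op=-D ;;
        *)    return 1 ;;
    esac
    client_rules "$conn" "$ip" | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        $IPTABLES $op $rule
    done
}

# Entry point used by strongSwan: act on up-*/down-* events for clients that
# got a virtual IP, then chain to the stock script so routes and policies
# are still installed exactly as before.
main() {
    if [ -n "${PLUTO_PEER_SOURCEIP:-}" ]; then
        case "${PLUTO_VERB:-}" in
            up-*)   apply_client_rules up   "$PLUTO_CONNECTION" "$PLUTO_PEER_SOURCEIP" ;;
            down-*) apply_client_rules down "$PLUTO_CONNECTION" "$PLUTO_PEER_SOURCEIP" ;;
        esac
    fi
    exec "$STOCK_UPDOWN" "$@"
}

# Only run when invoked by strongSwan (PLUTO_VERB set); sourcing it for
# testing the functions above is harmless.
if [ -n "${PLUTO_VERB:-}" ]; then
    main "$@"
fi
```

Install it as, for example, /usr/local/libexec/ipsec/fw-updown, make it executable, and add leftupdown=/usr/local/libexec/ipsec/fw-updown to the conn (or to conn %default so every conn uses it). The per-client DROP at the end of each client's rules means a conn that is not listed in allowed_dests_for_conn gets no forwarding at all, which is the safe default when a new conn is added before its policy is. For the first question, note that the rules only matter once the server actually forwards client traffic to the Internet, i.e. with a leftsubnet that covers those destinations (0.0.0.0/0 for a full tunnel) and the masquerading the post already mentions.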