[strongSwan] Routing and firewalling

Ulrich Schinz ulrich.schinz at ksfh.de
Fri Aug 9 11:36:29 CEST 2013


Hi,

First thing:

I set up a strongSwan server. So far authentication is working
(cert-based and RADIUS auth as well).

Now I'd like to have a setup where I can use the VPN connection to
establish connections to the internet.

Background: our students can access "protected" areas of libraries,
where they can download ebooks, for example.
Access control on the libraries' side is based on the sender's IP address. So I'd
like to have the students connected to
our VPN and then have their internet traffic routed through VPN -> internal
network -> outer IP (registered with the libraries) -> internet...

Clients are Win7/8/XP...

In my server configuration I have configured leftsubnets to let the users
enter parts of our subnets. This is working very well.
Only... I can't access the internet.

Some details of my configuration:

config setup

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ike

conn stud
         left=192.168.0.5
         leftcert=vpn.myhighschool.de.crt
         leftsubnet=192.168.0.0/24,192.168.2.0/24
         leftid=vpn.myhighschool.de
         right=%any
         rightid="DC=de, DC=myhighschool, O=The official name of our highschool, OU=Some add Info, CN=*"
         rightsourceip=10.0.10.0/24
         auto=add

My rightsourceips are masqueraded on the VPN server, so that the
firewall only needs configuration for our VPN server.

Maybe you can give me some hints on how to manage access to IPs other
than those defined in leftsubnet. FYI, I also tried leftsubnet 0.0.0.0...


Second thing:

I'd like to set up firewalling based on the rightsourceips. So I can
define multiple conns with different rightsourceips. Depending on these
IPs I'd like to set up firewall rules on my VPN server.

I found a script which is called on every connection with the
VPN server, /usr/libexec/ipsec/_updown.

Before I start to study this script, my question is: what is the "wanted"
way to manage this script? Should I edit this script directly, or are
there external resources that can be configured, or...?

Thanks for your help in advance
kind regards
Uli
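As an added example (not from the original post and not strongSwan's shipped _updown), this is the shape a custom updown script takes when it is hooked into a conn with `leftupdown=/etc/ipsec.d/fw-updown.sh` (hypothetical path) instead of editing the default script; `leftupdown` is the ipsec.conf option for exactly that, and `leftsubnet=0.0.0.0/0` is what offers clients a full tunnel. charon passes the SA details in PLUTO_* environment variables; the script keys its rules on PLUTO_CONNECTION (the conn name) and PLUTO_PEER_CLIENT (the remote traffic selector, i.e. the address assigned from rightsourceip as a /32). The per-conn destination policy, the `staff` conn and the virtual IPs are constructed sample data; the masquerade rule follows the post's own setup, and the FORWARD chain is assumed to have a DROP policy plus a conntrack ESTABLISHED,RELATED rule for the return direction.

```shell
#!/bin/sh
# Hypothetical custom strongSwan updown script (added example, not the
# project's /usr/libexec/ipsec/_updown). Wire it in per conn with
#     leftupdown=/etc/ipsec.d/fw-updown.sh
# charon then calls it with the SA details in PLUTO_* environment variables.

# Destinations a connection may reach: constructed sample policy keyed on the
# conn name. "stud" mirrors the post's conn (both LAN subnets plus internet).
policy_for_conn() {
    case "$1" in
        stud)  echo "192.168.0.0/24 192.168.2.0/24 0.0.0.0/0" ;;
        staff) echo "192.168.0.0/24 192.168.2.0/24 192.168.5.0/24" ;;
        *)     echo "" ;;
    esac
}

# Print (do not run) the iptables commands for one SA event.
#   $1 verb         up-client / down-client, as passed in PLUTO_VERB
#   $2 conn name    PLUTO_CONNECTION
#   $3 peer client  PLUTO_PEER_CLIENT: the rightsourceip address as a /32
# A conn without a policy entry gets no rules at all, so the FORWARD chain's
# default DROP policy (assumed) keeps it off both the LAN and the internet.
build_rules() {
    verb=$1
    conn=$2
    client=$3
    case "$verb" in
        up-client)   action=-I ;;
        down-client) action=-D ;;
        *)           return 0 ;;   # up-host/down-host and friends: nothing to do
    esac
    dsts=$(policy_for_conn "$conn")
    [ -n "$dsts" ] || return 0
    for dst in $dsts; do
        # "-m policy --dir in --pol ipsec" limits the rule to packets that really
        # arrived through an IPsec SA, so a spoofed 10.0.10.x source seen on a
        # LAN interface does not match.
        echo "iptables $action FORWARD -s $client -d $dst -m policy --dir in --pol ipsec -j ACCEPT"
    done
    # Masquerade the virtual IP behind the server's own addresses, as the post
    # already does; add "-o <wan-if>" to limit this to internet-bound traffic.
    echo "iptables -t nat $action POSTROUTING -s $client -j MASQUERADE"
}

# When charon invokes the script PLUTO_VERB is set: execute the rules.
# Run by hand (PLUTO_VERB unset) the script only defines the functions above.
if [ -n "${PLUTO_VERB:-}" ]; then
    build_rules "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_PEER_CLIENT" |
    while IFS= read -r cmd; do
        eval "$cmd"
    done
fi
```

Keeping rule construction separate from rule execution makes the policy testable without touching a live firewall, and using `-I` on up and `-D` with the identical match on down means every rule installed for a virtual IP is removed again when its CHILD_SA goes away, so nothing leaks to the next student who gets that address from the pool.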