[strongSwan] Routing and firewalling

Martin Willi martin at strongswan.org
Fri Aug 9 13:13:54 CEST 2013


Hi Ulrich,

> I can't access Internet.
>          leftsubnet=192.168.0.0/24,192.168.2.0/24

To allow access to the Internet, you'll have to include 0.0.0.0/0 (or at
least the non-private addresses of it).

>          keyexchange=ike

Please be aware that multiple subnets work for IKEv2 only, but not for
IKEv1 connections (unless you use the Unity extensions).

>          rightsourceip=10.0.10.0/24
> Fyi I also tried leftsubnet 0.0.0.0...

How do you handle mapping to public IP addresses? Is there a NAT that
translates your client addresses to a public IP? Does the reverse path
work, i.e. does your router to the Internet know where it has to send
10.0.10.0/24 packets?

> Before I start to study this script my question is: what is the "wanted"
> way to get this script managed. Should I directly edit this script, or are
> there external resources that can be configured or....?

Probably it is better to copy that script to a different location, and
refer to it using the leftupdown option. This avoids any overwrites when
updating strongSwan.

> I'd like to set up firewalling based on the rightsourceips.

However, how would you use the updown script for sourceip based
firewalling?

If you don't want to use IPsec policies to implement access control to
specific subnets, you usually define different conn entries, each having
its dedicated rightsourceip pool. You can use rightid or rightgroups
matching to select the appropriate config for each client.

Once each client gets an address from the correct pool, you can use
static iptables rules (or dedicated firewalling on your network) to
perform access control based on the client's IP.

Regards
Martin
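A worked version of the arrangement described above (one conn entry per client group with its own rightsourceip pool, selected by rightid, and static iptables rules keyed on the pool addresses, plus NAT for the pool that is allowed 0.0.0.0/0), as an added example that is not part of this thread or of strongSwan itself. The group names, pools, DN wildcard pattern, updown script path and interface name are constructed assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): one conn per client group, each with
# its own rightsourceip pool, plus static iptables rules keyed on the pool.
# Group names, pools, DN pattern, paths and interface are constructed.

WAN_IF=eth0   # assumption: interface towards the Internet

# name|pool|destinations the pool may reach ("0.0.0.0/0" = full Internet)
POLICY="
admins|10.0.10.0/24|192.168.0.0/24 192.168.2.0/24 0.0.0.0/0
staff|10.0.11.0/24|192.168.2.0/24
"

each_policy() {
  # Run "$1 name pool dests" for every non-empty POLICY line.
  printf '%s\n' "$POLICY" | while IFS='|' read -r name pool dests; do
    [ -n "$name" ] || continue
    "$1" "$name" "$pool" "$dests"
  done
}

conn_entry() {
  # One IKEv2 conn; leftsubnet=0.0.0.0/0 so clients send everything through
  # the gateway and the iptables rules below decide what actually passes.
  # rightid selects the conn per client (the DN wildcard is an assumption
  # about how certificates are issued); leftupdown points at a copy of the
  # shipped updown script so a strongSwan update cannot overwrite it.
  cat <<EOF
conn $1
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    rightsourceip=$2
    rightid="C=CH, O=Example, OU=$1, CN=*"
    leftupdown=/usr/local/libexec/ipsec-updown
    auto=add

EOF
}

forward_rules() {
  # Match only traffic that arrived through an IPsec SA, then restrict the
  # pool to its destinations; anything else from that pool is dropped.
  for d in $3; do
    echo "iptables -A FORWARD -m policy --dir in --pol ipsec -s $2 -d $d -j ACCEPT"
  done
  echo "iptables -A FORWARD -s $2 -j DROP"
  case " $3 " in
    *" 0.0.0.0/0 "*)
      # Internet-bound traffic from a private pool needs NAT on the gateway;
      # traffic going back into a tunnel is exempted from MASQUERADE first.
      echo "iptables -t nat -A POSTROUTING -s $2 -m policy --dir out --pol ipsec -j ACCEPT"
      echo "iptables -t nat -A POSTROUTING -s $2 -o $WAN_IF -j MASQUERADE"
      ;;
  esac
}

gen_ipsec_conf() { each_policy conn_entry; }
gen_iptables_rules() { each_policy forward_rules; }

# Print both artifacts; redirect to ipsec.conf / a firewall script as needed.
gen_ipsec_conf
gen_iptables_rules
```

The FORWARD rules use `-m policy --dir in --pol ipsec` so that only decrypted tunnel traffic from a pool address is accepted; a plain packet spoofing a pool source on the LAN side never matches an ACCEPT and hits the DROP. The MASQUERADE rule answers the reverse-path question for the 0.0.0.0/0 case: replies come back to the gateway's public address, so the upstream router needs no route for 10.0.10.0/24.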
