[strongSwan] Strongswan - IPSEC Gateway - Firewalling Troubles
Paton, Andy
andy.paton at hp.com
Mon Jun 10 14:08:20 CEST 2013
All,
I am currently - (struggling) - to work out how to best achieve an outcome to the following scenario, and would appreciate any help you could provide.
Scenario
1. RoadWarrior IPSEC IKEv2 VPN Gateway
2. Routing to multiple backends, based on certificates
Current Setup
I have Strongswan running on a Ubuntu Server VM - with 3 Virtual NICs currently attached.
- eth0 Public Facing Interface 10.1.0.2
- eth1 Internal NIC Subnet ID 172.17.81.137/27
- eth2 Internal NIC Subnet ID 162.17.81.137/27
Users should be able to access only the relevant backend subnet for their role, and this is achieved using Wildcards in the certificates, and multiple configuration groups in SS.
conn group1
    left=10.1.0.2
    leftcert=vpnserver.crt
    leftsubnet=172.17.81.128/27
    leftid=vpnserver.of.our.company.fqdn
    leftfirewall=yes
    right=%any
    rightid="DC=de, DC=company, O=Companyname, OU=group1 certificate, CN=*"
    rightsourceip=10.0.50.0/24
    auto=add

conn group2
    left=10.1.0.2
    leftcert=vpnserver.crt
    leftsubnet=162.17.81.128/27
    leftid=vpnserver.of.our.company.fqdn
    leftfirewall=yes
    right=%any
    rightid="DC=de, DC=company, O=Companyname, OU=group2 certificate, CN=*"
    rightsourceip=10.0.60.0/24
The idea here is that users in Group 2 shouldn't be able to access the subnets defined in Group 1.
This configuration works in so much that IKEv2 connections are established and resources can be accessed from both zones.
However, currently the IPTABLES rules are wide open, so I can cross-access resources.
So my question is (and please bear in mind I am not an expert in IPTABLES / Firewalling):
1) How do I go about configuring the IPTABLES firewall such that only devices connected to group1 can access group1 subnets, and the same for group2?
2) How do I secure the front facing IP address of the gateway such that only IKE connections are allowed in?
3) What is the best way to implement these IPTABLES scripts?
Also, I may need some help with the routing, so for information:
1) Default GW on the 172.x.x.x subnet = 172.17.81.138
2) Default GW on the 162.x.x.x subnet = 162.17.81.138
Regards,
Andy Paton
Business Development Solution Architect
HP <http://www.hp.com/>