[strongSwan] blocking Strongswan VPN client-to-client traffic?
Chris Strong
cstrong at cstrong.com
Thu Oct 10 19:37:44 CEST 2013
Strongswan,
How do I block client-to-client traffic in strongswan v4.6.4? I want to completely isolate the VPN clients from each other.
My implementation is simple. The closest example is http://strongswan.org/uml/testresults4/pfkey/rw-cert/index.html
When client VPN tunnels are connected to 'moon', roadwarrior 'carol' (in random hotel#1) and roadwarrior 'dave' (in random hotel#2) can access each other on their VPN tunnel assigned non-routable IPs! For example, if 'carol' is running a web server that binds to her VPN assigned non-routable, 'dave' can port scan and access 'carol' web server.
How do I block traffic between all VPN clients (e.g. 'carol' and 'dave')? I've tried iptables INPUT, FORWARD, and OUTPUT but have been unable to block the client-to-client traffic. The VPN client ACCEPT rules are added *above* the REJECT rule I added.
I've spent a great deal of effort getting 4.6.4 working and my attempts with 5.x have failed, so please don't ask me to upgrade.
The server configs are inline below. VPN clients get a 10.1.0.0/16 address and can access each other when connected to the strongswan server.
thanks,
Chris
# /etc/sysconfig/iptables FORWARD rules
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.1.0.0/16 -j REJECT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -p udp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# This is what the rules look like before any VPN clients connect
# note the REJECT line position
$ iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir in pol ipsec
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
REJECT all -- 10.1.0.0/16 10.1.0.0/16 reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
# live iptables after 10.1.0.6 and 10.1.0.7 connect.
# note VPN client ACCEPT rules are added *above* the reject
# Firewall policies are processed top down, so the REJECT line does absolutely nothing.
$ iptables -L
*snip*
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.1.0.7 anywhere policy match dir in pol ipsec reqid 16660 proto esp
ACCEPT all -- anywhere 10.1.0.7 policy match dir out pol ipsec reqid 16660 proto esp
ACCEPT all -- 10.1.0.6 anywhere policy match dir in pol ipsec reqid 16652 proto esp
ACCEPT all -- anywhere 10.1.0.6 policy match dir out pol ipsec reqid 16652 proto esp
ACCEPT all -- anywhere anywhere policy match dir in pol ipsec
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
REJECT all -- 10.1.0.0/16 10.1.0.0/16 reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
*snip*
[root at e20-Strongswan etc]# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
    # number of worker threads in charon
    threads = 32
    # send strongswan vendor ID?
    # send_vendor_id = yes
    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }
    # ...
}
pluto {
    dns1 = 10.1.0.253
}
libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
[root at e20-Strongswan etc]# cat ipsec.conf
config setup
    plutodebug=control
    plutostart=yes
    plutostderrlog=/var/log/pluto.log
    nat_traversal=yes
    uniqueids=yes
    crlcheckinterval=60
    cachecrls=yes
    strictcrlpolicy=yes

ca %default
    auto=add

conn ios
    type=tunnel
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=serverCert.pem
    leftfirewall=yes
    right=%any
    rightsourceip=10.1.0.0/16
    pfs=no
    auto=add
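Added example (not code from the post above and not part of strongSwan): the ordering problem comes from the stock `_updown` script, which installs its per-client ACCEPT rules with `iptables -I FORWARD 1` on every up-client, so a static REJECT is always pushed below them. One fix that keeps the stock behaviour is a small wrapper used as the conn's updown script: it runs the stock script first and then re-pins the client-to-client REJECT to position 1 of FORWARD. Assumed here, and to be checked locally: that `ipsec _updown` resolves to the installed stock script (that is the form strongSwan itself uses for `leftfirewall=yes`; `STOCK_UPDOWN` can be overridden with a full path), that the wrapper is installed as `/etc/strongswan/updown-isolate.sh`, and that the pool is the `10.1.0.0/16` from `rightsourceip`. The function and variable names are the example's own.

```shell
#!/bin/sh
# updown-isolate.sh -- wrapper around the stock strongSwan _updown script
# (added example, not code from the original post or from strongSwan).
#
# The stock script answers every up-client with `iptables -I FORWARD 1 ...`,
# so a static REJECT always ends up *below* the per-client ACCEPTs.  This
# wrapper lets the stock script run first and then re-pins the REJECT to
# position 1 of FORWARD, where it is evaluated before any ACCEPT.
#
# Assumptions (verify on your box):
#   * `ipsec _updown` finds the stock script (that is how leftfirewall=yes
#     itself invokes it); override STOCK_UPDOWN with a full path such as
#     /usr/libexec/strongswan/_updown if it does not.
#   * the wrapper lives at /etc/strongswan/updown-isolate.sh, mode 0755.
#   * VPN_POOL matches rightsourceip in ipsec.conf.
#
# ipsec.conf (conn ios): replace   leftfirewall=yes   with
#   leftfirewall=no
#   leftupdown="/etc/strongswan/updown-isolate.sh iptables"
# The trailing "iptables" argument is what leftfirewall=yes passes to the
# stock script, so its per-client ACCEPT rules are still installed.

STOCK_UPDOWN="${STOCK_UPDOWN:-ipsec _updown}"
VPN_POOL="${VPN_POOL:-10.1.0.0/16}"
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be dry-run

# Rule body, kept in one place so insert and delete always match exactly.
isolation_spec() {
    printf '%s' "-s $VPN_POOL -d $VPN_POOL -j REJECT"
}

# Remove every existing copy of the rule, then put one copy at position 1.
ensure_isolation_first() {
    spec=$(isolation_spec)
    # shellcheck disable=SC2086  # word-splitting of $spec is intended
    while "$IPTABLES" -D FORWARD $spec 2>/dev/null; do :; done
    # shellcheck disable=SC2086
    "$IPTABLES" -I FORWARD 1 $spec
}

# Succeeds if the isolation rule is the first rule in FORWARD.
# `iptables -S FORWARD` prints the chain policy first, then rules in order.
isolation_is_first() {
    "$IPTABLES" -S FORWARD | sed -n '2p' | grep -qF -- "$(isolation_spec)"
}

# Run the stock script with the original arguments, then fix the ordering
# on every "up" verb.  Return the stock script's status so failures surface.
updown_main() {
    # shellcheck disable=SC2086  # "ipsec _updown" must split into two words
    $STOCK_UPDOWN "$@"
    rc=$?
    case "${PLUTO_VERB:-}" in
        up-host|up-client|up-host-v6|up-client-v6) ensure_isolation_first ;;
    esac
    return "$rc"
}

# Only act when called by pluto/charon, which export PLUTO_VERB.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main "$@"
fi
```

After two clients are up, `iptables -S FORWARD | sed -n 2p` should show the REJECT as the first rule. If you would rather not touch the updown path at all, a `-s 10.1.0.0/16 -d 10.1.0.0/16 -j DROP` rule in the mangle table's FORWARD chain is evaluated before the filter table's FORWARD chain and is never edited by `_updown`; the cost is a silent drop instead of a REJECT.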