[strongSwan] Query regarding Manual Setting of IpTables ( leftfirewall = no )

prasobh.s25 at wipro.com prasobh.s25 at wipro.com
Fri Sep 11 10:22:31 CEST 2015


Hello,

I have a tunnel connection from PeerA to PeerB connected back to back:-

ipsec.conf of PeerA:-

config setup
                strictcrlpolicy=no
                charondebug="ike 4, cfg 4, dmn 4, knl 4, chd 4"

conn peerA
                left=10.222.4.240
                leftfirewall=no
                leftsourceip=%config
                right=10.222.4.199
                rightsubnet=0.0.0.0/0
                reauth=no
                rekey=yes
                mobike=no
                type=tunnel
                authby=secret
                auto=add
                keyexchange=ikev2
                ikelifetime=3h
                keylife=2h
                lifepackets=10240
                rekeymargin=1h
                ike=aes128-sha1-modp768!
                esp=aes128-sha1!

ipsec.conf of PeerB:-

config setup
                strictcrlpolicy=no
                charondebug="ike 4, cfg 4, dmn 4, knl 4, chd 4"

conn peerB
                right=10.222.4.240
                leftfirewall=no
                rightsourceip=10.10.10.5
                left=10.222.4.199
                leftsubnet=10.222.4.199/32
                reauth=no
                rekey=yes
                mobike=no
                type=tunnel
                authby=secret
                auto=add
                keyexchange=ikev2
                ikelifetime=3h
                keylife=2h
                lifepackets=10240
                rekeymargin=1h
                ike=aes128-sha1-modp768!
                esp=aes128-sha1!

Established a tunnel connection 10.10.10.5 === 10.222.4.199.
No Protocol/port is specified in Tunnel connection.

I have kept leftfirewall=no as I only want to accept packets directed to certain Ports and block others. So, If I let strongswan set the Firewall policies all ports at the endpoint ( 10.222.4.199) would be open since we are not specifying any protocols in connection.

So, I am trying to establish connections manually. Default policies of the INPUT, OUTPUT and FORWARD chains in iptables are set to DROP.

The commands executed are :-

# policy-match options take two dashes; INPUT matches decapsulated packets (--dir in),
# OUTPUT must use --dir out. Match the service port only: the peer's source port is ephemeral.
iptables -A INPUT -s 10.222.4.199/32 -d 10.10.10.6/32 -i eth1 -p tcp --dport 80 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A OUTPUT -s 10.10.10.6/32 -d 10.222.4.199/32 -o eth1 -p tcp --sport 80 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A INPUT -s 10.222.4.199/32 -d 10.10.10.6/32 -i eth1 -p tcp --dport 22 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A OUTPUT -s 10.10.10.6/32 -d 10.222.4.199/32 -o eth1 -p tcp --sport 22 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT

If strongswan had set the iptables using updown script, it would be something like below :-

user# iptables -L -v
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   any     10.222.4.199     10.10.10.6           policy match dir in pol ipsec reqid 1 proto esp

And for FORWARD chain and OUTPUT chain also corresponding entries would be present.

The questions I have are:

1. Is it okay to add multiple entries related to the same 'reqid' in iptables when only a single IPsec SA is present?

2. Why is 'reqid' used by the strongSwan updown script even when I can get the same behaviour without the usage of 'reqid'? Or am I missing anything?



Thanks and Regards,
Prasobh
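The per-port rule set described in the post, written as a small script. This is an added example, not code from the post or from strongSwan's updown script; the addresses, interface and reqid are taken from the post and are assumptions for a real deployment (check the actual reqid with `ipsec statusall`). It builds one INPUT and one OUTPUT rule per service port, keeps every rule tied to the CHILD_SA through `--reqid`, and uses `--dir out` on OUTPUT because the policy match rejects `--dir in` there.

```sh
#!/bin/sh
# Added example (not from the original post): generate per-port iptables rules
# bound to an IPsec SA by reqid, so only the listed TCP ports are reachable
# through the tunnel while the chain default policy stays DROP.
# Values below are assumptions taken from the post; adjust for your setup.
# Set DRY_RUN=1 to print the rules instead of applying them.

PEER_ADDR="10.222.4.199/32"   # remote tunnel endpoint (from the post)
LOCAL_ADDR="10.10.10.6/32"    # local address used in the post's rules
IFACE="eth1"
REQID="1"                     # reqid of the CHILD_SA (see 'ipsec statusall')

# build_rule CHAIN PORT -> prints one iptables command for that chain/port.
# INPUT matches already-decapsulated packets (--dir in) destined to PORT;
# OUTPUT matches the service's replies (--sport PORT) and must use --dir out.
build_rule() {
    chain="$1"; port="$2"
    case "$chain" in
        INPUT)
            printf 'iptables -A INPUT -s %s -d %s -i %s -p tcp --dport %s -m policy --dir in --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
                "$PEER_ADDR" "$LOCAL_ADDR" "$IFACE" "$port" "$REQID" ;;
        OUTPUT)
            printf 'iptables -A OUTPUT -s %s -d %s -o %s -p tcp --sport %s -m policy --dir out --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
                "$LOCAL_ADDR" "$PEER_ADDR" "$IFACE" "$port" "$REQID" ;;
        *)
            echo "build_rule: unsupported chain '$chain'" >&2
            return 1 ;;
    esac
}

# apply_port_rules PORT... -> one INPUT and one OUTPUT rule per port.
# Several rules sharing one reqid is fine: reqid only identifies the SA
# the packet was protected by; the port matches do the narrowing.
apply_port_rules() {
    for port in "$@"; do
        for chain in INPUT OUTPUT; do
            rule=$(build_rule "$chain" "$port") || return 1
            if [ "${DRY_RUN:-0}" = "1" ]; then
                echo "$rule"
            else
                eval "$rule"   # needs root and a working iptables
            fi
        done
    done
}

# Usage: DRY_RUN=1 sh this_script.sh   (prints the rules for ports 80 and 22)
if [ "${DRY_RUN:-0}" = "1" ] && [ "$(basename "$0")" != "sh" ]; then
    apply_port_rules 80 22
fi
```

Because the rules are keyed on the service port, the peer's ephemeral source port does not have to be known in advance; a rule that matches both `--sport 80` and `--dport 80` would only ever see packets where both sides use port 80.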





