[strongSwan] Query regarding Manual Setting of IpTables ( leftfirewall = no )
prasobh.s25 at wipro.com
Fri Sep 11 10:22:31 CEST 2015
Hello,
I have a tunnel connection from PeerA to PeerB, connected back to back:
ipsec.conf of PeerA:
config setup
    strictcrlpolicy=no
    charondebug="ike 4, cfg 4, dmn 4, knl 4, chd 4"
conn peerA
    left=10.222.4.240
    leftfirewall=no
    leftsourceip=%config
    right=10.222.4.199
    rightsubnet=0.0.0.0/0
    reauth=no
    rekey=yes
    mobike=no
    type=tunnel
    authby=secret
    auto=add
    keyexchange=ikev2
    ikelifetime=3h
    keylife=2h
    lifepackets=10240
    rekeymargin=1h
    ike=aes128-sha1-modp768!
    esp=aes128-sha1!
ipsec.conf of PeerB:
config setup
    strictcrlpolicy=no
    charondebug="ike 4, cfg 4, dmn 4, knl 4, chd 4"
conn peerB
    right=10.222.4.240
    leftfirewall=no
    rightsourceip=10.10.10.5
    left=10.222.4.199
    leftsubnet=10.222.4.199/32
    reauth=no
    rekey=yes
    mobike=no
    type=tunnel
    authby=secret
    auto=add
    keyexchange=ikev2
    ikelifetime=3h
    keylife=2h
    lifepackets=10240
    rekeymargin=1h
    ike=aes128-sha1-modp768!
    esp=aes128-sha1!
Established a tunnel connection 10.10.10.5 === 10.222.4.199.
No protocol/port is specified in the tunnel connection.
I have kept leftfirewall=no as I only want to accept packets directed to certain ports and block the others. So, if I let strongSwan set the firewall policies, all ports at the endpoint (10.222.4.199) would be open, since we are not specifying any protocols in the connection.
So, I am trying to establish the connections manually. The default policies of the INPUT, OUTPUT and FORWARD chains in iptables are set to DROP.
The commands executed are:
iptables -A INPUT  -s 10.222.4.199/32 -d 10.10.10.6/32 -i eth1 -p tcp --sport 80 --dport 80 -m policy --dir in  --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A OUTPUT -s 10.10.10.6/32 -d 10.222.4.199/32 -o eth1 -p tcp --sport 80 --dport 80 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A INPUT  -s 10.222.4.199/32 -d 10.10.10.6/32 -i eth1 -p tcp --sport 22 --dport 22 -m policy --dir in  --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A OUTPUT -s 10.10.10.6/32 -d 10.222.4.199/32 -o eth1 -p tcp --sport 22 --dport 22 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
If strongSwan had set the iptables rules using the updown script, it would be something like below:
user# iptables -L -v
 pkts bytes target  prot opt in    out  source        destination
    0     0 ACCEPT  all  --  eth1  any  10.222.4.199  10.10.10.6   policy match dir in pol ipsec reqid 1 proto esp
And for the FORWARD chain and the OUTPUT chain, corresponding entries would also be present.
The questions I have are:
1. Is it okay to add multiple entries related to the same 'reqid' in iptables when only a single IPsec SA is present?
2. Why is 'reqid' used by the strongSwan updown script even when I can get the same behaviour without using 'reqid'? Or am I missing anything?
Thanks and Regards,
Prasobh
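As an added example (not from the post above and not strongSwan's own _updown script), the following shell function emits the per-port INPUT/OUTPUT rule pairs described in the post, keeping the policy-match direction consistent with the chain: --dir in on INPUT and --dir out on OUTPUT, which is the pairing _updown uses and the only one the kernel's policy match accepts. The addresses, interface, reqid and ports are placeholder values modelled on the post, and IPT defaults to echo so the script only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Emit (or apply) iptables rules that admit only selected TCP ports inside
# an IPsec tunnel, using the xt_policy match the way strongSwan's _updown
# does, but narrowed per port. Placeholder values; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# ipsec_port_rules LOCAL_NET PEER_NET IFACE REQID PORT...
# One INPUT and one OUTPUT rule per port. The local side serves PORT, so
# INPUT matches --dport and OUTPUT matches the reply traffic with --sport.
# The policy match direction must agree with the chain: the kernel rejects
# "--dir in" in OUTPUT and "--dir out" in INPUT.
ipsec_port_rules() {
    local_net=$1; peer_net=$2; iface=$3; reqid=$4; shift 4
    for port in "$@"; do
        $IPT -A INPUT -i "$iface" -s "$peer_net" -d "$local_net" \
            -p tcp --dport "$port" \
            -m policy --dir in --pol ipsec --reqid "$reqid" --proto esp \
            -j ACCEPT
        $IPT -A OUTPUT -o "$iface" -s "$local_net" -d "$peer_net" \
            -p tcp --sport "$port" \
            -m policy --dir out --pol ipsec --reqid "$reqid" --proto esp \
            -j ACCEPT
    done
}

# count_dir_mismatch: reads rule lines on stdin and counts those whose
# chain and policy direction disagree (INPUT with --dir out, OUTPUT with
# --dir in). A non-zero count means iptables would refuse the rule.
count_dir_mismatch() {
    grep -c -E -e '-A INPUT .*--dir out' -e '-A OUTPUT .*--dir in' || true
}

# Constructed sample values modelled on the post: virtual IP 10.10.10.6 on
# eth1, peer 10.222.4.199, reqid 1, only HTTP and SSH admitted.
ipsec_port_rules 10.10.10.6/32 10.222.4.199/32 eth1 1 80 22
```

Run as-is to review the rules; pipe the output through count_dir_mismatch to confirm every chain carries the matching direction before applying with IPT=iptables.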