[strongSwan] Drop data traffic if ipsec is not present

Sarat Vajrapu saratvajrapu1 at gmail.com
Thu Aug 4 14:00:03 CEST 2016


Hi Andreas,

Thanks for the inputs.

I was expecting leftfirewall=yes would take care of adding default policies
for IKE, ESP and drop traffic.
From your explanation, I understood that we need to explicitly configure
iptables. So what does leftfirewall actually do?

Regards,
Sarat Vajrapu

On Tue, Aug 2, 2016 at 2:50 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Sarat,
>
> leftfirewall=yes is the right way to go. Just set up a
> general drop policy with iptables, just allowing IKE
> traffic via UDP ports 500 and 4500 as well as allowing
> ESP (IP protocol 50). Also make sure that the updown
> plugin is loaded by the charon daemon.
>
> Best regards
>
> Andreas
>
> On 01.08.2016 09:21, Sarat Vajrapu wrote:
> > Hi,
> >
> > I am trying a lab setup with IPsec between two nodes.
> > Is there a way where I can send/receive data packets only if ipsec is
> > UP, else just drop the traffic?
> >
> > I tried "leftfirewall" option but it did not help me.
> > Your inputs are highly appreciated.
> >
> > Regards,
> > Sarat
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
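The baseline firewall that the quoted reply describes, written out as an added example (it is not code from this thread or from the strongSwan project): everything is dropped by default, and only IKE on UDP 500/4500 and ESP (IP protocol 50) are let through. The ACCEPT rules for the tunnelled traffic itself are deliberately not in the script: that is what leftfirewall=yes delegates to the updown plugin, which inserts them when a CHILD_SA comes up and removes them when it goes down. The loopback rules and the IPv4-only scope are assumptions of this example, and IPT=echo is a preview knob added here so the rules can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan itself.
# Baseline firewall: drop by default, allow only IKE (UDP 500, plus UDP 4500
# for NAT traversal) and ESP (IP protocol 50), as in the quoted reply.
# The ACCEPT rules for the protected traffic are NOT added here: with
# leftfirewall=yes the updown plugin (which charon must load) inserts them
# per CHILD_SA and removes them again, so data flows only while IPsec is up.
#
# IPv4 only. IPT is the command used for every rule; set IPT=echo to
# preview the rules without touching the running firewall.
IPT="${IPT:-iptables}"

ipsec_baseline_rules() {
    # Default deny on all three chains; the updown rules punch holes later.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP

    # Loopback (assumption of this example; not mentioned in the thread).
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # IKE and NAT-T, both directions (charon binds source ports 500/4500).
    for port in 500 4500; do
        "$IPT" -A INPUT  -p udp --dport "$port" -j ACCEPT
        "$IPT" -A OUTPUT -p udp --sport "$port" -j ACCEPT
    done

    # ESP (IP protocol 50), both directions.
    "$IPT" -A INPUT  -p esp -j ACCEPT
    "$IPT" -A OUTPUT -p esp -j ACCEPT
}

case "${1:-}" in
    apply)   ipsec_baseline_rules ;;
    preview) IPT=echo; ipsec_baseline_rules ;;
    *)       : ;;   # no argument: only define the function
esac
```

Run `sh ipsec-baseline.sh preview` to see the rules, and `sh ipsec-baseline.sh apply` as root on a lab box. Because OUTPUT defaults to DROP, anything the host needs besides IKE and ESP (DNS, SSH to the lab node) has to be allowed explicitly; on the strongSwan side the connection still needs leftfirewall=yes and charon must have the updown plugin loaded, exactly as the reply says, otherwise no per-tunnel ACCEPT rules ever appear and the tunnel traffic stays dropped.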