[strongSwan] Drop data traffic if ipsec is not present

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 4 21:01:49 CEST 2016


Hi Sarat,

leftfirewall=yes installs and removes dynamic IPsec policy
iptables rules guaranteeing that only traffic coming or going
into an IPsec tunnel is forwarded.

Regards

Andreas

On 04.08.2016 14:00, Sarat Vajrapu wrote:
> Hi Andreas,
> 
> Thanks for the inputs.
> 
> I was expecting leftfirewall=yes would take care of adding default
> policies for IKE, ESP and drop traffic.
> From your explanation, I understood that we need to explicitly configure
> iptables. So what does leftfirewall actually do? 
> 
> Regards,
> Sarat Vajrapu
> 
> On Tue, Aug 2, 2016 at 2:50 PM, Andreas Steffen
> <andreas.steffen at strongswan.org>
> wrote:
> 
>     Hi Sarat,
> 
>     leftfirewall=yes is the right way to go. Just set up a
>     general drop policy with iptables, just allowing IKE
>     traffic via UDP ports 500 and 4500 as well as allowing
>     ESP (IP protocol 50). Also make sure that the updown
>     plugin is loaded by the charon daemon.
> 
>     Best regards
> 
>     Andreas
> 
>     On 01.08.2016 09:21, Sarat Vajrapu wrote:
>     > Hi,
>     >
>     > I am trying a lab setup with IPsec between two nodes.
>     > Is there a way where I can send/receive data packets only if ipsec is
>     > UP, else just drop the traffic?
>     >
>     > I tried "leftfirewall" option but it did not help me.
>     > Your inputs are highly appreciated.
>     >
>     > Regards,
>     > Sarat
>     >
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
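As an added example (not code from this thread or from the strongSwan project), here is the baseline Andreas describes, written as an iptables-restore ruleset: default DROP on INPUT, FORWARD and OUTPUT, with only IKE on UDP 500/4500 and ESP (IP protocol 50) exchanged in the clear with the peer. It goes one step beyond the thread: INPUT and OUTPUT additionally accept plaintext that the kernel has just decrypted from, or is about to encrypt into, an IPsec SA (the xt_policy match). That is what makes "no IPsec, no data" hold for traffic the node itself sends and receives, since the dynamic rules that leftfirewall=yes adds through the _updown script are, as Andreas says, about forwarded traffic. The interface name eth0, the peer address 192.0.2.2 (an RFC 5737 documentation address) and the quoted shape of the _updown rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project.
# Default-drop iptables baseline for an IPsec node: only IKE (UDP 500/4500)
# and ESP (IP protocol 50) are exchanged in the clear with the peer, and the
# only plaintext accepted or sent is what the kernel associates with an
# IPsec policy (xt_policy). Interface and peer address are assumptions.

WAN_IF="${WAN_IF:-eth0}"      # assumed external interface
PEER="${PEER:-192.0.2.2}"     # assumed remote IKE peer (RFC 5737 address)

# Emit the ruleset in iptables-restore format, so it can be reviewed (or
# tested) without touching the running kernel.
ipsec_only_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# IKE on UDP 500, and UDP 4500 for NAT-T (IKE and UDP-encapsulated ESP)
-A INPUT -i $WAN_IF -p udp -s $PEER -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp -d $PEER -m multiport --dports 500,4500 -j ACCEPT
# ESP in the clear (IP protocol 50)
-A INPUT -i $WAN_IF -p esp -s $PEER -j ACCEPT
-A OUTPUT -o $WAN_IF -p esp -d $PEER -j ACCEPT
# Plaintext that was just decrypted from an SA, or that will be encrypted
# into one. This is what covers traffic the node itself originates or
# terminates; no other cleartext gets in or out.
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
# FORWARD stays at DROP. With leftfirewall=yes and the updown plugin loaded,
# strongSwan's _updown inserts a per-tunnel ACCEPT here when the CHILD_SA
# comes up and removes it when the SA goes down (roughly
# "-m policy --dir in --pol ipsec --reqid <n> --proto esp"; quoted from
# memory, check the _updown script shipped with your installation).
COMMIT
EOF
}

# Apply atomically: iptables-restore replaces the filter table as a whole,
# so there is no window with a half-loaded ruleset.
apply_ruleset() {
    ipsec_only_ruleset | iptables-restore
}

# Sanity check: every cleartext ACCEPT must be bound to loopback, to the
# peer's IKE/ESP, or to an IPsec policy match. Returns 0 when that holds.
ruleset_has_no_open_accept() {
    if ipsec_only_ruleset | grep '^-A' | grep 'ACCEPT' \
        | grep -v -e '-i lo' -e '-o lo' -e "$PEER" -e '--pol ipsec' \
        | grep -q .; then
        return 1
    fi
    return 0
}

case "${1:-show}" in
    show)  ipsec_only_ruleset ;;
    apply) apply_ruleset ;;
    check) ruleset_has_no_open_accept && echo "ok" ;;
esac
```

Run it without arguments to print the ruleset for review, `check` to confirm no cleartext ACCEPT slipped in, and `apply` as root once you are satisfied. To verify the dynamic part, confirm `updown` appears in the plugin list printed by `ipsec statusall`, then bring the connection up with `ipsec up` and look at `iptables -L FORWARD -n`: the per-tunnel ACCEPT rules should appear, and disappear again after `ipsec down`. The `-m policy` lines need the xt_policy kernel module, which every mainstream distribution kernel ships.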
