[strongSwan] Drop data traffic if ipsec is not present
saratvajrapu1 at gmail.com
Fri Aug 5 20:39:24 CEST 2016
Thanks for your inputs.
I did some testing with leftfirewall, iptables rules and understood the
On Fri, Aug 5, 2016 at 12:31 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Sarat,
> leftfirewall=yes installs and removes dynamic IPsec policy
> iptables rules guaranteeing that only traffic coming or going
> into an IPsec tunne are forwarded.
> On 04.08.2016 14:00, Sarat Vajrapu wrote:
> > Hi Andreas,
> > Thanks for the inputs.
> > I was expecting leftfirewall=yes would take care of adding default
> > policies for IKE, ESP and drop traffic.
> > From your explanation, I understood that we need to explicitly configure
> > iptables. So what does leftfirewall actually do?
> > Regards,
> > Sarat Vajrapu
> > On Tue, Aug 2, 2016 at 2:50 PM, Andreas Steffen
> > <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> > wrote:
> > Hi Sarat,
> > leftfirewall=yes is the right way to go. Just set up a
> > general drop policy with iptables, just allowing IKE
> > traffic via UDP ports 500 and 4500 as well as allowing
> > ESP (IP protocol 50). Also make sure that the updown
> > plugin is loaded by the charon daemon.
> > Best regards
> > Andreas
> > On 01.08.2016 09:21, Sarat Vajrapu wrote:
> > > Hi,
> > >
> > > I am trying a lab setup with IPsec between two nodes.
> > > Is there a way where I can send/receive data packets only if ipsec
> > > UP, else just drop the traffic?
> > >
> > > I tried "leftfirewall" option but it did not help me.
> > > Your inputs are highly appreciated.
> > >
> > > Regards,
> > > Sarat
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > > https://lists.strongswan.org/mailman/listinfo/users
> > >
> > --
> > ============================================================
> > Andreas Steffen
> > andreas.steffen at strongswan.org <mailto:andreas.steffen@
> > strongSwan - the Open Source VPN Solution!
> > www.strongswan.org <http://www.strongswan.org>
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users