[strongSwan] Drop data traffic if ipsec is not present
Sarat Vajrapu
saratvajrapu1 at gmail.com
Fri Aug 5 20:39:24 CEST 2016
Hi Andreas,
Thanks for your inputs.
I did some testing with leftfirewall, iptables rules and understood the
behavior.
Regards,
Sarat
On Fri, Aug 5, 2016 at 12:31 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Sarat,
>
> leftfirewall=yes installs and removes dynamic IPsec policy
> iptables rules guaranteeing that only traffic coming or going
> into an IPsec tunnel is forwarded.
>
> Regards
>
> Andreas
>
> On 04.08.2016 14:00, Sarat Vajrapu wrote:
> > Hi Andreas,
> >
> > Thanks for the inputs.
> >
> > I was expecting leftfirewall=yes would take care of adding default
> > policies for IKE, ESP and drop traffic.
> > From your explanation, I understood that we need to explicitly configure
> > iptables. So what does leftfirewall actually do?
> >
> > Regards,
> > Sarat Vajrapu
> >
> > On Tue, Aug 2, 2016 at 2:50 PM, Andreas Steffen
> > <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Sarat,
> >
> > leftfirewall=yes is the right way to go. Just set up a
> > general drop policy with iptables, just allowing IKE
> > traffic via UDP ports 500 and 4500 as well as allowing
> > ESP (IP protocol 50). Also make sure that the updown
> > plugin is loaded by the charon daemon.
> >
> > Best regards
> >
> > Andreas
> >
> > On 01.08.2016 09:21, Sarat Vajrapu wrote:
> > > Hi,
> > >
> > > I am trying a lab setup with IPsec between two nodes.
> > > Is there a way where I can send/receive data packets only if ipsec is
> > > UP, else just drop the traffic?
> > >
> > > I tried "leftfirewall" option but it did not help me.
> > > Your inputs are highly appreciated.
> > >
> > > Regards,
> > > Sarat
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> > >
> >
> > --
> > ======================================================================
> > Andreas Steffen
> > andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution!
> > www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> >
> >
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
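The setup Andreas describes above (a general iptables drop policy that admits only IKE on UDP 500/4500 and ESP, with leftfirewall=yes leaving the per-tunnel ACCEPT rules to charon's updown plugin), written out as an added example that is not part of the thread. The interface name and the IPSEC_FW_APPLY switch are assumptions of this example, not strongSwan options.

```shell
#!/bin/sh
# Added example: default-drop iptables baseline for a strongSwan gateway, so
# that only IKE and ESP cross the wire outside a tunnel. With leftfirewall=yes
# the updown plugin adds "-m policy --pol ipsec" ACCEPT rules for each CHILD_SA
# when it comes up and removes them when it goes down; until then, plaintext
# data traffic is dropped. Interface name and apply switch are assumptions.

# Emit the baseline as iptables commands for interface $1 (does not run them).
ipsec_baseline_rules() {
    ifc="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback and replies to flows already accepted
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (UDP 500) and IKE/ESP-in-UDP for NAT traversal (UDP 4500)
iptables -A INPUT -i $ifc -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o $ifc -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ifc -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -o $ifc -p udp --dport 4500 -j ACCEPT
# ESP (IP protocol 50)
iptables -A INPUT -i $ifc -p esp -j ACCEPT
iptables -A OUTPUT -o $ifc -p esp -j ACCEPT
# Everything else stays blocked until updown inserts tunnel-specific ACCEPT rules.
EOF
}

# Count the ACCEPT rules in the baseline, as a quick self-check.
count_accept_rules() {
    ipsec_baseline_rules "$1" | grep -c -- '-j ACCEPT'
}

# Apply only when IPSEC_FW_APPLY=1 is set; otherwise print the rules for review.
if [ "${IPSEC_FW_APPLY:-0}" = "1" ]; then
    ipsec_baseline_rules "${IPSEC_FW_IFACE:-eth0}" | sh -e
else
    ipsec_baseline_rules "${IPSEC_FW_IFACE:-eth0}"
fi
```

Pair this with leftfirewall=yes in the connection definition and check that charon lists updown among its loaded plugins; without updown no tunnel-specific ACCEPT rules appear and even established tunnels carry no traffic.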