[strongSwan] Help needed with shunted connections - not working as expected

Mahendra SP mahendra.sp at gmail.com
Wed Feb 17 04:42:08 CET 2016 

Hi Noel,

Thank you for the quick response.

There are two hosts namely 192.168.1.6 and 192.168.1.8.

Here is what I want to do:
1. Block all traffic over TCP from 192.168.1.6 to TCP port 9100 on
192.168.1.8
2. Drop the rest of the traffic between these two systems.

Sorry for not having correct parameters. Please find below the correct one.

conn allow-9100
leftsubnet=192.168.1.6[6/%any]
rightsubnet=192.168.1.8[6/9100]
leftfirewall=yes
type=passthrough
        auto=route

conn drop-rest
leftsubnet=192.168.1.6
rightsubnet=192.168.1.8
leftfirewall=yes
type=drop
        auto=route

Is it possible to achieve the above mentioned items 1 and 2  ?  With the
above settings, I was expecting connections to port 9100 would be allowed
and rest is dropped. What I observe is, all traffic including 9100 is
dropped. Is there some priority that we can set ?

Thanks
Mahendra




On Tue, Feb 16, 2016 at 11:23 PM, Noel Kuntze <noel at familie-kuntze.de>
wrote:

> On 16.02.2016 13:43, Mahendra SP wrote:
> > conn allow-9100
> >       leftsubnet=192.168.1.6[6/%any]
> >       rightsubnet=192.168.1.8[6/9100]
> >       leftfirewall=yes
> >       type=allow
> >     auto=route
> "allow" is not a valid setting for "type".
>
>
> > conn drop-rest
> >       leftsubnet=192.168.1.6
> >       rightsubnet=192.168.1.8
> >       leftfirewall=yes
> >       type=passthrough
> >     auto=route
> What's the purpose of that? It just tells XFRM to not do any processing on
> packets that match those left- and rightsubnet settings.
>
> When I look at all your settings, they seem to contradict each other.
> Please do a minimal setup. I think the error is in your overlaping subnets
> with all those different types.
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160217/add3b265/attachment-0001.html>

More information about the Users mailing list