[strongSwan] Help needed with shunted connections - not working as expected

Mahendra SP mahendra.sp at gmail.com
Thu Feb 18 04:36:36 CET 2016


Hi,

Please let me know if the combination to allow port 9100 and drop the rest
is ever possible with Strongswan?

Thanks
Mahendra


On Wed, Feb 17, 2016 at 9:12 AM, Mahendra SP <mahendra.sp at gmail.com> wrote:

> Hi Noel,
>
> Thank you for the quick response.
>
> There are two hosts namely 192.168.1.6 and 192.168.1.8.
>
> Here is what I want to do:
> 1. Block all traffic over TCP from 192.168.1.6 to TCP port 9100 on
> 192.168.1.8
> 2. Drop the rest of the traffic between these two systems.
>
> Sorry for not having correct parameters. Please find below the correct one.
>
> conn allow-9100
>         leftsubnet=192.168.1.6[6/%any]
>         rightsubnet=192.168.1.8[6/9100]
>         leftfirewall=yes
>         type=passthrough
>         auto=route
>
> conn drop-rest
>         leftsubnet=192.168.1.6
>         rightsubnet=192.168.1.8
>         leftfirewall=yes
>         type=drop
>         auto=route
>
> Is it possible to achieve the above mentioned items 1 and 2? With the
> above settings, I was expecting connections to port 9100 would be allowed
> and the rest dropped. What I observe is that all traffic, including 9100, is
> dropped. Is there some priority that we can set?
>
> Thanks
> Mahendra
>
>
>
>
> On Tue, Feb 16, 2016 at 11:23 PM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>> On 16.02.2016 13:43, Mahendra SP wrote:
>> > conn allow-9100
>> >       leftsubnet=192.168.1.6[6/%any]
>> >       rightsubnet=192.168.1.8[6/9100]
>> >       leftfirewall=yes
>> >       type=allow
>> >       auto=route
>> "allow" is not a valid setting for "type".
>>
>>
>> > conn drop-rest
>> >       leftsubnet=192.168.1.6
>> >       rightsubnet=192.168.1.8
>> >       leftfirewall=yes
>> >       type=passthrough
>> >       auto=route
>> What's the purpose of that? It just tells XFRM to not do any processing on
>> packets that match those left- and rightsubnet settings.
>>
>> When I look at all your settings, they seem to contradict each other.
>> Please do a minimal setup. I think the error is in your overlapping subnets
>> with all those different types.
>>
>>
>> --
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>>
>>
>
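A check a practitioner would run on this setup, added here as an example and not code from the thread: dump the kernel policies with `ip xfrm policy` and work out which shunt actually wins for a given flow. XFRM picks, among all policies whose selectors match, the one with the lowest priority number. The script parses a constructed dump (the addresses are the thread's, the priority values and the exact layout are assumptions) and reports the winner, so the same routine run on real output shows whether the port-9100 passthrough or the host-wide drop takes effect.

```python
import ipaddress

# Constructed sample of `ip xfrm policy` output (not captured from a real host):
# a port-specific passthrough shunt and a host-wide drop shunt, one per
# direction. Priority numbers are made up; in XFRM the lower number wins.
SAMPLE_XFRM = """\
src 192.168.1.6/32 dst 192.168.1.8/32 proto tcp dport 9100
    dir out priority 1000 ptype main
src 192.168.1.6/32 dst 192.168.1.8/32
    dir out action block priority 2000 ptype main
src 192.168.1.8/32 dst 192.168.1.6/32 proto tcp sport 9100
    dir in priority 1000 ptype main
src 192.168.1.8/32 dst 192.168.1.6/32
    dir in action block priority 2000 ptype main
"""

def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of policy dicts."""
    policies = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith("src "):
            pol = {"src": ipaddress.ip_network(f[1]), "dst": ipaddress.ip_network(f[3]),
                   "proto": None, "dport": None, "sport": None, "action": "allow"}
            for key in ("proto", "dport", "sport"):  # optional selector fields
                if key in f:
                    pol[key] = f[f.index(key) + 1]
            policies.append(pol)
        elif f and f[0] == "dir" and policies:  # attribute line of the last policy
            policies[-1]["dir"] = f[1]
            policies[-1]["priority"] = int(f[f.index("priority") + 1])
            if "block" in f:  # drop shunts show up as "action block"
                policies[-1]["action"] = "block"
    return policies

def matching_policy(policies, src, dst, proto, sport, dport, direction):
    """Return the policy XFRM would apply to this flow, or None if none matches.
    Every present selector must match; among matches the lowest priority wins."""
    best = None
    for p in policies:
        if p.get("dir") != direction:
            continue
        if ipaddress.ip_address(src) not in p["src"] or ipaddress.ip_address(dst) not in p["dst"]:
            continue
        if p["proto"] and p["proto"] != proto:
            continue
        if p["dport"] and int(p["dport"]) != dport:
            continue
        if p["sport"] and int(p["sport"]) != sport:
            continue
        if best is None or p["priority"] < best["priority"]:
            best = p
    return best
```

On a live host, feed `subprocess.check_output(["ip", "xfrm", "policy"])` to `parse_xfrm_policies` instead of the sample; if the drop policy carries the smaller priority number, the observed "everything dropped" behaviour is explained by the priorities alone.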