[strongSwan] firewall issue?

Harald Dunkel harald.dunkel at aixigo.de
Mon Jul 4 09:33:48 CEST 2016


PS: I found out a little bit more. If there is a new connection
initiated by a road warrior, then /var/log/messages shows me

Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP SPT=50374 DPT=53 LEN=47
Jul  4 08:55:03 srvl047 kernel: [73014.164948] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=21954 PROTO=UDP SPT=62524 DPT=53 LEN=47
Jul  4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP SPT=64310 DPT=53 LEN=46
Jul  4 08:55:03 srvl047 kernel: [73014.165340] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41664 PROTO=UDP SPT=50876 DPT=53 LEN=46
Jul  4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI, CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 == 172.19.96.0/19

I know that the sequence in the log file might not match the
actual sequence of events, but I wonder if there could be a
race condition?

Is there some way to introduce an artificial "new connection
delay" for the very first packets to give the firewall some
time to come up?

https://wiki.strongswan.org/projects/strongswan/wiki/Updown
suggests introducing global iptables entries instead of
setting leftfirewall=yes. Both source and destination address
in the "iptables-dropped" lines are valid on eth1 (the
internal side) only. I wouldn't like to support global
forward rules between eth0 and eth1. Maybe there is a way to
introduce a virtual network device to be used exclusively for
the VPN payload, instead of eth0?


Every helpful comment is highly appreciated. Regards

Harri
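The race suspected above can be checked directly from the syslog excerpt: if drops from the road warrior's virtual address appear in the same second as (or just before) the updown script's "+" line, the first decrypted packets were forwarded before the per-connection rules existed. The script below is an added example written for this thread, not code from the post or from strongSwan; it assumes only the log formats visible in the quoted lines (the kernel `iptables-dropped:` prefix and the updown line `+ <peer id> <client> == <peer> -- <me> == <my net>`), and the 2-second correlation window is a constructed choice.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the syslog excerpt quoted in the post, four kernel drops
# followed by the strongSwan updown "+" line for the same client.
SAMPLE_LOG = """\
Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP SPT=50374 DPT=53 LEN=47
Jul  4 08:55:03 srvl047 kernel: [73014.164948] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=21954 PROTO=UDP SPT=62524 DPT=53 LEN=47
Jul  4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP SPT=64310 DPT=53 LEN=46
Jul  4 08:55:03 srvl047 kernel: [73014.165340] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41664 PROTO=UDP SPT=50876 DPT=53 LEN=46
Jul  4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI, CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 == 172.19.96.0/19
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# Kernel log prefix line: the LOG target's key=value fields follow the prefix.
DROP_RE = re.compile(SYSLOG_TS + r" \S+ kernel: \[(?P<uptime>[\d.]+)\] iptables-dropped: (?P<kv>.*)$")
# Updown line as it appears in the post: "+ <peer id> <client>/<len> == <peer> -- <me> == <net>".
UPDOWN_RE = re.compile(
    SYSLOG_TS + r" \S+ vpn: (?P<op>[+-]) (?P<id>.*?) (?P<client>\d+\.\d+\.\d+\.\d+/\d+)"
    r" == (?P<peer>\S+ -- \S+|\S+) == (?P<net>\S+)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; 1900 is fine for ordering within one file.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_pre_sa_drops(log_text: str, window_s: float = 2.0) -> list[dict]:
    """Return drops whose SRC lies in a client subnet announced by an updown "+"
    event at most window_s seconds later (i.e. traffic forwarded before the
    per-connection rules were installed)."""
    drops, updowns = [], []
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            # LEN appears twice (IP and UDP); dict() keeps the inner one, which is fine here.
            kv = dict(KV_RE.findall(m["kv"]))
            drops.append({"ts": parse_ts(m["ts"]), "uptime": float(m["uptime"]), **kv})
            continue
        m = UPDOWN_RE.match(line)
        if m and m["op"] == "+":
            updowns.append({"ts": parse_ts(m["ts"]), "id": m["id"],
                            "client": ip_network(m["client"], strict=False)})

    findings = []
    for up in updowns:
        for d in drops:
            lag = (up["ts"] - d["ts"]).total_seconds()
            if ip_address(d["SRC"]) in up["client"] and 0 <= lag <= window_s:
                findings.append({
                    "client": str(up["client"]), "peer_id": up["id"],
                    "proto": d.get("PROTO"), "dpt": d.get("DPT"), "dst": d.get("DST"),
                    # IN/OUT show the decrypted packet being forwarded eth0 -> eth1,
                    # which is why the post notes both addresses are internal-only.
                    "in": d.get("IN"), "out": d.get("OUT"),
                })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count pre-SA drops per (client, proto, destination port)."""
    return dict(Counter((f["client"], f["proto"], f["dpt"]) for f in findings))


if __name__ == "__main__":
    hits = find_pre_sa_drops(SAMPLE_LOG)
    for key, n in summarize(hits).items():
        print(f"{key[0]} {key[1]}/{key[2]}: {n} packet(s) dropped before updown '+'")
```

Run against a full /var/log/messages, a non-empty result for every new road-warrior connection confirms the ordering problem rather than an occasional misfire, and the per-port summary shows which first packets (here the client's DNS queries) are being lost.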
