[strongSwan] firewall issue?

Harald Dunkel harald.dunkel at aixigo.de
Tue Jul 5 12:32:07 CEST 2016


Hi folks,

I would highly appreciate some feedback about this. Is it
unreasonable to expect that the IPsec payload should not be
affected by the slow updown script?

All the road warrior Macs and iPhones do VPN-on-demand.
Currently the IPsec connection succeeds, but the DNS lookup
(the "demand" in this case) fails. You might imagine that
this affects a lot of tools (calendar lookup, e-mail, etc.).
From the user's point of view this is the difference between
"works" and "doesn't work".


Thanx very much
Harri

On 07/04/16 09:33, Harald Dunkel wrote:
> PS: I found out a little bit more. If there is a new connection
> initiated by a road warrior, then /var/log/messages shows me
> 
> Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP SPT=50374 DPT=53 LEN=47
> Jul  4 08:55:03 srvl047 kernel: [73014.164948] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=21954 PROTO=UDP SPT=62524 DPT=53 LEN=47
> Jul  4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP SPT=64310 DPT=53 LEN=46
> Jul  4 08:55:03 srvl047 kernel: [73014.165340] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41664 PROTO=UDP SPT=50876 DPT=53 LEN=46
> Jul  4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI, CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 == 172.19.96.0/19
> 
> I know that the sequence in the log file might not match the
> actual sequence of events, but I wonder if there could be a
> race condition?
> 
> Is there some way to introduce an artificial "new connection
> delay" for the very first packets to give the firewall some
> time to come up?
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/Updown
> suggests to introduce global iptables entries instead of
> setting leftfirewall=yes. Both source and destination address
> in the "iptables-dropped" lines are valid on eth1 (the
> internal side) only. I wouldn't like to support global
> forward rules between eth0 and eth1. Maybe there is a way to
> introduce a virtual network device to be used exclusively for
> the VPN payload, instead of eth0?
> 
> 
> Every helpful comment is highly appreciated. Regards
> 
> Harri
> 
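
Added example (not from the original post or from strongSwan itself): the "global
iptables entries" the Updown wiki page refers to do not have to be blanket FORWARD
rules between eth0 and eth1. With the xt_policy match (iptables -m policy) a rule
can accept a forwarded packet only if the kernel has just decapsulated it from an
IPsec SA (--dir in) or will encrypt it under an IPsec policy on the way out
(--dir out). Cleartext forwarding between the two interfaces stays blocked, and
because the rules are static they exist before the first CHILD_SA is installed,
so there is no window between the SA coming up and the updown script inserting its
rules. The script below assumes eth0 is the external interface the tunnels
terminate on, eth1 the internal side, 172.19.96.0/19 the internal network from the
log line above, that xt_policy is available in the kernel, and that a logging DROP
rule like the "iptables-dropped" one already sits in FORWARD (hence -I, so the new
rules land in front of it). Set IPT=echo for a dry run.

```shell
#!/bin/sh
# Static IPsec-aware FORWARD/NAT rules as a replacement for per-connection
# updown rules (leftfirewall=yes). Added example; assumptions: the iptables
# "policy" match (xt_policy) is loadable, EXT_IF carries ESP/UDP-encapsulated
# traffic, INT_IF faces the LAN. IPT=echo turns every rule into a dry-run line.

IPT="${IPT:-iptables}"

# ipsec_forward_rules EXT_IF INT_IF INTERNAL_NET
# Inserts rules that accept forwarded packets only when an IPsec policy applies
# to them. Packets that arrive on EXT_IF in cleartext do not match --pol ipsec
# and fall through to whatever DROP/LOG rule follows.
ipsec_forward_rules() {
    ext="$1"; int="$2"; net="$3"

    # Inbound: already decrypted by the kernel on $ext (the road warrior's
    # virtual IP is the source), headed for the LAN behind $int.
    "$IPT" -I FORWARD -i "$ext" -o "$int" -d "$net" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # Outbound: LAN reply that the kernel will encrypt before it leaves $ext.
    "$IPT" -I FORWARD -i "$int" -o "$ext" -s "$net" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # Keep tunnel traffic out of any MASQUERADE rule on $ext, otherwise the
    # reply would be rewritten before encryption and never match the SA.
    "$IPT" -t nat -I POSTROUTING -o "$ext" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# Cheap self-check: number of IPsec-scoped rules a dry run would produce.
ipsec_forward_rule_count() {
    IPT=echo ipsec_forward_rules "$@" | grep -c -- '--pol ipsec'
}

# Usage on the gateway from the log above (remove IPT=echo to apply for real):
#   IPT=echo ipsec_forward_rules eth0 eth1 172.19.96.0/19
```

With these in place leftfirewall=yes can be dropped from the road-warrior
connection, and "iptables -L FORWARD -v -n" should show the two policy rules'
packet counters climbing while the logging DROP rule stays quiet for the
172.19.97.x sources. Note that --pol ipsec only says "an IPsec policy matched";
restrict with -s/-d (as above) or --reqid if different tunnels must reach
different internal networks.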