[strongSwan] firewall issue?

Noel Kuntze noel at familie-kuntze.de
Tue Jul 5 14:12:25 CEST 2016

Hello Harald,

Your objections from your last email are wrong.
Adding a global rule with the policy match does not introduce any possible vulnerability.

> The problem is that eth0 has been reused for the decoded
> traffic. The iptables entries about eth0 affect both
> the connection to the internet as well as the connection
> to the road warriors. If we want to let the road warriors
> in but keep the rest of the internet out, then we end up
> with separate iptables entries for each road warrior.
You can easily use the iptables policy match to create a rule that only matches on IPsec protected packets
(and the roadwarrior source IP, if you care). That is easily done and will fix your problem.

On 05.07.2016 12:32, Harald Dunkel wrote:
> Hi folks,
> I would highly appreciate some feedback about this. Is it
> unreasonable to expect that the IPsec payload should not be
> affected by the slow updown script?
> All the road warrior Macs and Iphones do VPN-on-demand.
> Currently the IPsec connection succeeds, but the DNS lookup
> (the "demand" in this case) fails. You might imagine that
> this affects a lot of tools (calendar lookup, EMail, etc.)
> From the user's point of view this is the difference between
> "works" and "doesn't work".
> Thanx very much
> Harri
That is what is happening. IPsec packets are processed as soon as the SAs and SPs are inserted into the SAD and SPD, but
the updown script takes some time to execute. Obviously the firewall rules are inserted too late.

The only solution for you is to write your own firewall rule that allows the IPsec protected IP packets from a roadwarrior IP to
any other subnet. The SPs narrow down the allowed traffic further to what was negotiated.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
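As an added illustration of the policy-match approach described above (this is example code, not part of the list post and not strongSwan's own configuration), the following script emits iptables rules that accept only packets the kernel has already matched against an IPsec policy. The interface name eth0 and the road-warrior virtual IP pool 10.10.0.0/24 are assumptions; the rules are static, so they are in place before any SA is negotiated and do not depend on the updown script having run.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables rules that
# admit road-warrior traffic via the xt_policy match ("-m policy") instead of
# per-client rules. Interface and pool below are assumed/constructed values.

IFACE="${IFACE:-eth0}"               # assumed: internet-facing interface
RW_POOL="${RW_POOL:-10.10.0.0/24}"   # constructed: virtual-IP pool handed to road warriors

# Print the rules one per line so they can be reviewed, or fed to iptables-restore.
ipsec_rules() {
    iface="$1"; pool="$2"
    # IKE and ESP must reach the host; the firewall never sees plaintext otherwise.
    echo "-A INPUT -i $iface -p udp -m multiport --dports 500,4500 -j ACCEPT"
    echo "-A INPUT -i $iface -p esp -j ACCEPT"
    # Decapsulated packets re-enter on $iface. "--dir in --pol ipsec" is only
    # satisfied when the packet was actually ESP-protected and matched an SPD
    # entry, so a plaintext packet spoofing a pool address is not accepted.
    echo "-A INPUT -i $iface -s $pool -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    echo "-A FORWARD -i $iface -s $pool -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    # Replies toward the pool are matched against the SPD before encryption.
    echo "-A OUTPUT -o $iface -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
    echo "-A FORWARD -o $iface -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
}

# Number of rules that require an IPsec policy match (4 with the set above).
count_policy_rules() {
    ipsec_rules "$1" "$2" | grep -c -- '--pol ipsec'
}

# Wrap the rules in an iptables-restore "filter" table fragment.
ipsec_restore_file() {
    printf '*filter\n'
    ipsec_rules "$1" "$2"
    printf 'COMMIT\n'
}

# Default action: print the fragment for review.
ipsec_restore_file "$IFACE" "$RW_POOL"
```

These rules must sit above the generic rule that drops internet traffic on eth0 (insert with `iptables -I`, or order them earlier in the restore file), otherwise the drop wins first. The SPD still narrows what a given client may send, since a decapsulated packet whose selectors do not match its SA is discarded by the kernel before reaching these chains.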
