[strongSwan] firewall issue?

Harald Dunkel harald.dunkel at aixigo.de
Thu Jul 7 09:33:06 CEST 2016

Hi Noel,

On 07/05/16 14:12, Noel Kuntze wrote:
> That is what is happening. IPsec packets are processed as soon as the SAs and SPs are inserted into the SAD and SPD, but
> the updown script takes some time to execute. Obviously the firewall rules are inserted too late.

I am glad that we agree on that.

> The only solution for you is to write your own firewall rule that allows the IPsec protected IP packets from a roadwarrior IP to
> any other subnet. The SPs narrow down the allowed traffic further to what was negotiated.

Maybe I am too blind to see, but I haven't found this in
the wiki. This is the code I added to the forward chain:

iptables -A FORWARD -s ${right_lan} -d ${left_lan}  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -s ${left_lan}  -d ${right_lan} -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Default policy is drop, of course. The leftsubnet lines in
ipsec.conf are set to "no".

Thanx for your help
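As an added example that is not part of this thread: a small POSIX shell audit that reads an iptables-save dump and checks for the static, updown-independent rules discussed above (FORWARD default DROP, ACCEPT only with -m policy --pol ipsec in both directions, and no blanket ACCEPT that would pass unprotected traffic). The subnets and interface in the sample dump are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Audit an iptables-save dump for the static
# IPsec forwarding rules that do not depend on the updown script.
# Return codes: 0 ok; 1 FORWARD policy is not DROP; 2 no inbound policy-matched
# ACCEPT; 3 no outbound policy-matched ACCEPT; 4 a FORWARD ACCEPT without
# "-m policy" exists, which would let unprotected traffic through.
# Live use: iptables-save > /tmp/rules.txt && check_ipsec_forward_rules /tmp/rules.txt
check_ipsec_forward_rules() {
    dump="$1"
    grep -q '^:FORWARD DROP' "$dump" || return 1
    grep -q -- '^-A FORWARD .*-m policy --dir in --pol ipsec.* -j ACCEPT$' "$dump" || return 2
    grep -q -- '^-A FORWARD .*-m policy --dir out --pol ipsec.* -j ACCEPT$' "$dump" || return 3
    # Any FORWARD ACCEPT lacking a policy match bypasses the IPsec requirement
    grep -- '^-A FORWARD ' "$dump" | grep -- '-j ACCEPT' | grep -qv -- '-m policy' && return 4
    return 0
}

# Constructed sample dump (placeholder subnets/interface) in the shape of the rules above.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.20.0.0/16 -d 192.168.1.0/24 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 10.20.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# Same dump plus a careless blanket ACCEPT: the audit must flag it (return 4).
leaky_dump() {
    sample_dump | sed '/^COMMIT$/d'
    echo '-A FORWARD -s 10.20.0.0/16 -j ACCEPT'
    echo 'COMMIT'
}
```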
