[strongSwan] firewall issue?
Harald Dunkel
harald.dunkel at aixigo.de
Thu Jul 7 09:33:06 CEST 2016
Hi Noel,
On 07/05/16 14:12, Noel Kuntze wrote:
> That is what is happening. IPsec packets are processed as soon as the SAs and SPs are inserted into the SAD and SPD, but
> the updown script takes some time to execute. Obviously the firewall rules are inserted too late.
>
I am glad that we agree on that.
> The only solution for you is to write your own firewall rule that allows the IPsec protected IP packets from a roadwarrior IP to
> any other subnet. The SPs narrow down the allowed traffic further to what was negotiated.
>
Maybe I am too blind to see, but I haven't found this in
the wiki. This is the code I added to the forward chain:
iptables -A FORWARD -s ${right_lan} -d ${left_lan} -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -s ${left_lan} -d ${right_lan} -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
Default policy is drop, of course. The leftsubnet lines in
ipsec.conf are set to "no".
Thanx for your help
Harri
More information about the Users
mailing list