[strongSwan] Isolate clients and force local network traffic to an interface

Loc Nguyen ncore at nic.fi
Thu Dec 7 19:15:08 CET 2017


Hi,

Is there a way to configure strongSwan to block client-to-client traffic without using iptables?

Loc

From: Loc Nguyen
Sent: Wednesday, November 29, 2017 11:15 AM
To: Noel Kuntze; users at lists.strongswan.org
Subject: Re: [strongSwan] Isolate clients and force local network traffic to an interface

Hi,

I have 3 interfaces:

WAN, where clients are connecting.

LAN/10.11.0.0/16, this is the network where clients get their IP addresses.

FILTER/eth2, where all clients' traffic is routed.

I have 2 clients, client 1 IP 10.11.0.55 and client 2 IP 10.11.0.56.

Here are the ip route and iptables rules:
ip rule add from 10.11.0.0/16 table FILTER
ip route add default dev eth2 table FILTER

When client 1 pings 8.8.8.8, I see the traffic go to the eth2 interface.

But when client 1 pings client 2, I don't see the traffic go to the eth2 interface. How do I also force local network 10.11.0.0/16 traffic to the eth2 interface for filtering?

Thanks,
Loc

From: Noel Kuntze
Sent: Wednesday, November 29, 2017 10:56 AM
To: Loc Nguyen; users at lists.strongswan.org
Subject: Re: [strongSwan] Isolate clients and force local network traffic to an interface

Hi,

I can't tell what exactly you want. You can tell if traffic was protected with IPsec by using the iptables policy match module.
You can use a VTI [1], too.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

On 28.11.2017 20:37, Loc Nguyen wrote:
>
> Hi,
>
> I created an IPsec network 10.11.0.0/16 and am using dnsmasq to assign IP addresses.
>
> I am able to route all 10.11.0.0/16 network traffic to an interface. I would also like to route local network 10.11.0.0/16 traffic between clients to that interface too.
>
> I can use iptables FORWARD to block client-to-client traffic. Instead of blocking, I want the traffic to go to the interface.
>
> Thanks,
>
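The ip rule / ip route setup from the Nov 29 message depends on rule priority: the kernel consults rules in ascending priority and the first table with a matching route wins, whatever order the rules were added in. The following added model (not strongSwan, kernel or list code) reproduces that lookup for the thread's addresses; the table named "220" is an assumption for illustration, standing in for charon's default routing table (priority 220) and assumed to hold a per-client /32 route pointing back at the WAN side, which is one way client-to-client traffic can bypass a FILTER rule numbered after it. Compare against the real box with `ip rule show` and `ip route get <dst> from <src> iif <dev>`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of Linux policy routing (added example, not project code).
@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str

@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # None means "from all"

def lookup_table(routes, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def route_decision(rules, tables, src, dst):
    """Return (table, dev) the kernel would pick for a packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):   # lowest number first
        if rule.src is not None and src not in rule.src:
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit.dev
    return None

N = ipaddress.ip_network
ANY = N("0.0.0.0/0")
# Constructed tables for the gateway in the thread. "220" is an ASSUMED
# strongSwan table holding a /32 per client virtual IP towards the WAN side.
TABLES = {
    "220":    [Route(N("10.11.0.55/32"), "wan"), Route(N("10.11.0.56/32"), "wan")],
    "FILTER": [Route(ANY, "eth2")],   # ip route add default dev eth2 table FILTER
    "main":   [Route(ANY, "wan")],
}

def gateway_rules(filter_prio):
    """Rule set: charon's priority-220 rule plus the FILTER rule at filter_prio."""
    return [Rule(220, "220"),
            Rule(filter_prio, "FILTER", N("10.11.0.0/16")),  # ip rule add from 10.11.0.0/16 table FILTER
            Rule(32766, "main")]

if __name__ == "__main__":
    for prio in (32765, 100):   # numbered after vs. before strongSwan's 220
        for dst in ("8.8.8.8", "10.11.0.56"):
            print(prio, dst, route_decision(gateway_rules(prio), TABLES, "10.11.0.55", dst))
```

With the FILTER rule numbered after 220, internet traffic still reaches eth2 but client-to-client traffic matches the /32 first; giving the FILTER rule a lower number (e.g. `ip rule add ... priority 100`) sends both through eth2.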


