[strongSwan] Isolate clients and force local network traffictoan interface
Loc Nguyen
ncore at nic.fi
Thu Dec 7 19:15:08 CET 2017
Hi,
Is there a way to configure strongswan to block client to client traffic without using iptables?
Loc
From: Loc Nguyen
Sent: Wednesday, November 29, 2017 11:15 AM
To: Noel Kuntze; users at lists.strongswan.org
Subject: Re: [strongSwan] Isolate clients and force local network traffictoan interface
Hi,
I have 3 interfaces:
WAN, where clients are connecting.
LAN/10.11.0.0/16, this is network where clients get IP address.
FILTER/eth2, where all clients traffic are routed here.
I have 2 clients, client 1 IP 10.11.0.55 and client 2 IP 10.11.0.56.
Here are ip route and iptables rules.
ip rule add from 10.11.0.0/16 table FILTER
ip route add default dev eth2 table FILTER
When client 1 ping 8.8.8.8, I see the traffic go to eth2 interface.
But when client 1 ping client 2, I don’t see the traffic go to eth2 interface. How do I force also local network 10.11.0.0/16 traffic to eth2 interface for filtering.
Thanks,
Loc
From: Noel Kuntze
Sent: Wednesday, November 29, 2017 10:56 AM
To: Loc Nguyen; users at lists.strongswan.org
Subject: Re: [strongSwan] Isolate clients and force local network traffic toan interface
Hi,
I can't tell what exactly you want. You can tell if traffic was protected with ipsec by using the iptables policy match module.
You can use a VTI[1], too.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
On 28.11.2017 20:37, Loc Nguyen wrote:
>
> Hi,
>
>
>
> I create an IPsec network 10.11.0.0/16 and using dnsmasq to assign IP addresses.
>
>
>
> I able to route all 10.11.0.0/16 network traffic to an interface. I would like also route local network 10.11.0.0/16 between client to client to that interface too.
>
>
>
> I can use iptables FORWARD to block client to client. Instead of blocking I want the traffic to the interface.
>
>
>
> Thanks,
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171207/4ebd65b0/attachment.html>
More information about the Users
mailing list