[strongSwan] simple leftupdown script required

Alex Sharaz alex.sharaz at york.ac.uk
Thu Mar 2 15:22:57 CET 2017


Hi,
Looking for some help setting up my first strongSwan VPN server; I have some
gaps in my iptables knowledge.

I've an Ubuntu 16.04 server with strongswan 5.3.5 packages installed. The
plan is to have external users connect to the server via a public IP
address from outside the university and enter the campus network via our
Checkpoint firewall on a 172.18.64.0/24 IP address. Client devices are
assigned an IP address by the VPN server.

e.g.

outside world --> <144.32.x.y> (interface ens1f0) || VPN server || 10.16.35.121 (interface ens1f1) ------|| campus firewall ||---- 144.32.0.0/16

netstat -nr on the server gives

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         144.32.128.1    0.0.0.0         UG        0 0          0 ens1f0
10.16.35.120    0.0.0.0         255.255.255.248 U         0 0          0 ens1f1
144.32.128.0    0.0.0.0         255.255.254.0   U         0 0          0 ens1f0

So all traffic destined for the campus network needs to go out of the ens1f1
interface.

I've set up my own updown script, which I know is being invoked, but I'm not
sure if I've got the correct stuff in it.

I can connect to the VPN server and ping 10.167.35.120 and 10.16.35.126,
which is the campus firewall endpoint, and that works.

When connected, iptables -S shows

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 172.18.64.1/32 -i ens1f1 -j ACCEPT
-A FORWARD -d 172.18.64.1/32 -o ens1f1 -j ACCEPT

... or is this too simplistic a set of rules?

Rgds
Alex
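As an added example (not Alex's script and not strongSwan's bundled _updown), here is a minimal updown script for the setup described in the post. It relies on the PLUTO_VERB and PLUTO_PEER_CLIENT variables charon sets when invoking an updown script, and assumes the inner interface is ens1f1, that net.ipv4.ip_forward is enabled, and that the campus side routes the client pool back to the VPN server's inner address; the INNER_IF and IPTABLES overrides exist only to make it testable.

```shell
#!/bin/sh
# Hypothetical strongSwan updown script (added example, not from the original post).
# charon calls it with PLUTO_VERB (up-client / down-client / ...) and
# PLUTO_PEER_CLIENT (the client's virtual IP, e.g. 172.18.64.1/32).
# Assumption: decrypted client traffic leaves towards campus via ens1f1,
# and net.ipv4.ip_forward=1 is set, otherwise FORWARD rules never match.
INNER_IF="${INNER_IF:-ens1f1}"
IPTABLES="${IPTABLES:-iptables}"

# Add (-I) or delete (-D) the two FORWARD rules for one client subnet.
# Packets from the client go OUT of the inner interface; replies come IN on it.
forward_rules() {
    action="$1"
    client="$2"
    [ -n "$client" ] || return 1
    $IPTABLES "$action" FORWARD -s "$client" -o "$INNER_IF" -j ACCEPT
    $IPTABLES "$action" FORWARD -d "$client" -i "$INNER_IF" -j ACCEPT
}

# Dispatch on the verb; other verbs (up-host, etc.) are ignored on purpose,
# because for a road-warrior setup only the client subnet needs forwarding.
updown() {
    case "$1" in
        up-client)   forward_rules -I "$2" ;;
        down-client) forward_rules -D "$2" ;;
        *)           return 0 ;;
    esac
}

# Only act when charon actually provides the environment.
if [ -n "$PLUTO_VERB" ]; then
    updown "$PLUTO_VERB" "$PLUTO_PEER_CLIENT"
fi
```

Install it with leftupdown=/path/to/script in the connection definition; with the FORWARD policy at ACCEPT, as in the post, these rules are redundant, so they matter once the policy is changed to DROP.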