[strongSwan] simple leftupdown script required

Noel Kuntze noel at familie-kuntze.de
Thu Mar 2 18:14:10 CET 2017


On 02.03.2017 15:22, Alex Sharaz wrote:
> Hi,
> Looking for some help setting up my first strongSwan VPN server and having some iptables lack-of-knowledge issues.
> 
> I've an Ubuntu 16.04 server with strongswan 5.3.5 packages installed. The plan is to have external users connect to the server via a public IP address from outside the university and enter the campus network via our Checkpoint firewall on a 172.18.64.0/24 IP address. Client devices are assigned an IP address by the VPN server.
> 
> e.g.
> 
> outside world --> <144.32.x.y> (interface ens1f0)  || VPN server||| 10.16.35.121 (interface ens1f1) -------|| campus firewall ||---- 144.32/0/0/16
>  
> netstat -nr on the server gives
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         144.32.128.1    0.0.0.0         UG        0 0          0 ens1f0
> 10.16.35.120    0.0.0.0         255.255.255.248 U         0 0          0 ens1f1
> 144.32.128.0    0.0.0.0         255.255.254.0   U         0 0          0 ens1f0
> 
> So all traffic destined for the campus network needs to go down ens1f1 interface
> 
> I've set up my own updown script which I know is being invoked but not sure if I've got the correct stuff in it. 
> 
> I can connect to the VPN server and ping 10.167.35.120 and 10.16.35.126 which is the campus firewall endpoint and that works.
> 
> When connected iptables -S shows
> 
> 
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A FORWARD -s 172.18.64.1/32 -i ens1f1 -j ACCEPT
> -A FORWARD -d 172.18.64.1/32 -o ens1f1 -j ACCEPT
> 
> ... or is this too simplistic a set of rules ?

Just don't insert any rules with the updown script.
You only need two static rules:
-A FORWARD -m policy --pol ipsec --dir in -j ACCEPT
-A FORWARD -m policy --pol ipsec --dir out -j ACCEPT
Done.
Btw, setting the chain policy of the builtin FORWARD chain to ACCEPT and then just ACCEPTing stuff and
not dropping anything doesn't make sense. Either decide for whitelisting or blacklisting (preferably whitelisting).

And please use iptables-save and -restore. Don't use ifconfig, route or netstat, use iproute2 and ss instead. We're not in
the 90s anymore.

> 
> Rgds
> Alex
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
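An added example (not code from either mail) that checks an `iptables -S` dump for the two points made in the reply: whether FORWARD carries the two IPsec policy-match ACCEPT rules, and whether a chain with an ACCEPT policy only ever ACCEPTs, so its rules never restrict anything. The sample dump is constructed from the rules posted in the question.

```python
"""Audit an `iptables -S` dump for the points raised in the reply above.
Example code written for this thread, not from strongSwan or the posters."""
import re

# Constructed sample: the ruleset from the question (link residue stripped).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 172.18.64.1/32 -i ens1f1 -j ACCEPT
-A FORWARD -d 172.18.64.1/32 -o ens1f1 -j ACCEPT
"""

def parse_dump(dump):
    """Return ({chain: policy}, [(chain, rule_text, jump_target)])."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            chain = line.split()[1]
            m = re.search(r"-j (\S+)", line)
            rules.append((chain, line, m.group(1) if m else None))
    return policies, rules

def has_ipsec_policy_rule(rules, direction):
    """True if FORWARD accepts traffic matched by '-m policy --pol ipsec --dir <direction>'."""
    for chain, text, target in rules:
        if chain != "FORWARD" or target != "ACCEPT":
            continue
        if "-m policy" in text and "--pol ipsec" in text and f"--dir {direction}" in text:
            return True
    return False

def audit(dump):
    """Return a list of human-readable findings; empty means both checks pass."""
    policies, rules = parse_dump(dump)
    findings = []
    for direction in ("in", "out"):
        if not has_ipsec_policy_rule(rules, direction):
            findings.append(f"FORWARD lacks: -A FORWARD -m policy --pol ipsec --dir {direction} -j ACCEPT")
    for chain, policy in policies.items():
        targets = {t for c, _, t in rules if c == chain}
        # ACCEPT policy plus only ACCEPT rules: nothing is ever filtered.
        if policy == "ACCEPT" and targets and not targets & {"DROP", "REJECT"}:
            findings.append(f"{chain}: policy ACCEPT with only ACCEPT rules filters nothing")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Running it against the posted ruleset reports the two missing policy-match rules and the no-op FORWARD chain; feeding it `iptables-save` output with a DROP policy and the two static rules reports nothing.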

