[strongSwan] Routing Problem

Noel Kuntze noel at familie-kuntze.de
Sat Mar 25 00:33:06 CET 2017


On 23.03.2017 18:17, Thomas Creutz wrote:


> After I revisited my firewall settings in detail, I found my mistake! We don't need the custom rules!
>
You actually do, because the remote networks are only trustworthy and reachable (the latter meaning the
*actual* network you want to reach) if the packets are IPsec protected. That means when
"-m policy --pol ipsec --dir in" in the iptables rules evaluates to TRUE, but you can't pass that extra
match into the zone definition, so it's not secure to just create the zone.


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
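
An added example, not part of the original message: a shell function that audits `iptables-save` output for the case described above, ACCEPT rules that trust a remote subnet by source address without the `-m policy --pol ipsec --dir in` match. The function names, the subnet 10.2.0.0/24 and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# unprotected_accepts SUBNET
# Reads rules in iptables-save format on stdin and prints every ACCEPT rule
# that matches "-s SUBNET" but is not restricted to inbound IPsec-protected
# packets ("-m policy --dir in --pol ipsec").
unprotected_accepts() {
    subnet=$1
    awk -v subnet="$subnet" '
        /^-A / {
            src = 0; accept = 0; pol = 0; dirin = 0
            for (i = 1; i < NF; i++) {
                # A negated source ("! -s SUBNET") does not trust the subnet.
                if (($i == "-s" || $i == "--source") && $(i+1) == subnet && $(i-1) != "!") src = 1
                if (($i == "-j" || $i == "--jump") && $(i+1) == "ACCEPT") accept = 1
                if ($i == "--pol" && $(i+1) == "ipsec") pol = 1
                if ($i == "--dir" && $(i+1) == "in") dirin = 1
            }
            if (src && accept && !(pol && dirin)) print
        }
    '
}

# Constructed sample ruleset; 10.2.0.0/24 stands in for the remote network
# behind the tunnel (an assumption, not a value from the thread).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 10.2.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -s 10.2.0.0/24 -m policy --dir in --pol none -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}

# Prints the two rules that accept the remote subnet without IPsec protection.
sample_rules | unprotected_accepts 10.2.0.0/24
```

On a live host the same function can be fed from `iptables-save` directly; a rule with `--pol none` is flagged because it matches only packets that were not IPsec protected.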

