[strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri May 26 17:43:46 CEST 2017


Hi,

Doing it in iptables is a bad idea, because you then need to bind the rules to the different tunnels by use of the policy match module with --tunnel-src, --tunnel-dst or --reqid.
You either need to use static reqids (which you can't if there are several peers for the same conn) or use the --tunnel-src and --tunnel-dst arguments, where you need to
add and remove rules dynamically depending on the local and remote IP. You also need to apply those rules in *filter INPUT, FORWARD and OUTPUT, because you need to
restrict access to and from the remote peer, not just for traffic that is routed over this host. And even then, the policy is mandatory, not optional, so you end up
basically blackholing or blacklisting the traffic between the endpoints which is not allowed, independently of whether you actually intended the ACL to apply to the tunnel or not.

So just say no to that. You could construct passthrough policies around the TS you actually want to tunnel, but you'll need to negotiate a larger traffic selector
than you actually need. There's no way around that. With passthrough policies, you won't need to do the fancy iptables stuff (having to potentially play with marks, too)
and don't get the blackhole problem.

Kind regards

Noel

On 26.05.2017 16:54, Eric Germann wrote:
> You can't do it in Strongswan directly, but if you combine SS + iptables you can (assuming Linux here, but the concept is the same).
> 
> rightsubnet = 172.27.186.64/28	# This puts 172.27.186.64 -> 80 in the tunnel scope
> leftsubnet = 172.30.200.172/29	# This puts 172.30.200.172 -> 180 in the tunnel scope
> 
> 
> Then in iptables, do explicit FORWARD statements for the hosts (/32's) you want to forward. You can get as fancy or simple as you want, from all ports/protocols to individual port/protocol combinations with state tracking.
> 
> Let SS do the forwarding/crypto and the FW do the access control.
> 
> EKG
> 
>> On May 26, 2017, at 8:27 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>
>> Hello Chris,
>>
>> You can't.
>>
>> Kind regards,
>> Noel
>>
>> On 26.05.2017 10:30, christopher kamutumwa wrote:
>>> Hello all,
>>>
>>> I have a query: how can I configure multiple Child SAs for a range of IPs in the ipsec.conf file, e.g. the IPs below?
>>>
>>> right subnet = 172.27.186.71-74
>>> right subnet = 172.27.186.64-66
>>> left subnet = 172.30.200.172-176
>>>
>>> I will appreciate any help rendered.
>>>
>>> regards
>>>
>>> chris
>>>
>>>
>>
> 

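Added worked example (not code from the thread or from the strongSwan project): Noel's recommendation above is to negotiate one larger traffic selector than you actually need and then punch the unwanted addresses back out with passthrough policies. The script below does the arithmetic for that. It takes the host ranges Chris posted, computes the smallest aligned CIDR block that encloses each side (CIDR blocks must be aligned: a /29 containing .172 is 172.30.200.168/29, i.e. .168 to .175, and does not reach .176, so covering .172 to .176 needs a /27), lists the gaps inside each block as CIDR prefixes, and renders an ipsec.conf skeleton with one tunnel conn plus one `type=passthrough` conn per gap. Because the passthrough selectors are more specific than the tunnel selector, strongSwan's bypass policies take precedence for exactly those hosts. The conn names, `auto=` values and the comment placeholder for the peer and authentication settings are assumptions of this example, not something the thread specifies.

```python
#!/usr/bin/env python3
"""Added example, not from the mailing-list thread or strongSwan itself.

Turn a list of wanted host ranges into (a) one enclosing traffic selector
and (b) the passthrough prefixes that exclude the unwanted addresses from
it, then render an ipsec.conf skeleton.  The host ranges used at the bottom
are the ones from the original question; conn names, auto= values and the
placeholder comment are assumptions of this example.
"""
import ipaddress
from typing import List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(spec: str) -> Range:
    """'172.27.186.71-74' or '172.27.186.71-172.27.186.74' -> (first, last)."""
    first_s, last_s = (s.strip() for s in spec.split("-", 1))
    first = ipaddress.IPv4Address(first_s)
    if "." not in last_s:                       # shorthand: only the last octet given
        last_s = first_s.rsplit(".", 1)[0] + "." + last_s
    last = ipaddress.IPv4Address(last_s)
    if last < first:
        raise ValueError(f"range {spec!r} ends before it starts")
    return first, last


def enclosing_selector(ranges: List[Range]) -> ipaddress.IPv4Network:
    """Smallest single aligned CIDR block containing every wanted address.

    This is the selector that actually has to be negotiated; it is normally
    larger than the ranges themselves, which is Noel's point above.
    """
    lo = min(first for first, _ in ranges)
    hi = max(last for _, last in ranges)
    net = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()                    # widen by one bit, re-aligned
    return net


def passthrough_prefixes(selector: ipaddress.IPv4Network,
                         ranges: List[Range]) -> List[ipaddress.IPv4Network]:
    """CIDRs inside `selector` that are NOT wanted.

    Each of these gets a passthrough (shunt) policy, so its traffic is
    neither tunnelled nor blackholed by the mandatory tunnel policy.
    """
    wanted = set()
    for first, last in ranges:
        wanted.update(ipaddress.summarize_address_range(first, last))
    remaining = [selector]
    for w in sorted(wanted):
        kept = []
        for p in remaining:
            if w.subnet_of(p):
                kept.extend(p.address_exclude(w))   # carve w out of p (empty if w == p)
            elif not p.subnet_of(w):
                kept.append(p)                      # disjoint CIDRs: p stays as is
            # else: p lies entirely inside a wanted block and is dropped
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def render_ipsec_conf(name: str, left_specs: List[str], right_specs: List[str]) -> str:
    """Render one tunnel conn plus one passthrough conn per unwanted prefix."""
    left = [parse_range(s) for s in left_specs]
    right = [parse_range(s) for s in right_specs]
    lsel, rsel = enclosing_selector(left), enclosing_selector(right)
    out = [f"conn {name}",
           f"    leftsubnet={lsel}",
           f"    rightsubnet={rsel}",
           "    # left=, right=, authentication and proposal settings go here (assumed)",
           "    auto=start", ""]
    # Shunts: (unwanted left prefix) <-> (whole right selector), and vice versa.
    pairs = [(gap, rsel) for gap in passthrough_prefixes(lsel, left)]
    pairs += [(lsel, gap) for gap in passthrough_prefixes(rsel, right)]
    for i, (l, r) in enumerate(pairs, 1):
        out += [f"conn {name}-pass{i}",
                f"    leftsubnet={l}",
                f"    rightsubnet={r}",
                "    type=passthrough",
                "    auto=route", ""]
    return "\n".join(out)


if __name__ == "__main__":
    # Ranges from the original question; conn name "chris" is made up.
    print(render_ipsec_conf("chris",
                            ["172.30.200.172-176"],
                            ["172.27.186.71-74", "172.27.186.64-66"]))
```

For the ranges in the question this yields rightsubnet 172.27.186.64/28 with five passthrough prefixes (.67/32, .68/31, .70/32, .75/32, .76/30) and leftsubnet 172.30.200.160/27 with six (.160/29, .168/30, .177/32, .178/31, .180/30, .184/29). That many shunt conns is the price of the "larger than you need" selector; if the remote side narrows the selector, or the peer can be asked to present aligned blocks, the gap list shrinks accordingly.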