[strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

Whit Blauvelt whit at transpect.com
Sat Sep 23 16:37:52 CEST 2017


I find discussion three years ago in this list on using iptables marks with
strongSwan, and see suggestions there may be some of that it does
automatically in the background. There was discussion three years back about
researching different advanced methods. If it reached a clear conclusion, I
haven't found it.

I have also found a partial discussion elsewhere of possible conflicts
between strongSwan's methods and the marking techniques used by FireHOL, but
again without full resolution or a final summary document. In my own case
I'm finding FireHOL and its link-balancer utility invaluable.

I'm also not yet routing correctly to the subnets behind a system with those
on one end and the subnets behind one on AWS on the other -- where the AWS
instance has a slight complication in that it's got several interfaces, one
on a VPC, the other -- which strongSwan is connecting to -- not.

A few years back, when running openswan, I'd set up iptables like this:

  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT

Worked well there. Obviously it's not a good formula for strongSwan (I've of
course tried it). Can someone please point me to either a good background
discussion or a good current set of examples showing how to get strongSwan
and Netfilter working correctly together?

I realize strongSwan works on platforms other than Linux, so documenting
Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
world its documents will expand to include theory and recipes for the
various firewalls it is commonly used with.
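As an added illustration (not code from the post above or from the strongSwan project), the rule set below shows the pattern most commonly used with strongSwan in place of the fwmark approach: the xt_policy match (`-m policy`) lets Netfilter accept or forward cleartext only when the packet arrived through, or will leave through, an IPsec SA, so no marks need to be coordinated with anything the daemon does in the background. The subnets, the chain defaults (DROP on INPUT and FORWARD), and the dry-run wrapper `IPT` are assumptions made for the example; by default it only prints the iptables commands, and setting `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example, not from the post or from strongSwan. Minimal Netfilter rules
# for a strongSwan gateway using the xt_policy match instead of fwmarks.
# Dry run by default: prints the commands. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

LOCAL_NET="${LOCAL_NET:-10.1.0.0/16}"   # assumed subnet behind this gateway
REMOTE_NET="${REMOTE_NET:-10.2.0.0/16}" # assumed subnet behind the peer (e.g. the AWS VPC)

ipsec_rules() {
  # IKE (UDP/500, and UDP/4500 for NAT traversal) and ESP addressed to the gateway itself
  $IPT -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
  $IPT -A INPUT -p esp -j ACCEPT

  # Traffic between the two subnets is forwarded only if it matches an IPsec policy:
  # decrypted packets coming in from the peer, and packets that will be encrypted on the way out
  $IPT -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" \
       -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  $IPT -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" \
       -m policy --dir out --pol ipsec --proto esp -j ACCEPT

  # Anything claiming to be from the remote subnet that did NOT arrive inside an SA
  # is a bypass attempt or a misconfiguration: log it, then drop it
  $IPT -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -j LOG --log-prefix "ipsec-bypass: "
  $IPT -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -j DROP

  # Keep tunnelled traffic out of any MASQUERADE rule that follows, so the inner
  # source address is preserved before ESP encapsulation
  $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" \
       -m policy --dir out --pol ipsec -j ACCEPT
}

ipsec_rules
```

Because the policy match is evaluated against the kernel's SPD/SAD state rather than a mark set in `mangle`, it does not interfere with marks that FireHOL or a link balancer may already be using; the one caveat is that the NAT exclusion must come before any general MASQUERADE rule, so append order matters if both tools manage POSTROUTING.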


