[strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

Eric Germann ekgermann at semperen.com
Sat Sep 23 16:58:11 CEST 2017

First off in AWS, if you’re going to be a router, have you disabled “Source/Destination Check” (or something to that effect) in the instance properties?  If not, the instance will work across the tunnel, but you won’t be able to route through it. 


> On Sep 23, 2017, at 10:37, Whit Blauvelt <whit at transpect.com> wrote:
> Hi,
> I find discussion three years ago in this list on using iptables marks with
> strongSwan, and see suggestions there may be some of that it does
> automatically in the background. There was discussion three years back about
> researching different advanced methods. If it reached a clear conclusion, I
> haven't found it.
> I have also found a partial discussion elsewhere of possible conflicts
> between strongSwan's methods and the marking techniques used by FireHOL, but
> again without full resolution or a final summary document. In my own case
> I'm finding FireHOL and its link-balancer utility invaluable.
> I'm also not yet routing correctly to the subnets behind a system with those
> on one end and the subnets behind one on AWS on the other -- where the AWS
> instance has a slight complication in that it's got several interfaces, one
> on a VPC, the other -- which strongSwan is connecting to -- not.
> A few years back, when running openswan, I'd set up iptables like this:
>  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
>  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
>  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
>  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
>  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
> Worked well there. Obviously it's not a good formula for strongSwan (I've of
> course tried it). Can someone please point me to either a good background
> discussion or a good current set of examples showing how to get strongSwan
> and Netfilter working correctly together?
> I realize strongSwan works on platforms other than Linux, so documenting
> Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
> world its documents will expand to include theory and recipes for the
> various firewalls it is commonly used with.
> Best,
> Whit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2195 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170923/d79ced07/attachment.bin>

More information about the Users mailing list