[strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?
ekgermann at semperen.com
Sat Sep 23 16:58:11 CEST 2017
First off in AWS, if you’re going to be a router, have you disabled “Source/Destination Check” (or something to that effect) in the instance properties? If not, the instance will work across the tunnel, but you won’t be able to route through it.
> On Sep 23, 2017, at 10:37, Whit Blauvelt <whit at transpect.com> wrote:
> I find discussion three years ago in this list on using iptables marks with
> strongSwan, and see suggestions there may be some of that it does
> automatically in the background. There was discussion three years back about
> researching different advanced methods. If it reached a clear conclusion, I
> haven't found it.
> I have also found a partial discussion elsewhere of possible conflicts
> between strongSwan's methods and the marking techniques used by FireHOL, but
> again without full resolution or a final summary document. In my own case
> I'm finding FireHOL and its link-balancer utility invaluable.
> I'm also not yet routing correctly to the subnets behind a system with those
> on one end and the subnets behind one on AWS on the other -- where the AWS
> instance has a slight complication in that it's got several interfaces, one
> on a VPC, the other -- which strongSwan is connecting to -- not.
> A few years back, when running openswan, I'd set up iptables like this:
> iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
> iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
> iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
> iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
> iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
> Worked well there. Obviously it's not a good formula for strongSwan (I've of
> course tried it). Can someone please point me to either a good background
> discussion or a good current set of examples showing how to get strongSwan
> and Netfilter working correctly together?
> I realize strongSwan works on platforms other than Linux, so documenting
> Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
> world its documents will expand to include theory and recipes for the
> various firewalls it is commonly used with.
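An added example, not from this thread or from strongSwan's own documentation: a dry-run shell script that replaces the mark-based openswan rules quoted above with Netfilter's `policy` match, which classifies packets by the IPsec policy they entered or will leave through and therefore needs no fwmark that could collide with FireHOL's marks. It also covers the EC2 source/destination check raised in the reply. `LEFT_NET`, `RIGHT_NET` and `i-PLACEHOLDER` are assumed placeholders; by default every command is only echoed, set `IPT=iptables`, `AWS=aws` and `SYSCTL=sysctl` to apply.

```shell
#!/bin/sh
# Example iptables policy for a strongSwan gateway (added illustration, not the
# project's code). Dry-run by default: commands are printed, not executed.
IPT="${IPT:-echo iptables}"
AWS="${AWS:-echo aws}"
SYSCTL="${SYSCTL:-echo sysctl}"
LEFT_NET="${LEFT_NET:-10.0.0.0/16}"        # subnet behind this gateway (assumed)
RIGHT_NET="${RIGHT_NET:-192.168.0.0/24}"   # subnet behind the peer (assumed)
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}" # placeholder EC2 instance id

# An EC2 instance only forwards packets it did not originate once the
# source/destination check is disabled; ip_forward must be on as well.
aws_router_prereqs() {
    $AWS ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" --no-source-dest-check
    $SYSCTL -w net.ipv4.ip_forward=1
}

ipsec_rules() {
    # IKE (UDP/500), NAT-T (UDP/4500) and ESP addressed to the gateway itself.
    $IPT -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A INPUT -p esp -j ACCEPT
    # Forwarded tunnel traffic: match on the IPsec policy instead of a fwmark.
    # --dir in  = packet was just decapsulated from an ESP SA
    # --dir out = packet will be encapsulated by an ESP SA on the way out
    $IPT -A FORWARD -s "$RIGHT_NET" -d "$LEFT_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -s "$LEFT_NET" -d "$RIGHT_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # A MASQUERADE rule on the uplink would rewrite tunnel traffic before it is
    # encrypted, so exempt IPsec-bound packets ahead of any NAT rule.
    $IPT -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
}

# Print (or, with the variables above set to the real tools, apply) everything.
aws_router_prereqs
ipsec_rules
```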