[strongSwan] IPsec drop policies 2

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Jan 19 19:43:30 CET 2020


Hello,

Policies are applied in descending order in which they are matched. So if you want a DROP policy to rather match a packet, it has to have a higher priority than others.
Vice versa also holds true.
In your case you want to drop anything that doesn't have any other policy. So I, for example, would use a drop policy with priority 1000.
All other policies managed by strongSwan will have values calculated by their subnet sizes and type.

Kind regards

Noel

On 12.01.20 at 08:19, reterverv ercertecrterc wrote:
> Hello.
> 
> I have tried these rules in ipsec.conf:
> ------------------------------------------
> conn dropall
>     authby=never
>     leftsubnet=0.0.0.0/0[%any/%any]
>     rightsubnet=0.0.0.0/0[%any/%any]
>     type=drop
>     auto=route
> -------------------------------------------
> 
> And it blocks everything.
> 
>> Set the priorities manually.
> 
> I set the priority with any number manually in swanctl.conf, but it didn't work:
> -----------------------------
> connections {
>     dropall {
>         children {
>             dropall {
>                 local_ts = 0.0.0.0/0[%any/%any]
>                 remote_ts = 0.0.0.0/0[%any/%any]
>                 priority = x <-------- x = any number
>                 mode = drop
>                 start_action = trap
>             }
>         }
>     }
> }
> ----------------------------
> 
>> Make sure the permitting policies have a higher one than the restricting ones.
> 
> That part I don't understand. How can I check what restricting is and how can I override it with permitting policies?
> 
> Are my rules similar to the kill-switch rules?
> 
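The following swanctl.conf layout is an added example, not configuration posted by either participant or shipped by strongSwan. It puts the catch-all drop child from the question next to a permitting tunnel child and gives both a fixed priority. It assumes (as in the Linux XFRM framework) that a lower numeric priority value means higher precedence, so the tunnel policy at 100 is consulted before the drop policy at 1000 from the reply above; the connection names, addresses, subnets, pre-shared secret and the value 100 are placeholders chosen for this example.

```conf
# Added example (not from the thread). Assumption: lower numeric priority
# values take precedence over higher ones, so "vpn/net" (100) is matched
# before "dropall/dropall" (1000). All names and addresses are placeholders.
connections {
    vpn {
        # placeholder endpoints from the documentation ranges TEST-NET-1/2
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.1
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            net {
                # placeholder subnets protected by the tunnel
                local_ts  = 10.10.0.0/24
                remote_ts = 10.20.0.0/24
                # Fixed value numerically below the drop policy's, so this
                # permitting policy wins for traffic it matches even though
                # the drop selector also covers it.
                priority = 100
                start_action = trap
            }
        }
    }
    dropall {
        children {
            dropall {
                local_ts  = 0.0.0.0/0[%any/%any]
                remote_ts = 0.0.0.0/0[%any/%any]
                # Value suggested in the reply above; numerically higher than
                # 100, so it only applies to traffic no permitting policy matches.
                priority = 1000
                mode = drop
                start_action = trap
            }
        }
    }
}

secrets {
    ike-vpn {
        id-1 = 198.51.100.1
        # placeholder secret for the example only
        secret = "placeholder-psk-change-me"
    }
}
```

After `swanctl --load-all`, `swanctl --list-pols` shows the installed policies and `ip xfrm policy` shows the kernel's view including the `priority` field of each entry, which is the quickest way to confirm that the permitting policy carries the lower number and that nothing else is being shadowed by the catch-all drop.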
