[strongSwan] IPsec drop policies 2
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Jan 19 19:43:30 CET 2020
Hello,
Policies are applied in descending order in which they are matched. So if you want a DROP policy to rather match a packet, it has to have a higher priority than others.
Vice versa also holds true.
In your case you want to drop anything that doesn't have any other policy. So I, for example, would use a drop policy with priority 1000.
All other policies managed by strongSwan will have values calculated by their subnet sizes and type.
Kind regards
Noel
On 12.01.20 at 08:19, reterverv ercertecrterc wrote:
> Hello.
>
> I have tried these rules in ipsec.conf:
> ------------------------------------------
> conn dropall
>     authby=never
>     leftsubnet=0.0.0.0/0[%any/%any]
>     rightsubnet=0.0.0.0/0[%any/%any]
>     type=drop
>     auto=route
> -------------------------------------------
>
> And it blocks everything.
>
>> Set the priorities manually.
>
> I set the priority with any number manually in swanctl.conf, but it didn't work:
> -----------------------------
> connections {
>     dropall {
>         children {
>             dropall {
>                 local_ts = 0.0.0.0/0[%any/%any]
>                 remote_ts = 0.0.0.0/0[%any/%any]
>                 priority = x <-------- x = any number
>                 mode = drop
>                 start_action = trap
>             }
>         }
>     }
> }
> ----------------------------
>
>> Make sure the permitting policies have a higher one than the restricting ones.
>
> That part I don't understand. How can I check what restricting is and how can I override it with permitting policies?
>
> Are my rules similar to the kill-switch rules?
>
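A swanctl.conf layout that follows the advice above, added here as an example and not taken from the thread or from the strongSwan project. Linux XFRM picks the matching policy with the lowest numeric priority value, so the drop policy keeps Noel's value of 1000 and every permitting policy gets a smaller value; the LAN subnet, gateway address and identities are placeholders.

```conf
# swanctl.conf kill switch built from shunt policies (constructed example).
# XFRM evaluates the matching policy with the LOWEST numeric priority first,
# so the permitting entries use values below the 1000 given to the drop.
connections {
    # Shunt-only connection: no IKE peer, policies are installed by trap.
    killswitch {
        children {
            dropall {
                local_ts  = 0.0.0.0/0[%any/%any]
                remote_ts = 0.0.0.0/0[%any/%any]
                mode = drop
                start_action = trap
                priority = 1000
            }
            # Permitting policy for the local LAN (192.168.1.0/24 is assumed),
            # e.g. for DHCP and the default gateway; 800 beats both the
            # tunnel policy (900) and the drop policy (1000).
            lan-pass {
                local_ts  = 192.168.1.0/24
                remote_ts = 192.168.1.0/24
                mode = pass
                start_action = trap
                priority = 800
            }
        }
    }
    # The real tunnel; peer address and identities are placeholders.
    vpn {
        remote_addrs = <VPN_GATEWAY_ADDRESS>
        vips = 0.0.0.0
        local {
            auth = eap-mschapv2
            eap_id = <USERNAME>
        }
        remote {
            auth = pubkey
            id = <GATEWAY_ID>
        }
        children {
            vpn {
                remote_ts = 0.0.0.0/0
                start_action = start
                # Fixed value below 1000 so tunnelled traffic is matched
                # before the drop policy instead of the dynamic default.
                priority = 900
            }
        }
    }
}
```

After `swanctl --load-all`, `ip xfrm policy` lists the installed policies with their priority values, which is the quickest way to confirm the intended order.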