[strongSwan] IPsec drop policies 2

reterverv ercertecrterc bernd1293 at inbox.lv
Mon Jan 20 17:48:47 CET 2020


Hello.

I now have the following configuration. The connection is blocked before the configuration is started. That is also correct.

But when the connection is established, I have no internet connection.

What is missing in the configuration?

Best regards

Bernd

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
connections {
	dropall {
		children {
			dropall {
				local_ts = 0.0.0.0/0
				remote_ts = 0.0.0.0/0
				priority = 2
				mode = drop
				start_action = trap
			}
		}
	}
	lan-passthrough {
		children {
			lan-passthrough {
				local_ts = 192.168.1.0/24 # Replace with your LAN subnet
				remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
				priority = 1
				mode = pass
				start_action = trap
			}
		}
	}
	pp {
		unique = never
		version = 2
		keyingtries = 0
		dpd_delay = 300s
		rekey_time = 0
		encap = yes
		proposals = aes256-sha256-modp2048
		vips = 0.0.0.0
		send_cert = never
		send_certreq = yes
		local_addrs = 192.168.1.1 # Replace with your default Router IP address
		remote_addrs = <PP Server IP> # Replace with your PP Server IP

		local {
			id = 192.168.1.1 # Replace with your default Router IP address
			auth = eap-mschapv2
			eap_id = Username # Replace with your PP-Username
		}
		remote {
			id = %any
			auth = pubkey
		}
		children {
			pp {
				dpd_action = start
				close_action = start
				inactivity = 36000s
				life_time = 0
				esp_proposals = aes256-sha256
				updown = /etc/swanctl/updown.sh
				remote_ts = 0.0.0.0/0
				priority = 1
				mode = tunnel
				start_action = none # "none" is for manual start, or use "start" for autostart
			}
		}
	}
} # connections
secrets {
	eap-user {
		id = Username # Replace with your PP-Username
		secret = "Password" # Replace with your "PP-Password"
	}
} # secrets
-------------------------------------------------------------------------------------------------------------------------------------------------------------
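The example below is added here and is not from the post or from strongSwan itself. It models in Python how the kernel picks one of the posted drop, pass and tunnel policies for an outbound packet (the policy with the lowest `priority` value among those whose selectors match wins), so the effect of the `pp` child's local traffic selector can be checked offline. The virtual IP 10.8.0.2 and the destination 192.0.2.10 are constructed values; treating list order as install order for ties is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    local_ts: ipaddress.IPv4Network
    remote_ts: ipaddress.IPv4Network
    priority: int   # swanctl 'priority': lower value is consulted first
    mode: str       # 'drop', 'pass' or 'tunnel'


def net(cidr):
    return ipaddress.ip_network(cidr)


# Shunt policies the posted config installs at startup (start_action = trap).
STATIC_POLICIES = [
    Policy("dropall", net("0.0.0.0/0"), net("0.0.0.0/0"), 2, "drop"),
    Policy("lan-passthrough", net("192.168.1.0/24"), net("192.168.1.0/24"), 1, "pass"),
]


def tunnel_policy(local_ts):
    """The 'pp' child's policy, present only while its CHILD_SA is up.
    remote_ts and priority are taken from the posted config; local_ts is
    whatever the child ends up with (the virtual IP when none is configured)."""
    return Policy("pp", net(local_ts), net("0.0.0.0/0"), 1, "tunnel")


def lookup(policies, src, dst):
    """Model of the outbound policy lookup: among policies whose selectors
    match, the lowest priority value wins; on a tie the earlier list entry
    wins (list order models install order, an assumption of this model)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies if s in p.local_ts and d in p.remote_ts]
    return min(matches, key=lambda p: p.priority).mode if matches else "no-policy"


def outcome(src, dst, tunnel_local_ts=None):
    """Result for one packet; pass tunnel_local_ts=None to model the tunnel being down."""
    policies = list(STATIC_POLICIES)
    if tunnel_local_ts:
        policies.append(tunnel_policy(tunnel_local_ts))
    return lookup(policies, src, dst)


if __name__ == "__main__":
    for case in [("192.168.1.10", "192.168.1.20", None),
                 ("192.168.1.10", "192.0.2.10", None),
                 ("192.168.1.10", "192.0.2.10", "192.168.1.0/24"),
                 ("192.168.1.10", "192.0.2.10", "10.8.0.2/32"),
                 ("10.8.0.2", "192.0.2.10", "10.8.0.2/32")]:
        print(case, "->", outcome(*case))
```

On a real host, the installed policies and their priorities can be compared against this model with `swanctl --list-pols` and `ip xfrm policy`.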
