[strongSwan] IPsec drop policies 2
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jan 20 21:29:28 CET 2020
Hello,
Use priority = 3 instead of priority = 1 and try it.
Kind regards
Noel
On 20.01.20 at 17:48, reterverv ercertecrterc wrote:
> Hello.
>
> I now have the following configuration. The connection is blocked before the configuration is started. That is also correct.
>
> But when the connection is established, then I have no internet connection.
>
> What is missing in the configuration?
>
> Best regards
>
> Bernd
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> connections {
>     dropall {
>         children {
>             dropall {
>                 local_ts = 0.0.0.0/0
>                 remote_ts = 0.0.0.0/0
>                 priority = 2
>                 mode = drop
>                 start_action = trap
>             }
>         }
>     }
>     lan-passthrough {
>         children {
>             lan-passthrough {
>                 local_ts = 192.168.1.0/24 # Replace with your LAN subnet
>                 remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
>                 priority = 1
>                 mode = pass
>                 start_action = trap
>             }
>         }
>     }
>     pp {
>         unique = never
>         version = 2
>         keyingtries = 0
>         dpd_delay = 300s
>         rekey_time = 0
>         encap = yes
>         proposals = aes256-sha256-modp2048
>         vips = 0.0.0.0
>         send_cert = never
>         send_certreq = yes
>         local_addrs = 192.168.1.1 # Replace with your default Router IP address
>         remote_addrs = <PP Server IP> # Replace with your PP Server IP
>
>         local {
>             id = 192.168.1.1 # Replace with your default Router IP address
>             auth = eap-mschapv2
>             eap_id = Username # Replace with your PP-Username
>         }
>         remote {
>             id = %any
>             auth = pubkey
>         }
>         children {
>             pp {
>                 dpd_action = start
>                 close_action = start
>                 inactivity = 36000s
>                 life_time = 0
>                 esp_proposals = aes256-sha256
>                 updown = /etc/swanctl/updown.sh
>                 remote_ts = 0.0.0.0/0
>                 priority = 1
>                 mode = tunnel
>                 start_action = none # "none" is for manual start, or use "start" for autostart
>             }
>         }
>     }
> } # connections
> secrets {
>     eap-user {
>         id = Username # Replace with your PP-Username
>         secret = "Password" # Replace with your "PP-Password"
>     }
> } # secrets
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
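As an added check that is not part of the thread: a small Python model of how the kernel picks among the posted policies (among matching policies the numerically lowest priority wins, as for XFRM), evaluated against the dropall, lan-passthrough and pp selectors from the quoted swanctl.conf. The pp child's local selector is assumed here to be the LAN subnet, since the posted config leaves local_ts unset for it, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    local_ts: str     # swanctl local_ts (source selector for outbound traffic)
    remote_ts: str    # swanctl remote_ts (destination selector)
    priority: int     # numerically lower wins, as for XFRM policies
    mode: str         # "drop", "pass" or "tunnel"

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_ts)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_ts))

def decide(policies, src, dst):
    """Outbound lookup: (action, names of the policies tied at the winning priority)."""
    hits = [p for p in policies if p.matches(src, dst)]
    if not hits:
        # No policy at all: the kernel forwards the packet in the clear, which is
        # exactly the leak the dropall trap policy exists to prevent.
        return ("clear", [])
    best = min(p.priority for p in hits)
    winners = [p for p in hits if p.priority == best]
    modes = {p.mode for p in winners}
    action = modes.pop() if len(modes) == 1 else "ambiguous"
    return (action, [p.name for p in winners])

# Policies taken from the quoted swanctl.conf (selectors and priorities as posted).
DROPALL = Policy("dropall", "0.0.0.0/0", "0.0.0.0/0", 2, "drop")
LAN_PASS = Policy("lan-passthrough", "192.168.1.0/24", "192.168.1.0/24", 1, "pass")
# Assumption: the pp child's local selector ends up as the LAN subnet; the posted
# config does not set local_ts for it.
PP_TUNNEL = Policy("pp", "192.168.1.0/24", "0.0.0.0/0", 1, "tunnel")

BEFORE_CONNECT = [DROPALL, LAN_PASS]             # only the two trap policies are in place
AFTER_CONNECT = [DROPALL, LAN_PASS, PP_TUNNEL]   # pp child installed once the SA is up

# Constructed sample flows: a LAN host reaching the internet and a LAN neighbour.
FLOWS = {"lan->internet": ("192.168.1.10", "203.0.113.5"),
         "lan->lan": ("192.168.1.10", "192.168.1.20")}

if __name__ == "__main__":
    for label, pols in (("before connect", BEFORE_CONNECT), ("after connect", AFTER_CONNECT)):
        for flow, (src, dst) in FLOWS.items():
            action, names = decide(pols, src, dst)
            print(f"{label:15} {flow:14} -> {action:9} via {', '.join(names) or '-'}")
```

Before the tunnel is up, LAN-to-internet traffic matches only dropall and is blocked while LAN-to-LAN traffic passes, which is the intended kill switch; under the stated assumption the script also reports the LAN-to-LAN tie between lan-passthrough and pp, both carrying priority 1.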