[strongSwan] Restricting protocol and port numbers question

Makarand Pradhan MakarandPradhan at is5com.com
Fri Sep 4 17:50:44 CEST 2020 

Thanks Tobias.

Added the routes and now I can see that the ICMP packets are encrypted.  All other packets are not encrypted. I will use iptables to firewall.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.

-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: September 4, 2020 4:26 AM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Restricting protocol and port numbers question

Hi Makarand,

> All the same, the packets are not pushed into the tunnel:
> 
> ping 192.168.9.3 -I 10.10.9.4
> PING 192.168.9.3 (192.168.9.3) from 10.10.9.4 : 56(84) bytes of data.
> ping: sendmsg: Network is unreachable
> ping: sendmsg: Network is unreachable
> 
> The ip xfrm policy seems to be correct:
> src 192.168.9.0/24 dst 10.10.9.0/24 proto icmp 
> 	dir fwd priority 375167 ptype main 
> 	tmpl src 172.16.31.1 dst 172.16.31.2
> 		proto esp reqid 1 mode tunnel
> 
> Would highly appreciate if anyone can point the error in my configuration?

No routes are installed in table 220 for policies with port/protocol restrictions.  So make sure you have routes installed that allow to reach the remote networks.

Regards,
Tobias

More information about the Users mailing list