Re: [strongSwan] Prevent traffic outside VPN
On 29.03.19 at 16:54, Tony Phillips wrote:
> When my tunnel comes up, locations at the destination of the VPN are
> reachable as desired.
>
> However, in my use case, I want to prevent anything talking to the client on
> its real interface (bypassing the tunnel). Right now, even with the tunnel
> up, I can SSH into the client's real eth0 interface's IP address *and* the
> tunnel IP address.
>
> I've tried removing the original default route (and of course adding a
> host-specific route so the client knows how to get to the VPN server), but
> still doesn't stop traffic from "outside" the VPN from reaching the client.
>
> Here's my ipsec.conf file:
>
> config setup
>   charondebug=1
>
> conn %default
>   ikelifetime=20m
>   reauth=yes
>   rekey=yes
>   keylife=10m
>   rekeymargin=3m
>   rekeyfuzz=0%
>   keyingtries=1
>   type=tunnel
>
> conn test
>   keyexchange=ikev1
>   ikelifetime=1440m
>   keylife=60m
>   aggressive=yes
>   ike=aes-sha1-modp1024
>   esp=aes-sha1
>   xauth=client
>   left=10.181.43.20
>   leftid=(omitted)
>   leftsourceip=%modeconfig
>   leftauth=psk
>   rightauth=psk
>   leftauth2=xauth
>   right=10.248.1.2
>   rightsubnet=0.0.0.0/
>   xauth_identity=test
>   auto=add
>
> From my understanding of the documentation, what I'm asking for SHOULD be the
> default behavior. But I'm obviously missing something.
>
> The address I'm given by the VPN server is in the 10.248.60/19 range.

Set up a local firewall. Trigger it with the setup of the tunnel.

Kind regards,

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
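The "local firewall triggered by tunnel setup" as a concrete script, added here as an example and not taken from the thread or from the strongSwan project: a client-side updown script that, on up-client, lets only IKE/ESP from the gateway and packets decapsulated from the tunnel reach the real interface, and removes those rules again on down-client. It assumes iptables with the xfrm policy match (xt_policy); the script path and the chain name VPN_LOCKDOWN are made up, while PLUTO_VERB, PLUTO_PEER and PLUTO_INTERFACE are the environment variables strongSwan's updown plugin passes to such scripts.

```shell
#!/bin/sh
# Hypothetical updown script for the road-warrior client (added example):
# reference it with leftupdown=/etc/ipsec.d/lockdown.sh (path made up).
# strongSwan's updown plugin runs it with PLUTO_VERB, PLUTO_PEER (gateway)
# and PLUTO_INTERFACE (real interface) in the environment.
# DRY_RUN=1 prints the iptables commands instead of executing them.

CHAIN=VPN_LOCKDOWN   # dedicated chain so the rules can be removed cleanly

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Tear the chain down; errors are ignored so this is safe when nothing is installed.
lockdown_down() {
    run -D INPUT -j "$CHAIN" 2>/dev/null || true
    run -F "$CHAIN" 2>/dev/null || true
    run -X "$CHAIN" 2>/dev/null || true
}

# On the real interface accept only: packets decapsulated from the tunnel
# (they re-enter INPUT and match the xfrm policy), plus IKE and ESP from the
# gateway itself; drop every other cleartext packet arriving there.
lockdown_up() {
    peer=${PLUTO_PEER:?gateway address missing}
    dev=${PLUTO_INTERFACE:?interface missing}
    lockdown_down                      # idempotent on reauth or re-run
    run -N "$CHAIN"
    run -A "$CHAIN" -i "$dev" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run -A "$CHAIN" -i "$dev" -s "$peer" -p esp -j ACCEPT
    run -A "$CHAIN" -i "$dev" -s "$peer" -p udp -m multiport --dports 500,4500 -j ACCEPT
    run -A "$CHAIN" -i "$dev" -j DROP
    run -I INPUT 1 -j "$CHAIN"        # evaluate before any existing INPUT rules
}

case "${PLUTO_VERB:-}" in
    up-client)   lockdown_up ;;
    down-client) lockdown_down ;;
esac
```

Because the chain is removed on down-client, the host is reachable in cleartext again whenever the tunnel is down; for a kill switch, keep the DROP rule installed permanently and only toggle the gateway and policy ACCEPT rules.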
Re: [strongSwan] Problem loading many private keys
Hi,

Thanks a lot for the tips! Just wanted to update that I got it working by generating certificates with one private key (as that's ok for this lab-only setup), so I did not get to the load-tester or the alternative ways to load the keys, but will keep those options in mind! :)

Roberts

On Thu, 4 Apr 2019 at 21:49, Noel Kuntze wrote:
> Hi,
>
> To keep this in a thread.
>
> "Just" either use swanctl or move your configs, keys and such into ipsec.d
> and subdirectories after strongSwan was already started.
> The variant using swanctl/vici is to just translate your config to use it
> instead.
> For VICI, you can just load new configs, keys and certificates into the
> daemon when you want to establish a new IKE_SA and CHILD_SA.
> I got a python script here doing that, albeit for another purpose. It's
> relatively simple. The best approach would be to just use the load-tester
> though, as Tobias suggested. It does exactly what you want.
>
>
> On 04.04.19 at 17:03, Tobias Brunner wrote:
> > Hi Roberts,
> >
> >> Ah, ok, you're suggesting to use a single private key and use it for the
> >> CSRs/Certificates?
> >
> > That's what our load-tester plugin does [1].
> >
> > Regards,
> > Tobias
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
> >

--
Roberts
[strongSwan] Prevent traffic outside VPN
When my tunnel comes up, locations at the destination of the VPN are
reachable as desired.

However, in my use case, I want to prevent anything talking to the client on
its real interface (bypassing the tunnel). Right now, even with the tunnel
up, I can SSH into the client's real eth0 interface's IP address *and* the
tunnel IP address.

I've tried removing the original default route (and of course adding a
host-specific route so the client knows how to get to the VPN server), but
still doesn't stop traffic from "outside" the VPN from reaching the client.

Here's my ipsec.conf file:

config setup
  charondebug=1

conn %default
  ikelifetime=20m
  reauth=yes
  rekey=yes
  keylife=10m
  rekeymargin=3m
  rekeyfuzz=0%
  keyingtries=1
  type=tunnel

conn test
  keyexchange=ikev1
  ikelifetime=1440m
  keylife=60m
  aggressive=yes
  ike=aes-sha1-modp1024
  esp=aes-sha1
  xauth=client
  left=10.181.43.20
  leftid=(omitted)
  leftsourceip=%modeconfig
  leftauth=psk
  rightauth=psk
  leftauth2=xauth
  right=10.248.1.2
  rightsubnet=0.0.0.0/
  xauth_identity=test
  auto=add

From my understanding of the documentation, what I'm asking for SHOULD be the
default behavior. But I'm obviously missing something.

The address I'm given by the VPN server is in the 10.248.60/19 range.