Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?
On Sat, Sep 23, 2017 at 10:58:11AM -0400, Eric Germann wrote:
> First off in AWS, if you’re going to be a router, have you disabled
> “Source/Destination Check” (or something to that effect) in the instance
> properties? If not, the instance will work across the tunnel, but you
> won’t be able to route through it.

Thanks Eric. I had already done that; it has been disabled this whole time. I've also done the other obvious stuff, such as turning off rp_filter and turning on forwarding.

Hopefully someone can point me in the right direction to answer my Netfilter questions.

Best,
Whit
Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?
First off in AWS, if you’re going to be a router, have you disabled “Source/Destination Check” (or something to that effect) in the instance properties? If not, the instance will work across the tunnel, but you won’t be able to route through it.

EKG

> On Sep 23, 2017, at 10:37, Whit Blauvelt wrote:
>
> Hi,
>
> I find discussion three years ago in this list on using iptables marks with
> strongSwan, and see suggestions there may be some of that it does
> automatically in the background. There was discussion three years back about
> researching different advanced methods. If it reached a clear conclusion, I
> haven't found it.
>
> I have also found a partial discussion elsewhere of possible conflicts
> between strongSwan's methods and the marking techniques used by FireHOL, but
> again without full resolution or a final summary document. In my own case
> I'm finding FireHOL and its link-balancer utility invaluable.
>
> I'm also not yet routing correctly to the subnets behind a system with those
> on one end and the subnets behind one on AWS on the other -- where the AWS
> instance has a slight complication in that it's got several interfaces, one
> on a VPC, the other -- which strongSwan is connecting to -- not.
>
> A few years back, when running openswan, I'd set up iptables like this:
>
> iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1   # udp/isakmp
> iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1               # esp
> iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
> iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
> iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
>
> Worked well there. Obviously it's not a good formula for strongSwan (I've of
> course tried it). Can someone please point me to either a good background
> discussion or a good current set of examples showing how to get strongSwan
> and Netfilter working correctly together?
>
> I realize strongSwan works on platforms other than Linux, so documenting
> Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
> world its documents will expand to include theory and recipes for the
> various firewalls it is commonly used with.
>
> Best,
> Whit
[strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?
Hi,

I find discussion three years ago in this list on using iptables marks with strongSwan, and see suggestions there may be some of that it does automatically in the background. There was discussion three years back about researching different advanced methods. If it reached a clear conclusion, I haven't found it.

I have also found a partial discussion elsewhere of possible conflicts between strongSwan's methods and the marking techniques used by FireHOL, but again without full resolution or a final summary document. In my own case I'm finding FireHOL and its link-balancer utility invaluable.

I'm also not yet routing correctly to the subnets behind a system with those on one end and the subnets behind one on AWS on the other -- where the AWS instance has a slight complication in that it's got several interfaces, one on a VPC, the other -- which strongSwan is connecting to -- not.

A few years back, when running openswan, I'd set up iptables like this:

iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1   # udp/isakmp
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1               # esp
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT

Worked well there. Obviously it's not a good formula for strongSwan (I've of course tried it). Can someone please point me to either a good background discussion or a good current set of examples showing how to get strongSwan and Netfilter working correctly together?

I realize strongSwan works on platforms other than Linux, so documenting Netfilter or pf or whatever isn't central to its mission. Still, in an ideal world its documents will expand to include theory and recipes for the various firewalls it is commonly used with.

Best,
Whit
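Editor's added example, not part of the thread and not strongSwan's own code. The mark-based recipe above made sense for a KLIPS-era openswan with its own ipsecN interfaces; with strongSwan on the native Linux XFRM stack, a decrypted packet re-enters netfilter on the same physical interface with its inner addresses, so the natural Netfilter primitive is the xt_policy match (`-m policy --dir in/out --pol ipsec`), which is exactly what strongSwan's `_updown` script installs into FORWARD when a conn sets `leftfirewall=yes`. Marks are only involved if you explicitly set `mark_in`/`mark_out` on a conn, and a second, unrelated place where a policy-routing tool like link-balancer can collide with charon is the routes charon installs into its own table (220 by default, controlled by `charon.routing_table` and `charon.install_routes` in strongswan.conf). The script below emits an iptables-restore ruleset for a single-tunnel gateway; the interface name and the two subnets are hypothetical placeholders passed as arguments, and nothing is applied unless you pipe the output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): emit an
# iptables-restore ruleset for a strongSwan gateway forwarding between one
# local subnet and one remote subnet over a policy-based (XFRM) tunnel.
# It uses the xt_policy match instead of mangle-table marks.
#
# Assumed placeholders: IFACE (public interface), LOCAL_NET, REMOTE_NET are
# passed as arguments. Output goes to stdout only.

# strongswan_ruleset IFACE LOCAL_NET REMOTE_NET -> ruleset on stdout
strongswan_ruleset() {
    ifc="$1"; lnet="$2"; rnet="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (udp/500), IKE plus UDP-encapsulated ESP for NAT-T (udp/4500), plain ESP
-A INPUT -i $ifc -p udp --dport 500 -j ACCEPT
-A INPUT -i $ifc -p udp --dport 4500 -j ACCEPT
-A INPUT -i $ifc -p esp -j ACCEPT
# Decrypted packets traverse FORWARD with their inner addresses on the same
# interface; the policy match proves they arrived through an IPsec SA and
# were not simply spoofed in the clear from the internet.
-A FORWARD -i $ifc -s $rnet -d $lnet -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Outbound: allow the clear-text packets that XFRM will encrypt on the way out
-A FORWARD -o $ifc -s $lnet -d $rnet -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Tunnel traffic must be excluded from MASQUERADE: after SNAT the kernel
# re-evaluates the XFRM policy with the rewritten source, which no longer
# matches the tunnel's traffic selector, so the packet would leave unencrypted.
-A POSTROUTING -s $lnet -d $rnet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $lnet -o $ifc -j MASQUERADE
COMMIT
EOF
}

# count_ipsec_rules IFACE LOCAL_NET REMOTE_NET -> number of policy-matched rules
count_ipsec_rules() {
    strongswan_ruleset "$@" | grep -c -- '--pol ipsec'
}

# Usage (as root, only after reviewing the output):
#   strongswan_ruleset eth0 10.0.0.0/24 192.168.1.0/24 | iptables-restore
```

If you keep FireHOL in front of this, the two rules to protect are the POSTROUTING exclusion (it has to come before any MASQUERADE/SNAT rule) and the FORWARD policy matches; a mark-based balancer can coexist with them as long as it does not rewrite the source of tunnel-bound traffic and does not override the routes in charon's table.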