subject:"\[strongSwan\] Is there good documentation on Netfilter\/iptables strategies with strongSwan\?"

Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

2017-09-23 Thread Whit Blauvelt

On Sat, Sep 23, 2017 at 10:58:11AM -0400, Eric Germann wrote:
> First off in AWS, if you’re going to be a router, have you disabled
> “Source/Destination Check” (or something to that effect) in the instance
> properties? If not, the instance will work across the tunnel, but you
> won’t be able to route through it.

Thanks Eric. I had already done that; it has been disabled this whole time.

I've also done the other obvious stuff, such as turning of rp_filter,
turning on forwarding

Hopefully someone can point me in the right direction to answer my Netfilter
questions.

Best,
Whit

Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

2017-09-23 Thread Eric Germann

First off in AWS, if you’re going to be a router, have you disabled 
“Source/Destination Check” (or something to that effect) in the instance 
properties?  If not, the instance will work across the tunnel, but you won’t be 
able to route through it. 

EKG


> On Sep 23, 2017, at 10:37, Whit Blauvelt  wrote:
> 
> Hi,
> 
> I find discussion three years ago in this list on using iptables marks with
> strongSwan, and see suggestions there may be some of that it does
> automatically in the background. There was discussion three years back about
> researching different advanced methods. If it reached a clear conclusion, I
> haven't found it.
> 
> I have also found a partial discussion elsewhere of possible conflicts
> between strongSwan's methods and the marking techniques used by FireHOL, but
> again without full resolution or a final summary document. In my own case
> I'm finding FireHOL and its link-balancer utility invaluable.
> 
> I'm also not yet routing correctly to the subnets behind a system with those
> on one end and the subnets behind one on AWS on the other -- where the AWS
> instance has a slight complication in that it's got several interfaces, one
> on a VPC, the other -- which strongSwan is connecting to -- not.
> 
> A few years back, when running openswan, I'd set up iptables like this:
> 
>  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # 
> udp/isakmp
>  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
>  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
>  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
>  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
> 
> Worked well there. Obviously it's not a good formula for strongSwan (I've of
> course tried it). Can someone please point me to either a good background
> discussion or a good current set of examples showing how to get strongSwan
> and Netfilter working correctly together?
> 
> I realize strongSwan works on platforms other than Linux, so documenting
> Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
> world its documents will expand to include theory and recipes for the
> various firewalls it is commonly used with.
> 
> Best,
> Whit


smime.p7s
Description: S/MIME cryptographic signature

[strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

2017-09-23 Thread Whit Blauvelt

Hi,

I find discussion three years ago in this list on using iptables marks with
strongSwan, and see suggestions there may be some of that it does
automatically in the background. There was discussion three years back about
researching different advanced methods. If it reached a clear conclusion, I
haven't found it.

I have also found a partial discussion elsewhere of possible conflicts
between strongSwan's methods and the marking techniques used by FireHOL, but
again without full resolution or a final summary document. In my own case
I'm finding FireHOL and its link-balancer utility invaluable.

I'm also not yet routing correctly to the subnets behind a system with those
on one end and the subnets behind one on AWS on the other -- where the AWS
instance has a slight complication in that it's got several interfaces, one
on a VPC, the other -- which strongSwan is connecting to -- not.

A few years back, when running openswan, I'd set up iptables like this:

  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # 
udp/isakmp
  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT

Worked well there. Obviously it's not a good formula for strongSwan (I've of
course tried it). Can someone please point me to either a good background
discussion or a good current set of examples showing how to get strongSwan
and Netfilter working correctly together?
  
I realize strongSwan works on platforms other than Linux, so documenting
Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
world its documents will expand to include theory and recipes for the
various firewalls it is commonly used with.

Best,
Whit

Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

[strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

3 matches

Site Navigation

Mail list logo

Footer information