Re: [strongSwan] Understanding IPsec through a firewall

2009-08-28 Thread Graham Hudspith

> Or a module we may have built for the kernel but not actually installed ?

Sigh! Time to answer my own question (I hope).

Looking at our kernel config, I see that is selected.

Looking in kernelbuild/net/netfilter I can see an xt_policy.ko module.

However, this module is not installed on the embedded system. Ho hum.

I hope this will be a quick fix ...

Cheers,

Graham.


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Understanding IPsec through a firewall

2009-08-28 Thread Graham Hudspith
Gerd,

Thanks very much for the confirmation and pointer on how to do things
properly.

>> I'm not too keen on opening the firewall to all UDP packets using that
>> UDP port number. Is there a more elegant method ?
>
> Yes, you could use the policy match of iptables. E.g. "-m policy --pol
> ipsec" matches only packets coming in decrypted or going out encrypted.

Unfortunately, I can't get "-m policy --pol ipsec" to work :-(

Here is the current firewall on my embedded system (i.e. no rules added):

# iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

I changed the ipsec.conf on my x86 ubuntu laptop to say "leftfirewall=yes"
and captured the commands executed by /libexec/ipsec/_updown to add a
firewall rule for all traffic coming in via the tunnel:

iptables -I INPUT 1 -i eth0 -p 0 -s 172.17.0.0/16 -d 10.10.2.78/32 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT

When I execute a similar command on my embedded system, I get:

# iptables -I INPUT 1 -i eth0 -p 0 -s 172.17.0.0/16 -d 10.10.0.51/32 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT

iptables: No chain/target/match by that name

Even trying to cut down the command to the bare minimum has no success:

# iptables -A INPUT -p 0 -m policy --pol ipsec --proto esp --dir in -j ACCEPT

iptables: No chain/target/match by that name

Any clues what can be causing this ?

The iptables version on the embedded system is 1.4.2 (vs. 1.4.1.1 on the
x86 ubuntu laptop). Looking at the way we configure and build iptables, it
looks like a vanilla configure with nothing excluded or added.

Is there some kernel build config option we are missing ?

Or a module we may have built for the kernel but not actually installed ?

Any hints gratefully accepted !

Regards,

Graham.




Re: [strongSwan] Understanding IPsec through a firewall

2009-08-27 Thread Gerd v. Egidy
Hi Graham,

> So, it appears that the UDP packets come through the tunnel, are decrypted
> and then looped-back through the firewall ?

That is correct.

> I'm not too keen on opening the firewall to all UDP packets using that UDP
> port number. Is there a more elegant method ?

Yes, you could use the policy match of iptables. E.g. "-m policy --pol ipsec"
matches only packets coming in decrypted or going out encrypted.

If you have several different IPsec connections needing different treatment in
your firewall, you have to differentiate with the IPs, as the policy match
doesn't know about the strongSwan connection names.

Kind regards,

Gerd

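The policy match Gerd describes, and the "No chain/target/match by that name" failure Graham hit when xt_policy was not installed, as an added shell example that is not from the thread: it probes whether the running iptables/kernel pair supports "-m policy" before building the rules, and generates INPUT/OUTPUT rules that accept only traffic the kernel has decrypted or will encrypt. The addresses and the reqid value are constructed to match the thread's layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan's _updown script.

# Return 0 if this iptables/kernel pair supports "-m policy", 1 otherwise.
# When xt_policy.ko is missing, "iptables -m policy --help" fails with
# "No chain/target/match by that name", the symptom reported in the thread.
has_policy_match() {
    iptables -m policy --help >/dev/null 2>&1
}

# Print the rule arguments for one direction.
#   $1 = in|out, $2 = local IP, $3 = remote subnet, $4 = optional reqid
# "--pol ipsec --dir in" matches packets the kernel has already decrypted;
# "--dir out" matches packets that will be encrypted, so plaintext that is
# not covered by an IPsec policy never matches these rules.
policy_rule() {
    dir=$1; local_ip=$2; remote=$3; reqid=${4:-}
    case "$dir" in
        in)  chain="INPUT";  src=$remote;   dst=$local_ip ;;
        out) chain="OUTPUT"; src=$local_ip; dst=$remote ;;
        *)   echo "policy_rule: dir must be in or out" >&2; return 1 ;;
    esac
    rule="-A $chain -s $src -d $dst -m policy --pol ipsec --proto esp --dir $dir"
    if [ -n "$reqid" ]; then
        # Pin the rule to one SA so other tunnels need their own rules.
        rule="$rule --reqid $reqid"
    fi
    printf '%s\n' "$rule -j ACCEPT"
}

# Install both directions for a constructed tunnel (local 10.10.0.51,
# remote subnet 172.17.0.0/16, reqid 1), refusing to proceed if the match
# is unavailable rather than silently falling back to a port-based hole.
apply_rules() {
    if ! has_policy_match; then
        echo "policy match unavailable: check CONFIG_NETFILTER_XT_MATCH_POLICY / xt_policy.ko" >&2
        return 1
    fi
    for d in in out; do
        # Word splitting of the generated arguments is intended here.
        iptables $(policy_rule "$d" 10.10.0.51 172.17.0.0/16 1) || return 1
    done
}
```

apply_rules must run as root on the gateway; policy_rule is pure string generation and can be run anywhere to inspect the rules first.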


[strongSwan] Understanding IPsec through a firewall

2009-08-27 Thread Graham Hudspith
We've come across a problem sending UDP packets through a tunnel when the
tunnel goes through a firewall and I was hoping someone can
explain/confirm what is going on (please).

Our machine sets up a tunnel to a secure gateway and then opens a UDP
socket through that tunnel to a machine on the far side of the secure
gateway.

We have found that although we can send UDP packets to the far machine,
the return UDP packets were not reaching the local application UNTIL we
opened up the left UDP port in the firewall (all UDP ports are blocked by
default).

So, it appears that the UDP packets come through the tunnel, are decrypted
and then looped-back through the firewall ?

I'm not too keen on opening the firewall to all UDP packets using that UDP
port number. Is there a more elegant method ?

I've a sneaking suspicion someone is going to suggest setting
left=firewall in ipsec.conf and letting charon call _updown to adjust the
iptables ?

I can imagine that charon knows how to invoke the _updown script with the
correct left and right IP addresses, but how does it know which UDP ports
we will be using through the tunnel ?

Regards,

Graham.

P. S. As ever, if there is a webpage that explains this all, I would be
glad of any pointers!

