Hello,
Hoping someone can point me in the right direction.
Running strongSwan 5.1.3 on Ubuntu 14.10. It appears that while my
tunnels will consistently come up via service strongswan restart, the
iptable rules are sporadically _not_ added to the hosts.
As an example, I've automated the
Use the iptables --wait argument?
From the manpage:
Wait for the xtables lock. To prevent multiple instances of the program
from running concurrently, an attempt will be made to obtain an
exclusive lock at launch. By default, the program will exit if the lock
cannot be obtained. This option
Thanks Bryan -- I appreciate the quick response.
So you modified the /usr/lib/ipsec/_updown script and added the --wait
flag for the add and remove operations?
If so, clever! I'll give that a try.
On Wed, Apr 1, 2015 at 8:03 AM, Bryan Duff duff0...@gmail.com wrote:
Use the iptables --wait
All,
I think I figured out what's going on. Because each host is
auto=start, multiple SAs were being built between each host.
charon would eventually detect that there were non-unique SAs and
destroy them, and the firewall rule would go with it.
I caught this when watching the iptable rules
Still can't quite get this to work as I'd like.
I copied /usr/lib/ipsec/_updown to /etc/ipsec.updown and modified all
iptables -I and iptables -D calls to include --wait (i.e.,
iptables --wait -I and ... -D).
I then modified my configuration file:
conn dev3-dev5
type=transport
authby=secret
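As an added example (not the stock strongSwan _updown script and not code posted in this thread), here is a minimal add/delete section that takes the --wait approach discussed above and additionally checks with -C before inserting or deleting, so that the duplicate SAs described earlier in the thread neither double the rule nor take it away when one of them is torn down. It assumes charon's PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT environment variables and a FORWARD-chain rule with a policy match; both are my assumptions, not the poster's setup.

```shell
#!/bin/sh
# Added example; assumes the PLUTO_* variables charon exports to _updown.
# IPTABLES can be overridden (e.g. pointed at a wrapper) for testing.
IPTABLES="${IPTABLES:-iptables}"

# Rule this SA needs in the FORWARD chain: accept traffic from the peer
# subnet to our subnet only when it arrived through the IPsec SA (ESP).
fwd_rule() {
    echo "FORWARD -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
}

# Insert the rule only if it is not already present; --wait blocks on the
# xtables lock instead of failing when another iptables is running.
ipt_add() {
    if ! $IPTABLES --wait -C $1 2>/dev/null; then
        $IPTABLES --wait -I $1
    fi
}

# Remove every copy of the rule (an earlier non-idempotent script may have
# inserted it more than once); stop as soon as -C reports it absent.
ipt_del() {
    while $IPTABLES --wait -C $1 2>/dev/null; do
        $IPTABLES --wait -D $1
    done
}

# Dispatch on the verb charon passes for the up/down event.
updown() {
    case "${PLUTO_VERB:-}" in
        up-client)   ipt_add "$(fwd_rule)" ;;
        down-client) ipt_del "$(fwd_rule)" ;;
    esac
}

if [ -n "${PLUTO_VERB:-}" ]; then
    updown
fi
```

Calling ipt_add twice for the same SA leaves exactly one rule, and ipt_del afterwards leaves none, which is the behaviour the duplicate-SA cleanup described above needs.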
Thanks Rajiv.
iptables is open between the hosts themselves -- esp and all ports you
listed are included. It's good to have double-checked though, so
thanks for the reminder.
The issue here is that occasionally the iptable rules are not
populated properly when an SA is established. In other
Hi
My preference would be to do the below steps:
1. add the following rules on each of the ipsec-peer-gws, if not already
done
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp