Hi,

I am trying to implement a route-based VPN with strongSwan and XFRM interfaces. My problem is that the traffic coming from / going to that XFRM interface will be blocked with "FORWARD REJECT".

Environment:
- Debian 10 Buster (4.19.0-12)
- Shorewall 5.2.3.2 (Debian Buster repository)
- iproute2 5.8.0-1 (Debian Buster backports; at least 5.1.0 is required for XFRM, the default repo contains 4.20.0)

This is how the interface will be added:

    ip link add ipsec30 type xfrm if_id 30 dev eth2
    sysctl -w net.ipv4.conf.ipsec30.disable_policy=1
    ip link set ipsec30 up

And set the required route(s):

    ip route add 10.17.0.0/16 dev ens30

Shorewall config (only the part related to this VPN; the other interfaces are directly connected to the firewall and of type ipv4):

zones:
    vpn30 ipv4

interfaces:
    vpn30 ipsec30

I see two different behaviors based on the zone type. In this example I try to connect to a host with SSH.

Client: 10.17.214.6
Server: 10.0.5.8

If the type is "ipv4" I see the reject on the incoming connection:

    Oct 28 17:46:31 hostname kernel: [57864.415557] FORWARD REJECT IN=ipsec30 OUT=eth3 MAC= SRC=10.17.14.6 DST=10.0.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=52462 DF PROTO=TCP SPT=39218 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

If the type is "ipsec" I see the reject on the answer of the server I try to connect to:

    Oct 28 17:46:50 hostname kernel: [57884.255061] FORWARD REJECT IN=eth3 OUT=ipsec30 MAC=6e:04:7e:ca:5f:5e:3e:2b:36:91:b4:f6:08:00 SRC=10.0.5.8 DST=10.17.14.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=39234 WINDOW=65160 RES=0x00 ACK SYN URGP=0

I have also tried the option routeback on the interface.

Can anyone help me with this behavior?

Thanks in advance.

Regards,
Peter
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users