We've come across a problem sending UDP packets through a tunnel when the
tunnel goes through a firewall and I was hoping someone can
explain/confirm what is going on (please).

Our machine sets up a tunnel to a secure gateway and then opens a UDP
socket through that tunnel to a machine on the far side of the secure
gateway.

We have found that although we can send UDP packets to the far machine,
the return UDP packets were not reaching the local application UNTIL we
opened up the left UDP port in the firewall (all UDP ports are blocked by
default).

So, it appears that the UDP packets come through the tunnel, are decrypted
and then looped back through the firewall?

I'm not too keen on opening the firewall to all UDP packets using that UDP
port number. Is there a more elegant method?

I've a sneaking suspicion someone is going to suggest setting
left=firewall in ipsec.conf and letting charon call _updown to adjust the
iptables?

I can imagine that charon knows how to invoke the _updown script with the
correct left and right IP addresses, but how does it know which UDP ports
we will be using through the tunnel?

Regards,

    Graham.

P. S. As ever, if there is a webpage that explains this all, I would be
glad of any pointers!
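An added example, not from the post above and not strongSwan's own _updown script: the usual answer to "how do I admit the decrypted packets without opening the UDP port to everyone" is to match on the kernel's IPsec policy rather than on the port. The rules below use the iptables policy match (`-m policy --dir in --pol ipsec`), which only matches packets that the kernel actually decrypted from an ESP SA, so cleartext UDP arriving from outside the tunnel never matches no matter which port it uses, and charon does not need to know the application's ports at all. The dispatcher at the bottom uses the PLUTO_VERB and PLUTO_PEER_CLIENT variables that charon exports to its updown script; the rule set, the function names and the `IPT` override are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan's _updown).
# Admit only packets that the kernel decrypted from an IPsec SA, instead of
# opening a UDP port in the firewall to the whole network.
#
# IPT can be overridden (e.g. IPT=echo) to print the rules without root.
IPT="${IPT:-iptables}"

# ipsec_accept_rules ACTION PEER_SUBNET
#   ACTION is -A (insert) or -D (delete). PEER_SUBNET is the remote traffic
#   selector of the CHILD_SA (what charon hands to its updown script as
#   PLUTO_PEER_CLIENT). The policy match keys on the IPsec policy the packet
#   was (or will be) processed under, not on ports, so the rule is independent
#   of whatever UDP ports the application picks inside the tunnel.
ipsec_accept_rules() {
    action="$1"
    peer_subnet="$2"
    # Inbound: packets that were just decrypted from ESP and came from the
    # peer's subnet. Cleartext UDP from the Internet has no IPsec policy
    # and therefore falls through to the default deny.
    "$IPT" "$action" INPUT -s "$peer_subnet" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Outbound: packets that are about to be encrypted towards that subnet.
    "$IPT" "$action" OUTPUT -d "$peer_subnet" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# ipsec_updown VERB PEER_SUBNET
#   Minimal updown-style dispatcher. charon exports PLUTO_VERB (up-client,
#   down-client, up-host, down-host, ...) and PLUTO_PEER_CLIENT; an updown
#   script would call: ipsec_updown "$PLUTO_VERB" "$PLUTO_PEER_CLIENT".
#   Returns 0 for verbs it does not handle so charon is never failed by it.
ipsec_updown() {
    case "$1" in
        up-client|up-host)     ipsec_accept_rules -A "$2" ;;
        down-client|down-host) ipsec_accept_rules -D "$2" ;;
        *) return 0 ;;
    esac
}

# Stand-alone use: dry-run the rules for a constructed peer subnet.
if [ "${1:-}" = "--demo" ]; then
    IPT=echo ipsec_updown up-client 10.9.0.0/24
fi
```

Setting `left=firewall` is not required for this; the policy match works wherever the IPsec processing and the firewall are on the same host, which is exactly the "decrypted then looped back through the firewall" situation described above. If NAT traversal is in use the ESP packets arrive inside UDP/4500, but the policy match still sees the decapsulated, decrypted packet, so the rules do not change.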


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users