On Mon, 14 Feb 2011 21:52:38 -0800, Daniel Mentz <[email protected]> wrote:

> On 02/13/2011 12:42 PM, Rene Bartsch wrote:
>> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
>> <[email protected]> wrote:
>>> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>>>> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming
>>>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually,
>>>> it seems to work.
>
>> xxx.xxx.xxx.20: eth0 primary public IP of Ubuntu 10.04.2 LTS server
>> xxx.xxx.xxx.102: eth0:0 secondary public IP of Ubuntu 10.04.2 LTS server
>> (IPSec connection)
>> 192.168.176.1: dummy0 Test for virtual servers
>>
>> eth0: 1000Base-T internet-uplink
>> eth1: unused
>
> Hi Rene,
> so I guess there's a misunderstanding here. I thought your servers were
> "behind" your VPN gateway (your Ubuntu box), but it looks like your
> server daemons run on the same machine. That's why you set up the dummy0
> interface, I guess.

Yes, separating service daemons for the public internet and the IPSec intranet. ;-)

> That's actually the reason why the packets never hit the FORWARD chain.
> The fact that the IP address 192.168.176.1 is assigned to an interface
> which is different from the interface on which the ESP packets come in
> is not considered as forwarding. So I guess the rules which are created
> by "leftfirewall=yes" won't help you since you need those rules in your
> INPUT chain.

If there's a way to detect the setup, it would be great if "leftfirewall" automatically detected whether the rules belong in the INPUT or the FORWARD chain.

> You were asking whether your setup might send any plaintext packets,
> right? If you're worried about that then you might want to change the
> default policy of the OUTPUT chain from ACCEPT to DROP and insert
> appropriate rules.

Keeping OUTPUT rules in sync with scripts, e.g. cron jobs creating FTP connections, is too complicated. I think I'll drop private-network packets to the internet as you suggested before.

> Does that answer your questions?

Not yet. ;-)

After an ISP-forced DSL disconnection (thank you Deutsche Telekom AG :-( ) I have to restart IPSec on the Ubuntu machine (/etc/init.d/ipsec restart). Otherwise no IPSec connections can be established. Is there any configuration trick to re-establish the IPSec connection after a disconnection/IP change?

> If you finally have a working setup, you might want to share your
> experience on the strongSwan wiki so that other users can benefit from it.

Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)
Torvalds, Linus (1996-07-20)

>
> -Daniel

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
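The following script is an added example and is not code from the thread or from strongSwan itself. It illustrates the two points discussed above: because the intranet address (192.168.176.1 on dummy0) lives on the gateway, decrypted packets pass through INPUT and OUTPUT rather than FORWARD, so the rules that "leftfirewall=yes" would put into FORWARD have to be written for INPUT/OUTPUT instead; and private-network packets that did not get an IPsec policy (for example after the SA dropped on an IP change) should be discarded on the uplink rather than leave in the clear. The remote subnet (10.0.0.0/24) is an assumed placeholder; the interface names and the 192.168.176.0/24 range come from the thread. Rules are printed by default and only executed with the "apply" argument.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan's own _updown script).
# Scenario: the IPsec peer's intranet traffic terminates on the gateway itself
# (dummy0 / 192.168.176.1), so decrypted packets traverse INPUT/OUTPUT and
# never FORWARD; leftfirewall=yes FORWARD rules therefore do not apply here.
#
# Usage:  sh ipsec-host-rules.sh         # print the iptables commands (default)
#         sh ipsec-host-rules.sh apply   # execute them (needs root)

LOCAL_NET="192.168.176.0/24"   # dummy0 side, from the thread
REMOTE_NET="10.0.0.0/24"       # assumed remote intranet (placeholder value)
WAN_IF="eth0"                  # uplink interface, from the thread
MODE="${1:-print}"

# Emit one iptables rule: print it in "print" mode, execute it in "apply" mode.
rule() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Host-terminated counterpart of the FORWARD rules leftfirewall=yes would add:
# accept intranet traffic only when it really arrived through / leaves through
# an IPsec SA (xt_policy match), so the private ranges cannot bypass the tunnel.
ipsec_host_rules() {
    rule -A INPUT  -s "$REMOTE_NET" -d "$LOCAL_NET" \
         -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    rule -A OUTPUT -s "$LOCAL_NET"  -d "$REMOTE_NET" \
         -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# Plaintext guard discussed in the thread: when the SA is down (e.g. after an
# IP change) packets for the private ranges carry no IPsec policy; drop them on
# the uplink instead of letting them leave unencrypted.
leak_guard_rules() {
    rule -A OUTPUT -o "$WAN_IF" -d "$REMOTE_NET" -m policy --dir out --pol none -j DROP
    rule -A OUTPUT -o "$WAN_IF" -s "$LOCAL_NET"  -m policy --dir out --pol none -j DROP
}

ipsec_host_rules
leak_guard_rules
```

The policy match (`-m policy`) is what distinguishes "arrived decrypted from an ESP SA" from "arrived in plaintext on eth0 with a spoofed private source", which a plain `-s/-d` match on the INPUT chain cannot tell apart; the `--pol none` rules in OUTPUT are the explicit version of the "drop private-network packets to the internet" idea without having to switch the whole OUTPUT chain to a DROP default.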
