Strongswan, How do I block client-to-client traffic in strongswan v4.6.4? I want to completely isolate the VPN clients from each other.
My implementation is simple. The closest example is http://strongswan.org/uml/testresults4/pfkey/rw-cert/index.html

When client VPN tunnels are connected to 'moon', roadwarrior 'carol' (in random hotel#1) and roadwarrior 'dave' (in random hotel#2) can access each other on their VPN tunnel assigned non-routable IPs! For example, if 'carol' is running a web server that binds to her VPN assigned non-routable, 'dave' can port scan and access 'carol' web server.

How do I block traffic between all VPN clients (eg: 'carol' and 'dave')? I've tried iptables INPUT, FORWARD, and OUTPUT but have been unable to block the client-to-client traffic. The VPN client ACCEPT rules are added *above* the REJECT rule I added.

I've spent a great deal of effort getting 4.6.4 working and my attempts with 5.x have failed, so please don't ask me to upgrade.

The server configs are inline below. VPN clients get a 10.1.0.0/16 address and can access each other when connected to the strongswan server.

thanks,
Chris

# /etc/sysconfig/iptables FORWARD rules
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.1.0.0/16 -j REJECT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -p udp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# This is what the rules look like before any VPN clients connect
# note the REJECT line position
$ iptables -L
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            policy match dir in pol ipsec
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
REJECT     all  --  10.1.0.0/16          10.1.0.0/16         reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

# live iptables after 10.1.0.6 and 10.1.0.7 connect.
# note VPN client ACCEPT rules are added *above* the reject
# Firewall policies are processed top down, so the REJECT line does absolutely nothing.
$ iptables -L
*snip*
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.0.7             anywhere            policy match dir in pol ipsec reqid 16660 proto esp
ACCEPT     all  --  anywhere             10.1.0.7            policy match dir out pol ipsec reqid 16660 proto esp
ACCEPT     all  --  10.1.0.6             anywhere            policy match dir in pol ipsec reqid 16652 proto esp
ACCEPT     all  --  anywhere             10.1.0.6            policy match dir out pol ipsec reqid 16652 proto esp
ACCEPT     all  --  anywhere             anywhere            policy match dir in pol ipsec
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
REJECT     all  --  10.1.0.0/16          10.1.0.0/16         reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
*snip*

[root@e20-Strongswan etc]# cat strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
        # number of worker threads in charon
        threads = 32

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {
                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        # ...
}

pluto {
        dns1 = 10.1.0.253
}

libstrongswan {
        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
}

[root@e20-Strongswan etc]# cat ipsec.conf
config setup
        plutodebug=control
        plutostart=yes
        plutostderrlog=/var/log/pluto.log
        nat_traversal=yes
        uniqueids=yes
        crlcheckinterval=60
        cachecrls=yes
        strictcrlpolicy=yes

# '%default' is the ipsec.conf syntax for a defaults section ('$default' is not valid)
ca %default
        auto=add

conn ios
        type=tunnel
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=serverCert.pem
        leftfirewall=yes
        right=%any
        rightsourceip=10.1.0.0/16
        pfs=no
        auto=add
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
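Added example, not part of Chris's post and not strongSwan's own code: a small Python model of the first-match FORWARD traversal visible in the two iptables -L listings above. It reproduces the posted filter rules, mimics the pair of ACCEPT rules that leftfirewall=yes (strongSwan's updown script) inserts at the top of the filter-table FORWARD chain for each connecting client, and shows why the posted REJECT never fires for decrypted client-to-client traffic. It then checks the same traffic against a DROP placed in the mangle table's FORWARD chain, which netfilter traverses before the filter table's FORWARD chain and which the updown script does not modify. The Packet and Rule classes, the decision to leave out the conntrack-state and ppp+ interface rules (they sit below the policy rule and cannot change the outcome for decrypted traffic), and the constructed non-client destination 192.0.2.10 are assumptions of this example; the client addresses 10.1.0.6 and 10.1.0.7 and the 10.1.0.0/16 pool come from the post.

```python
"""Model of first-match FORWARD-chain traversal built from the rules in the post.

Constructed example, not from the mailing-list post or from strongSwan. Assumes:
  * leftfirewall=yes inserts per-client ACCEPT rules at position 1 of the
    filter-table FORWARD chain (as the second 'iptables -L' listing shows);
  * the mangle-table FORWARD chain is traversed before the filter-table one
    (netfilter hook priority), so a DROP there cannot be shadowed by rules
    that are later inserted into filter.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    ipsec_in: bool = False   # arrived decrypted from an IPsec SA (-m policy --dir in)
    ipsec_out: bool = False  # will be encrypted into an IPsec SA (-m policy --dir out)
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                       # ACCEPT / REJECT / DROP
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None models '-p all'
    policy_dir: Optional[str] = None  # "in" / "out" models -m policy --pol ipsec

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.policy_dir == "in" and not pkt.ipsec_in:
            return False
        if self.policy_dir == "out" and not pkt.ipsec_out:
            return False
        return True


# The posted /etc/sysconfig/iptables FORWARD rules (state/interface rules omitted,
# see the lead-in). Order matters: the first matching rule decides.
POSTED_FILTER_FORWARD: List[Rule] = [
    Rule("ACCEPT", policy_dir="in"),                        # -m policy --dir in --pol ipsec
    Rule("REJECT", src="10.1.0.0/16", dst="10.1.0.0/16"),   # the rule meant to isolate clients
    Rule("ACCEPT", proto="tcp"),
    Rule("ACCEPT", proto="udp"),
]


def first_match_index(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the rule that decides the packet, or None if the chain policy applies."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return None


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; the chain policy applies if none matches."""
    i = first_match_index(rules, pkt)
    return policy if i is None else rules[i].target


def forward_verdict(mangle: List[Rule], filt: List[Rule], pkt: Packet) -> str:
    """mangle FORWARD runs before filter FORWARD; DROP/REJECT in mangle is final."""
    verdict = walk_chain(mangle, pkt)
    if verdict != "ACCEPT":
        return verdict
    return walk_chain(filt, pkt)


def updown_up_client(chain: List[Rule], client_ip: str) -> None:
    """Mimic what the posted listing shows happening when a client connects:
    two ACCEPT rules for that client inserted at the top of filter FORWARD."""
    chain[:0] = [
        Rule("ACCEPT", src=client_ip, policy_dir="in"),
        Rule("ACCEPT", dst=client_ip, policy_dir="out"),
    ]


def client_to_client(src: str, dst: str) -> Packet:
    """Decrypted from one client's SA, about to be encrypted into the other's."""
    return Packet(src=src, dst=dst, ipsec_in=True, ipsec_out=True)


def live_filter_chain() -> List[Rule]:
    """filter FORWARD after 10.1.0.6 and then 10.1.0.7 connect, as in the post."""
    filt = list(POSTED_FILTER_FORWARD)
    updown_up_client(filt, "10.1.0.6")
    updown_up_client(filt, "10.1.0.7")
    return filt


def verdict_with_posted_rules(src: str = "10.1.0.6", dst: str = "10.1.0.7") -> str:
    return forward_verdict([], live_filter_chain(), client_to_client(src, dst))


def verdict_with_mangle_drop(src: str = "10.1.0.6", dst: str = "10.1.0.7") -> str:
    # Equivalent real rule: iptables -t mangle -I FORWARD 1 -s 10.1.0.0/16 -d 10.1.0.0/16 -j DROP
    mangle = [Rule("DROP", src="10.1.0.0/16", dst="10.1.0.0/16")]
    return forward_verdict(mangle, live_filter_chain(), client_to_client(src, dst))


if __name__ == "__main__":
    pkt = client_to_client("10.1.0.6", "10.1.0.7")
    print("posted chain, no clients yet :", walk_chain(POSTED_FILTER_FORWARD, pkt),
          "(decided by rule", first_match_index(POSTED_FILTER_FORWARD, pkt), ")")
    print("posted chain, clients up     :", verdict_with_posted_rules())
    print("with mangle DROP, client->client:", verdict_with_mangle_drop())
    print("with mangle DROP, client->other :", verdict_with_mangle_drop(dst="192.0.2.10"))
```

Two things the model makes visible that the listings alone do not: the generic `-m policy --dir in --pol ipsec -j ACCEPT` at the top of the posted chain already shadows the REJECT for any decrypted packet, before a single client has connected, so the REJECT can only ever match 10.1.0.0/16 traffic that did not arrive through a tunnel; and a DROP in the mangle table's FORWARD chain is reached before the filter table is consulted at all, so the per-client rules the updown script keeps inserting into filter can no longer shadow it. The mangle rule is scoped to source and destination both inside the pool, so client-to-Internet forwarding is unaffected. The other place to put such a rule is a custom script via strongSwan's leftupdown option, but that changes what gets inserted rather than where the block is evaluated.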
