Hi Noel,
On 07/05/16 14:12, Noel Kuntze wrote:
> That is what is happening. IPsec packets are processed as soon as the SAs and
> SPs are inserted into the SAD and SPD, but
> the updown script takes some time to execute. Obviously the firewall rules
> are inserted too late.
>
I am glad that we agree on that.
> The only solution for you is to write your own firewall rule that allows the
> IPsec protected IP packets from a roadwarrior IP to
> any other subnet. The SPs narrow down the allowed traffic further to what was
> negotiated.
>
Maybe I am too blind to see, but I haven't found this in
the wiki. This is the code I added to the forward chain:
iptables -A FORWARD -s ${right_lan} -d ${left_lan} -i eth0 -m policy --dir in \
    --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -s ${left_lan} -d ${right_lan} -o eth0 -m policy --dir out \
    --pol ipsec --proto esp -j ACCEPT
Default policy is drop, of course. The leftsubnet lines in
ipsec.conf are set to "no".
Thanx for your help
Harri
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
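The approach Noel describes (a static firewall rule that admits only ESP-protected packets from the roadwarrior pool, so nothing depends on when the updown script runs) worked through as a ruleset generator. This is an added example, not code from either poster or from strongSwan; the pool, LAN and interface values are constructed placeholders, and the rules are emitted in iptables-restore format so the whole set loads atomically.

```shell
#!/bin/sh
# Added example (not from the thread): emit a static iptables ruleset that
# accepts forwarded traffic for a roadwarrior virtual-IP pool only when the
# packet arrived inside ESP (--dir in) or will leave inside ESP (--dir out).
# Because the rules are permanent, there is no window between SA/SP
# installation and the updown script in which packets get dropped.
# All three arguments are assumed/constructed values, not from the thread.

ipsec_fw_rules() {
    pool="$1"    # roadwarrior virtual IP pool handed out by the gateway
    lan="$2"     # protected subnet behind the gateway
    wan_if="$3"  # interface on which IKE and ESP arrive
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE, NAT-T and raw ESP addressed to the gateway itself
-A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT
-A INPUT -i $wan_if -p udp --dport 4500 -j ACCEPT
-A INPUT -i $wan_if -p esp -j ACCEPT
# Decrypted packets from the pool are accepted only if they came in via ESP;
# the negotiated SPs narrow the permitted traffic further
-A FORWARD -i $wan_if -s $pool -d $lan -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Replies toward the pool are accepted only if the SPD will encrypt them
-A FORWARD -o $wan_if -s $lan -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# On a real gateway, load the generated set atomically (constructed values):
#   ipsec_fw_rules 10.10.10.0/24 192.168.1.0/24 eth0 | iptables-restore
```

With rules like these in place, leftfirewall can stay off, since the updown script no longer needs to add per-connection rules.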