First off in AWS, if you’re going to be a router, have you disabled “Source/Destination Check” (or something to that effect) in the instance properties? If not, the instance will work across the tunnel, but you won’t be able to route through it.
EKG

> On Sep 23, 2017, at 10:37, Whit Blauvelt <w...@transpect.com> wrote:
>
> Hi,
>
> I find discussion three years ago in this list on using iptables marks with
> strongSwan, and see suggestions there may be some of that it does
> automatically in the background. There was discussion three years back about
> researching different advanced methods. If it reached a clear conclusion, I
> haven't found it.
>
> I have also found a partial discussion elsewhere of possible conflicts
> between strongSwan's methods and the marking techniques used by FireHOL, but
> again without full resolution or a final summary document. In my own case
> I'm finding FireHOL and its link-balancer utility invaluable.
>
> I'm also not yet routing correctly to the subnets behind a system with those
> on one end and the subnets behind one on AWS on the other -- where the AWS
> instance has a slight complication in that it's got several interfaces, one
> on a VPC, the other -- which strongSwan is connecting to -- not.
>
> A few years back, when running openswan, I'd set up iptables like this:
>
>     iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1   # udp/isakmp
>     iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1               # esp
>     iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
>     iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
>     iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
>
> Worked well there. Obviously it's not a good formula for strongSwan (I've of
> course tried it). Can someone please point me to either a good background
> discussion or a good current set of examples showing how to get strongSwan
> and Netfilter working correctly together?
>
> I realize strongSwan works on platforms other than Linux, so documenting
> Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
> world its documents will expand to include theory and recipes for the
> various firewalls it is commonly used with.
>
> Best,
> Whit
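As an added example (not code from this thread, from strongSwan or from FireHOL), here is the Netfilter side of the question done with the xt_policy match instead of packet marks, together with the checks that EKG's EC2 point and the mark-conflict concern call for; the interface, subnets and instance id are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: a Netfilter ruleset for a strongSwan
# gateway that recognises IPsec traffic with the xt_policy match instead of
# packet marks, so it leaves the fwmark space free for tools such as a link
# balancer. Interface and subnet names are assumed; override via environment.
set -eu
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the IKE peer
LOCAL_NET="${LOCAL_NET:-10.0.0.0/16}"    # assumed: subnet behind this gateway
REMOTE_NET="${REMOTE_NET:-10.1.0.0/16}"  # assumed: subnet behind the remote peer

# Print the rules with iptables action $1 (-A add, -D delete, -C check).
ipsec_rules() {
  act="$1"
  nat_act="$act"; [ "$act" = "-A" ] && nat_act="-I"   # NAT exemption must precede MASQUERADE
  cat <<EOF
iptables $act INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables $act INPUT -i $WAN_IF -p esp -j ACCEPT
iptables $act FORWARD -s $REMOTE_NET -d $LOCAL_NET -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables $act FORWARD -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat $nat_act POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# True (exit 0) when two fwmark/mask pairs, e.g. strongSwan's per-connection
# mark_in/mark_out and a link balancer's marks, claim overlapping bits; with
# overlapping bits one tool silently rewrites the other's routing decision.
marks_overlap() {
  [ $(( ${1#*/} & ${2#*/} )) -ne 0 ]
}

# Runtime checks a gateway operator wants before blaming the tunnel.
forwarding_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]; }
rules_present() { ipsec_rules -C | while read -r cmd; do $cmd >/dev/null 2>&1 || exit 1; done; }
# On EC2 the instance must also have source/destination checking disabled,
# or it drops transit packets even though the rules above are correct.
ec2_srcdst_check_off() {
  [ "$(aws ec2 describe-instance-attribute --instance-id "$1" \
        --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text)" = "False" ]
}

case "${1:-}" in
  apply)  ipsec_rules -A | sh -e ;;
  remove) ipsec_rules -D | sh -e ;;
  verify) forwarding_enabled && rules_present && echo "ipsec rules in place" ;;
esac
```

Run it as `sh ipsec-fw.sh apply` on the gateway and `sh ipsec-fw.sh verify` afterwards; `ec2_srcdst_check_off i-xxxx` needs the AWS CLI configured for the account that owns the instance.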