On 02/13/2011 12:42 PM, Rene Bartsch wrote:
> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
> <danielml+mailinglists.strongs...@sent.com> wrote:
>> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>>> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming
>>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, it
>>> seems to work.
>
> xxx.xxx.xxx.20:  eth0    primary public IP of Ubuntu 10.04.2 LTS server
> xxx.xxx.xxx.102: eth0:0  secondary public IP of Ubuntu 10.04.2 LTS server (IPSec connection)
> 192.168.176.1:   dummy0  Test for virtual servers
>
> eth0: 1000Base-T internet-uplink
> eth1: unused

Hi Rene,

so I guess there's a misunderstanding here. I thought your servers were "behind" your VPN gateway (your Ubuntu box), but it looks like your server daemons run on the same machine. That's why you set up the dummy0 interface, I guess.

That's actually the reason why the packets never hit the FORWARD chain. The fact that the IP address 192.168.176.1 is assigned to an interface which is different from the interface on which the ESP packets come in is not considered forwarding. So I guess the rules which are created by "leftfirewall=yes" won't help you, since you need those rules in your INPUT chain.

You were asking whether your setup might send any plaintext packets, right? If you're worried about that, then you might want to change the default policy of the OUTPUT chain from ACCEPT to DROP and insert appropriate rules.

Does that answer your questions?

If you finally have a working setup, you might want to share your experience on the strongSwan wiki so that other users can benefit from it.

-Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
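The two points Daniel makes (decrypted packets for an address on a local interface such as dummy0 are delivered locally and so traverse INPUT, not FORWARD; and a default-deny OUTPUT policy is the way to be sure no cleartext leaves), as an added shell example that is not part of this thread and not strongSwan's own _updown script. It prints the iptables commands rather than applying them, so it can be inspected first and piped to sh on the gateway. The PLUTO_* variable names follow the environment strongSwan's _updown script receives; the default values, the peer subnet 10.9.0.0/24 and the peer gateway 198.51.100.7 are constructed sample data, and the exact rule text of the real _updown script may differ.

```shell
#!/bin/sh
# Added illustration (not from the thread, not strongSwan's _updown script):
# emit INPUT/OUTPUT rules that mirror what leftfirewall=yes installs in FORWARD,
# for a host whose protected subnet lives on a local interface (dummy0) and
# therefore never passes through the FORWARD chain.
# Output is a list of iptables commands; pipe it to sh to apply.

# Variables named like the ones _updown gets from the daemon. The defaults are
# constructed sample values so the script can be dry-run anywhere.
PLUTO_INTERFACE="${PLUTO_INTERFACE:-eth0}"                # interface the ESP packets arrive on
PLUTO_MY_CLIENT="${PLUTO_MY_CLIENT:-192.168.176.0/24}"    # local (dummy0) subnet behind the tunnel
PLUTO_PEER_CLIENT="${PLUTO_PEER_CLIENT:-10.9.0.0/24}"     # remote subnet (constructed)
PLUTO_PEER="${PLUTO_PEER:-198.51.100.7}"                  # remote IKE gateway (constructed)
PLUTO_REQID="${PLUTO_REQID:-1}"                           # SA request id the policy match keys on
PLUTO_PROTO="${PLUTO_PROTO:-esp}"

# $1 is the iptables verb: -I when the tunnel comes up, -D when it goes down.
# Both rules use the xt_policy match, so only packets the kernel has actually
# decrypted (dir in) or will encrypt (dir out) under this SA are accepted;
# a cleartext packet merely claiming a 192.168.176.x address does not qualify.
ipsec_host_rules() {
  verb="$1"
  # Local delivery counterpart of the FORWARD "in" rule.
  printf 'iptables %s INPUT -i %s -s %s -d %s -m policy --dir in --pol ipsec --reqid %s --proto %s -j ACCEPT\n' \
    "$verb" "$PLUTO_INTERFACE" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT" "$PLUTO_REQID" "$PLUTO_PROTO"
  # Locally generated replies: the counterpart of the FORWARD "out" rule.
  printf 'iptables %s OUTPUT -o %s -s %s -d %s -m policy --dir out --pol ipsec --reqid %s --proto %s -j ACCEPT\n' \
    "$verb" "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" "$PLUTO_REQID" "$PLUTO_PROTO"
}

# Default-deny OUTPUT so nothing leaves in cleartext unless explicitly allowed.
# IKE (UDP 500, UDP 4500 for NAT traversal) and ESP (IP protocol 50) toward the
# peer gateway must stay open, otherwise the tunnel itself cannot be established.
output_default_deny() {
  cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $PLUTO_INTERFACE -d $PLUTO_PEER -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o $PLUTO_INTERFACE -d $PLUTO_PEER -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -o $PLUTO_INTERFACE -d $PLUTO_PEER -p esp -j ACCEPT
EOF
}

# Dry run: print what would be applied when the tunnel comes up.
ipsec_host_rules -I
output_default_deny
```

With the OUTPUT policy at DROP, anything the box tries to send that is neither IKE/ESP to the peer nor covered by an IPsec policy is dropped rather than leaking in cleartext, which is the check Rene was asking about; `iptables -L OUTPUT -v` then shows such attempts as a rising packet count on the chain's policy line.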