[strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
Hi, I'm new to IPSec and StrongSWAN, so a "Hello" to all list members! ;-) Setting up a VPN tunnel between two Fritzboxes and a Ubuntu server drives me crazy. Packets from the private subnet of the Ubuntu server lead to a VPN tunnel being created and everything works fine, but packets from the sub

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Andreas Steffen
Hello Rene, strongSwan never sets up a tunnel based on incoming plaintext packets. With auto=route only outgoing plaintext packets trigger the setup of an IPsec tunnel. Packets from a subnet behind the Fritzbox should cause the Fritzbox to initiate an IKE negotiation. In any case a tcpdump or wireshark l

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
Hello Andreas, After using tcpdump, I set all iptables policies to "ACCEPT", and flushing all rules led to a working VPN. Which iptables rules do I have to set to allow the IPSec connection handshake? Best regards, Renne On Sat, 12 Feb 2011 18:12:07 +0100, Andreas Steffen wrote: > Hello

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Andreas Steffen
Hello Rene, you must open UDP port 500 for IKE and UDP port 4500 if you have a NAT situation. In order to pass encrypted IPsec packets you must open IP protocol 50 (ESP). Regards Andreas On 02/12/2011 08:15 PM, Rene Bartsch wrote: > Hello Andreas, > > After using tcpdump I set all IPTables pol

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
Hello Andreas, I've added the rules iptables -t filter -A INPUT -d -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT iptables -t filter -A INPUT -d -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT iptables -t filter -A INPUT -d -

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Andreas Steffen
On 02/12/2011 08:58 PM, Rene Bartsch wrote: > Hello Andreas, > > I've added the rules > > iptables -t filter -A INPUT -d -p esp -m > comment --comment "ACCEPT IPSec ESP" -j ACCEPT > iptables -t filter -A INPUT -d -p udp -m udp --dport 500 -m > comment --comment "ACCEPT

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
On Sat, 12 Feb 2011 21:10:41 +0100, Andreas Steffen wrote: > On 02/12/2011 08:58 PM, Rene Bartsch wrote: >> Hello Andreas, >> >> I've added the rules >> >> iptables -t filter -A INPUT -d -p esp >> -m >> comment --comment "ACCEPT IPSec ESP" -j ACCEPT >> iptables -t filter -

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-13 Thread Rene Bartsch
On Sat, 12 Feb 2011 16:42:42 -0800, Daniel Mentz wrote: > On 02/12/2011 12:30 PM, Rene Bartsch wrote: >> My IPTables rules: >> >> *filter >> :INPUT DROP [0:0] >> :FORWARD DROP [0:0] >> :OUTPUT ACCEPT [86:9176] > > Hi Rene, > > not sure if this is relevant, but I think you're missing some ipta

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-13 Thread Rene Bartsch
After removing "leftfirewall=yes" from ipsec.conf and adding the incoming FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, it seems to work. Is that a secure setup or is there any risk of sending plain packets? *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCE

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-13 Thread Daniel Mentz
On 02/13/2011 07:34 AM, Rene Bartsch wrote: > The "leftfirewall=yes" option adds rules to FORWARD chain automatically at > IPSec handshake: Alright. Sorry, I missed that. > I added a LOG target as last rule in INPUT and FORWARD chains. Trying a > HTTP request with wget dropped the following pack

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-13 Thread Daniel Mentz
On 02/13/2011 08:49 AM, Rene Bartsch wrote: > After removing "leftfirewall=yes" from ipsec.conf and adding the incoming > FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, it > seems to work. That's strange. Can you save the output of "iptables-save" in both cases and run a

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-13 Thread Rene Bartsch
On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz wrote: > On 02/13/2011 08:49 AM, Rene Bartsch wrote: >> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming >> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, >> it >> seems to work. > > That's strange.

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-14 Thread Daniel Mentz
On 02/13/2011 12:42 PM, Rene Bartsch wrote: > On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz > wrote: >> On 02/13/2011 08:49 AM, Rene Bartsch wrote: >>> After removing "leftfirewall=yes" from ipsec.conf and adding the > incoming >>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-15 Thread Rene Bartsch
On Mon, 14 Feb 2011 21:52:38 -0800, Daniel Mentz wrote: > On 02/13/2011 12:42 PM, Rene Bartsch wrote: >> On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz >> wrote: >>> On 02/13/2011 08:49 AM, Rene Bartsch wrote: After removing "leftfirewall=yes" from ipsec.conf and adding the >> incoming >>

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-17 Thread Daniel Mentz
> If there's a way to detect the setup it would be great if "leftfirewall" > automatically detects all rules for INPUT or FORWARD chain. I believe that this is not doable because the rules in your INPUT/FORWARD chain can be very complex, too complex for a general solution. Even with the current
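Pulling together Andreas's list of what has to be open (UDP 500 for IKE, UDP 4500 when NAT is in play, IP protocol 50 for ESP) and the later question of what "leftfirewall=yes" does and whether plaintext could slip through, here is an added example. It is not code from the thread and not strongSwan's own _updown script: a small POSIX shell script that emits the iptables rules for a gateway whose INPUT and FORWARD chains default to DROP, as in the posted ruleset. The interface name, the gateway address and both subnets are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan itself.
# Emits (or with --apply, loads) a minimal iptables ruleset for a strongSwan
# gateway whose INPUT and FORWARD chains default to DROP. OUTPUT is left alone
# because it defaults to ACCEPT in the posted ruleset.
# All names below are placeholders, not values from the original posts:
#   $1 = WAN interface on which IKE/ESP arrive   (e.g. eth0)
#   $2 = the gateway's own public address        (e.g. 203.0.113.1)
#   $3 = local subnet behind the gateway         (e.g. 10.0.0.0/24)
#   $4 = remote subnet behind the Fritzbox       (e.g. 192.168.178.0/24)

ipsec_fw_rules() {
    if [ "$#" -ne 4 ]; then
        echo "usage: ipsec_fw_rules WAN_IF MY_IP LOCAL_SUBNET REMOTE_SUBNET" >&2
        return 2
    fi
    wan_if=$1; my_ip=$2; lan=$3; rlan=$4
    cat <<EOF
# 1. The handshake: IKE on UDP 500, plus UDP 4500 for NAT traversal. With
#    NAT-T the ESP payload is UDP-encapsulated on 4500 as well, so keep both.
iptables -A INPUT -i $wan_if -d $my_ip -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan_if -d $my_ip -p udp --dport 4500 -j ACCEPT
# 2. The encrypted payload: IP protocol 50 (ESP) addressed to this host.
iptables -A INPUT -i $wan_if -d $my_ip -p esp -j ACCEPT
# 3. Traffic after decryption. The kernel runs the decapsulated inner packet
#    through INPUT/FORWARD again with $rlan as its source address. The policy
#    match accepts it only if it really arrived inside an SA, so a spoofed
#    plaintext packet claiming to come from $rlan is still dropped.
iptables -A INPUT   -i $wan_if -s $rlan          -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -i $wan_if -s $rlan -d $lan  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
# 4. Return direction through FORWARD. Here the match asserts the packet will
#    be encrypted on the way out rather than leave the WAN interface in clear.
iptables -A FORWARD -o $wan_if -s $lan  -d $rlan -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

case "${1:-}" in
    --apply) shift; ipsec_fw_rules "$@" | sh ;;   # load the rules; needs root
    "")      ;;                                   # no arguments: do nothing
    *)       ipsec_fw_rules "$@" ;;               # print the rules for review
esac
```

Run it with the four arguments to review the rules, or prefix them with `--apply` to load them. The policy-matched rules in steps 3 and 4 are the kind strongSwan's default _updown script installs itself when leftfirewall=yes: in FORWARD for subnet-to-subnet connections, and in INPUT/OUTPUT when the gateway's own address is one tunnel endpoint. A rule keyed only on the remote subnet's source address, without `-m policy`, would also accept a forged plaintext packet carrying that address, which is the inbound half of the "risk of sending plain packets" question; the `--dir out` rule covers the outbound half.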