Hello everyone!
I'm using Debian, Shorewall and Strongswan on my Linux routers.
It seems Shorewall doesn't allow input of ESP packets formed by IPsec
initiated by Strongswan.

I have the following line in tunnels:

#TYPE         ZONE        GATEWAY             GATEWAY_ZONE
ipsec         net         xx.xx.xx.51

It compiles to the following iptables rules:

...
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107 28045 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
...
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
  101 27583 net-fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol none
...
Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  2213 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       xx.xx.xx.51          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       xx.xx.xx.51          0.0.0.0/0            udp dpt:500 ctstate NEW,UNTRACKED

And the packets never hit the net-fw chain; they are rejected by policy:
Nov 28 12:24:47 gw kernel: [9640691.231945] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00: SRC=xx.xx.xx.51 DST=<router> LEN=86 TOS=0x00 PREC=0x00 TTL=62 ID=61247 PROTO=4

In case I use the "leftfirewall=yes" option in the Strongswan config, which
inserts its native iptables rules, it inserts the following:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 ACCEPT     4    --  eth0   *       xx.xx.xx.51          <router>             policy match dir in pol ipsec reqid 2 proto 50

So I assume there should be no "policy match dir in pol none" option in
the eth0_in chain to correctly process IPsec packets.
Similarly, if I add some rules like
ACCEPT   net:xx.xx.xx.0/16       $FW                ah
ACCEPT   net:xx.xx.xx.0/16       $FW                esp
packets never hit those rules either, as they are compiled into the net-fw chain.

So, is there any option to turn off the "policy match dir in pol none" option
in the eth0_in chain, or am I completely mistaken about the issue?

Thanks in advance!
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
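Added example, not code from the post or from Shorewall or Strongswan: a Python diagnostic that parses `iptables -nvL` output like the listing above, walks the jump chain from INPUT, and reports which hops on the way to a given protocol's ACCEPT rule carry an IPsec `policy match`. All function names are hypothetical, and the embedded excerpt is constructed from the post's listing; run against it, the script surfaces the `pol none` gate in eth0_in that the post asks about.

```python
import re

# Constructed `iptables -nvL` excerpt modelled on the post's listing; counters are
# illustrative and xx.xx.xx.51 is the post's own placeholder for the IPsec peer.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107 28045 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  101 27583 net-fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol none

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  2213 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       xx.xx.xx.51          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       xx.xx.xx.51          0.0.0.0/0            udp dpt:500 ctstate NEW,UNTRACKED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# columns: pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s*(.*)$")

def parse_chains(text):
    """Map chain name -> list of (target, proto, in_iface, source, extra_matches)."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = []
        elif cur and (r := RULE_RE.match(line)):
            chains[cur].append(r.groups())
    return chains

def gates_to(chains, chain, proto, target, path=()):
    """All hop lists (chain, extra_matches) a packet passes from `chain` to a `proto`/`target` rule."""
    found = []
    for tgt, prt, _in, _src, extra in chains.get(chain, []):
        if tgt == target and prt == proto:
            found.append(list(path) + [(chain, extra)])
        elif tgt in chains and tgt not in {c for c, _ in path}:  # follow jumps, no loops
            found.extend(gates_to(chains, tgt, proto, target, path + ((chain, extra),)))
    return found

def policy_gates(chains, proto, target="ACCEPT", start="INPUT"):
    """Hops en route to the `proto` rule whose extra match tests the IPsec policy state."""
    return [hop for route in gates_to(chains, start, proto, target)
            for hop in route if "policy match" in hop[1]]
```

Feed it the real output of `iptables -nvL` instead of SAMPLE to see which policy matches sit between INPUT and the esp or ah rules on a live router.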