Gerd,

Thanks very much for the confirmation and pointer on how to do things properly.

>> I'm not too keen on opening the firewall to all UDP packets using that
>> UDP port number. Is there a more elegant method?
>
> Yes, you could use the policy match of iptables. E.g. "-m policy --pol ipsec"
> matches only packets coming in decrypted or going out encrypted.

Unfortunately, I can't get "-m policy --pol ipsec" to work :-(

Here is the current firewall on my embedded system (i.e. no rules added):

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I changed the ipsec.conf on my x86 ubuntu laptop to say "leftfirewall=yes" and captured the commands executed by /libexec/ipsec/_updown to add a firewall rule for all traffic coming in via the tunnel:

iptables -I INPUT 1 -i eth0 -p 0 -s 172.17.0.0/16 -d 10.10.2.78/32 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT

When I execute a similar command on my embedded system, I get:

# iptables -I INPUT 1 -i eth0 -p 0 -s 172.17.0.0/16 -d 10.10.0.51/32 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT
iptables: No chain/target/match by that name

Even trying to cut down the command to the bare minimum has no success:

# iptables -A INPUT -p 0 -m policy --pol ipsec --proto esp --dir in -j ACCEPT
iptables: No chain/target/match by that name

Any clues what can be causing this?

The iptables version on the embedded system is 1.4.2 (vs. 1.4.1.1 on the x86 ubuntu laptop). Looking at the way we configure and build iptables, it looks like a vanilla configure with nothing excluded or added.

Is there some kernel build config option we are missing? Or a module we may have built for the kernel but not actually installed?

Any hints gratefully accepted!

Regards,
Graham.

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
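The two possibilities Graham raises at the end of his message (a kernel config option that was never enabled, or a module built but not installed) can be told apart without guessing. The script below is an added diagnostic, not code from the strongSwan project or from this thread. It assumes the standard Linux layout: the iptables policy match is implemented in the kernel by net/netfilter/xt_policy.c, controlled by CONFIG_NETFILTER_XT_MATCH_POLICY, installed as xt_policy.ko when built as a module, and paired in userspace with the iptables extension libxt_policy.so in the xtables library directory. The kernel .config fragment in the demo is constructed to reproduce the symptom; the directory paths are temporary, not real system paths.

```shell
#!/bin/sh
# Added diagnostic (not from strongSwan or the poster): narrow down why
# "iptables -m policy --pol ipsec" fails with "No chain/target/match by that
# name". That message means the kernel rejected the rule; a missing userspace
# extension prints "Couldn't load match `policy'" instead. The usual cause is
# therefore the kernel side: CONFIG_NETFILTER_XT_MATCH_POLICY unset, or built
# as =m but xt_policy.ko never installed. Every check takes a path so it can
# run against a staging tree or, as in demo(), against constructed files.

# Read a kernel .config; prints "builtin", "module" or "missing".
policy_match_in_config() {
    if grep -q '^CONFIG_NETFILTER_XT_MATCH_POLICY=y' "$1"; then
        echo builtin
    elif grep -q '^CONFIG_NETFILTER_XT_MATCH_POLICY=m' "$1"; then
        echo module
    else
        echo missing
    fi
}

# Is xt_policy.ko present under the given modules directory
# (normally /lib/modules/$(uname -r))? Prints "yes" or "no".
policy_module_installed() {
    if [ -f "$1/kernel/net/netfilter/xt_policy.ko" ]; then echo yes; else echo no; fi
}

# Is the iptables userspace extension present in the given xtables library
# directory (e.g. /lib/xtables on Ubuntu)? Prints "yes" or "no".
policy_extension_installed() {
    if [ -f "$1/libxt_policy.so" ]; then echo yes; else echo no; fi
}

# Overall verdict: kernel-config, module-not-installed, userspace-missing or ok.
diagnose_policy_match() {
    config_file="$1"; moddir="$2"; libdir="$3"
    state=$(policy_match_in_config "$config_file")
    if [ "$state" = missing ]; then
        echo kernel-config
    elif [ "$state" = module ] && [ "$(policy_module_installed "$moddir")" = no ]; then
        echo module-not-installed
    elif [ "$(policy_extension_installed "$libdir")" = no ]; then
        echo userspace-missing
    else
        echo ok
    fi
}

# Human-readable fix for each verdict.
fix_for() {
    case "$1" in
        kernel-config)        echo "enable CONFIG_NETFILTER_XT_MATCH_POLICY (y or m) and rebuild the kernel" ;;
        module-not-installed) echo "xt_policy built as a module but not installed: run 'make modules_install', then 'modprobe xt_policy'" ;;
        userspace-missing)    echo "iptables was built without libxt_policy.so: rebuild iptables with the policy extension" ;;
        ok)                   echo "policy match available; if the rule still fails, 'modprobe xt_policy' before adding it" ;;
        *)                    echo "unknown verdict: $1"; return 1 ;;
    esac
}

# Demo on a constructed .config fragment in which the match was never enabled
# (the first of Graham's two hypotheses). Temporary paths, not a real system.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/modules/kernel/net/netfilter" "$tmp/xtables"
    # constructed kernel .config fragment, not the embedded build's real config
    printf '%s\n' 'CONFIG_NETFILTER_XTABLES=y' \
                  '# CONFIG_NETFILTER_XT_MATCH_POLICY is not set' > "$tmp/config"
    : > "$tmp/xtables/libxt_policy.so"   # userspace side present, as on the laptop
    verdict=$(diagnose_policy_match "$tmp/config" "$tmp/modules" "$tmp/xtables")
    echo "verdict: $verdict"
    echo "fix:     $(fix_for "$verdict")"
    rm -rf "$tmp"
}

# On a live box pass real paths instead, e.g.
#   zcat /proc/config.gz > /tmp/config      (or copy /boot/config-$(uname -r))
#   diagnose_policy_match /tmp/config /lib/modules/$(uname -r) /lib/xtables
demo
```

The order of the checks follows the error text: because "No chain/target/match by that name" is the kernel's answer, the kernel config is examined first and the userspace extension last. Once the verdict is `ok`, the _updown rule quoted in the message should load as-is; the `--reqid` and `--proto esp` arguments are pure userspace options and do not need anything beyond xt_policy in the kernel.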