Gerd,

    Thanks very much for the confirmation and pointer on how to do things
properly.

>> I'm not too keen on opening the firewall to all UDP packets using that
>> UDP port number. Is there a more elegant method ?
>
> Yes, you could use the policy match of iptables. E.g. "-m policy --pol
> ipsec" matches only packets coming in decrypted or going out encrypted.
>

Unfortunately, I can't get "-m policy --pol ipsec" to work :-(

Here is the current firewall on my embedded system (i.e. no rules added):

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I changed the ipsec.conf on my x86 ubuntu laptop to say "leftfirewall=yes"
and captured the commands executed by /libexec/ipsec/_updown to add a
firewall rule for all traffic coming in via the tunnel:

iptables -I INPUT 1 -i eth0 -p 0 -s 172.17.0.0/16 -d 10.10.2.78/32 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT

When I execute a similar command on my embedded system, I get:

# iptables -I INPUT 1 -i eth0 -p 0 -s 172.17.0.0/16 -d 10.10.0.51/32 -m policy --pol ipsec --proto esp --reqid 1 --dir in -j ACCEPT

iptables: No chain/target/match by that name

Even trying to cut down the command to the bare minimum has no success:

# iptables -A INPUT -p 0 -m policy --pol ipsec --proto esp --dir in -j ACCEPT

iptables: No chain/target/match by that name

Any clues what can be causing this ?

The iptables version on the embedded system is 1.4.2 (vs. 1.4.1.1 on the
x86 ubuntu laptop). Looking at the way we configure and build iptables, it
looks like a vanilla configure with nothing excluded or added.

Is there some kernel build config option we are missing ?

Or a module we may have built for the kernel but not actually installed ?

Any hints gratefully accepted !

Regards,

    Graham.
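
Added example (not part of this thread or of strongSwan's _updown script): a small POSIX sh script that first checks whether the policy match is actually available on the host, and then prints the rule set that accepts plaintext from the remote subnet only when it arrived decrypted through the tunnel, instead of opening the UDP port to everyone. The interface, subnet and local address are taken from the post above; the kernel config option name and module name are the standard ones for xt_policy. Nothing is applied unless you pipe the output into sh yourself.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from strongSwan itself.

# "iptables: No chain/target/match by that name" means the userland extension
# (libxt_policy.so) loaded fine but the kernel has no xt_policy match.
# Had the userland part been missing, iptables would instead say
# "Couldn't load match `policy'". So check the kernel side first.
check_policy_match() {
    cfg=/boot/config-$(uname -r)
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_NETFILTER_XT_MATCH_POLICY=[ym]' \
            && echo "kernel config: CONFIG_NETFILTER_XT_MATCH_POLICY enabled" \
            || echo "kernel config: CONFIG_NETFILTER_XT_MATCH_POLICY not set"
    elif [ -r "$cfg" ]; then
        grep -q '^CONFIG_NETFILTER_XT_MATCH_POLICY=[ym]' "$cfg" \
            && echo "kernel config: CONFIG_NETFILTER_XT_MATCH_POLICY enabled" \
            || echo "kernel config: CONFIG_NETFILTER_XT_MATCH_POLICY not set"
    else
        echo "kernel config: not readable, check your .config for CONFIG_NETFILTER_XT_MATCH_POLICY"
    fi
    # If it was built as a module (=m) it must also be installed and loadable
    modprobe xt_policy 2>/dev/null && echo "module: xt_policy loaded" \
        || echo "module: xt_policy could not be loaded (built-in, or not installed?)"
}

# Print (do not apply) the rules for one tunnel.
# $1 = interface, $2 = remote subnet, $3 = local address.
ipsec_only_rules() {
    iface=$1; remote=$2; local_ip=$3
    # IKE and NAT-T keying traffic still has to reach the IKE daemon
    echo "iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT"
    # The ESP packet itself must be accepted before the kernel can decrypt it;
    # after decryption the inner packet traverses INPUT a second time.
    echo "iptables -A INPUT -i $iface -p esp -j ACCEPT"
    # Plaintext from the remote subnet is accepted only if it was decrypted
    # (--reqid from _updown is omitted so the rule covers any SA to that peer)
    echo "iptables -A INPUT -i $iface -s $remote -d $local_ip -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    echo "iptables -A OUTPUT -o $iface -s $local_ip -d $remote -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
    # Anything else claiming to come from the remote subnet (i.e. spoofed
    # cleartext that bypassed the tunnel) is dropped
    echo "iptables -A INPUT -i $iface -s $remote -j DROP"
}

# Usage: run the diagnostics, then review the rules before applying them
# check_policy_match
# ipsec_only_rules eth0 172.17.0.0/16 10.10.0.51        # review
# ipsec_only_rules eth0 172.17.0.0/16 10.10.0.51 | sh   # apply
```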


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
