> If there's a way to detect the setup it would be great if "leftfirewall"
> automatically detects all rules for INPUT or FORWARD chain.

I believe that this is not doable because the rules in your INPUT/FORWARD chain can be very complex, too complex for a general solution. Even with the current solution, where strongSwan appends ACCEPT rules to your FORWARD chain, you might run into problems. Imagine you have DROP rules in your chain that get triggered by the decrypted packets. Adding ACCEPT rules at the very end won't make a difference because these rules will never be examined. I guess you're better off manually managing these chains.

> Not yet. ;-)

> After ISP-forced DSL-disconnection (Thank you Deutsche Telekom AG :-( ) I
> have to restart IPSec on the Ubuntu machine (/etc/init.d/ipsec restart).
> Otherwise no IPSec connections can be established. Is there any
> configuration trick to reestablish the IPSec connection after disconnection/IP-change?

Restarting IPsec is a bad idea because it brings down not only the IPsec tunnels which are affected by the disconnect of this single interface, but all IPsec tunnels negotiated by strongSwan.

After the disconnect, I guess you have to do an ipsec update (if your IP address changed). I use

  /usr/lib/ipsec/whack --initiate --name $conn --asynchronous

for every IPsec connection. I also re-insert all the necessary source routes with

  ip route add 192.168.x.y/z dev $PPP_IFACE src $SRCIP

Not sure if this is the best solution, however.

If you continue to have problems, then post the output of the following commands before and after the reconnect:

  ip route show table 0
  ip -4 address
  ip xfrm policy
  ip xfrm state
  ipsec statusall

-Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
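The reconnect sequence Daniel describes (ipsec update when the address changed, whack --initiate per connection, re-adding the source routes) fits naturally into a pppd ip-up hook. The script below is an added example, not code from the thread or from the strongSwan project. It assumes pppd exports PPP_IFACE and PPP_LOCAL (which it does for /etc/ppp/ip-up.d/ hooks), and the connection names, destination networks, whack path and state-file location are placeholders for illustration. It uses "ip route replace" instead of "ip route add" so that re-running the hook does not fail when a route already exists; DRY_RUN=1 prints the commands instead of executing them so the hook can be checked without root or a real PPP link.

```shell
#!/bin/sh
# Added example: pppd ip-up hook that re-establishes strongSwan tunnels after
# a forced DSL reconnect. Not part of the original thread or of strongSwan.

# Hypothetical values; adjust to your setup.
CONNS="${CONNS:-branch1 branch2}"                     # strongSwan conn names
ROUTES="${ROUTES:-192.168.10.0/24 192.168.20.0/24}"   # remote subnets needing a src route
WHACK="${WHACK:-/usr/lib/ipsec/whack}"                # whack path from the thread
STATE_FILE="${STATE_FILE:-/var/run/ipsec-last-ip}"    # where the previous address is kept

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ip_changed OLD NEW: true when the ISP assigned a different address.
ip_changed() {
    [ "$1" != "$2" ]
}

# reestablish IFACE NEWIP OLDIP: the sequence from the thread.
#   1. ipsec update only if the local address changed,
#   2. initiate every connection asynchronously via whack,
#   3. put the source routes for the remote subnets back on the PPP device.
reestablish() {
    iface=$1
    newip=$2
    oldip=$3

    if ip_changed "$oldip" "$newip"; then
        run ipsec update
    fi

    for conn in $CONNS; do
        run "$WHACK" --initiate --name "$conn" --asynchronous
    done

    for net in $ROUTES; do
        # "replace" is idempotent; "add" would fail with "File exists" on a rerun.
        run ip route replace "$net" dev "$iface" src "$newip"
    done
}

# When invoked by pppd, compare the new address with the one saved at the
# previous ip-up, act on it, and remember the new address for next time.
if [ -n "$PPP_IFACE" ] && [ -n "$PPP_LOCAL" ]; then
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    reestablish "$PPP_IFACE" "$PPP_LOCAL" "$old"
    printf '%s\n' "$PPP_LOCAL" > "$STATE_FILE"
fi
```

Install it as /etc/ppp/ip-up.d/50-ipsec-reconnect (executable) so pppd runs it after every reconnect; try it first with DRY_RUN=1 PPP_IFACE=ppp0 PPP_LOCAL=<new address> to see exactly which commands would be issued. If the tunnels still do not come up, the diagnostic output Daniel lists (ip route show table 0, ip -4 address, ip xfrm policy, ip xfrm state, ipsec statusall) taken before and after the reconnect is what to compare.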