On 04.07.2016 09:33, Harald Dunkel wrote:
> PS: I found out a little bit more. If there is a new connection
> initiated by a road warrior, then /var/log/messages shows me
>
> Jul 4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87
> DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP
> SPT=50374 DPT=53 LEN=47
> Jul 4 08:55:03 srvl047 kernel: [73014.164948] iptables-dropped: IN=eth0
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87
> DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=21954 PROTO=UDP
> SPT=62524 DPT=53 LEN=47
> Jul 4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87
> DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP
> SPT=64310 DPT=53 LEN=46
> Jul 4 08:55:03 srvl047 kernel: [73014.165340] iptables-dropped: IN=eth0
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87
> DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41664 PROTO=UDP
> SPT=50876 DPT=53 LEN=46
> Jul 4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI,
> CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 ==
> 172.19.96.0/19
>
> I know that the sequence in the log file might not match the
> actual sequence of events, but I wonder if there could be a
> race condition?
>
> Is there some way to introduce an artificial "new connection
> delay" for the very first packages to give the firewall some
> time to come up?
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Updown
> suggests to introduce global iptable entries instead of
> setting leftfirewall=yes. Both source and destination address
> in the "iptables-dropped" lines are valid on eth1 (the
> internal side) only. I wouldn't like to support global
> forward rules between eth0 and eth1. Maybe there is a way to
> introduce a virtual network device to be used exclusively for
> the VPN payload, instead of eth0?
I'm not sure what your objection is to creating the same rules
permanently (which the page seems to call "global") that the updown
script creates dynamically anyway?

Regards,
Dennis

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
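Dennis's suggestion of permanent rules, as an added example that is not part of the thread and not strongSwan's own _updown script: the FORWARD rules below carry the iptables policy match, so they accept only packets that arrived inside an IPsec SA (or are about to leave inside one), not arbitrary eth0/eth1 forwarding, which is the concern Harald raised. The interfaces and the internal subnet 172.19.96.0/19 come from the quoted log; the road-warrior virtual IP pool RW_POOL is an assumed placeholder.

```shell
#!/bin/sh
# Permanent FORWARD rules for road-warrior traffic, scoped by the IPsec policy
# match (xt_policy) instead of by interface alone. Added example, not from the
# thread or from strongSwan's _updown script.

EXT_IF="eth0"              # where ESP arrives (log: IN=eth0)
INT_IF="eth1"              # internal side (log: OUT=eth1)
RW_POOL="172.19.97.0/24"   # PLACEHOLDER: virtual IP pool given to road warriors
INT_NET="172.19.96.0/19"   # internal subnet from the vpn log line

# Print the rules rather than run them, so they can be reviewed and placed in a
# persistent ruleset ahead of the logging drop rule. These are the equivalents
# of what leftfirewall=yes inserts per connection, minus the per-SA reqid.
ipsec_forward_rules() {
    # Decrypted packets coming out of the VPN towards the internal net
    echo "iptables -I FORWARD 1 -i $EXT_IF -o $INT_IF -s $RW_POOL -d $INT_NET -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    # Replies headed back into the VPN, about to be encrypted
    echo "iptables -I FORWARD 2 -i $INT_IF -o $EXT_IF -s $INT_NET -d $RW_POOL -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
}

# Number of rules the generator emits (sanity check for a complete ruleset).
rule_count() {
    ipsec_forward_rules | wc -l | tr -d ' '
}

# Succeeds only if every emitted rule carries the IPsec policy match, i.e.
# none of them is an unconditional forward between the two interfaces.
all_rules_policy_matched() {
    ipsec_forward_rules | grep -v -- '--pol ipsec' | grep -q . && return 1
    return 0
}

# Apply only on explicit request; the default is review mode (print only).
if [ "${1:-}" = "--apply" ]; then
    ipsec_forward_rules | while read -r cmd; do eval "$cmd"; done
else
    ipsec_forward_rules
fi
```

Run with --apply (as root, with the xt_policy match available) to install the rules; without it the commands are only printed for review.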