Hi Sarat,

leftfirewall=yes installs and removes dynamic IPsec policy iptables rules guaranteeing that only traffic coming or going into an IPsec tunnel is forwarded.

Regards

Andreas

On 04.08.2016 14:00, Sarat Vajrapu wrote:
> Hi Andreas,
>
> Thanks for the inputs.
>
> I was expecting leftfirewall=yes would take care of adding default
> policies for IKE, ESP and drop traffic.
> From your explanation, I understood that we need to explicitly configure
> iptables. So what does leftfirewall actually do?
>
> Regards,
> Sarat Vajrapu
>
> On Tue, Aug 2, 2016 at 2:50 PM, Andreas Steffen
> <andreas.stef...@strongswan.org> wrote:
>
>     Hi Sarat,
>
>     leftfirewall=yes is the right way to go. Just set up a
>     general drop policy with iptables, just allowing IKE
>     traffic via UDP ports 500 and 4500 as well as allowing
>     ESP (IP protocol 50). Also make sure that the updown
>     plugin is loaded by the charon daemon.
>
>     Best regards
>
>     Andreas
>
>     On 01.08.2016 09:21, Sarat Vajrapu wrote:
>     > Hi,
>     >
>     > I am trying a lab setup with IPsec between two nodes.
>     > Is there a way where I can send/receive data packets only if ipsec is
>     > UP, else just drop the traffic?
>     >
>     > I tried "leftfirewall" option but it did not help me.
>     > Your inputs are highly appreciated.
>     >
>     > Regards,
>     > Sarat
>     >
>     > _______________________________________________
>     > Users mailing list
>     > Users@lists.strongswan.org
>     > https://lists.strongswan.org/mailman/listinfo/users
>
>     --
>     ======================================================================
>     Andreas Steffen andreas.stef...@strongswan.org
>     strongSwan - the Open Source VPN Solution! www.strongswan.org
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==

--
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
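
Added example, not part of the thread and not strongSwan's own code: the static drop-by-default baseline described in the 2 August reply (IKE on UDP 500 and 4500, ESP) in iptables-restore format, plus a check that can be run over `iptables-save` output. The function names are hypothetical, and the check assumes that the rules installed dynamically when a tunnel comes up carry an `-m policy --pol ipsec` match.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Baseline in iptables-restore format: drop everything by default and admit
# only IKE (UDP 500 and 4500) and ESP (IP protocol 50) at the gateway itself.
# Management access (e.g. SSH) is deliberately left out; add it as needed.
baseline_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin. Returns 0 only if INPUT and
# FORWARD drop by default, IKE and ESP are admitted, and every FORWARD ACCEPT
# rule is bound to an IPsec policy match (assumed form of the dynamic rules).
audit_dump() {
    dump=$(cat)
    rc=0
    has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }
    has '^:INPUT DROP'   || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    has '^:FORWARD DROP' || { echo "FAIL: FORWARD policy is not DROP"; rc=1; }
    for port in 500 4500; do
        has "^-A INPUT .*-p udp .*--dport $port .*-j ACCEPT" ||
            { echo "FAIL: IKE on UDP $port is not allowed in"; rc=1; }
    done
    has '^-A INPUT .*-p (esp|50) .*-j ACCEPT' ||
        { echo "FAIL: ESP is not allowed in"; rc=1; }
    # Any FORWARD ACCEPT without a policy match passes cleartext traffic.
    leaks=$(printf '%s\n' "$dump" | grep -E '^-A FORWARD .*-j ACCEPT' |
            grep -Ev -- '-m policy .*--pol ipsec' || true)
    [ -z "$leaks" ] || { echo "FAIL: FORWARD accepts non-IPsec traffic:"
                         echo "$leaks"; rc=1; }
    return $rc
}

# Self-check: the baseline passes its own audit.
baseline_rules | audit_dump && echo "baseline: OK"
```

On a live gateway the same check is `iptables-save -t filter | audit_dump`, run once with the tunnel down and once with it up.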