On Friday 16 August 2013 11:23:28 firstname.lastname@example.org wrote:
I recently tried to add a strongSwan (4.5.2) IPsec (site-to-site) tunnel to our "uplink router" (Debian 7.1, Linux/iptables 1.4.14), but I do not understand how I could add a policy allowing NAT/routing or any kind of access to the clients behind this tunnel. Without FW-Builder rules loaded, the tunnel is up and running and routing is working, but this IPsec implementation does not create a virtual interface (like ipsec0) anymore, nor does it use regular routing entries; it uses ip xfrm policies instead.
As soon as I load ANY fwbuilder-created rules script, no packets are transported through the tunnel anymore, no matter whether strongSwan itself adds its automatic iptables rules or not. Of course ESP/AH packets are NOT blocked by the firewall (the SA can be established with "Shields up").
Any hints or ideas how to fix this?
I might be missing the point, but on our fwbuilder / ipsec setup I have set up rules as follows:
created a custom service "ipsec_inbound" with the following code string:
    -m policy --dir in --pol ipsec
and have a rule which, on matching, branches to a separate policy:
    e.g. roadWarrior_IP_Range Office_Range ipsec_inbound branch ipsec_policy
and in the ipsec policy add rules as required:
    e.g. roadWarrior_IP_Range RDP_Server RDP allow
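As an added example (not code from either poster or from fwbuilder), here are the plain iptables commands that the objects above boil down to, plus the nat POSTROUTING exemption the original question about NAT needs. The addresses, the outbound interface eth0 and the RDP port are constructed placeholders; the chain name ipsec_policy comes from the reply.

```shell
#!/bin/sh
# Added example, not from the thread: the plain iptables rules that the fwbuilder
# objects described above (ipsec_inbound service, branch to ipsec_policy) boil down to.
# The addresses are constructed placeholders; substitute your own.
ROADWARRIOR_RANGE="10.99.0.0/24"   # placeholder for roadWarrior_IP_Range
OFFICE_RANGE="192.168.10.0/24"     # placeholder for Office_Range
RDP_SERVER="192.168.10.5"          # placeholder for RDP_Server
IPT="${IPT:-iptables}"

# Print the rule set instead of applying it, so it can be reviewed without root;
# pipe the output to sh as root to load it.
ipsec_rules() {
    cat <<EOF
$IPT -N ipsec_policy
# Only packets the kernel has just decapsulated from an IPsec SA match the policy
# module; a plain packet forged with a road-warrior source address never reaches the branch.
$IPT -A FORWARD -s $ROADWARRIOR_RANGE -d $OFFICE_RANGE -m policy --dir in --pol ipsec -j ipsec_policy
# Inside the branch: allow RDP to the one server, refuse everything else from the tunnel.
$IPT -A ipsec_policy -s $ROADWARRIOR_RANGE -d $RDP_SERVER -p tcp --dport 3389 -j ACCEPT
$IPT -A ipsec_policy -j DROP
# Reply direction: answers leave via the tunnel, so they are matched with --dir out.
$IPT -A FORWARD -s $OFFICE_RANGE -d $ROADWARRIOR_RANGE -m policy --dir out --pol ipsec -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Keep tunnel traffic out of the MASQUERADE rule: if it is NATed before the xfrm
# lookup it no longer matches the IPsec policy selector and silently bypasses the tunnel.
$IPT -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}
```

Run `ipsec_rules` to review the output, then `ipsec_rules | sh` as root to apply it; the order of the two nat rules is what keeps tunnel traffic unmasqueraded.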