On Friday 16 August 2013 11:23:28 andreas.balg@clavisit.com wrote:

Hi there,

I recently tried to add a strongswan (4.5.2) ipsec (site-to-site) tunnel to our "uplink router" (debian 7.1 linux/iptables 1.4.14), but I do not understand how I could add a policy allowing NAT/routing or any kind of access to the clients behind this tunnel. Without FW-Builder rules loaded, the tunnel is up and running and routing is working, but this ipsec implementation does not create a virtual interface (like ipsec0) anymore, nor does it use regular routing entries; it uses ip xfrm policies instead.

As soon as I load ANY fwbuilder-created rules script, no packets are transported through the tunnel anymore, no matter whether Strongswan itself adds its automatic iptables rules or not. Of course ESP/AH packets are NOT blocked by the firewall (the SA can be established with "Shields up").

Any hints or ideas how to fix this?

Best regards,

Andreas Balg


I might be missing the point, but on our fwbuilder / ipsec I have set up rules as follows:

created a custom service ipsec inbound with the following code string

-m policy --dir in --pol ipsec

and have a rule which on matching branches to a separate policy:


eg roadWarrior_IP_Range Office_Range ipsec_inbound branch ipsec_policy


and in the ipsec policy add rules as per required

eg roadWarrior_IPRange RDP_Server RDP allow
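A fuller ruleset along the lines of the reply above, as an added example that is not from either poster. The office and remote subnets and the RDP server address are made up, and the script prints the iptables commands for review rather than running them unless it is invoked with "apply".

```shell
#!/bin/sh
# Added example: firewall rules for a strongSwan tunnel that has no ipsec0
# interface. Decrypted packets show up on the physical interface, so the
# rules match on the xfrm policy (-m policy) instead of an interface name.
# Hypothetical addresses: Office_Range, remote site range and RDP_Server.
OFFICE=10.0.0.0/24
REMOTE=192.168.50.0/24
RDP_SERVER=10.0.0.5

# Print the rules instead of executing them so they can be reviewed first.
ipsec_rules() {
    # IKE (UDP 500/4500) and ESP must reach the router itself.
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -j ACCEPT"
    # Inbound tunnel traffic: only packets that were delivered by an inbound
    # ESP policy are handed to the branch chain.
    echo "iptables -N ipsec_policy"
    echo "iptables -A FORWARD -s $REMOTE -d $OFFICE -m policy --dir in --pol ipsec --proto esp -j ipsec_policy"
    # Return traffic is matched by the outbound policy before encryption.
    echo "iptables -A FORWARD -s $OFFICE -d $REMOTE -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
    # Plaintext packets claiming the remote range (policy none) are spoofed.
    echo "iptables -A FORWARD -s $REMOTE -m policy --dir in --pol none -j DROP"
    # NAT caveat: this must precede any MASQUERADE rule, otherwise the source
    # address is rewritten and the packet no longer matches the tunnel selector.
    echo "iptables -t nat -A POSTROUTING -s $OFFICE -d $REMOTE -m policy --dir out --pol ipsec -j ACCEPT"
    # The branch chain: only RDP to the RDP server is allowed from the tunnel.
    echo "iptables -A ipsec_policy -p tcp -d $RDP_SERVER --dport 3389 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A ipsec_policy -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A ipsec_policy -j DROP"
}

# Number of generated rules that use the xfrm policy match (self-check).
policy_rule_count() {
    ipsec_rules | grep -c -- '-m policy'
}

if [ "${1:-}" = "apply" ]; then
    ipsec_rules | sh -e
else
    ipsec_rules
fi
```

Load the printed commands after any existing fwbuilder script, or model them as fwbuilder custom services as the reply describes, so they are not lost when the generated script is reloaded.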