
Do these two options do anything bad when they're not supposed to be enabled and they are enabled? Is there any example of what exactly they do, or if we need them.

  • My ipsec gateway is a VPC instance that is behind a NAT (10.0.10.0/24)
  • I want to have a networking sharing machine that is behind a NAT (192.168.10.0/24).
  • My road warriors may also be behind a NAT when they dial in.

Does this mean on the network-share<->gw, I use leftfirewall, and rightfirewall? And, on the roadwarrior I use only leftfirewall. I'm confused and I don't see any docs about when to use these things. All the docs say is that they create the iptables commands, which I wouldn't understand if the docs were more descriptive, which they're not.

I'm using split-tunneling.

Evan Carroll
  • Is there something that the manual doesn't specify that you're confused about? http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection#leftright-End-Parameters: `tunnels established with IPsec are exempted from [the firewall] so that packets can flow unchanged through the tunnels` – Mark Henderson Aug 12 '13 at 02:33
  • What does that even mean? What firewall? You mean to say that if I wrote restricted iptables rules it would write higher priority rules that would exempt the stuff it needs? – Evan Carroll Aug 12 '13 at 02:39
  • There is no "firewall" that I'm aware of, in iptables, in ipsec/strongswan, or in Linux. And, it certainly can't configure an upstream firewall. – Evan Carroll Aug 12 '13 at 02:42

1 Answer


In the words of Jeff Atwood, with projects like this you must learn to love the source.

In the config reading functions we see that when [left|right]firewall is enabled it uses the firewall_defaults:

end->updown = strdupnull(firewall_defaults);

Which is...

firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";

So, it runs ipsec _updown iptables - a simple search brings up the man page. On my CentOS systems, the _updown file is at /usr/libexec/ipsec/_updown which then calls other _updown.* files based on rules - your mileage may vary.
All that said, the StrongSwan documentation is woefully out of date in this regard. This setting is actually obsolete and should not be used.

Mark Henderson
  • That's a brilliant answer. I'll edit it and make it perfect though. That's exactly what I was looking for. – Evan Carroll Aug 12 '13 at 03:47
  • But, I think your conclusion is off. That doc you linked is from FreeS/WAN, the original source of OpenSwan -- and I believe StrongSwan is a fork of OpenSwan. Anyway, there is a lot of confusion I have around StrongSwan. FreeS/WAN is extremely old and unmaintained afaik. – Evan Carroll Aug 12 '13 at 03:50
  • It's unfortunately easy to get lost between pluto/openswan/freeswan/strongswan. – Mark Henderson Aug 12 '13 at 04:35