Differences
| | docs:guide-user:services:vpn:ipsec:strongswan:firewall [2019/08/26 15:52] – tag optimization vgaetera | | docs:guide-user:services:vpn:strongswan:firewall [2020/10/05 21:16] – ↷ Links adapted because of a move operation tmomas |
|---|---|---|---|
| | Line 4: | | Line 4: |
| | :!: This page is about strongswan. The old racoon documentation can be found [[docs: | | :!: This page is about strongswan. The old racoon documentation can be found [[docs: |
| - | When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[docs: | + | When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[docs: |
| | ===== Preface ===== | | ===== Preface ===== |
| - | In the following chapters you will find a detailed description of how to setup firewall rules for IPsec VPN connections. The experienced reader may notice that nowhere iptables IPsec policy rules are used (-m policy --pol ipsec). The reason for that is a special VPN scenario where both tunnel ends use [[docs: | + | In the following chapters you will find a detailed description of how to setup firewall rules for IPsec VPN connections. The experienced reader may notice that nowhere iptables IPsec policy rules are used (-m policy --pol ipsec). The reason for that is a special VPN scenario where both tunnel ends use [[docs: |
| | ===== Zones ===== | | ===== Zones ===== |
| | Line 17: | | Line 17: |
| | * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target. | | * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target. |
| - | **Conclusion: | + | **Conclusion: |
| | ===== Default Rules ===== | | ===== Default Rules ===== |
| | Line 132: | | Line 132: |
| | ===== VPN Firewall Script ===== | | ===== VPN Firewall Script ===== |
| | Finally we have a look at the script. It injects all the additionally required settings according to | | Finally we have a look at the script. It injects all the additionally required settings according to |
| - | [[docs: | + | [[docs: |
| | <code bash> | | <code bash> |
| | Line 265: | | Line 265: |
| | ===== What's next ===== | | ===== What's next ===== |
| - | With the firewall ready we can start our first IPSec VPN scenario. A [[docs: | + | With the firewall ready we can start our first IPSec VPN scenario. A [[docs: |