Differences

docs:guide-user:services:vpn:strongswan:firewall [2020/10/05 21:16] – ↷ Page moved from docs:guide-user:services:vpn:ipsec:strongswan:firewall to docs:guide-user:services:vpn:strongswan:firewall tmomasdocs:guide-user:services:vpn:strongswan:firewall [2020/10/05 21:16] – ↷ Links adapted because of a move operation tmomas
Line 4: Line 4:
 :!: This page is about strongswan. The old racoon documentation can be found [[docs:guide-user:services:vpn:ipsec:racoon:firewall|here]]. :!: This page is about strongswan. The old racoon documentation can be found [[docs:guide-user:services:vpn:ipsec:racoon:firewall|here]].
  
-When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[docs:guide-user:services:vpn:ipsec:strongswan:basics|basics]] please have look over there first.+When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[docs:guide-user:services:vpn:strongswan:basics|basics]] please have look over there first.
  
 ===== Preface ===== ===== Preface =====
-In the following chapters you will find a detailed description of how to setup firewall rules for IPsec VPN connections. The experienced reader may notice that nowhere iptables IPsec policy rules are used (-m policy --pol ipsec). The reason for that is a special VPN scenario where both tunnel ends use [[docs:guide-user:services:vpn:ipsec:strongswan:overlappingsubnets|overlapping IP addresses]]. In this case we have do use source NAT (network address translation) rules. **SNAT is only available in the POSTROUTING nat table**. At this late firewall stage the system will discover for the first time that the packet has to pass the IPsec tunnel. Any ipsec policy based filter before will ignore the packet. +In the following chapters you will find a detailed description of how to setup firewall rules for IPsec VPN connections. The experienced reader may notice that nowhere iptables IPsec policy rules are used (-m policy --pol ipsec). The reason for that is a special VPN scenario where both tunnel ends use [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]. In this case we have do use source NAT (network address translation) rules. **SNAT is only available in the POSTROUTING nat table**. At this late firewall stage the system will discover for the first time that the packet has to pass the IPsec tunnel. Any ipsec policy based filter before will ignore the packet. 
  
 ===== Zones ===== ===== Zones =====
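Review bot: the basics and overlappingsubnets links in this hunk are moved to the new docs:guide-user:services:vpn:strongswan: path, but the racoon link on the unchanged line above still points at docs:guide-user:services:vpn:ipsec:racoon:firewall; confirm that page was not part of the move, otherwise it becomes a dead link. Two typos are carried over unchanged and could be fixed while the lines are touched: "we have do use source NAT" should read "we have to use source NAT", and "please have look over there" should read "please have a look over there".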
Line 17: Line 17:
   * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target.   * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target.
  
-**Conclusion: Create a new zone and call it vpn.** It is not required to assign an interface to it. If you want to rename the zone to something else you have to adapt parameter **zone** in [[docs:guide-user:services:vpn:ipsec:strongswan:basic|/etc/config/ipsec]].+**Conclusion: Create a new zone and call it vpn.** It is not required to assign an interface to it. If you want to rename the zone to something else you have to adapt parameter **zone** in [[docs:guide-user:services:vpn:strongswan:basic|/etc/config/ipsec]].
  
 ===== Default Rules ===== ===== Default Rules =====
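Review bot: the adapted link target docs:guide-user:services:vpn:strongswan:basic (no trailing s) does not match docs:guide-user:services:vpn:strongswan:basics used in the Preface hunk; both links appear to refer to the same basics page, so one of the two targets is most likely dead and they should be unified.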
Line 132: Line 132:
 ===== VPN Firewall Script ===== ===== VPN Firewall Script =====
 Finally we have a look at the script. It injects all the additionally required settings according to  Finally we have a look at the script. It injects all the additionally required settings according to 
-[[docs:guide-user:services:vpn:ipsec:strongswan:basic|/etc/config/ipsec]] into the OpenWrt firewall. Save it as **/etc/ipsec/firewall.sh** and put a calling line into **/etc/firewall.user** so it gets loaded automatically. **REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /etc/config/firewall will work!**+[[docs:guide-user:services:vpn:strongswan:basic|/etc/config/ipsec]] into the OpenWrt firewall. Save it as **/etc/ipsec/firewall.sh** and put a calling line into **/etc/firewall.user** so it gets loaded automatically. **REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /etc/config/firewall will work!**
  
 <code bash> <code bash>
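Review bot: same basic versus basics target mismatch as in the Zones hunk, so whichever spelling is correct should be applied here too. The REMARK also states that manually written rules in /etc/config/firewall may not work, but the paragraph gives no hint why; a short note that the script derives its rules from the zone parameter in /etc/config/ipsec would make the limitation understandable to the reader.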
Line 265: Line 265:
  
 ===== What's next ===== ===== What's next =====
-With the firewall ready we can start our first IPSec VPN scenario. A [[docs:guide-user:services:vpn:ipsec:strongswan:site2site|site to site]] connection.+With the firewall ready we can start our first IPSec VPN scenario. A [[docs:guide-user:services:vpn:strongswan:site2site|site to site]] connection.
  
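Review bot: style, "IPSec" in this hunk is capitalised differently from "IPsec" used in every other hunk of this page; since the line is being edited for the link move anyway, unify it to "IPsec".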
  • Last modified: 2020/11/11 09:58
  • by vgaetera