authorTobias Brunner <tobias@strongswan.org>2013-11-07 17:50:02 +0100
committerTobias Brunner <tobias@strongswan.org>2014-01-23 10:27:12 +0100
commit6d1198e71d3bd8e2f3b5c1fc1f3348807433d851 (patch)
treefcab928da6a62d5ab8c54cf9982960e359a434d2
parentcf4a7395aaee59b871382154ba9bfeda0819d057 (diff)
downloadstrongswan-6d1198e71d3bd8e2f3b5c1fc1f3348807433d851.tar.bz2
strongswan-6d1198e71d3bd8e2f3b5c1fc1f3348807433d851.tar.xz
updown: Allow IPIP traffic if IPComp was negotiated
The kernel implicitly creates an IPIP SA if an IPComp SA is installed. This SA is used inbound for small packets that are not compressed. Since the addresses are different (they are the tunnel addresses, not those of the tunneled traffic), additional rules are required if the traffic selector does not cover the tunnel addresses (e.g. due to a NAT). For SAs with multiple traffic selectors, duplicate rules will get installed.
-rw-r--r--src/_updown/_updown.in31
1 files changed, 31 insertions, 0 deletions
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 36bf64c6a..532bd2437 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -414,6 +414,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
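Review bot: The ACCEPT inserted at the head of INPUT is keyed only on the outer addresses `-s $PLUTO_PEER -d $PLUTO_ME`, which are trivially spoofable, so it is safe only because `$IPSEC_POLICY_IN` restricts the match to packets that were decapsulated from an ESP SA; that variable is defined outside this hunk, and if it can ever expand to nothing (policy match unavailable) this becomes an unconditional cleartext IPIP accept placed ahead of every other INPUT rule. I would record that dependency next to the rule, e.g. `# only safe because $IPSEC_POLICY_IN limits this to post-ESP packets; the outer addresses alone are spoofable`, and, if a per-CHILD_SA reqid is exported to this script, add it to the policy match so the exception cannot be satisfied by a different SA between the same two hosts. The `up-host:iptables` case starts before this hunk.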
@@ -438,6 +446,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
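Review bot: The teardown only works if the `-D` match spec stays byte-identical to the `-I INPUT 1` spec in the up path, and that spec is now duplicated verbatim in four places; any future divergence makes the delete fail silently and leaves a stale ACCEPT at the top of INPUT after the tunnel is gone. I would build the spec once and reuse it in both directions, e.g. `IPIP_RULE="-i $PLUTO_INTERFACE -p 4 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT"` with `iptables -I INPUT 1 $IPIP_RULE` and `iptables -D INPUT $IPIP_RULE`, so up and down cannot drift apart. The `down-host:iptables` case starts before this hunk.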
@@ -477,6 +492,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
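Review bot: The exception is added only for IPv4 (`-p 4` via iptables); the kernel's fallback SA for an IPv6 IPComp SA is IPv6-in-IPv6 (protocol 41), so if this script also has `-v6` variants of the host/client cases (not visible in this diff) they need the same conditional block using `ip6tables ... -p 41`, otherwise small uncompressed inbound packets on IPv6 IPComp tunnels are still dropped. Secondary: up-client runs once per traffic selector, so the identical rule is inserted several times; that is harmless only as long as every up-client is paired with a down-client that `-D`s one copy, so any later dedup such as `iptables -C INPUT ... || iptables -I INPUT 1 ...` must also make the teardown conditional, or the first down would strip the rule while other selectors are still up. The `up-client:iptables` case starts before this hunk.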
@@ -520,6 +544,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then