Hi
I have a working IPsec site-to-site VPN with the Auto packet filter option enabled. With the Auto packet filter option enabled, Astaro creates the below iptables rules and all traffic successfully traverses the tunnel.
-A AUTO_FORWARD -s 192.168.20.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i ipsec+ -j CONFIRMED
-A AUTO_FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -o ipsec+ -j CONFIRMED
As you can see and would expect, it uses the ipsec interfaces, although it defines the rules for all ipsec interfaces and not the specific ipsec interface for this VPN tunnel, which is weird? Maybe someone can explain why it does this, as a side question.
The problem is that I don't want all traffic to be permitted between the two networks, so I disable the auto packet filter rule and try to create my own rules. This is where I get stuck, as all traffic is blocked.
Even if I try and replicate the above rule with my own rules it doesn't work. For example, if I create two new packet filter rules that allow any traffic between the two LAN subnets, it creates the below iptables rules but no traffic is allowed through the IPsec tunnel. As you can see, the interface is eth0 and not the ipsec interfaces. As far as I can see there is no way of choosing which interface you want to define the rules for?
-A USR_FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -o eth0 -m logmark --logmark 1 -j LOGACCEPT
-A USR_FORWARD -s 192.168.20.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i eth0 -m logmark --logmark 2 -j LOGACCEPT
So my question is, with a working IPsec site-to-site VPN... how can I disable the Auto packet filter option on the IPsec tunnel and manually create packet filter rules that permit traffic through my IPsec tunnel?
Many thanks
Scott
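As an added audit helper (not from the original post, and not Astaro's own code), the script below parses FORWARD rules like the ones quoted above and flags any rule between the two tunnel subnets that is bound to a non-IPsec interface, which is exactly the symptom Scott describes. The subnets and rule lines come from the post; the sample text is constructed from them.

```python
"""Audit iptables FORWARD rules for a site-to-site IPsec tunnel.

A rule that allows traffic between the two tunnel subnets but matches a
physical interface (eth0) instead of the IPsec virtual interfaces (ipsec+)
will never see the tunnel traffic; this script points such rules out.
"""
import ipaddress
import shlex

# Constructed sample: the auto-generated rules and the user rules from the post.
SAMPLE_RULES = """
-A AUTO_FORWARD -s 192.168.20.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i ipsec+ -j CONFIRMED
-A AUTO_FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -o ipsec+ -j CONFIRMED
-A USR_FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.20.0/255.255.255.0 -o eth0 -m logmark --logmark 1 -j LOGACCEPT
-A USR_FORWARD -s 192.168.20.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i eth0 -m logmark --logmark 2 -j LOGACCEPT
"""

LOCAL = ipaddress.ip_network("192.168.0.0/24")    # local LAN from the post
REMOTE = ipaddress.ip_network("192.168.20.0/24")  # remote LAN from the post
OPTIONS = {"-A": "chain", "-s": "src", "-d": "dst", "-i": "in", "-o": "out", "-j": "target"}


def parse_rule(line):
    """Extract chain, src/dst networks, interfaces and target from one '-A' line."""
    toks = shlex.split(line)
    rule = {k: None for k in OPTIONS.values()}
    i = 0
    while i < len(toks):
        key = OPTIONS.get(toks[i])
        if key and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1  # skip match options we do not care about (-m logmark ...)
    for k in ("src", "dst"):
        if rule[k]:
            # ipaddress accepts the dotted-netmask form iptables prints
            rule[k] = ipaddress.ip_network(rule[k], strict=False)
    return rule


def tunnel_rule_findings(rules_text):
    """Return (chain, target, interface, bound_to_ipsec) for each tunnel-subnet rule."""
    findings = []
    for line in rules_text.strip().splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if not (r["src"] and r["dst"]) or {r["src"], r["dst"]} != {LOCAL, REMOTE}:
            continue
        iface = r["in"] or r["out"]
        findings.append((r["chain"], r["target"], iface, bool(iface) and iface.startswith("ipsec")))
    return findings


if __name__ == "__main__":
    for chain, target, iface, ok in tunnel_rule_findings(SAMPLE_RULES):
        print(f"{chain:13} -> {target:10} on {iface:7} {'ok' if ok else 'NOT an IPsec interface'}")
```

Feed it the output of `iptables-save` (FORWARD-related chains) on a box where the tunnel is up to see which of your own rules are bound to the wrong interface.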