updown: Allow IPIP traffic if IPComp was negotiated
The kernel implicitly creates an IPIP SA when an IPComp SA is installed. This SA is used inbound for small packets that are not compressed. Since the addresses are different (they are the tunnel addresses, not those of the tunneled traffic), additional rules are required if the traffic selector does not cover the tunnel addresses (e.g. due to a NAT). For SAs with multiple traffic selectors, duplicate rules will get installed.
This commit is contained in:
parent
cf4a7395aa
commit
6d1198e71d
|
@ -414,6 +414,14 @@ up-host:iptables)
|
|||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||
#
|
||||
# allow IPIP traffic because of the implicit SA created by the kernel if
|
||||
# IPComp is used (for small inbound packets that are not compressed)
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec host connection setup
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||
|
@ -438,6 +446,13 @@ down-host:iptables)
|
|||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||
#
|
||||
# IPIP exception teardown
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec host connection teardown
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||
|
@ -477,6 +492,15 @@ up-client:iptables)
|
|||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# allow IPIP traffic because of the implicit SA created by the kernel if
|
||||
# IPComp is used (for small inbound packets that are not compressed).
|
||||
# INPUT is correct here even for forwarded traffic.
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec client connection setup
|
||||
if [ $VPN_LOGGING ]
|
||||
then
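Review bot: The safety of the new `-p 4` ACCEPT rule rests entirely on `$IPSEC_POLICY_IN` restricting the match to packets that arrived through an IPsec policy; its definition is outside this hunk, and if it is ever empty the rule degrades to `-p 4 -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT`, which admits any cleartext IPIP packet with a spoofed source address, and because it is inserted with `-I INPUT 1` it takes precedence over every other INPUT rule. I would make that dependency explicit with a fail-closed guard, `if [ -n "$PLUTO_IPCOMP" ] && [ -n "$IPSEC_POLICY_IN" ]`, or at least record it in the comment: `# NOTE: only safe because $IPSEC_POLICY_IN limits the match to IPsec-decapsulated packets`. Two smaller points: `-p 4` covers IPv4-in-IPv4 only, so the same implicit SA for IPv6 tunneled traffic (protocol 41, and the ip6tables cases) is presumably not handled by this change; and the mirroring `-D` in down-client must be built from identical variable values, so if any of them can differ between up and down the ACCEPT rule will outlive the SA. The `up-client:iptables)` case arm starts and ends outside this hunk.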
|
||||
|
@ -520,6 +544,13 @@ down-client:iptables)
|
|||
$IPSEC_POLICY_OUT -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# IPIP exception teardown
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec client connection teardown
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||