The strongSwan IKEv2 NetworkManager plugin network-manager-strongswan was installed on Ubuntu 20.04.4 and configured to reconnect automatically. However, when the VPN is not available I'd like to block all possible outgoing traffic. strongSwan does not create a separate tunnel interface. Instead it adds a virtual IP (192.168.22.0/24 subnet in my case) to the existing interface and inserts the corresponding route, e.g.:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:1c:dd:23:11:5d brd ff:ff:ff:ff:ff:ff
    inet 10.22.48.4/24 brd 10.22.48.255 scope global dynamic noprefixroute enp0s5
       valid_lft 1781sec preferred_lft 1781sec
    inet 192.168.22.12/32 scope global enp0s5
       valid_lft forever preferred_lft forever
$ ip route show table 220
default via 10.22.48.1 dev enp0s5 proto static src 192.168.22.12 
10.22.48.0/24 dev enp0s5 proto static src 10.22.48.4 

I do not want to rely on VPN up/down scripts. Also, a solution like "How can I block traffic over wifi before the VPN connects?" would not work as I have no separate tunnel interface.

My firewall configuration so far:

ufw allow out 53                              comment "dns"
ufw allow out 67:68/udp                       comment "dhcp"
ufw allow out 500,4500/udp                    comment "ipsec ikev2"
ufw allow out from 192.168.22.0/24            comment "from ipsec ip"
ufw allow out from 127.0.0.0/8 to 127.0.0.0/8 comment "lo"
ufw deny out to 0.0.0.0/0

But I'm not sure if this solution is good enough. It feels like I'm missing something. For example, I need to allow DNS explicitly. It looks like it does not go through the tunnel.

UPD: Libreswan on the server side, ikev2.conf:

conn ikev2-cp
  left=%defaultroute
  leftcert=<hidden>
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.22.10-192.168.22.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=<hidden>
  modecfgdns="8.8.8.8 8.8.4.4"
  mobike=no
  authby=rsa-sha1
lorond
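An added example, not from the question or from the strongSwan/ufw projects: a script that prints a tightened version of the rule set above and audits a rule list for "allow out" rules that remain usable in clear text while the VPN is down. It assumes (placeholder, not from the post) that VPN_SERVER is the gateway's public address and that the NM connection pins the gateway by IP, so no DNS lookup is needed before the tunnel is up.

```shell
#!/bin/sh
# Added example, not from the original question: print a tightened ufw
# outbound policy for a route-based strongSwan client, and audit a rule
# list for "allow out" rules that stay open in clear text while the VPN
# is down. Assumption (placeholder, not from the post): VPN_SERVER is
# the gateway's public address and the client config pins it by IP, so
# no DNS lookup is needed before the tunnel comes up.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder, documentation range
VPN_POOL="192.168.22.0/24"                 # rightaddresspool in the question
VPN_DNS="8.8.8.8 8.8.4.4"                  # modecfgdns in the question

# Print the rules; nothing is applied unless the output is piped into sh.
killswitch_rules() {
    printf 'ufw default deny outgoing\n'
    printf 'ufw allow out on lo\n'
    printf 'ufw allow out 67:68/udp comment "dhcp"\n'
    # IKE/NAT-T (and raw ESP, should the server stop forcing encapsulation)
    # only towards the gateway, not towards any host on port 500/4500.
    printf 'ufw allow out proto udp to %s port 500,4500 comment "ikev2"\n' "$VPN_SERVER"
    printf 'ufw allow out proto esp to %s comment "esp"\n' "$VPN_SERVER"
    # DNS only from the virtual IP to the pushed resolvers: the query can
    # leave the host only when it is routed into the tunnel (table 220).
    for d in $VPN_DNS; do
        printf 'ufw allow out from %s to %s port 53 comment "dns via tunnel"\n' \
            "$VPN_POOL" "$d"
    done
    printf 'ufw allow out from %s comment "tunnelled traffic"\n' "$VPN_POOL"
}

# Read ufw commands on stdin; print every "allow out" rule that restricts
# neither source nor destination (it is usable before the VPN is up).
# DHCP will always be reported: it is the one exception that must stay.
# Returns 1 if any such rule was found, 0 otherwise.
audit_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"allow out"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" from "*|*" to "*|*" on lo"*) continue ;;
        esac
        printf 'clear-text exception: %s\n' "$line"
        found=1
    done
    return $found
}
```

Run against the rule set in the question, the audit reports the dns, dhcp and ikev2 rules; against the generated set only dhcp remains. If the NM connection names the gateway by hostname instead of IP, one narrowed rule to the local resolver has to be added back.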