diff options
author | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
commit | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch) | |
tree | 0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /testing/tests/libipsec/net2net-null/hosts/sun | |
parent | 518dd33c94e041db0444c7d1f33da363bb8e3faf (diff) | |
download | vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.tar.gz vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.zip |
Imported Upstream version 5.5.0
Diffstat (limited to 'testing/tests/libipsec/net2net-null/hosts/sun')
-rwxr-xr-x | testing/tests/libipsec/net2net-null/hosts/sun/etc/updown | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then |