Whilst recently setting up a router manually from scratch using Debian, I decided to use nftables along with strongSwan to provide IKEv2 VPN access into it.
After much frustration along with trial and error, I have finally discovered the correct rules to use with nftables to allow VPN access into the router and the LAN behind it.
In addition to this I wanted to also make sure the router is forwarding traffic back out so that when connected, it does not disrupt Internet access to the connected device (e.g. a smartphone).
I discovered that by using `meta ipsec exists accept` in the filter input/forward tables, this allows the traffic into the router correctly.
Allowing it via input allows access into the router, and the forward allows forwarding traffic to the LAN.
While these rules work, I'm not sure how secure they are.
Should I be using this meta expression match, or should I be matching on anything else? Perhaps anything else that is provided by IPsec that can be configured through strongSwan?
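For reference, a complete nftables ruleset for the router setup the question describes, written as an added illustration (it is not the asker's ruleset and is not taken from strongSwan or nftables documentation). The interface names `wan` and `lan`, the LAN prefix `192.168.1.0/24` and the client pool `10.10.10.0/24` are assumed values; substitute your own. It shows `meta ipsec exists` used in the input and forward chains as the question does, but combined with a source-address match on the decrypted packet, and it adds the NAT exclusion needed so connected clients keep their Internet access.

```nft
#!/usr/sbin/nft -f
# Illustrative ruleset for a Debian router running strongSwan (IKEv2).
# Added example, not the original poster's configuration. Assumed values:
#   wan / lan        interface names
#   192.168.1.0/24   LAN behind the router
#   10.10.10.0/24    virtual IP pool strongSwan assigns to IKEv2 clients
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # IKE (UDP 500) and NAT-T (UDP 4500) must reach strongSwan, and ESP
        # must be accepted so the kernel's XFRM layer can decrypt it.
        iifname "wan" udp dport { 500, 4500 } accept
        iifname "wan" ip protocol esp accept

        # After decapsulation the inner packet re-enters the input hook with
        # its secpath set; that is what "meta ipsec exists" tests. Adding the
        # expected inner source tightens the rule: a cleartext packet spoofing
        # a 10.10.10.x source has no secpath, and a packet that did come
        # through an SA but carries some other source also falls through.
        iifname "wan" meta ipsec exists ip saddr 10.10.10.0/24 accept

        iifname "lan" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN to the Internet (also covers LAN replies towards VPN clients,
        # which are routed out "wan" before the IPsec policy encapsulates them)
        iifname "lan" oifname "wan" accept

        # Decrypted VPN traffic into the LAN, and back out the WAN so that a
        # connected device keeps its Internet access.
        iifname "wan" meta ipsec exists ip saddr 10.10.10.0/24 ip daddr 192.168.1.0/24 accept
        iifname "wan" meta ipsec exists ip saddr 10.10.10.0/24 oifname "wan" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Packets to VPN clients leave via "wan" as well, so exclude the client
        # pool from masquerading; otherwise the inner source is rewritten before
        # encapsulation and the tunnel's return traffic breaks.
        ip daddr 10.10.10.0/24 return
        oifname "wan" masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` and check what the decrypted packets hit with `nft list ruleset` counters or `nft monitor trace` after adding `meta nftrace set 1` to the rules in question. Besides `meta ipsec`, nft(8) also documents an `ipsec` expression (`ipsec in reqid N`, `ipsec in ip saddr ADDR`) that matches attributes of the SA a packet arrived through, which lets a rule be tied to a particular strongSwan connection rather than to "any IPsec traffic".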