[strongSwan] Replicate Cisco like ACL with strongswan
Andreas Steffen
andreas.steffen at strongswan.org
Mon May 30 09:17:30 CEST 2011
Hello Hans-Kristian,

first I recommend using IKEv2, which is much faster
and more robust:
config setup
        charonstart=yes
        plutostart=no

conn %default
        keyexchange=ikev2
        ikelifetime=28800
        keylife=3600
        auth=esp
        authby=psk
        type=transport
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        dpdaction=restart
        dpddelay=60
        dpdtimeout=500
You can still log to a file using strongswan.conf:
http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Do not put auto=start into the "conn %default" section since
"conn dns_SRV" will also be started, allowing all protocols.
Rather define:
conn dns1
        also=dns_SRV
        leftprotoport=tcp
        rightprotoport=tcp/53
        auto=start

conn dns2
        also=dns_SRV
        leftprotoport=udp
        rightprotoport=udp/53
        auto=start

conn dns3
        also=dns_SRV
        leftprotoport=udp/53
        rightprotoport=udp
        auto=start

conn dns4
        also=dns_SRV
        leftprotoport=tcp/53
        rightprotoport=tcp
        auto=start

conn dns_SRV
        left=10.17.0.11
        right=10.27.64.11
Best regards
Andreas
On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
> Hi
>
> I need to set up an IPsec connection (in transport mode) directly
> between two DNS servers (host to host). The point is that only
> DNS-server traffic should use the tunnel.
> This is normally easy using Cisco equipment, as an ACL can do this easily.
> However, I am really struggling to find a way to do this with
> strongSwan. Using leftprotoport and rightprotoport and separate
> connections doesn't seem to work correctly.
>
> The ACL I need to replicate on my end is this one (I have no influence
> on the other end):
> permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
> permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
> permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
> permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
> permit udp host 10.27.64.11 host 10.17.0.11 eq 53
> permit udp host 10.17.0.11 eq 53 host 10.27.64.11
> permit udp host 10.27.64.11 eq 53 host 10.17.0.11
> permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>
> This is my ipsec.conf so far. I can't get rid of the feeling that
> something is missing:
> (using v4.2.4-5+lenny3 on Debian Lenny)
> --
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         charonstart=no
>         plutostart=yes
>         plutodebug=control
>         nat_traversal=no
>         plutostderrlog=/var/log/pluto.log
>
> conn %default
>         keyexchange=ikev1
>         ikelifetime=28800
>         keylife=3600
>         auth=esp
>         authby=psk
>         auto=start
>         type=transport
>         ike=aes128-sha1-modp1024
>         esp=aes128-sha1-modp1024
>         dpdaction=restart
>         dpddelay=60
>         dpdtimeout=500
>
> conn dns1
>         leftprotoport=tcp
>         rightprotoport=tcp/53
>         also=dns_SRV
>
> conn dns2
>         leftprotoport=udp
>         rightprotoport=udp/53
>         also=dns_SRV
>
> conn dns3
>         leftprotoport=udp/53
>         rightprotoport=udp
>         also=dns_SRV
>
> conn dns4
>         leftprotoport=tcp/53
>         rightprotoport=tcp
>         also=dns_SRV
>
> conn dns_SRV
>         left=10.17.0.11
>         right=10.27.64.11
> ---
>
> When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
> ESTABLISHED) but the other ones don't seem to do anything.
> The DNS traffic still goes out unencrypted.
>
> How can I replicate the ACL perfectly with strongSwan?
>
> Best regards
>
> Hans-Kristian Bakke
> Mob: 91 76 17 38
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
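As an added example (not code from this thread or from the strongSwan project): the script below parses the eight ACL lines quoted above, folds each pair of one-way entries into the single bidirectional leftprotoport/rightprotoport selector an IPsec policy uses, and emits the four conn sections plus the selector-less dns_SRV template. It then reads such an ipsec.conf back with a small parser and resolves "conn %default" and also= in a simplified way (an assumption of this example, not the starter's actual code) to show why auto=start in %default also starts dns_SRV with an all-protocols selector, while the recommended layout starts only dns1 to dns4. The PITFALL and RECOMMENDED fragments are constructed for the demonstration.

```python
"""Added example: Cisco host-to-host ACL -> strongSwan conn selectors, plus a
check of which conns get auto-started.  The %default/also= resolution is a
simplified model of the starter's behaviour and is assumed here."""
import re
from collections import OrderedDict

LEFT, RIGHT = "10.17.0.11", "10.27.64.11"

# The eight ACL lines as quoted in the original mail.
ACL = """\
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
"""

# Only the "permit <tcp|udp> host A [eq P] host B [eq P]" form used above.
ACL_RE = re.compile(
    r"^permit\s+(?P<proto>tcp|udp)\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?$")


def protoport(proto, port):
    """strongSwan selector syntax: 'tcp/53' for a fixed port, 'tcp' for any."""
    return "%s/%s" % (proto, port) if port else proto


def acl_to_selectors(acl_text, left=LEFT, right=RIGHT):
    """Collapse one-way ACL entries into the bidirectional selectors an IPsec
    policy uses: an ordered list of unique (leftprotoport, rightprotoport)."""
    seen = OrderedDict()
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL line: %r" % line)
        proto, src, sport, dst, dport = m.groups()
        if (src, dst) == (left, right):      # left -> right
            lport, rport = sport, dport
        elif (src, dst) == (right, left):    # right -> left: mirror it
            lport, rport = dport, sport
        else:
            raise ValueError("entry is not between %s and %s: %r" % (left, right, line))
        seen.setdefault((protoport(proto, lport), protoport(proto, rport)))
    return list(seen)


def render_conns(selectors, left=LEFT, right=RIGHT, template="dns_SRV", prefix="dns"):
    """One conn per selector, each pulling in the endpoints via also=, and a
    final selector-less template conn that carries no auto=start."""
    out = []
    for i, (lpp, rpp) in enumerate(selectors, 1):
        out += ["conn %s%d" % (prefix, i), "        also=%s" % template,
                "        leftprotoport=%s" % lpp, "        rightprotoport=%s" % rpp,
                "        auto=start", ""]
    out += ["conn %s" % template, "        left=%s" % left, "        right=%s" % right, ""]
    return "\n".join(out)


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: section headers at column 0, indented
    key=value lines below them, '#' comments and blank lines ignored."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
        else:
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), OrderedDict())
    return sections


def effective_conn(sections, name):
    """%default first, then the also= section, then the conn's own keys
    (simplified model of the starter, assumed here)."""
    params = dict(sections.get(("conn", "%default"), {}))
    own = sections[("conn", name)]
    if "also" in own:
        params.update(effective_conn(sections, own["also"]))
    params.update(own)
    return params


def autostarted_selectors(conf_text):
    """Map each conn that would be auto-started to its effective selectors;
    an unset protoport means every protocol and port, shown as 'any'."""
    started, sections = {}, parse_ipsec_conf(conf_text)
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        p = effective_conn(sections, name)
        if p.get("auto") == "start":
            started[name] = (p.get("leftprotoport", "any"), p.get("rightprotoport", "any"))
    return started


# Constructed fragments: the pitfall from the original mail (auto=start in
# %default) and the layout recommended in the reply.
PITFALL = "\n".join([
    "conn %default", "        auto=start", "        type=transport", "",
    "conn dns1", "        leftprotoport=tcp", "        rightprotoport=tcp/53",
    "        also=dns_SRV", "",
    "conn dns_SRV", "        left=" + LEFT, "        right=" + RIGHT, ""])
RECOMMENDED = "conn %default\n        type=transport\n\n" + render_conns(acl_to_selectors(ACL))

if __name__ == "__main__":
    print(render_conns(acl_to_selectors(ACL)))
    print("auto=start in %default starts:", autostarted_selectors(PITFALL))
    print("recommended layout starts:    ", autostarted_selectors(RECOMMENDED))
```

Running the script prints the four generated conns and then the two auto-start summaries: with the pitfall layout dns_SRV appears with ('any', 'any'), i.e. a transport-mode policy for all traffic between the two hosts, which is what defeats the port restriction; with the recommended layout only dns1 to dns4 appear, each with its tcp/udp 53 selector.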