<div dir="ltr">Reading another thread, I changed "right" of "skip" connection on both client and server to be "127.0.0.1" and that fixed up a few things:<div>1) The IPsec installed is type transport (as desired)</div><div>2) I do see shunted policies list ICMP PASS</div><div><br></div><div><b>However, I still have my pings from client to server encrypted :(</b><br></div><div><div><br></div><div><b>Client:</b></div><div><div># ipsec statusall</div><div>Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic, x86_64):</div><div> uptime: 10 minutes, since May 23 12:02:46 2017</div><div> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3</div><div> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock</div><div>Listening IP addresses:</div><div> 1.100.0.9</div><div>Connections:</div><div> skip: %any...127.0.0.1 IKEv2</div><div> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication</div><div> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"</div><div> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication</div><div> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"</div><div> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS</div><div> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s</div><div> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication</div><div> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"</div><div> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication</div><div> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"</div><div> 1.100.0.5: child: dynamic === dynamic <b>TRANSPORT</b>, dpdaction=restart</div><div><b>Shunted Connections:</b></div><div><b> skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS</b></div><div>Security Associations (1 up, 0 connecting):</div><div> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]</div><div> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r, rekeying in 44 minutes</div><div> 1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div> 1.100.0.5{1}: INSTALLED, <b>TRANSPORT</b>, ESP SPIs: c989f733_i c3f6a42e_o</div><div> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts, 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes</div><div> 1.100.0.5{1}: <b>1.100.0.9/32 === 1.100.0.5/32</b> </div><div><br></div><div><br></div><div><b>Client setkey -DP output:</b></div><div><div>1.100.0.5[any] 1.100.0.9[any] 255</div><div> in prio high + 1073740029 ipsec</div><div> esp/transport//unique:1</div><div> created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017</div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=2248 seq=1 pid=176401</div><div> refcnt=11</div><div>1.100.0.9[any] 1.100.0.5[any] 255</div><div> out prio high + 1073740029 ipsec</div><div> esp/transport//unique:1</div><div> created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017</div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=2241 seq=2 pid=176401</div><div> refcnt=11</div><div>0.0.0.0/0 0.0.0.0/0 icmp</div><div> fwd prio high + 1073739774 none</div><div> created: May 23 12:02:46 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=2130 seq=3 pid=176401</div><div> refcnt=1</div><div>0.0.0.0/0 0.0.0.0/0 icmp</div><div> in prio high + 1073739774 none</div><div> created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017</div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=2120 seq=4 pid=176401</div><div> refcnt=1</div><div>0.0.0.0/0 0.0.0.0/0 icmp</div><div> out prio high + 1073739774 none</div><div> created: May 23 12:02:46 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=2113 seq=5 pid=176401</div><div> refcnt=1</div></div><div><br></div><br>On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa...@gmail.com wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;"><div dir="ltr">Hi Noel,<div>Many thanks for the pointer. Looks like I am missing something more or perhaps making a mistake. </div><div><br></div><div>Client [1.100.0.9] -- Server [1.100.0.5] <br></div><div><br></div><div>Goal: All non-ICMP traffic to be over IPsec tunnel between these two machines.</div><div><br></div><div>Strongswan 5.1.2</div><div><br></div><div>The client and server are using self-signed certificates and have each other's certs in /etc/ipsec.d/certs/</div><div><br></div><div><b>Client ipsec.conf:</b></div><div><div><br></div></div><div><div>config setup</div><div> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, lib 0, enc 0, tnc 0"</div><div> uniqueids=no</div><div><br></div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div> authby=rsasig</div><div><br></div><div>conn skip</div><div> type=<b><font color="#ff0000">passthrough</font></b></div><div> left=1.100.0.9</div><div> leftsubnet=<a href="http://0.0.0.0/0%5Bicmp/%5D" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;">0.0.0.0/0[icmp/]</a></div><div> leftcert=client_cert.pem</div><div> leftsendcert=always</div><div> rightcert=server_cert.pem</div><div> right=1.100.0.5</div><div> rightsubnet=<a href="http://0.0.0.0/0%5Bicmp/%5D" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;">0.0.0.0/0[icmp/]</a></div><div> auto=route</div><div><br></div><div>conn 1.100.0.5</div><div> type=<font color="#ff0000"><b>transport</b></font></div><div> left=1.100.0.9</div><div> leftcert=client_cert.pem</div><div> leftsendcert=always</div><div> rightcert=server_cert.pem</div><div> right=1.100.0.5</div><div> reauth=no</div><div> auto=start</div></div><div><br></div><div><b>Server ipsec.conf:</b></div><div><br></div><div><div>config setup</div><div> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, lib 0, enc 0, tnc 0"</div><div> uniqueids=no</div><div><br></div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div> authby=rsasig</div><div><br></div><div>conn skip</div><div> type=<b><font color="#ff0000">passthrough</font></b></div><div> left=1.100.0.5</div><div> leftsubnet=<a href="http://0.0.0.0/0%5Bicmp/%5D" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;">0.0.0.0/0[icmp/]</a></div><div> leftcert=server_cert.pem</div><div> leftsendcert=always</div><div> rightcert=client_cert.pem</div><div> right=1.100.0.9</div><div> rightsubnet=<a href="http://0.0.0.0/0%5Bicmp/%5D" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0%255Bicmp%2F%255D\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHZ0VHOsME_CjtHtA78qw8AubjTqQ';return true;">0.0.0.0/0[icmp/]</a></div><div> auto=route</div><div><br></div><div>conn 1.100.0.9</div><div> type=<b><font color="#ff0000">transport</font></b></div><div> left=1.100.0.5</div><div> leftcert=server_cert.pem</div><div> leftsendcert=always</div><div> rightcert=client_cert.pem</div><div> right=1.100.0.9</div><div> reauth=no</div><div> auto=add</div></div><div><br></div><div><div>=============</div><div>Output of setkey -DP on client:</div><div><div>root@agarwalpiyush0:/usr/<wbr>local/google/home/<wbr>agarwalpiyush/work/agent-v# ./sbin/nfv_cli dm_carl0 setkey -DP</div><div>1.100.0.5 1.100.0.9 icmp</div><div> fwd prio high + 1073740030 ipsec</div><div> esp/tunnel/1.100.0.5-1.100.0.<wbr>9/unique:1</div><div> created: May 23 11:21:42 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=1834 seq=1 pid=103981</div><div> refcnt=1</div><div>1.100.0.5 1.100.0.9 icmp</div><div> in prio high + 1073740030 ipsec</div><div> esp/tunnel/1.100.0.5-1.100.0.<wbr>9/unique:1</div><div> created: May 23 11:21:42 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=1824 seq=2 pid=103981</div><div> refcnt=1</div><div>1.100.0.9 1.100.0.5 icmp</div><div> out prio high + 1073740030 ipsec</div><div> esp/tunnel/1.100.0.9-1.100.0.<wbr>5/unique:1</div><div> created: May 23 11:21:42 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=1817 seq=3 pid=103981</div><div> refcnt=1</div><div><a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> icmp</div><div> fwd prio high + 1073739774 none</div><div> created: May 23 11:21:31 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=1698 seq=4 pid=103981</div><div> refcnt=1</div><div><a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> icmp</div><div> in prio high + 1073739774 none</div><div> created: May 23 11:21:31 2017 lastused: May 23 11:21:35 2017</div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=1688 seq=5 pid=103981</div><div> refcnt=2</div><div><a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;" onclick="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2F0.0.0.0%2F0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNETOu60a3HCyMN138-VZlWuvaAA1A';return true;">0.0.0.0/0</a> icmp</div><div> out prio high + 1073739774 none</div><div> created: May 23 11:21:31 2017 lastused: </div><div> lifetime: 0(s) validtime: 0(s)</div><div> spid=1681 seq=6 pid=103981</div><div> refcnt=1</div></div><div><br></div><div><div><br></div></div><div>Questions:</div><div>1) I'd like a transport type IPsec session for all non-ICMP traffic between client and server. As soon as I specify "passthrough" policy, my IPsec session changes to type "tunnel" from output of ipsec status. Clearly I am not specifying passthrough policy correctly.</div><div><br></div><div>1) Do I need to specify left/right for my "skip" passthrough conn? If I do NOT specify left and right for skip connection, I see the IPsec type remains transport (which is good and what I want), I do see shunted policies in "ipsec status" but I still see ping packets are encrypted.</div><div><br></div><div>Thank you for any help!</div><div>Piyush</div><div><br></div>On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:<blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Add a passthrough policy for the protocol.<br><br><div class="gmail_quote">Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <<a rel="nofollow">agarwa...@gmail.com</a>>:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi,<div>Reading through the left|rightsubnet, it seems like there is no way to *exclude* a protocol from getting encrypted? </div><div><br></div><div>I have a host to host tunnel and I want to encrypt everything between these except ICMP since I'd like to do out-of-tunnel ping/traceroute.</div><div><br></div><div>Prior to using strongswan, I was using racoon where I could use setkey to manually update the SPD to exclude icmp alone.</div><div><br></div><div>Please advise if there is any way to achieve this with strongswan.</div><div><br></div><div>Thanks.<br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8px">Piyush Agarwal</span><br></div><div><span style="color:rgb(17,17,17)"><font face="arial, helvetica, sans-serif" size="2">Life can only be understood backwards; but it must be lived forwards.</font></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div>
</blockquote></div><br>
-- <br>
Sent from mobile</div></blockquote></div></div></blockquote></div></div></div>