[strongSwan-dev] patch proposal: ignore acquire
Emeric POUPON
emeric.poupon at stormshield.eu
Mon Oct 5 12:24:36 CEST 2015
Hello,
I want to implement a "responder only" behavior in strongSwan.
I already discussed this before here: https://lists.strongswan.org/pipermail/users/2014-December/006986.html
The solution proposed "auto=add and rekey=yes" may be fine but is unfortunately not acceptable in some situations.
Since the SPs are not always present in the SPD, some packets that may be candidates to be ciphered are sent to the default gateway if the tunnel is not set up yet.
The administrator has to make sure to properly filter these packets on the network.
My proposal is to add an "ignore_acquire" parameter, set per connection.
If set, the acquire messages are just discarded.
ipsec.conf:
conn "test"
    leftsubnet=192.168.120.0/24
    type=tunnel
    auto=route
    rightsubnet=192.168.110.0/24
    keyexchange=ikev2
    mobike=no
    left=192.168.56.120
    right=192.168.56.110
    leftauth=pubkey
    rightauth=pubkey
    leftcert="..."
    rightid=%any
    leftsendcert=yes
    rightsendcert=yes
    ignore_acquire=yes
#ping -S 192.168.120.120 192.168.110.110
-> no tunnel is open
logs:
...
Oct 5 11:59:17 08[KNL] received an SADB_ACQUIRE
Oct 5 11:59:17 08[KNL] creating acquire job for policy 192.168.56.120/32 === 192.168.56.110/32 with reqid {1}
Oct 5 11:59:17 08[CFG] Processing acquire, reqid = 1
Oct 5 11:59:17 08[CFG] ignoring acquire, due to connection configuration
...
It is up to the administrator to add "rekey=false" if he wants to prevent the connection from being rekeyed from this side.
The "ipsec up" command can still be used to open the connection.
What do you think?
Best Regards,
PS: I did not implement the option in the vici interface
Emeric
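With ignore_acquire set, traffic matching a trap policy no longer brings up the tunnel from this side, so an operator will want to see which policies had their acquires dropped. Added example, not part of the proposal or of strongSwan: a small log correlator over charon lines in the format quoted above (the sample lines are constructed; the second acquire, reqid 2, is assumed to belong to a connection without the option).

```python
import re

# Constructed sample in the charon log format quoted in the post (not real captured data).
SAMPLE_LOG = """\
Oct 5 11:59:17 08[KNL] received an SADB_ACQUIRE
Oct 5 11:59:17 08[KNL] creating acquire job for policy 192.168.56.120/32 === 192.168.56.110/32 with reqid {1}
Oct 5 11:59:17 08[CFG] Processing acquire, reqid = 1
Oct 5 11:59:17 08[CFG] ignoring acquire, due to connection configuration
Oct 5 12:01:02 09[KNL] received an SADB_ACQUIRE
Oct 5 12:01:02 09[KNL] creating acquire job for policy 192.168.56.120/32 === 192.168.56.111/32 with reqid {2}
Oct 5 12:01:02 09[CFG] Processing acquire, reqid = 2
"""

LINE_RE = re.compile(r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
JOB_RE = re.compile(r"creating acquire job for policy (?P<src>\S+) === (?P<dst>\S+) with reqid \{(?P<reqid>\d+)\}")
PROC_RE = re.compile(r"Processing acquire, reqid = (?P<reqid>\d+)")


def summarize_acquires(log_text):
    """Return {reqid: {"policy": (src, dst), "ignored": bool}} for every acquire seen in the log."""
    acquires = {}
    current = {}  # thread id -> reqid currently being processed on that thread
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if job := JOB_RE.search(msg):
            reqid = int(job.group("reqid"))
            acquires[reqid] = {"policy": (job.group("src"), job.group("dst")), "ignored": False}
        elif proc := PROC_RE.search(msg):
            current[thread] = int(proc.group("reqid"))
        elif msg.startswith("ignoring acquire") and thread in current:
            # The "ignoring" line carries no reqid; attribute it to the acquire this thread was processing.
            acquires.setdefault(current[thread], {"policy": None, "ignored": False})["ignored"] = True
    return acquires


def ignored_policies(log_text):
    """Policies whose acquires were dropped: matching traffic will not bring up a tunnel from this side."""
    return [info["policy"] for _, info in sorted(summarize_acquires(log_text).items()) if info["ignored"]]


if __name__ == "__main__":
    for src, dst in ignored_policies(SAMPLE_LOG):
        print(f"acquire ignored for {src} === {dst}: tunnel must be opened by the peer or with 'ipsec up'")
```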
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-responder-only
Type: text/x-patch
Size: 16436 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20151005/d04f6b17/attachment.bin>