[strongSwan-dev] patch proposal: ignore acquire

Emeric POUPON emeric.poupon at stormshield.eu
Mon Oct 5 16:04:46 CEST 2015


Hello,

Thanks for your support.

I tried what you suggested:

ipsec.conf:

conn "test PASS"
        leftsubnet=192.168.120.0/24
        rightsubnet=192.168.110.0/24
        auto=route
        type=passthrough
        authby=never

conn "test"
        leftsubnet=192.168.120.0/24
        type=tunnel
        auto=add
        rightsubnet=192.168.110.0/24
        keyexchange=ikev2
        mobike=no
        left=192.168.56.120
        right=192.168.56.110
        leftauth=pubkey
        rightauth=pubkey
        leftcert="..."
        rightid=%any
        esp=aes128-sha1-modp1024-noesn,aes128-md5-modp1024-noesn,blowfish128-sha1-modp1024-noesn,blowfish128-md5-modp1024-noesn,3des-sha1-modp1024-noesn,3des-md5-modp1024-noesn!
        ike=aes128-sha1-modp1024,blowfish128-sha1-modp1024,3des-sha1-modp1024!
        leftsendcert=yes
        rightsendcert=yes

In the SPD, I can see the shunted connections:

# setkey -DP
192.168.110.0/24[any] 192.168.120.0/24[any] 255
	in none
	created: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=60 seq=1 pid=3097
	refcnt=1
192.168.120.0/24[any] 192.168.110.0/24[any] 255
	out none
	created: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=59 seq=0 pid=3097
	refcnt=1

Ping from 192.168.120.120 to 192.168.110.110 -> not working


I open the connection from the other side:
ipsec statusall:
...
Connections:
   test PASS:  %any...%any  IKEv1/2
   test PASS:   local:  uses public key authentication
   test PASS:   remote: uses public key authentication
   test PASS:   child:  192.168.120.0/24=== 192.168.110.0/24PASS
        test:  192.168.56.120...192.168.56.110  IKEv2
        test:   local:  [C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, E=TEST_120 at TEST.org] uses public key authentication
        test:    cert:  "C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, E=TEST_120 at TEST.org"
        test:   remote: uses public key authentication
        test:   child:  192.168.120.0/24=== 192.168.110.0/24TUNNEL
Shunted Connections:
   test PASS:  192.168.120.0/24=== 192.168.110.0/24PASS
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 3 seconds ago, 192.168.56.120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, E=TEST_120 at TEST.org]...192.168.56.110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_110, E=TEST_110 at TEST.org]
        test[1]: IKEv2 SPIs: c8617fe834425023_i 86616e2507eeaf29_r*, public key reauthentication in 88 minutes
        test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c57a4cd6_i cad79a5e_o
        test{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
        test{1}:   192.168.120.0/24=== 192.168.110.0/24


However, 'setkey -DP' does not show any new SP installed.
Ping from 192.168.120.120 to 192.168.110.110 -> still not working

In the logs:
Oct  5 15:51:02 08[IKE] <test|1> IKE_SA test[1] established between 192.168.56.120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, E=TEST_120 at TEST.org]...192.168.56.110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_110, E=TEST_110 at TEST.org]
Oct  5 15:51:02 08[IKE] <test|1> IKE_SA test[1] state change: CONNECTING => ESTABLISHED
Oct  5 15:51:02 08[SNS] <test|1> IKE SA established
Oct  5 15:51:02 08[IKE] <test|1> scheduling reauthentication in 5298s
Oct  5 15:51:02 08[IKE] <test|1> maximum IKE_SA lifetime 5898s
Oct  5 15:51:02 01[JOB] next event in 29s 969ms, waiting
Oct  5 15:51:02 08[IKE] <test|1> sending end entity cert "C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, E=TEST_120 at TEST.org"
Oct  5 15:51:02 08[ENC] <test|1> added payload of type CERTIFICATE to message
Oct  5 15:51:02 08[CFG] <test|1> looking for a child config for 192.168.120.0/24=== 192.168.110.0/24
Oct  5 15:51:02 08[CFG] <test|1> proposing traffic selectors for us:
Oct  5 15:51:02 08[CFG] <test|1>  192.168.120.0/24
Oct  5 15:51:02 08[CFG] <test|1> proposing traffic selectors for other:
Oct  5 15:51:02 08[CFG] <test|1>  192.168.110.0/24
Oct  5 15:51:02 08[CFG] <test|1>   candidate "test" with prio 5+5
Oct  5 15:51:02 08[CFG] <test|1> found matching child config "test" with prio 10
Oct  5 15:51:02 08[CFG] <test|1> selecting proposal:
Oct  5 15:51:02 08[CFG] <test|1>   proposal matches
Oct  5 15:51:02 08[CFG] <test|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Oct  5 15:51:02 08[CFG] <test|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Oct  5 15:51:02 08[CFG] <test|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct  5 15:51:02 08[KNL] <test|1> got SPI c57a4cd6
Oct  5 15:51:02 08[CFG] <test|1> selecting traffic selectors for us:
Oct  5 15:51:02 08[CFG] <test|1>  config: 192.168.120.0/24, received: 192.168.120.0/24 => match: 192.168.120.0/24
Oct  5 15:51:02 08[CFG] <test|1> selecting traffic selectors for other:
Oct  5 15:51:02 08[CFG] <test|1>  config: 192.168.110.0/24, received: 192.168.110.0/24 => match: 192.168.110.0/24
Oct  5 15:51:02 08[CHD] <test|1>   using AES_CBC for encryption
Oct  5 15:51:02 08[CHD] <test|1>   using HMAC_SHA1_96 for integrity
Oct  5 15:51:02 08[CHD] <test|1> adding inbound ESP SA
Oct  5 15:51:02 08[CHD] <test|1>   SPI 0xc57a4cd6, src 192.168.56.110 dst 192.168.56.120
Oct  5 15:51:02 08[KNL] <test|1> deleting SAD entry with SPI c57a4cd6
Oct  5 15:51:02 08[KNL] <test|1> deleted SAD entry with SPI c57a4cd6
Oct  5 15:51:02 08[KNL] <test|1> adding SAD entry with SPI c57a4cd6 and reqid {1}
Oct  5 15:51:02 08[KNL] <test|1>   using encryption algorithm AES_CBC with key size 128
Oct  5 15:51:02 08[KNL] <test|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct  5 15:51:02 16[JOB] watched FD 7 ready to read
Oct  5 15:51:02 08[CHD] <test|1> adding outbound ESP SA
Oct  5 15:51:02 08[CHD] <test|1>   SPI 0xcad79a5e, src 192.168.56.120 dst 192.168.56.110
Oct  5 15:51:02 16[JOB] watcher going to poll() 4 fds
Oct  5 15:51:02 08[KNL] <test|1> adding SAD entry with SPI cad79a5e and reqid {1}
Oct  5 15:51:02 16[JOB] watcher got notification, rebuilding
Oct  5 15:51:02 16[JOB] watcher going to poll() 5 fds
Oct  5 15:51:02 08[KNL] <test|1>   using encryption algorithm AES_CBC with key size 128
Oct  5 15:51:02 16[JOB] watched FD 7 ready to read
Oct  5 15:51:02 16[JOB] watcher going to poll() 4 fds
Oct  5 15:51:02 08[KNL] <test|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.120.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.110.0/24 === 192.168.120.0/24 in already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.120.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.110.0/24 === 192.168.120.0/24 in already exists, increasing refcount
Oct  5 15:51:02 08[IKE] <test|1> CHILD_SA test{1} established with SPIs c57a4cd6_i cad79a5e_o and TS 192.168.120.0/24=== 192.168.110.0/24
Oct  5 15:51:02 08[SNS] <test|1> IPSEC SA established

I see at least two problems:
- Why are the additional policies not installed in the kernel? Only the refcounts are updated?
- I'm not sure FreeBSD can handle SP priority? We are using FreeBSD 9.3.


What do you think?

Emeric
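One way to check the situation described above (an added diagnostic script, not part of this thread and not strongSwan code): it parses `setkey -DP` output and the KNL "already exists, increasing refcount" log lines, then reports every traffic selector whose kernel policy is still a shunt ("none" or "discard") rather than an "ipsec" policy. The SPD and log samples are constructed from the output quoted above; the extra 10.0.1.0/24 entry with its `esp/tunnel/...` line is an assumed illustration of how an installed tunnel policy appears in setkey's format and does not come from the thread.

```python
"""Compare a FreeBSD ``setkey -DP`` dump with strongSwan KNL log lines.

Added diagnostic (not strongSwan code): when strongSwan only logs
"policy ... already exists, increasing refcount" and ``setkey -DP`` still
lists a "none" policy for the same selector, no ESP policy was installed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two passthrough shunt entries from the thread plus
# one assumed entry showing an installed tunnel policy for another selector.
SETKEY_DP_SAMPLE = """\
192.168.110.0/24[any] 192.168.120.0/24[any] 255
\tin none
\tcreated: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
\tlifetime: 9223372036854775807(s) validtime: 0(s)
\tspid=60 seq=1 pid=3097
\trefcnt=1
192.168.120.0/24[any] 192.168.110.0/24[any] 255
\tout none
\tcreated: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
\tlifetime: 9223372036854775807(s) validtime: 0(s)
\tspid=59 seq=0 pid=3097
\trefcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] 255
\tout ipsec
\tesp/tunnel/192.168.56.120-192.168.56.110/unique:1
\tspid=61 seq=2 pid=3097
\trefcnt=1
"""

# Constructed sample: the KNL lines from the thread, in the same shape.
KNL_LOG_SAMPLE = """\
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.120.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.110.0/24 === 192.168.120.0/24 in already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.120.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.110.0/24 === 192.168.120.0/24 in already exists, increasing refcount
"""

HEADER_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
ACTION_RE = re.compile(r"^\s+(in|out|fwd) (none|ipsec|discard)\b")
SPID_RE = re.compile(r"^\s+spid=(\d+)")
KNL_RE = re.compile(
    r"policy (\S+) === (\S+) (in|out|fwd) already exists, increasing refcount")


@dataclass
class SpdEntry:
    src: str
    dst: str
    proto: str
    direction: str = ""
    action: str = ""
    spid: int = -1
    sa_specs: list = field(default_factory=list)  # e.g. "esp/tunnel/..."


def parse_setkey_dp(text):
    """Parse ``setkey -DP`` output into one SpdEntry per policy."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # "src[port] dst[port] proto" starts a new policy
            current = SpdEntry(src=m.group(1), dst=m.group(3), proto=m.group(5))
            entries.append(current)
            continue
        if current is None:
            continue
        m = ACTION_RE.match(line)
        if m:  # "in none", "out ipsec", "out discard", ...
            current.direction, current.action = m.group(1), m.group(2)
            continue
        m = SPID_RE.match(line)
        if m:
            current.spid = int(m.group(1))
            continue
        stripped = line.strip()
        if stripped.startswith(("esp/", "ah/", "ipcomp/")):
            current.sa_specs.append(stripped)
    return entries


def find_policy(entries, src, dst, direction):
    for e in entries:
        if (e.src, e.dst, e.direction) == (src, dst, direction):
            return e
    return None


def refcounted_policies(log_text):
    """Distinct (src, dst, direction) that strongSwan only reference counted."""
    seen = []
    for m in KNL_RE.finditer(log_text):
        if m.groups() not in seen:
            seen.append(m.groups())
    return seen


def diagnose(spd_text, log_text):
    """Selectors whose kernel policy is still not an 'ipsec' policy."""
    entries = parse_setkey_dp(spd_text)
    problems = []
    for src, dst, direction in refcounted_policies(log_text):
        e = find_policy(entries, src, dst, direction)
        state = e.action if e else "missing"
        if state != "ipsec":
            problems.append((src, dst, direction, state))
    return problems


if __name__ == "__main__":
    for src, dst, direction, state in diagnose(SETKEY_DP_SAMPLE, KNL_LOG_SAMPLE):
        print(f"{direction:>3} {src} -> {dst}: kernel policy is '{state}', "
              "no ESP policy installed for this selector")
```

Run against real data by piping `setkey -DP` and the charon log into the two functions; a result with `state == "none"` reproduces the symptom in this thread (the shunt policy kept, refcount bumped, no ESP policy), while an empty result means every refcounted selector is backed by an "ipsec" policy.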


----- Original Message -----
From: "Tobias Brunner" <tobias at strongswan.org>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>, dev at lists.strongswan.org
Sent: Monday, 5 October 2015 14:45:10
Subject: Re: [strongSwan-dev] patch proposal: ignore acquire

Hi Emeric,

> My proposal is to add an "ignore_acquire" parameter, set by per connection.
> If set, the acquire messages are just discarded.

My recommendation would be to install a drop policy for the same traffic
selector and to use auto=add for the actual connection.  In recent
releases drop policies are always installed with a lower priority than
IPsec policies or passthrough policies, so traffic will be blocked until
the IPsec connection is established (and again when it is torn down),
but not while it is established.

This should work fine with the kernel-pfkey plugin, however, the reqid
check in the kernel-netlink plugin currently prevents this from working
if the traffic selectors are exactly the same for the drop and IPsec
policy.  Since shunt policies have no reqid associated with them we
might make an exception for these, though.  I've updated the
policy-del-ext branch to support this.

Regards,
Tobias


