From cwinkler at marvell.com Thu Jan 7 20:05:59 2021
From: cwinkler at marvell.com (Chris Winkler)
Date: Thu, 7 Jan 2021 19:05:59 +0000
Subject: [strongSwan-dev] Support for FC-SP-2
Message-ID:

Attached is a set of patches to enable coexistence of the FC-SP-2 protocol with IPSec for IKE negotiation. The full codebase is available on a GitHub fork as well:

https://github.com/cwinkler-marvell/strongswan.git

Below is detailed information about this request:

Introduction
============

FC-SP-2 is a protocol that was developed to implement security in a Fibre Channel fabric. FC-SP-2 requires both end point authentication and data-in-flight encryption/decryption. Marvell has taken this specification and is progressing towards providing a full implementation of this protocol through hardware, firmware, drivers and application layers. Marvell has selected strongSwan as the best choice for negotiating encryption keys using IKEv2 but must extend the capabilities of IPSec into the particular requirements of FC-SP-2 Fibre Channel.

Key Differences between IPSec and FC-SP-2
=========================================

1. The most obvious difference is that IPSec uses IP as its transport layer where FC-SP-2 uses Fibre Channel. Fibre Channel does not have an IP address but uses the WWPN and a PID (port ID) to create a tuple for a connection. This creates two specific needs within strongSwan for the FC-SP-2 plugin that Marvell has developed, called auth-els:
   a. The PID is carried in 3 bytes of the IPv4 address.
   b. The connections are managed by the auth-els plugin because IP sockets are not used.

2. The second difference is that the encryption keys do not go to the kernel but are managed by the HW, FW and driver on the PCI-e card for Fibre Channel. This requires all kernel interface calls, such as add_sa, delete_sa, etc., to be routed to the auth-els plugin and not the kernel. The routing of these kernel calls is based on the address family (AF_xxx) stored in the host object.
Proposed core changes required to support FC-SP-2
=================================================

1. host object: Since there is no AF_FC, identifying Fibre Channel hosts is done with AF_NETLINK, which is not used except in isolated applications. The overloading of AF_NETLINK may be fixed in the future if an appropriate address family (AF_xxx) is created.

2. libcharon/network/socket_manager:
   a. Create separate IP socket and FC socket.
   b. Route socket calls to the appropriate socket based on AF type.

3. libcharon/kernel/kernel interface:
   a. Create a separate fc_sp interface in addition to the ipsec interface.
   b. Route kernel calls to the appropriate "kernel" based on the AF type.

4. Other minor changes required to handle the Fibre Channel addressing differences, such as changes to the traffic selector.

Status of development
=====================

A full implementation of a local version of strongSwan has been developed that supports IPSec and FC-SP-2, where secure traffic of both types is running after IKE negotiation completes for each connection type. A suite of tests to ensure that IPSec is not affected by core changes in any way has been completed. A set of patches can be provided when requested.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ss_fork_010721.tgz
Type: application/x-compressed
Size: 41307 bytes
Desc: ss_fork_010721.tgz

From njbuwm at gmail.com Thu Jan 14 14:32:34 2021
From: njbuwm at gmail.com (N B)
Date: Thu, 14 Jan 2021 08:32:34 -0500
Subject: [strongSwan-dev] Android strongswan intents
Message-ID:

Hello,

My team is trying to tie into some Strongswan intents in Android in order to do some auto-configuration / connecting / disconnecting from outside of the strongswan application.
From this webpage: https://wiki.strongswan.org/projects/strongswan/wiki/androidvpnclient

We thought we could watch for intents with the action org.strongswan.android.action.START_PROFILE in order to receive the vpn profile id, in order to send that with connect/disconnect intents later on. We are however not receiving that intent when strongswan is connecting to a profile. Should we be able to? Is this sent out via broadcast or local intent that outside apps should have access to? Is there a way to query strongswan for the vpn profile id and / or connection status?

Thank you for your time,
Nick

From tobias at strongswan.org Thu Jan 14 14:59:26 2021
From: tobias at strongswan.org (Tobias Brunner)
Date: Thu, 14 Jan 2021 14:59:26 +0100
Subject: [strongSwan-dev] Android strongswan intents
In-Reply-To:
References:
Message-ID: <2131b437-9218-25a8-182e-b447c05e5b12@strongswan.org>

Hi Nick,

> We are however not receiving that intent when strongswan is connecting
> to a profile. Should we be able to? Is this sent out via broadcast or
> local intent that outside apps should have access to?

No, why would you think so?

> Is there a way to query strongswan for the vpn profile id and / or
> connection status?

No, neither.

Regards,
Tobias

From njbuwm at gmail.com Thu Jan 14 16:06:18 2021
From: njbuwm at gmail.com (N B)
Date: Thu, 14 Jan 2021 10:06:18 -0500
Subject: [strongSwan-dev] Android strongswan intents
In-Reply-To: <2131b437-9218-25a8-182e-b447c05e5b12@strongswan.org>
References: <2131b437-9218-25a8-182e-b447c05e5b12@strongswan.org>
Message-ID:

Hi Tobias,

> No, why would you think so?

Because the "How-to use Intents to connect/terminate VPN profiles" section and the preceding sentence "Since 2.0.0 it's possible to use Intents and a VPN profile's UUID to connect/terminate it with automation apps [...]" seemed to possibly be implying that you could. Alright, good to know.
Thank you for your time,
Nick

On 1/14/21, Tobias Brunner wrote:
> Hi Nick,
>
>> We are however not receiving that intent when strongswan is connecting
>> to a profile. Should we be able to? Is this sent out via broadcast or
>> local intent that outside apps should have access to?
>
> No, why would you think so?
>
>> Is there a way to query strongswan for the vpn profile id and / or
>> connection status?
>
> No, neither.
>
> Regards,
> Tobias
>
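Returning to Chris Winkler's FC-SP-2 proposal at the top of this page, the following is an added illustration of its two core ideas, the PID carried in 3 bytes of an IPv4-sized address and kernel-interface calls routed purely by address family (AF_NETLINK overloaded for Fibre Channel). It is not code from the strongSwan project or from the posted patches; the minimal host_t layout, the byte position of the PID and the backend names are assumptions made for the example.

```c
#include <stdint.h>
#include <sys/socket.h>
#ifndef AF_NETLINK
#define AF_NETLINK 16   /* Linux value; only needed on non-Linux builds */
#endif

/* Assumed minimal host object; strongSwan's real host_t carries more. */
typedef struct {
    int     family;   /* AF_INET for IPSec peers, AF_NETLINK (overloaded) for FC peers */
    uint8_t addr[4];  /* IPv4 address, or 0x00 followed by the 24-bit FC port ID */
} host_t;

/* Backends a kernel-interface call (add_sa, delete_sa, ...) can be routed to. */
enum backend { BACKEND_REJECT = 0, BACKEND_IPSEC_KERNEL = 1, BACKEND_FC_SP = 2 };

/* Build an FC host. Assumption: the PID sits big-endian in the low 3 bytes.
 * A PID wider than 24 bits cannot be represented and is refused (returns 0). */
int fc_host_create(host_t *h, uint32_t pid)
{
    if (pid > 0xFFFFFFu) return 0;
    h->family  = AF_NETLINK;
    h->addr[0] = 0;
    h->addr[1] = (uint8_t)(pid >> 16);
    h->addr[2] = (uint8_t)(pid >> 8);
    h->addr[3] = (uint8_t)pid;
    return 1;
}

int ipv4_host_create(host_t *h, uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    h->family = AF_INET;
    h->addr[0] = a; h->addr[1] = b; h->addr[2] = c; h->addr[3] = d;
    return 1;
}

/* Recover the 24-bit PID from an FC host. */
uint32_t fc_host_pid(const host_t *h)
{
    return ((uint32_t)h->addr[1] << 16) | ((uint32_t)h->addr[2] << 8) | h->addr[3];
}

/* Route by address family only, never by address bytes (an FC PID and an IPv4
 * address can share the same 4 bytes). A mixed-family SA is rejected, not guessed. */
enum backend route_sa(const host_t *src, const host_t *dst)
{
    if (src->family != dst->family) return BACKEND_REJECT;
    switch (src->family) {
    case AF_INET:    return BACKEND_IPSEC_KERNEL;
    case AF_NETLINK: return BACKEND_FC_SP;
    default:         return BACKEND_REJECT;
    }
}
```

The mixed-family rejection is the check a reviewer of such a dispatch layer would look for: because the address bytes alone cannot tell an FC PID from an IPv4 address, a keying call that reaches the wrong backend would silently install or delete the wrong SA.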