[strongSwan] configuring charon with installpolicy=no
Ayyash, Mohammad (NSN - FI/Espoo)
mohammad.ayyash at nsn.com
Fri May 14 14:27:01 CEST 2010
Hi,
First off, I googled a lot before sending this email, but found no
answer.
My question is:
--------------------
- how to properly configure Charon with "installpolicy=no", so that I
will be able to control the priority order of SPD policies.
More details:
--------------------
I have two hosts: the first one (host1) has IP addresses 10.0.0.1/24 and
20.0.0.1/24, the second one (host2) has IP addresses 30.0.0.1/24 and
40.0.0.1/24.
The scenario is that a VPN is to be established between 20.0.0.1 ===
40.0.0.1, serving subnets 10.0.0.0/24 === 30.0.0.0/24.
I want to be able to insert (just for the sake of example) an exception
to this security policy: if a ping goes from 10.0.0.1 to 30.0.0.1 (and
the other way around), it should be passed through unencrypted.
Ideally, I should be able to introduce SPD policies with higher
priorities, in a way that the ping policy has higher priority (I am
using setkey).
Host1:
spdadd 10.0.0.0/24 30.0.0.0/24 icmp -P out prio 1001 none;
spdadd 30.0.0.0/24 10.0.0.0/24 icmp -P in prio 1001 none;
spdadd 10.0.0.0/24 30.0.0.0/24 any -P out prio 1000 ipsec esp/tunnel/20.0.0.1-40.0.0.1/unique;
spdadd 30.0.0.0/24 10.0.0.0/24 any -P in prio 1000 ipsec esp/tunnel/40.0.0.1-20.0.0.1/unique;
Host2:
spdadd 10.0.0.0/24 30.0.0.0/24 icmp -P in prio 1001 none;
spdadd 30.0.0.0/24 10.0.0.0/24 icmp -P out prio 1001 none;
spdadd 10.0.0.0/24 30.0.0.0/24 any -P in prio 1000 ipsec esp/tunnel/20.0.0.1-40.0.0.1/unique;
spdadd 30.0.0.0/24 10.0.0.0/24 any -P out prio 1000 ipsec esp/tunnel/40.0.0.1-20.0.0.1/unique;
(the above example works with IKEv1 Racoon, which doesn't try to play
with policies)
In order to achieve the same with Charon, I have two options: (A)
prevent Charon from installing the SPD policies, or (B) tell Charon how
to treat priorities.
Solution (A):
============
Prevent Charon from installing policies, and do that manually instead.
I didn't get very far here: I tried to use installpolicy=no. Here is what
I did (only the "ipsec" policy is tried):
Host1:
spdadd 10.0.0.0/24 30.0.0.0/24 any -P out ipsec esp/tunnel/20.0.0.1-40.0.0.1/unique;
spdadd 30.0.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/40.0.0.1-20.0.0.1/unique;
setkey -DP
30.0.0.0/24[any] 10.0.0.0/24[any] any
	in prio def ipsec
	esp/tunnel/40.0.0.1-20.0.0.1/require
	created: May 14 14:11:13 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=8744 seq=2 pid=14660
	refcnt=1
10.0.0.0/24[any] 30.0.0.0/24[any] any
	out prio def ipsec
	esp/tunnel/20.0.0.1-40.0.0.1/require
	created: May 14 14:11:13 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=8737 seq=1 pid=14660
	refcnt=1
30.0.0.0/24[any] 10.0.0.0/24[any] any
	fwd prio def ipsec
	esp/tunnel/40.0.0.1-20.0.0.1/require
	created: May 14 14:11:13 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=8754 seq=0 pid=14660
	refcnt=1
ipsec.conf:
config setup
	charonstart=yes
	plutostart=no
	charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"

conn %default
	keyexchange=ikev2
	auto=route
	installpolicy=no

ca strongswan
	cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem

conn CONFIG
	rekeymargin=2880
	rekeyfuzz=100%
	left=20.0.0.1
	right=40.0.0.1
	leftsubnet=10.0.0.0/24
	rightsubnet=30.0.0.0/24
	leftprotoport=%any
	rightprotoport=%any
	authby=secret
	leftid=20.0.0.1
	rightid=40.0.0.1
	ike=aes128-md5-modp1536
	esp=aes128-sha1
	type=tunnel
	ikelifetime=28800s
	keylife=28800s
Now start starter:
$starter --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 20.0.0.1
00[KNL] fe80::209:6bff:fe58:6492
00[KNL] eth1
00[KNL] 192.168.0.250
00[KNL] 10.0.0.1
00[KNL] fe80::209:6bff:fe58:6493
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
00[JOB] spawning 16 worker threads
charon (18334) started after 100 ms
01[JOB] started worker thread, ID: 1
01[JOB] no events, waiting
03[JOB] started worker thread, ID: 3
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
06[JOB] started worker thread, ID: 6
06[NET] waiting for data on raw sockets
08[JOB] started worker thread, ID: 8
08[CFG] received stroke: add connection 'CONFIG'
08[CFG] conn CONFIG
08[CFG] left=20.0.0.1
08[CFG] leftsubnet=10.0.0.0/24
08[CFG] leftsourceip=(null)
08[CFG] leftauth=(null)
08[CFG] leftauth2=(null)
08[CFG] leftid=20.0.0.1
02[JOB] started worker thread, ID: 2
07[JOB] started worker thread, ID: 7
09[JOB] started worker thread, ID: 9
10[JOB] started worker thread, ID: 10
11[JOB] started worker thread, ID: 11
12[JOB] started worker thread, ID: 12
13[JOB] started worker thread, ID: 13
14[JOB] started worker thread, ID: 14
15[JOB] started worker thread, ID: 15
16[JOB] started worker thread, ID: 16
08[CFG] leftid2=(null)
08[CFG] leftcert=(null)
08[CFG] leftcert2=(null)
08[CFG] leftca=(null)
08[CFG] leftca2=(null)
08[CFG] leftgroups=(null)
08[CFG] leftupdown=(null)
08[CFG] right=40.0.0.1
08[CFG] rightsubnet=30.0.0.0/24
08[CFG] rightsourceip=(null)
08[CFG] rightauth=(null)
08[CFG] rightauth2=(null)
08[CFG] rightid=40.0.0.1
08[CFG] rightid2=(null)
08[CFG] rightcert=(null)
08[CFG] rightcert2=(null)
08[CFG] rightca=(null)
08[CFG] rightca2=(null)
08[CFG] rightgroups=(null)
08[CFG] rightupdown=(null)
08[CFG] eap_identity=(null)
08[CFG] ike=aes128-md5-modp1536
08[CFG] esp=aes128-sha1
08[CFG] mediation=no
08[CFG] mediated_by=(null)
08[CFG] me_peerid=(null)
08[KNL] getting interface name for 40.0.0.1
08[KNL] 40.0.0.1 is not a local address
08[KNL] getting interface name for 20.0.0.1
08[KNL] 20.0.0.1 is on interface eth0
08[CFG] added configuration 'CONFIG'
02[CFG] received stroke: route 'CONFIG'
02[CFG] proposing traffic selectors for us:
02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
configuration 'CONFIG' routed
At this point it is really irrelevant whether you configure host2 or not,
simply because nothing will be sent. Try a ping from host2 to host1
(which should be encrypted):
ping -I 30.0.0.1 10.0.0.1
03[KNL] received a XFRM_MSG_ACQUIRE
03[KNL]   XFRMA_TMPL
03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] === 30.0.0.1/32[icmp] with reqid {0}
10[CFG] trap not found, unable to acquire reqid 0
Note that after this ping, a one-direction SAD entry is created:
[root@pennywise ipsec-tools-0.8-alpha20090422]# setkey -D
20.0.0.1 40.0.0.1
	esp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval
	created: May 14 15:22:52 2010	current: May 14 15:22:58 2010
	diff: 6(s)	hard: 165(s)	soft: 0(s)
	last:			hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=18395 refcnt=0
Given the spi=0, I guess this is just an initialized one, not yet
completed.
As far as I can tell from the "trap not found" error message, charon is
trying to find a matching SPD policy before it starts the IKE negotiation,
but it is not able to find it. Why is that?
Solution (B):
============
Is there a way to control the order in which Charon installs SPD
policies?
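The priority question in Solution (B) and the setkey policies at the top of the post come down to one thing: for a given packet, which SPD entry the kernel picks, and whether a bypass ("none") entry ends up covering more than the ICMP exception it was meant for. The following Python is an added example, not code from the post or from the strongSwan project. It parses a `setkey -DP` dump in the shape shown above, emulates the lookup, and flags an `ipsec` policy that a bypass would shadow completely. It assumes the Linux xfrm rule that the policy with the numerically lowest priority value is tried first, takes a bare integer after `prio` as that raw value, and uses the `high`/`def`/`low` base values documented for setkey(8); the dumps `HOST1_SPD` and `HOST1_SPD_BAD` are constructed (timestamp lines omitted), and the spid numbers in them are made up.

```python
"""Parse `setkey -DP` output, emulate the SPD lookup, and flag bypass policies
that shadow an 'ipsec' policy.  Added example, not from the post or strongSwan.
Assumed: the kernel tries the policy with the lowest priority value first; a bare
integer after 'prio' is that raw value; high/def/low are the setkey(8) bases."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PRIO_BASE = {"high": 0x40000000, "def": 0x80000000, "low": 0xC0000000}  # setkey(8) bases (assumed)
HEADER_RE = re.compile(r"^(\S+?)\[([^\]]+)\]\s+(\S+?)\[([^\]]+)\]\s+(\S+)$")
ACTION_RE = re.compile(r"^(in|out|fwd)\s+prio\s+(.+?)\s+(none|ipsec|discard)$")
TMPL_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/[^/]*/\w+$")
SPID_RE = re.compile(r"^spid=(\d+)")


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "any", "icmp", "tcp", ...
    direction: str = ""          # in / out / fwd
    priority: int = 0            # effective kernel priority; lower is tried first
    action: str = ""             # none (bypass), ipsec, discard
    templates: List[str] = field(default_factory=list)
    spid: Optional[int] = None


def parse_prio(text: str) -> int:
    """'def', 'high + 10', 'low-5' or a plain integer -> kernel priority value."""
    m = re.match(r"^(high|def|low)(?:\s*([+-])\s*(\d+))?$", text.strip())
    if not m:
        return int(text)
    value = PRIO_BASE[m.group(1)]
    if m.group(2):
        value += int(m.group(3)) if m.group(2) == "+" else -int(m.group(3))
    return value


def parse_spd(dump: str) -> List[Policy]:
    """Build Policy records from a dump; leading tabs/spaces are optional, so a
    dump whose indentation was lost (as in a mail archive) still parses."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in dump.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            cur = Policy(ipaddress.ip_network(h.group(1), strict=False),
                         ipaddress.ip_network(h.group(3), strict=False), h.group(5))
            policies.append(cur)
            continue
        if cur is None:
            continue
        a = ACTION_RE.match(line)
        s = SPID_RE.match(line)
        if a:
            cur.direction, cur.priority, cur.action = a.group(1), parse_prio(a.group(2)), a.group(3)
        elif TMPL_RE.match(line):
            cur.templates.append(line)
        elif s:
            cur.spid = int(s.group(1))
    return policies


def lookup(policies: List[Policy], src: str, dst: str, proto: str,
           direction: str) -> Optional[Policy]:
    """Among policies whose selector covers the packet, the lowest priority
    value wins (first inserted on a tie, as min() keeps the first minimum)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.direction == direction and s in p.src
            and d in p.dst and p.proto in ("any", proto)]
    return min(hits, key=lambda p: p.priority) if hits else None


def cleartext_exposures(policies: List[Policy]) -> List[Tuple[Optional[int], Optional[int]]]:
    """(ipsec_spid, bypass_spid) pairs where a 'none' policy that the kernel tries
    first covers the whole selector of an 'ipsec' policy: that tunnel's traffic
    would silently leave in the clear.  A narrower bypass (ICMP only) is fine."""
    found = []
    for p in (x for x in policies if x.action == "ipsec"):
        for q in policies:
            if (q.action == "none" and q.direction == p.direction
                    and q.priority < p.priority and q.proto in ("any", p.proto)
                    and p.src.subnet_of(q.src) and p.dst.subnet_of(q.dst)):
                found.append((p.spid, q.spid))
    return found


# Constructed dump in the shape of the post's `setkey -DP` output (timestamp lines
# omitted, spids made up): host1's intended SPD, ICMP bypass above the ESP policies.
HOST1_SPD = """\
10.0.0.0/24[any] 30.0.0.0/24[any] icmp
\tout prio 1001 none
\tspid=8701 seq=3 pid=14660
30.0.0.0/24[any] 10.0.0.0/24[any] icmp
\tin prio 1001 none
\tspid=8702 seq=2 pid=14660
10.0.0.0/24[any] 30.0.0.0/24[any] any
\tout prio def ipsec
\tesp/tunnel/20.0.0.1-40.0.0.1/unique
\tspid=8737 seq=1 pid=14660
30.0.0.0/24[any] 10.0.0.0/24[any] any
\tin prio def ipsec
\tesp/tunnel/40.0.0.1-20.0.0.1/unique
\tspid=8744 seq=0 pid=14660
"""
# Constructed mistake: the outbound bypass typed with 'any' instead of 'icmp'.
HOST1_SPD_BAD = HOST1_SPD.replace("[any] icmp\n\tout prio 1001 none",
                                  "[any] any\n\tout prio 1001 none")

if __name__ == "__main__":
    good = parse_spd(HOST1_SPD)
    for proto in ("icmp", "tcp"):
        p = lookup(good, "10.0.0.1", "30.0.0.1", proto, "out")
        print(f"{proto} 10.0.0.1->30.0.0.1 out: {p.action} {p.templates}")
    print("exposures (intended SPD):", cleartext_exposures(good))
    print("exposures (broad bypass):", cleartext_exposures(parse_spd(HOST1_SPD_BAD)))
```

Feed it the real dump from `setkey -DP` on each host (`parse_spd(open("spd.txt").read())`) and run `cleartext_exposures` before trusting a bypass entry; with the intended SPD the ICMP exception is narrower than the ESP selectors and nothing is reported, while the `any` typo is flagged immediately because the bypass both sorts first and covers the whole tunnel selector.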