[strongSwan] configuring charon with installpolicy=no

Andreas Steffen andreas.steffen at strongswan.org
Mon May 17 08:52:04 CEST 2010


Well,

if you define a single auto=route connection in ipsec.conf
and set reqid=1 using ip xfrm policy add then the connection
setup should work since by default charon is assigning reqids
in monotonically increasing order starting with 1. Be sure
to set

    reauth=no

Otherwise the periodic reauthentication would increase the reqid
to 2 and the reqids of IPsec SA and IPsec policy wouldn't match
any more.

Regards

Andreas

On 17.05.2010 08:31, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> Hi,
>
> Upgrading is not yet an option right now. Any suggestion on how to
> insert a higher priority policy? If I don't use "installpolicy=no" and
> let charon insert the policies, what will the priority be? I think
> stopping at "it uses the default priority" will not be enough for me, as
> I am using different IPsec implementations (at least one implementation I
> have has the reverse priority order from the usual one) and would like to
> control the priorities used by charon.
>
> By the way, I did try to remove "auto=route", I even tried "auto=add",
> "auto=ignore" and no success, exactly the same error message.
>
> I also tried to set the reqid using ip xfrm (I set it to an arbitrary 553):
>
> ip xfrm policy add dir in  src 30.0.0.0/24 dst 10.0.0.0/24 proto any tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 554 level required
>
> ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 553 level required
>
>
> I still get:
> 03[KNL] received a XFRM_MSG_ACQUIRE
> 03[KNL]   XFRMA_TMPL
> 03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] ===
> 30.0.0.1/32[icmp] with reqid {553}
> 09[CFG] trap not found, unable to acquire reqid 553
>
>
> (note: I tried the above with "auto=ignore")
>
>
> thanks
>
>
> -----Original Message-----
> From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Friday, May 14, 2010 3:58 PM
> To: Ayyash, Mohammad (NSN - FI/Espoo)
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] configuring charon with installpolicy=no
>
> Hi,
>
> strongSwan matches XFRM_ACQUIRE messages triggered by IPsec
> policies installed in the kernel based on the reqid. It seems
> that the manual spdadd command installs the policies with
> reqid 0, whereas the charon daemon starts to number connections
> installed with auto=route starting with reqid 1. Therefore
> no match for the acquire message is found and the connection
> does not come up.
>
> Starting with version 4.4.0, strongSwan allows assigning a fixed reqid
> to a connection definition with the reqid= option, e.g.
>
> conn CONFIG
>        ...
>        reqid=3
>        auto=route
>
> Regards
>
> Andreas
>
> On 05/14/2010 02:27 PM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
>> Hi,
>>
>> First off, I googled a lot before sending this email, but found no
>> answer.
>>
>> My question is:
>>
>> --------------------
>>
>> - How to properly configure Charon with "installpolicy=no", so that I
>> will be able to control the SPD policies' priority order.
>>
>> More details:
>>
>> --------------------
>>
>> I have two hosts: the first one (host1) has IP addresses 10.0.0.1/24 and
>> 20.0.0.1/24, the second one (host2) has IP addresses 30.0.0.1/24 and
>> 40.0.0.1/24.
>>
>> The scenario is that a VPN is to be established between 20.0.0.1 ===
>> 40.0.0.1, serving subnets 10.0.0.0/24 === 30.0.0.0/24.
>>
>> I want to be able to insert (just for the sake of example) an exception
>> to this security policy: if a ping goes from 10.0.0.1 to 30.0.0.1
>> (and the other way around), it should be passed through unencrypted.
>>
>> Ideally, I should be able to introduce SPD policies with higher
>> priorities, in a way that the ping policy has higher priority (I am
>> using setkey).
>>
>> Host1:
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 icmp -P out prio 1001 none;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 icmp -P in prio 1001 none;
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 any -P out prio 1000 ipsec
>> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 any -P in prio 1000 ipsec
>> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>>
>> Host2:
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 icmp -P in prio 1001 none;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 icmp -P out prio 1001 none;
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 any -P in prio 1000 ipsec
>> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 any -P out prio 1000 ipsec
>> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>>
>> (the above example works with IKEv1 Racoon, which doesn't try to play
>> with policies)
>>
>> In order to achieve the same with Charon, I have 2 ways: (A)
>> prevent Charon from installing the SPD policies, or (B) tell charon how
>> to treat priorities.
>>
>> Solution (A):
>>
>> ============
>>
>> Prevent Charon from installing policies, and do that manually instead. I
>> didn't go so far here: I tried to use installpolicy=no. Here is what I
>> did (only the "ipsec" policy is tried):
>>
>> Host1:
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 any -P out ipsec
>> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 any -P in ipsec
>> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>>
>> setkey -DP
>>
>> 30.0.0.0/24[any] 10.0.0.0/24[any] any
>>         in prio def ipsec
>>         esp/tunnel/40.0.0.1-20.0.0.1/require
>>         created: May 14 14:11:13 2010 lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=8744 seq=2 pid=14660
>>         refcnt=1
>> 10.0.0.0/24[any] 30.0.0.0/24[any] any
>>         out prio def ipsec
>>         esp/tunnel/20.0.0.1-40.0.0.1/require
>>         created: May 14 14:11:13 2010 lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=8737 seq=1 pid=14660
>>         refcnt=1
>> 30.0.0.0/24[any] 10.0.0.0/24[any] any
>>         fwd prio def ipsec
>>         esp/tunnel/40.0.0.1-20.0.0.1/require
>>         created: May 14 14:11:13 2010 lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=8754 seq=0 pid=14660
>>         refcnt=1
>>
>> ipsec.conf:
>>
>> config setup
>>         charonstart=yes
>>         plutostart=no
>>         charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>>
>> conn %default
>>         keyexchange=ikev2
>>         auto=route
>>         installpolicy=no
>>
>> ca strongswan
>>         cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
>>
>> conn CONFIG
>>         rekeymargin=2880
>>         rekeyfuzz=100%
>>         left=20.0.0.1
>>         right=40.0.0.1
>>         leftsubnet=10.0.0.0/24
>>         rightsubnet=30.0.0.0/24
>>         leftprotoport=%any
>>         rightprotoport=%any
>>         authby=secret
>>         leftid=20.0.0.1
>>         rightid=40.0.0.1
>>         ike=aes128-md5-modp1536
>>         esp=aes128-sha1
>>         type=tunnel
>>         ikelifetime=28800s
>>         keylife=28800s
>>
>> Now start starter:
>>
>> $ starter --nofork
>> Starting strongSwan 4.3.6 IPsec [starter]...
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>> 00[KNL] listening on interfaces:
>> 00[KNL] eth0
>> 00[KNL] 20.0.0.1
>> 00[KNL] fe80::209:6bff:fe58:6492
>> 00[KNL] eth1
>> 00[KNL] 192.168.0.250
>> 00[KNL] 10.0.0.1
>> 00[KNL] fe80::209:6bff:fe58:6493
>> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> 00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
>> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
>> 00[JOB] spawning 16 worker threads
>> charon (18334) started after 100 ms
>> 01[JOB] started worker thread, ID: 1
>> 01[JOB] no events, waiting
>> 03[JOB] started worker thread, ID: 3
>> 04[JOB] started worker thread, ID: 4
>> 05[JOB] started worker thread, ID: 5
>> 06[JOB] started worker thread, ID: 6
>> 06[NET] waiting for data on raw sockets
>> 08[JOB] started worker thread, ID: 8
>> 08[CFG] received stroke: add connection 'CONFIG'
>> 08[CFG] conn CONFIG
>> 08[CFG] left=20.0.0.1
>> 08[CFG] leftsubnet=10.0.0.0/24
>> 08[CFG] leftsourceip=(null)
>> 08[CFG] leftauth=(null)
>> 08[CFG] leftauth2=(null)
>> 08[CFG] leftid=20.0.0.1
>> 02[JOB] started worker thread, ID: 2
>> 07[JOB] started worker thread, ID: 7
>> 09[JOB] started worker thread, ID: 9
>> 10[JOB] started worker thread, ID: 10
>> 11[JOB] started worker thread, ID: 11
>> 12[JOB] started worker thread, ID: 12
>> 13[JOB] started worker thread, ID: 13
>> 14[JOB] started worker thread, ID: 14
>> 15[JOB] started worker thread, ID: 15
>> 16[JOB] started worker thread, ID: 16
>> 08[CFG] leftid2=(null)
>> 08[CFG] leftcert=(null)
>> 08[CFG] leftcert2=(null)
>> 08[CFG] leftca=(null)
>> 08[CFG] leftca2=(null)
>> 08[CFG] leftgroups=(null)
>> 08[CFG] leftupdown=(null)
>> 08[CFG] right=40.0.0.1
>> 08[CFG] rightsubnet=30.0.0.0/24
>> 08[CFG] rightsourceip=(null)
>> 08[CFG] rightauth=(null)
>> 08[CFG] rightauth2=(null)
>> 08[CFG] rightid=40.0.0.1
>> 08[CFG] rightid2=(null)
>> 08[CFG] rightcert=(null)
>> 08[CFG] rightcert2=(null)
>> 08[CFG] rightca=(null)
>> 08[CFG] rightca2=(null)
>> 08[CFG] rightgroups=(null)
>> 08[CFG] rightupdown=(null)
>> 08[CFG] eap_identity=(null)
>> 08[CFG] ike=aes128-md5-modp1536
>> 08[CFG] esp=aes128-sha1
>> 08[CFG] mediation=no
>> 08[CFG] mediated_by=(null)
>> 08[CFG] me_peerid=(null)
>> 08[KNL] getting interface name for 40.0.0.1
>> 08[KNL] 40.0.0.1 is not a local address
>> 08[KNL] getting interface name for 20.0.0.1
>> 08[KNL] 20.0.0.1 is on interface eth0
>> 08[CFG] added configuration 'CONFIG'
>> 02[CFG] received stroke: route 'CONFIG'
>> 02[CFG] proposing traffic selectors for us:
>> 02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
>> 02[CFG] proposing traffic selectors for other:
>> 02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
>> configuration 'CONFIG' routed
>>
>>
>> At this point, it is really irrelevant whether you configure host2 or not,
>> simply because nothing will be sent. Try a ping from host2 to host1
>> (which should be encrypted):
>>
>> ping -I 30.0.0.1 10.0.0.1
>>
>> 03[KNL] received a XFRM_MSG_ACQUIRE
>> 03[KNL]   XFRMA_TMPL
>> 03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] ===
>> 30.0.0.1/32[icmp] with reqid {0}
>> 10[CFG] trap not found, unable to acquire reqid 0
>>
>> Note that after this ping, a one-direction SAD entry is created:
>>
>> [root@pennywise ipsec-tools-0.8-alpha20090422]# setkey -D
>> 20.0.0.1 40.0.0.1
>>         esp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
>>         seq=0x00000000 replay=0 flags=0x00000000 state=larval
>>         created: May 14 15:22:52 2010 current: May 14 15:22:58 2010
>>         diff: 6(s) hard: 165(s) soft: 0(s)
>>         last: hard: 0(s) soft: 0(s)
>>         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
>>         allocated: 0 hard: 0 soft: 0
>>         sadb_seq=0 pid=18395 refcnt=0
>>
>> Given the spi=0, I guess this is just an initialized one, not yet
>> completed.
>>
>>
>> As far as I could tell from the "trap not found" error message, charon is
>> trying to find a matching SPD policy before it starts the IKE
>> negotiation, but it is not able to find it? Why is that?
>>
>>
>> Solution (B):
>>
>> ============
>>
>> Is there a way to control the order in which Charon installs SPD
>> policies?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
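The whole thread turns on one matching rule: charon pairs an XFRM_MSG_ACQUIRE with a routed (auto=route) connection by reqid, so with installpolicy=no the template reqid of every policy you install by hand must be one charon actually uses (1 upward per routed connection, or the value pinned with reqid= from 4.4.0 on). The script below is an added example, not code from strongSwan or from anyone in this thread. It parses `ip xfrm policy add` commands and charon's "creating acquire job ... with reqid {N}" log lines, checks the reqids against the set charon is expected to hold, and also checks the priority relation needed for the ICMP bypass exception. Assumptions are labelled in the code: the 1, 2, 3, ... numbering and the effect of reqid= are taken from Andreas' description rather than from charon's source, that a pinned reqid does not advance the counter is this example's own guess, and the "lower priority value is matched first" rule is that of the Linux XFRM policy database as driven by `ip xfrm`, not of setkey's `prio` keyword. The sample policies and the third log line are constructed; the first two log lines are the ones quoted above, joined onto one line each.

```python
"""Cross-check XFRM policy reqids against the reqids charon uses for traps.

Added example, not code from strongSwan or from anyone in this thread.  It
models the thread's explanation: charon matches an XFRM_MSG_ACQUIRE to a
routed (auto=route) connection by reqid, so with installpolicy=no the
template reqid of each manually installed policy must be one charon knows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# charon's log line, e.g. "creating acquire job for policy 10.0.0.1/32[icmp/8]
# === 30.0.0.1/32[icmp] with reqid {553}" (quoted in the thread, wrapped there).
ACQUIRE_RE = re.compile(r"creating acquire job for policy (?P<src>\S+) === (?P<dst>\S+) "
                        r"with reqid \{(?P<reqid>\d+)\}")


@dataclass
class XfrmPolicy:
    direction: str
    src: str
    dst: str
    reqid: Optional[int]     # template reqid; None when there is no "tmpl" (bypass policy)
    priority: Optional[int]  # None: "ip xfrm" default of 0


def parse_policy_cmd(cmd: str) -> XfrmPolicy:
    """Parse one 'ip xfrm policy add ...' command as typed in the shell."""
    tokens = cmd.split()
    if tokens[:4] != ["ip", "xfrm", "policy", "add"]:
        raise ValueError(f"not an 'ip xfrm policy add' command: {cmd!r}")

    def value_after(key: str) -> Optional[str]:
        # First occurrence wins: the selector's src/dst precede the template's,
        # and the selector has no reqid, so "reqid" always belongs to the template.
        try:
            return tokens[tokens.index(key) + 1]
        except (ValueError, IndexError):
            return None

    direction, src, dst = value_after("dir"), value_after("src"), value_after("dst")
    if not (direction and src and dst):
        raise ValueError(f"policy needs dir, src and dst: {cmd!r}")
    reqid, prio = value_after("reqid"), value_after("priority")
    return XfrmPolicy(direction, src, dst,
                      int(reqid) if reqid is not None else None,
                      int(prio) if prio is not None else None)


def bypass_overrides_tunnel(bypass: XfrmPolicy, tunnel: XfrmPolicy) -> bool:
    """Linux XFRM matches the policy with the lower priority value first, so an
    exception only wins if its value is strictly below the tunnel policy's."""
    return (bypass.priority or 0) < (tunnel.priority or 0)


def charon_trap_reqids(routed: List[str], fixed: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Reqids charon is expected to use, per the thread: routed connections are
    numbered 1, 2, 3, ... in routing order unless pinned with reqid= (4.4.0+),
    modelled by 'fixed'.  That a pinned value does not advance the counter is an
    assumption of this example."""
    fixed, result, counter = fixed or {}, {}, 1
    for name in routed:
        if name in fixed:
            result[name] = fixed[name]
        else:
            result[name], counter = counter, counter + 1
    return result


def check_policies(policies: List[XfrmPolicy], trap_reqids: Set[int]) -> List[str]:
    """Pre-flight check to run before any traffic triggers an acquire."""
    return [f"{p.direction} {p.src}->{p.dst}: tmpl reqid {p.reqid} matches no charon trap"
            for p in policies if p.reqid is not None and p.reqid not in trap_reqids]


def diagnose_acquires(log_lines: List[str], trap_reqids: Set[int]) -> List[dict]:
    """Classify each acquire charon logged by whether a trap can serve it."""
    findings = []
    for m in filter(None, map(ACQUIRE_RE.search, log_lines)):
        reqid = int(m.group("reqid"))
        if reqid == 0:
            status = "policy-has-no-reqid"  # what setkey spdadd left behind in the thread
        elif reqid in trap_reqids:
            status = "ok"
        else:
            status = "no-trap-for-reqid"    # charon then logs "trap not found"
        findings.append({"src": m.group("src"), "dst": m.group("dst"), "reqid": reqid, "status": status})
    return findings


# Constructed samples.  The first two acquire lines are the thread's (joined onto
# one line each); the third is made up to show a match with charon's reqid 1.
THREAD_LOG_LINES = [
    "03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] === 30.0.0.1/32[icmp] with reqid {0}",
    "03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] === 30.0.0.1/32[icmp] with reqid {553}",
    "03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] === 30.0.0.1/32[icmp] with reqid {1}",
]
HOST1_POLICIES = [  # tunnel policies carry reqid 1; the ICMP exception has no template
    "ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 2000 "
    "tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1",
    "ip xfrm policy add dir in src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 2000 "
    "tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1",
    "ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto icmp priority 1000",
    "ip xfrm policy add dir in src 30.0.0.0/24 dst 10.0.0.0/24 proto icmp priority 1000",
]

if __name__ == "__main__":
    traps = set(charon_trap_reqids(["CONFIG"]).values())   # {1} for a single routed conn
    policies = [parse_policy_cmd(c) for c in HOST1_POLICIES]
    print("policy problems:", check_policies(policies, traps) or "none")
    print("bypass wins:", bypass_overrides_tunnel(policies[2], policies[0]))
    for f in diagnose_acquires(THREAD_LOG_LINES, traps):
        print(f"acquire reqid {f['reqid']:>4}: {f['status']}")
```

Run against the thread's own log lines with a single routed connection, the reqid 0 acquire (setkey policies) and the reqid 553 acquire (arbitrary value) both come out as unmatchable, which is exactly the "trap not found" condition, while reqid 1 matches. The pre-flight check is the one worth scripting on a box that keeps installpolicy=no: run it after every policy change, and remember that with reauth=yes the connection's reqid would move on and the check would have to be repeated.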



