[strongSwan] configuring charon with installpolicy=no

Ayyash, Mohammad (NSN - FI/Espoo) mohammad.ayyash at nsn.com
Mon May 17 09:43:25 CEST 2010


hi,

It "almost" worked. The problem now is that ping gets no reply whatsoever.
I wonder why.

But can you please let me know if there is an even better way to control
policy priorities if I let charon insert them? Apparently, it is better
to let charon do that.

Here is a complete example of how the ping doesn't get any reply; both
hosts' logs:
================= Host1 ============================
ipsec.conf
config setup
        charonstart=yes
        plutostart=no
        charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
conn %default
        keyexchange=ikev2
        auto=route
        installpolicy=no
        reauth=no
ca strongswan
        cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
conn CONFIG
        rekeymargin=2880
        rekeyfuzz=100%
        left=20.0.0.1
        right=40.0.0.1
        leftsubnet=10.0.0.0/24
        rightsubnet=30.0.0.0/24
        leftprotoport=%any
        rightprotoport=%any
        authby=secret
        leftid=20.0.0.1
        rightid=40.0.0.1
        ike=aes128-md5-modp1536
        esp=aes128-sha1
        type=tunnel
        ikelifetime=28800s
        keylife=28800s


$ ip xfrm policy flush
$ ip xfrm policy add dir in  src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 1000 \
      tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1 level required
$ ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 1000 \
      tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1 level required
$ ip xfrm policy
src 30.0.0.0/24 dst 10.0.0.0/24
        dir in priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
        dir out priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel



$ starter --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     20.0.0.1
00[KNL]     fe80::209:6bff:fe58:6492
00[KNL]   eth1
00[KNL]     192.168.0.250
00[KNL]     10.0.0.1
00[KNL]     fe80::209:6bff:fe58:6493
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 20.0.0.1 40.0.0.1
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
attr resolve
00[JOB] spawning 16 worker threads
charon (19425) started after 140 ms
01[JOB] started worker thread, ID: 1
01[JOB] no events, waiting
07[JOB] started worker thread, ID: 7
08[JOB] started worker thread, ID: 8
06[JOB] started worker thread, ID: 6
09[JOB] started worker thread, ID: 9
09[NET] waiting for data on raw sockets
05[JOB] started worker thread, ID: 5
05[CFG] received stroke: add connection 'CONFIG'
05[CFG] conn CONFIG
05[CFG]   left=20.0.0.1
05[CFG]   leftsubnet=10.0.0.0/24
05[CFG]   leftsourceip=(null)
05[CFG]   leftauth=(null)
05[CFG]   leftauth2=(null)
05[CFG]   leftid=20.0.0.1
05[CFG]   leftid2=(null)
05[CFG]   leftcert=(null)
05[CFG]   leftcert2=(null)
05[CFG]   leftca=(null)
05[CFG]   leftca2=(null)
05[CFG]   leftgroups=(null)
05[CFG]   leftupdown=(null)
05[CFG]   right=40.0.0.1
05[CFG]   rightsubnet=30.0.0.0/24
05[CFG]   rightsourceip=(null)
05[CFG]   rightauth=(null)
05[CFG]   rightauth2=(null)
05[CFG]   rightid=40.0.0.1
05[CFG]   rightid2=(null)
05[CFG]   rightcert=(null)
05[CFG]   rightcert2=(null)
05[CFG]   rightca=(null)
05[CFG]   rightca2=(null)
05[CFG]   rightgroups=(null)
05[CFG]   rightupdown=(null)
05[CFG]   eap_identity=(null)
05[CFG]   ike=aes128-md5-modp1536
05[CFG]   esp=aes128-sha1
05[CFG]   mediation=no
05[CFG]   mediated_by=(null)
05[CFG]   me_peerid=(null)
14[JOB] started worker thread, ID: 14
15[JOB] started worker thread, ID: 15
16[JOB] started worker thread, ID: 16
02[JOB] started worker thread, ID: 2
10[JOB] started worker thread, ID: 10
11[JOB] started worker thread, ID: 11
12[JOB] started worker thread, ID: 12
04[JOB] started worker thread, ID: 4
03[JOB] started worker thread, ID: 3
13[JOB] started worker thread, ID: 13
05[KNL] getting interface name for 40.0.0.1
05[KNL] 40.0.0.1 is not a local address
05[KNL] getting interface name for 20.0.0.1
05[KNL] 20.0.0.1 is on interface eth0
05[CFG] added configuration 'CONFIG'
14[CFG] received stroke: route 'CONFIG'
14[CFG] proposing traffic selectors for us:
14[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
14[CFG] proposing traffic selectors for other:
14[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
configuration 'CONFIG' routed
09[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
09[NET] waiting for data on raw sockets
02[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
02[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
02[CFG]   candidate: 20.0.0.1...40.0.0.1, prio 12
02[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
02[IKE] 40.0.0.1 is initiating an IKE_SA
02[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
02[CFG] selecting proposal:
02[CFG]   proposal matches
02[CFG] received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
02[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
02[CFG] selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
01[JOB] next event in 29s 999ms, waiting
02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
02[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
06[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
09[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
09[NET] waiting for data on raw sockets
10[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
10[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
10[CFG] looking for peer configs matching
20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
10[CFG]   candidate "CONFIG", match: 20/20/12 (me/other/ike)
10[CFG] selected peer config 'CONFIG'
10[IKE] authentication of '40.0.0.1' with pre-shared key successful
10[IKE] peer supports MOBIKE
10[IKE] got additional MOBIKE peer address: 30.0.0.1
10[IKE] got additional MOBIKE peer address:
2001:490:ff0:c2c7:202:55ff:fe54:aad9
10[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
10[IKE] successfully created shared key MAC
10[IKE] IKE_SA CONFIG[1] established between
20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
10[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
10[IKE] scheduling rekeying in 25116s
01[JOB] next event in 29s 280ms, waiting
10[IKE] maximum IKE_SA lifetime 27996s
01[JOB] next event in 29s 231ms, waiting
10[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 ===
30.0.0.1/32[icmp/8] 30.0.0.0/24
10[CFG] proposing traffic selectors for us:
10[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
10[CFG] proposing traffic selectors for other:
10[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
10[CFG]   candidate "CONFIG" with prio 7+7
10[CFG] found matching child config "CONFIG" with prio 14
10[CFG] selecting proposal:
10[CFG]   proposal matches
10[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
10[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
10[KNL] getting SPI for reqid {2}
10[KNL] got SPI cc92e3ae for reqid {2}
10[CFG] selecting traffic selectors for us:
10[CFG]  config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] => match:
10.0.0.1/32[icmp]
10[CFG]  config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
10.0.0.0/24
10[CFG] selecting traffic selectors for other:
10[CFG]  config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] => match:
30.0.0.1/32[icmp/8]
10[CFG]  config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
30.0.0.0/24
10[KNL] adding SAD entry with SPI cc92e3ae and reqid {2}
10[KNL]   using encryption algorithm AES_CBC with key size 128
10[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
10[KNL] adding SAD entry with SPI cbd8e62e and reqid {2}
10[KNL]   using encryption algorithm AES_CBC with key size 128
10[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
10[IKE] CHILD_SA CONFIG{2} established with SPIs cc92e3ae_i cbd8e62e_o
and TS 10.0.0.0/24 === 30.0.0.0/24
10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
10[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
06[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
01[JOB] next event in 1ms, waiting
01[JOB] got event, queuing job for execution
01[JOB] next event in 25086s 718ms, waiting



$ ip xfrm state
src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xcc92e3ae reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
        enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xcbd8e62e reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
        enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676


$ tcpdump -i eth0 port 500 or port 4500 or ip proto 51 or ip proto 50
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:24:47.623723 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa
ikev2_init[I]
10:24:47.809724 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa
ikev2_init[]
10:24:48.261709 IP 40.0.0.1.ipsec-nat-t > 20.0.0.1.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
10:24:49.160183 IP 20.0.0.1.ipsec-nat-t > 40.0.0.1.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[]
10:24:49.468469 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1),
length 132
10:24:50.468321 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2),
length 132
10:24:51.467906 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3),
length 132
10:24:52.467547 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4),
length 132
10:24:53.468205 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5),
length 132


================== HOST 2 ===========================
ipsec.conf:
config setup
        charonstart=yes
        plutostart=no
        charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
conn %default
        keyexchange=ikev2
        auto=route
        installpolicy=no
        reauth=no
ca strongswan
        cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
conn CONFIG
        rekeymargin=2880
        rekeyfuzz=100%
        left=40.0.0.1
        right=20.0.0.1
        leftsubnet=30.0.0.0/24
        rightsubnet=10.0.0.0/24
        leftprotoport=%any
        rightprotoport=%any
        authby=secret
        leftid=40.0.0.1
        rightid=20.0.0.1
        ike=aes128-md5-modp1536
        esp=aes128-sha1
        type=tunnel
        ikelifetime=28800s
        keylife=28800s


$ ip xfrm policy flush
$ ip xfrm policy add dir out src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 1000 \
      tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1 level required
$ ip xfrm policy add dir in  src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 1000 \
      tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1 level required
$ ip xfrm policy
src 10.0.0.0/24 dst 30.0.0.0/24
        dir in priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
        dir out priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel


$ starter --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL]   eth2
00[KNL]     40.0.0.1
00[KNL]     2001:490:ff0:c2c7:202:55ff:fe54:aad9
00[KNL]     fe80::202:55ff:fe54:aad9
00[KNL]   eth3
00[KNL]     30.0.0.1
00[KNL]     fe80::202:55ff:fe54:aada
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 40.0.0.1 20.0.0.1
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
attr resolve
00[JOB] spawning 16 worker threads
charon (16019) started after 140 ms
01[JOB] started worker thread, ID: 1
01[JOB] no events, waiting
03[JOB] started worker thread, ID: 3
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
06[JOB] started worker thread, ID: 6
06[NET] waiting for data on raw sockets
08[JOB] started worker thread, ID: 8
08[CFG] received stroke: add connection 'CONFIG'
08[CFG] conn CONFIG
08[CFG]   left=40.0.0.1
08[CFG]   leftsubnet=30.0.0.0/24
08[CFG]   leftsourceip=(null)
08[CFG]   leftauth=(null)
08[CFG]   leftauth2=(null)
08[CFG]   leftid=40.0.0.1
02[JOB] started worker thread, ID: 2
07[JOB] started worker thread, ID: 7
09[JOB] started worker thread, ID: 9
10[JOB] started worker thread, ID: 10
11[JOB] started worker thread, ID: 11
12[JOB] started worker thread, ID: 12
13[JOB] started worker thread, ID: 13
14[JOB] started worker thread, ID: 14
15[JOB] started worker thread, ID: 15
16[JOB] started worker thread, ID: 16
08[CFG]   leftid2=(null)
08[CFG]   leftcert=(null)
08[CFG]   leftcert2=(null)
08[CFG]   leftca=(null)
08[CFG]   leftca2=(null)
08[CFG]   leftgroups=(null)
08[CFG]   leftupdown=(null)
08[CFG]   right=20.0.0.1
08[CFG]   rightsubnet=10.0.0.0/24
08[CFG]   rightsourceip=(null)
08[CFG]   rightauth=(null)
08[CFG]   rightauth2=(null)
08[CFG]   rightid=20.0.0.1
08[CFG]   rightid2=(null)
08[CFG]   rightcert=(null)
08[CFG]   rightcert2=(null)
08[CFG]   rightca=(null)
08[CFG]   rightca2=(null)
08[CFG]   rightgroups=(null)
08[CFG]   rightupdown=(null)
08[CFG]   eap_identity=(null)
08[CFG]   ike=aes128-md5-modp1536
08[CFG]   esp=aes128-sha1
08[CFG]   mediation=no
08[CFG]   mediated_by=(null)
08[CFG]   me_peerid=(null)
08[KNL] getting interface name for 20.0.0.1
08[KNL] 20.0.0.1 is not a local address
08[KNL] getting interface name for 40.0.0.1
08[KNL] 40.0.0.1 is on interface eth2
08[CFG] added configuration 'CONFIG'
02[CFG] received stroke: route 'CONFIG'
02[CFG] proposing traffic selectors for us:
02[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
configuration 'CONFIG' routed
03[KNL] received a XFRM_MSG_ACQUIRE
03[KNL]   XFRMA_TMPL
03[KNL] creating acquire job for policy 30.0.0.1/32[icmp/8] ===
10.0.0.1/32[icmp] with reqid {1}
10[IKE] queueing IKE_INIT task
10[IKE] queueing IKE_VENDOR task
10[IKE] queueing IKE_NATD task
10[IKE] queueing IKE_CERT_PRE task
10[IKE] queueing IKE_AUTHENTICATE task
10[IKE] queueing IKE_CERT_POST task
10[IKE] queueing IKE_CONFIG task
10[IKE] queueing IKE_AUTH_LIFETIME task
10[IKE] queueing IKE_MOBIKE task
10[IKE] queueing CHILD_CREATE task
10[IKE] activating new tasks
10[IKE]   activating IKE_INIT task
10[IKE]   activating IKE_VENDOR task
10[IKE]   activating IKE_NATD task
10[IKE]   activating IKE_CERT_PRE task
10[IKE]   activating IKE_AUTHENTICATE task
10[IKE]   activating IKE_CERT_POST task
10[IKE]   activating IKE_CONFIG task
10[IKE]   activating CHILD_CREATE task
10[IKE]   activating IKE_AUTH_LIFETIME task
10[IKE]   activating IKE_MOBIKE task
10[IKE] initiating IKE_SA CONFIG[1] to 20.0.0.1
10[IKE] IKE_SA CONFIG[1] state change: CREATED => CONNECTING
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
10[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
05[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
01[JOB] next event in 3s 999ms, waiting
06[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
06[NET] waiting for data on raw sockets
11[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
11[CFG] selecting proposal:
11[CFG]   proposal matches
11[CFG] received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
11[IKE] reinitiating already active tasks
11[IKE]   IKE_CERT_PRE task
11[IKE]   IKE_AUTHENTICATE task
11[IKE] authentication of '40.0.0.1' (myself) with pre-shared key
11[IKE] successfully created shared key MAC
11[IKE] establishing CHILD_SA CONFIG{1}
11[CFG] proposing traffic selectors for us:
11[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
11[CFG] proposing traffic selectors for other:
11[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
11[KNL] getting SPI for reqid {1}
11[KNL] got SPI cbd8e62e for reqid {1}
11[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
11[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
05[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
01[JOB] next event in 3s 378ms, waiting
06[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
06[NET] waiting for data on raw sockets
12[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) ]
12[IKE] authentication of '20.0.0.1' with pre-shared key successful
12[IKE] IKE_SA CONFIG[1] established between
40.0.0.1[40.0.0.1]...20.0.0.1[20.0.0.1]
12[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
01[JOB] next event in 2s 465ms, waiting
12[IKE] scheduling rekeying in 24709s
01[JOB] next event in 2s 465ms, waiting
12[IKE] maximum IKE_SA lifetime 27589s
12[CFG] selecting proposal:
12[CFG]   proposal matches
12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
12[CFG] selecting traffic selectors for us:
12[CFG]  config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
30.0.0.0/24
12[CFG] selecting traffic selectors for other:
12[CFG]  config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
10.0.0.0/24
12[KNL] adding SAD entry with SPI cbd8e62e and reqid {1}
12[KNL]   using encryption algorithm AES_CBC with key size 128
12[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
12[KNL] adding SAD entry with SPI cc92e3ae and reqid {1}
12[KNL]   using encryption algorithm AES_CBC with key size 128
12[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
12[IKE] CHILD_SA CONFIG{1} established with SPIs cbd8e62e_i cc92e3ae_o
and TS 30.0.0.0/24 === 10.0.0.0/24
12[IKE] peer supports MOBIKE
12[IKE] got additional MOBIKE peer address: 192.168.0.250
12[IKE] got additional MOBIKE peer address: 10.0.0.1
12[IKE] activating new tasks
12[IKE] nothing to initiate
01[JOB] got event, queuing job for execution
01[JOB] next event in 619ms, waiting
01[JOB] got event, queuing job for execution
01[JOB] next event in 24705s 911ms, waiting



$ ip xfrm state
src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xcc92e3ae reqid 1 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
        enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xcbd8e62e reqid 1 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
        enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676


$ tcpdump -i eth2 port 500 or port 4500 or ip proto 51 or ip proto 50
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
10:18:42.954850 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa
ikev2_init[I]
10:18:43.143401 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa
ikev2_init[]
10:18:43.593044 IP 40.0.0.1.ipsec-nat-t > 20.0.0.1.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
10:18:44.492888 IP 20.0.0.1.ipsec-nat-t > 40.0.0.1.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[]
10:18:44.801023 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1),
length 132
10:18:45.800963 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2),
length 132
10:18:46.800639 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3),
length 132
10:18:47.800361 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4),
length 132
10:18:48.800041 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5),
length 132


-----Original Message-----
From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Monday, May 17, 2010 9:52 AM
To: Ayyash, Mohammad (NSN - FI/Espoo)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] configuring charon with installpolicy=no

Well,

if you define a single auto=route connection in ipsec.conf
and set reqid=1 using ip xfrm policy add then the connection
setup should work since by default charon is assigning reqids
in monotonically increasing order starting with 1. Be sure
to set

    reauth=no

Otherwise the periodic reauthentication would increase the reqid
to 2 and the reqids of IPsec SA and IPsec policy wouldn't match
any more.

Regards

Andreas

On 17.05.2010 08:31, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> hi,
>
> Upgrading is not yet an option right now. Any suggestion on how to
> insert a higher priority policy? If I don't use "installpolicy=no" and
> let charon insert the policies, what will the priority be? I think
> stopping at "it uses the default priority" will not be enough for me,
> as I am using different IPsec implementations (at least one
> implementation I have has the reverse of the usual priority order) and
> would like to control the priorities used by charon.
>
> By the way, I did try to remove "auto=route", I even tried "auto=add",
> "auto=ignore" and no success, exactly the same error message.
>
> I also tried to set the reqid using ip xfrm (I set it to an arbitrary
> 553):
>
> ip xfrm policy add dir in  src 30.0.0.0/24 dst 10.0.0.0/24 proto any \
>     tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 554 level required
>
> ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any \
>     tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 553 level required
>
>
> I still get:
> 03[KNL] received a XFRM_MSG_ACQUIRE
> 03[KNL]   XFRMA_TMPL
> 03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] ===
> 30.0.0.1/32[icmp] with reqid {553}
> 09[CFG] trap not found, unable to acquire reqid 553
>
>
> (note: I tried the above with "auto=ignore")
>
>
> thanks
>
>
> -----Original Message-----
> From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Friday, May 14, 2010 3:58 PM
> To: Ayyash, Mohammad (NSN - FI/Espoo)
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] configuring charon with installpolicy=no
>
> Hi,
>
> strongSwan matches XFRM_ACQUIRE messages triggered by IPsec
> policies installed in the kernel based on the reqid. It seems
> that the manual spdadd command installs the policies with
> reqid 0 whereas the charon daemon starts to number connections
> installed with auto=route starting with reqid 1. Therefore
> no match for the acquire message is found and the connection
> does not come up.
>
> Starting with version 4.4.0 strongSwan allows assigning a fixed reqid
> to a connection definition with the reqid= option, e.g.
>
> conn CONFIG
>        ...
>        reqid=3
>        auto=route
>
> Regards
>
> Andreas
>
> On 05/14/2010 02:27 PM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
>> Hi,
>>
>> First off, I googled a lot before sending this email, but found no
> answer.
>>
>> My question is:
>>
>> --------------------
>>
>> - how to properly configure Charon with "installpolicy=no", so that I
>> will be able to control the SPD policy priority order.
>>
>> More details:
>>
>> --------------------
>>
>> I have two hosts: the first one (host1) has IP addresses 10.0.0.1/24 and
>> 20.0.0.1/24, the second one (host2) has IP addresses 30.0.0.1/24 and
>> 40.0.0.1/24.
>>
>> The scenario is that a VPN is to be established between 20.0.0.1 ===
>> 40.0.0.1, serving subnets 10.0.0.0/24 === 30.0.0.0/24.
>>
>> I want to be able to insert (just for the sake of example) an exception
>> to this security policy: if a ping goes from 10.0.0.1 to 30.0.0.1 (and
>> the other way around), it should be passed through unencrypted.
>>
>> Ideally, I should be able to introduce SPD policies with higher
>> priorities, in a way that the ping policy has higher priority (I am
>> using setkey).
>>
>> Host1:
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 icmp -P out prio 1001 none;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 icmp -P in prio 1001 none;
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 any -P out prio 1000 ipsec
>> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 any -P in prio 1000 ipsec
>> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>>
>> Host2:
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 icmp -P in prio 1001 none;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 icmp -P out prio 1001 none;
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 any -P in prio 1000 ipsec
>> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 any -P out prio 1000 ipsec
>> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>>
>> (the above example works with IKEv1 Racoon, which doesn't try to play
>> with policies)
>>
>> In order to achieve the same with Charon, I have two ways: (A) prevent
>> Charon from installing the SPD policies, or (B) tell Charon how to treat
>> priorities.
>>
>> Solution (A):
>>
>> ============
>>
>> Prevent Charon from installing policies, and do that manually instead.
>> I didn't go so far here: I tried to use installpolicy=no. Here is what I
>> did (only the "ipsec" policy is tried)
>>
>> Host1:
>>
>> spdadd 10.0.0.0/24 30.0.0.0/24 any -P out ipsec
>> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>>
>> spdadd 30.0.0.0/24 10.0.0.0/24 any -P in ipsec
>> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>>
>> setkey -DP
>>
>> 30.0.0.0/24[any] 10.0.0.0/24[any] any
>>         in prio def ipsec
>>         esp/tunnel/40.0.0.1-20.0.0.1/require
>>         created: May 14 14:11:13 2010 lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=8744 seq=2 pid=14660
>>         refcnt=1
>> 10.0.0.0/24[any] 30.0.0.0/24[any] any
>>         out prio def ipsec
>>         esp/tunnel/20.0.0.1-40.0.0.1/require
>>         created: May 14 14:11:13 2010 lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=8737 seq=1 pid=14660
>>         refcnt=1
>> 30.0.0.0/24[any] 10.0.0.0/24[any] any
>>         fwd prio def ipsec
>>         esp/tunnel/40.0.0.1-20.0.0.1/require
>>         created: May 14 14:11:13 2010 lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=8754 seq=0 pid=14660
>>         refcnt=1
>>
>> ipsec.conf:
>>
>> config setup
>>         charonstart=yes
>>         plutostart=no
>>         charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>> conn %default
>>         keyexchange=ikev2
>>         auto=route
>>         installpolicy=no
>> ca strongswan
>>         cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
>> conn CONFIG
>>         rekeymargin=2880
>>         rekeyfuzz=100%
>>         left=20.0.0.1
>>         right=40.0.0.1
>>         leftsubnet=10.0.0.0/24
>>         rightsubnet=30.0.0.0/24
>>         leftprotoport=%any
>>         rightprotoport=%any
>>         authby=secret
>>         leftid=20.0.0.1
>>         rightid=40.0.0.1
>>         ike=aes128-md5-modp1536
>>         esp=aes128-sha1
>>         type=tunnel
>>         ikelifetime=28800s
>>         keylife=28800s
>>
>> now start starter:
>>
>> $ starter --nofork
>> Starting strongSwan 4.3.6 IPsec [starter]...
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>> 00[KNL] listening on interfaces:
>> 00[KNL]   eth0
>> 00[KNL]     20.0.0.1
>> 00[KNL]     fe80::209:6bff:fe58:6492
>> 00[KNL]   eth1
>> 00[KNL]     192.168.0.250
>> 00[KNL]     10.0.0.1
>> 00[KNL]     fe80::209:6bff:fe58:6493
>> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> 00[CFG]   loaded IKE secret for 20.0.0.1 40.0.0.1
>> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
>> 00[JOB] spawning 16 worker threads
>> charon (18334) started after 100 ms
>> 01[JOB] started worker thread, ID: 1
>> 01[JOB] no events, waiting
>> 03[JOB] started worker thread, ID: 3
>> 04[JOB] started worker thread, ID: 4
>> 05[JOB] started worker thread, ID: 5
>> 06[JOB] started worker thread, ID: 6
>> 06[NET] waiting for data on raw sockets
>> 08[JOB] started worker thread, ID: 8
>> 08[CFG] received stroke: add connection 'CONFIG'
>> 08[CFG] conn CONFIG
>> 08[CFG]   left=20.0.0.1
>> 08[CFG]   leftsubnet=10.0.0.0/24
>> 08[CFG]   leftsourceip=(null)
>> 08[CFG]   leftauth=(null)
>> 08[CFG]   leftauth2=(null)
>> 08[CFG]   leftid=20.0.0.1
>> 02[JOB] started worker thread, ID: 2
>> 07[JOB] started worker thread, ID: 7
>> 09[JOB] started worker thread, ID: 9
>> 10[JOB] started worker thread, ID: 10
>> 11[JOB] started worker thread, ID: 11
>> 12[JOB] started worker thread, ID: 12
>> 13[JOB] started worker thread, ID: 13
>> 14[JOB] started worker thread, ID: 14
>> 15[JOB] started worker thread, ID: 15
>> 16[JOB] started worker thread, ID: 16
>> 08[CFG]   leftid2=(null)
>> 08[CFG]   leftcert=(null)
>> 08[CFG]   leftcert2=(null)
>> 08[CFG]   leftca=(null)
>> 08[CFG]   leftca2=(null)
>> 08[CFG]   leftgroups=(null)
>> 08[CFG]   leftupdown=(null)
>> 08[CFG]   right=40.0.0.1
>> 08[CFG]   rightsubnet=30.0.0.0/24
>> 08[CFG]   rightsourceip=(null)
>> 08[CFG]   rightauth=(null)
>> 08[CFG]   rightauth2=(null)
>> 08[CFG]   rightid=40.0.0.1
>> 08[CFG]   rightid2=(null)
>> 08[CFG]   rightcert=(null)
>> 08[CFG]   rightcert2=(null)
>> 08[CFG]   rightca=(null)
>> 08[CFG]   rightca2=(null)
>> 08[CFG]   rightgroups=(null)
>> 08[CFG]   rightupdown=(null)
>> 08[CFG]   eap_identity=(null)
>> 08[CFG]   ike=aes128-md5-modp1536
>> 08[CFG]   esp=aes128-sha1
>> 08[CFG]   mediation=no
>> 08[CFG]   mediated_by=(null)
>> 08[CFG]   me_peerid=(null)
>> 08[KNL] getting interface name for 40.0.0.1
>> 08[KNL] 40.0.0.1 is not a local address
>> 08[KNL] getting interface name for 20.0.0.1
>> 08[KNL] 20.0.0.1 is on interface eth0
>> 08[CFG] added configuration 'CONFIG'
>> 02[CFG] received stroke: route 'CONFIG'
>> 02[CFG] proposing traffic selectors for us:
>> 02[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
>> 02[CFG] proposing traffic selectors for other:
>> 02[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
>> configuration 'CONFIG' routed
>>
>>
>> At this point, it is really irrelevant whether you configure host2 or not,
>> simply because nothing will be sent. Try a ping from host2 to host1
>> (which should be encrypted):
>>
>> ping -I 30.0.0.1 10.0.0.1
>>
>> 03[KNL] received a XFRM_MSG_ACQUIRE
>> 03[KNL]   XFRMA_TMPL
>> 03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] === 30.0.0.1/32[icmp] with reqid {0}
>> 10[CFG] trap not found, unable to acquire reqid 0
>>
>> Note that after this ping, a one-direction SAD entry is created:
>>
>> [root@pennywise ipsec-tools-0.8-alpha20090422]# setkey -D
>> 20.0.0.1 40.0.0.1
>>         esp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
>>         seq=0x00000000 replay=0 flags=0x00000000 state=larval
>>         created: May 14 15:22:52 2010 current: May 14 15:22:58 2010
>>         diff: 6(s) hard: 165(s) soft: 0(s)
>>         last: hard: 0(s) soft: 0(s)
>>         current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
>>         allocated: 0 hard: 0 soft: 0
>>         sadb_seq=0 pid=18395 refcnt=0
>>
>> Given the spi=0, I guess this is just an initialized one, not yet
>> completed.
>>
>>
>> As far as I could tell from the "trap not found" error message, charon is
>> trying to find a matching SPD policy before it starts the IKE negotiation,
>> but it is not able to find it. Why is that?
>>
>>
>> Solution (B):
>>
>> ============
>>
>> Is there a way to control the order in which Charon installs SPD policies?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
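Editor's added example, not part of the thread and not strongSwan code: a small POSIX shell check that pulls the reqids out of "ip xfrm policy" and "ip xfrm state" output and reports policy templates referencing a reqid that no installed SA carries. Run against the output quoted in the thread it flags Host1: its manual policies reference reqid 1, but charon, which answered the exchange rather than initiating it there, allocated reqid {2} for the CHILD_SA ("getting SPI for reqid {2}") and installed both SAs with it. The kernel decrypts the inbound ESP seen in Host1's tcpdump, then drops the packet at the inbound policy check because the template's reqid does not match the SA's (the XfrmInTmplMismatch counter in /proc/net/xfrm_stat increments), so no ICMP reply is ever generated. Host2, where the acquire came from the reqid 1 trap, installed its SAs with reqid 1 and passes the check. The sample data is the thread's own output with the key material removed ("ip xfrm state" prints the live SA keys; they should not be pasted to a public list). The fwd check is an extra the thread does not discuss: Linux also consults a "dir fwd" policy for decrypted traffic that is forwarded rather than delivered locally, charon installs it when installpolicy=yes, and the manual setup here installs none.

```sh
#!/bin/sh
# Added example (not from the thread). Cross-check the reqids referenced by
# manually installed XFRM policy templates (installpolicy=no) against the
# reqids charon used for the IPsec SAs it installed. Sample data below is the
# "ip xfrm policy" / "ip xfrm state" output quoted for Host1 and Host2, with
# the auth/enc key lines removed.

HOST1_POLICY='src 30.0.0.0/24 dst 10.0.0.0/24
        dir in priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
        dir out priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel'

HOST1_STATE='src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xcc92e3ae reqid 2 mode tunnel
        replay-window 32 flag 20
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xcbd8e62e reqid 2 mode tunnel
        replay-window 32 flag 20'

HOST2_POLICY='src 10.0.0.0/24 dst 30.0.0.0/24
        dir in priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
        dir out priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel'

HOST2_STATE='src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xcc92e3ae reqid 1 mode tunnel
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xcbd8e62e reqid 1 mode tunnel'

# Every reqid named in "ip xfrm policy" (template lines) or "ip xfrm state"
# (SA lines) output, one per line, deduplicated.
xfrm_reqids() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "reqid") print $(i + 1) }' |
        sort -n | uniq
}

# Policy-template reqids for which no SA with the same reqid exists. Such a
# policy is never satisfied: an outbound acquire carries a reqid charon does
# not own ("trap not found"), and inbound ESP is decrypted under the SA but
# then dropped by the inbound policy check (XfrmInTmplMismatch).
xfrm_orphan_policy_reqids() {
    sa_reqids=$(xfrm_reqids "$2")
    for r in $(xfrm_reqids "$1"); do
        printf '%s\n' "$sa_reqids" | grep -qx "$r" || echo "$r"
    done
}

# Selectors that have a "dir in" policy but no "dir fwd" policy. Decrypted
# traffic that is forwarded to a host behind the gateway needs the fwd policy.
xfrm_missing_fwd() {
    printf '%s\n' "$1" | awk '
        /^src / { sel = $0; next }
        $1 == "dir" { seen[sel, $2] = 1; sels[sel] = 1 }
        END { for (s in sels) if (seen[s, "in"] && !seen[s, "fwd"]) print s }' |
        sort
}

xfrm_report() {
    printf '== %s ==\n' "$1"
    orphans=$(xfrm_orphan_policy_reqids "$2" "$3")
    if [ -n "$orphans" ]; then
        # $orphans is deliberately unquoted so the lines join with spaces
        printf 'policy reqid(s) without a matching SA: %s\n' "$(echo $orphans)"
    else
        echo 'policy and SA reqids agree'
    fi
    xfrm_missing_fwd "$2" | sed 's/^/no fwd policy for: /'
}

# On a live gateway replace the sample text with the real output:
#   xfrm_report "$(hostname)" "$(ip xfrm policy)" "$(ip xfrm state)"
xfrm_report Host1 "$HOST1_POLICY" "$HOST1_STATE"
xfrm_report Host2 "$HOST2_POLICY" "$HOST2_STATE"
```

The check only needs iproute2 and awk, so it can run on the gateway right after the CHILD_SA comes up; if it prints an orphan reqid, either pin the reqid on the charon side (reqid= in 4.4.0 and later, as mentioned in the thread) or re-add the manual policies with the reqid charon actually used.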