[strongSwan] ipsec monitoring with help of iptables, help needed
Andreas Schuldei
schuldei+strongswan at spotify.com
Thu May 5 08:46:34 CEST 2011
hi!
I am working on a reliable way to monitor existing IPsec connections
between hosts.
Currently I use this ferm (as a high-level ipsec dialect) framework for that.
(I think the ferm syntax is pretty obvious and easy to understand. If
it is desired I can also provide raw iptables output, of course.)
============
# General variables are defined in the directory
@include 'vars.ferm.d/';

table filter {
    # this is the chain that detects traffic which should have been encrypted
    # but was not. it does nothing, it is just good for packet counting later on
    chain iptraffic { NOP; }

    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # Accept IPSec traffic
        mod policy dir in pol ipsec ACCEPT;

        # detect non-ipsec traffic to hosts that should talk ipsec
        # key exchange traffic on port 500/UDP is legitimate
        saddr $ipsec_peers proto udp dport 500 ACCEPT;
        # traffic from ipsec peers that is NOT ipsec-protected, send to detection chain
        saddr $ipsec_peers proto ! esp jump iptraffic;

        # Include input rules, individual rules per host
        @include 'input.d/';
        REJECT;
    }

    chain OUTPUT {
        policy ACCEPT;

        # Accept IPSec traffic to make the OUTPUT quicker
        mod policy dir out pol ipsec ACCEPT;
        daddr $ipsec_peers proto udp dport 500 ACCEPT;
        daddr $ipsec_peers proto ! esp jump iptraffic;

        # include individual output rules, specific for each host
        @include 'output.d/';
    }

    chain FORWARD {
        @include 'forward.d/';
        REJECT;
    }
}
============
In order to see if there was any traffic through the detection chain
we regularly run this command (run from the monitoring software):
============
/sbin/iptables -v -L -Z iptraffic
============
That command both prints the values and resets (to zero) the counters
of the iptraffic chain. If the counters were not zero, there was
traffic that should have been IPsec protected, but was not. In that
case the monitoring system would raise a warning or alarm or so.
Should this work?
I implemented this and it does not work as expected. There are
unencrypted phantom packets. When I tcpdump on the router between the
hosts I see that none of those unencrypted packets that get detected
(and logged by iptables, if I so desire) really cross the wire. That
means I get a lot of false positives for monitoring alarms.
Is my ordering of iptables rules flawed? How should I do it right? Is
there a way to get rid of those phantom packets?
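A monitoring-side reader for the counter check described in the post, added here as an example and not part of the original message, of strongSwan or of ferm: it parses an `iptables -v -L iptraffic` listing into packet and byte totals and turns a non-zero count into an alarm. The listing text, the function names and the `run_check` wrapper are constructed for illustration; `-x` (print exact counters) is a real iptables option.

```python
import re
import subprocess

# Constructed sample of an `iptables -v -L iptraffic` listing (not captured
# from a real host); the counters are invented. The ferm NOP rule has no
# target, so the "target" column is empty on the rule line.
SAMPLE_OUTPUT = """Chain iptraffic (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1008            all  --  any    any     anywhere             anywhere
"""
ZERO_OUTPUT = SAMPLE_OUTPUT.replace("   12  1008", "    0     0")

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_count(token):
    """Turn a counter token such as '12' or '3K' into an int. Without -x,
    iptables abbreviates large counters with a K/M/G suffix."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("unexpected counter token: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def chain_counters(listing):
    """Sum the pkts and bytes columns over every rule line of the listing."""
    pkts = nbytes = 0
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0][0].isdigit():
            continue  # "Chain ..." header, column header or blank line
        pkts += parse_count(fields[0])
        nbytes += parse_count(fields[1])
    return pkts, nbytes

def cleartext_alarm(listing):
    """Return (alarm, message): alarm is True when any packet from an IPsec
    peer reached the detection chain, i.e. arrived or left unprotected."""
    pkts, nbytes = chain_counters(listing)
    if pkts:
        return True, "WARNING: %d unprotected packet(s), %d byte(s) hit iptraffic" % (pkts, nbytes)
    return False, "OK: no cleartext traffic from IPsec peers since last check"

def run_check(chain="iptraffic"):
    """Hypothetical monitoring entry point: list with exact (-x) counters and
    zero them (-Z) in the same call, as the original command does."""
    listing = subprocess.check_output(
        ["/sbin/iptables", "-v", "-x", "-L", "-Z", chain], text=True)
    return cleartext_alarm(listing)
```

Because `-Z` resets the counters as they are listed, each run reports only the traffic seen since the previous run, so the check interval sets how quickly an alarm fires.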