[strongSwan] Replicate Cisco like ACL with strongswan
Hans-Kristian Bakke
hkbakke at gmail.com
Mon May 30 08:27:39 CEST 2011
Hi
I need to set up an IPsec connection (in transport mode) directly
between two DNS servers (host to host). The point is that only
DNS-server traffic should use the tunnel.
This is normally easy using Cisco equipment, as an ACL can do this easily.
However, I am really struggling to find a way to do this with
strongSwan. Using leftprotoport and rightprotoport and separate
connections doesn't seem to work correctly.
The ACL I need to replicate on my end is this one (I have no influence
on the other end):
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
This is my ipsec.conf so far. I can't get rid of the feeling that
something is missing:
(using v4.2.4-5+lenny3 on Debian Lenny)
--
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charonstart=no
    plutostart=yes
    plutodebug=control
    nat_traversal=no
    plutostderrlog=/var/log/pluto.log

conn %default
    keyexchange=ikev1
    ikelifetime=28800
    keylife=3600
    auth=esp
    authby=psk
    auto=start
    type=transport
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    dpdaction=restart
    dpddelay=60
    dpdtimeout=500

conn dns1
    leftprotoport=tcp
    rightprotoport=tcp/53
    also=dns_SRV

conn dns2
    leftprotoport=udp
    rightprotoport=udp/53
    also=dns_SRV

conn dns3
    leftprotoport=udp/53
    rightprotoport=udp
    also=dns_SRV

conn dns4
    leftprotoport=tcp/53
    rightprotoport=tcp
    also=dns_SRV

conn dns_SRV
    left=10.17.0.11
    right=10.27.64.11
---
When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
ESTABLISHED) but the other ones don't seem to do anything.
The DNS traffic still goes out unencrypted.
How can I replicate the ACL perfectly with strongSwan?
Best regards
Hans-Kristian Bakke
Mob: 91 76 17 38
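As an added illustration of the mapping the message asks about (this is not part of the original post and not strongSwan or Cisco code), the script below parses Cisco ACEs of the exact shape quoted above and turns them into strongSwan conn sections with leftprotoport/rightprotoport. It assumes the same role assignment as the poster's ipsec.conf (left=10.17.0.11, right=10.27.64.11) and the same conn names (dns1..dnsN, shared section dns_SRV); both are choices made here, not anything strongSwan requires. The point it makes explicit is that an ACE describes one direction of a flow, while an IPsec traffic selector matches both directions, so each mirrored pair of ACEs collapses to a single conn and the eight permit lines become four selectors.

```python
import re

# Cisco extended ACE of the shape used in the message above:
#   permit <tcp|udp> host <src> [eq <sport>] host <dst> [eq <dport>]
# Only this subset is handled; anything else is rejected.
ACE_RE = re.compile(
    r"^permit\s+(tcp|udp)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$"
)

# Constructed sample input: the ACL quoted in the message.
ACL = [
    "permit tcp host 10.27.64.11 host 10.17.0.11 eq 53",
    "permit tcp host 10.17.0.11 eq 53 host 10.27.64.11",
    "permit tcp host 10.27.64.11 eq 53 host 10.17.0.11",
    "permit tcp host 10.17.0.11 host 10.27.64.11 eq 53",
    "permit udp host 10.27.64.11 host 10.17.0.11 eq 53",
    "permit udp host 10.17.0.11 eq 53 host 10.27.64.11",
    "permit udp host 10.27.64.11 eq 53 host 10.17.0.11",
    "permit udp host 10.17.0.11 host 10.27.64.11 eq 53",
]


def parse_ace(line):
    """Return (proto, src, sport, dst, dport); a port is '' when the ACE has no 'eq'."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE: %r" % line)
    proto, src, sport, dst, dport = m.groups()
    return proto, src, sport or "", dst, dport or ""


def acl_to_selectors(acl_lines, left, right):
    """Map ACEs onto (proto, left_port, right_port) IPsec traffic selectors.

    An ACE is one-directional, but an IPsec selector covers both directions
    of a flow, so the two mirrored ACEs of each flow yield the same selector
    and are kept only once. Order of first appearance is preserved.
    """
    selectors = []
    for line in acl_lines:
        proto, src, sport, dst, dport = parse_ace(line)
        if src == left and dst == right:
            sel = (proto, sport, dport)
        elif src == right and dst == left:
            sel = (proto, dport, sport)
        else:
            raise ValueError("ACE is not between %s and %s: %r" % (left, right, line))
        if sel not in selectors:
            selectors.append(sel)
    return selectors


def protoport(proto, port):
    """Render a strongSwan protoport value: 'tcp/53' for a fixed port, 'tcp' for any."""
    return "%s/%s" % (proto, port) if port else proto


def render_ipsec_conf(selectors, left, right, prefix="dns", base="dns_SRV"):
    """Emit one conn per selector plus the shared section they include via also=."""
    out = []
    for i, (proto, lport, rport) in enumerate(selectors, 1):
        out.append("conn %s%d" % (prefix, i))
        out.append("    leftprotoport=%s" % protoport(proto, lport))
        out.append("    rightprotoport=%s" % protoport(proto, rport))
        out.append("    also=%s" % base)
        out.append("")
    out.append("conn %s" % base)
    out.append("    left=%s" % left)
    out.append("    right=%s" % right)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    LEFT, RIGHT = "10.17.0.11", "10.27.64.11"  # same roles as the poster's config
    sels = acl_to_selectors(ACL, LEFT, RIGHT)
    print(render_ipsec_conf(sels, LEFT, RIGHT))
```

Running it prints four conns (tcp/53 to any, any to tcp/53, and the two UDP counterparts) followed by the shared dns_SRV section, which is the same selector set as the four conns in the message, just derived mechanically from the ACL. Because the output only covers port-53 flows between the two hosts, any other traffic between them falls outside every selector and is sent in the clear, which is the intended behaviour of the original ACL.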