[strongSwan] Replicate Cisco like ACL with strongswan

Hans-Kristian Bakke hkbakke at gmail.com
Mon May 30 10:51:00 CEST 2011


Hi

Thanks for your input.

I would love to use IKEv2, but it is sadly not an option.

Your changes to auto=start make sense, but dns1 is still the only
connection that establishes an SA (STATE_MAIN_I4 ISAKMP SA
ESTABLISHED). The other ones seem stuck in QUICK_INIT_I1. The
connection should be using main mode only.
If I run setkey -DP it only seems to add the UDP-connections if it
adds anything at all.

In the meantime I have configured racoon and setkey.conf (with 8
spdadd rules) and it does work for both lookups and zone transfers so
I know the other end is correctly setup.
After shutting down racoon I can't establish the connections again
(timing out) so I guess I have to wait for the connections to time out
(dpd is perhaps not used in both ends), so perhaps strongswan is
working after your changes too?

I will try again after a couple of hours when the connections
hopefully have died on all ends.

Questions:
- Is QUICK_INIT in statusall related to aggressive mode, and if so is
it possible to force MAIN (I thought strongswan didn't support
aggressive at all)?
- Don't I need 8 conn definitions in ipsec.conf too? I seem to be
missing half the connections from the other end with my config
compared to ACL/setkey.conf. Should I add a duplicate set of conn with
a reversed "pair" of left and right IPs, or is this not necessary as
strongswan decides what left and right is for itself and therefore
does this automatically?

Regards,
Hans-Kristian Bakke




On Mon, May 30, 2011 at 09:17, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Hans-Kristian,
>
> first I recommend using IKEv2, which is much faster
> and more robust:
>
> config setup
>        charonstart=yes
>        plutostart=no
>
> conn %default
>        keyexchange=ikev2
>        ikelifetime=28800
>        keylife=3600
>        auth=esp
>        authby=psk
>        type=transport
>        ike=aes128-sha1-modp1024!
>        esp=aes128-sha1-modp1024!
>        dpdaction=restart
>        dpddelay=60
>        dpdtimeout=500
>
> You can still log to a file using strongswan.conf:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> Do not put auto=start into the "conn %default" section since
> "conn dns_SRV" will also be started, allowing all protocols.
>
> Rather define:
>
> conn dns1
>        also=dns_SRV
>        leftprotoport=tcp
>        rightprotoport=tcp/53
>        auto=start
>
> conn dns2
>        also=dns_SRV
>        leftprotoport=udp
>        rightprotoport=udp/53
>        auto=start
>
> conn dns3
>        also=dns_SRV
>        leftprotoport=udp/53
>        rightprotoport=udp
>        auto=start
>
> conn dns4
>        also=dns_SRV
>        leftprotoport=tcp/53
>        rightprotoport=tcp
>        auto=start
>
> conn dns_SRV
>        left=10.17.0.11
>        right=10.27.64.11
>
> Best regards
>
> Andreas
>
> On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
>>
>> Hi
>>
>> I need to set up an IPsec connection (in transport mode) directly
>> between two DNS-servers (host to host). The point is that only
>> DNS-server traffic should use the tunnel.
>> This is normally easy using Cisco equipment as an ACL can do this easily.
>> However I am really struggling to find a way to do this with
>> strongSwan. Using leftprotoport and rightprotoport and separate
>> connections doesn't seem to work correctly.
>>
>> The ACL I need to replicate on my end is this one (I have no influence
>> on the other end):
>>  permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
>>  permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
>>  permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
>>  permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
>>  permit udp host 10.27.64.11 host 10.17.0.11 eq 53
>>  permit udp host 10.17.0.11 eq 53 host 10.27.64.11
>>  permit udp host 10.27.64.11 eq 53 host 10.17.0.11
>>  permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>>
>> This is my ipsec.conf so far. I can't get rid of the feeling that
>> something is missing:
>> (using v4.2.4-5+lenny3 on Debian Lenny)
>> --
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>        charonstart=no
>>        plutostart=yes
>>        plutodebug=control
>>        nat_traversal=no
>>        plutostderrlog=/var/log/pluto.log
>>
>> conn %default
>>        keyexchange=ikev1
>>        ikelifetime=28800
>>        keylife=3600
>>        auth=esp
>>        authby=psk
>>        auto=start
>>        type=transport
>>        ike=aes128-sha1-modp1024
>>        esp=aes128-sha1-modp1024
>>        dpdaction=restart
>>        dpddelay=60
>>        dpdtimeout=500
>>
>> conn dns1
>>        leftprotoport=tcp
>>        rightprotoport=tcp/53
>>        also=dns_SRV
>>
>> conn dns2
>>        leftprotoport=udp
>>        rightprotoport=udp/53
>>        also=dns_SRV
>>
>> conn dns3
>>        leftprotoport=udp/53
>>        rightprotoport=udp
>>        also=dns_SRV
>>
>> conn dns4
>>        leftprotoport=tcp/53
>>        rightprotoport=tcp
>>        also=dns_SRV
>>
>> conn dns_SRV
>>        left=10.17.0.11
>>        right=10.27.64.11
>> ---
>>
>> When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
>> ESTABLISHED) but the other ones don't seem to do anything.
>> The DNS-traffic still goes out unencrypted.
>>
>> How can I replicate the ACL perfectly with strongswan?
>>
>> Mvh
>>
>> Hans-Kristian Bakke
>> Mob: 91 76 17 38
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
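A constructed check of the second question above (added here; not code from the thread or from strongSwan): it expands the four conn definitions into the one-way permits they stand for, on the assumption that one strongSwan conn covers traffic in both directions, and diffs the result against the eight ACL lines posted. The helper names are this example's own.

```python
# Constructed example for this thread (not code from the thread or strongSwan):
# one strongSwan conn covers both directions, so each leftprotoport/rightprotoport
# pair maps to two one-way Cisco ACL permits. Helper names are this example's own.
# The four conns from the thread, with also=dns_SRV already resolved.
DNS_SRV = {"left": "10.17.0.11", "right": "10.27.64.11"}
CONNS = {
    "dns1": {**DNS_SRV, "leftprotoport": "tcp", "rightprotoport": "tcp/53"},
    "dns2": {**DNS_SRV, "leftprotoport": "udp", "rightprotoport": "udp/53"},
    "dns3": {**DNS_SRV, "leftprotoport": "udp/53", "rightprotoport": "udp"},
    "dns4": {**DNS_SRV, "leftprotoport": "tcp/53", "rightprotoport": "tcp"},
}
# The eight ACL lines posted in the thread (copied verbatim).
ACL_FROM_THREAD = """
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
"""

def parse_protoport(spec):
    """'tcp/53' -> ('tcp', 53); a bare 'tcp' means any port -> ('tcp', None)."""
    proto, _, port = spec.partition("/")
    return proto, (int(port) if port else None)

def acl_line(proto, src, sport, dst, dport):
    """Render one Cisco extended-ACL permit; 'eq' follows the host it qualifies."""
    src_part = f"host {src}" + (f" eq {sport}" if sport else "")
    dst_part = f"host {dst}" + (f" eq {dport}" if dport else "")
    return f"permit {proto} {src_part} {dst_part}"

def conn_to_acl(conn):
    """One conn -> the two one-way permits it covers (left->right, right->left)."""
    lproto, lport = parse_protoport(conn["leftprotoport"])
    rproto, rport = parse_protoport(conn["rightprotoport"])
    if lproto != rproto:
        raise ValueError(f"protocol mismatch: {lproto} vs {rproto}")
    return {
        acl_line(lproto, conn["left"], lport, conn["right"], rport),
        acl_line(lproto, conn["right"], rport, conn["left"], lport),
    }

def compare_policy(conns, acl_text):
    """Both lists empty means the conns cover exactly the ACL's permits."""
    generated = set().union(*(conn_to_acl(c) for c in conns.values()))
    wanted = {ln.strip() for ln in acl_text.splitlines() if ln.strip()}
    return {"missing": sorted(wanted - generated), "extra": sorted(generated - wanted)}
```

With all four conns the diff is empty, so a reversed duplicate set of conns would only add redundant policies; dropping dns3 and dns4 leaves exactly the four permits where port 53 sits on the 10.17.0.11 side uncovered.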