[strongSwan] Replicate Cisco like ACL with strongswan
hkbakke at gmail.com
Mon May 30 10:51:00 CEST 2011
Thanks for your input.
I would love to use IKEv2, but it is sadly not an option.
Your changes to auto=start make sense, but dns1 is still the only
connection that establishes an SA (STATE_MAIN_I4 ISAKMP SA
ESTABLISHED). The other ones seem stuck in QUICK_INIT_I1. The
connection should be using main mode only.
If I run setkey -DP it only seems to add the UDP-connections if it
adds anything at all.
In the meantime I have configured racoon and setkey.conf (with 8
spdadd rules) and it does work for both lookups and zone transfers so
I know the other end is correctly setup.
After shutting down racoon I can't establish the connections again
(timing out) so I guess I have to wait for the connections to time out
(dpd is perhaps not used in both ends), so perhaps strongswan is
working after your changes too?
I will try again after a couple of hours when the connections
hopefully have died at all ends.
- Is QUICK_INIT in statusall related to aggressive mode, and if so is
it possible to force MAIN (I thought strongswan didn't support
aggressive at all)?
- Don't I need 8 conn definitions in ipsec.conf too? I seem to be
missing half the connections from the other end with my config
compared to ACL/setkey.conf. Should I add a duplicate set of conn with
a reversed "pair" of left and right IPs, or is this not necessary as
strongswan decides what left and right is for itself and therefore
does this automatically?
On Mon, May 30, 2011 at 09:17, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Hans-Kristian,
> first I recommend using IKEv2, which is much faster
> and more robust:
> config setup
> conn %default
> You can still log to a file using strongswan.conf:
> Do not put auto=start into the "conn %default" section since
> "conn dns_SRV" will also be started, allowing all protocols.
> Rather define:
> conn dns1
> conn dns2
> conn dns3
> conn dns4
> conn dns_SRV
> Best regards
> On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
>> I need to set up an IPsec connection (in transport mode) directly
>> between two DNS-servers (host to host). The point is that only
>> DNS-server traffic should use the tunnel.
>> This is normally easy using Cisco equipment as an ACL can do this easily.
>> However I am really struggling to find a way to do this with
>> strongSwan. Using leftprotoport and rightprotoport and separate
>> connections doesn't seem to work correctly.
>> The ACL I need to replicate on my end is this one (I have no influence
>> on the other end):
>> permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
>> permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
>> permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
>> permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
>> permit udp host 10.27.64.11 host 10.17.0.11 eq 53
>> permit udp host 10.17.0.11 eq 53 host 10.27.64.11
>> permit udp host 10.27.64.11 eq 53 host 10.17.0.11
>> permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>> This is my ipsec.conf so far. I can't get rid of the feeling that
>> something is missing:
>> (using v4.2.4-5+lenny3 on Debian Lenny)
>> # ipsec.conf - strongSwan IPsec configuration file
>> # basic configuration
>> config setup
>> conn %default
>> conn dns1
>> conn dns2
>> conn dns3
>> conn dns4
>> conn dns_SRV
>> When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
>> ESTABLISHED) but the other ones don't seem to do anything.
>> The DNS-traffic still goes out unencrypted.
>> How can I replicate the ACL perfectly with strongswan?
>> Hans-Kristian Bakke
>> Mob: 91 76 17 38
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
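As an added example (not the ipsec.conf from this thread), here is how the eight ACL lines quoted above map onto four strongSwan IKEv1 transport-mode conns: an IPsec SA is bidirectional, so each "permit ... eq 53" line and its reverse line are one traffic selector. It assumes PSK authentication (ipsec.secrets not shown) and that the remote end accepts per-port selectors; the conn names are made up for this example.

```ini
# ipsec.conf - added example, host-to-host transport mode, IKEv1 only
# Addresses are the two DNS hosts from the ACL.

config setup
        # nothing special needed here for this example

conn %default
        keyexchange=ikev1        # IKEv2 is not an option on this link
        type=transport           # host to host, no tunnel
        authby=secret            # assumption: PSK in ipsec.secrets
        left=10.27.64.11
        right=10.17.0.11
        # strongSwan works out which of left/right is the local host from
        # its own interface addresses, so no mirrored set of conns is needed.
        # auto=start is set per conn, not here, so that no catch-all conn
        # (one without protoport restrictions) gets started by accident.

# ACL pair: permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
#           permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
conn dns_tcp_right53
        leftprotoport=tcp        # any local port
        rightprotoport=tcp/53
        auto=start

# ACL pair: permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
#           permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
conn dns_tcp_left53
        leftprotoport=tcp/53
        rightprotoport=tcp
        auto=start

# ACL pair: permit udp host 10.27.64.11 host 10.17.0.11 eq 53
#           permit udp host 10.17.0.11 eq 53 host 10.27.64.11
conn dns_udp_right53
        leftprotoport=udp
        rightprotoport=udp/53
        auto=start

# ACL pair: permit udp host 10.27.64.11 eq 53 host 10.17.0.11
#           permit udp host 10.17.0.11 host 10.27.64.11 eq 53
conn dns_udp_left53
        leftprotoport=udp/53
        rightprotoport=udp
        auto=start
```

After `ipsec restart`, `ipsec statusall` should list one quick mode (IPsec SA) per conn, and `setkey -DP` should show the matching TCP and UDP port-53 policies in both directions.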