[strongSwan] Replicate Cisco like ACL with strongswan
Andreas Steffen
andreas.steffen at strongswan.org
Mon May 30 11:45:05 CEST 2011
Hello Hans-Kristian,
see my inline comments.
Regards
Andreas
On 05/30/2011 10:51 AM, Hans-Kristian Bakke wrote:
> Hi
>
> Thanks for your input.
>
> I would love to use IKEv2, but it is sadly not an option.
>
> Your changes to auto=start make sense but dns1 is still the only
> connection that establishes an SA (STATE_MAIN_I4 ISAKMP SA
> ESTABLISHED). The other ones seem stuck in QUICK_INIT_I1. The
> connection should be using main mode only.
> If I run setkey -DP it only seems to add the UDP-connections if it
> adds anything at all.
>
> In the meantime I have configured racoon and setkey.conf (with 8
> spdadd rules) and it does work for both lookups and zone transfers so
> I know the other end is correctly setup.
> After shutting down racoon I can't establish the connections again
> (timing out) so I guess I have to wait for the connections to time out
> (dpd is perhaps not used on both ends), so perhaps strongswan is
> working after your changes too?
>
> I will try again after a couple of hours when the connections
> hopefully have died on all ends.
>
> Questions:
> - Is QUICK_INIT in statusall related to aggressive mode, and if so is
> it possible to force MAIN (I thought strongswan didn't support
> aggressive at all)?
Phase 2 Quick Mode is always required after Phase 1 Main Mode to
set up the actual IPsec SAs. In your case 4 Quick Modes will be
needed to set up dns1 .. dns4, but only one Main Mode. I think
you get stuck somewhere during the setup of the first Quick Mode
since Main Mode gets established. A log file would be helpful.
> - Don't I need 8 conn definitions in ipsec.conf too? I seem to be
> missing half the connections from the other end with my config
> compared to ACL/setkey.conf. Should I add a duplicate set of conn with
> a reversed "pair" of left and right IPs or is this not necessary as
> strongswan decides what left and right is for itself and therefore
> does this automatically?
>
4 connection definitions are sufficient since the IPsec Policies
are set up pairwise in the kernel (both inbound and outbound).
> Regards,
> Hans-Kristian Bakke
>
>
>
>
> On Mon, May 30, 2011 at 09:17, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hello Hans-Kristian,
>>
>> first I recommend to use IKEv2 which is much faster
>> and more robust:
>>
>> config setup
>>     charonstart=yes
>>     plutostart=no
>>
>> conn %default
>>     keyexchange=ikev2
>>     ikelifetime=28800
>>     keylife=3600
>>     auth=esp
>>     authby=psk
>>     type=transport
>>     ike=aes128-sha1-modp1024!
>>     esp=aes128-sha1-modp1024!
>>     dpdaction=restart
>>     dpddelay=60
>>     dpdtimeout=500
>>
>> You can still log to a file using strongswan.conf:
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>> Do not put auto=start into the "conn %default" section since
>> "conn dns_SRV" will also be started, allowing all protocols.
>>
>> Rather define:
>>
>> conn dns1
>>     also=dns_SRV
>>     leftprotoport=tcp
>>     rightprotoport=tcp/53
>>     auto=start
>>
>> conn dns2
>>     also=dns_SRV
>>     leftprotoport=udp
>>     rightprotoport=udp/53
>>     auto=start
>>
>> conn dns3
>>     also=dns_SRV
>>     leftprotoport=udp/53
>>     rightprotoport=udp
>>     auto=start
>>
>> conn dns4
>>     also=dns_SRV
>>     leftprotoport=tcp/53
>>     rightprotoport=tcp
>>     auto=start
>>
>> conn dns_SRV
>>     left=10.17.0.11
>>     right=10.27.64.11
>>
>> Best regards
>>
>> Andreas
>>
>> On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
>>>
>>> Hi
>>>
>>> I need to set up an IPsec connection (in transport mode) directly
>>> between two DNS-servers (host to host). The point is that only
>>> DNS-server traffic should use the tunnel.
>>> This is normally easy using Cisco equipment as an ACL can do this easily.
>>> However I am really struggling to find a way to do this with
>>> strongSwan. Using leftprotoport and rightprotoport and separate
>>> connections doesn't seem to work correctly.
>>>
>>> The ACL I need to replicate on my end is this one (I have no influence
>>> on the other end):
>>> permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
>>> permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
>>> permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
>>> permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
>>> permit udp host 10.27.64.11 host 10.17.0.11 eq 53
>>> permit udp host 10.17.0.11 eq 53 host 10.27.64.11
>>> permit udp host 10.27.64.11 eq 53 host 10.17.0.11
>>> permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>>>
>>> This is my ipsec.conf so far. I can't get rid of the feeling that
>>> something is missing:
>>> (using v4.2.4-5+lenny3 on Debian Lenny)
>>> --
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> # basic configuration
>>>
>>> config setup
>>>     charonstart=no
>>>     plutostart=yes
>>>     plutodebug=control
>>>     nat_traversal=no
>>>     plutostderrlog=/var/log/pluto.log
>>>
>>> conn %default
>>>     keyexchange=ikev1
>>>     ikelifetime=28800
>>>     keylife=3600
>>>     auth=esp
>>>     authby=psk
>>>     auto=start
>>>     type=transport
>>>     ike=aes128-sha1-modp1024
>>>     esp=aes128-sha1-modp1024
>>>     dpdaction=restart
>>>     dpddelay=60
>>>     dpdtimeout=500
>>>
>>> conn dns1
>>>     leftprotoport=tcp
>>>     rightprotoport=tcp/53
>>>     also=dns_SRV
>>>
>>> conn dns2
>>>     leftprotoport=udp
>>>     rightprotoport=udp/53
>>>     also=dns_SRV
>>>
>>> conn dns3
>>>     leftprotoport=udp/53
>>>     rightprotoport=udp
>>>     also=dns_SRV
>>>
>>> conn dns4
>>>     leftprotoport=tcp/53
>>>     rightprotoport=tcp
>>>     also=dns_SRV
>>>
>>> conn dns_SRV
>>>     left=10.17.0.11
>>>     right=10.27.64.11
>>> ---
>>>
>>> When I run ipsec statusall dns1 gets to STATE_MAIN_I4 (ISAKMP SA
>>> ESTABLISHED) but the other ones don't seem to do anything.
>>> The DNS-traffic still goes out unencrypted.
>>>
>>> How can I replicate the ACL perfectly with strongswan?
>>>
>>> Best regards
>>>
>>> Hans-Kristian Bakke
>>> Mob: 91 76 17 38
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
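Added example, not code from the thread or from strongSwan: it expands the four conn definitions discussed above into the pairwise kernel selectors Andreas describes (one outbound, one inbound per conn) and checks that they line up exactly with the eight Cisco ACL lines quoted in the original post. The host addresses and protoport values are taken from the thread; the ACL rendering is an assumption of standard extended-ACL syntax.

```python
# Added example (not strongSwan code): each conn in the thread with
# left/rightprotoport becomes a pair of kernel IPsec policies, one
# outbound and one inbound, so the 4 conns cover all 8 Cisco ACL lines.
LEFT, RIGHT = "10.17.0.11", "10.27.64.11"  # local host, Cisco side
CONNS = {                                   # (leftprotoport, rightprotoport)
    "dns1": ("tcp", "tcp/53"),
    "dns2": ("udp", "udp/53"),
    "dns3": ("udp/53", "udp"),
    "dns4": ("tcp/53", "tcp"),
}
# The ACL quoted in the original post, used as the expected result.
CISCO_ACL = """\
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
""".splitlines()

def parse_protoport(spec):
    """'tcp/53' -> ('tcp', 53); 'tcp' alone means any port -> ('tcp', None)."""
    proto, _, port = spec.partition("/")
    return proto, (int(port) if port else None)

def kernel_policies(conns):
    """Expand conns into (direction, proto, src, sport, dst, dport) selectors."""
    pols = []
    for lp, rp in conns.values():
        proto, lport = parse_protoport(lp)
        _, rport = parse_protoport(rp)
        pols.append(("out", proto, LEFT, lport, RIGHT, rport))
        pols.append(("in", proto, RIGHT, rport, LEFT, lport))
    return pols

def to_acl(pol):
    """Render one selector as a Cisco extended-ACL permit line."""
    _, proto, src, sport, dst, dport = pol
    src_part = f"host {src}" + (f" eq {sport}" if sport else "")
    dst_part = f"host {dst}" + (f" eq {dport}" if dport else "")
    return f"permit {proto} {src_part} {dst_part}"

def compare():
    """Return (ACL lines no conn covers, conn selectors the ACL lacks)."""
    generated = {to_acl(p) for p in kernel_policies(CONNS)}
    wanted = set(CISCO_ACL)
    return sorted(wanted - generated), sorted(generated - wanted)
```

Both lists returned by compare() are empty for the thread's configuration; a non-empty first list would point at an ACL entry that still needs a conn, a non-empty second list at a conn that would protect more than the far end accepts.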