[strongSwan] Kernel policy priority
divya mohan
m.divya.mohan at zoho.com
Thu Jul 24 09:06:17 CEST 2014
Hi,
I have a query regarding the priority assigned to kernel policies.
I have a setup like:
Node X =====[ A ]===== DUT ====== [ B ]===== Node Y
(10.22.115.70) (10.22.117.250) (10.104.39.40)
I am running IKEv2 (strongSwan 4.4.0) on DUT.
DUT has IPSec tunnels towards Node X and Node Y (denoted as A and B in diagram).
Towards Node X, all traffic needs to be encrypted, hence a blanket
policy is used [tunnel A: 0.0.0.0/0 <==> 0.0.0.0/0].
Towards Node Y, encryption is needed for the specific subnet [tunnel
B: 10.22.117.0/24 <==> 10.104.39.0/24].
I am assuming this setup works, as the kernel policies added by strongSwan
give higher priority to the "/24" subnet than to the "/0" subnet.
Hence traffic towards Node Y should use tunnel B (as it will have
higher priority), and any other traffic should use tunnel A.
This works fine if I configure both tunnels, and then start the traffic.
In this case, tunnel B has higher priority.
----------------------------------------------
Before starting traffic:
# ip xfrm policy
src 10.104.39.0/24 dst 10.22.117.0/24 proto icmp
dir fwd priority 2758
tmpl src 10.104.39.40 dst 10.22.117.250
proto esp reqid 2 mode tunnel
.
.
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
dir fwd priority 2998
tmpl src 10.22.115.70 dst 10.22.117.250
proto esp reqid 1 mode tunnel
----------------------------------------------
The problem is observed if I follow this order:
1. Configure tunnel A.
2. Start traffic, so that CHILD_SAs are established.
3. Configure tunnel B and send SIGHUP to starter.
Now, traffic intended to be sent to Node Y (via tunnel B) seems to be
using tunnel A instead.
This seems to be caused by the kernel policy priority being modified when
the child SA is installed.
--------------------------------------------------
After tunnel A configuration:
# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
dir fwd priority 2998
tmpl src 10.22.115.70 dst 10.22.117.250
proto esp reqid 1 mode tunnel
After child sa establishment:
# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
dir fwd priority 1998
tmpl src 10.22.115.70 dst 10.22.117.250
proto esp reqid 1 mode tunnel
After configuring tunnel B:
# ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
dir fwd priority 1998
tmpl src 10.22.115.70 dst 10.22.117.250
proto esp reqid 1 mode tunnel
.
.
src 10.104.39.0/24 dst 10.22.117.0/24 proto icmp
dir fwd priority 2758
tmpl src 10.104.39.40 dst 10.22.117.250
proto esp reqid 2 mode tunnel
--------------------------------------------------
Final ipsec.conf file:
-----------------------------------------
config setup
    charonstart=yes
    plutostart=no
    uniqueids=no
    charondebug="knl 0,enc 0,net 0"

conn %default
    auto=route
    keyexchange=ikev2
    reauth=no

conn A
    rekeymargin=6
    rekeyfuzz=100%
    left=10.22.117.250
    right=10.22.115.70
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    leftprotoport=1
    rightprotoport=1
    authby=secret
    leftid=10.22.117.250
    rightid=%any
    ike=3des-md5-modp768!
    esp=3des-md5!
    type=tunnel
    ikelifetime=120s
    keylife=60s
    mobike=no
    auto=route
    reauth=no

conn B
    rekeymargin=6
    rekeyfuzz=100%
    left=10.22.117.250
    right=10.104.39.40
    leftsubnet=10.22.117.0/24
    rightsubnet=10.104.39.0/24
    leftprotoport=1
    rightprotoport=1
    authby=secret
    leftid=10.22.117.250
    rightid=%any
    ike=3des-md5-modp768!
    esp=3des-md5!
    type=tunnel
    ikelifetime=120s
    keylife=60s
    mobike=no
    auto=route
    reauth=no
----------------------------------
Apart from changing tunnel A to use specific subnets, is there any
other solution to this problem?
Could you please explain what the intention is behind assigning higher
priority to policies which have a child SA established?
- Divya
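An added check for the situation described in the post (not part of the original message or of strongSwan): it parses `ip xfrm policy` output and reports any more-specific policy that is shadowed by a broader policy in the same direction with a numerically lower (i.e. preferred) XFRM priority. The sample output below is constructed from the two fwd policies shown after the SIGHUP.

```python
import ipaddress
import re

# Constructed from the `ip xfrm policy` output in the post: the two fwd policies
# after tunnel A's CHILD_SA came up (priority dropped to 1998) and tunnel B was added.
XFRM_AFTER_SIGHUP = """\
src 0.0.0.0/0 dst 0.0.0.0/0 proto icmp
    dir fwd priority 1998
    tmpl src 10.22.115.70 dst 10.22.117.250
        proto esp reqid 1 mode tunnel
src 10.104.39.0/24 dst 10.22.117.0/24 proto icmp
    dir fwd priority 2758
    tmpl src 10.104.39.40 dst 10.22.117.250
        proto esp reqid 2 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, proto, dir, priority, reqid."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)(?: proto (\S+))?", line)
        if m:  # selector line; "tmpl src ..." lines do not match because of the anchor
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)), "proto": m.group(3)}
            policies.append(cur)
            continue
        m = re.match(r"dir (\S+) priority (\d+)", line)
        if m and cur is not None:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        m = re.search(r"reqid (\d+)", line)
        if m and cur is not None:
            cur["reqid"] = int(m.group(1))
    return policies

def shadowed_policies(policies):
    """Return (specific_reqid, broad_reqid) pairs where a broader policy in the same
    direction has a numerically lower XFRM priority (which the kernel prefers) than a
    more specific policy it fully covers, so the specific policy is never selected."""
    hits = []
    for spec in policies:
        for broad in policies:
            if spec is broad or spec["dir"] != broad["dir"]:
                continue
            if broad["proto"] not in (None, spec["proto"]):
                continue
            covers = spec["src"].subnet_of(broad["src"]) and spec["dst"].subnet_of(broad["dst"])
            more_specific = (spec["src"].prefixlen + spec["dst"].prefixlen
                             > broad["src"].prefixlen + broad["dst"].prefixlen)
            if covers and more_specific and broad["priority"] < spec["priority"]:
                hits.append((spec["reqid"], broad["reqid"]))
    return hits

if __name__ == "__main__":
    for spec, broad in shadowed_policies(parse_xfrm_policies(XFRM_AFTER_SIGHUP)):
        print(f"policy reqid {spec} is shadowed by broader policy reqid {broad}")
```

Run it against live output with `ip xfrm policy | python3 check.py` style piping after replacing the constructed sample with `sys.stdin.read()`; an empty result means every specific policy still wins over the blanket one.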