[strongSwan] Automatic Tunnel Opening and Routing

Noel Kuntze noel at familie-kuntze.de
Thu Apr 30 00:17:17 CEST 2015


Hello Jacques.

First:
The description of the "leftsourceip" option is the following:
       leftsourceip = %config4 | %config6 | <ip address>
              Comma separated list of internal source IPs to use in a  tunnel,
              also  known  as  virtual IP. If the value is one of the synonyms
              %config, %cfg, %modeconfig, or %modecfg, an  address  (from  the
              tunnel address family) is requested from the peer. With %config4
              and %config6 an address of the  given  address  family  will  be
              requested  explicitly.   If an IP address is configured, it will
              be requested from the responder, which is free to respond with a
              different address.

So as you can see, strongSwan always requests an IP address from the other side.
If you want to use a static IP, add that IP to an interface and configure leftsubnet correctly.
You cannot use leftsourceip then, as the responder will give you another IP.

Second:

How do you want to correctly close the tunnel (which requires interaction with the remote side), if
there is no working communication path? You need to use dpd on both sides to handle that gracefully.
auto=route should work in any case where the remote subnet and endpoint are defined.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 29.04.2015 um 10:54 schrieb Jacques Monin:
> Thank you for your answers, I'll try to be more explicit about my needs.
>
> I need to do two configurations :
>
> VPN Client: 172.16.0.3 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - 172.16.1.0/24
>
> Mode Config: 172.16.0.32-64 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - 172.16.1.0/24
>
> Here my ipsec.conf :
>
> config setup
>
> conn %default
>         dpddelay=30
>         keyingtries=5
>         rekeymargin=120
>         dpdtimeout=15
>         keyexchange=ikev1
>         keylife=1h
>         ikelifetime=6h
>         authby=rsasig
>
> conn normal
>         right=2.2.2.2
>         rightsubnet=172.16.1.0/24
>         rightid=%any
>
>         left=%defaultroute
>         leftsubnet=172.16.0.3/32
>         leftsourceip=172.16.0.3
>         leftcert=cert.pem
>         leftca=cacert.pem
>         leftsendcert=always
>
>         auto=route
>         type=tunnel
>         ike=aes256-sha2_256-modp1536
>         esp=aes256-sha2_256-modp1024
>
> conn cfgconf
>         right=2.2.2.2
>         rightsubnet=172.16.1.0/24
>         rightid=%any
>
>         left=%defaultroute
>         leftsourceip=%modeconfig
>         leftcert=cert.pem
>         leftca=cacert.pem
>         leftrsasigkey=%cert
>         leftsendcert=always
>
>         auto=route
>         type=tunnel
>         ike=aes256-sha2_256-modp1536
>         esp=aes256-sha2_256-modp1024
>
>
> strongswan.conf :
>
> charon {
>         load_modular          = yes
>         install_virtual_ip      = yes
>         install_routes          = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
>
> include strongswan.d/*.conf
>
> I have problems with these two configurations:
>
> For the first:
> -strongSwan doesn't create a virtual IP address 172.16.0.3 but a virtual IP address in the config mode subnet, even if I remove cfgconf from ipsec.conf. So when I do "ip a show eth1" I get 172.16.0.33 instead of 172.16.0.3 (but when I check my configuration with ipsec statusall it gives me: normal{1}:   172.16.0.3/32 === 172.16.1.0/24). So, is strongSwan supposed to make a virtual IP address for a non-config connection?
>
> For the second:
> -All works fine if I don't want to use traffic detection mode. Indeed, if I want my tunnel to be opened with traffic detection, I need to specify auto=route, but my tunnel is in config mode so the routing doesn't seem to work (however, when I open my tunnel with auto=start, all works fine). So, is there any way to get past this problem? Is it possible to use traffic detection without initial routing?
>
> For both:
> -I'm using virtual IP addresses because I do roadwarrior configurations, so when I unplug a network wire, these virtual IP addresses are erased, so I'd need either virtual addresses which are not erased when the wire is unplugged or tunnels to be closed when the wire is unplugged (in order to have the virtual IP address recreated after the wire is replugged).
>
> Thanks for helping
>
> 2015-04-29 7:55 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
>
> Hello Jacques,
>
> Do you have logs? I would like to see what strongSwan does and your operating system in particular,
> as you do not use DPD, so a connection failure should not be detected and the policies and the tunnel state should remain up,
> although no communication is possible. Whether this is wanted is yours to decide.
>
> Also, if your ultimate goal is to avoid leaking traffic, look at the "policy" match in iptables
> and make creative use of it in *filter FORWARD.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 28.04.2015 um 11:19 schrieb Jacques Monin:
> > Hello,
>
> > I'm trying to configure strongSwan in order to have automatic tunnel opening and routing.
>
> > The tunnel opens well on traffic detection, the routes are created and all works well. But if a network wire is unplugged, the routing is erased and I have to restart strongSwan.
> > Is there any way to avoid this?
>
> > Is it possible to have the routing and the virtual address adding done during the opening of the tunnel?
> > By using leftupdown="ipsec _updown"
>
> > It seems that the only option to have automatic tunnel opening is to specify auto=route in ipsec.conf (I was hoping auto=add had the same behaviour).
> > So is there any way to have automatic tunnel opening without initial routing ?
>
> > Here my configuration :
>
> > config setup
>
> > conn %default
> >         dpddelay=30
> >         keyingtries=5
> >         rekeymargin=120
> >         dpdtimeout=120
> >         keyexchange=ikev1
> >         keylife=1h
> >         ikelifetime=6h
> >         authby=rsasig
>
> > conn Visio
> >         right=A.A.A.A
> >         rightsubnet=172.16.1.0/24
> >         rightid=%any
>
> >         left=%defaultroute
> >         leftsubnet=172.16.0.3/32
> >         leftsourceip=172.16.0.3
> >         leftcert=cert.pem
> >         leftca=cacert.pem
> >         leftsendcert=always
>
> >         auto=route
> >         type=tunnel
> >         ike=aes256-sha2_256-modp1536
> >         esp=aes256-sha2_256-modp1024
>
> > Thanks for your help
>
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>

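The two points made in the reply above (a literal leftsourceip is only a request that the responder may answer with a different address, and dpddelay/dpdtimeout do nothing unless DPD is actually enabled, which in ipsec.conf(5) means a dpdaction of clear, hold or restart, the default being none) can be checked mechanically before a roadwarrior config is rolled out. What follows is an added example, not code from strongSwan or from anyone in this thread: a small Python linter with its own minimal ipsec.conf parser (conn sections and %default inheritance only; also= and include are not handled) and three checks: a literal leftsourceip, dpddelay/dpdtimeout without an active dpdaction, and auto=route without both right and rightsubnet. The sample input is the conn definitions quoted in the thread, trimmed to the options the checks look at; the "fixed" variant applies the reply's advice, where dpdaction=restart is this example's choice and not something the reply prescribes.

```python
import re
from typing import Dict, List

# A literal dotted quad: the "requested from the responder" case of leftsourceip.
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DPD_ACTIVE = {"clear", "hold", "restart"}  # any other dpdaction value disables DPD


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {option: value}} with "conn %default" merged in.

    Minimal parser: section headers start in column 0 ("conn NAME", "config
    setup"), options are indented key=value lines, '#' starts a comment.
    Only conn sections are kept; also= and include are not handled.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:  # option of a section we ignore (config setup)
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def lint_conn(name: str, opts: Dict[str, str]) -> List[str]:
    """Findings for one conn; an empty list means nothing to report."""
    findings: List[str] = []
    # 1. A literal leftsourceip is only requested; the responder may hand out a
    #    different virtual IP (172.16.0.33 instead of 172.16.0.3 in the thread).
    src = opts.get("leftsourceip", "")
    if IPV4_LITERAL.match(src):
        findings.append(f"{name}: leftsourceip={src} is only a request and the responder "
                        "may assign another address; put a fixed address on an interface "
                        "and express it via leftsubnet, without leftsourceip")
    # 2. dpddelay/dpdtimeout alone send nothing: DPD runs only when dpdaction is
    #    clear, hold or restart (the default is none).
    if ("dpddelay" in opts or "dpdtimeout" in opts) and opts.get("dpdaction", "none") not in DPD_ACTIVE:
        findings.append(f"{name}: dpddelay/dpdtimeout set but dpdaction is not "
                        "clear/hold/restart, so no DPD is performed and a dead link is "
                        "never noticed; set dpdaction on both peers")
    # 3. auto=route installs a trap policy from the configured selectors, so the
    #    remote endpoint and remote subnet must both be known.
    if opts.get("auto") == "route" and not (opts.get("right") and opts.get("rightsubnet")):
        findings.append(f"{name}: auto=route needs both right= and rightsubnet= to install a trap policy")
    return findings


def lint_ipsec_conf(text: str) -> List[str]:
    """Parse and lint a whole ipsec.conf; returns all findings in conn order."""
    return [f for name, opts in parse_ipsec_conf(text).items() for f in lint_conn(name, opts)]


# Constructed input: the conn definitions quoted in the thread, trimmed to the
# options the checks look at.
POSTED_CONF = """\
config setup

conn %default
        dpddelay=30
        dpdtimeout=15
        keyexchange=ikev1

conn normal
        right=2.2.2.2
        rightsubnet=172.16.1.0/24
        leftsubnet=172.16.0.3/32
        leftsourceip=172.16.0.3
        auto=route

conn cfgconf
        right=2.2.2.2
        rightsubnet=172.16.1.0/24
        leftsourceip=%modeconfig
        auto=route
"""

# The same conns with the reply's advice applied: the static address is carried
# by leftsubnet only (it must also be configured on an interface) and DPD is
# enabled. dpdaction=restart is this example's choice, not the reply's.
FIXED_CONF = (POSTED_CONF
              .replace("        leftsourceip=172.16.0.3\n", "")
              .replace("        dpdtimeout=15\n", "        dpdtimeout=15\n        dpdaction=restart\n"))

if __name__ == "__main__":
    for finding in lint_ipsec_conf(POSTED_CONF):
        print("WARN", finding)
    print("findings after fix:", lint_ipsec_conf(FIXED_CONF))
```

Run against the posted config it reports three findings (the literal leftsourceip on "normal", and inactive DPD on both conns, since both inherit dpddelay/dpdtimeout from %default without a dpdaction); the fixed variant is clean. The DPD check deliberately treats a missing dpdaction the same as dpdaction=none, because that is the documented default and is exactly why the reply says "you do not use DPD" despite the timers being set.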