[strongSwan] Automatic Tunnel Opening and Routing

Jacques Monin jacques.monin01 at gmail.com
Thu Apr 30 17:33:16 CEST 2015


Thanks for your answers.
It's very helpful.

Is there any way for strongswan to create virtual IP addresses which are not
in the mode config subnet?

Cheers

2015-04-30 0:17 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:

>
> Hello Jacques.
>
> First:
> The description of the "leftsourceip" option is the following:
>        leftsourceip = %config4 | %config6 | <ip address>
>               Comma separated list of internal source IPs to use in a tunnel,
>               also known as virtual IP. If the value is one of the synonyms
>               %config, %cfg, %modeconfig, or %modecfg, an address (from the
>               tunnel address family) is requested from the peer. With %config4
>               and %config6 an address of the given address family will be
>               requested explicitly. If an IP address is configured, it will
>               be requested from the responder, which is free to respond with a
>               different address.
>
> So as you can see, strongSwan always requests an IP address from the other side.
> If you want to use a static IP, add that IP to an interface and configure
> leftsubnet correctly.
> You cannot use leftsourceip then, as the responder will give you another IP.
>
> Second:
>
> How do you want to correctly close the tunnel (which requires interaction
> with the remote side) if there is no working communication path? You need to
> use dpd on both sides to handle that gracefully.
> auto=route should work in any case where the remote subnet and endpoint
> are defined.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 29.04.2015 at 10:54, Jacques Monin wrote:
> > Thank you for your answers, I'll try to be more explicit about my needs.
> >
> > I need to do two configurations:
> >
> > VPN Client: 172.16.0.3 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - 172.16.1.0/24
> >
> > Mode Config : 172.16.0.32-64 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - 172.16.1.0/24
> >
> > Here is my ipsec.conf:
> >
> > config setup
> >
> > conn %default
> >         dpddelay=30
> >         keyingtries=5
> >         rekeymargin=120
> >         dpdtimeout=15
> >         keyexchange=ikev1
> >         keylife=1h
> >         ikelifetime=6h
> >         authby=rsasig
> >
> > conn normal
> >         right=2.2.2.2
> >         rightsubnet=172.16.1.0/24
> >         rightid=%any
> >
> >         left=%defaultroute
> >         leftsubnet=172.16.0.3/32
> >         leftsourceip=172.16.0.3
> >         leftcert=cert.pem
> >         leftca=cacert.pem
> >         leftsendcert=always
> >
> >         auto=route
> >         type=tunnel
> >         ike=aes256-sha2_256-modp1536
> >         esp=aes256-sha2_256-modp1024
> >
> > conn cfgconf
> >         right=2.2.2.2
> >         rightsubnet=172.16.1.0/24
> >         rightid=%any
> >
> >         left=%defaultroute
> >         leftsourceip=%modeconfig
> >         leftcert=cert.pem
> >         leftca=cacert.pem
> >         leftrsasigkey=%cert
> >         leftsendcert=always
> >
> >         auto=route
> >         type=tunnel
> >         ike=aes256-sha2_256-modp1536
> >         esp=aes256-sha2_256-modp1024
> >
> >
> > strongswan.conf:
> >
> > charon {
> >         load_modular          = yes
> >         install_virtual_ip      = yes
> >         install_routes          = yes
> >         plugins {
> >                 include strongswan.d/charon/*.conf
> >         }
> > }
> >
> > include strongswan.d/*.conf
> >
> > I have problems with these two configurations:
> >
> > For the first:
> > - Strongswan doesn't create a virtual IP address 172.16.0.3 but a virtual
> > IP address in the config mode subnet, even if I remove the cfgconf from
> > ipsec.conf. So when I do "ip a show eth1" I get 172.16.0.33 instead of
> > 172.16.0.3 (but when I check my configuration with ipsec statusall it gives
> > me: normal{1}:   172.16.0.3/32 === 172.16.1.0/24). So, is strongswan
> > supposed to make virtual IP addresses for non config connections?
> >
> > For the second:
> > - All works fine if I don't want to use traffic detection mode. Indeed,
> > if I want my tunnel to be opened with traffic detection, I need to specify
> > auto=route, but my tunnel is in config mode so the routing doesn't seem to
> > work (however, when I open my tunnel with auto=start, all works fine). So,
> > is there any way to get through this problem? Is it possible to use
> > traffic detection without initial routing?
> >
> > For both:
> > - I'm using virtual IP addresses because I do roadwarrior configurations,
> > so when I unplug a network wire, these virtual IP addresses are erased, so
> > I'd need either virtual addresses which are not erased when the wire is
> > unplugged, or tunnels to be closed when the wire is unplugged (in order to
> > have the virtual IP address recreated after the wire is replugged).
> >
> > Thanks for helping
> >
> > 2015-04-29 7:55 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >
> >
> > Hello Jacques,
> >
> > Do you have logs? I would like to see what strongSwan does, and your
> > operating system in particular, as you do not use DPD, so a connection
> > failure should not be detected and the policies and the tunnel state should
> > remain up, although no communication is possible. Whether this is wanted is
> > yours to decide.
> >
> > Also, if your ultimate goal is to avoid leaking traffic, look at the
> "policy" match in iptables
> > and make creative use of it in *filter FORWARD.
> >
> > Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 28.04.2015 at 11:19, Jacques Monin wrote:
> > > Hello,
> >
> > > I'm trying to configure strongswan in order to have automatic tunnel
> > > opening and routing.
> >
> > > The tunnel opens well on traffic detection, the routes are created and
> > > all works well. But if a network wire is unplugged, the routing is erased
> > > and I have to restart strongswan.
> > > Is there any way to avoid this?
> >
> > > Is it possible to have the routing and the virtual address added while
> > > the tunnel is being opened?
> > > By using leftupdown="ipsec _updown"
> >
> > > It seems that the only option to have automatic tunnel opening is to
> > > specify auto=route in ipsec.conf (I was hoping auto=add had the same
> > > behaviour).
> > > So is there any way to have automatic tunnel opening without initial
> > > routing?
> >
> > > Here is my configuration:
> >
> > > config setup
> >
> > > conn %default
> > >         dpddelay=30
> > >         keyingtries=5
> > >         rekeymargin=120
> > >         dpdtimeout=120
> > >         keyexchange=ikev1
> > >         keylife=1h
> > >         ikelifetime=6h
> > >         authby=rsasig
> >
> > > conn Visio
> > >         right=A.A.A.A
> > >         rightsubnet=172.16.1.0/24
> > >         rightid=%any
> >
> > >         left=%defaultroute
> > >         leftsubnet=172.16.0.3/32
> > >         leftsourceip=172.16.0.3
> > >         leftcert=cert.pem
> > >         leftca=cacert.pem
> > >         leftsendcert=always
> >
> > >         auto=route
> > >         type=tunnel
> > >         ike=aes256-sha2_256-modp1536
> > >         esp=aes256-sha2_256-modp1024
> >
> > > Thanks for your help
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
>
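An added example, not part of this thread or of strongSwan itself: a small linter for the legacy ipsec.conf format that flags the two points raised above, a literal leftsourceip that the responder is free to override, and dpddelay/dpdtimeout set without a dpdaction (which defaults to none, so the peer is never declared dead). The option names are strongSwan's own; the sample configuration is constructed from the one posted in the thread.

```python
# Added example (not from the thread): lint a legacy ipsec.conf for the two
# pitfalls discussed above. SAMPLE_CONF is constructed from the posted config.
import re

SAMPLE_CONF = """
config setup
conn %default
        dpddelay=30
        dpdtimeout=15
conn normal
        left=%defaultroute
        leftsubnet=172.16.0.3/32
        leftsourceip=172.16.0.3
        auto=route
conn cfgconf
        left=%defaultroute
        leftsourceip=%modeconfig
        auto=route
"""


def parse_ipsec_conf(text):
    """Return {conn: {option: value}}; options from 'conn %default' are inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
        elif current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def lint(conns):
    """Flag options that will not behave the way the poster expected."""
    findings = []
    for name, o in conns.items():
        src = o.get("leftsourceip", "")
        # A literal address is only a request; the responder may assign another
        # (the poster saw 172.16.0.33 installed instead of 172.16.0.3).
        if src and not src.startswith("%"):
            findings.append(f"{name}: leftsourceip={src} is a request the responder may override")
        # dpddelay/dpdtimeout alone do nothing: dpdaction defaults to none.
        if ("dpddelay" in o or "dpdtimeout" in o) and o.get("dpdaction", "none") == "none":
            findings.append(f"{name}: DPD timers set but dpdaction=none, dead peers go undetected")
    return findings
```

Running `lint(parse_ipsec_conf(SAMPLE_CONF))` reports the overridable leftsourceip on conn normal and the inactive DPD on both conns.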