[strongSwan] Responder only behavior

Emeric POUPON emeric.poupon at stormshield.eu
Tue Mar 31 15:43:18 CEST 2015


Hello,

Actually, "auto=add" and "rekey=yes" are not completely satisfactory.
Indeed the SPs for that connection are not generated and this can lead to sensible packet leaks on the public network.
Actually a safer approach would be to ignore the ACQUIRE message from the kernel.

What do you think?

Emeric


----- Original Message -----
From: "Noel Kuntze" <noel at familie-kuntze.de>
To: users at lists.strongswan.org
Sent: Wednesday, 3 December 2014 21:23:04
Subject: Re: [strongSwan] Responder only behavior



Hello Emeric,

Use auto=add and rekey=yes.
Responder only means that another peer will initiate the connection. That is exactly what will happen.

With kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.11.2014 at 15:33, Emeric POUPON wrote:
> Hello,
>
> I want to make my gateway "responder only": I do not want it to initiate negotiations nor renegotiations.
>
> I set in ipsec.conf:
>
> conn test
> ...
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>     keyexchange=ikev2
>     auto=add
>     lifetime=3600
>     ikelifetime=1200
>     rekeymargin=60
>     dpdaction=clear
>     dpddelay=30
>
> If I kill the remote gw, the DPD does the job and clears the generated SA and SP. Good!
> If I disable the DPD (dpddelay=0) and I kill the remote gw, the SA is being renegotiated (rekeying process) at the end of the lifetime.
> Since I only want to act as a responder, this is not OK.
>
> Then I saw rekey in the doc:
>
> "  rekey = yes | no
>
> whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but
> while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding
> to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.
> Also see reauth."
>
> This seems to be what I want. But if I set that option to "no", I have SAs and SPs that live in the kernel forever (both hard and soft lifetime set to 0).
> Furthermore the IKE SA seems to live forever too:
> Security Associations (1 up, 0 connecting):
> site_to_site_001[1]: ESTABLISHED 35 minutes ago, XXX[XXX]...YYY[YYY]
> site_to_site_001[1]: IKEv2 SPIs: c7dcc38e3acfcd5f_i 53d3c2f9cea553ec_r*, rekeying disabled
> site_to_site_001[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> site_to_site_001{1}:  INSTALLED, TUNNEL, ESP SPIs: c6e6d402_i c5f08b9e_o
> site_to_site_001{1}:  AES_CBC_128/HMAC_SHA1_96, 588 bytes_i (7 pkts, 1965s ago), 1064 bytes_o (7 pkts, 1965s ago), rekeying disabled
> site_to_site_001{1}:   192.168.229.0/24 === 192.168.231.0/24
> (ikelifetime was set to 1200s = 20 minutes)
>
> I guess I am missing something?
>
> Best Regards,
> Emeric
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


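As an added example (not from this thread or from the strongSwan project), a small Python check that reads `ipsec statusall` output like the lines Emeric quoted and reports IKE SAs that have rekeying disabled yet are already older than the configured ikelifetime, which is the "lives forever" symptom he describes with rekey=no. The status text below is constructed from the quoted lines (placeholder peers and SPIs as in the mail); the function names are my own.

```python
import re

# Constructed sample, modelled on the `ipsec statusall` lines quoted in the thread.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
site_to_site_001[1]: ESTABLISHED 35 minutes ago, XXX[XXX]...YYY[YYY]
site_to_site_001[1]: IKEv2 SPIs: c7dcc38e3acfcd5f_i 53d3c2f9cea553ec_r*, rekeying disabled
site_to_site_001[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
site_to_site_001{1}:  INSTALLED, TUNNEL, ESP SPIs: c6e6d402_i c5f08b9e_o
site_to_site_001{1}:  AES_CBC_128/HMAC_SHA1_96, 588 bytes_i (7 pkts, 1965s ago), 1064 bytes_o (7 pkts, 1965s ago), rekeying disabled
site_to_site_001{1}:   192.168.229.0/24 === 192.168.231.0/24
"""

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def _parse_age(text):
    """Turn 'ESTABLISHED 35 minutes ago' into an age in seconds (None if absent)."""
    m = re.search(r"ESTABLISHED (\d+) (second|minute|hour|day)s? ago", text)
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None


def find_overdue_sas(status_text, ikelifetime):
    """Return IKE SAs (as 'name[id]') whose rekeying is disabled and whose age
    exceeds ikelifetime (seconds). CHILD_SA lines use {n} and carry no age,
    so only IKE_SA lines ([n]) are inspected."""
    ages = {}
    rekey_off = set()
    for line in status_text.splitlines():
        m = re.match(r"(\S+\[\d+\]):\s+(.*)", line)
        if not m:
            continue
        name, rest = m.groups()
        age = _parse_age(rest)
        if age is not None:
            ages[name] = age
        if "rekeying disabled" in rest:
            rekey_off.add(name)
    return sorted(n for n in rekey_off if ages.get(n, 0) > ikelifetime)


if __name__ == "__main__":
    # ikelifetime=1200 as in the quoted ipsec.conf: the 35-minute-old SA is overdue.
    for sa in find_overdue_sas(SAMPLE_STATUS, 1200):
        print(f"IKE_SA {sa} has outlived ikelifetime with rekeying disabled")
```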