[strongSwan] Reg : Protocal specific encryption in Strongswan 5.3

Sindhu S. (sins) sins at cisco.com
Thu Oct 8 07:54:27 CEST 2015


Hi Noel,



The code below encrypts all the packets on the eth1 interface.



Code:

        leftsubnet=%dynamic[]
        rightsubnet=%dynamic[]
        type=transport



Listening IP addresses:
  10.64.69.118
  2001:db8:0:f101::2
  fd08:2eef:c2ee:0:aabb:cc00:c900:11
  fd08:2eef:c2ee:0:aabb:cc00:c900:31
  fd08:2fff:c2ee:0:aabb:cc00:c900:2
Connections:
snbi_new_ipv6:  fe80::20c:29ff:fea8:e174%eth1...fe80::20c:29ff:feb2:ae2f%eth1  IKEv2
snbi_new_ipv6:   local:  [fe80::20c:29ff:fea8:e174] uses pre-shared key authentication
snbi_new_ipv6:   remote: [fe80::20c:29ff:feb2:ae2f] uses pre-shared key authentication
snbi_new_ipv6:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
snbi_new_ipv6[1]: ESTABLISHED 38 seconds ago, fe80::20c:29ff:fea8:e174[fe80::20c:29ff:fea8:e174]...fe80::20c:29ff:feb2:ae2f[fe80::20c:29ff:feb2:ae2f]
snbi_new_ipv6[1]: IKEv2 SPIs: 608f1bced89f05fa_i 705b6afabeeaafd6_r*, pre-shared key reauthentication in 23 hours
snbi_new_ipv6[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_512/MODP_1024
snbi_new_ipv6{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c9966614_i cffeac08_o
snbi_new_ipv6{1}:  AES_CBC_128, 436 bytes_i (7 pkts, 3s ago), 436 bytes_o (7 pkts, 3s ago), rekeying in 55 minutes
snbi_new_ipv6{1}:   fe80::20c:29ff:fea8:e174/128 === fe80::20c:29ff:feb2:ae2f/128





I want only GRE packets on eth1 to get encrypted, so I added



Code:

        leftsubnet=%dynamic[gre]
        rightsubnet=%dynamic[gre]
        type=transport



But now, packets are not getting encrypted and ping is also not working.



Listening IP addresses:
  10.64.69.118
  2001:db8:0:f101::2
  fd08:2eef:c2ee:0:aabb:cc00:c900:11
  fd08:2eef:c2ee:0:aabb:cc00:c900:31
  fd08:2fff:c2ee:0:aabb:cc00:c900:2
Connections:
snbi_new_ipv6:  fe80::20c:29ff:fea8:e174%eth1...fe80::20c:29ff:feb2:ae2f%eth1  IKEv2
snbi_new_ipv6:   local:  [fe80::20c:29ff:fea8:e174] uses pre-shared key authentication
snbi_new_ipv6:   remote: [fe80::20c:29ff:feb2:ae2f] uses pre-shared key authentication
snbi_new_ipv6:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (1 up, 0 connecting):
snbi_new_ipv6[1]: ESTABLISHED 56 seconds ago, fe80::20c:29ff:fea8:e174[fe80::20c:29ff:fea8:e174]...fe80::20c:29ff:feb2:ae2f[fe80::20c:29ff:feb2:ae2f]
snbi_new_ipv6[1]: IKEv2 SPIs: 4aabd666d01b2aae_i 76b8b8d4769906e9_r*, pre-shared key reauthentication in 23 hours
snbi_new_ipv6[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_512/MODP_1024
snbi_new_ipv6{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c7f2305d_i cb2e9d34_o
snbi_new_ipv6{1}:  AES_CBC_128, 0 bytes_i, 0 bytes_o, rekeying in 53 minutes
snbi_new_ipv6{1}:   fe80::20c:29ff:fea8:e174/128[gre] === fe80::20c:29ff:feb2:ae2f/128[gre]



Thanks,

Sindhu



-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de]
Sent: Wednesday, October 07, 2015 4:37 PM
To: Sindhu S. (sins); users at lists.strongswan.org
Subject: Re: [strongSwan] Reg : Protocal specific encryption in Strongswan 5.3








Hello Sindhu,



A good first step is to change your ESP settings to the default value



        esp=aes,sha!



> snbi_new_ipv6{1}:   fe80::20c:29ff:fea8:e174/128[gre] === fe80::20c:29ff:feb2:ae2f/128[gre]

The tunnel is up.



That's probably no longer a configuration issue.



- --



Mit freundlichen Grüßen/Kind Regards,

Noel Kuntze



GPG Key ID: 0x63EC6658

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




