[strongSwan] Remove default policy

Naveen Neelakanta naveen.b.neelakanta at gmail.com
Wed Mar 23 20:32:14 CET 2016


Hi Thomas/Users,

Thanks for your reply. I am trying to get the forwarded packets to be IPsec
protected, where lan1 is forwarding packets to the net1 interface; both these
interfaces are on the same Linux VM. What rules should I add to get the
packets forwarded from one interface to the other? I see packets on the lan1
interface, but the same are not forwarded to vnet1. I am expecting the
forwarded packets to be protected when leaving the net1 interface. When the
IPsec policies are not present I see that the packets get forwarded.
Below are the IPsec policies present in my VM.

root at ubuntu:/etc# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan1     Link encap:Ethernet  HWaddr d2:c8:d9:72:30:18
          inet addr:1.1.1.2  Bcast:1.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::d0c8:d9ff:fe72:3018/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7497 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1667 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:667371 (667.3 KB)  TX bytes:159674 (159.6 KB)

net1     Link encap:Ethernet  HWaddr 4a:05:8e:91:83:ad
          inet addr:10.8.13.2  Bcast:10.8.13.255  Mask:255.255.255.0
          inet6 addr: fe80::4805:8eff:fe91:83ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4599 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:254035 (254.0 KB)  TX bytes:560363 (560.3 KB)

root at ubuntu:/home/naveen/working/strongswan-5.3.5# ip xfrm p
src 1.1.1.1/32 dst 8.8.8.8/32
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3075
tmpl src 199.168.148.132 dst 10.8.13.2
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 3075
tmpl src 199.168.148.132 dst 10.8.13.2
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3075
tmpl src 10.8.13.2 dst 199.168.148.132
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0

root at ubuntu:/etc# ip xfrm s
src 10.8.13.2 dst 199.168.148.132
proto esp spi 0x00f81546 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0x0f2339e9967a471fdf21022e3fb56e6b 96
enc ecb(cipher_null)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 199.168.148.132 dst 10.8.13.2
proto esp spi 0xc59caeda reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0x29b22fbf6924301429552dc996118e72 96
enc ecb(cipher_null)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

iptables -t nat -A POSTROUTING -o vnet1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
tcpdump -i lan1 -nl
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:16:14.863442 IP 1.1.1.1 > 8.8.8.8: ICMP echo request, id 31387, seq 246,
length 64
12:16:15.863621 IP 1.1.1.1 > 8.8.8.8: ICMP echo request, id 31387, seq 247,
length 64


tcpdump -i vnet1 -nl

root at ubuntu:/etc# ip route
default via 10.8.13.1 dev vnet1
1.1.1.0/24 dev vlan1  proto kernel  scope link  src 1.1.1.2
10.8.13.0/24 dev vnet1  proto kernel  scope link  src 10.8.13.2

Let me know for any other information required.

Thanks
Naveen

On Wed, Mar 23, 2016 at 12:23 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:

>
> On March 23, 2016 4:02:48 AM GMT+01:00, Naveen Neelakanta <
> naveen.b.neelakanta at gmail.com> wrote:
> >Hello,
> >
> >Is it possible to configure strongSwan not to add the below default
> >policy rules?
> >I am running strongSwan in a TEST namespace on Linux and I don't see
> >the ARP working from the root namespace to the namespace interface. I
> >would like to know why ARP between the root namespace and the Test
> >namespace is not working if I have the below policy rules. I have used a
> >veth pair to connect the namespace and root.
> >
> >src 0.0.0.0/0 dst 0.0.0.0/0
> >        socket in priority 0
> >src 0.0.0.0/0 dst 0.0.0.0/0
> >        socket out priority 0
> >src 0.0.0.0/0 dst 0.0.0.0/0
> >        socket in priority 0
> >src 0.0.0.0/0 dst 0.0.0.0/0
> >        socket out priority 0
> >src ::/0 dst ::/0
> >        socket in priority 0
> >src ::/0 dst ::/0
> >        socket out priority 0
> >src ::/0 dst ::/0
> >        socket in priority 0
> >src ::/0 dst ::/0
> >        socket out priority 0
> >
> >Thanks,
> >Naveen
> >_______________________________________________
> >Users mailing list
> >Users at lists.strongswan.org
> >https://lists.strongswan.org/mailman/listinfo/users
>
> These socket policies are essential to charon to bypass the xfrm stack of
> the kernel. You cannot remove them.
>
>
> Thomas
> --
> Sent from a mobile device. Please excuse my brevity.
>
>
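An added example, not part of the thread: a small Python parser for the `ip xfrm policy` listing shown above that reports which non-socket policy a given packet hits in a given direction and whether that policy carries a template. It assumes the plain-text layout printed by `ip xfrm p` (selector line, then `dir`/`socket` line, then optional `tmpl` lines) and the kernel rule that the lowest priority value wins; the sample is a trimmed copy of the listing in the post.

```python
import ipaddress

# Constructed sample: a trimmed copy of the 'ip xfrm policy' listing in the post.
SAMPLE = """\
src 1.1.1.1/32 dst 8.8.8.8/32
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3075
tmpl src 199.168.148.132 dst 10.8.13.2
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3075
tmpl src 10.8.13.2 dst 199.168.148.132
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
"""

def parse_policies(text):
    """Turn 'ip xfrm policy' output into a list of policy dicts."""
    policies = []
    for parts in (line.split() for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "src":  # selector line starts a new policy entry
            policies.append({"src": ipaddress.ip_network(parts[1]),
                             "dst": ipaddress.ip_network(parts[3]),
                             "dir": None, "socket": False,
                             "priority": 0, "tmpls": []})
        elif parts[0] in ("dir", "socket"):
            policies[-1]["dir"] = parts[1]
            policies[-1]["socket"] = parts[0] == "socket"
            policies[-1]["priority"] = int(parts[parts.index("priority") + 1])
        elif parts[0] == "tmpl":  # template: traffic must use this SA
            policies[-1]["tmpls"].append({"src": parts[2], "dst": parts[4]})
    return policies

def lookup(policies, direction, src_ip, dst_ip):
    """Winning policy for one packet (lowest priority value); socket policies
    are skipped because they only cover charon's own IKE/NAT-T sockets."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if not p["socket"] and p["dir"] == direction
               and src in p["src"] and dst in p["dst"]]
    return min(matches, key=lambda p: p["priority"], default=None)

def requires_ipsec(policy):
    """True when the matched policy has a template, i.e. the packet is only
    accepted or sent through the tunnel SA; plain traffic hitting it is dropped."""
    return policy is not None and bool(policy["tmpls"])
```

Running `lookup(parse_policies(SAMPLE), "fwd", "1.1.1.1", "8.8.8.8")` lands on the catch-all fwd policy with a tunnel template, which is what a forwarded cleartext packet from lan1 is checked against.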