[strongSwan] Struggling to send custom configuration payload between peers
flyingrhino
flyingrhino at orcon.net.nz
Fri Dec 29 03:30:35 CET 2017
Hello fellow strongswan'ers,
I've got a strongswan deployment where the responder and initiators need to send custom strings to each other - which I will use in the up/down script for triggering various firewall rules and other setup functions at both ends. I also need to send a couple of prefix/CIDR (or subnet/mask) values between the peers for the up/down script to act upon.
I tried doing this using the attr plugin and, per RFC 7296, attribute values over 16K - in my case 20000 & 21000.
I also added the 'dns' attribute as a reference value with the hope that an internally defined parameter will work if my custom parameter fails (I don't need the DNS, but I did it as a test to verify whether anything worked). However, both fail!
Please point me in the right direction - and whether this is the correct way of doing it.
The best solution for me is for the values passed between the peers to show up in the recipient's environment, just like the PLUTO_.* variables.
Please note that I am trying to send variables from the INITIATOR to RESPONDER *and* from the RESPONDER to INITIATOR.
RESPONDER strongswan.conf :
charon {
    load = aes attr curl curve25519 gmp hmac kernel-netlink nonce pubkey openssl pem pkcs1 random revocation socket-default sha1 sha2 stroke updown x509 xcbc
    plugins {
        attr {
            load = yes
            dns = 8.8.8.8
            20000 = "ResponderTest"
        }
    }
}
INITIATOR strongswan.conf :
charon {
    load = aes attr curl curve25519 gmp hmac kernel-netlink nonce pubkey openssl pem pkcs1 random revocation socket-default sha1 sha2 stroke updown x509 xcbc
    keep_alive = 5s
    plugins {
        attr {
            load = yes
            21000 = "InitiatorTest"
        }
    }
}
RESPONDER ipsec.conf :
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftsendcert=always
    reauth=yes
    rekey=yes
    authby=pubkey
    fragmentation=yes
    dpdaction=clear
    dpddelay=10s
    left=x.y.z.w (was real server IP here)
    leftcert=vpnHostCert.pem
    auto=add
conn natt-rw-pki
    leftsubnet=10.10.0.0/16
    right=%any
    rightsourceip=10.4.4.4
    leftupdown=/usr/local/bin/ssrupdown.sh
    compress=no
INITIATOR ipsec.conf :
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftsendcert=always
    reauth=yes
    rekey=yes
    authby=pubkey
    fragmentation=yes
    dpdaction=restart
    dpddelay=10s
    leftcert=MyCert.pem
    right=x.y.z.w (was the real server IP here)
    auto=add
    forceencaps=yes
conn natt-rw-pki
    left=%any
    rightsubnet=10.10.0.0/16
    leftsourceip=%config
    leftupdown=/usr/local/bin/ssiupdown.sh
    compress=yes
RESPONDER relevant syslog lines :
Dec 29 13:11:45 sj-web-whmcs01 charon: 09[IKE] building INTERNAL_IP4_DNS attribute
Dec 29 13:11:45 sj-web-whmcs01 charon: 09[IKE] building (20000) attribute
INITIATOR relevant syslog lines :
Dec 29 15:16:37 asus303 charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Dec 29 15:16:37 asus303 charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
Dec 29 15:16:37 asus303 charon: 10[CFG] handling INTERNAL_IP4_DNS attribute failed
Dec 29 15:16:37 asus303 charon: 10[IKE] processing (20000) attribute
Dec 29 15:16:37 asus303 charon: 10[CFG] handling (20000) attribute failed
Thanks.
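As an added illustration of the up/down side of the question (this is example code written for this page, not the strongSwan project's stock _updown script and not the poster's ssrupdown.sh), the script below shows how a leftupdown hook turns the PLUTO_* variables charon already exports into firewall rules. It assumes the responder's view of the tunnel: PLUTO_VERB is up-client/down-client, PLUTO_MY_CLIENT is the local subnet (10.10.0.0/16 above) and PLUTO_PEER_CLIENT is the address assigned to the road warrior (10.4.4.4/32 above). The STATE_DIR path and the FW variable are assumptions introduced here so the script can be dry-run without root.

```shell
#!/bin/sh
# Example leftupdown hook (added here, not part of the original post).
# Assumed environment, as set by charon's updown plugin:
#   PLUTO_VERB        up-client | down-client (others are ignored here)
#   PLUTO_CONNECTION  conn name, e.g. natt-rw-pki
#   PLUTO_PEER_ID     authenticated peer identity (from its certificate)
#   PLUTO_MY_CLIENT   local traffic selector, e.g. 10.10.0.0/16
#   PLUTO_PEER_CLIENT remote traffic selector, e.g. 10.4.4.4/32

STATE_DIR="${STATE_DIR:-/var/run/ipsec-updown}"   # assumed location
FW="${FW:-iptables}"                                # set FW=echo to dry-run

# Print the iptables argument lists (one per line) that admit traffic
# between the two selectors.  The policy match restricts the rule to
# packets that actually arrived/leave under an IPsec policy, so a host
# forging the 10.4.4.4 source address in cleartext gets nothing.
#   $1 = add|del   $2 = local subnet   $3 = peer subnet
fw_rules() {
    case "$1" in
        add) op="-I" ;;
        del) op="-D" ;;
        *)   echo "fw_rules: bad op '$1'" >&2; return 1 ;;
    esac
    echo "$op FORWARD -s $3 -d $2 -m policy --dir in --pol ipsec -j ACCEPT"
    echo "$op FORWARD -s $2 -d $3 -m policy --dir out --pol ipsec -j ACCEPT"
}

# Map strongSwan's verb onto add/del, apply the rules, and keep a small
# per-peer state file so "down" can be reconciled even if the selectors
# ever differ from what "up" saw.
#   $1 = verb  $2 = conn  $3 = peer id  $4 = local subnet  $5 = peer subnet
apply_verb() {
    verb="$1"; conn="$2"; peer="$3"; my="$4"; remote="$5"
    case "$verb" in
        up-client)   op=add ;;
        down-client) op=del ;;
        *)           return 0 ;;     # up-host/down-host: nothing to forward
    esac
    fw_rules "$op" "$my" "$remote" | while IFS= read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $FW $args || exit 1
    done || return 1
    mkdir -p "$STATE_DIR" || return 1
    f="$STATE_DIR/$conn.$(printf '%s' "$peer" | tr -c 'A-Za-z0-9.@_-' '_')"
    if [ "$op" = add ]; then
        printf 'peer=%s\nmy=%s\nremote=%s\n' "$peer" "$my" "$remote" > "$f"
    else
        rm -f "$f"
    fi
}

# Only dispatch when invoked by charon (PLUTO_VERB set); sourcing the file
# for tests leaves the functions defined without side effects.
if [ -n "$PLUTO_VERB" ]; then
    apply_verb "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_PEER_ID" \
               "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
fi
```

Dry run from a shell: `FW=echo STATE_DIR=/tmp/upd PLUTO_VERB=up-client PLUTO_CONNECTION=natt-rw-pki PLUTO_PEER_ID='C=CH, CN=client' PLUTO_MY_CLIENT=10.10.0.0/16 PLUTO_PEER_CLIENT=10.4.4.4/32 sh ./updown.sh` prints the two rules instead of installing them. Note that PLUTO_PEER_ID is the certificate identity charon authenticated, which makes it a safer key for per-peer actions than any string a peer could place in an unauthenticated-looking attribute payload.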