[strongSwan] Exclude protocol from IPsec

agarwalpiyush at gmail.com agarwalpiyush at gmail.com
Tue May 23 20:29:03 CEST 2017


Hi Noel,
Many thanks for the pointer. Looks like I am missing something more or 
perhaps making a mistake. 

Client [1.100.0.9] -- Server [1.100.0.5] 

Goal: All non-ICMP traffic to be over IPsec tunnel between these two 
machines.

Strongswan 5.1.2

The client and server are using self-signed certificates and have each 
other's certs in /etc/ipsec.d/certs/

*Client ipsec.conf:*

config setup
    charondebug = "dmn 0, mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, lib 0, enc 0, tnc 0"
    uniqueids=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=rsasig

conn skip
    type=passthrough
    left=1.100.0.9
    leftsubnet=0.0.0.0/0[icmp/]
    leftcert=client_cert.pem
    leftsendcert=always
    rightcert=server_cert.pem
    right=1.100.0.5
    rightsubnet=0.0.0.0/0[icmp/]
    auto=route

conn 1.100.0.5
    type=transport
    left=1.100.0.9
    leftcert=client_cert.pem
    leftsendcert=always
    rightcert=server_cert.pem
    right=1.100.0.5
    reauth=no
    auto=start

*Server ipsec.conf:*

config setup
    charondebug = "dmn 0, mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, lib 0, enc 0, tnc 0"
    uniqueids=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=rsasig

conn skip
    type=passthrough
    left=1.100.0.5
    leftsubnet=0.0.0.0/0[icmp/]
    leftcert=server_cert.pem
    leftsendcert=always
    rightcert=client_cert.pem
    right=1.100.0.9
    rightsubnet=0.0.0.0/0[icmp/]
    auto=route

conn 1.100.0.9
    type=transport
    left=1.100.0.5
    leftcert=server_cert.pem
    leftsendcert=always
    rightcert=client_cert.pem
    right=1.100.0.9
    reauth=no
    auto=add

=============
Output of setkey -DP on client:
root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v# ./sbin/nfv_cli dm_carl0 setkey -DP
1.100.0.5 1.100.0.9 icmp
        fwd prio high + 1073740030 ipsec
        esp/tunnel/1.100.0.5-1.100.0.9/unique:1
        created: May 23 11:21:42 2017  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=1834 seq=1 pid=103981
        refcnt=1
1.100.0.5 1.100.0.9 icmp
        in prio high + 1073740030 ipsec
        esp/tunnel/1.100.0.5-1.100.0.9/unique:1
        created: May 23 11:21:42 2017  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=1824 seq=2 pid=103981
        refcnt=1
1.100.0.9 1.100.0.5 icmp
        out prio high + 1073740030 ipsec
        esp/tunnel/1.100.0.9-1.100.0.5/unique:1
        created: May 23 11:21:42 2017  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=1817 seq=3 pid=103981
        refcnt=1
0.0.0.0/0 0.0.0.0/0 icmp
        fwd prio high + 1073739774 none
        created: May 23 11:21:31 2017  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=1698 seq=4 pid=103981
        refcnt=1
0.0.0.0/0 0.0.0.0/0 icmp
        in prio high + 1073739774 none
        created: May 23 11:21:31 2017  lastused: May 23 11:21:35 2017
        lifetime: 0(s) validtime: 0(s)
        spid=1688 seq=5 pid=103981
        refcnt=2
0.0.0.0/0 0.0.0.0/0 icmp
        out prio high + 1073739774 none
        created: May 23 11:21:31 2017  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=1681 seq=6 pid=103981
        refcnt=1


Questions:
1) I'd like a transport type IPsec session for all non-ICMP traffic between 
client and server. As soon as I specify "passthrough" policy, my IPsec 
session changes to type "tunnel" from output of ipsec status. Clearly I am 
not specifying passthrough policy correctly.

2) Do I need to specify left/right for my "skip" passthrough conn? If I do 
NOT specify left and right for skip connection, I see the IPsec type 
remains transport (which is good and what I want), I do see shunted 
policies in "ipsec status" but I still see ping packets are encrypted.

Thank you for any help!
Piyush

On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>
> Add a passthrough policy for the protocol.
>
> On 22 May 2017 19:09:03 CEST, Piyush Agarwal <agarwa... at gmail.com> wrote:
>>
>> Hi,
>> Reading through the left|rightsubnet, it seems like there is no way to 
>> *exclude* a protocol from getting encrypted? 
>>
>> I have a host to host tunnel and I want to encrypt everything between 
>> these except ICMP since I'd like to do out-of-tunnel ping/traceroute.
>>
>> Prior to using strongswan, I was using racoon where I could use setkey to 
>> manually update the SPD to exclude icmp alone.
>>
>> Please advise if there is any way to achieve this with strongswan.
>>
>> Thanks.
>>
>> -- 
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
>
> -- 
> Sent from mobile
>
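The `setkey -DP` dump above can be checked mechanically rather than by eye. The script below is an added example (not from this thread or from strongSwan): it parses a constructed excerpt of that dump and reports, per direction, whether the policy the kernel would pick for ICMP is a `none` shunt. It assumes the compared entries all carry the same `prio high +` label, as in the quoted output, and that a smaller offset is a smaller XFRM priority value, which the kernel prefers.

```python
import re

# Constructed sample: two outbound ICMP entries from the `setkey -DP` output
# quoted in this thread (the IPsec policy and the passthrough shunt).
SAMPLE_SPD = """\
1.100.0.9 1.100.0.5 icmp
        out prio high + 1073740030 ipsec
        esp/tunnel/1.100.0.9-1.100.0.5/unique:1
        spid=1817 seq=3 pid=103981
0.0.0.0/0 0.0.0.0/0 icmp
        out prio high + 1073739774 none
        spid=1681 seq=6 pid=103981
"""

SELECTOR = re.compile(r"^(\S+) (\S+) (\S+)$")                       # src dst proto
POLICY = re.compile(r"^\s+(in|out|fwd) prio (\w+) \+ (\d+) (\w+)")  # dir base offset action
SA_LINE = re.compile(r"^\s+(esp|ah)/(tunnel|transport)/")           # mode of an ipsec policy

def parse_spd(text):
    """Parse `setkey -DP` output into dicts: src, dst, proto, dir, base, offset, action, mode."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := SELECTOR.match(line):
            cur = {"src": m[1], "dst": m[2], "proto": m[3], "mode": None}
            policies.append(cur)
        elif cur and (m := POLICY.match(line)):
            cur.update(dir=m[1], base=m[2], offset=int(m[3]), action=m[4])
        elif cur and (m := SA_LINE.match(line)):
            cur["mode"] = m[2]
    return policies

def effective_policy(policies, proto, direction):
    """Policy the kernel applies to a host-to-host packet of `proto` in `direction`.
    Assumption: candidates share one `prio <base> +` label (true of the quoted output);
    a smaller offset then means a smaller XFRM priority value, which the kernel prefers."""
    cands = [p for p in policies if p["proto"] == proto and p.get("dir") == direction]
    if len({p["base"] for p in cands}) > 1:
        raise ValueError("mixed priority bases; offsets are not directly comparable")
    return min(cands, key=lambda p: p["offset"]) if cands else None

def excluded_from_ipsec(policies, proto):
    """Per direction: True when the winning policy for `proto` is a 'none' shunt."""
    report = {}
    for d in ("in", "out", "fwd"):
        win = effective_policy(policies, proto, d)
        if win is not None:
            report[d] = win["action"] == "none"
    return report
```

Running it on the full client dump (all three directions) tells you whether ICMP is actually shunted before you reach for tcpdump.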