[strongSwan] Exclude protocol from IPsec
agarwalpiyush at gmail.com
agarwalpiyush at gmail.com
Tue May 23 21:20:04 CEST 2017
Reading another thread, I changed "right" of "skip" connection on both
client and server to be "127.0.0.1" and that fixed up a few things:
1) The IPsec installed is type transport (as desired)
2) I do see shunted policies list ICMP PASS
*However, I still have my pings from client to server encrypted :(*
*Client:*
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
x86_64):
uptime: 10 minutes, since May 23 12:02:46 2017
malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 3
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
socket-default stroke updown eap-identity addrblock
Listening IP addresses:
1.100.0.9
Connections:
skip: %any...127.0.0.1 IKEv2
skip: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com] uses public key authentication
skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com"
skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com] uses public key authentication
skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com"
skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com] uses public key authentication
1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com"
1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com] uses public key authentication
1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
CN=test.com"
1.100.0.5: child: dynamic === dynamic *TRANSPORT*, dpdaction=restart
*Shunted Connections:*
* skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
Security Associations (1 up, 0 connecting):
1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US, ST=CA,
L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
rekeying in 44 minutes
1.100.0.5[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i c3f6a42e_o
1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts, 1s
ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
*Client setkey -DP output:*
1.100.0.5[any] 1.100.0.9[any] 255
in prio high + 1073740029 ipsec
esp/transport//unique:1
created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017
lifetime: 0(s) validtime: 0(s)
spid=2248 seq=1 pid=176401
refcnt=11
1.100.0.9[any] 1.100.0.5[any] 255
out prio high + 1073740029 ipsec
esp/transport//unique:1
created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017
lifetime: 0(s) validtime: 0(s)
spid=2241 seq=2 pid=176401
refcnt=11
0.0.0.0/0 0.0.0.0/0 icmp
fwd prio high + 1073739774 none
created: May 23 12:02:46 2017 lastused:
lifetime: 0(s) validtime: 0(s)
spid=2130 seq=3 pid=176401
refcnt=1
0.0.0.0/0 0.0.0.0/0 icmp
in prio high + 1073739774 none
created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017
lifetime: 0(s) validtime: 0(s)
spid=2120 seq=4 pid=176401
refcnt=1
0.0.0.0/0 0.0.0.0/0 icmp
out prio high + 1073739774 none
created: May 23 12:02:46 2017 lastused:
lifetime: 0(s) validtime: 0(s)
spid=2113 seq=5 pid=176401
refcnt=1
On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com wrote:
>
> Hi Noel,
> Many thanks for the pointer. Looks like I am missing something more or
> perhaps making a mistake.
>
> Client [1.100.0.9] -- Server [1.100.0.5]
>
> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
> machines.
>
> Strongswan 5.1.2
>
> The client and server are using self-signed certificates and have each
> other's certs in /etc/ipsec.d/certs/
>
> *Client ipsec.conf:*
>
> config setup
> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1,
> lib 0, enc 0, tnc 0"
> uniqueids=no
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> authby=rsasig
>
> conn skip
> type=*passthrough*
> left=1.100.0.9
> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
> leftcert=client_cert.pem
> leftsendcert=always
> rightcert=server_cert.pem
> right=1.100.0.5
> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
> auto=route
>
> conn 1.100.0.5
> type=*transport*
> left=1.100.0.9
> leftcert=client_cert.pem
> leftsendcert=always
> rightcert=server_cert.pem
> right=1.100.0.5
> reauth=no
> auto=start
>
> *Server ipsec.conf:*
>
> config setup
> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1,
> lib 0, enc 0, tnc 0"
> uniqueids=no
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> authby=rsasig
>
> conn skip
> type=*passthrough*
> left=1.100.0.5
> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
> leftcert=server_cert.pem
> leftsendcert=always
> rightcert=client_cert.pem
> right=1.100.0.9
> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
> auto=route
>
> conn 1.100.0.9
> type=*transport*
> left=1.100.0.5
> leftcert=server_cert.pem
> leftsendcert=always
> rightcert=client_cert.pem
> right=1.100.0.9
> reauth=no
> auto=add
>
> =============
> Output of setkey -DP on client:
> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
> ./sbin/nfv_cli dm_carl0 setkey -DP
> 1.100.0.5 1.100.0.9 icmp
> fwd prio high + 1073740030 ipsec
> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
> created: May 23 11:21:42 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1834 seq=1 pid=103981
> refcnt=1
> 1.100.0.5 1.100.0.9 icmp
> in prio high + 1073740030 ipsec
> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
> created: May 23 11:21:42 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1824 seq=2 pid=103981
> refcnt=1
> 1.100.0.9 1.100.0.5 icmp
> out prio high + 1073740030 ipsec
> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
> created: May 23 11:21:42 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1817 seq=3 pid=103981
> refcnt=1
> 0.0.0.0/0 0.0.0.0/0 icmp
> fwd prio high + 1073739774 none
> created: May 23 11:21:31 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1698 seq=4 pid=103981
> refcnt=1
> 0.0.0.0/0 0.0.0.0/0 icmp
> in prio high + 1073739774 none
> created: May 23 11:21:31 2017 lastused: May 23 11:21:35 2017
> lifetime: 0(s) validtime: 0(s)
> spid=1688 seq=5 pid=103981
> refcnt=2
> 0.0.0.0/0 0.0.0.0/0 icmp
> out prio high + 1073739774 none
> created: May 23 11:21:31 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1681 seq=6 pid=103981
> refcnt=1
>
>
> Questions:
> 1) I'd like a transport type IPsec session for all non-ICMP traffic
> between client and server. As soon as I specify "passthrough" policy, my
> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
> I am not specifying passthrough policy correctly.
>
> 1) Do I need to specify left/right for my "skip" passthrough conn? If I do
> NOT specify left and right for skip connection, I see the IPsec type
> remains transport (which is good and what I want), I do see shunted
> policies in "ipsec status" but I still see ping packets are encrypted.
>
> Thank you for any help!
> Piyush
>
> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>
>> Add a passthrough policy for the protocol.
>>
>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <agarwa... at gmail.com
>> >:
>>>
>>> Hi,
>>> Reading through the left|rightsubnet, it seems like there is no way to
>>> *exclude* a protocol from getting encrypted?
>>>
>>> I have a host to host tunnel and I want to encrypt everything between
>>> these except ICMP since I'd like to do out-of-tunnel ping/traceroute.
>>>
>>> Prior to using strongswan, I was using racoon where I could use setkey
>>> to manually update the SPD to exclude icmp alone.
>>>
>>> Please advise if there is any way to achieve this with strongswan.
>>>
>>> Thanks.
>>>
>>> --
>>> Piyush Agarwal
>>> Life can only be understood backwards; but it must be lived forwards.
>>>
>>
>> --
>> Sent from mobile
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/18009c95/attachment-0001.html>
More information about the Users
mailing list