[strongSwan] Exclude protocol from IPsec

Dusan Ilic dusan at comhem.se
Tue May 23 21:29:41 CEST 2017


Try the following

    type=passthrough
    left=127.0.0.1
    leftsubnet=1.100.0.9/32[icmp/]
    right=127.0.0.1
    rightsubnet=1.100.0.5/32[icmp/]
    auto=route



---- agarwalpiyush at gmail.com wrote ----

>Reading another thread, I changed "right" of "skip" connection on both 
>client and server to be  "127.0.0.1" and that fixed up a few things:
>1) The IPsec installed is type transport (as desired)
>2) I do see shunted policies list ICMP PASS
>
>*However, I still have my pings from client to server encrypted :(*
>
>*Client:*
># ipsec statusall
>Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic, 
>x86_64):
>  uptime: 10 minutes, since May 23 12:02:46 2017
>  malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
>scheduled: 3
>  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand 
>random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem 
>openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve 
>socket-default stroke updown eap-identity addrblock
>Listening IP addresses:
>  1.100.0.9
>Connections:
>        skip:  %any...127.0.0.1  IKEv2
>        skip:   local:  [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com] uses public key authentication
>        skip:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com"
>        skip:   remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com] uses public key authentication
>        skip:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com"
>        skip:   child:  0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>   1.100.0.5:  1.100.0.9...1.100.0.5  IKEv2, dpddelay=60s
>   1.100.0.5:   local:  [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com] uses public key authentication
>   1.100.0.5:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com"
>   1.100.0.5:   remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com] uses public key authentication
>   1.100.0.5:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, 
>CN=test.com"
>   1.100.0.5:   child:  dynamic === dynamic *TRANSPORT*, dpdaction=restart
>*Shunted Connections:*
>*        skip:  0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>Security Associations (1 up, 0 connecting):
>   1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA, 
>L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US, ST=CA, 
>L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>   1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r, 
>rekeying in 44 minutes
>   1.100.0.5[1]: IKE proposal: 
>AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>   1.100.0.5{1}:  INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i c3f6a42e_o
>   1.100.0.5{1}:  AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts, 1s 
>ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
>   1.100.0.5{1}:   *1.100.0.9/32 === 1.100.0.5/32* 
>
>
>*Client setkey -DP output:*
>1.100.0.5[any] 1.100.0.9[any] 255
>        in prio high + 1073740029 ipsec
>        esp/transport//unique:1
>        created: May 23 12:18:12 2017  lastused: May 23 12:18:52 2017
>        lifetime: 0(s) validtime: 0(s)
>        spid=2248 seq=1 pid=176401
>        refcnt=11
>1.100.0.9[any] 1.100.0.5[any] 255
>        out prio high + 1073740029 ipsec
>        esp/transport//unique:1
>        created: May 23 12:18:12 2017  lastused: May 23 12:18:47 2017
>        lifetime: 0(s) validtime: 0(s)
>        spid=2241 seq=2 pid=176401
>        refcnt=11
>0.0.0.0/0 0.0.0.0/0 icmp
>        fwd prio high + 1073739774 none
>        created: May 23 12:02:46 2017  lastused:                     
>        lifetime: 0(s) validtime: 0(s)
>        spid=2130 seq=3 pid=176401
>        refcnt=1
>0.0.0.0/0 0.0.0.0/0 icmp
>        in prio high + 1073739774 none
>        created: May 23 12:02:46 2017  lastused: May 23 12:02:50 2017
>        lifetime: 0(s) validtime: 0(s)
>        spid=2120 seq=4 pid=176401
>        refcnt=1
>0.0.0.0/0 0.0.0.0/0 icmp
>        out prio high + 1073739774 none
>        created: May 23 12:02:46 2017  lastused:                     
>        lifetime: 0(s) validtime: 0(s)
>        spid=2113 seq=5 pid=176401
>        refcnt=1
>
>
>On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com wrote:
>>
>> Hi Noel,
>> Many thanks for the pointer. Looks like I am missing something more or 
>> perhaps making a mistake. 
>>
>> Client [1.100.0.9] -- Server [1.100.0.5] 
>>
>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two 
>> machines.
>>
>> Strongswan 5.1.2
>>
>> The client and server are using self-signed certificates and have each 
>> other's certs in /etc/ipsec.d/certs/
>>
>> *Client ipsec.conf:*
>>
>> config setup
>>     charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, 
>> lib 0, enc 0, tnc 0"
>>     uniqueids=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     authby=rsasig
>>
>> conn skip
>>     type=passthrough
>>     left=1.100.0.9
>>     leftsubnet=0.0.0.0/0[icmp/]
>>     leftcert=client_cert.pem
>>     leftsendcert=always
>>     rightcert=server_cert.pem
>>     right=1.100.0.5
>>     rightsubnet=0.0.0.0/0[icmp/]
>>     auto=route
>>
>> conn 1.100.0.5
>>     type=transport
>>     left=1.100.0.9
>>     leftcert=client_cert.pem
>>     leftsendcert=always
>>     rightcert=server_cert.pem
>>     right=1.100.0.5
>>     reauth=no
>>     auto=start
>>
>> *Server ipsec.conf:*
>>
>> config setup
>>     charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, 
>> lib 0, enc 0, tnc 0"
>>     uniqueids=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     authby=rsasig
>>
>> conn skip
>>     type=passthrough
>>     left=1.100.0.5
>>     leftsubnet=0.0.0.0/0[icmp/]
>>     leftcert=server_cert.pem
>>     leftsendcert=always
>>     rightcert=client_cert.pem
>>     right=1.100.0.9
>>     rightsubnet=0.0.0.0/0[icmp/]
>>     auto=route
>>
>> conn 1.100.0.9
>>     type=transport
>>     left=1.100.0.5
>>     leftcert=server_cert.pem
>>     leftsendcert=always
>>     rightcert=client_cert.pem
>>     right=1.100.0.9
>>     reauth=no
>>     auto=add
>>
>> =============
>> Output of setkey -DP on client:
>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v# 
>> ./sbin/nfv_cli dm_carl0 setkey -DP
>> 1.100.0.5 1.100.0.9 icmp
>>         fwd prio high + 1073740030 ipsec
>>         esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>         created: May 23 11:21:42 2017  lastused:                     
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=1834 seq=1 pid=103981
>>         refcnt=1
>> 1.100.0.5 1.100.0.9 icmp
>>         in prio high + 1073740030 ipsec
>>         esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>         created: May 23 11:21:42 2017  lastused:                     
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=1824 seq=2 pid=103981
>>         refcnt=1
>> 1.100.0.9 1.100.0.5 icmp
>>         out prio high + 1073740030 ipsec
>>         esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>         created: May 23 11:21:42 2017  lastused:                     
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=1817 seq=3 pid=103981
>>         refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>>         fwd prio high + 1073739774 none
>>         created: May 23 11:21:31 2017  lastused:                     
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=1698 seq=4 pid=103981
>>         refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>>         in prio high + 1073739774 none
>>         created: May 23 11:21:31 2017  lastused: May 23 11:21:35 2017
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=1688 seq=5 pid=103981
>>         refcnt=2
>> 0.0.0.0/0 0.0.0.0/0 icmp
>>         out prio high + 1073739774 none
>>         created: May 23 11:21:31 2017  lastused:                     
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=1681 seq=6 pid=103981
>>         refcnt=1
>>
>>
>> Questions:
>> 1) I'd like a transport type IPsec session for all non-ICMP traffic 
>> between client and server. As soon as I specify "passthrough" policy, my 
>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly 
>> I am not specifying passthrough policy correctly.
>>
>> 2) Do I need to specify left/right for my "skip" passthrough conn? If I do 
>> NOT specify left and right for skip connection, I see the IPsec type 
>> remains transport (which is good and what I want), I do see shunted 
>> policies in "ipsec status" but I still see ping packets are encrypted.
>>
>> Thank you for any help!
>> Piyush
>>
>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>
>>> Add a passthrough policy for the protocol.
>>>
>>> On 22 May 2017 19:09:03 MESZ, Piyush Agarwal <agarwa... at gmail.com> wrote:
>>>>
>>>> Hi,
>>>> Reading through the left|rightsubnet, it seems like there is no way to 
>>>> *exclude* a protocol from getting encrypted? 
>>>>
>>>> I have a host to host tunnel and I want to encrypt everything between 
>>>> these except ICMP since I'd like to do out-of-tunnel ping/traceroute.
>>>>
>>>> Prior to using strongswan, I was using racoon where I could use setkey 
>>>> to manually update the SPD to exclude icmp alone.
>>>>
>>>> Please advise if there is any way to achieve this with strongswan.
>>>>
>>>> Thanks.
>>>>
>>>> -- 
>>>> Piyush Agarwal
>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>
>>>
>>> -- 
>>> Sent from mobile
>>>
>>