[strongSwan] Exclude protocol from IPsec
agarwalpiyush at gmail.com
agarwalpiyush at gmail.com
Tue May 23 23:48:34 CEST 2017
Hi,
Thanks for the suggestion. With the change you recommended, I do see some
progress. But here are the issues:
1) client -> server ping: I do see echo request is un-encrypted as seen by
tcpdump on server's interface. But tcpdump on the server's interface shows
no reply being generated (if I remove passthrough policy, the encrypted
replies work just fine). I saw threads about strongswan using route table
220, but I don't see any output of "ip route show table 220". Why is
"auto=route" required? How is it messing with the server side's echo reply,
assuming that is the case? I tried with auto=start but that still had ICMP
packets encrypted.
2) server -> client ping: I see server's ping show up encrypted on the
client's interface. Client's interface tcpdump sees un-unencrypted echo
reply. But this reply is not seen on server's interface at all!!
Does the order of IP addresses in output of "Shunted policies" have any
significance? I see server side is showing shunted connected as "client/32
== server/32" which is not what I expected.
*Client output:*
*client$:ipsec status*
Shunted Connections:
* skip: 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] PASS*
Security Associations (1 up, 0 connecting):
1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US, ST=CA,
L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
cfc50c8b_o
1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
*Server output:*
*server$:ipsec status*
Shunted Connections:
* skip: 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] PASS*
Security Associations (1 up, 0 connecting):
1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US, ST=CA,
L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
c5067855_o
1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
Much appreciate any help. Racoon/setkey was very straightforward to get
this working :( Hopefully it is a mistake I am making/misconfiguring etc.
Reprinting the ipsec.conf (after changes were done):
*Client:*
conn skip
type=passthrough
left=127.0.0.1
leftsubnet=1.100.0.9/32[icmp/]
leftcert=client_cert.pem
leftsendcert=always
rightcert=server_cert.pem
right=127.0.0.1
rightsubnet=1.100.0.5/32[icmp/]
auto=route
conn 1.100.0.5
type=transport
left=1.100.0.9
leftcert=client_cert.pem
leftsendcert=always
rightcert=server_cert.pem
right=1.100.0.5
reauth=no
dpdaction=restart
auto=start
*Server:*
conn skip
type=passthrough
left=127.0.0.1
leftsubnet=1.100.0.5/32[icmp/]
leftcert=server_cert.pem
leftsendcert=always
rightcert=client_cert.pem
right=127.0.0.1
rightsubnet=1.100.0.9/32[icmp/]
auto=route
conn 1.100.0.9
type=transport
left=1.100.0.5
leftcert=server_cert.pem
leftsendcert=always
rightcert=client_cert.pem
right=1.100.0.9
reauth=no
dpdaction=restart
auto=add
Thanks!
On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>
> Try following
>
> type=passthrough
> left=127.0.0.1
> leftsubnet=1.100.0.9/32[icmp/]
> right=127.0.0.1
> rightsubnet=1.100.0.5/32[icmp/]
> auto=route
>
>
>
> ---- agarwa... at gmail.com <javascript:> skrev ----
>
> Reading another thread, I changed "right" of "skip" connection on both
> client and server to be "127.0.0.1" and that fixed up a few things:
> 1) The IPsec installed is type transport (as desired)
> 2) I do see shunted policies list ICMP PASS
>
> *However, I still have my pings from client to server encrypted :(*
>
> *Client:*
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
> x86_64):
> uptime: 10 minutes, since May 23 12:02:46 2017
> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 3
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
> socket-default stroke updown eap-identity addrblock
> Listening IP addresses:
> 1.100.0.9
> Connections:
> skip: %any...127.0.0.1 IKEv2
> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com] uses public key authentication
> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com"
> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com] uses public key authentication
> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com"
> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com] uses public key authentication
> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com"
> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com] uses public key authentication
> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
> CN=test.com"
> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*, dpdaction=restart
> *Shunted Connections:*
> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
> Security Associations (1 up, 0 connecting):
> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US, ST=CA,
> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
> rekeying in 44 minutes
> 1.100.0.5[1]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i c3f6a42e_o
> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts, 1s
> ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>
>
> *Client setkey -DP output:*
> 1.100.0.5[any] 1.100.0.9[any] 255
> in prio high + 1073740029 ipsec
> esp/transport//unique:1
> created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017
> lifetime: 0(s) validtime: 0(s)
> spid=2248 seq=1 pid=176401
> refcnt=11
> 1.100.0.9[any] 1.100.0.5[any] 255
> out prio high + 1073740029 ipsec
> esp/transport//unique:1
> created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017
> lifetime: 0(s) validtime: 0(s)
> spid=2241 seq=2 pid=176401
> refcnt=11
> 0.0.0.0/0 0.0.0.0/0 icmp
> fwd prio high + 1073739774 none
> created: May 23 12:02:46 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2130 seq=3 pid=176401
> refcnt=1
> 0.0.0.0/0 0.0.0.0/0 icmp
> in prio high + 1073739774 none
> created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017
> lifetime: 0(s) validtime: 0(s)
> spid=2120 seq=4 pid=176401
> refcnt=1
> 0.0.0.0/0 0.0.0.0/0 icmp
> out prio high + 1073739774 none
> created: May 23 12:02:46 2017 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2113 seq=5 pid=176401
> refcnt=1
>
>
> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com wrote:
>>
>> Hi Noel,
>> Many thanks for the pointer. Looks like I am missing something more or
>> perhaps making a mistake.
>>
>> Client [1.100.0.9] -- Server [1.100.0.5]
>>
>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
>> machines.
>>
>> Strongswan 5.1.2
>>
>> The client and server are using self-signed certificates and have each
>> other's certs in /etc/ipsec.d/certs/
>>
>> *Client ipsec.conf <http://ipsec.conf>:*
>>
>> config setup
>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1,
>> lib 0, enc 0, tnc 0"
>> uniqueids=no
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> authby=rsasig
>>
>> conn skip
>> type=*passthrough*
>> left=1.100.0.9
>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>> leftcert=client_cert.pem
>> leftsendcert=always
>> rightcert=server_cert.pem
>> right=1.100.0.5
>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>> auto=route
>>
>> conn 1.100.0.5
>> type=*transport*
>> left=1.100.0.9
>> leftcert=client_cert.pem
>> leftsendcert=always
>> rightcert=server_cert.pem
>> right=1.100.0.5
>> reauth=no
>> auto=start
>>
>> *Server ipsec.conf <http://ipsec.conf>:*
>>
>> config setup
>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1,
>> lib 0, enc 0, tnc 0"
>> uniqueids=no
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> authby=rsasig
>>
>> conn skip
>> type=*passthrough*
>> left=1.100.0.5
>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>> leftcert=server_cert.pem
>> leftsendcert=always
>> rightcert=client_cert.pem
>> right=1.100.0.9
>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>> auto=route
>>
>> conn 1.100.0.9
>> type=*transport*
>> left=1.100.0.5
>> leftcert=server_cert.pem
>> leftsendcert=always
>> rightcert=client_cert.pem
>> right=1.100.0.9
>> reauth=no
>> auto=add
>>
>> =============
>> Output of setkey -DP on client:
>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>> ./sbin/nfv_cli dm_carl0 setkey -DP
>> 1.100.0.5 1.100.0.9 icmp
>> fwd prio high + 1073740030 ipsec
>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>> created: May 23 11:21:42 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=1834 seq=1 pid=103981
>> refcnt=1
>> 1.100.0.5 1.100.0.9 icmp
>> in prio high + 1073740030 ipsec
>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>> created: May 23 11:21:42 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=1824 seq=2 pid=103981
>> refcnt=1
>> 1.100.0.9 1.100.0.5 icmp
>> out prio high + 1073740030 ipsec
>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>> created: May 23 11:21:42 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=1817 seq=3 pid=103981
>> refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>> fwd prio high + 1073739774 none
>> created: May 23 11:21:31 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=1698 seq=4 pid=103981
>> refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>> in prio high + 1073739774 none
>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35 2017
>> lifetime: 0(s) validtime: 0(s)
>> spid=1688 seq=5 pid=103981
>> refcnt=2
>> 0.0.0.0/0 0.0.0.0/0 icmp
>> out prio high + 1073739774 none
>> created: May 23 11:21:31 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=1681 seq=6 pid=103981
>> refcnt=1
>>
>>
>> Questions:
>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>> between client and server. As soon as I specify "passthrough" policy, my
>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>> I am not specifying passthrough policy correctly.
>>
>> 1) Do I need to specify left/right for my "skip" passthrough conn? If I
>> do NOT specify left and right for skip connection, I see the IPsec type
>> remains transport (which is good and what I want), I do see shunted
>> policies in "ipsec status" but I still see ping packets are encrypted.
>>
>> Thank you for any help!
>> Piyush
>>
>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>
>>> Add a passthrough policy for the protocol.
>>>
>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>> agarwa... at gmail.com>:
>>>>
>>>> Hi,
>>>> Reading through the left|rightsubnet, it seems like there is no way to
>>>> *exclude* a protocol from getting encrypted?
>>>>
>>>> I have a host to host tunnel and I want to encrypt everything between
>>>> these except ICMP since I'd like to do out-of-tunnel ping/traceroute.
>>>>
>>>> Prior to using strongswan, I was using racoon where I could use setkey
>>>> to manually update the SPD to exclude icmp alone.
>>>>
>>>> Please advise if there is any way to achieve this with strongswan.
>>>>
>>>> Thanks.
>>>>
>>>> --
>>>> Piyush Agarwal
>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>
>>>
>>> --
>>> Sent from mobile
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/6d0dd52c/attachment-0001.html>
More information about the Users
mailing list