[strongSwan] Exclude protocol from IPsec

Piyush Agarwal agarwalpiyush at gmail.com
Wed May 24 00:12:17 CEST 2017


I see this in the server's log; is that a red flag? The local address on the
server is 1.100.0.5 (the client is 1.100.0.9).

13[CFG] received stroke: route 'skip'
13[CFG] proposing traffic selectors for us:
13[CFG]  1.100.0.9/32[icmp]
13[CFG] proposing traffic selectors for other:
13[CFG]  1.100.0.5/32[icmp]
13[KNL] adding policy 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] out  (mark 0/0x00000000)
13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] in  (mark 0/0x00000000)
13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] fwd  (mark 0/0x00000000)
13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]


On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:

> Hi,
> Thanks for the suggestion. With the change you recommended, I do see some
> progress. But here are the issues:
>
> 1) client -> server ping: I do see echo request is un-encrypted as seen by
> tcpdump on server's interface. But tcpdump on the server's interface shows
> no reply being generated (if I remove passthrough policy, the encrypted
> replies work just fine). I saw threads about strongswan using route table
> 220, but I don't see any output of "ip route show table 220". Why is
> "auto=route" required? How is it messing with the server side's echo reply,
> assuming that is the case? I tried with auto=start but that still had ICMP
> packets encrypted.
>
> 2) server -> client ping: I see server's ping show up encrypted on the
> client's interface. Client's interface tcpdump sees unencrypted echo
> reply. But this reply is not seen on server's interface at all!!
>
> Does the order of IP addresses in output of "Shunted policies" have any
> significance? I see server side is showing shunted connected as "client/32
> == server/32" which is not what I expected.
>
> Client output:
> client$:ipsec status
> Shunted Connections:
>         skip:  1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] PASS
> Security Associations (1 up, 0 connecting):
>    1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>    1.100.0.5{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
> cfc50c8b_o
>    1.100.0.5{1}:   1.100.0.9/32 === 1.100.0.5/32
>
> Server output:
> server$:ipsec status
> Shunted Connections:
>         skip:  1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] PASS
> Security Associations (1 up, 0 connecting):
>    1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>    1.100.0.9{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
> c5067855_o
>    1.100.0.9{1}:   1.100.0.5/32 === 1.100.0.9/32
>
> Much appreciate any help. Racoon/setkey was very straightforward to get
> this working :( Hopefully it is a mistake I am making/misconfiguring etc.
>
> Reprinting the ipsec.conf (after changes were done):
> Client:
>
> conn skip
>     type=passthrough
>     left=127.0.0.1
>     leftsubnet=1.100.0.9/32[icmp/]
>     leftcert=client_cert.pem
>     leftsendcert=always
>     rightcert=server_cert.pem
>     right=127.0.0.1
>     rightsubnet=1.100.0.5/32[icmp/]
>     auto=route
>
> conn 1.100.0.5
>     type=transport
>     left=1.100.0.9
>     leftcert=client_cert.pem
>     leftsendcert=always
>     rightcert=server_cert.pem
>     right=1.100.0.5
>     reauth=no
>     dpdaction=restart
>     auto=start
>
> Server:
>
> conn skip
>     type=passthrough
>     left=127.0.0.1
>     leftsubnet=1.100.0.5/32[icmp/]
>     leftcert=server_cert.pem
>     leftsendcert=always
>     rightcert=client_cert.pem
>     right=127.0.0.1
>     rightsubnet=1.100.0.9/32[icmp/]
>     auto=route
>
> conn 1.100.0.9
>     type=transport
>     left=1.100.0.5
>     leftcert=server_cert.pem
>     leftsendcert=always
>     rightcert=client_cert.pem
>     right=1.100.0.9
>     reauth=no
>     dpdaction=restart
>     auto=add
>
>
> Thanks!
>
> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>
>> Try following
>>
>>     type=passthrough
>>     left=127.0.0.1
>>     leftsubnet=1.100.0.9/32[icmp/]
>>     right=127.0.0.1
>>     rightsubnet=1.100.0.5/32[icmp/]
>>     auto=route
>>
>>
>>
>> ---- agarwa... at gmail.com wrote ----
>>
>>
>> Reading another thread, I changed "right" of "skip" connection on both
>> client and server to be  "127.0.0.1" and that fixed up a few things:
>> 1) The IPsec installed is type transport (as desired)
>> 2) I do see shunted policies list ICMP PASS
>>
>> However, I still have my pings from client to server encrypted :(
>>
>> Client:
>> # ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
>> x86_64):
>>   uptime: 10 minutes, since May 23 12:02:46 2017
>>   malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 3
>>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>> socket-default stroke updown eap-identity addrblock
>> Listening IP addresses:
>>   1.100.0.9
>> Connections:
>>         skip:  %any...127.0.0.1  IKEv2
>>         skip:   local:  [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com] uses public key authentication
>>         skip:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com"
>>         skip:   remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com] uses public key authentication
>>         skip:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com"
>>         skip:   child:  0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>    1.100.0.5:  1.100.0.9...1.100.0.5  IKEv2, dpddelay=60s
>>    1.100.0.5:   local:  [C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com] uses public key authentication
>>    1.100.0.5:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com"
>>    1.100.0.5:   remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com] uses public key authentication
>>    1.100.0.5:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com"
>>    1.100.0.5:   child:  dynamic === dynamic TRANSPORT, dpdaction=restart
>> Shunted Connections:
>>         skip:  0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>> Security Associations (1 up, 0 connecting):
>>    1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>    1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
>> rekeying in 44 minutes
>>    1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>    1.100.0.5{1}:  INSTALLED, TRANSPORT, ESP SPIs: c989f733_i c3f6a42e_o
>>    1.100.0.5{1}:  AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts,
>> 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
>>    1.100.0.5{1}:   1.100.0.9/32 === 1.100.0.5/32
>>
>>
>> Client setkey -DP output:
>> 1.100.0.5[any] 1.100.0.9[any] 255
>>         in prio high + 1073740029 ipsec
>>         esp/transport//unique:1
>>         created: May 23 12:18:12 2017  lastused: May 23 12:18:52 2017
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=2248 seq=1 pid=176401
>>         refcnt=11
>> 1.100.0.9[any] 1.100.0.5[any] 255
>>         out prio high + 1073740029 ipsec
>>         esp/transport//unique:1
>>         created: May 23 12:18:12 2017  lastused: May 23 12:18:47 2017
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=2241 seq=2 pid=176401
>>         refcnt=11
>> 0.0.0.0/0 0.0.0.0/0 icmp
>>         fwd prio high + 1073739774 none
>>         created: May 23 12:02:46 2017  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=2130 seq=3 pid=176401
>>         refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>>         in prio high + 1073739774 none
>>         created: May 23 12:02:46 2017  lastused: May 23 12:02:50 2017
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=2120 seq=4 pid=176401
>>         refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>>         out prio high + 1073739774 none
>>         created: May 23 12:02:46 2017  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=2113 seq=5 pid=176401
>>         refcnt=1
>>
>>
>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com wrote:
>>>
>>> Hi Noel,
>>> Many thanks for the pointer. Looks like I am missing something more or
>>> perhaps making a mistake.
>>>
>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>
>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
>>> machines.
>>>
>>> Strongswan 5.1.2
>>>
>>> The client and server are using self-signed certificates and have each
>>> other's certs in /etc/ipsec.d/certs/
>>>
>>> Client ipsec.conf:
>>>
>>> config setup
>>>     charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls
>>> 1, lib 0, enc 0, tnc 0"
>>>     uniqueids=no
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     keyexchange=ikev2
>>>     authby=rsasig
>>>
>>> conn skip
>>>     type=passthrough
>>>     left=1.100.0.9
>>>     leftsubnet=0.0.0.0/0[icmp/]
>>>     leftcert=client_cert.pem
>>>     leftsendcert=always
>>>     rightcert=server_cert.pem
>>>     right=1.100.0.5
>>>     rightsubnet=0.0.0.0/0[icmp/]
>>>     auto=route
>>>
>>> conn 1.100.0.5
>>>     type=transport
>>>     left=1.100.0.9
>>>     leftcert=client_cert.pem
>>>     leftsendcert=always
>>>     rightcert=server_cert.pem
>>>     right=1.100.0.5
>>>     reauth=no
>>>     auto=start
>>>
>>> Server ipsec.conf:
>>>
>>> config setup
>>>     charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls
>>> 1, lib 0, enc 0, tnc 0"
>>>     uniqueids=no
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     keyexchange=ikev2
>>>     authby=rsasig
>>>
>>> conn skip
>>>     type=passthrough
>>>     left=1.100.0.5
>>>     leftsubnet=0.0.0.0/0[icmp/]
>>>     leftcert=server_cert.pem
>>>     leftsendcert=always
>>>     rightcert=client_cert.pem
>>>     right=1.100.0.9
>>>     rightsubnet=0.0.0.0/0[icmp/]
>>>     auto=route
>>>
>>> conn 1.100.0.9
>>>     type=transport
>>>     left=1.100.0.5
>>>     leftcert=server_cert.pem
>>>     leftsendcert=always
>>>     rightcert=client_cert.pem
>>>     right=1.100.0.9
>>>     reauth=no
>>>     auto=add
>>>
>>> =============
>>> Output of setkey -DP on client:
>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>> 1.100.0.5 1.100.0.9 icmp
>>>         fwd prio high + 1073740030 ipsec
>>>         esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>         created: May 23 11:21:42 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=1834 seq=1 pid=103981
>>>         refcnt=1
>>> 1.100.0.5 1.100.0.9 icmp
>>>         in prio high + 1073740030 ipsec
>>>         esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>         created: May 23 11:21:42 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=1824 seq=2 pid=103981
>>>         refcnt=1
>>> 1.100.0.9 1.100.0.5 icmp
>>>         out prio high + 1073740030 ipsec
>>>         esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>         created: May 23 11:21:42 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=1817 seq=3 pid=103981
>>>         refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>         fwd prio high + 1073739774 none
>>>         created: May 23 11:21:31 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=1698 seq=4 pid=103981
>>>         refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>         in prio high + 1073739774 none
>>>         created: May 23 11:21:31 2017  lastused: May 23 11:21:35 2017
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=1688 seq=5 pid=103981
>>>         refcnt=2
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>         out prio high + 1073739774 none
>>>         created: May 23 11:21:31 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=1681 seq=6 pid=103981
>>>         refcnt=1
>>>
>>>
>>> Questions:
>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>> between client and server. As soon as I specify "passthrough" policy, my
>>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>>> I am not specifying passthrough policy correctly.
>>>
>>> 2) Do I need to specify left/right for my "skip" passthrough conn? If I
>>> do NOT specify left and right for skip connection, I see the IPsec type
>>> remains transport (which is good and what I want), I do see shunted
>>> policies in "ipsec status" but I still see ping packets are encrypted.
>>>
>>> Thank you for any help!
>>> Piyush
>>>
>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>
>>>> Add a passthrough policy for the protocol.
>>>>
>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>> agarwa... at gmail.com>:
>>>>>
>>>>> Hi,
>>>>> Reading through the left|rightsubnet, it seems like there is no way to
>>>>> *exclude* a protocol from getting encrypted?
>>>>>
>>>>> I have a host to host tunnel and I want to encrypt everything between
>>>>> these except ICMP since I'd like to do out-of-tunnel ping/traceroute.
>>>>>
>>>>> Prior to using strongswan, I was using racoon where I could use setkey
>>>>> to manually update the SPD to exclude icmp alone.
>>>>>
>>>>> Please advise if there is any way to achieve this with strongswan.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Piyush Agarwal
>>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>>
>>>>
>>>> --
>>>> Sent from mobile
>>>>
>>>


-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
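The recurring question in this thread is which SPD entry the kernel actually applies to a ping when both an ICMP passthrough policy and a host-to-host ipsec policy could match. As an added example (not from the thread or from strongSwan), here is a small Python parser for the `setkey -DP` format quoted above that resolves a packet against the dump the way XFRM does: among matching entries, the lowest priority value wins, which is why the `none` entries at 1073739774 outrank the `ipsec` entries at 1073740029. The sample dump is constructed from the client output in the thread, trimmed to the selector and action lines.

```python
import ipaddress
import re

# Constructed sample in `setkey -DP` format, trimmed from the client dump
# quoted in the thread (created/lifetime/spid lines left out).
SPD_DUMP = """\
1.100.0.5[any] 1.100.0.9[any] 255
        in prio high + 1073740029 ipsec
        esp/transport//unique:1
1.100.0.9[any] 1.100.0.5[any] 255
        out prio high + 1073740029 ipsec
0.0.0.0/0 0.0.0.0/0 icmp
        in prio high + 1073739774 none
0.0.0.0/0 0.0.0.0/0 icmp
        out prio high + 1073739774 none
"""

# Selector line: "<src>[port] <dst>[port] <proto>"; proto 255 means any.
HEADER = re.compile(r"^(\S+?)(?:\[\w+\])? (\S+?)(?:\[\w+\])? (\S+)$")
# Action line: "<dir> prio high + <n> <ipsec|none|discard>".
ACTION = re.compile(r"^\s+(in|out|fwd) prio \S+ \+ (\d+) (ipsec|none|discard)")

def parse_spd(text):
    """Parse a setkey -DP dump into policy dicts (src, dst, proto, dir, prio, action)."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            src, dst, proto = m.groups()
            cur = {"src": ipaddress.ip_network(src, strict=False),
                   "dst": ipaddress.ip_network(dst, strict=False),
                   "proto": proto}
            continue
        m = ACTION.match(line)
        if m and cur is not None:
            cur.update(dir=m.group(1), prio=int(m.group(2)), action=m.group(3))
            policies.append(cur)
            cur = None
    return policies

def lookup(policies, src, dst, proto, direction):
    """Action the SPD applies to one packet: among entries matching direction,
    addresses and protocol, the lowest priority value wins (XFRM semantics);
    with no match the packet is not subject to IPsec at all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]
            and p["proto"] in ("255", "any", proto)]
    return min(hits, key=lambda p: p["prio"])["action"] if hits else "unmatched"
```

Running `lookup` for an outbound ICMP packet from 1.100.0.9 to 1.100.0.5 returns `none` (passthrough) while the same packet over TCP returns `ipsec`, which is what a correct SPD for this setup should say; if a live dump resolves ICMP to `ipsec`, the passthrough entry is missing or has the wrong selector.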