[strongSwan] Exclude protocol from IPsec
Piyush Agarwal
agarwalpiyush at gmail.com
Wed May 24 00:12:17 CEST 2017
I see this in server's log, is that a red flag? The local address on server
1.100.0.5 (client is 1.100.0.9).
13[CFG] received stroke: route 'skip'
13[CFG] proposing traffic selectors for us:
13[CFG] 1.100.0.9/32[icmp]
13[CFG] proposing traffic selectors for other:
13[CFG] 1.100.0.5/32[icmp]
13[KNL] adding policy 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] out (mark
0/0x00000000)
13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] in (mark
0/0x00000000)
13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] fwd (mark
0/0x00000000)
13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
*13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]
<http://1.100.0.9/32[icmp]>*
On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
> Hi,
> Thanks for the suggestion. With the change you recommended, I do see some
> progress. But here are the issues:
>
> 1) client -> server ping: I do see echo request is un-encrypted as seen by
> tcpdump on server's interface. But tcpdump on the server's interface shows
> no reply being generated (if I remove passthrough policy, the encrypted
> replies work just fine). I saw threads about strongswan using route table
> 220, but I don't see any output of "ip route show table 220". Why is
> "auto=route" required? How is it messing with the server side's echo reply,
> assuming that is the case? I tried with auto=start but that still had ICMP
> packets encrypted.
>
> 2) server -> client ping: I see server's ping show up encrypted on the
> client's interface. Client's interface tcpdump sees un-unencrypted echo
> reply. But this reply is not seen on server's interface at all!!
>
> Does the order of IP addresses in output of "Shunted policies" have any
> significance? I see server side is showing shunted connected as "client/32
> == server/32" which is not what I expected.
>
> *Client output:*
> *client$:ipsec status*
> Shunted Connections:
> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
> Security Associations (1 up, 0 connecting):
> 1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
> 1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
> cfc50c8b_o
> 1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
>
> *Server output:*
> *server$:ipsec status*
> Shunted Connections:
> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
> Security Associations (1 up, 0 connecting):
> 1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US, ST=CA,
> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
> 1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
> c5067855_o
> 1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
>
> Much appreciate any help. Racoon/setkey was very straightforward to get
> this working :( Hopefully it is a mistake I am making/misconfiguring etc.
>
> Reprinting the ipsec.conf (after changes were done):
> *Client:*
>
> conn skip
> type=passthrough
> left=127.0.0.1
> leftsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
> leftcert=client_cert.pem
> leftsendcert=always
> rightcert=server_cert.pem
> right=127.0.0.1
> rightsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
> auto=route
>
> conn 1.100.0.5
> type=transport
> left=1.100.0.9
> leftcert=client_cert.pem
> leftsendcert=always
> rightcert=server_cert.pem
> right=1.100.0.5
> reauth=no
> dpdaction=restart
> auto=start
>
> *Server:*
>
> conn skip
> type=passthrough
> left=127.0.0.1
> leftsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
> leftcert=server_cert.pem
> leftsendcert=always
> rightcert=client_cert.pem
> right=127.0.0.1
> rightsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
> auto=route
>
> conn 1.100.0.9
> type=transport
> left=1.100.0.5
> leftcert=server_cert.pem
> leftsendcert=always
> rightcert=client_cert.pem
> right=1.100.0.9
> reauth=no
> dpdaction=restart
> auto=add
>
>
> Thanks!
>
> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>
>> Try following
>>
>> type=passthrough
>> left=127.0.0.1
>> leftsubnet=1.100.0.9/32[icmp/]
>> right=127.0.0.1
>> rightsubnet=1.100.0.5/32[icmp/]
>> auto=route
>>
>>
>>
>> ---- agarwa... at gmail.com skrev ----
>>
>>
>> Reading another thread, I changed "right" of "skip" connection on both
>> client and server to be "127.0.0.1" and that fixed up a few things:
>> 1) The IPsec installed is type transport (as desired)
>> 2) I do see shunted policies list ICMP PASS
>>
>> *However, I still have my pings from client to server encrypted :(*
>>
>> *Client:*
>> # ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
>> x86_64):
>> uptime: 10 minutes, since May 23 12:02:46 2017
>> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 3
>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>> socket-default stroke updown eap-identity addrblock
>> Listening IP addresses:
>> 1.100.0.9
>> Connections:
>> skip: %any...127.0.0.1 IKEv2
>> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com] uses public key authentication
>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com"
>> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com] uses public key authentication
>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC,
>> CN=test.com"
>> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
>> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com] uses public key authentication
>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com"
>> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com] uses public key authentication
>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>> OU=AgentC, CN=test.com"
>> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*,
>> dpdaction=restart
>> *Shunted Connections:*
>> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>> Security Associations (1 up, 0 connecting):
>> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
>> rekeying in 44 minutes
>> 1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H
>> MAC_SHA1/MODP_2048
>> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i c3f6a42e_o
>> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts,
>> 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
>> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>>
>>
>> *Client setkey -DP output:*
>> 1.100.0.5[any] 1.100.0.9[any] 255
>> in prio high + 1073740029 ipsec
>> esp/transport//unique:1
>> created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017
>> lifetime: 0(s) validtime: 0(s)
>> spid=2248 seq=1 pid=176401
>> refcnt=11
>> 1.100.0.9[any] 1.100.0.5[any] 255
>> out prio high + 1073740029 ipsec
>> esp/transport//unique:1
>> created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017
>> lifetime: 0(s) validtime: 0(s)
>> spid=2241 seq=2 pid=176401
>> refcnt=11
>> 0.0.0.0/0 0.0.0.0/0 icmp
>> fwd prio high + 1073739774 none
>> created: May 23 12:02:46 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=2130 seq=3 pid=176401
>> refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>> in prio high + 1073739774 none
>> created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017
>> lifetime: 0(s) validtime: 0(s)
>> spid=2120 seq=4 pid=176401
>> refcnt=1
>> 0.0.0.0/0 0.0.0.0/0 icmp
>> out prio high + 1073739774 none
>> created: May 23 12:02:46 2017 lastused:
>> lifetime: 0(s) validtime: 0(s)
>> spid=2113 seq=5 pid=176401
>> refcnt=1
>>
>>
>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com wrote:
>>>
>>> Hi Noel,
>>> Many thanks for the pointer. Looks like I am missing something more or
>>> perhaps making a mistake.
>>>
>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>
>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
>>> machines.
>>>
>>> Strongswan 5.1.2
>>>
>>> The client and server are using self-signed certificates and have each
>>> other's certs in /etc/ipsec.d/certs/
>>>
>>> *Client ipsec.conf <http://ipsec.conf>:*
>>>
>>> config setup
>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls
>>> 1, lib 0, enc 0, tnc 0"
>>> uniqueids=no
>>>
>>> conn %default
>>> ikelifetime=60m
>>> keylife=20m
>>> rekeymargin=3m
>>> keyingtries=1
>>> keyexchange=ikev2
>>> authby=rsasig
>>>
>>> conn skip
>>> type=*passthrough*
>>> left=1.100.0.9
>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>> leftcert=client_cert.pem
>>> leftsendcert=always
>>> rightcert=server_cert.pem
>>> right=1.100.0.5
>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>> auto=route
>>>
>>> conn 1.100.0.5
>>> type=*transport*
>>> left=1.100.0.9
>>> leftcert=client_cert.pem
>>> leftsendcert=always
>>> rightcert=server_cert.pem
>>> right=1.100.0.5
>>> reauth=no
>>> auto=start
>>>
>>> *Server ipsec.conf <http://ipsec.conf>:*
>>>
>>> config setup
>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls
>>> 1, lib 0, enc 0, tnc 0"
>>> uniqueids=no
>>>
>>> conn %default
>>> ikelifetime=60m
>>> keylife=20m
>>> rekeymargin=3m
>>> keyingtries=1
>>> keyexchange=ikev2
>>> authby=rsasig
>>>
>>> conn skip
>>> type=*passthrough*
>>> left=1.100.0.5
>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>> leftcert=server_cert.pem
>>> leftsendcert=always
>>> rightcert=client_cert.pem
>>> right=1.100.0.9
>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>> auto=route
>>>
>>> conn 1.100.0.9
>>> type=*transport*
>>> left=1.100.0.5
>>> leftcert=server_cert.pem
>>> leftsendcert=always
>>> rightcert=client_cert.pem
>>> right=1.100.0.9
>>> reauth=no
>>> auto=add
>>>
>>> =============
>>> Output of setkey -DP on client:
>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>> 1.100.0.5 1.100.0.9 icmp
>>> fwd prio high + 1073740030 ipsec
>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>> created: May 23 11:21:42 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=1834 seq=1 pid=103981
>>> refcnt=1
>>> 1.100.0.5 1.100.0.9 icmp
>>> in prio high + 1073740030 ipsec
>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>> created: May 23 11:21:42 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=1824 seq=2 pid=103981
>>> refcnt=1
>>> 1.100.0.9 1.100.0.5 icmp
>>> out prio high + 1073740030 ipsec
>>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>> created: May 23 11:21:42 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=1817 seq=3 pid=103981
>>> refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>> fwd prio high + 1073739774 none
>>> created: May 23 11:21:31 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=1698 seq=4 pid=103981
>>> refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>> in prio high + 1073739774 none
>>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35 2017
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=1688 seq=5 pid=103981
>>> refcnt=2
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>> out prio high + 1073739774 none
>>> created: May 23 11:21:31 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=1681 seq=6 pid=103981
>>> refcnt=1
>>>
>>>
>>> Questions:
>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>> between client and server. As soon as I specify "passthrough" policy, my
>>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>>> I am not specifying passthrough policy correctly.
>>>
>>> 1) Do I need to specify left/right for my "skip" passthrough conn? If I
>>> do NOT specify left and right for skip connection, I see the IPsec type
>>> remains transport (which is good and what I want), I do see shunted
>>> policies in "ipsec status" but I still see ping packets are encrypted.
>>>
>>> Thank you for any help!
>>> Piyush
>>>
>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>
>>>> Add a passthrough policy for the protocol.
>>>>
>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>> agarwa... at gmail.com>:
>>>>>
>>>>> Hi,
>>>>> Reading through the left|rightsubnet, it seems like there is no way to
>>>>> *exclude* a protocol from getting encrypted?
>>>>>
>>>>> I have a host to host tunnel and I want to encrypt everything between
>>>>> these except ICMP since I'd like to do out-of-tunnel ping/traceroute.
>>>>>
>>>>> Prior to using strongswan, I was using racoon where I could use setkey
>>>>> to manually update the SPD to exclude icmp alone.
>>>>>
>>>>> Please advise if there is any way to achieve this with strongswan.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Piyush Agarwal
>>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>>
>>>>
>>>> --
>>>> Sent from mobile
>>>>
>>>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/904d2611/attachment-0001.html>
More information about the Users
mailing list