[strongSwan] Exclude protocol from IPsec

Noel Kuntze noel at familie-kuntze.de
Wed May 24 01:20:50 CEST 2017


TS is oriented the wrong way.

On 24 May 2017 00:12:17 MESZ, Piyush Agarwal <agarwalpiyush at gmail.com> wrote:
>I see this in the server's log; is that a red flag? The local address on the
>server is 1.100.0.5 (the client is 1.100.0.9).
>
>13[CFG] received stroke: route 'skip'
>13[CFG] proposing traffic selectors for us:
>13[CFG]  1.100.0.9/32[icmp]
>13[CFG] proposing traffic selectors for other:
>13[CFG]  1.100.0.5/32[icmp]
>13[KNL] adding policy 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] out (mark 0/0x00000000)
>13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] in (mark 0/0x00000000)
>13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] fwd (mark 0/0x00000000)
>13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
>*13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]*
>
>
>On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
>
>> Hi,
>> Thanks for the suggestion. With the change you recommended, I do see some
>> progress. But here are the issues:
>>
>> 1) client -> server ping: I do see the echo request is unencrypted, as seen
>> by tcpdump on the server's interface. But tcpdump on the server's interface
>> shows no reply being generated (if I remove the passthrough policy, the
>> encrypted replies work just fine). I saw threads about strongSwan using
>> route table 220, but I don't see any output from "ip route show table 220".
>> Why is "auto=route" required? How is it messing with the server side's echo
>> reply, assuming that is the case? I tried auto=start, but that still had
>> ICMP packets encrypted.
>>
>> 2) server -> client ping: I see the server's ping show up encrypted on the
>> client's interface. tcpdump on the client's interface sees an unencrypted
>> echo reply. But this reply is not seen on the server's interface at all!!
>>
>> Does the order of IP addresses in the output of "Shunted policies" have
>> any significance? I see the server side is showing the shunted connection
>> as "client/32 == server/32", which is not what I expected.
>>
>> *Client output:*
>> *client$:ipsec status*
>> Shunted Connections:
>> *        skip:  1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] PASS*
>> Security Associations (1 up, 0 connecting):
>>    1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>    1.100.0.5{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i cfc50c8b_o
>>    1.100.0.5{1}:   1.100.0.9/32 === 1.100.0.5/32
>>
>> *Server output:*
>> *server$:ipsec status*
>> Shunted Connections:
>> *        skip:  1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] PASS*
>> Security Associations (1 up, 0 connecting):
>>    1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>    1.100.0.9{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i c5067855_o
>>    1.100.0.9{1}:   1.100.0.5/32 === 1.100.0.9/32
>>
>> I'd much appreciate any help. Racoon/setkey was very straightforward to get
>> this working :( Hopefully it is a mistake I am making/misconfiguring, etc.
>>
>> Reprinting the ipsec.conf (after changes were done):
>> *Client:*
>>
>> conn skip
>>     type=passthrough
>>     left=127.0.0.1
>>     leftsubnet=1.100.0.9/32[icmp/]
>>     leftcert=client_cert.pem
>>     leftsendcert=always
>>     rightcert=server_cert.pem
>>     right=127.0.0.1
>>     rightsubnet=1.100.0.5/32[icmp/]
>>     auto=route
>>
>> conn 1.100.0.5
>>     type=transport
>>     left=1.100.0.9
>>     leftcert=client_cert.pem
>>     leftsendcert=always
>>     rightcert=server_cert.pem
>>     right=1.100.0.5
>>     reauth=no
>>     dpdaction=restart
>>     auto=start
>>
>> *Server:*
>>
>> conn skip
>>     type=passthrough
>>     left=127.0.0.1
>>     leftsubnet=1.100.0.5/32[icmp/]
>>     leftcert=server_cert.pem
>>     leftsendcert=always
>>     rightcert=client_cert.pem
>>     right=127.0.0.1
>>     rightsubnet=1.100.0.9/32[icmp/]
>>     auto=route
>>
>> conn 1.100.0.9
>>     type=transport
>>     left=1.100.0.5
>>     leftcert=server_cert.pem
>>     leftsendcert=always
>>     rightcert=client_cert.pem
>>     right=1.100.0.9
>>     reauth=no
>>     dpdaction=restart
>>     auto=add
>>
>>
>> Thanks!
>>
>> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>>
>>> Try following
>>>
>>>     type=passthrough
>>>     left=127.0.0.1
>>>     leftsubnet=1.100.0.9/32[icmp/]
>>>     right=127.0.0.1
>>>     rightsubnet=1.100.0.5/32[icmp/]
>>>     auto=route
>>>
>>>
>>>
>>> ---- agarwa... at gmail.com wrote ----
>>>
>>>
>>> Reading another thread, I changed "right" of the "skip" connection on both
>>> client and server to "127.0.0.1", and that fixed up a few things:
>>> 1) The IPsec installed is of type transport (as desired)
>>> 2) I do see shunted policies list ICMP PASS
>>>
>>> *However, I still have my pings from client to server encrypted :(*
>>>
>>> *Client:*
>>> # ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic, x86_64):
>>>   uptime: 10 minutes, since May 23 12:02:46 2017
>>>   malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>>>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
>>> Listening IP addresses:
>>>   1.100.0.9
>>> Connections:
>>>         skip:  %any...127.0.0.1  IKEv2
>>>         skip:   local:  [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication
>>>         skip:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"
>>>         skip:   remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication
>>>         skip:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"
>>>         skip:   child:  0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>>    1.100.0.5:  1.100.0.9...1.100.0.5  IKEv2, dpddelay=60s
>>>    1.100.0.5:   local:  [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication
>>>    1.100.0.5:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"
>>>    1.100.0.5:   remote: [C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com] uses public key authentication
>>>    1.100.0.5:    cert:  "C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com"
>>>    1.100.0.5:   child:  dynamic === dynamic *TRANSPORT*, dpdaction=restart
>>> *Shunted Connections:*
>>> *        skip:  0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>>> Security Associations (1 up, 0 connecting):
>>>    1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US, ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>>    1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r, rekeying in 44 minutes
>>>    1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>    1.100.0.5{1}:  INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i c3f6a42e_o
>>>    1.100.0.5{1}:  AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts, 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
>>>    1.100.0.5{1}:   *1.100.0.9/32 === 1.100.0.5/32*
>>>
>>>
>>> *Client setkey -DP output:*
>>> 1.100.0.5[any] 1.100.0.9[any] 255
>>>         in prio high + 1073740029 ipsec
>>>         esp/transport//unique:1
>>>         created: May 23 12:18:12 2017  lastused: May 23 12:18:52 2017
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=2248 seq=1 pid=176401
>>>         refcnt=11
>>> 1.100.0.9[any] 1.100.0.5[any] 255
>>>         out prio high + 1073740029 ipsec
>>>         esp/transport//unique:1
>>>         created: May 23 12:18:12 2017  lastused: May 23 12:18:47 2017
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=2241 seq=2 pid=176401
>>>         refcnt=11
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>         fwd prio high + 1073739774 none
>>>         created: May 23 12:02:46 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=2130 seq=3 pid=176401
>>>         refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>         in prio high + 1073739774 none
>>>         created: May 23 12:02:46 2017  lastused: May 23 12:02:50 2017
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=2120 seq=4 pid=176401
>>>         refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>         out prio high + 1073739774 none
>>>         created: May 23 12:02:46 2017  lastused:
>>>         lifetime: 0(s) validtime: 0(s)
>>>         spid=2113 seq=5 pid=176401
>>>         refcnt=1
>>>
>>>
>>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com wrote:
>>>>
>>>> Hi Noel,
>>>> Many thanks for the pointer. It looks like I am missing something more, or
>>>> perhaps making a mistake.
>>>>
>>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>>
>>>> Goal: all non-ICMP traffic to be over the IPsec tunnel between these two
>>>> machines.
>>>>
>>>> strongSwan 5.1.2
>>>>
>>>> The client and server are using self-signed certificates and have each
>>>> other's certs in /etc/ipsec.d/certs/
>>>>
>>>> *Client ipsec.conf:*
>>>>
>>>> config setup
>>>>     charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, lib 0, enc 0, tnc 0"
>>>>     uniqueids=no
>>>>
>>>> conn %default
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     keyexchange=ikev2
>>>>     authby=rsasig
>>>>
>>>> conn skip
>>>>     type=passthrough
>>>>     left=1.100.0.9
>>>>     leftsubnet=0.0.0.0/0[icmp/]
>>>>     leftcert=client_cert.pem
>>>>     leftsendcert=always
>>>>     rightcert=server_cert.pem
>>>>     right=1.100.0.5
>>>>     rightsubnet=0.0.0.0/0[icmp/]
>>>>     auto=route
>>>>
>>>> conn 1.100.0.5
>>>>     type=transport
>>>>     left=1.100.0.9
>>>>     leftcert=client_cert.pem
>>>>     leftsendcert=always
>>>>     rightcert=server_cert.pem
>>>>     right=1.100.0.5
>>>>     reauth=no
>>>>     auto=start
>>>>
>>>> *Server ipsec.conf:*
>>>>
>>>> config setup
>>>>     charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls 1, lib 0, enc 0, tnc 0"
>>>>     uniqueids=no
>>>>
>>>> conn %default
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     keyexchange=ikev2
>>>>     authby=rsasig
>>>>
>>>> conn skip
>>>>     type=passthrough
>>>>     left=1.100.0.5
>>>>     leftsubnet=0.0.0.0/0[icmp/]
>>>>     leftcert=server_cert.pem
>>>>     leftsendcert=always
>>>>     rightcert=client_cert.pem
>>>>     right=1.100.0.9
>>>>     rightsubnet=0.0.0.0/0[icmp/]
>>>>     auto=route
>>>>
>>>> conn 1.100.0.9
>>>>     type=transport
>>>>     left=1.100.0.5
>>>>     leftcert=server_cert.pem
>>>>     leftsendcert=always
>>>>     rightcert=client_cert.pem
>>>>     right=1.100.0.9
>>>>     reauth=no
>>>>     auto=add
>>>>
>>>> =============
>>>> Output of setkey -DP on client:
>>>>
>>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v# ./sbin/nfv_cli dm_carl0 setkey -DP
>>>> 1.100.0.5 1.100.0.9 icmp
>>>>         fwd prio high + 1073740030 ipsec
>>>>         esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>         created: May 23 11:21:42 2017  lastused:
>>>>         lifetime: 0(s) validtime: 0(s)
>>>>         spid=1834 seq=1 pid=103981
>>>>         refcnt=1
>>>> 1.100.0.5 1.100.0.9 icmp
>>>>         in prio high + 1073740030 ipsec
>>>>         esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>         created: May 23 11:21:42 2017  lastused:
>>>>         lifetime: 0(s) validtime: 0(s)
>>>>         spid=1824 seq=2 pid=103981
>>>>         refcnt=1
>>>> 1.100.0.9 1.100.0.5 icmp
>>>>         out prio high + 1073740030 ipsec
>>>>         esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>>         created: May 23 11:21:42 2017  lastused:
>>>>         lifetime: 0(s) validtime: 0(s)
>>>>         spid=1817 seq=3 pid=103981
>>>>         refcnt=1
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>         fwd prio high + 1073739774 none
>>>>         created: May 23 11:21:31 2017  lastused:
>>>>         lifetime: 0(s) validtime: 0(s)
>>>>         spid=1698 seq=4 pid=103981
>>>>         refcnt=1
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>         in prio high + 1073739774 none
>>>>         created: May 23 11:21:31 2017  lastused: May 23 11:21:35 2017
>>>>         lifetime: 0(s) validtime: 0(s)
>>>>         spid=1688 seq=5 pid=103981
>>>>         refcnt=2
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>         out prio high + 1073739774 none
>>>>         created: May 23 11:21:31 2017  lastused:
>>>>         lifetime: 0(s) validtime: 0(s)
>>>>         spid=1681 seq=6 pid=103981
>>>>         refcnt=1
>>>>
>>>>
>>>> Questions:
>>>> 1) I'd like a transport-type IPsec session for all non-ICMP traffic
>>>> between client and server. As soon as I specify a "passthrough" policy, my
>>>> IPsec session changes to type "tunnel" in the output of ipsec status.
>>>> Clearly I am not specifying the passthrough policy correctly.
>>>>
>>>> 2) Do I need to specify left/right for my "skip" passthrough conn? If I
>>>> do NOT specify left and right for the skip connection, I see the IPsec
>>>> type remains transport (which is good and what I want), and I do see
>>>> shunted policies in "ipsec status", but I still see ping packets are
>>>> encrypted.
>>>>
>>>> Thank you for any help!
>>>> Piyush
>>>>
>>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>>
>>>>> Add a passthrough policy for the protocol.
>>>>>
>>>>> On 22 May 2017 19:09:03 MESZ, Piyush Agarwal <agarwa... at gmail.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>> Reading through left|rightsubnet, it seems like there is no way to
>>>>>> *exclude* a protocol from getting encrypted?
>>>>>>
>>>>>> I have a host-to-host tunnel and I want to encrypt everything between
>>>>>> these except ICMP, since I'd like to do out-of-tunnel ping/traceroute.
>>>>>>
>>>>>> Prior to using strongSwan, I was using racoon, where I could use setkey
>>>>>> to manually update the SPD to exclude ICMP alone.
>>>>>>
>>>>>> Please advise if there is any way to achieve this with strongSwan.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> Piyush Agarwal
>>>>>> Life can only be understood backwards; but it must be lived
>forwards.
>>>>>>
>>>>>
>>>>> --
>>>>> Sent from mobile
>>>>>
>>>>
>
>
>-- 
>Piyush Agarwal
>Life can only be understood backwards; but it must be lived forwards.

-- 
Sent from mobile
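The policy selection behind the symptoms in this thread, as an added example that is not part of the original messages and not strongSwan code. It models the kernel's XFRM lookup (lowest priority number wins) with a priority formula patterned on strongSwan's prefix-length scheme, runs the configurations from the thread through it, and adds the orientation check that the one-line answer above implies: a shunt's out-policy must carry the local address as its source, and its in/fwd policies as their destination. Assumptions: the priority constants (base 512, the +2/+1 flags) are mine, chosen so the computed values line up with the "prio high + N" offsets in the quoted setkey -DP output when those are read as 0x40000000 - N; the sample log lines are the three server lines quoted above, embedded as constructed input; the helper names (transport_spd, shunt_spd, misoriented) are hypothetical.

```python
"""Model of the XFRM policy lookup behind the symptoms in this thread.

Added example, not code from the thread or from strongSwan. It reproduces
the kernel's "lowest priority value wins" selection with a priority formula
modeled on strongSwan's prefix-length scheme, and checks whether shunt
(passthrough) policies are oriented toward the local address.
"""
import ipaddress
import re
from dataclasses import dataclass

ANY = 0   # protocol wildcard in a selector
ICMP = 1
CLIENT, SERVER = "1.100.0.9", "1.100.0.5"   # the two hosts in the thread


@dataclass(frozen=True)
class Policy:
    src: str          # CIDR selector, e.g. "1.100.0.9/32"
    dst: str
    direction: str    # "in", "out" or "fwd"
    action: str       # "ipsec" (protect) or "pass" (shunt)
    proto: int = ANY

    def priority(self) -> int:
        # Longer prefixes and a fixed protocol lower the number; lower wins.
        # Base 512, +2 for "no port selector", +1 for "any protocol" (assumed
        # constants, chosen to match the setkey -DP offsets in the thread).
        base = 512 - ipaddress.ip_network(self.src).prefixlen
        base -= ipaddress.ip_network(self.dst).prefixlen
        return (base << 2) + 2 + (0 if self.proto else 1)

    def matches(self, src, dst, proto, direction):
        return (self.direction == direction and self.proto in (ANY, proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


def lookup(spd, src, dst, proto, direction):
    """Action of the best-matching policy, or None. Plaintext that hits an
    "ipsec" in-policy is dropped by the kernel, not handed up the stack."""
    hits = [p for p in spd if p.matches(src, dst, proto, direction)]
    return min(hits, key=Policy.priority).action if hits else None


def transport_spd(local, peer):
    """Protect policies charon installs for a host-to-host transport-mode SA."""
    return [Policy(f"{local}/32", f"{peer}/32", "out", "ipsec"),
            Policy(f"{peer}/32", f"{local}/32", "in", "ipsec")]


def shunt_spd(us, other, proto=ICMP):
    """Shunt policies derived from leftsubnet=us / rightsubnet=other (CIDRs):
    'us' is the source of the out-policy and the destination of in/fwd."""
    return [Policy(us, other, "out", "pass", proto),
            Policy(other, us, "in", "pass", proto),
            Policy(other, us, "fwd", "pass", proto)]


def client_ping(shunt_us, shunt_other):
    """Fate of the client's outbound echo request for the given shunt selectors."""
    spd = transport_spd(CLIENT, SERVER) + shunt_spd(shunt_us, shunt_other)
    return lookup(spd, CLIENT, SERVER, ICMP, "out")


def server_view(shunt_us, shunt_other):
    """(inbound echo request, outbound echo) on the server for the given shunt."""
    spd = transport_spd(SERVER, CLIENT) + shunt_spd(shunt_us, shunt_other)
    return (lookup(spd, CLIENT, SERVER, ICMP, "in"),
            lookup(spd, SERVER, CLIENT, ICMP, "out"))


LOG_RE = re.compile(r"adding policy (\S+?)(?:\[\w+\])? === (\S+?)(?:\[\w+\])? (in|out|fwd)")


def misoriented(charon_log, local):
    """Policies from '[KNL] adding policy' lines that put `local` on the wrong
    side: an out-policy must have it as source, in/fwd as destination."""
    local_ip = ipaddress.ip_address(local)
    bad = []
    for m in (LOG_RE.search(line) for line in charon_log.splitlines()):
        if m:
            src, dst, direction = m.groups()
            ours = src if direction == "out" else dst
            if local_ip not in ipaddress.ip_network(ours):
                bad.append((src, dst, direction))
    return bad


# Constructed input: the three policy lines quoted from the server's log.
SERVER_LOG = """\
13[KNL] adding policy 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] out (mark 0/0x00000000)
13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] in (mark 0/0x00000000)
13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] fwd (mark 0/0x00000000)
"""

if __name__ == "__main__":
    # 0.0.0.0/0[icmp] shunt loses to the /32 transport policy: ping is encrypted
    print("wide shunt, client ping:", client_ping("0.0.0.0/0", "0.0.0.0/0"))
    print("/32 shunt, client ping:", client_ping(f"{CLIENT}/32", f"{SERVER}/32"))
    # Server with the logged (swapped) selectors: request dropped, echo encrypted
    print("server as logged:", server_view(f"{CLIENT}/32", f"{SERVER}/32"))
    print("server corrected:", server_view(f"{SERVER}/32", f"{CLIENT}/32"))
    print("misoriented on server:", misoriented(SERVER_LOG, SERVER))
```

Run as a script. With the selectors the server logged, its in-policy for 1.100.0.9 -> 1.100.0.5 is the protect policy, so the client's plaintext echo request is dropped, and its own echo goes out under the protect policy, which is the two-way failure described above; with the shunt's "us" side holding the server's own address both directions resolve to PASS. The wide 0.0.0.0/0[icmp] shunt from the first configuration loses to the more specific /32 protect policy on priority, which is why those pings stayed encrypted. On a live host the same orientation check can be fed charon's `[KNL] adding policy` lines.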