[strongSwan] Exclude protocol from IPsec
Noel Kuntze
noel at familie-kuntze.de
Wed May 24 01:20:50 CEST 2017
TS is oriented the wrong way.
Am 24. Mai 2017 00:12:17 MESZ schrieb Piyush Agarwal <agarwalpiyush at gmail.com>:
>I see this in server's log, is that a red flag? The local address on
>server
>1.100.0.5 (client is 1.100.0.9).
>
>13[CFG] received stroke: route 'skip'
>13[CFG] proposing traffic selectors for us:
>13[CFG] 1.100.0.9/32[icmp]
>13[CFG] proposing traffic selectors for other:
>13[CFG] 1.100.0.5/32[icmp]
>13[KNL] adding policy 1.100.0.9/32[icmp] === 1.100.0.5/32[icmp] out
>(mark
>0/0x00000000)
>13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] in
>(mark
>0/0x00000000)
>13[KNL] adding policy 1.100.0.5/32[icmp] === 1.100.0.9/32[icmp] fwd
>(mark
>0/0x00000000)
>13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
>*13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]
><http://1.100.0.9/32[icmp]>*
>
>
>On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
>
>> Hi,
>> Thanks for the suggestion. With the change you recommended, I do see
>some
>> progress. But here are the issues:
>>
>> 1) client -> server ping: I do see echo request is un-encrypted as
>seen by
>> tcpdump on server's interface. But tcpdump on the server's interface
>shows
>> no reply being generated (if I remove passthrough policy, the
>encrypted
>> replies work just fine). I saw threads about strongswan using route
>table
>> 220, but I don't see any output of "ip route show table 220". Why is
>> "auto=route" required? How is it messing with the server side's echo
>reply,
>> assuming that is the case? I tried with auto=start but that still had
>ICMP
>> packets encrypted.
>>
>> 2) server -> client ping: I see server's ping show up encrypted on
>the
>> client's interface. Client's interface tcpdump sees un-unencrypted
>echo
>> reply. But this reply is not seen on server's interface at all!!
>>
>> Does the order of IP addresses in output of "Shunted policies" have
>any
>> significance? I see server side is showing shunted connected as
>"client/32
>> == server/32" which is not what I expected.
>>
>> *Client output:*
>> *client$:ipsec status*
>> Shunted Connections:
>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>===
>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>> Security Associations (1 up, 0 connecting):
>> 1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US,
>ST=CA,
>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>> 1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
>> cfc50c8b_o
>> 1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
>>
>> *Server output:*
>> *server$:ipsec status*
>> Shunted Connections:
>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>===
>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>> Security Associations (1 up, 0 connecting):
>> 1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US,
>ST=CA,
>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>> 1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
>> c5067855_o
>> 1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
>>
>> Much appreciate any help. Racoon/setkey was very straightforward to
>get
>> this working :( Hopefully it is a mistake I am making/misconfiguring
>etc.
>>
>> Reprinting the ipsec.conf (after changes were done):
>> *Client:*
>>
>> conn skip
>> type=passthrough
>> left=127.0.0.1
>> leftsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>> leftcert=client_cert.pem
>> leftsendcert=always
>> rightcert=server_cert.pem
>> right=127.0.0.1
>> rightsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>> auto=route
>>
>> conn 1.100.0.5
>> type=transport
>> left=1.100.0.9
>> leftcert=client_cert.pem
>> leftsendcert=always
>> rightcert=server_cert.pem
>> right=1.100.0.5
>> reauth=no
>> dpdaction=restart
>> auto=start
>>
>> *Server:*
>>
>> conn skip
>> type=passthrough
>> left=127.0.0.1
>> leftsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>> leftcert=server_cert.pem
>> leftsendcert=always
>> rightcert=client_cert.pem
>> right=127.0.0.1
>> rightsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>> auto=route
>>
>> conn 1.100.0.9
>> type=transport
>> left=1.100.0.5
>> leftcert=server_cert.pem
>> leftsendcert=always
>> rightcert=client_cert.pem
>> right=1.100.0.9
>> reauth=no
>> dpdaction=restart
>> auto=add
>>
>>
>> Thanks!
>>
>> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>>
>>> Try following
>>>
>>> type=passthrough
>>> left=127.0.0.1
>>> leftsubnet=1.100.0.9/32[icmp/]
>>> right=127.0.0.1
>>> rightsubnet=1.100.0.5/32[icmp/]
>>> auto=route
>>>
>>>
>>>
>>> ---- agarwa... at gmail.com skrev ----
>>>
>>>
>>> Reading another thread, I changed "right" of "skip" connection on
>both
>>> client and server to be "127.0.0.1" and that fixed up a few things:
>>> 1) The IPsec installed is type transport (as desired)
>>> 2) I do see shunted policies list ICMP PASS
>>>
>>> *However, I still have my pings from client to server encrypted :(*
>>>
>>> *Client:*
>>> # ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux
>4.4.0-75-generic,
>>> x86_64):
>>> uptime: 10 minutes, since May 23 12:02:46 2017
>>> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
>0/0/0/0,
>>> scheduled: 3
>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
>rdrand
>>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12
>pem
>>> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>>> socket-default stroke updown eap-identity addrblock
>>> Listening IP addresses:
>>> 1.100.0.9
>>> Connections:
>>> skip: %any...127.0.0.1 IKEv2
>>> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>OU=AgentC,
>>> CN=test.com] uses public key authentication
>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>OU=AgentC,
>>> CN=test.com"
>>> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>OU=AgentC,
>>> CN=test.com] uses public key authentication
>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>OU=AgentC,
>>> CN=test.com"
>>> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
>>> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>> OU=AgentC, CN=test.com] uses public key authentication
>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>> OU=AgentC, CN=test.com"
>>> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>> OU=AgentC, CN=test.com] uses public key authentication
>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>> OU=AgentC, CN=test.com"
>>> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*,
>>> dpdaction=restart
>>> *Shunted Connections:*
>>> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>>> Security Associations (1 up, 0 connecting):
>>> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
>>> rekeying in 44 minutes
>>> 1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H
>>> MAC_SHA1/MODP_2048
>>> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i
>c3f6a42e_o
>>> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551
>pkts,
>>> 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
>>> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>>>
>>>
>>> *Client setkey -DP output:*
>>> 1.100.0.5[any] 1.100.0.9[any] 255
>>> in prio high + 1073740029 ipsec
>>> esp/transport//unique:1
>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:52
>2017
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=2248 seq=1 pid=176401
>>> refcnt=11
>>> 1.100.0.9[any] 1.100.0.5[any] 255
>>> out prio high + 1073740029 ipsec
>>> esp/transport//unique:1
>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:47
>2017
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=2241 seq=2 pid=176401
>>> refcnt=11
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>> fwd prio high + 1073739774 none
>>> created: May 23 12:02:46 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=2130 seq=3 pid=176401
>>> refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>> in prio high + 1073739774 none
>>> created: May 23 12:02:46 2017 lastused: May 23 12:02:50
>2017
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=2120 seq=4 pid=176401
>>> refcnt=1
>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>> out prio high + 1073739774 none
>>> created: May 23 12:02:46 2017 lastused:
>>> lifetime: 0(s) validtime: 0(s)
>>> spid=2113 seq=5 pid=176401
>>> refcnt=1
>>>
>>>
>>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com
>wrote:
>>>>
>>>> Hi Noel,
>>>> Many thanks for the pointer. Looks like I am missing something more
>or
>>>> perhaps making a mistake.
>>>>
>>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>>
>>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these
>two
>>>> machines.
>>>>
>>>> Strongswan 5.1.2
>>>>
>>>> The client and server are using self-signed certificates and have
>each
>>>> other's certs in /etc/ipsec.d/certs/
>>>>
>>>> *Client ipsec.conf <http://ipsec.conf>:*
>>>>
>>>> config setup
>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>tls
>>>> 1, lib 0, enc 0, tnc 0"
>>>> uniqueids=no
>>>>
>>>> conn %default
>>>> ikelifetime=60m
>>>> keylife=20m
>>>> rekeymargin=3m
>>>> keyingtries=1
>>>> keyexchange=ikev2
>>>> authby=rsasig
>>>>
>>>> conn skip
>>>> type=*passthrough*
>>>> left=1.100.0.9
>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>> leftcert=client_cert.pem
>>>> leftsendcert=always
>>>> rightcert=server_cert.pem
>>>> right=1.100.0.5
>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>> auto=route
>>>>
>>>> conn 1.100.0.5
>>>> type=*transport*
>>>> left=1.100.0.9
>>>> leftcert=client_cert.pem
>>>> leftsendcert=always
>>>> rightcert=server_cert.pem
>>>> right=1.100.0.5
>>>> reauth=no
>>>> auto=start
>>>>
>>>> *Server ipsec.conf <http://ipsec.conf>:*
>>>>
>>>> config setup
>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>tls
>>>> 1, lib 0, enc 0, tnc 0"
>>>> uniqueids=no
>>>>
>>>> conn %default
>>>> ikelifetime=60m
>>>> keylife=20m
>>>> rekeymargin=3m
>>>> keyingtries=1
>>>> keyexchange=ikev2
>>>> authby=rsasig
>>>>
>>>> conn skip
>>>> type=*passthrough*
>>>> left=1.100.0.5
>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>> leftcert=server_cert.pem
>>>> leftsendcert=always
>>>> rightcert=client_cert.pem
>>>> right=1.100.0.9
>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>> auto=route
>>>>
>>>> conn 1.100.0.9
>>>> type=*transport*
>>>> left=1.100.0.5
>>>> leftcert=server_cert.pem
>>>> leftsendcert=always
>>>> rightcert=client_cert.pem
>>>> right=1.100.0.9
>>>> reauth=no
>>>> auto=add
>>>>
>>>> =============
>>>> Output of setkey -DP on client:
>>>>
>root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>>> 1.100.0.5 1.100.0.9 icmp
>>>> fwd prio high + 1073740030 ipsec
>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>> created: May 23 11:21:42 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=1834 seq=1 pid=103981
>>>> refcnt=1
>>>> 1.100.0.5 1.100.0.9 icmp
>>>> in prio high + 1073740030 ipsec
>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>> created: May 23 11:21:42 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=1824 seq=2 pid=103981
>>>> refcnt=1
>>>> 1.100.0.9 1.100.0.5 icmp
>>>> out prio high + 1073740030 ipsec
>>>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>> created: May 23 11:21:42 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=1817 seq=3 pid=103981
>>>> refcnt=1
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>> fwd prio high + 1073739774 none
>>>> created: May 23 11:21:31 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=1698 seq=4 pid=103981
>>>> refcnt=1
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>> in prio high + 1073739774 none
>>>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35
>2017
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=1688 seq=5 pid=103981
>>>> refcnt=2
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>> out prio high + 1073739774 none
>>>> created: May 23 11:21:31 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=1681 seq=6 pid=103981
>>>> refcnt=1
>>>>
>>>>
>>>> Questions:
>>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>>> between client and server. As soon as I specify "passthrough"
>policy, my
>>>> IPsec session changes to type "tunnel" from output of ipsec status.
>Clearly
>>>> I am not specifying passthrough policy correctly.
>>>>
>>>> 1) Do I need to specify left/right for my "skip" passthrough conn?
>If I
>>>> do NOT specify left and right for skip connection, I see the IPsec
>type
>>>> remains transport (which is good and what I want), I do see shunted
>>>> policies in "ipsec status" but I still see ping packets are
>encrypted.
>>>>
>>>> Thank you for any help!
>>>> Piyush
>>>>
>>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>>
>>>>> Add a passthrough policy for the protocol.
>>>>>
>>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>>> agarwa... at gmail.com>:
>>>>>>
>>>>>> Hi,
>>>>>> Reading through the left|rightsubnet, it seems like there is no
>way to
>>>>>> *exclude* a protocol from getting encrypted?
>>>>>>
>>>>>> I have a host to host tunnel and I want to encrypt everything
>between
>>>>>> these except ICMP since I'd like to do out-of-tunnel
>ping/traceroute.
>>>>>>
>>>>>> Prior to using strongswan, I was using racoon where I could use
>setkey
>>>>>> to manually update the SPD to exclude icmp alone.
>>>>>>
>>>>>> Please advise if there is any way to achieve this with
>strongswan.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> Piyush Agarwal
>>>>>> Life can only be understood backwards; but it must be lived
>forwards.
>>>>>>
>>>>>
>>>>> --
>>>>> Sent from mobile
>>>>>
>>>>
>
>
>--
>Piyush Agarwal
>Life can only be understood backwards; but it must be lived forwards.
--
Sent from mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170524/87c00d07/attachment-0001.html>
More information about the Users
mailing list