[strongSwan] Exclude protocol from IPsec
Piyush Agarwal
agarwalpiyush at gmail.com
Wed May 24 01:25:40 CEST 2017
Exactly, but nowhere in my config file do I find a mistake. How can I
correct the TS?
Again, my config "skip" for passthrough only specifies leftsubnet and
rightsubnet (and they are indeed correct):
Client's skip conn:
leftsubnet=1.100.0.9/32
rightsubnet=1.100.0.5/32
Server's skip conn:
leftsubnet=1.100.0.5/32
rightsubnet=1.100.0.9/32
Why is the server's TS wrong then? Is this a bug? Right now I am running
5.1.2 (but I also tried 5.3.5).
Thanks.
On Tue, May 23, 2017 at 4:20 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> TS is oriented the wrong way.
>
>
> Am 24. Mai 2017 00:12:17 MESZ schrieb Piyush Agarwal <
> agarwalpiyush at gmail.com>:
>>
>> I see this in server's log, is that a red flag? The local address on
>> server 1.100.0.5 (client is 1.100.0.9).
>>
>> 13[CFG] received stroke: route 'skip'
>> 13[CFG] proposing traffic selectors for us:
>> 13[CFG] 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>> 13[CFG] proposing traffic selectors for other:
>> 13[CFG] 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>> 13[KNL] adding policy 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>> === 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> out (mark
>> 0/0x00000000)
>> 13[KNL] adding policy 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>> === 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> in (mark
>> 0/0x00000000)
>> 13[KNL] adding policy 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>> === 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> fwd (mark
>> 0/0x00000000)
>> 13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
>> <http://1.100.0.9/32%5Bicmp%5D>
>> *13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]
>> <http://1.100.0.9/32%5Bicmp%5D>*
>>
>>
>> On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
>>
>>> Hi,
>>> Thanks for the suggestion. With the change you recommended, I do see
>>> some progress. But here are the issues:
>>>
>>> 1) client -> server ping: I do see echo request is un-encrypted as seen
>>> by tcpdump on server's interface. But tcpdump on the server's interface
>>> shows no reply being generated (if I remove passthrough policy, the
>>> encrypted replies work just fine). I saw threads about strongswan using
>>> route table 220, but I don't see any output of "ip route show table 220".
>>> Why is "auto=route" required? How is it messing with the server side's echo
>>> reply, assuming that is the case? I tried with auto=start but that still
>>> had ICMP packets encrypted.
>>>
>>> 2) server -> client ping: I see server's ping show up encrypted on the
>>> client's interface. Client's interface tcpdump sees un-unencrypted echo
>>> reply. But this reply is not seen on server's interface at all!!
>>>
>>> Does the order of IP addresses in output of "Shunted policies" have any
>>> significance? I see server side is showing shunted connected as "client/32
>>> == server/32" which is not what I expected.
>>>
>>> *Client output:*
>>> *client$:ipsec status*
>>> Shunted Connections:
>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
>>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>> Security Associations (1 up, 0 connecting):
>>> 1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US,
>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>> 1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
>>> cfc50c8b_o
>>> 1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
>>>
>>> *Server output:*
>>> *server$:ipsec status*
>>> Shunted Connections:
>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
>>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>> Security Associations (1 up, 0 connecting):
>>> 1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US,
>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>> 1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
>>> c5067855_o
>>> 1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
>>>
>>> Much appreciate any help. Racoon/setkey was very straightforward to get
>>> this working :( Hopefully it is a mistake I am making/misconfiguring etc.
>>>
>>> Reprinting the ipsec.conf (after changes were done):
>>> *Client:*
>>>
>>> conn skip
>>> type=passthrough
>>> left=127.0.0.1
>>> leftsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>> leftcert=client_cert.pem
>>> leftsendcert=always
>>> rightcert=server_cert.pem
>>> right=127.0.0.1
>>> rightsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>> auto=route
>>>
>>> conn 1.100.0.5
>>> type=transport
>>> left=1.100.0.9
>>> leftcert=client_cert.pem
>>> leftsendcert=always
>>> rightcert=server_cert.pem
>>> right=1.100.0.5
>>> reauth=no
>>> dpdaction=restart
>>> auto=start
>>>
>>> *Server:*
>>>
>>> conn skip
>>> type=passthrough
>>> left=127.0.0.1
>>> leftsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>> leftcert=server_cert.pem
>>> leftsendcert=always
>>> rightcert=client_cert.pem
>>> right=127.0.0.1
>>> rightsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>> auto=route
>>>
>>> conn 1.100.0.9
>>> type=transport
>>> left=1.100.0.5
>>> leftcert=server_cert.pem
>>> leftsendcert=always
>>> rightcert=client_cert.pem
>>> right=1.100.0.9
>>> reauth=no
>>> dpdaction=restart
>>> auto=add
>>>
>>>
>>> Thanks!
>>>
>>> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>>>
>>>> Try following
>>>>
>>>> type=passthrough
>>>> left=127.0.0.1
>>>> leftsubnet=1.100.0.9/32[icmp/]
>>>> right=127.0.0.1
>>>> rightsubnet=1.100.0.5/32[icmp/]
>>>> auto=route
>>>>
>>>>
>>>>
>>>> ---- agarwa... at gmail.com skrev ----
>>>>
>>>>
>>>> Reading another thread, I changed "right" of "skip" connection on both
>>>> client and server to be "127.0.0.1" and that fixed up a few things:
>>>> 1) The IPsec installed is type transport (as desired)
>>>> 2) I do see shunted policies list ICMP PASS
>>>>
>>>> *However, I still have my pings from client to server encrypted :(*
>>>>
>>>> *Client:*
>>>> # ipsec statusall
>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
>>>> x86_64):
>>>> uptime: 10 minutes, since May 23 12:02:46 2017
>>>> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>>> scheduled: 3
>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
>>>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>>>> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>>>> socket-default stroke updown eap-identity addrblock
>>>> Listening IP addresses:
>>>> 1.100.0.9
>>>> Connections:
>>>> skip: %any...127.0.0.1 IKEv2
>>>> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com"
>>>> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com"
>>>> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>>> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
>>>> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com"
>>>> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>> OU=AgentC, CN=test.com"
>>>> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*,
>>>> dpdaction=restart
>>>> *Shunted Connections:*
>>>> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>>>> Security Associations (1 up, 0 connecting):
>>>> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>>>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>>> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
>>>> rekeying in 44 minutes
>>>> 1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H
>>>> MAC_SHA1/MODP_2048
>>>> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i
>>>> c3f6a42e_o
>>>> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551 pkts,
>>>> 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5 minutes
>>>> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>>>>
>>>>
>>>> *Client setkey -DP output:*
>>>> 1.100.0.5[any] 1.100.0.9[any] 255
>>>> in prio high + 1073740029 ipsec
>>>> esp/transport//unique:1
>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=2248 seq=1 pid=176401
>>>> refcnt=11
>>>> 1.100.0.9[any] 1.100.0.5[any] 255
>>>> out prio high + 1073740029 ipsec
>>>> esp/transport//unique:1
>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=2241 seq=2 pid=176401
>>>> refcnt=11
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>> fwd prio high + 1073739774 none
>>>> created: May 23 12:02:46 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=2130 seq=3 pid=176401
>>>> refcnt=1
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>> in prio high + 1073739774 none
>>>> created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=2120 seq=4 pid=176401
>>>> refcnt=1
>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>> out prio high + 1073739774 none
>>>> created: May 23 12:02:46 2017 lastused:
>>>> lifetime: 0(s) validtime: 0(s)
>>>> spid=2113 seq=5 pid=176401
>>>> refcnt=1
>>>>
>>>>
>>>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com
>>>> wrote:
>>>>>
>>>>> Hi Noel,
>>>>> Many thanks for the pointer. Looks like I am missing something more or
>>>>> perhaps making a mistake.
>>>>>
>>>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>>>
>>>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
>>>>> machines.
>>>>>
>>>>> Strongswan 5.1.2
>>>>>
>>>>> The client and server are using self-signed certificates and have each
>>>>> other's certs in /etc/ipsec.d/certs/
>>>>>
>>>>> *Client ipsec.conf <http://ipsec.conf>:*
>>>>>
>>>>> config setup
>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls
>>>>> 1, lib 0, enc 0, tnc 0"
>>>>> uniqueids=no
>>>>>
>>>>> conn %default
>>>>> ikelifetime=60m
>>>>> keylife=20m
>>>>> rekeymargin=3m
>>>>> keyingtries=1
>>>>> keyexchange=ikev2
>>>>> authby=rsasig
>>>>>
>>>>> conn skip
>>>>> type=*passthrough*
>>>>> left=1.100.0.9
>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>> leftcert=client_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=server_cert.pem
>>>>> right=1.100.0.5
>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>> auto=route
>>>>>
>>>>> conn 1.100.0.5
>>>>> type=*transport*
>>>>> left=1.100.0.9
>>>>> leftcert=client_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=server_cert.pem
>>>>> right=1.100.0.5
>>>>> reauth=no
>>>>> auto=start
>>>>>
>>>>> *Server ipsec.conf <http://ipsec.conf>:*
>>>>>
>>>>> config setup
>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1, tls
>>>>> 1, lib 0, enc 0, tnc 0"
>>>>> uniqueids=no
>>>>>
>>>>> conn %default
>>>>> ikelifetime=60m
>>>>> keylife=20m
>>>>> rekeymargin=3m
>>>>> keyingtries=1
>>>>> keyexchange=ikev2
>>>>> authby=rsasig
>>>>>
>>>>> conn skip
>>>>> type=*passthrough*
>>>>> left=1.100.0.5
>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>> leftcert=server_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=client_cert.pem
>>>>> right=1.100.0.9
>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>> auto=route
>>>>>
>>>>> conn 1.100.0.9
>>>>> type=*transport*
>>>>> left=1.100.0.5
>>>>> leftcert=server_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=client_cert.pem
>>>>> right=1.100.0.9
>>>>> reauth=no
>>>>> auto=add
>>>>>
>>>>> =============
>>>>> Output of setkey -DP on client:
>>>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>> fwd prio high + 1073740030 ipsec
>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>> created: May 23 11:21:42 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=1834 seq=1 pid=103981
>>>>> refcnt=1
>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>> in prio high + 1073740030 ipsec
>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>> created: May 23 11:21:42 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=1824 seq=2 pid=103981
>>>>> refcnt=1
>>>>> 1.100.0.9 1.100.0.5 icmp
>>>>> out prio high + 1073740030 ipsec
>>>>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>>> created: May 23 11:21:42 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=1817 seq=3 pid=103981
>>>>> refcnt=1
>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>> fwd prio high + 1073739774 none
>>>>> created: May 23 11:21:31 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=1698 seq=4 pid=103981
>>>>> refcnt=1
>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>> in prio high + 1073739774 none
>>>>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35 2017
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=1688 seq=5 pid=103981
>>>>> refcnt=2
>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>> out prio high + 1073739774 none
>>>>> created: May 23 11:21:31 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=1681 seq=6 pid=103981
>>>>> refcnt=1
>>>>>
>>>>>
>>>>> Questions:
>>>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>>>> between client and server. As soon as I specify "passthrough" policy, my
>>>>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>>>>> I am not specifying passthrough policy correctly.
>>>>>
>>>>> 1) Do I need to specify left/right for my "skip" passthrough conn? If
>>>>> I do NOT specify left and right for skip connection, I see the IPsec type
>>>>> remains transport (which is good and what I want), I do see shunted
>>>>> policies in "ipsec status" but I still see ping packets are encrypted.
>>>>>
>>>>> Thank you for any help!
>>>>> Piyush
>>>>>
>>>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>>>
>>>>>> Add a passthrough policy for the protocol.
>>>>>>
>>>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>>>> agarwa... at gmail.com>:
>>>>>>>
>>>>>>> Hi,
>>>>>>> Reading through the left|rightsubnet, it seems like there is no way
>>>>>>> to *exclude* a protocol from getting encrypted?
>>>>>>>
>>>>>>> I have a host to host tunnel and I want to encrypt everything
>>>>>>> between these except ICMP since I'd like to do out-of-tunnel
>>>>>>> ping/traceroute.
>>>>>>>
>>>>>>> Prior to using strongswan, I was using racoon where I could use
>>>>>>> setkey to manually update the SPD to exclude icmp alone.
>>>>>>>
>>>>>>> Please advise if there is any way to achieve this with strongswan.
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> --
>>>>>>> Piyush Agarwal
>>>>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sent from mobile
>>>>>>
>>>>>
>>
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
>
> --
> Sent from mobile
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "strongswan-users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/strongswan-users/xLYdnbbn71U/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> strongswan-users+unsubscribe at googlegroups.com.
> To post to this group, send email to strongswan-users at googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/strongswan-users/02D99C08-5DEC-463B-AC3B-
> C58B570D9F5E%40familie-kuntze.de
> <https://groups.google.com/d/msgid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%40familie-kuntze.de?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/01c6593e/attachment-0001.html>
More information about the Users
mailing list