[strongSwan] Exclude protocol from IPsec
agarwalpiyush at gmail.com
agarwalpiyush at gmail.com
Wed May 24 05:56:13 CEST 2017
Actually, can someone confirm if allow_swap=no will NOT work in 5.1.2? [It
certainly did not work for me, but I am trying to rule out a mistake on my
end]. If it is expected to work, are there any pointers as to what mistake
I could have made? The exact same configuration worked for 5.3.5 by the way.
The reason I'd like that confirmation is I'd prefer to stick with 5.1.2
(included in Ubuntu 14.04) as much as possible. But if allow_swap will not
work in 5.1.2, then to make my ping outside IPsec tunnel work, I'll have to
consider 5.3.5.
Thank you much.
Piyush
On Tuesday, May 23, 2017 at 5:59:44 PM UTC-7, Piyush Agarwal wrote:
>
> Turns out charon.plugins.stroke.allow_swap handling is missing (or there
> is a bug) in 5.1.2.
>
> I moved to 5.3.5 and I have unencrypted ping now working.
>
> Thanks.
>
> On Tue, May 23, 2017 at 5:02 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
> wrote:
>
>> After some googling, I tried two things:
>> 1) changed strongswan.conf to set allow_swap = no:
>>
>> charon {
>> install_routes = no
>> load_modular = yes
>> plugins {
>> stroke {
>> allow_swap = no
>> }
>> include strongswan.d/charon/*.conf
>> }
>>
>> filelog {
>> /var/run/charon.log {
>> default = 2
>> flush_line = yes
>> }
>> }
>> }
>>
>>
>> 2) added "allow_swap = no" in stroke.conf in /etc/strongswan.d/charon/
>>
>> But they did not help and I still see this log message in server's
>> charon.log (and not client's):
>>
>> *10[CFG] left is other host, swapping ends*
>>
>>
>> On Tue, May 23, 2017 at 4:25 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>>> Exactly, but nowhere in my config file do I find a mistake. How can I
>>> correct the TS?
>>>
>>> Again, my config "skip" for passthrough only specifies leftsubnet and
>>> rightsubnet (and they are indeed correct):
>>>
>>> Client's skip conn:
>>> leftsubnet=1.100.0.9/32
>>> rightsubnet=1.100.0.5/32
>>>
>>>
>>> Server's skip conn:
>>> leftsubnet=1.100.0.5/32
>>> rightsubnet=1.100.0.9/32
>>>
>>> Why is the server's TS wrong then? Is this a bug? Right now I am running
>>> 5.1.2 (but I also tried 5.3.5).
>>>
>>> Thanks.
>>>
>>> On Tue, May 23, 2017 at 4:20 PM, Noel Kuntze <noel at familie-kuntze.de>
>>> wrote:
>>>
>>>> TS is oriented the wrong way.
>>>>
>>>>
>>>> Am 24. Mai 2017 00:12:17 MESZ schrieb Piyush Agarwal <
>>>> agarwalpiyush at gmail.com>:
>>>>>
>>>>> I see this in server's log, is that a red flag? The local address on
>>>>> server 1.100.0.5 (client is 1.100.0.9).
>>>>>
>>>>> 13[CFG] received stroke: route 'skip'
>>>>> 13[CFG] proposing traffic selectors for us:
>>>>> 13[CFG] 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>>>>> 13[CFG] proposing traffic selectors for other:
>>>>> 13[CFG] 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>>>>> 13[KNL] adding policy 1.100.0.9/32[icmp]
>>>>> <http://1.100.0.9/32%5Bicmp%5D> === 1.100.0.5/32[icmp]
>>>>> <http://1.100.0.5/32%5Bicmp%5D> out (mark 0/0x00000000)
>>>>> 13[KNL] adding policy 1.100.0.5/32[icmp]
>>>>> <http://1.100.0.5/32%5Bicmp%5D> === 1.100.0.9/32[icmp]
>>>>> <http://1.100.0.9/32%5Bicmp%5D> in (mark 0/0x00000000)
>>>>> 13[KNL] adding policy 1.100.0.5/32[icmp]
>>>>> <http://1.100.0.5/32%5Bicmp%5D> === 1.100.0.9/32[icmp]
>>>>> <http://1.100.0.9/32%5Bicmp%5D> fwd (mark 0/0x00000000)
>>>>> 13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
>>>>> <http://1.100.0.9/32%5Bicmp%5D>
>>>>> *13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]
>>>>> <http://1.100.0.9/32%5Bicmp%5D>*
>>>>>
>>>>>
>>>>> On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>> Thanks for the suggestion. With the change you recommended, I do see
>>>>>> some progress. But here are the issues:
>>>>>>
>>>>>> 1) client -> server ping: I do see echo request is un-encrypted as
>>>>>> seen by tcpdump on server's interface. But tcpdump on the server's
>>>>>> interface shows no reply being generated (if I remove passthrough policy,
>>>>>> the encrypted replies work just fine). I saw threads about strongswan using
>>>>>> route table 220, but I don't see any output of "ip route show table 220".
>>>>>> Why is "auto=route" required? How is it messing with the server side's echo
>>>>>> reply, assuming that is the case? I tried with auto=start but that still
>>>>>> had ICMP packets encrypted.
>>>>>>
>>>>>> 2) server -> client ping: I see server's ping show up encrypted on
>>>>>> the client's interface. Client's interface tcpdump sees un-unencrypted echo
>>>>>> reply. But this reply is not seen on server's interface at all!!
>>>>>>
>>>>>> Does the order of IP addresses in output of "Shunted policies" have
>>>>>> any significance? I see server side is showing shunted connected as
>>>>>> "client/32 == server/32" which is not what I expected.
>>>>>>
>>>>>> *Client output:*
>>>>>> *client$:ipsec status*
>>>>>> Shunted Connections:
>>>>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>>>>>> === 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>>>>> Security Associations (1 up, 0 connecting):
>>>>>> 1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US,
>>>>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>>>>> 1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
>>>>>> cfc50c8b_o
>>>>>> 1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
>>>>>>
>>>>>> *Server output:*
>>>>>> *server$:ipsec status*
>>>>>> Shunted Connections:
>>>>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>>>>>> === 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>>>>> Security Associations (1 up, 0 connecting):
>>>>>> 1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
>>>>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US,
>>>>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>>>>> 1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
>>>>>> c5067855_o
>>>>>> 1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
>>>>>>
>>>>>> Much appreciate any help. Racoon/setkey was very straightforward to
>>>>>> get this working :( Hopefully it is a mistake I am making/misconfiguring
>>>>>> etc.
>>>>>>
>>>>>> Reprinting the ipsec.conf (after changes were done):
>>>>>> *Client:*
>>>>>>
>>>>>> conn skip
>>>>>> type=passthrough
>>>>>> left=127.0.0.1
>>>>>> leftsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>>>>> leftcert=client_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=server_cert.pem
>>>>>> right=127.0.0.1
>>>>>> rightsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>>>>> auto=route
>>>>>>
>>>>>> conn 1.100.0.5
>>>>>> type=transport
>>>>>> left=1.100.0.9
>>>>>> leftcert=client_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=server_cert.pem
>>>>>> right=1.100.0.5
>>>>>> reauth=no
>>>>>> dpdaction=restart
>>>>>> auto=start
>>>>>>
>>>>>> *Server:*
>>>>>>
>>>>>> conn skip
>>>>>> type=passthrough
>>>>>> left=127.0.0.1
>>>>>> leftsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>>>>> leftcert=server_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=client_cert.pem
>>>>>> right=127.0.0.1
>>>>>> rightsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>>>>> auto=route
>>>>>>
>>>>>> conn 1.100.0.9
>>>>>> type=transport
>>>>>> left=1.100.0.5
>>>>>> leftcert=server_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=client_cert.pem
>>>>>> right=1.100.0.9
>>>>>> reauth=no
>>>>>> dpdaction=restart
>>>>>> auto=add
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>>>>>>
>>>>>>> Try following
>>>>>>>
>>>>>>> type=passthrough
>>>>>>> left=127.0.0.1
>>>>>>> leftsubnet=1.100.0.9/32[icmp/]
>>>>>>> right=127.0.0.1
>>>>>>> rightsubnet=1.100.0.5/32[icmp/]
>>>>>>> auto=route
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ---- agarwa... at gmail.com skrev ----
>>>>>>>
>>>>>>>
>>>>>>> Reading another thread, I changed "right" of "skip" connection on
>>>>>>> both client and server to be "127.0.0.1" and that fixed up a few
>>>>>>> things:
>>>>>>> 1) The IPsec installed is type transport (as desired)
>>>>>>> 2) I do see shunted policies list ICMP PASS
>>>>>>>
>>>>>>> *However, I still have my pings from client to server encrypted :(*
>>>>>>>
>>>>>>> *Client:*
>>>>>>> # ipsec statusall
>>>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
>>>>>>> x86_64):
>>>>>>> uptime: 10 minutes, since May 23 12:02:46 2017
>>>>>>> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
>>>>>>> 0/0/0/0, scheduled: 3
>>>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
>>>>>>> rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12
>>>>>>> pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>>>>>>> socket-default stroke updown eap-identity addrblock
>>>>>>> Listening IP addresses:
>>>>>>> 1.100.0.9
>>>>>>> Connections:
>>>>>>> skip: %any...127.0.0.1 IKEv2
>>>>>>> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com"
>>>>>>> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com"
>>>>>>> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>>>>>> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
>>>>>>> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com"
>>>>>>> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>>> OU=AgentC, CN=test.com"
>>>>>>> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*,
>>>>>>> dpdaction=restart
>>>>>>> *Shunted Connections:*
>>>>>>> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>>>>>>> Security Associations (1 up, 0 connecting):
>>>>>>> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>>>>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>>>>>>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>>>>>> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i*
>>>>>>> 79bb5ad924d8d919_r, rekeying in 44 minutes
>>>>>>> 1.100.0.5[1]: IKE proposal:
>>>>>>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>>>>> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i
>>>>>>> c3f6a42e_o
>>>>>>> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551
>>>>>>> pkts, 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5
>>>>>>> minutes
>>>>>>> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>>>>>>>
>>>>>>>
>>>>>>> *Client setkey -DP output:*
>>>>>>> 1.100.0.5[any] 1.100.0.9[any] 255
>>>>>>> in prio high + 1073740029 ipsec
>>>>>>> esp/transport//unique:1
>>>>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:52
>>>>>>> 2017
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=2248 seq=1 pid=176401
>>>>>>> refcnt=11
>>>>>>> 1.100.0.9[any] 1.100.0.5[any] 255
>>>>>>> out prio high + 1073740029 ipsec
>>>>>>> esp/transport//unique:1
>>>>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:47
>>>>>>> 2017
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=2241 seq=2 pid=176401
>>>>>>> refcnt=11
>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>> fwd prio high + 1073739774 none
>>>>>>> created: May 23 12:02:46 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=2130 seq=3 pid=176401
>>>>>>> refcnt=1
>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>> in prio high + 1073739774 none
>>>>>>> created: May 23 12:02:46 2017 lastused: May 23 12:02:50
>>>>>>> 2017
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=2120 seq=4 pid=176401
>>>>>>> refcnt=1
>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>> out prio high + 1073739774 none
>>>>>>> created: May 23 12:02:46 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=2113 seq=5 pid=176401
>>>>>>> refcnt=1
>>>>>>>
>>>>>>>
>>>>>>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Noel,
>>>>>>>> Many thanks for the pointer. Looks like I am missing something more
>>>>>>>> or perhaps making a mistake.
>>>>>>>>
>>>>>>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>>>>>>
>>>>>>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these
>>>>>>>> two machines.
>>>>>>>>
>>>>>>>> Strongswan 5.1.2
>>>>>>>>
>>>>>>>> The client and server are using self-signed certificates and have
>>>>>>>> each other's certs in /etc/ipsec.d/certs/
>>>>>>>>
>>>>>>>> *Client ipsec.conf <http://ipsec.conf>:*
>>>>>>>>
>>>>>>>> config setup
>>>>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>>>>>>>> tls 1, lib 0, enc 0, tnc 0"
>>>>>>>> uniqueids=no
>>>>>>>>
>>>>>>>> conn %default
>>>>>>>> ikelifetime=60m
>>>>>>>> keylife=20m
>>>>>>>> rekeymargin=3m
>>>>>>>> keyingtries=1
>>>>>>>> keyexchange=ikev2
>>>>>>>> authby=rsasig
>>>>>>>>
>>>>>>>> conn skip
>>>>>>>> type=*passthrough*
>>>>>>>> left=1.100.0.9
>>>>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>>> leftcert=client_cert.pem
>>>>>>>> leftsendcert=always
>>>>>>>> rightcert=server_cert.pem
>>>>>>>> right=1.100.0.5
>>>>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>>> auto=route
>>>>>>>>
>>>>>>>> conn 1.100.0.5
>>>>>>>> type=*transport*
>>>>>>>> left=1.100.0.9
>>>>>>>> leftcert=client_cert.pem
>>>>>>>> leftsendcert=always
>>>>>>>> rightcert=server_cert.pem
>>>>>>>> right=1.100.0.5
>>>>>>>> reauth=no
>>>>>>>> auto=start
>>>>>>>>
>>>>>>>> *Server ipsec.conf <http://ipsec.conf>:*
>>>>>>>>
>>>>>>>> config setup
>>>>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>>>>>>>> tls 1, lib 0, enc 0, tnc 0"
>>>>>>>> uniqueids=no
>>>>>>>>
>>>>>>>> conn %default
>>>>>>>> ikelifetime=60m
>>>>>>>> keylife=20m
>>>>>>>> rekeymargin=3m
>>>>>>>> keyingtries=1
>>>>>>>> keyexchange=ikev2
>>>>>>>> authby=rsasig
>>>>>>>>
>>>>>>>> conn skip
>>>>>>>> type=*passthrough*
>>>>>>>> left=1.100.0.5
>>>>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>>> leftcert=server_cert.pem
>>>>>>>> leftsendcert=always
>>>>>>>> rightcert=client_cert.pem
>>>>>>>> right=1.100.0.9
>>>>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>>> auto=route
>>>>>>>>
>>>>>>>> conn 1.100.0.9
>>>>>>>> type=*transport*
>>>>>>>> left=1.100.0.5
>>>>>>>> leftcert=server_cert.pem
>>>>>>>> leftsendcert=always
>>>>>>>> rightcert=client_cert.pem
>>>>>>>> right=1.100.0.9
>>>>>>>> reauth=no
>>>>>>>> auto=add
>>>>>>>>
>>>>>>>> =============
>>>>>>>> Output of setkey -DP on client:
>>>>>>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>>>>>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>>>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>>>>> fwd prio high + 1073740030 ipsec
>>>>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>>>>
>>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>>> spid=1834 seq=1 pid=103981
>>>>>>>> refcnt=1
>>>>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>>>>> in prio high + 1073740030 ipsec
>>>>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>>>>
>>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>>> spid=1824 seq=2 pid=103981
>>>>>>>> refcnt=1
>>>>>>>> 1.100.0.9 1.100.0.5 icmp
>>>>>>>> out prio high + 1073740030 ipsec
>>>>>>>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>>>>
>>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>>> spid=1817 seq=3 pid=103981
>>>>>>>> refcnt=1
>>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>>> fwd prio high + 1073739774 none
>>>>>>>> created: May 23 11:21:31 2017 lastused:
>>>>>>>>
>>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>>> spid=1698 seq=4 pid=103981
>>>>>>>> refcnt=1
>>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>>> in prio high + 1073739774 none
>>>>>>>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35
>>>>>>>> 2017
>>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>>> spid=1688 seq=5 pid=103981
>>>>>>>> refcnt=2
>>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>>> out prio high + 1073739774 none
>>>>>>>> created: May 23 11:21:31 2017 lastused:
>>>>>>>>
>>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>>> spid=1681 seq=6 pid=103981
>>>>>>>> refcnt=1
>>>>>>>>
>>>>>>>>
>>>>>>>> Questions:
>>>>>>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>>>>>>> between client and server. As soon as I specify "passthrough" policy, my
>>>>>>>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>>>>>>>> I am not specifying passthrough policy correctly.
>>>>>>>>
>>>>>>>> 1) Do I need to specify left/right for my "skip" passthrough conn?
>>>>>>>> If I do NOT specify left and right for skip connection, I see the IPsec
>>>>>>>> type remains transport (which is good and what I want), I do see shunted
>>>>>>>> policies in "ipsec status" but I still see ping packets are encrypted.
>>>>>>>>
>>>>>>>> Thank you for any help!
>>>>>>>> Piyush
>>>>>>>>
>>>>>>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>>>>>>
>>>>>>>>> Add a passthrough policy for the protocol.
>>>>>>>>>
>>>>>>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>>>>>>> agarwa... at gmail.com>:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> Reading through the left|rightsubnet, it seems like there is no
>>>>>>>>>> way to *exclude* a protocol from getting encrypted?
>>>>>>>>>>
>>>>>>>>>> I have a host to host tunnel and I want to encrypt everything
>>>>>>>>>> between these except ICMP since I'd like to do out-of-tunnel
>>>>>>>>>> ping/traceroute.
>>>>>>>>>>
>>>>>>>>>> Prior to using strongswan, I was using racoon where I could use
>>>>>>>>>> setkey to manually update the SPD to exclude icmp alone.
>>>>>>>>>>
>>>>>>>>>> Please advise if there is any way to achieve this with strongswan.
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Piyush Agarwal
>>>>>>>>>> Life can only be understood backwards; but it must be lived
>>>>>>>>>> forwards.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sent from mobile
>>>>>>>>>
>>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Piyush Agarwal
>>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>>
>>>>
>>>> --
>>>> Sent from mobile
>>>>
>>>> --
>>>> You received this message because you are subscribed to a topic in the
>>>> Google Groups "strongswan-users" group.
>>>> To unsubscribe from this topic, visit
>>>> https://groups.google.com/d/topic/strongswan-users/xLYdnbbn71U/unsubscribe
>>>> .
>>>> To unsubscribe from this group and all its topics, send an email to
>>>> strongswan-users+unsubscribe at googlegroups.com.
>>>> To post to this group, send email to strongswan-users at googlegroups.com.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%40familie-kuntze.de
>>>> <https://groups.google.com/d/msgid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%40familie-kuntze.de?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>
>>>
>>> --
>>> Piyush Agarwal
>>> Life can only be understood backwards; but it must be lived forwards.
>>>
>>
>>
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
>
>
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/07e6366d/attachment-0001.html>
More information about the Users
mailing list