[strongSwan] "Require" vs "use" levels in StrongSwan-generated policies
Rich Lafferty
rich at lafferty.ca
Thu Nov 23 20:23:02 CET 2017
Hello,
I currently have a racoon-based full IPsec mesh (i.e., all of our host-to-host traffic is encrypted using trap-based transport policies). Racoon is long in the tooth, and so I’m in the process of planning a migration to StrongSwan.
One thing I foresee in the near future is a need to stop using IPsec between some pairs of hosts in the mesh (specifically, within AWS VPCs).
In our current configuration, I manage the SPD database outside of Racoon, with policy entries like so:
spdadd 192.168.100.101 192.168.100.102 any -P out ipsec esp/transport//require;
spdadd 192.168.100.102 192.168.100.101 any -P in ipsec esp/transport//require;
(Which get installed with refid 0, which from Racoon’s point of view is just fine, as it doesn’t manage policies by refid).
If I wanted to migrate those hosts to no longer require IPsec, I would first update the policies one host at a time to be “esp/transport//use”, and subsequently I could remove the policies one host at a time.
From what I’ve been able to figure, StrongSwan-installed trap policies are always at the “require” level, which would mean that migrating a pair of hosts to no longer use an IPsec transport would require updating the configuration of both hosts at the same time.
So my question is: Is there a way to tell StrongSwan to generate its policies at “use” level rather than “require” level, so I can do this sort of staged deployment?
I am using StrongSwan 5.5.1 as distributed by Ubuntu, with a swanctl.conf-based configuration. A sample connection entry, in case it’s of use:
connections {
    racoon-west {
        version = 1
        local { auth = psk }
        remote { auth = psk }
        proposals = aes128-sha256-modp3072
        encap = yes
        reauth_time = 24h
        over_time = 0
        rand_time = 0
        local_addrs = 192.168.100.101
        remote_addrs = 192.168.100.102
        children {
            racoon-west {
                mode = transport
                start_action = trap
                esp_proposals = aes128-sha256-modp3072
                rekey_time = 8h
                life_time = 7h
                rand_time = 0
            }
        }
    }
}
Thanks in advance for your help.
-Rich
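The staged migration described in the post (require, then use, then remove) is only safe if the peer's own SPD no longer says "require" in either direction before this host drops its policy. The following is an added example, not code from the post or from strongSwan or racoon: it parses the policy levels out of `setkey -DP` output and answers that question for one peer. The sample output is constructed, and the `setkey -DP` line layout it assumes is the ipsec-tools one.

```python
import re

# Constructed sample of `setkey -DP` output (not from the original post).
# 101<->102 is mid-migration: its out policy was relaxed to "use" but the
# matching in policy still says "require"; 101<->103 is "use" both ways.
SAMPLE_SPD = """\
192.168.100.101[any] 192.168.100.102[any] any
\tout prio def ipsec
\tesp/transport//use
\tspid=1 seq=3 pid=1234
192.168.100.102[any] 192.168.100.101[any] any
\tin prio def ipsec
\tesp/transport//require
\tspid=2 seq=2 pid=1234
192.168.100.101[any] 192.168.100.103[any] any
\tout prio def ipsec
\tesp/transport//use
\tspid=3 seq=1 pid=1234
192.168.100.103[any] 192.168.100.101[any] any
\tin prio def ipsec
\tesp/transport//use
\tspid=4 seq=0 pid=1234
"""

HEADER = re.compile(r"^(\S+)\[[^\]]*\]\s+(\S+)\[[^\]]*\]\s+\S+$")
RULE = re.compile(r"^(?:esp|ah|ipcomp)/(?:transport|tunnel)/[^/]*/(default|use|require|unique)$")

def parse_spd(text):
    """Map (src, dst, direction) -> policy level from `setkey -DP` output."""
    policies, src, dst, direction = {}, None, None, None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:  # unindented selector line starts a new policy entry
            src, dst, direction = m.group(1), m.group(2), None
            continue
        line = raw.strip()
        if line.split(" ")[0] in ("in", "out", "fwd"):
            direction = line.split(" ")[0]
            continue
        m = RULE.match(line)
        if m and src and direction:
            policies[(src, dst, direction)] = m.group(1)
    return policies

def peer_can_drop_ipsec(policies, local, peer):
    """True when neither direction with `peer` still requires ESP here, so the
    peer may relax or remove its policy without its cleartext being dropped."""
    keys = [(local, peer, "out"), (peer, local, "in")]  # absent policy = no requirement
    return all(policies.get(k, "use") == "use" for k in keys)
```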