[strongSwan] "Require" vs "use" levels in StrongSwan-generated policies
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 29 19:54:10 CET 2017
Hi,
That's not supported. You can maybe use connections.<conn>.children.<child>.policies to disable the installation of the policies
and manage them outside of charon. IIRC there also was some patch set from somebody that implemented exactly what you ask.
I can't find it right now, though.
Kind regards
Noel
On 23.11.2017 20:23, Rich Lafferty wrote:
> Hello,
>
> I currently have a racoon-based full IPsec mesh (i.e., all of our host-to-host traffic is encrypted using trap-based transport policies). Racoon is long in the tooth, and so I’m in the process of planning a migration to StrongSwan.
>
> One thing I foresee in the near future is a need to stop using IPsec between some pairs of hosts in the mesh (specifically, within AWS VPCs).
>
> In our current configuration, I manage the SPD database outside of Racoon, with policy entries like so:
>
> spdadd 192.168.100.101 192.168.100.102 any -P out ipsec esp/transport//require;
> spdadd 192.168.100.102 192.168.100.101 any -P in ipsec esp/transport//require;
>
> (Which get installed with refid 0, which from Racoon’s point of view is just fine, as it doesn’t manage policies by refid).
>
> If I wanted to migrate those hosts to no longer require IPsec, I would first update the policies one host at a time to be “esp/transport//use”, and subsequently I could remove the policies one host at a time.
>
> From what I’ve been able to figure, StrongSwan-installed trap policies are always at the “require” level, which would mean that migrating a pair of hosts to no longer use an IPsec transport would require updating the configuration of both hosts at the same time.
>
> So my question is: Is there a way to tell StrongSwan to generate its policies at “use” level rather than “require” level, so I can do this sort of staged deployment?
>
> I am using StrongSwan 5.5.1 as distributed by Ubuntu, with a swanctl.conf-based configuration. A sample connection entry, in case it’s of use:
>
> connections {
>     racoon-west {
>         version = 1
>         local { auth = psk }
>         remote { auth = psk }
>         proposals = aes128-sha256-modp3072
>         encap = yes
>
>         reauth_time = 24h
>         over_time = 0
>         rand_time = 0
>
>         local_addrs = 192.168.100.101
>         remote_addrs = 192.168.100.102
>
>         children {
>             racoon-west {
>                 mode = transport
>                 start_action = trap
>                 esp_proposals = aes128-sha256-modp3072
>                 rekey_time = 8h
>                 life_time = 7h
>                 rand_time = 0
>             }
>         }
>     }
> }
>
> Thanks in advance for your help.
>
> -Rich
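The staged migration Rich describes (every pair at "require", one peer at a time relaxed to "use", then dropped) only works if the SPD is generated outside charon, which is what Noel's suggestion of turning off policy installation with the `policies` child setting amounts to. The script below is an added example for this thread, not strongSwan code and not part of either poster's setup: it generates the per-host setkey(8) policy file from a peer list with one level per peer, and refuses to drop a peer until a saved `setkey -DP` dump shows both directions already at "use". The setkey syntax is the one quoted in the question; the addresses are the thread's; the layout of the `setkey -DP` dump that `spd_level` parses (header line, then indented attribute lines) is an assumption, and the sample dump is constructed rather than captured from a host.

```shell
#!/bin/sh
# Staged "require" -> "use" -> removed migration of a manually managed SPD.
# Added example for this mailing-list thread, not strongSwan code.

# spd_pair LOCAL PEER LEVEL: print the out/in transport-mode policy pair.
# Only the two levels used in the staged plan are accepted.
spd_pair() {
    local_addr=$1; peer=$2; level=$3
    case "$level" in
        require|use) ;;
        *) echo "spd_pair: level must be 'require' or 'use', got '$level'" >&2; return 1 ;;
    esac
    printf 'spdadd %s %s any -P out ipsec esp/transport//%s;\n' "$local_addr" "$peer" "$level"
    printf 'spdadd %s %s any -P in ipsec esp/transport//%s;\n' "$peer" "$local_addr" "$level"
}

# spd_mesh LOCAL PEERFILE: emit a complete setkey script for this host.
# PEERFILE lines are "<peer-addr> [level]"; '#' lines are comments. A missing
# level means "require", so the default is the strict one and only peers that
# are explicitly staged get relaxed.
spd_mesh() {
    local_addr=$1; peerfile=$2
    echo 'spdflush;'
    while read -r peer level _; do
        case "$peer" in ''|\#*) continue ;; esac
        spd_pair "$local_addr" "$peer" "${level:-require}" || return 1
    done < "$peerfile"
}

# spd_level SRC DST DUMPFILE: print the level of the SRC->DST transport policy
# found in a saved 'setkey -DP' dump (assumed layout: an unindented
# "src[any] dst[any] ..." header followed by indented attribute lines).
spd_level() {
    awk -v src="$1" -v dst="$2" '
        $1 == src "[any]" && $2 == dst "[any]" { want = 1; next }
        /^[^ \t]/ { want = 0 }
        want && $1 ~ /^esp\/transport\/\// { sub(/.*\/\//, "", $1); print $1; exit }
    ' "$3"
}

# spd_safe_to_drop LOCAL PEER DUMPFILE: succeed only when both directions are
# already at "use", i.e. removing the peer's policies cannot black-hole traffic.
spd_safe_to_drop() {
    [ "$(spd_level "$1" "$2" "$3")" = use ] && [ "$(spd_level "$2" "$1" "$3")" = use ]
}

# Constructed sample dump (not from a real host): peer .102 fully staged to
# "use", peer .103 still at "require" in the inbound direction. Real setkey
# output indents with tabs; the parser accepts tabs or spaces.
sample_spd_dump() {
    cat <<'EOF'
192.168.100.101[any] 192.168.100.102[any] 255
    out prio def ipsec
    esp/transport//use
    refcnt=1
192.168.100.102[any] 192.168.100.101[any] 255
    in prio def ipsec
    esp/transport//use
    refcnt=1
192.168.100.101[any] 192.168.100.103[any] 255
    out prio def ipsec
    esp/transport//use
    refcnt=1
192.168.100.103[any] 192.168.100.101[any] 255
    in prio def ipsec
    esp/transport//require
    refcnt=1
EOF
}

# Demo: stage .102 to "use", keep .103 at "require", then check drop safety.
demo() {
    peers=$(mktemp); dump=$(mktemp)
    printf '192.168.100.102 use\n192.168.100.103\n' > "$peers"
    spd_mesh 192.168.100.101 "$peers"
    sample_spd_dump > "$dump"
    spd_safe_to_drop 192.168.100.101 192.168.100.102 "$dump" && echo "# .102: safe to drop"
    spd_safe_to_drop 192.168.100.101 192.168.100.103 "$dump" || echo "# .103: not yet, still 'require' inbound"
    rm -f "$peers" "$dump"
}
demo
```

Feed the `spd_mesh` output to `setkey -f` on each host after changing that host's peer list; a peer's line is edited to `use` on both ends first, the dump check is run on both, and only then are its lines removed and the file re-applied.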