[strongSwan] [EDIT] Traffic selection problems

Brian Topping brian.topping at gmail.com
Thu Feb 28 09:54:09 CET 2019


> unless, you use an additional tunneling protocol like GRE.  So for
> transport mode you will have to use %dynamic (optional with
> protocol/port) as traffic selector.

Thanks Tobias. After spending the last couple of solid days on this, I'm a little closer to a solution. Reading parts of the IKEv2 RFC has helped, but not enough.

I am working to create a VTI PtP. The updown script I am using is in [1]. At one point, it was getting called on both sides, now it’s getting called on the initiator after the `CHILD_SA established`, but it does not happen on the responder at the same point.

One of the problems I have is that the TS negotiation is not using the 10.9.255.252/30 network for both sides, so a ping from the initiator to the responder's policy address does not get accepted by the `policy match dir in pol ipsec` netfilter rule, because no single address can both send the packet and have the response returned.

Are you able to see what I am missing here? At the end, I would like to have a `vti` device on both nodes where, as much as possible, the vti tunnel is completely configured with a Virtual IP from the responder.

Brian

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices

Common config
> config setup
>         charondebug="ike 4, knl 2, cfg 4, mgr 2"
> 
> conn %default
>         keyingtries=3
>         authby=secret
>         type=transport
>         ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
>         esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072

Initiator config
> conn net-net
>         mark=%unique
>         left=%defaultroute
>         leftfirewall=no
>         leftsubnet=0.0.0.0/0
>         leftupdown=/etc/strongswan.d/ipsec-vti.sh
>         leftsourceip=%config4
>         right=res.pon.der.ip
>         rightid=@example.com
>         rightsubnet=%dynamic
>         auto=add

Responder config
> conn net-net
>         mark=%unique
>         left=res.pon.der.ip
>         leftupdown=/etc/strongswan/ipsec-vti.sh
>         leftid=@example.com
>         leftfirewall=no
>         leftsourceip=10.9.255.1
>         leftsubnet=0.0.0.0/0
>         right=%any
>         rightsourceip=10.9.255.0/24
>         auto=add

Initiator xfrm
> root at initiator:~# ip x p
> src 10.9.255.1/32 dst res.pon.der.ip/32 
> 	dir out priority 367231 
> 	mark 0x1/0xffffffff
> 	tmpl src ini.tia.tor.ip dst res.pon.der.ip
> 		proto esp spi 0xc97a3d09 reqid 1 mode tunnel
> src res.pon.der.ip/32 dst 10.9.255.1/32 
> 	dir fwd priority 367231 
> 	mark 0x1/0xffffffff
> 	tmpl src res.pon.der.ip dst ini.tia.tor.ip
> 		proto esp reqid 1 mode tunnel
> src res.pon.der.ip/32 dst 10.9.255.1/32 
> 	dir in priority 367231 
> 	mark 0x1/0xffffffff
> 	tmpl src res.pon.der.ip dst ini.tia.tor.ip
> 		proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket in priority 0 
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket out priority 0 
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket in priority 0 
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket out priority 0 
> src ::/0 dst ::/0 
> 	socket in priority 0 
> src ::/0 dst ::/0 
> 	socket out priority 0 
> src ::/0 dst ::/0 
> 	socket in priority 0 
> src ::/0 dst ::/0 
> 	socket out priority 0 
> root at initiator:~# ip x s
> src ini.tia.tor.ip dst res.pon.der.ip
> 	proto esp spi 0xc97a3d09 reqid 1 mode tunnel
> 	replay-window 0 flag af-unspec
> 	mark 0x1/0xffffffff
> 	aead rfc4106(gcm(aes)) xxxx 128
> 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src res.pon.der.ip dst ini.tia.tor.ip
> 	proto esp spi 0xc2f50f38 reqid 1 mode tunnel
> 	replay-window 32 flag af-unspec
> 	aead rfc4106(gcm(aes)) yyyy 128
> 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> root at initiator:~# ip t l
> vti1: ip/ip remote 173.248.143.113 local 71.33.222.96 ttl inherit key 1
> ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
> root at initiator:~# ip a sh vti1
> 24: vti1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ipip ini.tia.tor.ip peer res.pon.der.ip
>     inet 10.9.255.1/32 scope global vti1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::200:5efe:4721:de60/64 scope link 
>        valid_lft forever preferred_lft forever

Responder xfrm
> [root at responder ~]# ip x p
> src res.pon.der.ip/32 dst 10.9.255.1/32 
> 	dir out priority 367231 ptype main 
> 	mark 0x1/0xffffffff
> 	tmpl src res.pon.der.ip dst ini.tia.tor.ip
> 		proto esp spi 0xc2f50f38 reqid 1 mode tunnel
> src 10.9.255.1/32 dst res.pon.der.ip/32 
> 	dir fwd priority 367231 ptype main 
> 	mark 0x1/0xffffffff
> 	tmpl src ini.tia.tor.ip dst res.pon.der.ip
> 		proto esp reqid 1 mode tunnel
> src 10.9.255.1/32 dst res.pon.der.ip/32 
> 	dir in priority 367231 ptype main 
> 	mark 0x1/0xffffffff
> 	tmpl src ini.tia.tor.ip dst res.pon.der.ip
> 		proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket in priority 0 ptype main 
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket out priority 0 ptype main 
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket in priority 0 ptype main 
> src 0.0.0.0/0 dst 0.0.0.0/0 
> 	socket out priority 0 ptype main 
> src ::/0 dst ::/0 
> 	socket in priority 0 ptype main 
> src ::/0 dst ::/0 
> 	socket out priority 0 ptype main 
> src ::/0 dst ::/0 
> 	socket in priority 0 ptype main 
> src ::/0 dst ::/0 
> 	socket out priority 0 ptype main 
> [root at responder ~]# ip x s
> src res.pon.der.ip dst ini.tia.tor.ip
> 	proto esp spi 0xc2f50f38 reqid 1 mode tunnel
> 	replay-window 0 flag af-unspec
> 	mark 0x1/0xffffffff
> 	aead rfc4106(gcm(aes)) yyyy 128
> 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src ini.tia.tor.ip dst res.pon.der.ip
> 	proto esp spi 0xc97a3d09 reqid 1 mode tunnel
> 	replay-window 32 flag af-unspec
> 	aead rfc4106(gcm(aes)) xxxx 128
> 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> [[NO TUNNEL CREATED]]

Initiator log
> ...
> 11[IKE] IKE_SA net-net[1] state change: CONNECTING => ESTABLISHED
> 11[IKE] scheduling reauthentication in 10166s
> 11[IKE] maximum IKE_SA lifetime 10706s
> 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
> 11[KNL] ini.tia.tor.ip is on interface pppoe-wan
> 11[IKE] installing new virtual IP 10.9.255.1
> 11[KNL] virtual IP 10.9.255.1 installed on pppoe-wan
> 11[CFG] selecting proposal:
> 11[CFG]   proposal matches
> 11[CFG] received proposals: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 11[CFG] configured proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128
> AC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 11[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 11[CFG] selecting traffic selectors for us:
> 11[CFG]  config: 0.0.0.0/0, received: 10.9.255.1/32 => match: 10.9.255.1/32
> 11[CFG] selecting traffic selectors for other:
> 11[CFG]  config: res.pon.der.ip/32, received: res.pon.der.ip/32 => match: res.pon.der.ip/32
> 11[KNL] adding SAD entry with SPI c2f50f38 and reqid {1}
> 11[KNL]   using encryption algorithm AES_GCM_16 with key size 224
> 11[KNL]   using replay window of 32 packets
> 11[KNL]   HW offload: no
> 11[KNL] adding SAD entry with SPI c97a3d09 and reqid {1} (mark 1/0xffffffff)
> 11[KNL]   using encryption algorithm AES_GCM_16 with key size 224
> 11[KNL]   using replay window of 0 packets
> 11[KNL]   HW offload: no
> 11[KNL] adding policy res.pon.der.ip/32 === 10.9.255.1/32 in (mark 1/0xffffffff) [priority 367231, refcount 1]
> 11[KNL] adding policy res.pon.der.ip/32 === 10.9.255.1/32 fwd (mark 1/0xffffffff) [priority 367231, refcount 1]
> 11[KNL] adding policy 10.9.255.1/32 === res.pon.der.ip/32 out (mark 1/0xffffffff) [priority 367231, refcount 1]
> 11[KNL] getting a local address in traffic selector 10.9.255.1/32
> 11[KNL] using host 10.9.255.1
> 11[KNL] getting iface name for index 21
> 11[KNL] using 207.225.112.2 as nexthop and pppoe-wan as dev to reach res.pon.der.ip/32
> 11[KNL] installing route: res.pon.der.ip/32 via 207.225.112.2 src 10.9.255.1 dev pppoe-wan
> 11[KNL] getting iface index for pppoe-wan
> 11[IKE] CHILD_SA net-net{1} established with SPIs c2f50f38_i c97a3d09_o and TS 10.9.255.1/32 === res.pon.der.ip/32
> : 11[IKE] CHILD_SA net-net{1} established with SPIs c2f50f38_i c97a3d09_o and TS 10.9.255.1/32 === res.pon.der.ip/32
> 11[KNL] ini.tia.tor.ip is on interface pppoe-wan
> 03[KNL] interface vti1 activated
> 08[KNL] fe80::200:5efe:4721:de60 appeared on vti1
> 12[KNL] 10.9.255.1 appeared on vti1
> 11[CHD] updown: net.ipv4.conf.vti1.disable_policy = 1
> 11[IKE] received AUTH_LIFETIME of 10009s, scheduling reauthentication in 9469s
> 11[IKE] peer supports MOBIKE
> 11[IKE] got additional MOBIKE peer address: 10.10.0.41
> 11[IKE] got additional MOBIKE peer address: 172.17.0.1
> 11[IKE] got additional MOBIKE peer address: fc00::10ca:1
> 11[IKE] activating new tasks
> 11[IKE] nothing to initiate
> 11[MGR] checkin IKE_SA net-net[1]
> 11[MGR] checkin of IKE_SA successful
> 07[KNL] getting iface index for pppoe-wan
> 04[KNL] creating roam job due to address/link change
> 04[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 04[MGR] IKE_SA net-net[1] successfully checked out
> 04[KNL] using ini.tia.tor.ip as address to reach res.pon.der.ip/32
> 04[IKE] keeping connection path ini.tia.tor.ip - res.pon.der.ip
> 04[IKE] sending address list update using MOBIKE
> 04[IKE] queueing IKE_MOBIKE task
> 04[IKE] activating new tasks
> 04[IKE]   activating IKE_MOBIKE task
> 04[KNL] using ini.tia.tor.ip as address to reach res.pon.der.ip/32
> 04[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 04[KNL] using ini.tia.tor.ip as address to reach res.pon.der.ip/32
> 04[NET] sending packet: from ini.tia.tor.ip[4500] to res.pon.der.ip[4500] (93 bytes)
> 04[MGR] checkin IKE_SA net-net[1]
> 04[MGR] checkin of IKE_SA successful
> 05[MGR] checkout IKEv2 SA by message with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 05[MGR] IKE_SA net-net[1] successfully checked out
> 05[NET] received packet: from res.pon.der.ip[4500] to ini.tia.tor.ip[4500] (57 bytes)
> 05[ENC] parsed INFORMATIONAL response 2 [ ]
> 05[IKE] activating new tasks
> 05[IKE] nothing to initiate
> 05[MGR] checkin IKE_SA net-net[1]
> 05[MGR] checkin of IKE_SA successful
> 06[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 0000000000000000_r
> 06[MGR] IKE_SA net-net[1] successfully checked out
> 06[MGR] checkin IKE_SA net-net[1]
> 06[MGR] checkin of IKE_SA successful
> 08[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 08[MGR] IKE_SA net-net[1] successfully checked out
> 08[MGR] checkin IKE_SA net-net[1]
> 08[MGR] checkin of IKE_SA successful
> 09[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 09[MGR] IKE_SA net-net[1] successfully checked out
> 09[MGR] checkin IKE_SA net-net[1]
> 09[MGR] checkin of IKE_SA successful

Responder log
> ...
> 06[IKE] IKE_SA net-net[1] state change: CONNECTING => ESTABLISHED
> 06[IKE] scheduling reauthentication in 10009s
> 06[IKE] maximum IKE_SA lifetime 10549s
> 06[IKE] peer requested virtual IP %any
> 06[CFG] assigning new lease to 'ini.tia.tor.ip'
> 06[IKE] assigning virtual IP 10.9.255.1 to peer 'ini.tia.tor.ip'
> 06[CFG] looking for a child config for res.pon.der.ip/32 === 0.0.0.0/0
> 06[CFG] proposing traffic selectors for us:
> 06[CFG]  res.pon.der.ip/32
> 06[CFG] proposing traffic selectors for other:
> 06[CFG]  10.9.255.1/32
> 06[CFG]   candidate "net-net" with prio 5+1
> 06[CFG] found matching child config "net-net" with prio 6
> 06[CFG] selecting proposal:
> 06[CFG]   proposal matches
> 06[CFG] received proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_2
> 06[CFG] configured proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256
> XCBC_96/NO_EXT_SEQ
> 06[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 06[KNL] got SPI c97a3d09
> 06[CFG] selecting traffic selectors for us:
> 06[CFG]  config: 0.0.0.0/0, received: res.pon.der.ip/32 => match: res.pon.der.ip/32
> 06[CFG] selecting traffic selectors for other:
> 06[CFG]  config: 10.9.255.1/32, received: 0.0.0.0/0 => match: 10.9.255.1/32
> 06[IKE] not using transport mode, not host-to-host
> 06[KNL] adding SAD entry with SPI c97a3d09 and reqid {1}
> 06[KNL]   using encryption algorithm AES_GCM_16 with key size 224
> 06[KNL]   using replay window of 32 packets
> 06[KNL]   HW offload: no
> 06[KNL] adding SAD entry with SPI c2f50f38 and reqid {1} (mark 1/0xffffffff)
> 06[KNL]   using encryption algorithm AES_GCM_16 with key size 224
> 06[KNL]   using replay window of 0 packets
> 06[KNL]   HW offload: no
> 06[KNL] adding policy 10.9.255.1/32 === res.pon.der.ip/32 in (mark 1/0xffffffff) [priority 367231, refcount 1]
> 06[KNL] adding policy 10.9.255.1/32 === res.pon.der.ip/32 fwd (mark 1/0xffffffff) [priority 367231, refcount 1]
> 06[KNL] adding policy res.pon.der.ip/32 === 10.9.255.1/32 out (mark 1/0xffffffff) [priority 367231, refcount 1]
> 06[KNL] getting a local address in traffic selector res.pon.der.ip/32
> 06[KNL] using host res.pon.der.ip
> 06[KNL] getting iface name for index 2
> 06[KNL] using gat.e.way.ip as nexthop and eno1 as dev to reach ini.tia.tor.ip/32
> 06[KNL] installing route: 10.9.255.1/32 via gat.e.way.ip src res.pon.der.ip dev eno1
> 06[KNL] getting iface index for eno1
> 06[IKE] CHILD_SA net-net{1} established with SPIs c97a3d09_i c2f50f38_o and TS res.pon.der.ip/32 === 10.9.255.1/32
> 06[IKE] CHILD_SA net-net{1} established with SPIs c97a3d09_i c2f50f38_o and TS res.pon.der.ip/32 === 10.9.255.1/32
> 06[KNL] res.pon.der.ip is on interface eno1
> 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 06[NET] sending packet: from res.pon.der.ip[4500] to ini.tia.tor.ip[4500] (297 bytes)
> 06[MGR] checkin IKE_SA net-net[1]
> 06[MGR] checkin of IKE_SA successful
> 08[MGR] checkout IKEv2 SA by message with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 08[MGR] IKE_SA net-net[1] successfully checked out
> 08[NET] received packet: from ini.tia.tor.ip[4500] to res.pon.der.ip[4500] (93 bytes)
> 08[ENC] parsed INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 08[IKE] got additional MOBIKE peer address: 192.168.10.1
> 08[IKE] got additional MOBIKE peer address: 10.10.4.1
> 08[IKE] got additional MOBIKE peer address: 10.9.255.1
> 08[ENC] generating INFORMATIONAL response 2 [ ]
> 08[NET] sending packet: from res.pon.der.ip[4500] to ini.tia.tor.ip[4500] (57 bytes)
> 08[MGR] checkin IKE_SA net-net[1]
> 08[MGR] checkin of IKE_SA successful
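The `config: ..., received: ... => match: ...` lines in both logs are IKEv2 traffic-selector narrowing: each side keeps the part of its configured TS that also lies inside what the peer proposed. The script below is an added example (not part of the post or of strongSwan) that re-derives those `match:` values from the log lines and then checks which flows the resulting `out` policy covers; `res.pon.der.ip` is replaced by the documentation address 203.0.113.1, a constructed placeholder.

```python
import re
from ipaddress import ip_network, ip_address

# TS lines copied from the post's charon logs; res.pon.der.ip is replaced by
# the documentation address 203.0.113.1 (constructed placeholder).
LOG_LINES = [
    "11[CFG]  config: 0.0.0.0/0, received: 10.9.255.1/32 => match: 10.9.255.1/32",
    "11[CFG]  config: 203.0.113.1/32, received: 203.0.113.1/32 => match: 203.0.113.1/32",
    "06[CFG]  config: 0.0.0.0/0, received: 203.0.113.1/32 => match: 203.0.113.1/32",
    "06[CFG]  config: 10.9.255.1/32, received: 0.0.0.0/0 => match: 10.9.255.1/32",
]
TS_RE = re.compile(r"config: (\S+), received: (\S+) => match: (\S+)")


def narrow_ts(configured, received):
    """IKEv2 TS narrowing (RFC 7296 section 2.9): the result must lie inside
    both the local config and the peer's proposal, so it is the smaller of
    two nested prefixes; disjoint prefixes give no selector at all."""
    cfg, rcv = ip_network(configured), ip_network(received)
    if cfg.subnet_of(rcv):
        return cfg
    if rcv.subnet_of(cfg):
        return rcv
    return None


def check_log(lines):
    """Re-derive every 'match:' value from its config/received pair.
    Returns (derived, logged, agrees) per TS line."""
    results = []
    for line in lines:
        m = TS_RE.search(line)
        if m:
            got = narrow_ts(m.group(1), m.group(2))
            results.append((str(got), m.group(3), str(got) == m.group(3)))
    return results


def flow_covered(ts_local, ts_remote, src, dst):
    """True if a packet src->dst lies inside the negotiated TS pair, i.e. the
    'dir out' xfrm policy shown in the post (local === remote) selects it."""
    return (ip_address(src) in ip_network(ts_local)
            and ip_address(dst) in ip_network(ts_remote))


if __name__ == "__main__":
    for got, logged, ok in check_log(LOG_LINES):
        print(f"derived {got:16} logged {logged:16} {'ok' if ok else 'MISMATCH'}")
    # Only the assigned virtual IP 10.9.255.1 is inside the TS; any other
    # address on the VTI, such as 10.9.255.253 from 10.9.255.252/30, has no policy.
    print(flow_covered("10.9.255.1/32", "203.0.113.1/32", "10.9.255.1", "203.0.113.1"))
    print(flow_covered("10.9.255.1/32", "203.0.113.1/32", "10.9.255.253", "203.0.113.1"))
```

Run against the post's own selectors, every derived value agrees with the logged `match:`; only the virtual IP /32 ends up in the policy, which is why a flow sourced from the 10.9.255.252/30 addresses never hits it.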
