[strongSwan] Subnet selector question

Makarand Pradhan MakarandPradhan at is5com.com
Fri Jan 29 21:39:31 CET 2021


A quick update.

I installed the farp plugin and now the ARP is getting resolved. But packets are still not being pushed into the tunnel when I specify the icmp filter.

Please find below the logs:
sh-4.3# ipsec statusall m1
Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 11 minutes, since Jan 29 06:17:58 2021
  malloc: sbrk 2297856, mmap 0, used 307440, free 1990416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.61.2
  192.168.62.2
  172.16.31.2
  172.16.32.2
  10.10.9.1
Connections:
          m1:  172.16.31.2...172.16.31.1  IKEv2, dpddelay=60s
          m1:   local:  [172.16.31.2] uses pre-shared key authentication
          m1:   remote: [172.16.31.1] uses pre-shared key authentication
          m1:   child:  10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24 TUNNEL, dpdaction=clear
Routed Connections:
          m1{1}:  ROUTED, TUNNEL, reqid 1
          m1{1}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 11 minutes ago, 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
          m1[1]: IKEv2 SPIs: 766231c8253bf352_i* 6be8de67ab04169d_r, pre-shared key reauthentication in 46 minutes
          m1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
          m1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb85fce1_i c83b5361_o
          m1{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 107 minutes
          m1{3}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24

06:30:48.324650 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 318, length 64
06:30:49.364648 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 319, length 64
06:30:50.404673 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 320, length 64
06:30:51.444627 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 321, length 64

No ESP for src 10.10.9.32 to 192.168.9.31 ICMP.

ip xfrm seems to be OK:

src 10.10.9.0/24 dst 192.168.9.0/24 proto icmp
        dir out priority 375167 ptype main
        tmpl src 172.16.31.2 dst 172.16.31.1
                proto esp spi 0xc83b5361 reqid 1 mode tunnel


Scenario 2: Permit ssh traffic on port 22.
ipsec.conf:
        rightsubnet=192.168.9.0/24[/22],192.168.51.0/24
        leftsubnet=10.10.9.0/24,192.168.61.0/24

Also, I see the same problem. ARP is resolved but packets are not pushed into the tunnel.

06:39:21.636521 ARP, Request who-has 192.168.9.31 (Broadcast) tell 192.168.61.1, length 46
06:39:21.637023 ARP, Reply 192.168.9.31 is-at e8:e8:75:90:3f:80 (oui Unknown), length 28
06:39:21.639116 IP 10.10.9.32.50550 > 192.168.9.31.ssh: Flags [S], seq 3400545033, win 64240, options [mss 1460,sackOK,TS val 2883004940 ecr 0,nop,wscale 7], length 0
06:39:34.712713 LLDP, length 121: iS5com
06:39:34.908298 IP 172.16.31.1.isakmp > 172.16.31.2.isakmp: isakmp: parent_sa inf2

I was wondering whether the filtering functionality is broken.

I'm running 5.8.2. Will upgrading to 5.9.1 fix this?

Any opinions would be appreciated.

Thanks.
Makarand.

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: January 28, 2021 12:33 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Subnet selector question

GM Everyone,

I am trying to selectively push ICMP traffic into the tunnel. I am missing something and would appreciate any pointers.

Scenario:
(PC1 10.10.9.31/24) <---> 10.10.9.1 Router 172.16.31.1 <-Tunnel-> 172.16.31.2 Router 192.168.9.1 <---> (192.168.9.31 PC 2)

ipsec.conf: I'm permitting only ICMP in []
        rightsubnet=192.168.9.0/24[icmp],192.168.51.0/24
        leftsubnet=10.10.9.0/24[icmp],192.168.61.0/24

Issue: Ping fails.

Tunnel status:
sh-4.3# ipsec status
Routed Connections:
          m1{1}:  ROUTED, TUNNEL, reqid 1
          m1{1}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
          m1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7b29cc2_i ca9ed38c_o
          m1{2}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24

I notice that the ARP request is not answered.

When I do not specify icmp, everything works. I think strongSwan responds to the ARP. I don't see it with the icmp filter.

Thanks for looking.

Kind regards,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
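The two selector forms discussed in this thread, `subnet[icmp]` and `subnet[/22]`, decide which packets the kernel policy will cover. Below is an added example (not part of the post and not strongSwan code) that parses selector lists in that syntax and checks the captured ping and SSH SYN against them; it assumes that every local selector is paired with every remote one and that a port in the local selector constrains the source port while one in the remote selector constrains the destination port.

```python
import ipaddress

# Protocol names accepted in a selector; numeric protocol values are also allowed.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_selector(spec):
    """Parse one selector 'subnet[proto/port]' into (network, proto, port).

    proto and port are None when unconstrained: '[icmp]' fixes only the
    protocol, '[/22]' fixes only the port, '[tcp/22]' fixes both.
    """
    spec = spec.strip()
    proto = port = None
    if spec.endswith("]"):
        spec, _, filt = spec[:-1].partition("[")
        proto_s, _, port_s = filt.partition("/")
        if proto_s:
            proto = int(proto_s) if proto_s.isdigit() else PROTO_NAMES[proto_s.lower()]
        if port_s:
            port = int(port_s)
    return ipaddress.ip_network(spec, strict=False), proto, port


def selector_matches(spec, addr, proto, port):
    """True if addr/proto/port fall inside the selector; None in the selector means 'any'."""
    net, sel_proto, sel_port = parse_selector(spec)
    return (ipaddress.ip_address(addr) in net
            and (sel_proto is None or sel_proto == proto)
            and (sel_port is None or sel_port == port))


def find_policy(leftsubnet, rightsubnet, src, sport, dst, dport, proto):
    """Return the (left, right) selector pair an outbound packet hits, or None.

    Assumption (not from the post): each left selector is paired with each
    right selector, left ports match the source port, right ports the destination.
    """
    for left in leftsubnet.split(","):
        if not selector_matches(left, src, proto, sport):
            continue
        for right in rightsubnet.split(","):
            if selector_matches(right, dst, proto, dport):
                return left.strip(), right.strip()
    return None


# Constructed packet tuples (src, sport, dst, dport, proto) from the tcpdump lines above.
PING = ("10.10.9.32", None, "192.168.9.31", None, 1)   # ICMP echo request
SSH = ("10.10.9.32", 50550, "192.168.9.31", 22, 6)     # TCP SYN to port 22

if __name__ == "__main__":
    print(find_policy("10.10.9.0/24[icmp],192.168.61.0/24",
                      "192.168.9.0/24[icmp],192.168.51.0/24", *PING))
    print(find_policy("10.10.9.0/24,192.168.61.0/24",
                      "192.168.9.0/24[/22],192.168.51.0/24", *SSH))
```

Both captured packets resolve to a selector pair, so the selector syntax itself is not what excludes them; the next place to look is whether the kernel policy (`ip xfrm policy`) and state match what charon shows.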
