[strongSwan] Linux xfrm integration (was: Linux routing issue)

Carlos G Mendioroz tron at huapi.ba.ar
Mon Jan 31 13:00:42 CET 2022


Noel,
I'm starting to be a stone in the shoe it seems.
I've migrated the config to swanctl.
(There are some syntax details that did not seem apparent from reading 
the docs, like PSKs names having to start with ike, but in the end got 
it up and running.)

But now I'm kind of in the same place: I see traffic going out (from a 
test ping), coming back in encapsulated but it never gets decapsulated 
or assigned to my local if. XfrmInNoPols goes up, conn stats show ipsec 
(i.e. child) packets in and out.

I'm sort of in the same place I was before, but now I have if_id 
matching in the policy, state and interface.

Anything else I might be missing?
This is using ESP on UDP (Nat traversal) and the main if is ppp.
No marks in the mix now...

TIA,
-Carlos

Noel Kuntze @ 28/1/2022 16:58 -0300 dixit:
> Hello Carlos,
> 
> I propose you "swiftly" migrate your config to `swanctl`. Fully usable 
> examples with all bells and whistles are on the wiki[1].
> The mark on the state is used when looking up the state as an additional 
> selector, same with the mark on the inbound policies.
> Or "normal" mark fields on any policy or state. They're just used for 
> matching the mark on the skb, not assigning a mark to the skb.
> The latter can be configured in swanctl.conf only by using 
> `connections.<conn>.children.<child>.set_mark_in` and 
> `connections.<conn>.children.<child>.set_mark_out`.
> 
>> I am using an XFRM interface, but as soon as I clear the mark config 
>> from the ipsec.conf, havoc happens and my routing priorities do not 
>> work as intended. (In fact, I get disconnected from the system as I'm 
>> managing it from the local network). 
> 
> You need to bind the states to the interface using the if_id_in and 
> if_id_out keys in strongswan, or try to manipulate them by yourself 
> using `ip xfrm` (massive waste of time because they are 
> removed/updated/replaced when the tunnel gets renegotiated and 
> understanding how to use the tool takes way longer than just migrating 
> the config).
> 
> As long as the if_id fields on the XFRM state and policies are not set, 
> they disregard the existence of any XFRM interfaces.
> 
> 
> For the VTI, the configured tunnel endpoints on the VTI interface itself 
> also must match the ones on the inbound packets.
> The problem doesn't get easier with marks and VTIs, which are the only 
> interfaces you can use with `ipsec.conf`.
> 
> Kind regards
> Noel
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
> 
> 
> On 28.01.22 at 20:38, Carlos G Mendioroz wrote:
>>
>>
>> Noel Kuntze @ 28/1/2022 16:35 -0300 dixit:
>>>> So I removed the incoming marking (from mangle) and now instead of 
>>>> seeing an incrementing XfrmInTmplMismatch counter, I see an XfrmInNoPols
>>>> counter, but... state does show incrementing numbers on the 
>>>> lifetime counters of both direction SAs:
>>>
>>> Yeah, state can be used to decapsulate the packet but then the policy 
>>> check fails so naturally these counters increase.
>>
>> Why does policy fail? I have an any-any policy!
>> Oh well, I'm missing things here evidently.
>>
>>
> 

-- 
Carlos G Mendioroz  <tron at huapi.ba.ar>  LW7 EQI  Argentina
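Added example, not part of the thread or of strongSwan: a small checker for the condition Noel describes, that the if_id on every XFRM state and policy must point at an existing XFRM interface (an entry without if_id ignores XFRM interfaces entirely). It assumes the text formats of `ip -d link show type xfrm`, `ip xfrm state` and `ip xfrm policy` as printed by iproute2; the three sample outputs are constructed, not captured from a real host.

```python
# Added example (not from the thread): cross-check if_id binding between
# XFRM interface, states and policies. A decapsulating SA whose policy lookup
# then fails is exactly the XfrmInNoPols pattern discussed above.
# Output formats assumed to follow iproute2; sample outputs below are constructed.
import re

IF_ID_RE = re.compile(r"\bif_id\s+(0x[0-9a-fA-F]+|\d+)\b")

def parse_xfrm_records(output):
    """One dict per `ip xfrm state`/`ip xfrm policy` record. A record starts
    at an unindented 'src ... dst ...' line; 'if_id 0x..' is an indented
    attribute line inside it (None when the record carries no if_id)."""
    records = []
    for line in output.splitlines():
        if line.startswith("src "):
            records.append({"hdr": line.strip(), "if_id": None})
        elif records and (m := IF_ID_RE.search(line)):
            records[-1]["if_id"] = int(m.group(1), 0)
    return records

def parse_xfrm_links(output):
    """Map if_id -> interface name from `ip -d link show type xfrm`."""
    links, name = {}, None
    for line in output.splitlines():
        if m := re.match(r"\d+:\s+([^:@\s]+)", line):
            name = m.group(1)
        elif name and line.strip().startswith("xfrm ") and (m := IF_ID_RE.search(line)):
            links[int(m.group(1), 0)] = name
    return links

def check_if_id_binding(link_out, state_out, policy_out):
    """Return a list of findings; an empty list means every SA/policy is bound."""
    links = parse_xfrm_links(link_out)
    findings = []
    for kind, out in (("state", state_out), ("policy", policy_out)):
        for rec in parse_xfrm_records(out):
            if rec["if_id"] is None:
                findings.append(f"{kind} [{rec['hdr']}]: no if_id, ignores xfrm interfaces")
            elif rec["if_id"] not in links:
                findings.append(f"{kind} [{rec['hdr']}]: if_id {rec['if_id']:#x} has no interface")
    return findings

# Constructed sample: interface uses if_id 0x2a, the inbound SA still carries
# 0x2b, and the inbound policy was installed without any if_id.
LINKS = "7: ipsec0@NONE: <NOARP,UP,LOWER_UP> mtu 1400 state UNKNOWN\n    link/none\n    xfrm if_id 0x2a\n"
STATES = ("src 192.0.2.1 dst 198.51.100.7\n\tproto esp spi 0xc0000001 reqid 1 mode tunnel\n\tif_id 0x2a\n"
          "src 198.51.100.7 dst 192.0.2.1\n\tproto esp spi 0xc0000002 reqid 1 mode tunnel\n\tif_id 0x2b\n")
POLICIES = ("src 0.0.0.0/0 dst 0.0.0.0/0\n\tdir out priority 375423\n\ttmpl src 192.0.2.1 dst 198.51.100.7\n\tif_id 0x2a\n"
            "src 0.0.0.0/0 dst 0.0.0.0/0\n\tdir in priority 375423\n\ttmpl src 198.51.100.7 dst 192.0.2.1\n")

if __name__ == "__main__":
    for finding in check_if_id_binding(LINKS, STATES, POLICIES):
        print(finding)
```

On a live host, feed the checker the real command outputs; with swanctl the if_id is set per child via `if_id_in`/`if_id_out`, so a finding usually means a stale SA or a child without those keys.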
