Hello,

Thanks for your support.

I tried what you suggested:

ipsec.conf:

conn "test PASS"
        leftsubnet=192.168.120.0/24
        rightsubnet=192.168.110.0/24
        auto=route
        type=passthrough
        authby=never

conn "test"
        leftsubnet=192.168.120.0/24
        type=tunnel
        auto=add
        rightsubnet=192.168.110.0/24
        keyexchange=ikev2
        mobike=no
        left=192.168.56.120
        right=192.168.56.110
        leftauth=pubkey
        rightauth=pubkey
        leftcert="..."
        rightid=%any
        esp=aes128-sha1-modp1024-noesn,aes128-md5-modp1024-noesn,blowfish128-sha1-modp1024-noesn,blowfish128-md5-modp1024-noesn,3des-sha1-modp1024-noesn,3des-md5-modp1024-noesn!
        ike=aes128-sha1-modp1024,blowfish128-sha1-modp1024,3des-sha1-modp1024!
        leftsendcert=yes
        rightsendcert=yes

In the SPD, I can see the shunted connections:

# setkey -DP
192.168.110.0/24[any] 192.168.120.0/24[any] 255
        in none
        created: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=60 seq=1 pid=3097
        refcnt=1
192.168.120.0/24[any] 192.168.110.0/24[any] 255
        out none
        created: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=59 seq=0 pid=3097
        refcnt=1

Ping from 192.168.120.120 to 192.168.110.110 -> not working


I open the connection from the other side:
ipsec statusall:
...
Connections:
   test PASS:  %any...%any  IKEv1/2
   test PASS:   local:  uses public key authentication
   test PASS:   remote: uses public key authentication
   test PASS:   child:  192.168.120.0/24 === 192.168.110.0/24 PASS
        test:  192.168.56.120...192.168.56.110  IKEv2
        test:   local:  [C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, [email protected]] uses public key authentication
        test:    cert:  "C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, [email protected]"
        test:   remote: uses public key authentication
        test:   child:  192.168.120.0/24 === 192.168.110.0/24 TUNNEL
Shunted Connections:
   test PASS:  192.168.120.0/24 === 192.168.110.0/24 PASS
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 3 seconds ago, 192.168.56.120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, [email protected]]...192.168.56.110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_110, [email protected]]
        test[1]: IKEv2 SPIs: c8617fe834425023_i 86616e2507eeaf29_r*, public key reauthentication in 88 minutes
        test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c57a4cd6_i cad79a5e_o
        test{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
        test{1}:   192.168.120.0/24 === 192.168.110.0/24


However, 'setkey -DP' does not show any new SP installed.
Ping from 192.168.120.120 to 192.168.110.110 -> still not working

In the logs:
Oct  5 15:51:02 08[IKE] <test|1> IKE_SA test[1] established between 192.168.56.120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, [email protected]]...192.168.56.110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_110, [email protected]]
Oct  5 15:51:02 08[IKE] <test|1> IKE_SA test[1] state change: CONNECTING => ESTABLISHED
Oct  5 15:51:02 08[SNS] <test|1> IKE SA established
Oct  5 15:51:02 08[IKE] <test|1> scheduling reauthentication in 5298s
Oct  5 15:51:02 08[IKE] <test|1> maximum IKE_SA lifetime 5898s
Oct  5 15:51:02 01[JOB] next event in 29s 969ms, waiting
Oct  5 15:51:02 08[IKE] <test|1> sending end entity cert "C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST_120, [email protected]"
Oct  5 15:51:02 08[ENC] <test|1> added payload of type CERTIFICATE to message
Oct  5 15:51:02 08[CFG] <test|1> looking for a child config for 192.168.120.0/24 === 192.168.110.0/24
Oct  5 15:51:02 08[CFG] <test|1> proposing traffic selectors for us:
Oct  5 15:51:02 08[CFG] <test|1>  192.168.120.0/24
Oct  5 15:51:02 08[CFG] <test|1> proposing traffic selectors for other:
Oct  5 15:51:02 08[CFG] <test|1>  192.168.110.0/24
Oct  5 15:51:02 08[CFG] <test|1>   candidate "test" with prio 5+5
Oct  5 15:51:02 08[CFG] <test|1> found matching child config "test" with prio 10
Oct  5 15:51:02 08[CFG] <test|1> selecting proposal:
Oct  5 15:51:02 08[CFG] <test|1>   proposal matches
Oct  5 15:51:02 08[CFG] <test|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Oct  5 15:51:02 08[CFG] <test|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:BLOWFISH_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ
Oct  5 15:51:02 08[CFG] <test|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct  5 15:51:02 08[KNL] <test|1> got SPI c57a4cd6
Oct  5 15:51:02 08[CFG] <test|1> selecting traffic selectors for us:
Oct  5 15:51:02 08[CFG] <test|1>  config: 192.168.120.0/24, received: 192.168.120.0/24 => match: 192.168.120.0/24
Oct  5 15:51:02 08[CFG] <test|1> selecting traffic selectors for other:
Oct  5 15:51:02 08[CFG] <test|1>  config: 192.168.110.0/24, received: 192.168.110.0/24 => match: 192.168.110.0/24
Oct  5 15:51:02 08[CHD] <test|1>   using AES_CBC for encryption
Oct  5 15:51:02 08[CHD] <test|1>   using HMAC_SHA1_96 for integrity
Oct  5 15:51:02 08[CHD] <test|1> adding inbound ESP SA
Oct  5 15:51:02 08[CHD] <test|1>   SPI 0xc57a4cd6, src 192.168.56.110 dst 192.168.56.120
Oct  5 15:51:02 08[KNL] <test|1> deleting SAD entry with SPI c57a4cd6
Oct  5 15:51:02 08[KNL] <test|1> deleted SAD entry with SPI c57a4cd6
Oct  5 15:51:02 08[KNL] <test|1> adding SAD entry with SPI c57a4cd6 and reqid {1}
Oct  5 15:51:02 08[KNL] <test|1>   using encryption algorithm AES_CBC with key size 128
Oct  5 15:51:02 08[KNL] <test|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct  5 15:51:02 16[JOB] watched FD 7 ready to read
Oct  5 15:51:02 08[CHD] <test|1> adding outbound ESP SA
Oct  5 15:51:02 08[CHD] <test|1>   SPI 0xcad79a5e, src 192.168.56.120 dst 192.168.56.110
Oct  5 15:51:02 16[JOB] watcher going to poll() 4 fds
Oct  5 15:51:02 08[KNL] <test|1> adding SAD entry with SPI cad79a5e and reqid {1}
Oct  5 15:51:02 16[JOB] watcher got notification, rebuilding
Oct  5 15:51:02 16[JOB] watcher going to poll() 5 fds
Oct  5 15:51:02 08[KNL] <test|1>   using encryption algorithm AES_CBC with key size 128
Oct  5 15:51:02 16[JOB] watched FD 7 ready to read
Oct  5 15:51:02 16[JOB] watcher going to poll() 4 fds
Oct  5 15:51:02 08[KNL] <test|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.120.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.110.0/24 === 192.168.120.0/24 in already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.120.0/24 === 192.168.110.0/24 out already exists, increasing refcount
Oct  5 15:51:02 08[KNL] <test|1> policy 192.168.110.0/24 === 192.168.120.0/24 in already exists, increasing refcount
Oct  5 15:51:02 08[IKE] <test|1> CHILD_SA test{1} established with SPIs c57a4cd6_i cad79a5e_o and TS 192.168.120.0/24 === 192.168.110.0/24
Oct  5 15:51:02 08[SNS] <test|1> IPSEC SA established

I see at least two problems:
- Why are the additional policies not installed in the kernel? Only the
  refcounts are updated?
- I'm not sure FreeBSD can handle SP priorities. We are using FreeBSD 9.3.


What do you think?

Emeric


----- Original Message -----
From: "Tobias Brunner" <[email protected]>
To: "Emeric POUPON" <[email protected]>, [email protected]
Sent: Monday, 5 October 2015 14:45:10
Subject: Re: [strongSwan-dev] patch proposal: ignore acquire

Hi Emeric,

> My proposal is to add an "ignore_acquire" parameter, set by per connection.
> If set, the acquire messages are just discarded.

My recommendation would be to install a drop policy for the same traffic
selector and to use auto=add for the actual connection.  In recent
releases drop policies are always installed with a lower priority than
IPsec policies or passthrough policies, so traffic will be blocked until
the IPsec connection is established (and again when it is torn down),
but not while it is established.

This should work fine with the kernel-pfkey plugin, however, the reqid
check in the kernel-netlink plugin currently prevents this from working
if the traffic selectors are exactly the same for the drop and IPsec
policy.  Since shunt policies have no reqid associated with them we
might make an exception for these, though.  I've updated the
policy-del-ext branch to support this.

Regards,
Tobias
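
The configuration Tobias recommends, written out as an added example (it is not from the thread and not the strongSwan project's own sample): a drop shunt with the same traffic selectors as the tunnel, routed at startup, next to the tunnel itself with auto=add. The addresses, the cert placeholder and rightid are carried over from Emeric's report; the proposal strings are the editor's choice, since the md5/3des/blowfish/modp1024 set in the report is legacy crypto and is not something the thread discusses. Whether the kernel-pfkey backend on FreeBSD 9.3 honours the policy priorities this relies on is exactly the open question above; the example does not settle it.

```conf
# Added example, not from the thread: Tobias' drop-shunt recommendation in ipsec.conf.
# The drop shunt covers the same selectors as the tunnel. strongSwan installs drop
# policies with lower priority than IPsec policies, so while "test" is down the
# traffic is discarded (no cleartext, no acquires), and while it is up the IPsec
# policy wins.
conn "test DROP"
        leftsubnet=192.168.120.0/24
        rightsubnet=192.168.110.0/24
        type=drop
        auto=route

conn "test"
        keyexchange=ikev2
        mobike=no
        left=192.168.56.120
        right=192.168.56.110
        leftsubnet=192.168.120.0/24
        rightsubnet=192.168.110.0/24
        leftauth=pubkey
        rightauth=pubkey
        leftcert="..."
        rightid=%any
        leftsendcert=yes
        rightsendcert=yes
        # editor's choice, not from the thread: one modern proposal instead of the
        # md5/3des/blowfish/modp1024 list in the report
        ike=aes128-sha256-modp2048!
        esp=aes128-sha256-modp2048!
        type=tunnel
        auto=add
```

After `ipsec update`, `ipsec statusall` should list "test DROP" under Shunted Connections and, once `ipsec up test` has run on either end, an INSTALLED CHILD_SA for "test" alongside it.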

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
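
As an added check that is not part of the thread, a small POSIX sh script that reads a `setkey -DP` dump and reports which action the SPD holds for a given selector and direction, so the "CHILD_SA established but no new SP" observation above can be tested by script on both gateways. Both sample dumps are constructed: the first is the passthrough output quoted in the report, the second is the shape an installed ESP tunnel policy takes in setkey's dump format, with the spid/seq values invented.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a `setkey -DP` SPD dump and report
# the action (none / discard / ipsec / absent) held for a src/dst selector and a
# direction. Assumes the FreeBSD setkey(8) dump format seen in the report: an
# unindented header "src[port] dst[port] ulproto" (255 = any upper-layer protocol)
# followed by indented lines, the first of which is "<dir> <action>".

# spd_action SRC DST DIR  (SPD dump on stdin) -> prints none|discard|ipsec|absent
# Only port-less selectors ("[any]") are matched, which is what subnet policies use.
spd_action() {
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        /^[^ \t]/ { cur_src = $1; cur_dst = $2; next }      # policy header line
        $1 == dir && cur_src == src "[any]" && cur_dst == dst "[any]" {
            print $2; found = 1; exit                        # e.g. "out ipsec" -> ipsec
        }
        END { if (!found) print "absent" }
    '
}

# spd_ready LOCAL_NET REMOTE_NET (SPD dump on stdin): succeeds only when both
# directions are covered by an "ipsec" policy; prints what was found either way.
spd_ready() {
    dump=$(cat)
    outbound=$(printf '%s\n' "$dump" | spd_action "$1" "$2" out)
    inbound=$(printf '%s\n' "$dump" | spd_action "$2" "$1" in)
    printf 'out=%s in=%s\n' "$outbound" "$inbound"
    [ "$outbound" = ipsec ] && [ "$inbound" = ipsec ]
}

# Constructed sample 1: the passthrough shunt from the report (action "none").
sample_spd_before() {
cat <<'EOF'
192.168.110.0/24[any] 192.168.120.0/24[any] 255
        in none
        created: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=60 seq=1 pid=3097
        refcnt=1
192.168.120.0/24[any] 192.168.110.0/24[any] 255
        out none
        created: Oct  5 15:46:17 2015  lastused: Oct  5 15:46:17 2015
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=59 seq=0 pid=3097
        refcnt=1
EOF
}

# Constructed sample 2: the shape an installed ESP tunnel policy takes in the same
# dump format (gateway addresses from the report; spid/seq values invented).
sample_spd_installed() {
cat <<'EOF'
192.168.110.0/24[any] 192.168.120.0/24[any] 255
        in ipsec
        esp/tunnel/192.168.56.110-192.168.56.120/require
        spid=62 seq=1 pid=3097
        refcnt=1
192.168.120.0/24[any] 192.168.110.0/24[any] 255
        out ipsec
        esp/tunnel/192.168.56.120-192.168.56.110/require
        spid=61 seq=0 pid=3097
        refcnt=1
EOF
}

# Stand-alone demo on the constructed samples; on a live gateway pipe
# `setkey -DP` into spd_ready instead.
if [ "${1:-}" = --demo ]; then
    sample_spd_before    | spd_ready 192.168.120.0/24 192.168.110.0/24 || echo "not yet protected"
    sample_spd_installed | spd_ready 192.168.120.0/24 192.168.110.0/24 && echo "protected"
fi
```

Run with `sh spdcheck.sh --demo` for the samples, or `setkey -DP | sh -c '. ./spdcheck.sh; spd_ready 192.168.120.0/24 192.168.110.0/24'` on the gateway. A result of `none` or `absent` while `ipsec statusall` shows an INSTALLED CHILD_SA is precisely the condition Emeric describes: the SA is in the SAD, but the SPD still holds only the shunt.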
