Re: [strongSwan] second connection from the same machine fails
Thanks Tobias, I changed the marking for the connections to be unique and also added mark_in. Now I see that the ssh issue is also resolved, but I need to get the return traffic routed to the vti interface based on the marking.

Regards,
Naveen

On Fri, Mar 2, 2018 at 12:54 AM, Tobias Brunner wrote:
> Hi Naveen,
>
> > 1) The second connection with the below configuration fails .
>
> The log message tells you why. The policies of the two connections
> conflict. While you don't get that error message with newer strongSwan
> releases (>= 5.3.0) it would not work properly as you'd still have two
> connections using the same policies.
>
> > mark_out=32
>
> Why did you only set mark_out? As you can see in the log this causes
> conflicts for the in/fwd policies:
>
> > unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the
> > same policy for reqid 1 exists
> > unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the
> > same policy for reqid 1 exists
>
> > 2) I intend to use marking as selector using VTI interface , i see that
> > the packet gets encrypted and leave the machine, however my intention is
> > identify return traffic after decryption to be marked with the same
> > marking, so that i can route based on the marked packet to a specific
> > interface, but i see that the inbound SA does not have the mark and the
> > policy drops the return traffic .
>
> There are two aspects to this: 1) if you don't set mark_in (or just
> mark) how do you expect marks to be on the inbound policies and SAs?
> 2) with recent releases (>= 5.5.2) no mark is actually set on the
> inbound SA (unless explicitly requested, which is possible since 5.6.1
> via swanctl.conf), but only on the inbound policies, specifically to
> allow marking packets after decryption.
>
> > How can i get the return traffic to be marked so that there is no policy
> > mismatch.
>
> Mark the traffic via iptables (before or after decryption).
>
> > 3) When i bring up the tunnel with the leftsubnet any and rightsubnet
> > any , i lose ssh access, i have disabled route install from strongswan
> > configuration file .
>
> Configure passthrough/bypass policies to allow SSH traffic, or set marks
> on policies/SAs so only marked packets are processed.
>
> Regards,
> Tobias
Re: [strongSwan] second connection from the same machine fails
Hi Naveen,

> 1) The second connection with the below configuration fails .

The log message tells you why. The policies of the two connections
conflict. While you don't get that error message with newer strongSwan
releases (>= 5.3.0) it would not work properly as you'd still have two
connections using the same policies.

> mark_out=32

Why did you only set mark_out? As you can see in the log this causes
conflicts for the in/fwd policies:

> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same
> policy for reqid 1 exists
> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same
> policy for reqid 1 exists

> 2) I intend to use marking as selector using VTI interface , i see that
> the packet gets encrypted and leave the machine, however my intention is
> identify return traffic after decryption to be marked with the same
> marking, so that i can route based on the marked packet to a specific
> interface, but i see that the inbound SA does not have the mark and the
> policy drops the return traffic .

There are two aspects to this: 1) if you don't set mark_in (or just
mark) how do you expect marks to be on the inbound policies and SAs?
2) with recent releases (>= 5.5.2) no mark is actually set on the
inbound SA (unless explicitly requested, which is possible since 5.6.1
via swanctl.conf), but only on the inbound policies, specifically to
allow marking packets after decryption.

> How can i get the return traffic to be marked so that there is no policy
> mismatch.

Mark the traffic via iptables (before or after decryption).

> 3) When i bring up the tunnel with the leftsubnet any and rightsubnet
> any , i lose ssh access, i have disabled route install from strongswan
> configuration file .

Configure passthrough/bypass policies to allow SSH traffic, or set marks
on policies/SAs so only marked packets are processed.

Regards,
Tobias
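The script below is an added example and is not code from this thread or from strongSwan itself. It turns Tobias' advice into a generated setup for several tunnels terminating on one host: a unique mark= per conn (so mark_in and mark_out are both set and the in/fwd policies no longer collide), a VTI device whose key equals that mark so the kernel supplies the mark on both directions without an iptables rule (valid for strongSwan >= 5.5.2, where the inbound SA carries no mark), a passthrough policy for SSH, and install_routes = no in strongswan.conf. The host and peer addresses are from the thread; the peer:mark:network list, the conn and interface names, the remote networks and every function name are constructed, and the ESP proposal is aes128-sha1 instead of the thread's null-md5 because null encryption authenticates but does not encrypt.

```shell
#!/bin/sh
# Added example for the strongSwan VTI thread; not code from the thread or from
# strongSwan itself. Generates an ipsec.conf, a strongswan.conf fragment and
# the matching VTI commands for several tunnels terminating on one host.
# Addresses come from the thread; the peer:mark:network list, the
# conn/interface names and all function names are constructed for this example.
set -u

LOCAL_IP=10.24.18.209

# $1 = "peer:mark:network" entry, $2 = field number (1 peer, 2 mark, 3 network)
field() { echo "$1" | cut -d: -f"$2"; }

# Return 1 when two entries share a mark. Two conns whose 0.0.0.0/0 policies
# carry the same (or no) mark give exactly the "same policy for reqid 1 exists"
# failure quoted in the thread.
check_unique_marks() {   # "peer:mark:net ..."
    dupes=$(for entry in $1; do field "$entry" 2; done | sort | uniq -d)
    [ -z "$dupes" ]
}

# One conn. mark= sets mark_in and mark_out together, so the in and fwd
# policies are marked too; mark_out alone leaves them unmarked and colliding.
conn_block() {   # name peer mark
    cat <<EOF
conn $1
    right=$2
    rightsubnet=0.0.0.0/0
    mark=$3
    auto=add

EOF
}

# Complete ipsec.conf: the thread's defaults, a passthrough policy so SSH to
# this host is never swallowed by the 0.0.0.0/0 selectors, then one conn per
# peer. ESP proposal is aes128-sha1 instead of the thread's null-md5.
ipsec_conf() {   # "peer:mark:net ..."
    check_unique_marks "$1" || { echo "duplicate mark in: $1" >&2; return 1; }
    cat <<EOF
conn %default
    ikelifetime=8h
    keylife=8h
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev1
    authby=secret
    type=tunnel
    left=$LOCAL_IP
    leftsubnet=0.0.0.0/0
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024

conn ssh-bypass
    type=passthrough
    leftsubnet=$LOCAL_IP/32
    leftprotoport=tcp/22
    rightsubnet=0.0.0.0/0
    auto=route

EOF
    n=0
    for entry in $1; do
        n=$((n + 1))
        conn_block "net$n" "$(field "$entry" 1)" "$(field "$entry" 2)"
    done
}

# charon must not install routes itself when the VTI devices carry them.
strongswan_conf() {
    printf 'charon {\n    install_routes = no\n}\n'
}

# Commands for the VTI devices. The key equals the conn's mark: traffic routed
# into vtiN is marked with it and matches that conn's out policy, and on
# receive the vti driver checks the in policy with the same mark, so with
# strongSwan >= 5.5.2 no iptables marking is needed. disable_policy=1 is the
# sysctl strongSwan's route-based setup uses on the VTI device.
vti_commands() {   # "peer:mark:net ..."
    n=0
    for entry in $1; do
        n=$((n + 1))
        peer=$(field "$entry" 1); mark=$(field "$entry" 2); net=$(field "$entry" 3)
        echo "ip link add vti$n type vti local $LOCAL_IP remote $peer key $mark"
        echo "sysctl -w net.ipv4.conf.vti$n.disable_policy=1"
        echo "ip link set vti$n up"
        echo "ip route add $net dev vti$n"
    done
}

PEERS="10.24.18.35:32:10.1.0.0/16 10.24.18.36:33:10.2.0.0/16"   # constructed
ipsec_conf "$PEERS"
strongswan_conf
vti_commands "$PEERS"
```

Run it to print the three artefacts; the ipsec.conf and strongswan.conf fragments go into their files and the printed commands are run on the gateway before `ipsec up`. After both tunnels are up, `ip xfrm policy` should show each conn's in, fwd and out policies carrying its own mark, which is the state that was missing when only mark_out was set.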
Re: [strongSwan] second connection from the same machine fails
Hi Naveen,

I believe you need to set uniqueids = no in config setup.

Cheers,
Christopher Bachner

On Mar 2, 2018 09:33, Naveen Neelakanta wrote:
> Hi Noel,
>
> Need some guidance on the below issues using strongswan.
>
> 1) The second connection with the below configuration fails.
>
> config setup
>
> conn %default
>     ikelifetime=8h
>     keylife=8h
>     rekeymargin=3m
>     keyingtries=2
>     keyexchange=ikev1
>     authby=secret
>     type=tunnel
>     left=10.24.18.209
>     leftsubnet=0.0.0.0/0
>     ike=aes128-sha1-modp1024
>     esp=null-md5-modp1024
>
> conn net-net
>     right=10.24.18.35
>     rightsubnet=0.0.0.0/0
>     mark_out=32
>     auto=add
>     installpolicy=yes
>
> conn net1-net1
>     right=10.24.18.36
>     rightsubnet=0.0.0.0/0
>     mark_out=33
>     auto=add
>     installpolicy=yes
>
> #ipsec up net1-net1
> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
> unable to install IPsec policies (SPD) in kernel
> establishing connection 'net1-net1' failed
>
> 2) I intend to use marking as selector using VTI interface. I see that
> the packet gets encrypted and leaves the machine; however my intention is
> to identify return traffic after decryption to be marked with the same
> marking, so that I can route based on the marked packet to a specific
> interface, but I see that the inbound SA does not have the mark and the
> policy drops the return traffic.
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>     dir out priority 39 mark 32/0x
>     tmpl src 10.24.18.209 dst 10.24.18.35
>         proto esp spi 0xce437d69 reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>     dir in priority 39 mark 32/0x
>     tmpl src 10.24.18.35 dst 10.24.18.209
>         proto esp reqid 1 mode tunnel
>
> SADB:
> src 10.24.18.209 dst 10.24.18.35
>     proto esp spi 0xce437d69 reqid 1 mode tunnel
>     replay-window 0 flag af-unspec
>     mark 32/0x
>     auth-trunc hmac(md5) 0x73f7dac6b9ef4de0dd6965ce30e2e548 96
>     enc ecb(cipher_null)
> src 10.24.18.35 dst 10.24.18.209
>     proto esp spi 0xca115267 reqid 1 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(md5) 0xcc44e5211adb4b23d281e9b94853b31c 96
>     enc ecb(cipher_null)
>
> How can I get the return traffic to be marked so that there is no policy
> mismatch?
>
> 3) When I bring up the tunnel with the leftsubnet any and rightsubnet
> any, I lose ssh access. I have disabled route install from the strongswan
> configuration file.
>
> conn %default
>     ikelifetime=8h
>     keylife=8h
>     rekeymargin=3m
>     keyingtries=2
>     keyexchange=ikev1
>     authby=secret
>     type=tunnel
>     left=10.24.18.209
>     leftsubnet=0.0.0.0/0
>     ike=aes128-sha1-modp1024
>     esp=null-md5-modp1024
>     installpolicy=no
>
> conn net-net
>     right=10.24.18.35
>     rightsubnet=0.0.0.0/0
>     mark_out=32
>     auto=add
>     installpolicy=yes
>
> # strongswan.conf
> ###
>     interfaces_use = eth3
>     install_routes = no
>
> Please shed some light on the above issues.
>
> Thanks,
> Naveen