On Tue, 27 Oct 2020, Balaji Thoguluva wrote:
> Does any of the Libreswan commands (ipsec whack etc.) display the following
> information?
> 1. local (ephemeral) port of the application (for example TCP connection
> initiated) that triggered the IKEv2/IPsec connection. For example, for a TCP
> connection triggered from Libreswan, currently the "ipsec whack --trafficstatus"
> command displays 0 for the peer port whereas it displays its local port correctly.
ipsec trafficstatus never shows that. But ipsec status also does not
currently show this. You can see it within the kernel state though,
eg:
root@west:/# ip xfrm state
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0x0e7eec94 reqid 16393 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes))
0x3b630190a4c05c5a4337c9cb28be756c9065abcc44f11ceb4a156dba65dfb84ad91cf83f 128
encap type espintcp sport 4500 dport 59152 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
proto esp spi 0xf0868fcb reqid 16393 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes))
0xb51a661573c7aa25a248490c1678da3854b8e735e66b9c799f44f02a17018a06106a3189 128
encap type espintcp sport 59152 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
But if you have more than one tunnel, matching them up is tricky.
It does show up partially, eg the remote port, in ipsec status:
000 #3: "ikev2-westnet-eastnet":4500(tcp) STATE_V2_ESTABLISHED_IKE_SA
(established IKE SA); EVENT_SA_REKEY in 2605s; newest ISAKMP; idle;
The remote here is port 4500 tcp.
> 2. IKE cookies (or IKE SPI)
Those are currently also not listed anywhere.
> 3. Time when IKE SA is established
No, just the EVENT_SA_REKEY which is keylife - establishment date.
> 4. time remaining to perform IKE rekey
Yes, see above: EVENT_SA_REKEY in 2605s;
We are looking at adding another output where you pick the items you
want and you get those back in json. Hopefully then people can write
wrappers around that to their requirements.
(if anyone wants to work on this, ping me)
Paul
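Since the thread points at `ip xfrm state` as the only place the ESP-in-TCP ports are visible, and notes that matching SAs to tunnels is tricky with several tunnels, here is an added example (not from Libreswan or the thread's authors) that parses that output and groups the SAs by reqid, reporting the local ephemeral and remote TCP port per tunnel. The sample input is constructed from the output quoted above, with the keys omitted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the `ip xfrm state` output quoted in the thread:
# one ESP-in-TCP tunnel; both directions share reqid 16393. Keys are omitted.
SAMPLE_XFRM_STATE = """\
src 192.1.2.23 dst 192.1.2.45
\tproto esp spi 0x0e7eec94 reqid 16393 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x<key omitted> 128
\tencap type espintcp sport 4500 dport 59152 addr 0.0.0.0
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
\tproto esp spi 0xf0868fcb reqid 16393 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x<key omitted> 128
\tencap type espintcp sport 59152 dport 4500 addr 0.0.0.0
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)$")
SPI_LINE = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
ENCAP_LINE = re.compile(r"^encap type (\S+) sport (\d+) dport (\d+)")


def parse_xfrm_state(text: str) -> List[Dict]:
    """Turn `ip xfrm state` output into one dict per SA (src, dst, spi, reqid, encap ports)."""
    sas: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_HEADER.match(line):          # a new SA starts with its src/dst line
            sas.append({"src": m.group(1), "dst": m.group(2)})
        elif sas and (m := SPI_LINE.match(line)):
            sas[-1].update(proto=m.group(1), spi=m.group(2),
                           reqid=int(m.group(3)), mode=m.group(4))
        elif sas and (m := ENCAP_LINE.match(line)):
            sas[-1].update(encap=m.group(1), sport=int(m.group(2)), dport=int(m.group(3)))
    return sas


def tcp_ports_by_reqid(sas: List[Dict], local_addr: str) -> Dict[int, Tuple[int, int]]:
    """Map each tunnel (reqid) to (local ephemeral port, remote port) of its
    ESP-in-TCP encapsulation, read from the outbound SA (src == local_addr)."""
    ports: Dict[int, Tuple[int, int]] = {}
    for sa in sas:
        if sa.get("encap") == "espintcp" and sa["src"] == local_addr:
            ports[sa["reqid"]] = (sa["sport"], sa["dport"])
    return ports
```

Feed it the live output with `parse_xfrm_state(subprocess.check_output(["ip", "xfrm", "state"], text=True))` and the host's own address to get the per-tunnel port pairs the thread says `ipsec trafficstatus` does not yet report.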
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev