I'm having a bit of trouble with opportunistic IPSec, specifically getting failover to clear working. Here is my setup:
* Redhat 7 on AWS in FIPS mode, libreswan 3.20.
* An SSH jump box with:
  - the main eth0 interface is on a public subnet (10.0.0.0/24); this traffic need not be encrypted. This also has an elastic IP, but I don’t think that matters here.
  - a second interface eth1 on a private subnet (10.0.1.0/24). This subnet should (almost) always be encrypted.
  - opportunistic configuration mostly taken from the Wiki example for the private-or-clear section. One important change was left=10.0.1.100
  - the “clear” policy includes just the gateway (10.0.1.1/32)
  - the “private-or-clear” policy includes the rest of the subnet (10.0.1.0/24)
* A client configured for OE at 10.0.1.21.
  - the “private” policy is set to the subnet (10.0.1.0/24)
  - the “clear” policy is the gateway (10.0.1.1/32)
* A client without IPSEC at 10.0.1.22.

The idea here is that when starting new VMs in the private subnet I need to first go through the jump box to configure the IPSEC tunnels. So I need to fail over to clear until they are set up. But once they are configured I should only use encrypted traffic.

What I am seeing is that I can connect to the properly configured host via the IPSEC tunnel, but I cannot get to the unconfigured host. When I run “ipsec status” the connection list is interesting: specifically in the “clear” section the only interface listed is eth0 (see below). I have tried using both the “interfaces” and “listen” parameters in the main config section, but even then the best I can do is get a blank value for the interface in the clear section. Any ideas?
----------------------
000 Connection list:
000
000 "clear": 10.0.0.100---10.0.0.1...%group; unrouted; eroute owner: #0
000 "clear": oriented; my_ip=unset; their_ip=unset
000 "clear": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear": our auth:unset, their auth:unset
000 "clear": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "clear": labeled_ipsec:no;
000 "clear": policy_label:unset;
000 "clear": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear": policy: PFS+GROUP+GROUTED+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "clear": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0
000 "clear#10.0.1.1/32": oriented; my_ip=unset; their_ip=unset
000 "clear#10.0.1.1/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear#10.0.1.1/32": our auth:unset, their auth:unset
000 "clear#10.0.1.1/32": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "clear#10.0.1.1/32": labeled_ipsec:no;
000 "clear#10.0.1.1/32": policy_label:unset;
000 "clear#10.0.1.1/32": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#10.0.1.1/32": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#10.0.1.1/32": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#10.0.1.1/32": policy: PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear#10.0.1.1/32": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#10.0.1.1/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "clear#10.0.1.1/32": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#10.0.1.1/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear": oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear": our auth:rsasig, their auth:rsasig
000 "private-or-clear": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear": labeled_ipsec:no;
000 "private-or-clear": policy_label:unset;
000 "private-or-clear": CAs: 'CA-INFO-REDACTED'
000 "private-or-clear": ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear": retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#10.0.1.0/24": oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear#10.0.1.0/24": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear#10.0.1.0/24": our auth:rsasig, their auth:rsasig
000 "private-or-clear#10.0.1.0/24": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear#10.0.1.0/24": labeled_ipsec:no;
000 "private-or-clear#10.0.1.0/24": policy_label:unset;
000 "private-or-clear#10.0.1.0/24": CAs: 'CA-INFO-REDACTED'
000 "private-or-clear#10.0.1.0/24": ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#10.0.1.0/24": retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear#10.0.1.0/24": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#10.0.1.0/24": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear#10.0.1.0/24": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#10.0.1.0/24": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#10.0.1.0/24"[1]: 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...10.0.1.21[CA-INFO-REDACTED]; erouted; eroute owner: #2
000 "private-or-clear#10.0.1.0/24"[1]: oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear#10.0.1.0/24"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear#10.0.1.0/24"[1]: our auth:rsasig, their auth:rsasig
000 "private-or-clear#10.0.1.0/24"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear#10.0.1.0/24"[1]: labeled_ipsec:no;
000 "private-or-clear#10.0.1.0/24"[1]: policy_label:unset;
000 "private-or-clear#10.0.1.0/24"[1]: CAs: 'CA-INFO-REDACTED'
000 "private-or-clear#10.0.1.0/24"[1]: ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#10.0.1.0/24"[1]: retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear#10.0.1.0/24"[1]: sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#10.0.1.0/24"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24"[1]: conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear#10.0.1.0/24"[1]: dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#10.0.1.0/24"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "private-or-clear#10.0.1.0/24"[1]: IKEv2 algorithm newest: AES_GCM_C_256-AUTH_NONE-PRF_HMAC_SHA2_512-MODP2048
000 "private-or-clear#10.0.1.0/24"[1]: ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=<Phase1>
<SNIP>
000 Total IPsec connections: loaded 7, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(0), anonymous(1)
000 IPsec SAs: total(1), authenticated(0), anonymous(1)
000
000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_v2_SA_REPLACE_IF_USED in 2627s; newest IPSEC; eroute owner; isakmp#1; idle; import:local rekey
000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=4KB ESPout=5KB! ESPmax=0B
000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_PARENT_I3 (PARENT SA established); EVENT_v2_SA_REPLACE_IF_USED_IKE in 2837s; newest ISAKMP; isakmp#0; idle; import:local rekey
000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 ref=0 refhim=0 Traffic:
000
000 Bare Shunt list:
000
000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0 oe-failed
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
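An added diagnostic, written for this thread and not part of the original post or of libreswan: a small Python parser for the `ipsec status` output quoted above. It groups the 000-prefixed lines per connection (keeping the `[n]` instance suffix), pulls out each connection's left end, interface and policy flags, collects the bare shunt list, and then flags group instances whose target lies inside the private subnet while their left end is on another interface, together with `oe-failed` shunts to private hosts. The STATUS excerpt is lifted from the post; the private subnet 10.0.1.0/24 is passed in as a parameter.

```python
import ipaddress
import re

# Constructed excerpt of the poster's "ipsec status" output (CA details were redacted in the post).
STATUS = """\
000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0
000 "clear#10.0.1.1/32": policy: PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear#10.0.1.1/32": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#10.0.1.0/24": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24"[1]: 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...10.0.1.21[CA-INFO-REDACTED]; erouted; eroute owner: #2
000 Bare Shunt list:
000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0 oe-failed
"""

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?: (?P<rest>.*)$')
SHUNT_RE = re.compile(r'^000 (?P<src>\S+) -\d+-> (?P<dst>\S+) => (?P<shunt>\S+) \d+ (?P<why>\S+)$')

def parse_status(text):
    """Group the 000-prefixed status lines by connection (instances keep their [n] suffix)."""
    conns, shunts = {}, []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            c, rest = conns.setdefault(m["name"] + (m["inst"] or ""), {}), m["rest"]
            if re.match(r"\d+\.\d+\.\d+\.\d+", rest):  # first line of a conn starts with its left end
                c["left"] = rest.split("<")[0].split("---")[0]
            elif rest.startswith("policy: "):
                c["policy"] = rest[len("policy: "):].rstrip(";").split("+")
            elif "interface: " in rest:
                c["interface"] = re.search(r"interface: (\S+?);", rest)[1]
            continue
        m = SHUNT_RE.match(line)
        if m:
            shunts.append(m.groupdict())
    return conns, shunts

def check_orientation(conns, shunts, private_net):
    """Flag group instances whose target is inside private_net but whose left end is not,
    and bare shunts to private_net hosts that record an OE failure."""
    net, findings = ipaddress.ip_network(private_net), []
    for name, c in conns.items():
        if "#" not in name or "left" not in c:
            continue
        target = ipaddress.ip_network(name.split("#")[1].split("[")[0], strict=False)
        if target.subnet_of(net) and ipaddress.ip_address(c["left"]) not in net:
            findings.append(f"{name}: left={c['left']} on {c.get('interface')} is outside {net}")
    for s in shunts:
        if s["why"] == "oe-failed" and ipaddress.ip_network(s["dst"].split(":")[0]).subnet_of(net):
            findings.append(f"shunt to {s['dst']} is {s['shunt']} ({s['why']})")
    return findings
```

Run against the quoted output it reports the `clear#10.0.1.1/32` instance as oriented via 10.0.0.100 on eth0 rather than from the private subnet, and the `oe-failed` shunt for 10.0.1.22.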
