Never mind. Figured it out. Apparently there is only one recognized "config setup" section in the base /etc/ipsec.conf file. I moved the listen directive in there and it worked exactly as expected.
Thanks,

Scott

________________________________
From: Swan <[email protected]> on behalf of Scott A. Wozny <[email protected]>
Sent: September 18, 2020 8:11 PM
To: [email protected] <[email protected]>
Subject: [Swan] How to force LibreSWAN to listen on a particular interface

By default when I start LibreSWAN's ipsec it binds to UDP/500 and UDP/4500 on all interfaces as shown:

[sawozny@vpnnj ~]$ sudo ipsec --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 192.168.1.214@4500
000 interface eth0/eth0 192.168.1.214@500
000 interface ens8/ens8 10.1.2.2@4500
000 interface ens8/ens8 10.1.2.2@500
000 interface ens9/ens9 10.1.3.2@4500
000 interface ens9/ens9 10.1.3.2@500

[sawozny@vpnca ~]$ sudo ipsec --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 192.168.1.215@4500
000 interface eth0/eth0 192.168.1.215@500
000 interface ens8/ens8 10.1.5.2@4500
000 interface ens8/ens8 10.1.5.2@500
000 interface ens9/ens9 10.1.6.2@4500
000 interface ens9/ens9 10.1.6.2@500

I'd like to only bind to the IP on interface ens8 on each machine. I tried adding this listen= parameter in a config setup section on both sides of my config, but ipsec still attaches to all interfaces available. Note, there's a NAT device in the middle converting 10.1.2.2 to 172.16.1.2 and 10.1.5.2 to 172.16.1.10, which is why the configs are asymmetrical.

[sawozny@vpnnj ~]$ sudo cat /etc/ipsec.d/intersitetunnel.conf
# /etc/ipsec.d/intersitetunnel.conf
config setup
    listen=10.1.2.2

conn intersitetunnel
    left=10.1.2.2
    leftid=@vpnnj
    leftsubnet=10.1.4.0/24
    leftrsasigkey=0sAwEAAcQQa4wVLATC […]
    right=172.16.1.10
    rightid=@vpnca
    rightsubnet=10.1.7.0/24
    rightrsasigkey=0sAwEAAcp4iq2wyRG […]
    authby=rsasig
    auto=start

[sawozny@vpnca ~]$ sudo cat /etc/ipsec.d/intersitetunnel.conf
# /etc/ipsec.d/intersitetunnel.conf
config setup
    listen=10.1.5.2

conn intersitetunnel
    left=10.1.5.2
    leftid=@vpnca
    leftsubnet=10.1.7.0/24
    leftrsasigkey=0sAwEAAcp4iq2wyRG […]
    right=172.16.1.2
    rightid=@vpnnj
    rightsubnet=10.1.4.0/24
    rightrsasigkey=0sAwEAAcQQa4wVLATC […]
    authby=rsasig
    auto=start

The tunnel itself comes up (although it doesn't yet pass traffic, which I'm troubleshooting now).

[sawozny@vpnnj ~]$ sudo ip xfrm policy
[sudo] password for sawozny:
src 10.1.4.0/24 dst 10.1.7.0/24
	dir out priority 1042407 ptype main
	tmpl src 10.1.2.2 dst 172.16.1.10
		proto esp reqid 16389 mode tunnel
src 10.1.7.0/24 dst 10.1.4.0/24
	dir fwd priority 1042407 ptype main
	tmpl src 172.16.1.10 dst 10.1.2.2
		proto esp reqid 16389 mode tunnel
src 10.1.7.0/24 dst 10.1.4.0/24
	dir in priority 1042407 ptype main
	tmpl src 172.16.1.10 dst 10.1.2.2
		proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main

[sawozny@vpnnj ~]$ sudo ip xfrm state
src 172.16.1.10 dst 10.1.2.2
	proto esp spi 0x092a9183 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x3298b10af98c345c36d1ec645571cb33fc364d20 96
	enc cbc(aes) 0x87961e26af97aec8fa83b40d444648e5
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.2.2 dst 172.16.1.10
	proto esp spi 0x691db0b7 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x00208346d158ea51312b9f948cf321dc77aa51e0 96
	enc cbc(aes) 0x7c3d3ceae35c4d8b97399a1bd5487765
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.1.10 dst 10.1.2.2
	proto esp spi 0xbfa41218 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x4cd4572e7f291034a70a6095671d5a212c3da06b 96
	enc cbc(aes) 0x631d0eac41849e5be9a3d99031cc22be
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.2.2 dst 172.16.1.10
	proto esp spi 0x9096b70e reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xb40d645fb2f5d7aa159f8a855a2072baba29ec80 96
	enc cbc(aes) 0xccd88264c98caf121a062be207618210
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

[sawozny@vpnca ~]$ sudo ip xfrm policy
[sudo] password for sawozny:
src 10.1.7.0/24 dst 10.1.4.0/24
	dir out priority 1042407 ptype main
	tmpl src 10.1.5.2 dst 172.16.1.2
		proto esp reqid 16389 mode tunnel
src 10.1.4.0/24 dst 10.1.7.0/24
	dir fwd priority 1042407 ptype main
	tmpl src 172.16.1.2 dst 10.1.5.2
		proto esp reqid 16389 mode tunnel
src 10.1.4.0/24 dst 10.1.7.0/24
	dir in priority 1042407 ptype main
	tmpl src 172.16.1.2 dst 10.1.5.2
		proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main

[sawozny@vpnca ~]$ sudo ip xfrm state
src 172.16.1.2 dst 10.1.5.2
	proto esp spi 0x691db0b7 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x00208346d158ea51312b9f948cf321dc77aa51e0 96
	enc cbc(aes) 0x7c3d3ceae35c4d8b97399a1bd5487765
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.5.2 dst 172.16.1.2
	proto esp spi 0x092a9183 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x3298b10af98c345c36d1ec645571cb33fc364d20 96
	enc cbc(aes) 0x87961e26af97aec8fa83b40d444648e5
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.1.2 dst 10.1.5.2
	proto esp spi 0x9096b70e reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xb40d645fb2f5d7aa159f8a855a2072baba29ec80 96
	enc cbc(aes) 0xccd88264c98caf121a062be207618210
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.5.2 dst 172.16.1.2
	proto esp spi 0xbfa41218 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x4cd4572e7f291034a70a6095671d5a212c3da06b 96
	enc cbc(aes) 0x631d0eac41849e5be9a3d99031cc22be
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

But both devices are still binding ipsec to all interfaces:

[sawozny@vpnnj ~]$ sudo ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      *:60859             *:*     users:(("snmpd",pid=1045,fd=7))
udp   UNCONN 0      0      *:161               *:*     users:(("snmpd",pid=1045,fd=6))
udp   UNCONN 0      0      127.0.0.1:323       *:*     users:(("chronyd",pid=723,fd=5))
udp   UNCONN 0      0      127.0.0.1:4500      *:*     users:(("pluto",pid=30415,fd=23))
udp   UNCONN 0      0      192.168.1.214:4500  *:*     users:(("pluto",pid=30415,fd=21))
udp   UNCONN 0      0      10.1.2.2:4500       *:*     users:(("pluto",pid=30415,fd=19))
udp   UNCONN 0      0      10.1.3.2:4500       *:*     users:(("pluto",pid=30415,fd=17))
udp   UNCONN 0      0      127.0.0.1:500       *:*     users:(("pluto",pid=30415,fd=22))
udp   UNCONN 0      0      192.168.1.214:500   *:*     users:(("pluto",pid=30415,fd=20))
udp   UNCONN 0      0      10.1.2.2:500        *:*     users:(("pluto",pid=30415,fd=18))
udp   UNCONN 0      0      10.1.3.2:500        *:*     users:(("pluto",pid=30415,fd=16))
udp   UNCONN 0      0      [::1]:323           [::]:*  users:(("chronyd",pid=723,fd=6))
tcp   LISTEN 0      128    *:22                *:*     users:(("sshd",pid=1044,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25        *:*     users:(("master",pid=1127,fd=13))
tcp   LISTEN 0      128    127.0.0.1:199       *:*     users:(("snmpd",pid=1045,fd=8))

[sawozny@vpnca ~]$ sudo ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      *:51169             *:*     users:(("snmpd",pid=1047,fd=7))
udp   UNCONN 0      0      *:161               *:*     users:(("snmpd",pid=1047,fd=6))
udp   UNCONN 0      0      127.0.0.1:323       *:*     users:(("chronyd",pid=739,fd=5))
udp   UNCONN 0      0      127.0.0.1:4500      *:*     users:(("pluto",pid=20234,fd=23))
udp   UNCONN 0      0      192.168.1.215:4500  *:*     users:(("pluto",pid=20234,fd=21))
udp   UNCONN 0      0      10.1.5.2:4500       *:*     users:(("pluto",pid=20234,fd=19))
udp   UNCONN 0      0      10.1.6.2:4500       *:*     users:(("pluto",pid=20234,fd=17))
udp   UNCONN 0      0      127.0.0.1:500       *:*     users:(("pluto",pid=20234,fd=22))
udp   UNCONN 0      0      192.168.1.215:500   *:*     users:(("pluto",pid=20234,fd=20))
udp   UNCONN 0      0      10.1.5.2:500        *:*     users:(("pluto",pid=20234,fd=18))
udp   UNCONN 0      0      10.1.6.2:500        *:*     users:(("pluto",pid=20234,fd=16))
udp   UNCONN 0      0      [::1]:323           [::]:*  users:(("chronyd",pid=739,fd=6))
tcp   LISTEN 0      128    *:22                *:*     users:(("sshd",pid=1044,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25        *:*     users:(("master",pid=1130,fd=13))
tcp   LISTEN 0      128    127.0.0.1:199       *:*     users:(("snmpd",pid=1047,fd=8))

Any ideas what I'm doing wrong?

Thanks,

Scott
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
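The resolution in this thread is that `listen=` only takes effect from the `config setup` section of the base /etc/ipsec.conf, not from a second `config setup` in an included /etc/ipsec.d/*.conf file. The config change is not the end of the job: the poster's own method, reading `ss -tulpn` after a restart, is the check that proves pluto really dropped the sockets on lo, eth0 and ens9. The script below is an added example, not code from the thread or from the Libreswan project. It parses `ss` output in the column layout shown in the poster's listings and reports which local addresses pluto holds UDP/500 and UDP/4500 sockets on; the two embedded listings are constructed samples, one modelled on vpnnj before the fix and one on the state the fix should produce, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): after moving `listen=` into the
# `config setup` section of /etc/ipsec.conf and restarting pluto, confirm
# from `ss` output that pluto's IKE sockets (UDP/500, UDP/4500) exist only
# on the intended address. Function names are this example's own.

# Constructed sample, modelled on the poster's vpnnj `ss -tulpn` listing
# before the fix: pluto is bound on every interface.
BEFORE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      *:161               *:*     users:(("snmpd",pid=1045,fd=6))
udp   UNCONN 0      0      127.0.0.1:4500      *:*     users:(("pluto",pid=30415,fd=23))
udp   UNCONN 0      0      192.168.1.214:4500  *:*     users:(("pluto",pid=30415,fd=21))
udp   UNCONN 0      0      10.1.2.2:4500       *:*     users:(("pluto",pid=30415,fd=19))
udp   UNCONN 0      0      127.0.0.1:500       *:*     users:(("pluto",pid=30415,fd=22))
udp   UNCONN 0      0      192.168.1.214:500   *:*     users:(("pluto",pid=30415,fd=20))
udp   UNCONN 0      0      10.1.2.2:500        *:*     users:(("pluto",pid=30415,fd=18))
udp   UNCONN 0      0      [::1]:323           [::]:*  users:(("chronyd",pid=723,fd=6))
tcp   LISTEN 0      128    *:22                *:*     users:(("sshd",pid=1044,fd=3))'

# Constructed sample of the state the fix should produce: only the ens8 address.
AFTER_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      *:161               *:*     users:(("snmpd",pid=1045,fd=6))
udp   UNCONN 0      0      10.1.2.2:4500       *:*     users:(("pluto",pid=30415,fd=19))
udp   UNCONN 0      0      10.1.2.2:500        *:*     users:(("pluto",pid=30415,fd=18))
tcp   LISTEN 0      128    *:22                *:*     users:(("sshd",pid=1044,fd=3))'

# Print, one per line and sorted, the unique local addresses on which pluto
# holds a UDP/500 or UDP/4500 socket. Takes the `ss` output as its argument
# so it works on live output or on a saved capture.
pluto_listen_addrs() {
    printf '%s\n' "$1" |
    awk '$1 == "udp" && $NF ~ /"pluto"/ {
             addr = $5; port = $5
             sub(/.*:/, "", port)        # keep only the port
             sub(/:[0-9]+$/, "", addr)   # strip the port; also handles [::1]:500
             if (port == "500" || port == "4500") print addr
         }' | sort -u
}

# Return 0 only when pluto has IKE sockets on the expected address and on no
# other address; otherwise list the extra addresses on stderr and return 1.
check_pluto_bound_only_to() {
    expected=$1
    ss_output=$2
    extra=$(pluto_listen_addrs "$ss_output" | grep -v -x -F "$expected" || true)
    if [ -n "$extra" ]; then
        printf 'pluto also bound on: %s\n' "$(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    pluto_listen_addrs "$ss_output" | grep -q -x -F "$expected"
}

# Live use on the VPN host after `ipsec restart`:
#   check_pluto_bound_only_to 10.1.2.2 "$(ss -ulpn)" && echo "listen= is in effect"
```

Two practical notes. `listen=` only governs pluto's IKE and NAT-T UDP sockets; it is not a substitute for a host firewall rule that drops UDP/500 and UDP/4500 on the interfaces that should never see IKE, so keep both. And `ip xfrm state` prints the live ESP encryption and authentication keys, as in the listings above; redact those lines before posting such output anywhere public, or rekey the tunnel afterwards.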
