Hi

I need to set up an IPsec connection (in transport mode) directly
between two DNS servers (host to host). The point is that only
DNS-server traffic should use the tunnel.
This is normally easy using Cisco equipment, as an ACL can do this easily.
However I am really struggling to find a way to do this with
strongSwan. Using leftprotoport and rightprotoport and separate
connections doesn't seem to work correctly.

The ACL I need to replicate on my end is this one (I have no influence
on the other end):
 permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
 permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
 permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
 permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
 permit udp host 10.27.64.11 host 10.17.0.11 eq 53
 permit udp host 10.17.0.11 eq 53 host 10.27.64.11
 permit udp host 10.27.64.11 eq 53 host 10.17.0.11
 permit udp host 10.17.0.11 host 10.27.64.11 eq 53

This is my ipsec.conf so far. I can't get rid of the feeling that
something is missing
(using v4.2.4-5+lenny3 on Debian Lenny):
--
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charonstart=no
        plutostart=yes
        plutodebug=control
        nat_traversal=no
        plutostderrlog=/var/log/pluto.log

conn %default
        keyexchange=ikev1
        ikelifetime=28800
        keylife=3600
        auth=esp
        authby=psk
        auto=start
        type=transport
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
        dpdaction=restart
        dpddelay=60
        dpdtimeout=500

conn dns1
        leftprotoport=tcp
        rightprotoport=tcp/53
        also=dns_SRV

conn dns2
        leftprotoport=udp
        rightprotoport=udp/53
        also=dns_SRV

conn dns3
        leftprotoport=udp/53
        rightprotoport=udp
        also=dns_SRV

conn dns4
        leftprotoport=tcp/53
        rightprotoport=tcp
        also=dns_SRV

conn dns_SRV
        left=10.17.0.11
        right=10.27.64.11
---

When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
ESTABLISHED) but the other ones don't seem to do anything.
The DNS traffic still goes out unencrypted.

How can I replicate the ACL perfectly with strongSwan?

Best regards

Hans-Kristian Bakke
Mob: 91 76 17 38
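As an added illustration (not part of the original post, and not strongSwan code), the Python script below parses the Cisco ACL quoted in the post and maps each entry to a strongSwan leftprotoport/rightprotoport pair, taking 10.17.0.11 as the left (local) peer exactly as the posted ipsec.conf does. Because a conn's traffic selectors match in both directions, each mirrored pair of ACEs collapses into one conn, so the eight ACL lines yield four selectors, the same four that the dns1 to dns4 stanzas express; the conn names and the ACL text are constructed for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: the Cisco ACL from the post; the local (left) peer is 10.17.0.11.
ACL = """
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
"""

# One host-to-host ACE: proto, source host [eq port], destination host [eq port].
ACE = re.compile(r"permit\s+(tcp|udp)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
                 r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")

def acl_to_selectors(acl_text, left):
    """Return ordered, unique (proto, left_port, right_port) tuples.
    An IPsec conn's selectors cover both directions, so an ACE and its
    mirror image (src/dst swapped) map to the same selector."""
    selectors = OrderedDict()
    for line in acl_text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACE: " + line)
        proto, src, sport, dst, dport = m.groups()
        if src == left:          # traffic leaving the left peer
            lport, rport = sport, dport
        elif dst == left:        # traffic arriving at the left peer
            lport, rport = dport, sport
        else:
            raise ValueError("left peer not in ACE: " + line)
        selectors[(proto, lport, rport)] = None   # dedupe, keep order
    return list(selectors)

def protoport(proto, port):
    """Format a selector as strongSwan's proto or proto/port notation."""
    return proto if port is None else f"{proto}/{port}"

def render_conns(selectors, base="dns_SRV"):
    """Emit one ipsec.conf conn stanza per selector, inheriting the peers from base."""
    out = []
    for i, (proto, lport, rport) in enumerate(selectors, 1):
        out.append(f"conn dns{i}\n        leftprotoport={protoport(proto, lport)}\n"
                   f"        rightprotoport={protoport(proto, rport)}\n        also={base}\n")
    return "\n".join(out)
```

Running `print(render_conns(acl_to_selectors(ACL, "10.17.0.11")))` prints four conn stanzas; a fifth selector in the output would mean the ACL contains a flow the posted config does not cover.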
