Hello Hans-Kristian,

first, I recommend using IKEv2, which is much faster
and more robust:

config setup
        charonstart=yes
        plutostart=no

conn %default
        keyexchange=ikev2
        ikelifetime=28800
        keylife=3600
        auth=esp
        authby=psk
        type=transport
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        dpdaction=restart
        dpddelay=60
        dpdtimeout=500

You can still log to a file using strongswan.conf:

http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Do not put auto=start into the "conn %default" section since
"conn dns_SRV" will also be started, allowing all protocols.

Rather define:

conn dns1
        also=dns_SRV
        leftprotoport=tcp
        rightprotoport=tcp/53
        auto=start

conn dns2
        also=dns_SRV
        leftprotoport=udp
        rightprotoport=udp/53
        auto=start

conn dns3
        also=dns_SRV
        leftprotoport=udp/53
        rightprotoport=udp
        auto=start

conn dns4
        also=dns_SRV
        leftprotoport=tcp/53
        rightprotoport=tcp
        auto=start

conn dns_SRV
        left=10.17.0.11
        right=10.27.64.11

Best regards

Andreas

On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
> Hi
>
> I need to set up an IPsec connection (in transport mode) directly
> between two DNS-servers (host to host). The point is that only
> DNS-server traffic should use the tunnel.
> This is normally easy using Cisco-equipment as an ACL can do this easily.
> However I am really struggling to find a way to do this with
> strongSwan. Using leftprotoport and rightprotoport and separate
> connections doesn't seem to work correctly.
>
> The ACL I need to replicate on my end is this one (I have no influence
> on the other end):
>   permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
>   permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
>   permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
>   permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
>   permit udp host 10.27.64.11 host 10.17.0.11 eq 53
>   permit udp host 10.17.0.11 eq 53 host 10.27.64.11
>   permit udp host 10.27.64.11 eq 53 host 10.17.0.11
>   permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>
> This is my ipsec.conf so far. I can't get rid of the feeling that
> something is missing:
> (using v4.2.4-5+lenny3 on Debian Lenny)
> --
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>       charonstart=no
>       plutostart=yes
>       plutodebug=control
>       nat_traversal=no
>       plutostderrlog=/var/log/pluto.log
>
> conn %default
>       keyexchange=ikev1
>       ikelifetime=28800
>       keylife=3600
>       auth=esp
>       authby=psk
>       auto=start
>       type=transport
>       ike=aes128-sha1-modp1024
>       esp=aes128-sha1-modp1024
>       dpdaction=restart
>       dpddelay=60
>       dpdtimeout=500
>
> conn dns1
>       leftprotoport=tcp
>       rightprotoport=tcp/53
>       also=dns_SRV
>
> conn dns2
>       leftprotoport=udp
>       rightprotoport=udp/53
>       also=dns_SRV
>
> conn dns3
>       leftprotoport=udp/53
>       rightprotoport=udp
>       also=dns_SRV
>
> conn dns4
>       leftprotoport=tcp/53
>       rightprotoport=tcp
>       also=dns_SRV
>
> conn dns_SRV
>       left=10.17.0.11
>       right=10.27.64.11
> ---
>
> When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
> ESTABLISHED) but the other ones don't seem to do anything.
> The DNS-traffic still goes out unencrypted.
>
> How can I replicate the ACL perfectly with strongswan?
>
> Best regards
>
> Hans-Kristian Bakke
> Mob: 91 76 17 38

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
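A small pre-load check for the pitfall discussed in the thread: with auto=start inherited from "conn %default", the selector-less "conn dns_SRV" is also started and selects all traffic between the two hosts. This is an added example, not strongSwan code or either poster's configuration; it parses constructed ipsec.conf-style text (SAMPLE), and the merge order it assumes for %default and also= (defaults first, then the included section, then the conn's own keys) is an assumption for conflict-free sections like these.

```python
import re
# Constructed sample in the shape of the original post: auto=start in %default.
SAMPLE = """conn %default
        auto=start
conn dns1
        leftprotoport=tcp
        rightprotoport=tcp/53
        also=dns_SRV
conn dns_SRV
        left=10.17.0.11
        right=10.27.64.11
"""

def parse_conns(text):
    """Return {conn name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:  # new section; only conn sections are kept
            current = m.group(2) if m.group(1) == "conn" else None
            if current:
                conns[current] = {}
        elif current and "=" in line:
            k, v = line.strip().split("=", 1)
            conns[current][k.strip()] = v.strip()
    return conns

def resolve(conns, name):
    """Effective settings: %default first, then the also= chain, then own keys (assumed order)."""
    merged = dict(conns.get("%default", {}))
    if "also" in conns[name]:
        merged.update(resolve(conns, conns[name]["also"]))
    merged.update(conns[name])
    return merged

def started_selectors(text):
    """Traffic selector of every conn auto=start brings up; no protoport = any."""
    conns, out = parse_conns(text), {}
    for name in conns:
        s = resolve(conns, name)
        if name != "%default" and s.get("auto") == "start":
            out[name] = (s.get("left"), s.get("leftprotoport", "any"),
                         s.get("right"), s.get("rightprotoport", "any"))
    return out

def unrestricted(text):
    """Started conns that restrict neither side: they select all traffic."""
    return sorted(n for n, s in started_selectors(text).items()
                  if s[1] == "any" and s[3] == "any")
```

Running unrestricted() on the sample reports dns_SRV; moving auto=start into the four port-specific conns, as Andreas suggests, makes the list empty.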
