Hello Hans-Kristian, see my inline comments.
Regards

Andreas

On 05/30/2011 10:51 AM, Hans-Kristian Bakke wrote:
> Hi
>
> Thanks for your input.
>
> I would love to use IKEv2, but it is sadly not an option.
>
> Your changes to auto=start make sense but dns1 is still the only
> connection that establishes an SA (STATE_MAIN_I4 ISAKMP SA
> ESTABLISHED). The other ones seem stuck in QUICK_INIT_I1. The
> connection should be using main mode only.
> If I run setkey -DP it only seems to add the UDP connections if it
> adds anything at all.
>
> In the meantime I have configured racoon and setkey.conf (with 8
> spdadd rules) and it does work for both lookups and zone transfers so
> I know the other end is correctly set up.
> After shutting down racoon I can't establish the connections again
> (timing out) so I guess I have to wait for the connections to time out
> (dpd is perhaps not used in both ends), so perhaps strongswan is
> working after your changes too?
>
> I will try again after a couple of hours when the connections
> hopefully have died in all ends.
>
> Questions:
> - Is QUICK_INIT in statusall related to aggressive mode, and if so is
> it possible to force MAIN (I thought strongswan didn't support
> aggressive at all)?

Phase 2 Quick Mode is always required after Phase 1 Main Mode to set up
the actual IPsec SAs. In your case 4 Quick Modes will be needed to set
up dns1 .. dns4, but only one Main Mode. I think you get stuck somewhere
during the setup of the first Quick Mode since Main Mode gets
established. A log file would be helpful.

> - Don't I need 8 conn definitions in ipsec.conf too? I seem to be
> missing half the connections from the other end with my config
> compared to ACL/setkey.conf. Should I add a duplicate set of conn with
> a reversed "pair" of left and right IPs or is this not necessary as
> strongswan decides what left and right is for itself and therefore
> does this automatically?

4 connection definitions are sufficient since the IPsec Policies are
set up pairwise in the kernel (both inbound and outbound).

> Regards,
> Hans-Kristian Bakke
>
> On Mon, May 30, 2011 at 09:17, Andreas Steffen
> <[email protected]> wrote:
>> Hello Hans-Kristian,
>>
>> first I recommend to use IKEv2 which is much faster
>> and more robust:
>>
>> config setup
>>     charonstart=yes
>>     plutostart=no
>>
>> conn %default
>>     keyexchange=ikev2
>>     ikelifetime=28800
>>     keylife=3600
>>     auth=esp
>>     authby=psk
>>     type=transport
>>     ike=aes128-sha1-modp1024!
>>     esp=aes128-sha1-modp1024!
>>     dpdaction=restart
>>     dpddelay=60
>>     dpdtimeout=500
>>
>> You can still log to a file using strongswan.conf:
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>> Do not put auto=start into the "conn %default" section since
>> "conn dns_SRV" will also be started, allowing all protocols.
>>
>> Rather define:
>>
>> conn dns1
>>     also=dns_SRV
>>     leftprotoport=tcp
>>     rightprotoport=tcp/53
>>     auto=start
>>
>> conn dns2
>>     also=dns_SRV
>>     leftprotoport=udp
>>     rightprotoport=udp/53
>>     auto=start
>>
>> conn dns3
>>     also=dns_SRV
>>     leftprotoport=udp/53
>>     rightprotoport=udp
>>     auto=start
>>
>> conn dns4
>>     also=dns_SRV
>>     leftprotoport=tcp/53
>>     rightprotoport=tcp
>>     auto=start
>>
>> conn dns_SRV
>>     left=10.17.0.11
>>     right=10.27.64.11
>>
>> Best regards
>>
>> Andreas
>>
>> On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
>>>
>>> Hi
>>>
>>> I need to set up an ipsec connection (in transport mode) directly
>>> between two DNS servers (host to host). The point is that only
>>> DNS-server traffic should use the tunnel.
>>> This is normally easy using Cisco equipment as an ACL can do this easily.
>>> However I am really struggling to find a way to do this with
>>> strongSwan. Using leftprotoport and rightprotoport and separate
>>> connections doesn't seem to work correctly.
>>>
>>> The ACL I need to replicate on my end is this one (I have no influence
>>> on the other end):
>>> permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
>>> permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
>>> permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
>>> permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
>>> permit udp host 10.27.64.11 host 10.17.0.11 eq 53
>>> permit udp host 10.17.0.11 eq 53 host 10.27.64.11
>>> permit udp host 10.27.64.11 eq 53 host 10.17.0.11
>>> permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>>>
>>> This is my ipsec.conf so far. I can't get rid of the feeling that
>>> something is missing:
>>> (using v4.2.4-5+lenny3 on Debian Lenny)
>>> --
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> # basic configuration
>>>
>>> config setup
>>>     charonstart=no
>>>     plutostart=yes
>>>     plutodebug=control
>>>     nat_traversal=no
>>>     plutostderrlog=/var/log/pluto.log
>>>
>>> conn %default
>>>     keyexchange=ikev1
>>>     ikelifetime=28800
>>>     keylife=3600
>>>     auth=esp
>>>     authby=psk
>>>     auto=start
>>>     type=transport
>>>     ike=aes128-sha1-modp1024
>>>     esp=aes128-sha1-modp1024
>>>     dpdaction=restart
>>>     dpddelay=60
>>>     dpdtimeout=500
>>>
>>> conn dns1
>>>     leftprotoport=tcp
>>>     rightprotoport=tcp/53
>>>     also=dns_SRV
>>>
>>> conn dns2
>>>     leftprotoport=udp
>>>     rightprotoport=udp/53
>>>     also=dns_SRV
>>>
>>> conn dns3
>>>     leftprotoport=udp/53
>>>     rightprotoport=udp
>>>     also=dns_SRV
>>>
>>> conn dns4
>>>     leftprotoport=tcp/53
>>>     rightprotoport=tcp
>>>     also=dns_SRV
>>>
>>> conn dns_SRV
>>>     left=10.17.0.11
>>>     right=10.27.64.11
>>> ---
>>>
>>> When I run ipsec statusall dns1 gets to STATE_MAIN_I4 (ISAKMP SA
>>> ESTABLISHED) but the other ones don't seem to do anything.
>>> The DNS traffic still goes out unencrypted.
>>>
>>> How can I replicate the ACL perfectly with strongswan?
>>>
>>> Best regards
>>>
>>> Hans-Kristian Bakke
>>> Mob: 91 76 17 38
>>
>> ======================================================================
>> Andreas Steffen                         [email protected]
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
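The following script is an added illustration of Andreas's answer to the second question (four conn definitions covering an eight-line ACL); it is not code from the thread or from the strongSwan project. It expands each transport-mode conn into the two host-to-host selectors the kernel installs for it (left-to-right and right-to-left) and compares that set with the Cisco ACL lines quoted above. The conf text and ACL text are copied from the thread; the parsing helpers are hypothetical, handle only the `proto` / `proto/port` selector syntax used there, and assume that settings in a conn take precedence over those pulled in through `also=`.

```python
"""Added example: check that strongSwan transport-mode conns cover an ACL.

Each conn with leftprotoport/rightprotoport yields one outbound and one
inbound policy, which is why four conns match eight ACL lines.  The
helper functions below are constructed for this example and only cover
the selector syntax used in the thread.
"""
import re

# Sample input copied from the thread (conn bodies plus the shared section).
IPSEC_CONF = """\
conn dns1
    leftprotoport=tcp
    rightprotoport=tcp/53
    also=dns_SRV

conn dns2
    leftprotoport=udp
    rightprotoport=udp/53
    also=dns_SRV

conn dns3
    leftprotoport=udp/53
    rightprotoport=udp
    also=dns_SRV

conn dns4
    leftprotoport=tcp/53
    rightprotoport=tcp
    also=dns_SRV

conn dns_SRV
    left=10.17.0.11
    right=10.27.64.11
"""

# The ACL from the other end, copied from the thread.
ACL = """\
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the 'conn' sections only."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def resolve_conn(conns, name):
    """Merge 'also=' sections (assumed: keys set in the including conn win)."""
    merged = dict(conns[name])
    parent = merged.pop("also", None)
    if parent is not None:
        for key, value in resolve_conn(conns, parent).items():
            merged.setdefault(key, value)
    return merged


def parse_protoport(spec):
    """'tcp' -> ('tcp', None); 'tcp/53' -> ('tcp', 53).  None means any port."""
    proto, _, port = spec.partition("/")
    return proto, (int(port) if port else None)


def conn_policies(conn):
    """Selectors one transport-mode conn installs, as
    (proto, src_ip, src_port, dst_ip, dst_port): left->right and right->left."""
    lproto, lport = parse_protoport(conn["leftprotoport"])
    rproto, rport = parse_protoport(conn["rightprotoport"])
    if lproto != rproto:
        raise ValueError("left/right protocol mismatch: %s vs %s" % (lproto, rproto))
    left, right = conn["left"], conn["right"]
    return {
        (lproto, left, lport, right, rport),   # outbound policy
        (lproto, right, rport, left, lport),   # inbound policy
    }


ACL_LINE = re.compile(
    r"permit\s+(tcp|udp)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")


def parse_acl(text):
    """Cisco 'permit PROTO host A [eq P] host B [eq P]' lines -> selector set."""
    policies = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACL_LINE.match(line)
        if m is None:
            raise ValueError("unsupported ACL line: " + line)
        proto, src, sport, dst, dport = m.groups()
        policies.add((proto, src, int(sport) if sport else None,
                      dst, int(dport) if dport else None))
    return policies


def compare(conf_text, acl_text):
    """Return (missing, extra): ACL entries no conn covers, and conn
    policies the ACL would not permit."""
    conns = parse_ipsec_conf(conf_text)
    wanted = parse_acl(acl_text)
    have = set()
    for name in conns:
        full = resolve_conn(conns, name)
        if "leftprotoport" in full and "rightprotoport" in full:
            have |= conn_policies(full)
    return wanted - have, have - wanted


if __name__ == "__main__":
    missing, extra = compare(IPSEC_CONF, ACL)
    print("ACL entries no conn covers:", sorted(map(str, missing)) or "none")
    print("conn policies beyond the ACL:", sorted(map(str, extra)) or "none")
```

With the four conns from the thread both sets come out empty, which is the pairwise argument made concrete; drop any one conn and two ACL lines (its outbound and inbound selector) show up as uncovered. The check only says whether the selectors agree; whether a given Quick Mode actually negotiates, as in dns2 .. dns4 above, still has to come from the pluto log.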
