[Swan-dev] Local port, IKE Cookies, IKE SA established time, IKE rekey time

Paul Wouters paul at nohats.ca
Wed Oct 28 03:23:32 UTC 2020


On Tue, 27 Oct 2020, Balaji Thoguluva wrote:

> Does any of the Libreswan commands (ipsec whack etc.) display the following information?
> 
> 1. local (ephemeral) port of the application (for example TCP connection initiated) that triggered the IKEv2/IPsec connection. For example, for a TCP connection
> triggered from Libreswan, currently the "ipsec whack --trafficstatus" command displays 0 for the peer port whereas it displays its local port correctly.

ipsec trafficstatus never shows that. But ipsec status also does not
currently show this. You can see it within the kernel state though,
e.g.:

root at west:/# ip xfrm state
src 192.1.2.23 dst 192.1.2.45
 	proto esp spi 0x0e7eec94 reqid 16393 mode tunnel
 	replay-window 32 flag af-unspec
 	aead rfc4106(gcm(aes)) 0x3b630190a4c05c5a4337c9cb28be756c9065abcc44f11ceb4a156dba65dfb84ad91cf83f 128
 	encap type espintcp sport 4500 dport 59152 addr 0.0.0.0
 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
 	proto esp spi 0xf0868fcb reqid 16393 mode tunnel
 	replay-window 32 flag af-unspec
 	aead rfc4106(gcm(aes)) 0xb51a661573c7aa25a248490c1678da3854b8e735e66b9c799f44f02a17018a06106a3189 128
 	encap type espintcp sport 59152 dport 4500 addr 0.0.0.0
 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

But if you have more than one tunnel, matching them up is tricky.

It does show up partially, e.g. the remote port, in ipsec status:

000 #3: "ikev2-westnet-eastnet":4500(tcp) STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 2605s; newest ISAKMP; idle;

The remote here is port 4500 tcp.

> 2. IKE cookies (or IKE SPI)

Those are currently also not listed anywhere.

> 3. Time when IKE SA is established

No, just the EVENT_SA_REKEY which is keylife - establishment date.

> 4. time remaining to perform IKE rekey

Yes, see above: EVENT_SA_REKEY in 2605s;

We are looking at adding another output where you pick the items you
want and you get those back in json. Hopefully then people can write
wrappers around that to their requirements.

(if anyone wants to work on this, ping me)

Paul
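Until such a JSON output exists, the kernel state and the status line can be correlated by hand. The following is an added example, not Libreswan code: it parses an `ip xfrm state` dump shaped like the one above, groups the two SAs of a tunnel by reqid, and reads the local (ephemeral) encapsulation port off the outbound SA, cross-checking it against the mirrored ports of the inbound SA; it assumes the caller knows its own address (the kernel dump does not say which end is "us"), and the sample inputs are constructed from the post's output with a second, plain-ESP tunnel added for contrast.

```python
import re
# Constructed samples in the shape of the post's output (xfrm trimmed; a second, plain-ESP tunnel added).
SAMPLE_XFRM = """\
src 192.1.2.23 dst 192.1.2.45
\tproto esp spi 0x0e7eec94 reqid 16393 mode tunnel
\tencap type espintcp sport 4500 dport 59152 addr 0.0.0.0
src 192.1.2.45 dst 192.1.2.23
\tproto esp spi 0xf0868fcb reqid 16393 mode tunnel
\tencap type espintcp sport 59152 dport 4500 addr 0.0.0.0
src 192.1.3.33 dst 192.1.2.45
\tproto esp spi 0x11111111 reqid 16401 mode tunnel
src 192.1.2.45 dst 192.1.3.33
\tproto esp spi 0x22222222 reqid 16401 mode tunnel
"""
SAMPLE_STATUS = ('000 #3: "ikev2-westnet-eastnet":4500(tcp) STATE_V2_ESTABLISHED_IKE_SA '
                 '(established IKE SA); EVENT_SA_REKEY in 2605s; newest ISAKMP; idle;')

def parse_xfrm_state(text):
    """One dict per SA: src, dst, spi, reqid, encap (None if none), sport/dport when encapsulated."""
    sas = []
    for block in re.split(r"(?m)^(?=src )", text):  # each SA starts with a "src ... dst ..." line
        m = re.match(r"src (\S+) dst (\S+)", block)
        if not m:
            continue
        sa = {"src": m.group(1), "dst": m.group(2)}
        # base 0 lets int() accept both the 0x... SPI and the decimal reqid/ports
        sa.update({k: int(v, 0) for k, v in re.findall(r"\b(spi|reqid|sport|dport) (\S+)", block)})
        em = re.search(r"encap type (\S+)", block)
        sa["encap"] = em.group(1) if em else None
        sas.append(sa)
    return sas

def parse_status_line(line):
    """Connection name, remote port/proto and seconds until rekey from an ipsec status line."""
    m = re.search(r'"([^"]+)":(\d+)\((\w+)\).*EVENT_SA_REKEY in (\d+)s', line)
    return None if not m else {"conn": m.group(1), "rport": int(m.group(2)),
                               "proto": m.group(3), "rekey_in": int(m.group(4))}

def tunnel_ports(sas, local_addr, reqid):
    """(local_port, remote_port, encap) of one tunnel, read from its outbound SA (src == us)."""
    out = [s for s in sas if s["reqid"] == reqid and s["src"] == local_addr]
    inn = [s for s in sas if s["reqid"] == reqid and s["dst"] == local_addr]
    if len(out) != 1 or len(inn) != 1:
        raise ValueError(f"reqid {reqid}: expected one SA per direction")
    o, i = out[0], inn[0]
    if o["encap"] is None:
        return None  # plain ESP: no UDP/TCP port to report
    if (o["sport"], o["dport"]) != (i["dport"], i["sport"]):
        raise ValueError(f"reqid {reqid}: inbound ports do not mirror outbound")
    return o["sport"], o["dport"], o["encap"]
```

The remote port from `tunnel_ports` (4500 here) is the one `ipsec status` prints after the connection name, which is the handle for matching a status line to its kernel SAs when several tunnels are up.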

