[Swan] Explicit failure shunt for opportunistic connections
markd lists
markd.lists@gmail.com
Thu Jan 9 21:44:56 EET 2014
Hi List
Hoping someone can help me understand the behaviour of a policy-group-based OE setup (0.0.0.0/0 in private-or-clear), specifically what happens when there are no TXT or IPSECKEY RRs for either host.
I've been trying to simulate a "default fail open" scenario where neither host A nor host B has TXT or IPSECKEY published RSA keys. My understanding was that specifying failureshunt=passthrough on conn private-or-clear would install a %pass rule in ipsec eroute when OE attempts failed. This contradicts what I am seeing in pluto.log.
I see the initial acquire-pfkey caused by the connection attempt
| add bare shunt 0x7f631eb121d0 10.236.54.8/32:0 --0--> 10.236.33.242/32:0=> %hold 0 %acquire-pfkey
initiate on demand from 10.236.54.8:0 to 10.236.33.242:0 proto=0 state: fos_start because: acquire
.. connection private-or-clear#0.0.0.0/0 being chosen
| find_connection: looking for policy for connection: 10.236.54.8:0/0 -> 10.236.33.242:0/0
| find_connection: conn "private-or-clear#0.0.0.0/0" has compatible peers: 10.236.54.8/32 -> 0.0.0.0/0 [pri: 16777229]
| find_connection: comparing best "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none) to "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none)
| find_connection: concluding with "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} kind=CK_TEMPLATE
| creating new instance from "private-or-clear#0.0.0.0/0"
| initiate on demand from 10.236.54.8 to 10.236.33.242 new state: fos_start with ugh: ok
.. TXT lookup and failure for our explicitly specified leftid (purposefully not in DNS)
| DNS query 7 for TXT for is01.infrasec.orion.altus. (gw: @is01.infrasec.orion.altus)
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 23 seconds
| next event EVENT_PENDING_DDNS in 23 seconds
|
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 23 seconds
| next event EVENT_PENDING_DDNS in 23 seconds
|
| *received adns message
| asynch DNS answer 7 no TXT record for is01.infrasec.orion.altus.
.. IPSECKEY lookup and failure
| continuing from failed DNS lookup for our IPSECKEY record, 10.236.54.8 to 10.236.33.242: no TXT record for is01.infrasec.orion.altus.
initiate on demand from 10.236.54.8:0 to 10.236.33.242:0 proto=0 state: fos_our_txt because: our IPSECKEY record
| find_connection: looking for policy for connection: 10.236.54.8:0/0 -> 10.236.33.242:0/0
| find_connection: conn "private-or-clear#0.0.0.0/0" has compatible peers: 10.236.54.8/32 -> 0.0.0.0/0 [pri: 16777229]
| find_connection: comparing best "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none) to "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none)
| find_connection: concluding with "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} kind=CK_TEMPLATE
| creating new instance from "private-or-clear#0.0.0.0/0"
| started looking for secret for @is01.infrasec.orion.altus->(none) of kind PPK_RSA
| actually looking for secret for @is01.infrasec.orion.altus->(none) of kind PPK_RSA
| line 1: key type PPK_RSA(@is01.infrasec.orion.altus) to type PPK_RSA
| 1: compared key (none) to @is01.infrasec.orion.altus/ (none) -> 2
| 2: compared key (none) to @is01.infrasec.orion.altus/ (none) -> 2
| line 1: match=2
| best_match 0>2 best=0x7f631eb1fa60 (line=1)
| concluding with best_match=2 best=0x7f631eb1fa60 (lineno=1)
and finally a "no explicit failure shunt" message and removal of the hold shunt (where I assumed a %pass rule would be installed)
| initiate on demand from 10.236.54.8 to 10.236.33.242 new state: fos_our_txt with ugh: no IPSECKEY RR for us
Can not opportunistically initiate for 10.236.54.8 to 10.236.33.242: no IPSECKEY RR for us
| no explicit failure shunt for 10.236.54.8 to 10.236.33.242; removing spurious hold shunt
| removing specific host-to-host bare shunt
| no IPSECKEY RR for us eroute 10.236.54.8/32:0 --0-> 10.236.33.242/32:0 => %unk-0 (raw_eroute)
My full config is
root@is01:~# ipsec readwriteconf
#conn is01-is02-ptp loaded
#conn clear loaded
#conn clear-or-private loaded
#conn private-or-clear loaded
#conn private loaded
#conn block loaded
config setup
klipsdebug="all xmit tunnel-xmit netlink xform eroute spi radij esp ah rcv tunnel pfkey comp"
plutodebug="all raw crypt parsing emitting control lifecycle kernel dns oppo oppoinfo controlmore x509 dpd pfkey natt nattraversal klips netkey"
plutorestartoncrash=yes
perpeerlog=yes
nat_traversal=yes
interfaces=%defaultroute
plutostderrlog=/var/log/pluto.log
dumpdir=/var/run/pluto/
perpeerlogdir=/var/log/pluto/peer/
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
protostack=klips
# begin conn is01-is02-ptp
conn is01-is02-ptp
left=10.236.54.8
leftrsasigkey=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
right=10.236.54.7
rightrsasigkey=0sAQO/pPptL7AHfE5Uz4aZz+ZVD7lmUxG0nnbdNrt67RsK6ToycJqP4h7at6A3uaqhdZJ1TDFI31/vIQf/u4NSDxDAaLk6hdAP9fibf+QjbGrbjUJFQXYqOEcH2S/Lws7OrGXkkhNQGOcIMfKkGETcCdHiTrlAygLkF7usgOKi75JN2Vz4ic9FTRxnLkM8t9lJhxlNZNjeJTkGrHg3THQ4NTuQPohfJC0g0L7wkcbvp+BM9JGRmv+uUR72Oxyhcwg6sgAoXZtX+ESjiO05gjOB7jd6tHZwmQIz0QGymsCZCXaxhSu3NzfKeAcJxZg2SUwU8nyI4tpo8/4N5gkfq3Agqsbh/eMW/4m1Xy/4ke/T8xYyP1Xz4tpZM/iEfxnHBOgXDVKayLbdX4AJi23O97y8AaF3iVu4Lom4xA0K8XbQJAbCfm9LpwObJkH/sla49D8CSO5g7Z01yqLkLaEYZYc6PhDBDBnfJk77hTMPwzUUtTYBTxyq//oIfdkpI9T0DGgr
failureshunt=passthrough
dpddelay=120
dpdtimeout=60
dpdaction=clear
auto==start
type=tunnel
compress=no
pfs=yes
ikepad=yes
rekey=yes
overlapip=yes
authby=rsasig
phase2=esp
# end conn is01-is02-ptp
# begin conn clear
conn clear
left=%defaultroute
right=%group
authby=never
auto==ondemand
type=passthrough
# end conn clear
# begin conn clear-or-private
conn clear-or-private
left=%defaultroute
leftid="@is01.infrasec.orion.altus"
right=%opportunisticgroup
salifetime=3600
rekey=no
keyingtries=2
ikelifetime=3600
failureshunt=passthrough
auto==ondemand
type=passthrough
# end conn clear-or-private
# begin conn private-or-clear
conn private-or-clear
left=%defaultroute
leftid="@is01.infrasec.orion.altus"
right=%opportunisticgroup
salifetime=3600
rekey=no
keyingtries=2
ikelifetime=3600
failureshunt=passthrough
auto==ondemand
type=tunnel
compress=no
pfs=yes
ikepad=yes
rekey=no
overlapip=yes
authby=rsasig
phase2=esp
# end conn private-or-clear
# begin conn private
conn private
left=%defaultroute
leftid="@is01.infrasec.orion.altus"
right=%opportunisticgroup
salifetime=3600
rekey=no
keyingtries=2
ikelifetime=3600
failureshunt=drop
auto==ondemand
type=tunnel
compress=no
pfs=yes
ikepad=yes
rekey=no
overlapip=yes
authby=rsasig
phase2=esp
# end conn private
# begin conn block
conn block
left=%defaultroute
right=%group
authby=never
auto==ondemand
type=reject
# end conn block
# end of config
root@is01:~#
root@is01:~# ipsec eroute
25 10.236.54.8/32 -> 0.0.0.0/0 => %trap
1994 10.236.54.8/32 -> 10.236.54.7/32 => tun0x1004@10.236.54.7
0 10.236.54.8/32 -> 128.8.10.90/32 => %pass
0 10.236.54.8/32 -> 128.63.2.53/32 => %pass
0 10.236.54.8/32 -> 192.5.5.241/32 => %pass
0 10.236.54.8/32 -> 192.33.4.12/32 => %pass
0 10.236.54.8/32 -> 192.36.148.17/32 => %pass
0 10.236.54.8/32 -> 192.58.128.30/32 => %pass
0 10.236.54.8/32 -> 192.112.36.4/32 => %pass
0 10.236.54.8/32 -> 192.203.230.10/32 => %pass
0 10.236.54.8/32 -> 192.228.79.201/32 => %pass
0 10.236.54.8/32 -> 193.0.14.129/32 => %pass
12 10.236.54.8/32 -> $ip_of_my_local_dns_server_1/32 => %pass
13 10.236.54.8/32 -> $ip_of_my_local_dns_server_2/32 => %pass
0 10.236.54.8/32 -> 198.41.0.4/32 => %pass
0 10.236.54.8/32 -> 199.7.83.42/32 => %pass
0 10.236.54.8/32 -> 202.12.27.33/32 => %pass
root@is01:~#
root@is01:~# cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/libreswan/policygroups.html for details.
#
# root name servers should be in the clear
192.58.128.30/32
198.41.0.4/32
192.228.79.201/32
192.33.4.12/32
128.8.10.90/32
192.203.230.10/32
192.5.5.241/32
192.112.36.4/32
128.63.2.53/32
192.36.148.17/32
193.0.14.129/32
199.7.83.42/32
202.12.27.33/32
#Local DNS Servers
$ip_of_my_local_dns_server_1/32
$ip_of_my_local_dns_server_2/32
root@is01:~#
root@is01:~# cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/libreswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
root@is01:~#
Any pointers would be much appreciated.
Thanks!
Mark
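A small checker for exactly the question the post raises, added here as an example and not part of Mark's message or of libreswan's own tooling: it parses the `pluto.log` messages and `ipsec eroute` lines quoted above (embedded below as constructed samples), records per opportunistic attempt whether the %hold shunt was replaced by a failure shunt or just removed, and reports which eroute governs the next packet to that peer. The regular expressions match only the message formats visible in the post; the longest-prefix selection in `governing_eroute` is an assumption about how KLIPS picks an eroute, not something the page states.

```python
"""Cross-check pluto.log OE failure messages against `ipsec eroute` output.
Added example, not libreswan code: per OE attempt, did pluto install a
failure shunt or only remove the hold, and which eroute is now in force?"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the decisive lines of the pluto.log excerpt in the post.
SAMPLE_PLUTO_LOG = """\
| add bare shunt 0x7f631eb121d0 10.236.54.8/32:0 --0--> 10.236.33.242/32:0=> %hold 0 %acquire-pfkey
initiate on demand from 10.236.54.8:0 to 10.236.33.242:0 proto=0 state: fos_start because: acquire
| asynch DNS answer 7 no TXT record for is01.infrasec.orion.altus.
Can not opportunistically initiate for 10.236.54.8 to 10.236.33.242: no IPSECKEY RR for us
| no explicit failure shunt for 10.236.54.8 to 10.236.33.242; removing spurious hold shunt
| removing specific host-to-host bare shunt
"""

# Constructed sample: a trimmed `ipsec eroute` listing from the post.
SAMPLE_EROUTE = """\
25 10.236.54.8/32 -> 0.0.0.0/0 => %trap
1994 10.236.54.8/32 -> 10.236.54.7/32 => tun0x1004@10.236.54.7
0 10.236.54.8/32 -> 192.58.128.30/32 => %pass
"""

# Patterns cover only the message formats visible in the post.
EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")
HOLD_RE = re.compile(r"add bare shunt \S+ (\S+?)/\d+:\d+ --\d+--> (\S+?)/\d+:\d+=> %hold")
FAIL_RE = re.compile(r"^Can not opportunistically initiate for (\S+) to (\S+): (.+)$")
NOSHUNT_RE = re.compile(r"no explicit failure shunt for (\S+) to (\S+); removing spurious hold shunt")

@dataclass
class Eroute:
    count: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str  # %trap, %pass, %hold, %drop, %reject or a tunnel such as tun0x1004@peer

@dataclass
class OEAttempt:
    src: str
    dst: str
    hold_installed: bool = False
    failure_reason: Optional[str] = None
    hold_removed_without_shunt: bool = False

def parse_eroutes(text: str) -> List[Eroute]:
    """Parse `ipsec eroute` lines; non-matching lines are ignored."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    return [Eroute(int(m[1]), net(m[2]), net(m[3]), m[4])
            for m in map(EROUTE_RE.match, text.splitlines()) if m]

def governing_eroute(routes: List[Eroute], src: str, dst: str) -> Optional[Eroute]:
    """Most specific eroute covering src->dst (longest dst prefix, then src).
    Assumption: this approximates the KLIPS radix lookup, which the post does not show."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [r for r in routes if s in r.src and d in r.dst]
    return max(matches, key=lambda r: (r.dst.prefixlen, r.src.prefixlen), default=None)

def parse_oe_attempts(log: str) -> Dict[Tuple[str, str], OEAttempt]:
    """Collect, per (src, dst) pair, what pluto logged about the OE attempt."""
    attempts: Dict[Tuple[str, str], OEAttempt] = {}

    def attempt(src: str, dst: str) -> OEAttempt:
        return attempts.setdefault((src, dst), OEAttempt(src, dst))

    for line in log.splitlines():
        if (m := HOLD_RE.search(line)):
            attempt(*m.groups()).hold_installed = True
        elif (m := FAIL_RE.match(line)):
            attempt(m.group(1), m.group(2)).failure_reason = m.group(3).strip()
        elif (m := NOSHUNT_RE.search(line)):
            attempt(*m.groups()).hold_removed_without_shunt = True
    return attempts

def report(log: str, eroute_text: str) -> List[str]:
    """One line per OE attempt: failure reason, shunt outcome, eroute now in force."""
    routes = parse_eroutes(eroute_text)
    out = []
    for (src, dst), a in sorted(parse_oe_attempts(log).items()):
        r = governing_eroute(routes, src, dst)
        in_force = f"{r.dst} => {r.target}" if r else "no eroute"
        if a.hold_removed_without_shunt:
            verdict = "hold removed, no failure shunt installed"
        elif r is not None and r.target in ("%pass", "%drop", "%reject"):
            verdict = f"failure shunt {r.target} in place"
        else:
            verdict = "outcome not determined from log"
        out.append(f"{src} -> {dst}: {a.failure_reason or 'no failure logged'}; "
                   f"{verdict}; next packet hits {in_force}")
    return out

if __name__ == "__main__":
    for line in report(SAMPLE_PLUTO_LOG, SAMPLE_EROUTE):
        print(line)
```

On the post's own data the report shows that after the "removing spurious hold shunt" line nothing narrower than the group's 0.0.0.0/0 => %trap eroute covers 10.236.33.242, so the next packet re-triggers an acquire rather than passing in the clear; a failureshunt=passthrough that had taken effect would instead show up as a host-specific %pass entry, as the clear-group entries do.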