[Swan] ipsec whack individual connections

John Crisp jcrisp at safeandsoundit.co.uk
Fri Feb 20 14:12:18 EET 2015


Thanks for the quick and helpful response !

On 20/02/15 00:36, Paul Wouters wrote:
> On Thu, 19 Feb 2015, John Crisp wrote:
> 
>> are fine, but would like to be able to individually stop/restart
>> connections.
> 
> ipsec auto --down name and ipsec auto --up name will do that.
> 

Ahhhh, OK. That works :-)

>> First is how to identify connections that are 'up' (though I guess that
>> I could ignore this and restart them regardless of state)
>>
> 
> That's just the phase1/parent. You should look for:


I have pasted the ipsec status output below - I don't seem to see
anything similar to your output !

>>
>> ipsec whack MyConnection
>>
>> But it seems that this is far too simplistic !
> 
> You should. We _are_ working on a replacement command that will be much
> more consise and friendly to the administrator.

Cool :-)

> 
> Note that you can get state changes to your custom scripts by setting
> the statsbin= value to your binary/shell script. That way you are
> notified of state changes without needing to call ipsec status or grep
> the logs.
> 

I will try and have a look at that thank you.

B. Rgds
John


Current config (connection from a CentOS 6 VM on Proxmox to a Draytek
3300 router):

/etc/ipsec.conf
config setup
    protostack=netkey
    #plutodebug=none
    #klipsdebug=none
    dumpdir=/var/run/pluto/
    nat_traversal=yes

    virtual_private=%v4:192.168.97.0/24

include /etc/ipsec.d/*.conf

/etc/ipsec.d/ipsec.conf

conn HomeToTest
    authby=secret
    auto=add
    type=tunnel
    ikelifetime=28800s
    keylife=3600s
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    pfs=yes
    left=%defaultroute
    leftsourceip=192.168.97.1
    leftsubnet=192.168.97.0/24
    rightsubnet=192.168.10.0/24
    right=4.5.6.7


[root at test ipsec.d]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth0/eth0 1.2.3.4 at 4500
000 interface eth0/eth0 1.2.3.4 at 500
000 interface eth1/eth1 192.168.97.1 at 4500
000 interface eth1/eth1 192.168.97.1 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf,
secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d,
dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.12, pluto_vendorid=OE-Libreswan-3.12
000 nhelpers=-1, uniqueids=yes, force-busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
000 secctx-attr-value=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnet: 192.168.97.0/24
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128,
keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC,
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=20,
v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=19,
v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=18,
v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16,
v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15,
v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14,
v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24,
v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=DISABLED-OAKLEY_CAMELLIA_CBC,
v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=DISABLED-OAKLEY_AES_CTR,
v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "HomeToTest":
192.168.97.0/24===1.2.3.4---9.8.7.6...4.5.6.7<4.5.6.7>===192.168.10.0/24; erouted;
eroute owner: #727
000 "HomeToTest":     oriented; my_ip=192.168.97.1; their_ip=unset
000 "HomeToTest":   xauth info: us:none, them:none,  my_xauthuser=[any];
their_xauthuser=[any]
000 "HomeToTest":   modecfg info: us:none, them:none, modecfg
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "HomeToTest":   labeled_ipsec:no, loopback:no;
000 "HomeToTest":    policy_label:unset;
000 "HomeToTest":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0;
000 "HomeToTest":   sha2_truncbug:no; initial_contact:no;
cisco_unity:no; send_vendorid:no;
000 "HomeToTest":   policy:
PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "HomeToTest":   conn_prio: 24,24; interface: eth0; metric: 0; mtu:
unset; sa_prio:auto;
000 "HomeToTest":   dpd: action:restart; delay:30; timeout:10; nat-t:
force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "HomeToTest":   newest ISAKMP SA: #726; newest IPsec SA: #727;
000 "HomeToTest":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "HomeToTest":   ESP algorithm newest: AES_128-HMAC_SHA1;
pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State list:
000
000 #727: "HomeToTest":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3327s; newest IPSEC; eroute owner; isakmp#726; idle;
import:not set
000 #727: "HomeToTest" esp.6b4fb749 at 4.5.6.7 esp.8d48393b at 1.2.3.4
tun.0 at 4.5.6.7 tun.0 at 1.2.3.4 ref=0 refhim=4294901761 Traffic: ESPin=0B
ESPout=0B! ESPmax=4194303B
000 #726: "HomeToTest":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 28526s; newest ISAKMP; lastdpd=-1s(seq
in:0 out:0); idle; import:not set
000
000 Shunt list:
000



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150220/6639bae9/attachment.sig>


More information about the Swan mailing list