[Swan] ipsec traffic leak

Xinwei Hong xhong at skytap.com
Thu May 4 22:50:28 UTC 2017


Just realized that I can do a "ipsec auto --route conn_xxx", this can add
the entry and pkt would be dropped as expected. Please let me know if this
is the correct way to deal with it.

Thanks,
Xinwei

On Thu, May 4, 2017 at 3:37 PM, Xinwei Hong <xhong at skytap.com> wrote:

> Hi,
>
> I have a policy-based ipsec setting where I only have one end ready and we
> are waiting for other end to connect to it. So, the VPN tunnel is not
> actually created yet. When we try to ping an address in remote subnet
> (presumably), the traffic could leak out to network through its interface.
> I checked and found this xfrm entry was missing.
>
> # ip xfrm policy
> src 10.100.0.0/16 dst 10.200.0.0/16
> dir out priority 2608
> tmpl src 0.0.0.0 dst 0.0.0.0
> proto esp reqid 0 mode transport
> When this entry exists, pkt will be dropped as expected.
>
> If I have all config ready and do a "ipsec start", that entry is added and
> pkt go dropped. If I do a ipsec auto --down/delete/add/up, I suppose we can
> get same behavior as "ipsec start", i.e. the entry is added. However, the
> entry will not be added and traffic get routed out. If the remote peer goes
> up and connect to this terminal, the entry will be added correctly. Do you
> know any reason why this behavior difference? How can we make sure no
> traffic gets leaked out while we are waiting for the peer to connect?
>
> I do see the following log when the entry is not added.
> May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: WARNING: using
> a weak secret (PSK)
> May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483:
> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16" #1:
> initiating Main Mode
> May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483:
> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16":
> *deleting* non-instance connection
> May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483:
> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16" #1:
> *deleting* state (STATE_MAIN_I1)
> May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: added
> connection description "conn_vpn-5483483-tunnel-
> VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16"
>
> The "deleting .." was not there when we do "ipsec start". Not sure if the
> SPD policy entry was deleted during the time. (in both cases, remote peer
> is not ready or does not exist)
>
>
> Thanks,
> Xinwei
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20170504/0a534a57/attachment.html>


More information about the Swan mailing list