[Swan] Opportunistic encryption on a secondary interface
Matt Hilt
matt.hilt at numerica.us
Thu Nov 30 01:10:19 UTC 2017
I'm having a bit of trouble with opportunistic IPSec, specifically getting failover to clear working. Here is my setup:
* Red Hat 7 on AWS in FIPS mode, libreswan 3.20.
* An SSH jump box with:
- the main eth0 interface is on a public subnet (10.0.0.0/24); this traffic need not be encrypted. This also has an elastic IP, but I don’t think that matters here.
- a second interface eth1 on a private subnet (10.0.1.0/24). This subnet should (almost) always be encrypted.
- opportunistic configuration mostly taken from the Wiki example for the private-or-clear section. One important change was left=10.0.1.100
- the “clear” policy includes just the gateway (10.0.1.1/32)
- the “private-or-clear” policy includes the rest of the subnet (10.0.1.0/24)
* A client configured for OE at 10.0.1.21.
- the “private” policy is set to the subnet (10.0.1.0/24)
- the “clear” policy is the gateway (10.0.1.1/32)
* A client without IPsec at 10.0.1.22.
The idea here is that when starting new VMs in the private subnet I need to first go through the jump box to configure the IPsec tunnels. So I need to fail over to clear until they are set up. But once they are configured I should only use encrypted traffic. What I am seeing is that I can connect to the properly configured host via the IPsec tunnel, but I cannot get to the unconfigured host.
When I run “ipsec status” the connection list is interesting: specifically in the “clear” section the only interface listed is eth0 (see below). I have tried using both the “interfaces” and “listen” parameters in the main config section but even then the best I can do is get a blank value for the interface in the clear section. Any ideas?
----------------------
000 Connection list:
000
000 "clear": 10.0.0.100---10.0.0.1...%group; unrouted; eroute owner: #0
000 "clear": oriented; my_ip=unset; their_ip=unset
000 "clear": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear": our auth:unset, their auth:unset
000 "clear": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "clear": labeled_ipsec:no;
000 "clear": policy_label:unset;
000 "clear": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear": policy: PFS+GROUP+GROUTED+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "clear": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0
000 "clear#10.0.1.1/32": oriented; my_ip=unset; their_ip=unset
000 "clear#10.0.1.1/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear#10.0.1.1/32": our auth:unset, their auth:unset
000 "clear#10.0.1.1/32": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "clear#10.0.1.1/32": labeled_ipsec:no;
000 "clear#10.0.1.1/32": policy_label:unset;
000 "clear#10.0.1.1/32": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#10.0.1.1/32": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#10.0.1.1/32": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#10.0.1.1/32": policy: PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear#10.0.1.1/32": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#10.0.1.1/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "clear#10.0.1.1/32": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#10.0.1.1/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear": oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear": our auth:rsasig, their auth:rsasig
000 "private-or-clear": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear": labeled_ipsec:no;
000 "private-or-clear": policy_label:unset;
000 "private-or-clear": CAs: 'CA-INFO-REDACTED'
000 "private-or-clear": ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear": retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#10.0.1.0/24": oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear#10.0.1.0/24": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear#10.0.1.0/24": our auth:rsasig, their auth:rsasig
000 "private-or-clear#10.0.1.0/24": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear#10.0.1.0/24": labeled_ipsec:no;
000 "private-or-clear#10.0.1.0/24": policy_label:unset;
000 "private-or-clear#10.0.1.0/24": CAs: 'CA-INFO-REDACTED'
000 "private-or-clear#10.0.1.0/24": ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#10.0.1.0/24": retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear#10.0.1.0/24": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#10.0.1.0/24": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear#10.0.1.0/24": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#10.0.1.0/24": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#10.0.1.0/24"[1]: 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...10.0.1.21[CA-INFO-REDACTED]; erouted; eroute owner: #2
000 "private-or-clear#10.0.1.0/24"[1]: oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear#10.0.1.0/24"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear#10.0.1.0/24"[1]: our auth:rsasig, their auth:rsasig
000 "private-or-clear#10.0.1.0/24"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear#10.0.1.0/24"[1]: labeled_ipsec:no;
000 "private-or-clear#10.0.1.0/24"[1]: policy_label:unset;
000 "private-or-clear#10.0.1.0/24"[1]: CAs: 'CA-INFO-REDACTED'
000 "private-or-clear#10.0.1.0/24"[1]: ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#10.0.1.0/24"[1]: retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear#10.0.1.0/24"[1]: sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#10.0.1.0/24"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24"[1]: conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear#10.0.1.0/24"[1]: dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#10.0.1.0/24"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "private-or-clear#10.0.1.0/24"[1]: IKEv2 algorithm newest: AES_GCM_C_256-AUTH_NONE-PRF_HMAC_SHA2_512-MODP2048
000 "private-or-clear#10.0.1.0/24"[1]: ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=<Phase1>
<SNIP>
000 Total IPsec connections: loaded 7, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(0), anonymous(1)
000 IPsec SAs: total(1), authenticated(0), anonymous(1)
000
000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_v2_SA_REPLACE_IF_USED in 2627s; newest IPSEC; eroute owner; isakmp#1; idle; import:local rekey
000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 esp.5ea67249 at 10.0.1.21 esp.1248e35f at 10.0.1.100 tun.0 at 10.0.1.21 tun.0 at 10.0.1.100 ref=0 refhim=0 Traffic: ESPin=4KB ESPout=5KB! ESPmax=0B
000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_PARENT_I3 (PARENT SA established); EVENT_v2_SA_REPLACE_IF_USED_IKE in 2837s; newest ISAKMP; isakmp#0; idle; import:local rekey
000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 ref=0 refhim=0 Traffic:
000
000 Bare Shunt list:
000
000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0 oe-failed
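Added example, not part of the post or of libreswan: a small audit script for the two symptoms described above, which parses selected "ipsec status" lines (the connection topology line, the "policy:" and "interface:" fields, and the bare shunt list) and reports (a) group instances whose covered remote network is on-link via one interface while the connection is oriented on a different one, and (b) bare shunts marked oe-failed, meaning the peer never negotiated and no clear fallback was installed. The sample status lines are constructed from the output quoted in the post (certificate details replaced by "[CA]"); the interface table (eth0 = 10.0.0.100/24, eth1 = 10.0.1.100/24) is an assumption taken from the post's description and the local addresses in the status output, and the function names are the example's own.

```python
"""Audit libreswan `ipsec status` output for OE orientation problems.

Example code written for this list thread; it is not libreswan's own
tooling.  It parses only the fields it needs and reports two things:
  * group instances oriented on an interface that is not the one whose
    network contains the instance's remote subnet, and
  * bare shunts marked "oe-failed" (OE failed, no clear fallback).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed from the status output quoted in the post.
SAMPLE_STATUS = """\
000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0
000 "clear#10.0.1.1/32": policy: PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear#10.0.1.1/32": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#10.0.1.0/24": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 Bare Shunt list:
000
000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0 oe-failed
"""

# Assumed interface addressing for the jump box, per the post's description.
INTERFACES = {"eth0": "10.0.0.100/24", "eth1": "10.0.1.100/24"}

CONN_RE = re.compile(r'^000 "(?P<base>[^"]+)"(?P<inst>\[\d+\])?: (?P<rest>.*)$')
TOPO_RE = re.compile(r'^(?P<local>\d{1,3}(?:\.\d{1,3}){3})')   # topology line starts with local IP
IFACE_RE = re.compile(r'interface: (?P<iface>[^;]*);')
POLICY_RE = re.compile(r'policy: (?P<policy>[^;]+);')
SHUNT_RE = re.compile(r'^000 (?P<src>\S+):\d+ -\d+-> (?P<dst>\S+):\d+ => (?P<note>.*)$')


@dataclass
class Conn:
    name: str            # full name including an instance tag such as "[1]"
    base: str            # name without the instance tag
    local: Optional[str] = None
    iface: Optional[str] = None
    policy: Tuple[str, ...] = ()

    @property
    def target(self) -> Optional[ipaddress.IPv4Network]:
        # Group instances are named "<group>#<remote subnet>".
        if "#" not in self.base:
            return None
        return ipaddress.ip_network(self.base.split("#", 1)[1], strict=False)


@dataclass
class Shunt:
    src: str
    dst: str
    note: str


def parse_status(text: str) -> Tuple[Dict[str, Conn], List[Shunt]]:
    conns: Dict[str, Conn] = {}
    shunts: List[Shunt] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            name = m["base"] + (m["inst"] or "")
            conn = conns.setdefault(name, Conn(name, m["base"]))
            rest = m["rest"]
            topo = TOPO_RE.match(rest)
            if topo and conn.local is None:
                conn.local = topo["local"]
            iface = IFACE_RE.search(rest)
            if iface:
                conn.iface = iface["iface"].strip() or None   # blank "interface: ;" -> None
            pol = POLICY_RE.search(rest)
            if pol:
                conn.policy = tuple(pol["policy"].split("+"))
            continue
        s = SHUNT_RE.match(line)
        if s:
            shunts.append(Shunt(s["src"], s["dst"], s["note"]))
    return conns, shunts


def audit(conns: Dict[str, Conn], shunts: List[Shunt], interfaces: Dict[str, str]) -> List[str]:
    """Return human-readable findings; interfaces maps name -> addr/prefix."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    findings: List[str] = []
    for conn in conns.values():
        target = conn.target
        if target is None or conn.iface is None:
            continue
        on_link = [n for n, net in nets.items() if target.subnet_of(net)]
        if on_link and conn.iface not in on_link:
            findings.append(
                f"{conn.name}: covers {target}, on-link via {'/'.join(on_link)}, "
                f"but is oriented from {conn.local} on {conn.iface}"
            )
    for sh in shunts:
        if "oe-failed" in sh.note:
            findings.append(f"bare shunt {sh.src} -> {sh.dst}: {sh.note} "
                            "(OE failed and no clear fallback was installed)")
    return findings


def audit_sample() -> List[str]:
    conns, shunts = parse_status(SAMPLE_STATUS)
    return audit(conns, shunts, INTERFACES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f)
```

Run against a live box with `ipsec status | python3 audit.py` style plumbing after replacing SAMPLE_STATUS with stdin; the interface table must match the host's real addressing, otherwise the on-link check is meaningless.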