[Swan] Opportunistic encryption on a secondary interface

Matt Hilt matt.hilt at numerica.us
Thu Nov 30 01:10:19 UTC 2017


I'm having a bit of trouble with opportunistic IPSec, specifically getting failover to clear working. Here is my setup:

* Redhat 7 on AWS in FIPS mode, libreswan 3.20.
* An SSH jump box with:
  - the main eth0 interface is on a public subnet (10.0.0.0/24); this traffic need not be encrypted. This also has an elastic IP, but I don't think that matters here.
  - a second interface eth1 on a private subnet (10.0.1.0/24). This subnet should (almost) always be encrypted.
  - opportunistic configuration mostly taken from the Wiki example for the private-or-clear section. One important change was left=10.0.1.100
  - the “clear” policy includes just the gateway (10.0.1.1/32)
  - the “private-or-clear” policy includes the rest of the subnet (10.0.1.0/24)
* A client configured for OE at 10.0.1.21.
  - the “private” policy is set to the subnet (10.0.1.0/24) 
  - the “clear” policy is the gateway (10.0.1.1/32)
* A client without IPsec at 10.0.1.22.

The idea here is that when starting new VMs in the private subnet I need to first go through the jump box to configure the IPsec tunnels. So I need to fail over to clear until they are set up. But once they are configured I should only use encrypted traffic. What I am seeing is that I can connect to the properly configured host via the IPsec tunnel, but I cannot get to the unconfigured host.

When I run “ipsec status” the connection list is interesting: specifically in the “clear” section the only interface listed is eth0 (see below). I have tried using both the “interfaces” and “listen” parameters in the main config section but even then the best I can do is get a blank value for the interface in the clear section. Any ideas?

----------------------

000 Connection list:
000  
000 "clear": 10.0.0.100---10.0.0.1...%group; unrouted; eroute owner: #0
000 "clear":     oriented; my_ip=unset; their_ip=unset
000 "clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear":   our auth:unset, their auth:unset
000 "clear":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "clear":   labeled_ipsec:no;
000 "clear":   policy_label:unset;
000 "clear":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear":   policy: PFS+GROUP+GROUTED+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "clear":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0
000 "clear#10.0.1.1/32":     oriented; my_ip=unset; their_ip=unset
000 "clear#10.0.1.1/32":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#10.0.1.1/32":   our auth:unset, their auth:unset
000 "clear#10.0.1.1/32":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "clear#10.0.1.1/32":   labeled_ipsec:no;
000 "clear#10.0.1.1/32":   policy_label:unset;
000 "clear#10.0.1.1/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#10.0.1.1/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#10.0.1.1/32":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#10.0.1.1/32":   policy: PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;
000 "clear#10.0.1.1/32":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#10.0.1.1/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "clear#10.0.1.1/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#10.0.1.1/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear":     oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear":   our auth:rsasig, their auth:rsasig
000 "private-or-clear":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear":   labeled_ipsec:no;
000 "private-or-clear":   policy_label:unset;
000 "private-or-clear":   CAs: 'CA-INFO-REDACTED'
000 "private-or-clear":   ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear":   retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#10.0.1.0/24":     oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear#10.0.1.0/24":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#10.0.1.0/24":   our auth:rsasig, their auth:rsasig
000 "private-or-clear#10.0.1.0/24":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear#10.0.1.0/24":   labeled_ipsec:no;
000 "private-or-clear#10.0.1.0/24":   policy_label:unset;
000 "private-or-clear#10.0.1.0/24":   CAs: 'CA-INFO-REDACTED'
000 "private-or-clear#10.0.1.0/24":   ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#10.0.1.0/24":   retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear#10.0.1.0/24":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#10.0.1.0/24":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear#10.0.1.0/24":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#10.0.1.0/24":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#10.0.1.0/24"[1]: 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...10.0.1.21[CA-INFO-REDACTED]; erouted; eroute owner: #2
000 "private-or-clear#10.0.1.0/24"[1]:     oriented; my_ip=unset; their_ip=unset; mycert= CA-INFO-REDACTED
000 "private-or-clear#10.0.1.0/24"[1]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#10.0.1.0/24"[1]:   our auth:rsasig, their auth:rsasig
000 "private-or-clear#10.0.1.0/24"[1]:   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "private-or-clear#10.0.1.0/24"[1]:   labeled_ipsec:no;
000 "private-or-clear#10.0.1.0/24"[1]:   policy_label:unset;
000 "private-or-clear#10.0.1.0/24"[1]:   CAs: 'CA-INFO-REDACTED'
000 "private-or-clear#10.0.1.0/24"[1]:   ike_life: 3600s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#10.0.1.0/24"[1]:   retransmit-interval: 500ms; retransmit-timeout: 3s;
000 "private-or-clear#10.0.1.0/24"[1]:   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#10.0.1.0/24"[1]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "private-or-clear#10.0.1.0/24"[1]:   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "private-or-clear#10.0.1.0/24"[1]:   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#10.0.1.0/24"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "private-or-clear#10.0.1.0/24"[1]:   IKEv2 algorithm newest: AES_GCM_C_256-AUTH_NONE-PRF_HMAC_SHA2_512-MODP2048
000 "private-or-clear#10.0.1.0/24"[1]:   ESP algorithm newest: AES_GCM_C_256-NONE; pfsgroup=<Phase1>
<SNIP>
000 Total IPsec connections: loaded 7, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(0), anonymous(1)
000 IPsec SAs: total(1), authenticated(0), anonymous(1)
000  
000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_v2_SA_REPLACE_IF_USED in 2627s; newest IPSEC; eroute owner; isakmp#1; idle; import:local rekey
000 #2: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 esp.5ea67249 at 10.0.1.21 esp.1248e35f at 10.0.1.100 tun.0 at 10.0.1.21 tun.0 at 10.0.1.100 ref=0 refhim=0 Traffic: ESPin=4KB ESPout=5KB! ESPmax=0B 
000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21:500 STATE_PARENT_I3 (PARENT SA established); EVENT_v2_SA_REPLACE_IF_USED_IKE in 2837s; newest ISAKMP; isakmp#0; idle; import:local rekey
000 #1: "private-or-clear#10.0.1.0/24"[1] ...10.0.1.21 ref=0 refhim=0 Traffic: 
000  
000 Bare Shunt list:
000  
000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0    oe-failed
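
Added example (not from the original post and not part of libreswan): a small parser for the `ipsec status` connection list and bare-shunt section quoted above. It reports the local endpoint and the interface each conn oriented to, so the eth0-bound "clear" conns stand out next to the eth1-bound "private-or-clear" ones, and it lists peers currently held by an oe-failed shunt. The sample text is a constructed abbreviation of the output above; it also copes with the blank `interface:` value the poster describes.

```python
import re
# Constructed sample: an abbreviation of the `ipsec status` output quoted in the post above.
SAMPLE_STATUS = """\
000 "clear": 10.0.0.100---10.0.0.1...%group; unrouted; eroute owner: #0
000 "clear":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#10.0.1.1/32": 10.0.0.100---10.0.0.1...%any; prospective erouted; eroute owner: #0
000 "clear#10.0.1.1/32":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24": 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...%opportunistic[%fromcert]===10.0.1.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#10.0.1.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#10.0.1.0/24"[1]: 10.0.1.100<10.0.1.100>[CA-INFO-REDACTED]...10.0.1.21[CA-INFO-REDACTED]; erouted; eroute owner: #2
000 "private-or-clear#10.0.1.0/24"[1]:   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 Bare Shunt list:
000  
000 10.0.1.100/32:0 -0-> 10.0.1.22/32:0 => %unk-0 0    oe-failed
"""

CONN_RE = re.compile(r'^000 (?P<name>"[^"]+"(?:\[\d+\])?):\s*(?P<rest>.*)$')  # '000 "name"[inst]: rest'
LOCAL_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})')      # the local endpoint opens a conn's summary line
IFACE_RE = re.compile(r'interface: (?P<iface>[^;]*);')   # value may be blank, as the poster observed
SHUNT_RE = re.compile(r'^000 (?P<src>\S+) -\d+-> (?P<dst>\S+) => (?P<how>\S+) \d+\s+(?P<why>\S+)\s*$')

def parse_status(text):  # -> ({conn name: {"local": ip, "iface": name}}, [bare shunt dicts])
    conns, shunts, in_shunts = {}, [], False
    for line in text.splitlines():
        if line.startswith("000 Bare Shunt list:"):
            in_shunts = True
        if in_shunts:  # the header itself does not match SHUNT_RE and is skipped
            m = SHUNT_RE.match(line)
            if m:
                shunts.append(m.groupdict())
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        entry = conns.setdefault(m.group("name"), {"local": None, "iface": None})
        rest = m.group("rest")
        m_local = LOCAL_RE.match(rest)
        if m_local:
            entry["local"] = m_local.group(1)
        m_if = IFACE_RE.search(rest)
        if m_if:
            entry["iface"] = m_if.group("iface").strip() or "(blank)"
    return conns, shunts

def conns_not_on(conns, expected_iface):  # conns that oriented to some other interface
    return sorted(n for n, c in conns.items() if c["iface"] != expected_iface)

def failed_oe_peers(shunts):  # peers whose traffic is currently held by an oe-failed bare shunt
    return [s["dst"].split("/")[0] for s in shunts if s["why"] == "oe-failed"]
```

Run it on the full `ipsec status` output: `conns_not_on(conns, "eth1")` returns the two "clear" conns bound to eth0, and `failed_oe_peers(shunts)` returns `['10.0.1.22']`, the unconfigured host that cannot be reached.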
