[Swan] Policy groups

phil.nightowl at gmail.com phil.nightowl at gmail.com
Tue Jun 9 06:00:34 UTC 2020 

Hi everyone!

I was trying to set up a configuration using policy groups - and failed 
completely. While trying to debug the problem, I cut the config down as 
much as possible, arriving at the built-in conns/policies. Finally, I ended 
up at (considering only the config of the initiating host at this point):

/etc/ipsec.conf containing

config setup
	plutodebug=none
	virtual_private=<usual RFC 1918 address ranges>


/etc/ipsec.d/policies/clear containing

10.0.10.0/24   tcp  0   22
10.0.10.0/24   tcp  22   0


/etc/ipsec.d/policies/private containing

10.0.10.254/32


... and all the remaining config files either not present at all, or 
containing only comments.

Given this very short config (everything else being thus defaults), I 
expected the built-in policy groups to apply, causing any connection 
attempt to from 10.0.10.3 (which is the default interface's IP on that 
host) towards 10.0.10.254 (ping, http, whatever) to trigger the usual 
handshake/IKE activity. However, I do not see any of that and the outgoing 
packets are happily transmitted in clear.

Any hints to what am I missing would be greatly appreciated.

A little more debug output is attached below, do not hesitate to ask for 
more if needed.

Many thanks,


Phil


-----------

relevant 'ipsec whack --status' output:
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface enp2s3/enp2s3 10.0.10.3 at 4500
000 interface enp2s3/enp2s3 10.0.10.3 at 500
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/var/lib/ipsec/nss, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/usr/share/dns/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.27, pluto_vendorid=OE-Libreswan-3.27
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000  
000 Kernel algorithms supported:
...

000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 Total IPsec connections: loaded 0, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  


'ip xfrm policy list' output is "all zeros":
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 

... and so on

More information about the Swan mailing list