[Swan] Policy groups
phil.nightowl at gmail.com
Tue Jun 9 06:00:34 UTC 2020
Hi everyone!
I was trying to set up a configuration using policy groups - and failed
completely. While trying to debug the problem, I cut the config down as
much as possible, arriving at the built-in conns/policies. Finally, I ended
up at (considering only the config of the initiating host at this point):
/etc/ipsec.conf containing
config setup
plutodebug=none
virtual_private=<usual RFC 1918 address ranges>
/etc/ipsec.d/policies/clear containing
10.0.10.0/24 tcp 0 22
10.0.10.0/24 tcp 22 0
/etc/ipsec.d/policies/private containing
10.0.10.254/32
... and all the remaining config files either not present at all, or
containing only comments.
Given this very short config (everything else being thus defaults), I
expected the built-in policy groups to apply, causing any connection
attempt from 10.0.10.3 (which is the default interface's IP on that
host) towards 10.0.10.254 (ping, http, whatever) to trigger the usual
handshake/IKE activity. However, I do not see any of that, and the outgoing
packets are happily transmitted in the clear.
Any hints as to what I am missing would be greatly appreciated.
A little more debug output is attached below, do not hesitate to ask for
more if needed.
Many thanks,
Phil
-----------
relevant 'ipsec whack --status' output:
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface enp2s3/enp2s3 10.0.10.3 at 4500
000 interface enp2s3/enp2s3 10.0.10.3 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/var/lib/ipsec/nss, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/usr/share/dns/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.27, pluto_vendorid=OE-Libreswan-3.27
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 Kernel algorithms supported:
...
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 Total IPsec connections: loaded 0, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
'ip xfrm policy list' output is "all zeros":
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
... and so on
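Added example (not part of Phil's message, and not a file shipped with any particular Libreswan package): the files under /etc/ipsec.d/policies/ only supply the list of destinations for a policy group; Pluto attaches each file to a connection of the same name that uses right=%group or right=%opportunisticgroup, and instantiates one conn per line in the file. If no such conns are defined, nothing is instantiated, which matches the "Total IPsec connections: loaded 0" line in the status output above. The fragment below shows what the two conns for the two populated policy files could look like in Libreswan 3.x ipsec.conf syntax, modelled on the oe-authnull examples that Libreswan distributes; the specific lifetimes and the choice of authby=null are assumptions chosen for illustration, not something the original post states.

```ini
# Added example: minimal policy-group conns for the two populated files.
# The conn name must match the file name under /etc/ipsec.d/policies/.

# /etc/ipsec.d/policies/clear -> plain passthrough, no IKE is ever started.
# %group loads the file's entries as passthrough instances.
conn clear
	type=passthrough
	authby=never
	left=%defaultroute
	right=%group
	auto=ondemand

# /etc/ipsec.d/policies/private -> traffic to listed peers must be encrypted.
# %opportunisticgroup loads the entries as on-demand (trap) policies, so the
# first packet to 10.0.10.254 triggers IKE instead of leaving in the clear.
conn private
	left=%defaultroute
	leftid=%null
	leftauth=null
	right=%opportunisticgroup
	rightid=%null
	rightauth=null
	ikev2=insist
	type=tunnel
	auto=ondemand
	negotiationshunt=hold    # assumption: hold packets while IKE runs
	failureshunt=drop        # assumption: drop rather than fall back to clear
	ikelifetime=8h           # assumption: illustrative lifetime values
	salifetime=1h
```

With these conns present (directly in /etc/ipsec.conf or in an included /etc/ipsec.d/*.conf), `ipsec whack --status` should list instances of clear and private under "Connection list" instead of "loaded 0", and `ip xfrm policy` should show a trap/hold policy for 10.0.10.254/32 rather than only the all-zeros socket policies quoted above. The clear group needs no secrets; the private group as written uses NULL authentication (authby null), which gives opportunistic encryption but no peer authentication, so it protects against passive observation only.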