[Swan] How to force LibreSWAN to listen on a particular interface
Scott A. Wozny
sawozny at hotmail.com
Sat Sep 19 20:15:30 UTC 2020
Never mind. Figured it out. Apparently there is only one recognized "config setup" section in the base /etc/ipsec.conf file. I moved the listen directive in there and it worked exactly as expected.
Thanks,
Scott
________________________________
From: Swan <swan-bounces at lists.libreswan.org> on behalf of Scott A. Wozny <sawozny at hotmail.com>
Sent: September 18, 2020 8:11 PM
To: swan at lists.libreswan.org <swan at lists.libreswan.org>
Subject: [Swan] How to force LibreSWAN to listen on a particular interface
By default when I start LibreSWAN's ipsec it binds to UDP/500 and UDP/4500 on all interfaces as shown:
[sawozny at vpnnj ~]$ sudo ipsec --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth0/eth0 192.168.1.214 at 4500
000 interface eth0/eth0 192.168.1.214 at 500
000 interface ens8/ens8 10.1.2.2 at 4500
000 interface ens8/ens8 10.1.2.2 at 500
000 interface ens9/ens9 10.1.3.2 at 4500
000 interface ens9/ens9 10.1.3.2 at 500
[sawozny at vpnca ~]$ sudo ipsec --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth0/eth0 192.168.1.215 at 4500
000 interface eth0/eth0 192.168.1.215 at 500
000 interface ens8/ens8 10.1.5.2 at 4500
000 interface ens8/ens8 10.1.5.2 at 500
000 interface ens9/ens9 10.1.6.2 at 4500
000 interface ens9/ens9 10.1.6.2 at 500
I’d like to only bind to the IP on interface ens8 on each machine. I tried adding this listen= parameter in a config setup section on both sides of my config, but ipsec still attaches to all interfaces available.
Note, there's a NAT device in the middle converting 10.1.2.2 to 172.16.1.2 and 10.1.5.2 to 172.16.1.10, which is why the configs are asymmetrical.
[sawozny at vpnnj ~]$ sudo cat /etc/ipsec.d/intersitetunnel.conf
# /etc/ipsec.d/intersitetunnel.conf
config setup
listen=10.1.2.2
conn intersitetunnel
left=10.1.2.2
leftid=@vpnnj
leftsubnet=10.1.4.0/24
leftrsasigkey=0sAwEAAcQQa4wVLATC […]
right=172.16.1.10
rightid=@vpnca
rightsubnet=10.1.7.0/24
rightrsasigkey=0sAwEAAcp4iq2wyRG […]
authby=rsasig
auto=start
[sawozny at vpnca ~]$ sudo cat /etc/ipsec.d/intersitetunnel.conf
# /etc/ipsec.d/intersitetunnel.conf
config setup
listen=10.1.5.2
conn intersitetunnel
left=10.1.5.2
leftid=@vpnca
leftsubnet=10.1.7.0/24
leftrsasigkey=0sAwEAAcp4iq2wyRG […]
right=172.16.1.2
rightid=@vpnnj
rightsubnet=10.1.4.0/24
rightrsasigkey=0sAwEAAcQQa4wVLATC […]
authby=rsasig
auto=start
The tunnel itself comes up (although it doesn’t yet pass traffic which I’m troubleshooting now).
[sawozny at vpnnj ~]$ sudo ip xfrm policy
[sudo] password for sawozny:
src 10.1.4.0/24 dst 10.1.7.0/24
dir out priority 1042407 ptype main
tmpl src 10.1.2.2 dst 172.16.1.10
proto esp reqid 16389 mode tunnel
src 10.1.7.0/24 dst 10.1.4.0/24
dir fwd priority 1042407 ptype main
tmpl src 172.16.1.10 dst 10.1.2.2
proto esp reqid 16389 mode tunnel
src 10.1.7.0/24 dst 10.1.4.0/24
dir in priority 1042407 ptype main
tmpl src 172.16.1.10 dst 10.1.2.2
proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
[sawozny at vpnnj ~]$ sudo ip xfrm state
src 172.16.1.10 dst 10.1.2.2
proto esp spi 0x092a9183 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x3298b10af98c345c36d1ec645571cb33fc364d20 96
enc cbc(aes) 0x87961e26af97aec8fa83b40d444648e5
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.2.2 dst 172.16.1.10
proto esp spi 0x691db0b7 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x00208346d158ea51312b9f948cf321dc77aa51e0 96
enc cbc(aes) 0x7c3d3ceae35c4d8b97399a1bd5487765
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.1.10 dst 10.1.2.2
proto esp spi 0xbfa41218 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x4cd4572e7f291034a70a6095671d5a212c3da06b 96
enc cbc(aes) 0x631d0eac41849e5be9a3d99031cc22be
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.2.2 dst 172.16.1.10
proto esp spi 0x9096b70e reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xb40d645fb2f5d7aa159f8a855a2072baba29ec80 96
enc cbc(aes) 0xccd88264c98caf121a062be207618210
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
[sawozny at vpnca ~]$ sudo ip xfrm policy
[sudo] password for sawozny:
src 10.1.7.0/24 dst 10.1.4.0/24
dir out priority 1042407 ptype main
tmpl src 10.1.5.2 dst 172.16.1.2
proto esp reqid 16389 mode tunnel
src 10.1.4.0/24 dst 10.1.7.0/24
dir fwd priority 1042407 ptype main
tmpl src 172.16.1.2 dst 10.1.5.2
proto esp reqid 16389 mode tunnel
src 10.1.4.0/24 dst 10.1.7.0/24
dir in priority 1042407 ptype main
tmpl src 172.16.1.2 dst 10.1.5.2
proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
[sawozny at vpnca ~]$ sudo ip xfrm state
src 172.16.1.2 dst 10.1.5.2
proto esp spi 0x691db0b7 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x00208346d158ea51312b9f948cf321dc77aa51e0 96
enc cbc(aes) 0x7c3d3ceae35c4d8b97399a1bd5487765
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.5.2 dst 172.16.1.2
proto esp spi 0x092a9183 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x3298b10af98c345c36d1ec645571cb33fc364d20 96
enc cbc(aes) 0x87961e26af97aec8fa83b40d444648e5
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.1.2 dst 10.1.5.2
proto esp spi 0x9096b70e reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xb40d645fb2f5d7aa159f8a855a2072baba29ec80 96
enc cbc(aes) 0xccd88264c98caf121a062be207618210
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.5.2 dst 172.16.1.2
proto esp spi 0xbfa41218 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x4cd4572e7f291034a70a6095671d5a212c3da06b 96
enc cbc(aes) 0x631d0eac41849e5be9a3d99031cc22be
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
But both devices are still binding ipsec to all interfaces:
[sawozny at vpnnj ~]$ sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:60859 *:* users:(("snmpd",pid=1045,fd=7))
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1045,fd=6))
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=723,fd=5))
udp UNCONN 0 0 127.0.0.1:4500 *:* users:(("pluto",pid=30415,fd=23))
udp UNCONN 0 0 192.168.1.214:4500 *:* users:(("pluto",pid=30415,fd=21))
udp UNCONN 0 0 10.1.2.2:4500 *:* users:(("pluto",pid=30415,fd=19))
udp UNCONN 0 0 10.1.3.2:4500 *:* users:(("pluto",pid=30415,fd=17))
udp UNCONN 0 0 127.0.0.1:500 *:* users:(("pluto",pid=30415,fd=22))
udp UNCONN 0 0 192.168.1.214:500 *:* users:(("pluto",pid=30415,fd=20))
udp UNCONN 0 0 10.1.2.2:500 *:* users:(("pluto",pid=30415,fd=18))
udp UNCONN 0 0 10.1.3.2:500 *:* users:(("pluto",pid=30415,fd=16))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=723,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))
tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1127,fd=13))
tcp LISTEN 0 128 127.0.0.1:199 *:* users:(("snmpd",pid=1045,fd=8))
[sawozny at vpnca ~]$ sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:51169 *:* users:(("snmpd",pid=1047,fd=7))
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1047,fd=6))
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=739,fd=5))
udp UNCONN 0 0 127.0.0.1:4500 *:* users:(("pluto",pid=20234,fd=23))
udp UNCONN 0 0 192.168.1.215:4500 *:* users:(("pluto",pid=20234,fd=21))
udp UNCONN 0 0 10.1.5.2:4500 *:* users:(("pluto",pid=20234,fd=19))
udp UNCONN 0 0 10.1.6.2:4500 *:* users:(("pluto",pid=20234,fd=17))
udp UNCONN 0 0 127.0.0.1:500 *:* users:(("pluto",pid=20234,fd=22))
udp UNCONN 0 0 192.168.1.215:500 *:* users:(("pluto",pid=20234,fd=20))
udp UNCONN 0 0 10.1.5.2:500 *:* users:(("pluto",pid=20234,fd=18))
udp UNCONN 0 0 10.1.6.2:500 *:* users:(("pluto",pid=20234,fd=16))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=739,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))
tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1130,fd=13))
tcp LISTEN 0 128 127.0.0.1:199 *:* users:(("snmpd",pid=1047,fd=8))
Any ideas what I’m doing wrong?
Thanks,
Scott
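An added verification check, not code from the thread or from the LibreSWAN project: it parses `ss -tulpn` output in the shape shown above and reports any pluto IKE socket (UDP/500 or UDP/4500) bound to an address other than the intended listen= address, so you can confirm the setting actually took effect after moving it into the base /etc/ipsec.conf. The sample output embedded below is constructed from the vpnnj listing; `live_check` is an assumed helper that runs `ss` on the local host.

```python
"""Report pluto IKE sockets bound outside the intended listen= address.
Added example (not from the mailing-list post or LibreSWAN itself)."""
import re
import subprocess

# Constructed sample, same shape as the vpnnj `ss -tulpn` output in the thread.
SAMPLE_SS = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1045,fd=6))
udp UNCONN 0 0 127.0.0.1:4500 *:* users:(("pluto",pid=30415,fd=23))
udp UNCONN 0 0 192.168.1.214:4500 *:* users:(("pluto",pid=30415,fd=21))
udp UNCONN 0 0 10.1.2.2:4500 *:* users:(("pluto",pid=30415,fd=19))
udp UNCONN 0 0 10.1.2.2:500 *:* users:(("pluto",pid=30415,fd=18))
udp UNCONN 0 0 10.1.3.2:500 *:* users:(("pluto",pid=30415,fd=16))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))
"""

IKE_PORTS = {"500", "4500"}
# udp <state> <recv-q> <send-q> <addr>:<port> <peer> users:(("pluto",...
LINE_RE = re.compile(r'^udp\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("pluto"')


def pluto_ike_bindings(ss_output):
    """Return the set of (addr, port) pairs pluto has bound on IKE ports."""
    found = set()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in IKE_PORTS:
            found.add((m.group(1), m.group(2)))
    return found


def unexpected_bindings(ss_output, listen_addr):
    """Sorted list of pluto IKE bindings on addresses other than listen_addr."""
    return sorted(b for b in pluto_ike_bindings(ss_output) if b[0] != listen_addr)


def live_check(listen_addr):
    """Run ss on this host (root needed for the process column) and report."""
    out = subprocess.run(["ss", "-tulpn"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_bindings(out, listen_addr)


if __name__ == "__main__":
    for addr, port in unexpected_bindings(SAMPLE_SS, "10.1.2.2"):
        print(f"pluto still bound to {addr}:{port}; listen= is not in effect")
```

An empty result from `live_check("10.1.2.2")` means pluto is bound only where intended; anything listed means the listen= line is still being ignored.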