[Swan] How to force LibreSWAN to listen on a particular interface

Scott A. Wozny sawozny at hotmail.com
Sat Sep 19 20:15:30 UTC 2020


Never mind.  Figured it out.  Apparently there is only one recognized "config setup" section in the base /etc/ipsec.conf file.  I moved the listen directive in there and it worked exactly as expected.

Thanks,

Scott

________________________________
From: Swan <swan-bounces at lists.libreswan.org> on behalf of Scott A. Wozny <sawozny at hotmail.com>
Sent: September 18, 2020 8:11 PM
To: swan at lists.libreswan.org <swan at lists.libreswan.org>
Subject: [Swan] How to force LibreSWAN to listen on a particular interface


By default when I start LibreSWAN's ipsec it binds to UDP/500 and UDP/4500 on all interfaces as shown:


[sawozny@vpnnj ~]$ sudo ipsec --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 192.168.1.214@4500
000 interface eth0/eth0 192.168.1.214@500
000 interface ens8/ens8 10.1.2.2@4500
000 interface ens8/ens8 10.1.2.2@500
000 interface ens9/ens9 10.1.3.2@4500
000 interface ens9/ens9 10.1.3.2@500


[sawozny@vpnca ~]$ sudo ipsec --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 192.168.1.215@4500
000 interface eth0/eth0 192.168.1.215@500
000 interface ens8/ens8 10.1.5.2@4500
000 interface ens8/ens8 10.1.5.2@500
000 interface ens9/ens9 10.1.6.2@4500
000 interface ens9/ens9 10.1.6.2@500


I’d like to only bind to the IP on interface ens8 on each machine. I tried adding this listen= parameter in a config setup section on both sides of my config, but ipsec still attaches to all interfaces available.


Note: there’s a NAT device in the middle converting 10.1.2.2 to 172.16.1.2 and 10.1.5.2 to 172.16.1.10, which is why the configs are asymmetrical.


[sawozny@vpnnj ~]$ sudo cat /etc/ipsec.d/intersitetunnel.conf
# /etc/ipsec.d/intersitetunnel.conf
config setup
    listen=10.1.2.2

conn intersitetunnel
    left=10.1.2.2
    leftid=@vpnnj
    leftsubnet=10.1.4.0/24
    leftrsasigkey=0sAwEAAcQQa4wVLATC […]
    right=172.16.1.10
    rightid=@vpnca
    rightsubnet=10.1.7.0/24
    rightrsasigkey=0sAwEAAcp4iq2wyRG […]
    authby=rsasig
    auto=start


[sawozny@vpnca ~]$ sudo cat /etc/ipsec.d/intersitetunnel.conf
# /etc/ipsec.d/intersitetunnel.conf
config setup
    listen=10.1.5.2

conn intersitetunnel
    left=10.1.5.2
    leftid=@vpnca
    leftsubnet=10.1.7.0/24
    leftrsasigkey=0sAwEAAcp4iq2wyRG […]
    right=172.16.1.2
    rightid=@vpnnj
    rightsubnet=10.1.4.0/24
    rightrsasigkey=0sAwEAAcQQa4wVLATC […]
    authby=rsasig
    auto=start


The tunnel itself comes up (although it doesn’t yet pass traffic which I’m troubleshooting now).


[sawozny@vpnnj ~]$ sudo ip xfrm policy
[sudo] password for sawozny:
src 10.1.4.0/24 dst 10.1.7.0/24
    dir out priority 1042407 ptype main
    tmpl src 10.1.2.2 dst 172.16.1.10
        proto esp reqid 16389 mode tunnel
src 10.1.7.0/24 dst 10.1.4.0/24
    dir fwd priority 1042407 ptype main
    tmpl src 172.16.1.10 dst 10.1.2.2
        proto esp reqid 16389 mode tunnel
src 10.1.7.0/24 dst 10.1.4.0/24
    dir in priority 1042407 ptype main
    tmpl src 172.16.1.10 dst 10.1.2.2
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main

[sawozny@vpnnj ~]$ sudo ip xfrm state
src 172.16.1.10 dst 10.1.2.2
    proto esp spi 0x092a9183 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x3298b10af98c345c36d1ec645571cb33fc364d20 96
    enc cbc(aes) 0x87961e26af97aec8fa83b40d444648e5
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.2.2 dst 172.16.1.10
    proto esp spi 0x691db0b7 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00208346d158ea51312b9f948cf321dc77aa51e0 96
    enc cbc(aes) 0x7c3d3ceae35c4d8b97399a1bd5487765
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.1.10 dst 10.1.2.2
    proto esp spi 0xbfa41218 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4cd4572e7f291034a70a6095671d5a212c3da06b 96
    enc cbc(aes) 0x631d0eac41849e5be9a3d99031cc22be
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.2.2 dst 172.16.1.10
    proto esp spi 0x9096b70e reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xb40d645fb2f5d7aa159f8a855a2072baba29ec80 96
    enc cbc(aes) 0xccd88264c98caf121a062be207618210
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000


[sawozny@vpnca ~]$ sudo ip xfrm policy
[sudo] password for sawozny:
src 10.1.7.0/24 dst 10.1.4.0/24
    dir out priority 1042407 ptype main
    tmpl src 10.1.5.2 dst 172.16.1.2
        proto esp reqid 16389 mode tunnel
src 10.1.4.0/24 dst 10.1.7.0/24
    dir fwd priority 1042407 ptype main
    tmpl src 172.16.1.2 dst 10.1.5.2
        proto esp reqid 16389 mode tunnel
src 10.1.4.0/24 dst 10.1.7.0/24
    dir in priority 1042407 ptype main
    tmpl src 172.16.1.2 dst 10.1.5.2
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main

[sawozny@vpnca ~]$ sudo ip xfrm state
src 172.16.1.2 dst 10.1.5.2
    proto esp spi 0x691db0b7 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00208346d158ea51312b9f948cf321dc77aa51e0 96
    enc cbc(aes) 0x7c3d3ceae35c4d8b97399a1bd5487765
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.5.2 dst 172.16.1.2
    proto esp spi 0x092a9183 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x3298b10af98c345c36d1ec645571cb33fc364d20 96
    enc cbc(aes) 0x87961e26af97aec8fa83b40d444648e5
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.1.2 dst 10.1.5.2
    proto esp spi 0x9096b70e reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xb40d645fb2f5d7aa159f8a855a2072baba29ec80 96
    enc cbc(aes) 0xccd88264c98caf121a062be207618210
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.5.2 dst 172.16.1.2
    proto esp spi 0xbfa41218 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x4cd4572e7f291034a70a6095671d5a212c3da06b 96
    enc cbc(aes) 0x631d0eac41849e5be9a3d99031cc22be
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000


But both devices are still binding ipsec to all interfaces:


[sawozny@vpnnj ~]$ sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:60859 *:* users:(("snmpd",pid=1045,fd=7))
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1045,fd=6))
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=723,fd=5))
udp UNCONN 0 0 127.0.0.1:4500 *:* users:(("pluto",pid=30415,fd=23))
udp UNCONN 0 0 192.168.1.214:4500 *:* users:(("pluto",pid=30415,fd=21))
udp UNCONN 0 0 10.1.2.2:4500 *:* users:(("pluto",pid=30415,fd=19))
udp UNCONN 0 0 10.1.3.2:4500 *:* users:(("pluto",pid=30415,fd=17))
udp UNCONN 0 0 127.0.0.1:500 *:* users:(("pluto",pid=30415,fd=22))
udp UNCONN 0 0 192.168.1.214:500 *:* users:(("pluto",pid=30415,fd=20))
udp UNCONN 0 0 10.1.2.2:500 *:* users:(("pluto",pid=30415,fd=18))
udp UNCONN 0 0 10.1.3.2:500 *:* users:(("pluto",pid=30415,fd=16))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=723,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))
tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1127,fd=13))
tcp LISTEN 0 128 127.0.0.1:199 *:* users:(("snmpd",pid=1045,fd=8))


[sawozny@vpnca ~]$ sudo ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:51169 *:* users:(("snmpd",pid=1047,fd=7))
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1047,fd=6))
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=739,fd=5))
udp UNCONN 0 0 127.0.0.1:4500 *:* users:(("pluto",pid=20234,fd=23))
udp UNCONN 0 0 192.168.1.215:4500 *:* users:(("pluto",pid=20234,fd=21))
udp UNCONN 0 0 10.1.5.2:4500 *:* users:(("pluto",pid=20234,fd=19))
udp UNCONN 0 0 10.1.6.2:4500 *:* users:(("pluto",pid=20234,fd=17))
udp UNCONN 0 0 127.0.0.1:500 *:* users:(("pluto",pid=20234,fd=22))
udp UNCONN 0 0 192.168.1.215:500 *:* users:(("pluto",pid=20234,fd=20))
udp UNCONN 0 0 10.1.5.2:500 *:* users:(("pluto",pid=20234,fd=18))
udp UNCONN 0 0 10.1.6.2:500 *:* users:(("pluto",pid=20234,fd=16))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=739,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))
tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1130,fd=13))
tcp LISTEN 0 128 127.0.0.1:199 *:* users:(("snmpd",pid=1047,fd=8))


Any ideas what I’m doing wrong?


Thanks,


Scott
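The thread's resolution is that libreswan only honours `listen=` in the `config setup` section of the base /etc/ipsec.conf; a `config setup` block inside an included file under /etc/ipsec.d/ is not used, which is why pluto kept binding UDP/500 and UDP/4500 on every address. As an added example (not code from the thread or from the libreswan project), here is a POSIX shell check that takes `ss -tulpn` output and the address given to `listen=` and lists every pluto UDP socket bound anywhere else. The two embedded samples are constructed from the `ss` lines quoted above: one mirrors the "bound on every interface" state, the other what the same host should show once `listen=10.1.2.2` is in the right place. The function name `pluto_stray_binds` and the sample data are mine.

```shell
#!/bin/sh
# Added example: verify that pluto is bound only where listen= says it should be.
#
# The fix from the thread goes in /etc/ipsec.conf itself, not in a file under
# /etc/ipsec.d/ (libreswan reads a single "config setup" section, from the base file):
#
#   config setup
#       listen=10.1.2.2
#
# After "ipsec restart", every pluto UDP socket in `ss -tulpn` should carry that address.

# Constructed sample modelled on the ss output in the post: pluto on every interface.
SS_ALL_IFACES='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:4500 *:* users:(("pluto",pid=30415,fd=23))
udp UNCONN 0 0 192.168.1.214:4500 *:* users:(("pluto",pid=30415,fd=21))
udp UNCONN 0 0 10.1.2.2:4500 *:* users:(("pluto",pid=30415,fd=19))
udp UNCONN 0 0 10.1.2.2:500 *:* users:(("pluto",pid=30415,fd=18))
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1045,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))'

# Constructed sample of what the same host should show once listen=10.1.2.2 is honoured.
SS_ONE_IFACE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 10.1.2.2:4500 *:* users:(("pluto",pid=30415,fd=19))
udp UNCONN 0 0 10.1.2.2:500 *:* users:(("pluto",pid=30415,fd=18))
udp UNCONN 0 0 *:161 *:* users:(("snmpd",pid=1045,fd=6))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1044,fd=3))'

# pluto_stray_binds SS_OUTPUT EXPECTED_IP
# Prints each pluto UDP socket whose local address is not EXPECTED_IP (hypothetical
# helper, not a libreswan command). Returns 0 when pluto is bound only on EXPECTED_IP,
# 1 when it is also listening elsewhere.
pluto_stray_binds() {
    _ss_out=$1
    _want=$2
    # Column 5 of `ss -tulpn` is Local Address:Port; keep only UDP rows owned by pluto,
    # strip the ":port" suffix and compare the address against the expected one.
    _stray=$(printf '%s\n' "$_ss_out" \
        | awk -v want="$_want" '
            $1 == "udp" && index($0, "\"pluto\"") {
                addr = $5
                sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
                if (addr != want) print $5
            }')
    if [ -n "$_stray" ]; then
        printf 'pluto also bound on:\n%s\n' "$_stray"
        return 1
    fi
    return 0
}

# Live use on the host (root is needed for the pid/program column):
#   pluto_stray_binds "$(sudo ss -tulpn)" 10.1.2.2
```

A non-zero exit with a list of addresses after `ipsec restart` means the `listen=` line is still somewhere libreswan does not read it from, such as a `config setup` block in /etc/ipsec.d/. One caveat on the debugging output above: `ip xfrm state` prints the live ESP encryption and integrity keys of the current SAs, so redact those lines before pasting them to a list.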
