[Swan] Incorrect XFRM policy with dynamic client IPs
Brady Johnson
bradyjoh at redhat.com
Tue Feb 14 14:34:50 EET 2023
Hello,
I have a Libreswan server and client and get different XFRM policies on the
client when the client's IP is statically set versus when it is dynamically
set from the server with rightaddresspool. This is with VTI route-based
encryption.
# ipsec version
Linux Libreswan 4.5 (XFRM) on 4.18.0-372.40.1.el8_6.x86_64
(client/server configs below for static and dynamic client IPs)
When the client IP is statically set, I get the following xfrm policy on
the client side. In this case everything works as expected. That is, static
host routes directed at the VTI port cause traffic to be put on the tunnel.
$ sudo ip xfrm policy
src 0.0.0.0/0 dst 172.16.2.0/24
dir out priority 2097102 ptype main
mark 0x5/0xffffffff
tmpl src 172.16.1.10 dst 192.168.43.55
proto esp reqid 16401 mode tunnel
src 172.16.2.0/24 dst 0.0.0.0/0
dir fwd priority 2097102 ptype main
mark 0x5/0xffffffff
tmpl src 192.168.43.55 dst 172.16.1.10
proto esp reqid 16401 mode tunnel
src 172.16.2.0/24 dst 0.0.0.0/0
dir in priority 2097102 ptype main
mark 0x5/0xffffffff
tmpl src 192.168.43.55 dst 172.16.1.10
proto esp reqid 16401 mode tunnel
But when the client IP is dynamically set from a server addresspool, I get
the following xfrm policy on the client side:
$ sudo ip xfrm policy
src 172.16.111.10/32 dst 172.16.2.0/24
dir out priority 2080718 ptype main
mark 0x5/0xffffffff
tmpl src 172.16.1.10 dst 192.168.43.55
proto esp reqid 16401 mode tunnel
src 172.16.2.0/24 dst 172.16.111.10/32
dir fwd priority 2080718 ptype main
mark 0x5/0xffffffff
tmpl src 192.168.43.55 dst 172.16.1.10
proto esp reqid 16401 mode tunnel
src 172.16.2.0/24 dst 172.16.111.10/32
dir in priority 2080718 ptype main
mark 0x5/0xffffffff
tmpl src 192.168.43.55 dst 172.16.1.10
proto esp reqid 16401 mode tunnel
Why do the policies get created differently? This is a problem for us,
since not all packets are put on the tunnel, even though there is a static
host route sending them to the VTI port. Is this a bug in this version or
is there a way to configure Libreswan to not do this? I tried manually
deleting the incorrect XFRM policies and creating them with '0.0.0.0/' as
seen above, but that did not work.
Server config with address pool:
-------------------------------------------
conn vpnserver.dl110-05.xyz.com
# right is remote(client), left is local(server)
left=192.168.43.55
leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
leftsubnet=172.16.2.55/24
leftrsasigkey=%cert
leftcert=vpnserver.dl110-05.xyz.com
leftsendcert=always
# Clients
right=%any
rightrsasigkey=%cert
rightid=%fromcert
rightca=%same
rightsubnet=0.0.0.0/0
rightaddresspool="172.16.111.10-172.16.111.99"
# recommended dpd/liveness to cleanup vanished clients
dpddelay=5
dpdtimeout=30
dpdaction=clear
auto=add
rekey=no
ikelifetime=86400s
salifetime=3600s
ikev2=insist
phase2=esp
fragmentation=yes
ike=aes256-sha1
phase2alg=aes256-sha1
Client config with dynamic IP:
---------------------------------------
conn vpnclient.dl110-00.xyz.com
right=192.168.43.55
rightid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
rightsubnet=172.16.2.55/24
rightrsasigkey=%cert
left=172.16.1.10
leftrsasigkey=%cert
leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
leftcert=vpnclient.dl110-00.xyz.com
leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
mark=5/0xffffffff
vti-interface=vti01
vti-routing=yes
vti-shared=no
dpddelay=5
dpdtimeout=30
dpdaction=restart
rekey=yes
auto=start
ikelifetime=86400s
salifetime=3600s
phase2=esp
fragmentation=yes
ike=aes256-sha1
phase2alg=aes256-sha1
Server config with static client IP:
--------------------------------------------
conn vpnserver.dl110-05.xyz.com
left=192.168.43.55
leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
leftsubnet=172.16.2.55/24
leftrsasigkey=%cert
leftcert=vpnserver.dl110-05.xyz.com
leftsendcert=always
# Clients
right=%any
rightrsasigkey=%cert
rightid=%fromcert
rightca=%same
rightsubnet=0.0.0.0/0
dpddelay=5
dpdtimeout=30
dpdaction=clear
auto=add
rekey=no
ikelifetime=86400s
salifetime=3600s
ikev2=insist
phase2=esp
fragmentation=yes
ike=aes256-sha1
phase2alg=aes256-sha1
Client config with static IP:
---------------------------------------
conn vpnclient.dl110-00.xyz.com
right=192.168.43.55
rightid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
rightsubnet=172.16.2.55/24
rightrsasigkey=%cert
left=172.16.1.10
leftrsasigkey=%cert
leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
leftcert=vpnclient.dl110-00.xyz.com
leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
leftsourceip=172.16.111.10
leftsubnet=0.0.0.0/0
leftvti=172.16.111.10/24
mark=5/0xffffffff
vti-interface=vti01
vti-routing=yes
vti-shared=no
# The rest of the config is the same as the dynamic IP config
Regards,
*Brady Johnson*
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20230214/9138decd/attachment.htm>
More information about the Swan
mailing list