<div dir="ltr"><div><div>Hi List<br><br></div>Hoping someone can help me understand the behaviour of a policy-group-based OE setup (0.0.0.0/0 in private-or-clear). Specifically, what happens when there are no TXT or IPSECKEY RRs for either host.<br>
<br></div>I've been trying to simulate a "default fail open" scenario where neither host A nor host B has TXT or IPSECKEY published RSA keys. My understanding was that specifying failureshunt=passthrough on conn private-or-clear would install a %pass rule in ipsec eroute when OE attempts failed. This contradicts what I am seeing in pluto.log.<br>
<br>I see the initial acquire-pfkey caused by the connection attempt:<br><div><br>
| add bare shunt 0x7f631eb121d0 10.236.54.8/32:0 --0--> 10.236.33.242/32:0 => %hold 0 %acquire-pfkey<br>
initiate on demand from 10.236.54.8:0 to 10.236.33.242:0 proto=0 state: fos_start because: acquire<br>
<br>.. connection private-or-clear#0.0.0.0/0 being chosen<br>
<br>| find_connection: looking for policy for connection: 10.236.54.8:0/0 -> 10.236.33.242:0/0<br>
| find_connection: conn "private-or-clear#0.0.0.0/0" has compatible peers: 10.236.54.8/32 -> 0.0.0.0/0 [pri: 16777229]<br>
| find_connection: comparing best "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none) to "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none)<br>
| find_connection: concluding with "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} kind=CK_TEMPLATE<br>
| creating new instance from "private-or-clear#0.0.0.0/0"<br>
| initiate on demand from 10.236.54.8 to 10.236.33.242 new state: fos_start with ugh: ok<br>
<br>.. TXT lookup and failure for our explicitly specified leftid (purposefully not in DNS)<br>
<br>| DNS query 7 for TXT for is01.infrasec.orion.altus. (gw: @is01.infrasec.orion.altus)<br>
| * processed 0 messages from cryptographic helpers<br>
| next event EVENT_PENDING_DDNS in 23 seconds<br>
| next event EVENT_PENDING_DDNS in 23 seconds<br>
|<br>
| * processed 0 messages from cryptographic helpers<br>
| next event EVENT_PENDING_DDNS in 23 seconds<br>
| next event EVENT_PENDING_DDNS in 23 seconds<br>
|<br>
| *received adns message<br>
| asynch DNS answer 7 no TXT record for is01.infrasec.orion.altus.<br>
<br>.. IPSECKEY lookup and failure<br>
<br>| continuing from failed DNS lookup for our IPSECKEY record, 10.236.54.8 to 10.236.33.242: no TXT record for is01.infrasec.orion.altus.<br>
initiate on demand from 10.236.54.8:0 to 10.236.33.242:0 proto=0 state: fos_our_txt because: our IPSECKEY record<br>
| find_connection: looking for policy for connection: 10.236.54.8:0/0 -> 10.236.33.242:0/0<br>
| find_connection: conn "private-or-clear#0.0.0.0/0" has compatible peers: 10.236.54.8/32 -> 0.0.0.0/0 [pri: 16777229]<br>
| find_connection: comparing best "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none) to "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} (child none)<br>
| find_connection: concluding with "private-or-clear#0.0.0.0/0" [pri:16777229]{0x7f631eb20c10} kind=CK_TEMPLATE<br>
| creating new instance from "private-or-clear#0.0.0.0/0"<br>
| started looking for secret for @is01.infrasec.orion.altus->(none) of kind PPK_RSA<br>
| actually looking for secret for @is01.infrasec.orion.altus->(none) of kind PPK_RSA<br>
| line 1: key type PPK_RSA(@is01.infrasec.orion.altus) to type PPK_RSA<br>
| 1: compared key (none) to @is01.infrasec.orion.altus/ (none) -> 2<br>
| 2: compared key (none) to @is01.infrasec.orion.altus/ (none) -> 2<br>
| line 1: match=2<br>
| best_match 0>2 best=0x7f631eb1fa60 (line=1)<br>
| concluding with best_match=2 best=0x7f631eb1fa60 (lineno=1)<br>
<br></div><div>and finally a "no explicit failure shunt" message and removal of the hold shunt (where I assumed a %pass rule would be installed):<br>
</div><div><br>| initiate on demand from 10.236.54.8 to 10.236.33.242 new state: fos_our_txt with ugh: no IPSECKEY RR for us<br>
Can not opportunistically initiate for 10.236.54.8 to 10.236.33.242: no IPSECKEY RR for us<br>
| no explicit failure shunt for 10.236.54.8 to 10.236.33.242; removing spurious hold shunt<br>
| removing specific host-to-host bare shunt<br>
| no IPSECKEY RR for us eroute 10.236.54.8/32:0 --0-> 10.236.33.242/32:0 => %unk-0 (raw_eroute)<br>
<br><br></div><div>My full config is:<br><br>
root@is01:~# ipsec readwriteconf<br>
#conn is01-is02-ptp loaded<br>
#conn clear loaded<br>
#conn clear-or-private loaded<br>
#conn private-or-clear loaded<br>
#conn private loaded<br>
#conn block loaded<br>
config setup<br>
 klipsdebug="all xmit tunnel-xmit netlink xform eroute spi radij esp ah rcv tunnel pfkey comp"<br>
 plutodebug="all raw crypt parsing emitting control lifecycle kernel dns oppo oppoinfo controlmore x509 dpd pfkey natt nattraversal klips netkey"<br>
 plutorestartoncrash=yes<br>
 perpeerlog=yes<br>
 nat_traversal=yes<br>
 interfaces=%defaultroute<br>
 plutostderrlog=/var/log/pluto.log<br>
 dumpdir=/var/run/pluto/<br>
 perpeerlogdir=/var/log/pluto/peer/<br>
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10<br>
 protostack=klips<br>
<br><br>
# begin conn is01-is02-ptp<br>
conn is01-is02-ptp<br>
 left=10.236.54.8<br>
 leftrsasigkey=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<br>
 right=10.236.54.7<br>
 rightrsasigkey=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<br>
 failureshunt=passthrough<br>
 dpddelay=120<br>
 dpdtimeout=60<br>
 dpdaction=clear<br>
 auto==start<br>
 type=tunnel<br>
 compress=no<br>
 pfs=yes<br>
 ikepad=yes<br>
 rekey=yes<br>
 overlapip=yes<br>
 authby=rsasig<br>
 phase2=esp<br>
# end conn is01-is02-ptp<br>
<br>
# begin conn clear<br>
conn clear<br>
 left=%defaultroute<br>
 right=%group<br>
 authby=never<br>
 auto==ondemand<br>
 type=passthrough<br>
# end conn clear<br>
<br>
# begin conn clear-or-private<br>
conn clear-or-private<br>
 left=%defaultroute<br>
 leftid="@is01.infrasec.orion.altus"<br>
 right=%opportunisticgroup<br>
 salifetime=3600<br>
 rekey=no<br>
 keyingtries=2<br>
 ikelifetime=3600<br>
 failureshunt=passthrough<br>
 auto==ondemand<br>
 type=passthrough<br>
# end conn clear-or-private<br>
<br>
# begin conn private-or-clear<br>
conn private-or-clear<br>
 left=%defaultroute<br>
 leftid="@is01.infrasec.orion.altus"<br>
 right=%opportunisticgroup<br>
 salifetime=3600<br>
 rekey=no<br>
 keyingtries=2<br>
 ikelifetime=3600<br>
 failureshunt=passthrough<br>
 auto==ondemand<br>
 type=tunnel<br>
 compress=no<br>
 pfs=yes<br>
 ikepad=yes<br>
 rekey=no<br>
 overlapip=yes<br>
 authby=rsasig<br>
 phase2=esp<br>
# end conn private-or-clear<br>
<br>
# begin conn private<br>
conn private<br>
 left=%defaultroute<br>
 leftid="@is01.infrasec.orion.altus"<br>
 right=%opportunisticgroup<br>
 salifetime=3600<br>
 rekey=no<br>
 keyingtries=2<br>
 ikelifetime=3600<br>
 failureshunt=drop<br>
 auto==ondemand<br>
 type=tunnel<br>
 compress=no<br>
 pfs=yes<br>
 ikepad=yes<br>
 rekey=no<br>
 overlapip=yes<br>
 authby=rsasig<br>
 phase2=esp<br>
# end conn private<br>
<br>
# begin conn block<br>
conn block<br>
 left=%defaultroute<br>
 right=%group<br>
 authby=never<br>
 auto==ondemand<br>
 type=reject<br>
# end conn block<br>
<br>
# end of config<br>
root@is01:~#<br></div><div><br>root@is01:~# ipsec eroute<br>
25 10.236.54.8/32 -> 0.0.0.0/0 => %trap<br>
1994 10.236.54.8/32 -> 10.236.54.7/32 => tun0x1004@10.236.54.7<br>
0 10.236.54.8/32 -> 128.8.10.90/32 => %pass<br>
0 10.236.54.8/32 -> 128.63.2.53/32 => %pass<br>
0 10.236.54.8/32 -> 192.5.5.241/32 => %pass<br>
0 10.236.54.8/32 -> 192.33.4.12/32 => %pass<br>
0 10.236.54.8/32 -> 192.36.148.17/32 => %pass<br>
0 10.236.54.8/32 -> 192.58.128.30/32 => %pass<br>
0 10.236.54.8/32 -> 192.112.36.4/32 => %pass<br>
0 10.236.54.8/32 -> 192.203.230.10/32 => %pass<br>
0 10.236.54.8/32 -> 192.228.79.201/32 => %pass<br>
0 10.236.54.8/32 -> 193.0.14.129/32 => %pass<br>
12 10.236.54.8/32 -> $ip_of_my_local_dns_server_1/32 => %pass<br>
13 10.236.54.8/32 -> $ip_of_my_local_dns_server_2/32 => %pass<br>
0 10.236.54.8/32 -> 198.41.0.4/32 => %pass<br>
0 10.236.54.8/32 -> 199.7.83.42/32 => %pass<br>
0 10.236.54.8/32 -> 202.12.27.33/32 => %pass<br>
root@is01:~#<br>
<br>
root@is01:~# cat /etc/ipsec.d/policies/clear<br>
# This file defines the set of CIDRs (network/mask-length) to which<br>
# communication should always be in the clear.<br>
#<br>
# See /usr/local/share/doc/libreswan/policygroups.html for details.<br>
#<br>
<br>
# root name servers should be in the clear<br>
192.58.128.30/32<br>
198.41.0.4/32<br>
192.228.79.201/32<br>
192.33.4.12/32<br>
128.8.10.90/32<br>
192.203.230.10/32<br>
192.5.5.241/32<br>
192.112.36.4/32<br>
128.63.2.53/32<br>
192.36.148.17/32<br>
193.0.14.129/32<br>
199.7.83.42/32<br>
202.12.27.33/32<br>
#Local DNS Servers<br>
$ip_of_my_local_dns_server_1/32<br>
$ip_of_my_local_dns_server_2/32<br>
root@is01:~#<br>
<br>
root@is01:~# cat /etc/ipsec.d/policies/private-or-clear<br>
# This file defines the set of CIDRs (network/mask-length) to which<br>
# communication should be private, if possible, but in the clear otherwise.<br>
#<br>
# If the target has a TXT (later IPSECKEY) record that specifies<br>
# authentication material, we will require private (i.e. encrypted)<br>
# communications. If no such record is found, communications will be<br>
# in the clear.<br>
#<br>
# See /usr/local/share/doc/libreswan/policygroups.html for details.<br>
#<br>
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $<br>
#<br>
0.0.0.0/0<br>
root@is01:~#<br>
<br><br></div><div>Any pointers would be much appreciated.<br>
<br></div><div>Thanks!<br>Mark<br><br></div></div>
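<p>The question above hinges on one check: after pluto logs "removing spurious hold shunt", which eroute entry actually covers the 10.236.54.8 to 10.236.33.242 pair, and is it %pass, %drop or the 0.0.0.0/0 %trap? The script below is an added example, not Mark's code and not part of Libreswan; it correlates the pluto.log lines posted above with the <code>ipsec eroute</code> table by longest-prefix match. The sample log and eroute text are constructed from the post's output, the behaviour labels attached to %pass, %drop, %reject, %hold, %trap and tun0x targets are the author's own assumptions based on what those entries look like in the table, and it only reasons from the two outputs; it does not claim anything about pluto's internals beyond what the log lines say.</p>

```python
"""Work out what the KLIPS eroute table does with a packet after an
opportunistic-encryption attempt fails, by correlating pluto.log with
`ipsec eroute` output.  Added example, not code from the original post
or from Libreswan itself."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the `ipsec eroute` table in the post
# (the %trap catch-all, the point-to-point tunnel and two "clear" entries).
EROUTE_SAMPLE = """\
25 10.236.54.8/32 -> 0.0.0.0/0 => %trap
1994 10.236.54.8/32 -> 10.236.54.7/32 => tun0x1004@10.236.54.7
0 10.236.54.8/32 -> 192.58.128.30/32 => %pass
0 10.236.54.8/32 -> 198.41.0.4/32 => %pass
"""

# Constructed sample: the pluto.log lines from the post that decide the outcome.
PLUTO_SAMPLE = """\
| add bare shunt 0x7f631eb121d0 10.236.54.8/32:0 --0--> 10.236.33.242/32:0 => %hold 0 %acquire-pfkey
| initiate on demand from 10.236.54.8 to 10.236.33.242 new state: fos_our_txt with ugh: no IPSECKEY RR for us
Can not opportunistically initiate for 10.236.54.8 to 10.236.33.242: no IPSECKEY RR for us
| no explicit failure shunt for 10.236.54.8 to 10.236.33.242; removing spurious hold shunt
| removing specific host-to-host bare shunt
"""

EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")
HOLD_RE = re.compile(r"add bare shunt \S+ ([\d.]+)/\d+:\d+ --\d+--> ([\d.]+)/\d+:\d+ => %hold")
FAIL_RE = re.compile(r"Can not opportunistically initiate for ([\d.]+) to ([\d.]+): (.+)$")
REMOVE_RE = re.compile(r"no explicit failure shunt for ([\d.]+) to ([\d.]+); removing spurious hold shunt")


def parse_eroute(text):
    """Parse `ipsec eroute` lines into (src_net, dst_net, target) tuples.
    Entries that are not real CIDRs (the post's $ip_of_... placeholders) are skipped."""
    table = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if not m:
            continue
        _count, src, dst, target = m.groups()
        try:
            table.append((ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False), target))
        except ValueError:
            continue
    return table


def effective_eroute(table, src_ip, dst_ip):
    """Longest-prefix match on (src, dst): the most specific entry covering a
    packet from src_ip to dst_ip, or None if nothing covers the pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for src_net, dst_net, target in table:
        if src in src_net and dst in dst_net:
            key = (src_net.prefixlen, dst_net.prefixlen)
            if best is None or key > best[0]:
                best = (key, target)
    return None if best is None else best[1]


def classify_target(target):
    """Label an eroute target with what happens to a packet that hits it
    (assumed meanings of the shunt names, based on the table in the post)."""
    if target == "%pass":
        return "clear"
    if target in ("%drop", "%reject"):
        return "blocked"
    if target == "%trap":
        return "triggers-oe"   # raises an acquire; nothing flows until it is resolved
    if target == "%hold":
        return "held"
    if target is not None and target.startswith("tun0x"):
        return "encrypted"
    return "unknown"


def oe_outcome(pluto_text):
    """Correlate each %hold (acquire) in the log with what pluto did about it."""
    outcome = {}

    def entry(pair):
        return outcome.setdefault(pair, {"hold_added": False, "hold_removed": False, "reason": None})

    for line in pluto_text.splitlines():
        m = HOLD_RE.search(line)
        if m:
            entry(m.groups())["hold_added"] = True
            continue
        m = FAIL_RE.search(line)
        if m:
            entry((m.group(1), m.group(2)))["reason"] = m.group(3).strip()
            continue
        m = REMOVE_RE.search(line)
        if m:
            entry(m.groups())["hold_removed"] = True
    return outcome


def verdict(eroute_text, pluto_text):
    """For each OE attempt in the log return (reason, covering eroute target,
    behaviour).  A removed hold with no failure shunt falls back to whatever
    wider entry remains, which in the posted table is the 0.0.0.0/0 %trap."""
    table = parse_eroute(eroute_text)
    report = {}
    for pair, info in oe_outcome(pluto_text).items():
        if info["hold_added"] and not info["hold_removed"]:
            report[pair] = (info["reason"], "%hold", "held")
        else:
            target = effective_eroute(table, *pair)
            report[pair] = (info["reason"], target, classify_target(target))
    return report


if __name__ == "__main__":
    for (src, dst), (reason, target, behaviour) in verdict(EROUTE_SAMPLE, PLUTO_SAMPLE).items():
        print(f"{src} -> {dst}: OE failed ({reason}); next packet hits {target} => {behaviour}")
```

<p>Run against the posted output it reports that, for 10.236.54.8 to 10.236.33.242, the only entry left covering the pair is the 0.0.0.0/0 %trap, not a %pass: the failed attempt did not fail open, it fell back to the catch-all trap, so the next packet raises a fresh acquire. Pointing it at a live <code>ipsec eroute</code> and pluto.log instead of the samples is the quickest way to tell a genuine passthrough failure shunt from the "removing spurious hold shunt" path.</p>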