Thursday, August 13, 2020

Strongswan routed config not working

I'm currently working on a PoC to interconnect multiple sites through IPsec using strongSwan. The goal is to create backup links through other sites if the direct connection to a site goes down.

I've created a docker-compose based lab setup and I'm currently so far that I have active IPsec tunnels between 3 hosts and can ping between them. This is policy based, so I can't send traffic from host 1 to host 3 through host 2.

Now I want to switch to route based (using https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN as a lead) using xfrm interfaces, but it appears that I'm missing some glue to tie the policies to the interfaces. The docs state that "No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.", so I would assume that I shouldn't need to specify a mark in the policy, but they don't mention how this matching is done. If I do specify a mark in the policy with the value of the interface ID, no traffic goes over the tunnel.

I've created the interface like so:

    ip link add ipsec2 type xfrm dev eth0 if_id 0xff02
    sysctl -w net.ipv4.conf.ipsec2.disable_policy=1
    ip link set ipsec2 up
    ip route add 192.168.102.0/24 dev ipsec2 metric 10
    ip route add 192.168.103.0/24 dev ipsec2 metric 20

    ip link add ipsec3 type xfrm dev eth0 if_id 0xff03
    sysctl -w net.ipv4.conf.ipsec3.disable_policy=1
    ip link set ipsec3 up
    ip route add 192.168.103.0/24 dev ipsec3 metric 10
    ip route add 192.168.102.0/24 dev ipsec3 metric 20

And ipsec.conf looks like this:

    conn sts-base
        fragmentation=yes
        dpdaction=restart
        ike=aes256-sha256-modp2048
        esp=aes256-sha256-modp2048
        keyingtries=%forever
        leftid=192.168.100.101
        leftauth=secret
        rightauth=secret
        leftsubnet=192.168.101.0/24

    conn STRONG-2
        also=sts-base
        keyexchange=ikev2
        right=192.168.100.102
        rightsubnet=192.168.102.0/24
        auto=start
        # mark=0xff02

    conn STRONG-3
        also=sts-base
        keyexchange=ikev2
        right=192.168.100.103
        rightsubnet=192.168.103.0/24
        auto=start
        # mark=0xff03

I've got the entire docker-compose based setup, including all used config files, up at GitHub, so if anyone wants to have a go at it, you can easily replicate my entire setup: https://github.com/TomCan/strongswan-xfrm-poc

I know the current config isn't complete for the redundancy (I probably need 0.0.0.0/0 selectors), but step 1 is to get this simple setup working route-based instead of policy based.
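The missing glue, shown as an added example that is not code from the post or its GitHub repository: the XFRM interface ID is carried by the policies and SAs themselves, and strongSwan sets it from the if_id_in and if_id_out options of a child in swanctl.conf (strongSwan 5.8.0 or later); the stroke backend behind ipsec.conf does not offer these options, so the example assumes a switch to swanctl.conf. The script below creates the two XFRM interfaces from the post and renders a swanctl.conf that binds each CHILD_SA to its interface; it goes slightly beyond the post by also rendering the charon.install_routes setting, and it writes the interface IDs in decimal (65282 for 0xff02, 65283 for 0xff03) so the identical number can be given to both ip link and swanctl. Function names, file paths under /etc/swanctl/conf.d and /etc/strongswan.d, and the PSK value are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or its repository. Assumes strongSwan is
# configured through swanctl.conf (vici): the if_id_in/if_id_out child options
# that tie a CHILD_SA to an XFRM interface exist only there (strongSwan 5.8.0+).
# Function names and the PSK are my own; interface IDs are written in decimal
# (65282 = 0xff02, 65283 = 0xff03 in the post) so one value fits ip link and swanctl.

LOCAL_IP=192.168.100.101
LOCAL_NET=192.168.101.0/24

# Create an XFRM interface on a parent device with the given interface ID and
# point routes at it. Needs root and a kernel with XFRM interfaces (4.19+);
# this function is deliberately not executed when the script runs without "apply".
create_xfrm_if() {
    name=$1; parent=$2; if_id=$3; shift 3
    ip link add "$name" type xfrm dev "$parent" if_id "$if_id"
    # Policy lookup already happened on the ESP side; skip it on the virtual device.
    sysctl -w "net.ipv4.conf.$name.disable_policy=1" >/dev/null
    ip link set "$name" up
    # Remaining arguments are "prefix metric" pairs: the direct site gets metric 10,
    # the same prefix via the other site metric 20 as a fallback.
    while [ $# -ge 2 ]; do
        ip route add "$1" dev "$name" metric "$2"
        shift 2
    done
}

# Render one swanctl.conf connection whose CHILD_SA carries the XFRM interface ID.
# The kernel attaches policies/SAs with that ID to the interface created with the
# same if_id. No mark= is needed: an XFRM interface matches on the interface ID
# attribute, not on a packet mark, so a mark only adds a condition never met.
render_conn() {
    name=$1; peer=$2; remote_net=$3; if_id=$4
    cat <<EOF
    $name {
        version = 2
        local_addrs = $LOCAL_IP
        remote_addrs = $peer
        proposals = aes256-sha256-modp2048
        fragmentation = yes
        keyingtries = 0
        dpd_delay = 30s
        local {
            auth = psk
            id = $LOCAL_IP
        }
        remote {
            auth = psk
            id = $peer
        }
        children {
            $name {
                local_ts = $LOCAL_NET
                remote_ts = $remote_net
                esp_proposals = aes256-sha256-modp2048
                if_id_in = $if_id
                if_id_out = $if_id
                start_action = start
                dpd_action = restart
            }
        }
    }
EOF
}

# Whole swanctl.conf for this site: both peers inside one connections section,
# plus a placeholder PSK (not a real secret) so the daemon can load the file.
render_swanctl_conf() {
    echo "connections {"
    render_conn STRONG-2 192.168.100.102 192.168.102.0/24 65282
    render_conn STRONG-3 192.168.100.103 192.168.103.0/24 65283
    echo "}"
    cat <<EOF
secrets {
    ike-sites {
        id = $LOCAL_IP
        secret = "PLACEHOLDER-PSK-change-me"
    }
}
EOF
}

# charon must not install its own routes (routing table 220) for the CHILD_SAs:
# the routes attached to the XFRM interfaces decide which tunnel traffic takes,
# and with the 0.0.0.0/0 selectors the fallback paths need, a charon-installed
# default route would shadow them.
render_strongswan_conf() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# "apply" brings up the interfaces and writes the files (root only); any other
# invocation just prints the rendered configuration for inspection.
if [ "${1:-}" = "apply" ]; then
    create_xfrm_if ipsec2 eth0 65282 192.168.102.0/24 10 192.168.103.0/24 20
    create_xfrm_if ipsec3 eth0 65283 192.168.103.0/24 10 192.168.102.0/24 20
    render_swanctl_conf > /etc/swanctl/conf.d/sites.conf
    render_strongswan_conf > /etc/strongswan.d/xfrm.conf
    swanctl --load-all
else
    render_swanctl_conf
    render_strongswan_conf
fi
```

With the /24 selectors kept from the post, only traffic for 192.168.102.0/24 leaving ipsec2 matches its policy; a packet for 192.168.103.0/24 routed over ipsec2 as a fallback has no matching policy and is dropped, which is why the backup paths need 0.0.0.0/0 in local_ts and remote_ts, and why install_routes = no must be in place before widening them. A quick check after loading is ip -s link show ipsec2 and swanctl --list-sas: the interface counters rise and the CHILD_SA for STRONG-2 is installed, as soon as the policies carry the same interface ID as the link.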
