Does OpenWrt platform provide mechanism to configure IPSec device as initiator only or responder only?

fopenwrt · November 11, 2019, 11:35am

Hi ,

I would like to know whether there exists a configuration which allows user to select IPSec device to act as either initiator or responder?

I could see that other vendors provide a checkbox to select and enforce device to act either as IPSec initiator or responder. I have to implement the same in my device, hence worrying whether it is possible to implement or configure the same using openwrt with strongswan package.

Thanks,
Wgoogy

mikma · November 11, 2019, 2:48pm

A connection in ipsec.conf can be configured as add, route or start (or ignore). You should use "add" if you don't want to be the initiator.

auto = ignore | add | route | start

what operation, if any, should be done automatically at IPsec startup. add loads a connection without
starting it. route loads a connection and installs kernel traps. If traffic is detected between
leftsubnet and rightsubnet , a connection is established. start loads a connection and brings
it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config
file. Relevant only locally, other end need not agree on it.

fopenwrt · November 12, 2019, 6:29am

Thanks mikma for providing this information and a support !!! .
I will do this change and observe its behavior accordingly. Hope it will resolve my problem.

fopenwrt · November 14, 2019, 10:46am

Hi Mikma,

I checked at it after adding 'auto=add' in ipsec.conf, but my device still acts as initiator.
I verified by looking at packets exchanged .
Is there something else which I can try?
I really appreciate if it works.

~wgoogy

mikma · November 14, 2019, 6:35pm

Really? I don't know why that happens. Though, you may need to disable re-keying if you don't want it to initiate that.

fopenwrt · November 15, 2019, 11:22am

Yeah, not really sure. Configuration looks fine below. Now disabled 'rekey' and 'reauth' but still my 'device1' is always initiating a request.

root@my:/# cat /etc/ipsec.conf

generated by /etc/init.d/ipsec

config setup

conn %default
keyexchange=ikev2
mobike=no
leftupdown="/bin/insg/nat_updown.sh"

ipsectest config starts

conn ipsectest
leftid=device1
ikelifetime=3600s
keylife=28800s
leftsubnet=192.168.0.0/24
left=10.20.1.73
rightid=device2
rightsubnet=192.168.2.0/24
leftauth=psk
rightauth=psk
right=10.20.1.248
ike=aes128-sha1-modp1024
esp=aes128-sha1-modp1024
reauth=no
rekey=no
auto=add

ipsectest config end

root@my:/# 11:18:58.884208 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: parent_sa ikev2_init[I]
11:18:59.710981 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: parent_sa ikev2_init[R]

fopenwrt · November 19, 2019, 7:13am

Can someone suggest or have a clue like what might goes wrong based on above ipsec.conf
configuration shared?

fopenwrt · November 20, 2019, 10:04am

root@my:/# cat /etc/ipsec.conf

generated by /etc/init.d/ipsec

config setup

conn %default
keyexchange=ikev2
mobike=no
leftupdown="/bin/insg/nat_updown.sh"

STARTING-TUNNEL-CONFIG FOR ipsectest

conn ipsectest
rekeymargin=9m
keyingtries=0
leftid=device1
ikelifetime=3600s
keylife=28800s
leftsubnet=192.168.0.0/24
left=10.20.1.73
rightid=device2
rightsubnet=192.168.2.0/24
leftauth=psk
rightauth=psk
right=10.20.1.248
ike=aes128-sha1-modp1024
esp=aes128-sha1-modp1024
rekey=no
auto=add

ENDING-TUNNEL-CONFIG FOR ipsectest

Even after rekey is disabled which I could see in ipsec statusall out, my device1 10.20.1.73 is always creating a initiator request....

root@my:/# ipsec statusall
no files found matching '/etc/strongswan.d/.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.14.77, armv7l):
uptime: 3 minutes, since Nov 20 09:56:42 2019
malloc: sbrk 303104, mmap 0, used 235984, free 67120
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
10.20.1.73
192.168.0.1
Connections:
ipsectest: 10.20.1.73...10.20.1.248 IKEv2
ipsectest: local: [device1] uses pre-shared key authentication
ipsectest: remote: [device2] uses pre-shared key authentication
ipsectest: child: 192.168.0.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
ipsectest[2]: ESTABLISHED 5 seconds ago, 10.20.1.73[device1]...10.20.1.248[device2]
ipsectest[2]: IKEv2 SPIs: c9aadfe597382e37_i c225cc22ffe0c82c_r, rekeying disabled
ipsectest[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ipsectest{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c2b1c175_i ccaf4523_o
ipsectest{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled <<<<<<<<<<
ipsectest{2}: 192.168.0.0/24 === 192.168.2.0/24
root@my:/#
root@my:/# tcpdump -r ipsecUP-responder-only.pcap
reading from file ipsecUP-responder-only.pcap, link-type EN10MB (Ethernet)
09:59:43.977533 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: child_sa inf2[I]
09:59:44.449577 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: child_sa inf2[R]
10:00:21.411398 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: parent_sa ikev2_init[I]
10:00:22.113457 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: parent_sa ikev2_init[R]
10:00:22.210147 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: child_sa ikev2_auth[I]
10:00:22.556597 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: child_sa ikev2_auth[R]
10:00:41.700450 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: child_sa inf2[I]
10:00:41.909011 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: child_sa inf2[R]
root@my:/# cat /tmp/ipsectest.txt
initiating IKE_SA ipsectest[2] to 10.20.1.248
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.20.1.73[500] to 10.20.1.248[500] (1268 bytes)
received packet: from 10.20.1.248[500] to 10.20.1.73[500] (328 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'device1' (myself) with pre-shared key
establishing CHILD_SA ipsectest
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.20.1.73[500] to 10.20.1.248[500] (348 bytes)
received packet: from 10.20.1.248[500] to 10.20.1.73[500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'device2' with pre-shared key successful
IKE_SA ipsectest[2] established between 10.20.1.73[device1]...10.20.1.248[device2]
connection 'ipsectest' established successfullyroot@my:/#
root@my:/#

Can someone please help on it?