Hi,
I would like to know whether there is a configuration option that allows the user to select whether an IPsec device acts as either the initiator or the responder.
I can see that other vendors provide a checkbox to select and enforce whether the device acts as the IPsec initiator or responder. I have to implement the same in my device, so I am wondering whether it is possible to implement or configure this using OpenWrt with the strongSwan package.
Thanks,
Wgoogy
mikma
November 11, 2019, 2:48pm
A connection in ipsec.conf can be configured as add, route or start (or ignore). You should use "add" if you don't want to be the initiator.
auto = ignore | add | route | start
what operation, if any, should be done automatically at IPsec startup. add loads a connection without starting it. route loads a connection and installs kernel traps. If traffic is detected between leftsubnet and rightsubnet, a connection is established. start loads a connection and brings it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config file. Relevant only locally, other end need not agree on it.
Thanks mikma for providing this information and support!
I will make this change and observe the behavior accordingly. I hope it will resolve my problem.
Hi Mikma,
I checked it after adding 'auto=add' in ipsec.conf, but my device still acts as the initiator.
I verified this by looking at the packets exchanged.
Is there something else I can try?
I would really appreciate it if this could be made to work.
~wgoogy
mikma
November 14, 2019, 6:35pm
Really? I don't know why that happens. Though, you may need to disable re-keying if you don't want it to initiate that.
Yeah, not really sure. The configuration below looks fine. I have now disabled 'rekey' and 'reauth', but my 'device1' still always initiates the request.
root@my:/# cat /etc/ipsec.conf
# generated by /etc/init.d/ipsec
config setup

conn %default
    keyexchange=ikev2
    mobike=no
    leftupdown="/bin/insg/nat_updown.sh"

# ipsectest config starts
conn ipsectest
    leftid=device1
    ikelifetime=3600s
    keylife=28800s
    leftsubnet=192.168.0.0/24
    left=10.20.1.73
    rightid=device2
    rightsubnet=192.168.2.0/24
    leftauth=psk
    rightauth=psk
    right=10.20.1.248
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    reauth=no
    rekey=no
    auto=add
# ipsectest config end
root@my:/#
11:18:58.884208 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: parent_sa ikev2_init[I]
11:18:59.710981 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: parent_sa ikev2_init[R]
Can someone suggest, or does anyone have a clue, what might be going wrong based on the ipsec.conf configuration shared above?
root@my:/# cat /etc/ipsec.conf
# generated by /etc/init.d/ipsec
config setup

conn %default
    keyexchange=ikev2
    mobike=no
    leftupdown="/bin/insg/nat_updown.sh"

# STARTING-TUNNEL-CONFIG FOR ipsectest
conn ipsectest
    rekeymargin=9m
    keyingtries=0
    leftid=device1
    ikelifetime=3600s
    keylife=28800s
    leftsubnet=192.168.0.0/24
    left=10.20.1.73
    rightid=device2
    rightsubnet=192.168.2.0/24
    leftauth=psk
    rightauth=psk
    right=10.20.1.248
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    rekey=no
    auto=add
# ENDING-TUNNEL-CONFIG FOR ipsectest
Even after rekeying is disabled, which I can see in the ipsec statusall output, my device1 (10.20.1.73) is always sending an initiator request.
root@my:/# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.14.77, armv7l):
uptime: 3 minutes, since Nov 20 09:56:42 2019
malloc: sbrk 303104, mmap 0, used 235984, free 67120
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
10.20.1.73
192.168.0.1
Connections:
ipsectest: 10.20.1.73...10.20.1.248 IKEv2
ipsectest: local: [device1] uses pre-shared key authentication
ipsectest: remote: [device2] uses pre-shared key authentication
ipsectest: child: 192.168.0.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
ipsectest[2]: ESTABLISHED 5 seconds ago, 10.20.1.73[device1]...10.20.1.248[device2]
ipsectest[2]: IKEv2 SPIs: c9aadfe597382e37_i c225cc22ffe0c82c_r, rekeying disabled
ipsectest[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ipsectest{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c2b1c175_i ccaf4523_o
ipsectest{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled <<<<<<<<<<
ipsectest{2}: 192.168.0.0/24 === 192.168.2.0/24
root@my:/#
root@my:/# tcpdump -r ipsecUP-responder-only.pcap
reading from file ipsecUP-responder-only.pcap, link-type EN10MB (Ethernet)
09:59:43.977533 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: child_sa inf2[I]
09:59:44.449577 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: child_sa inf2[R]
10:00:21.411398 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: parent_sa ikev2_init[I]
10:00:22.113457 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: parent_sa ikev2_init[R]
10:00:22.210147 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: child_sa ikev2_auth[I]
10:00:22.556597 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: child_sa ikev2_auth[R]
10:00:41.700450 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: child_sa inf2[I]
10:00:41.909011 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: child_sa inf2[R]
root@my:/# cat /tmp/ipsectest.txt
initiating IKE_SA ipsectest[2] to 10.20.1.248
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.20.1.73[500] to 10.20.1.248[500] (1268 bytes)
received packet: from 10.20.1.248[500] to 10.20.1.73[500] (328 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'device1' (myself) with pre-shared key
establishing CHILD_SA ipsectest
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.20.1.73[500] to 10.20.1.248[500] (348 bytes)
received packet: from 10.20.1.248[500] to 10.20.1.73[500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'device2' with pre-shared key successful
IKE_SA ipsectest[2] established between 10.20.1.73[device1]...10.20.1.248[device2]
connection 'ipsectest' established successfully
root@my:/#
Can someone please help on it?
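The two things this thread keeps comparing are the auto= setting in ipsec.conf (mikma's explanation above) and who actually sends the IKE_SA_INIT request in the tcpdump capture. The following is an added example, not code from this thread or from strongSwan: it parses a small constructed ipsec.conf in the thread's format, derives the role auto= should produce, and checks it against constructed tcpdump lines shaped like the capture above, so a mismatch like the one Wgoogy reports shows up as ('responder', 'initiator').

```python
import re
from collections import defaultdict
# Constructed ipsec.conf in the thread's style (not the poster's exact file).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn ipsectest
    left=10.20.1.73
    right=10.20.1.248
    auto=add
"""
# Constructed tcpdump lines shaped like the thread's capture.
SAMPLE_TCPDUMP = """\
10:00:21.411398 IP 10.20.1.73.isakmp > 10.20.1.248.isakmp: isakmp: parent_sa ikev2_init[I]
10:00:22.113457 IP 10.20.1.248.isakmp > 10.20.1.73.isakmp: isakmp: parent_sa ikev2_init[R]
"""
def parse_conns(conf_text):
    """Return {conn_name: {key: value}} with 'conn %default' values merged in."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and indentation
        m = re.match(r'^conn\s+(\S+)$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and '=' in line:  # lines before any 'conn' are skipped
            k, v = line.split('=', 1)
            current[k.strip()] = v.strip()
    default = sections.pop('%default', {})
    return {n: {**default, **kv} for n, kv in sections.items()}

def expected_role(conn):
    # auto=start initiates at startup, auto=route initiates on trapped traffic;
    # auto=add (the advice in this thread) only loads the conn and waits.
    return 'initiator' if conn.get('auto') in ('start', 'route') else 'responder'

def observed_initiators(tcpdump_text):
    """Map source IP -> set of peers it sent an IKE_SA_INIT request ([I]) to."""
    pat = re.compile(r'IP (\S+)\.isakmp > (\S+)\.isakmp: isakmp: parent_sa ikev2_init\[I\]')
    out = defaultdict(set)
    for line in tcpdump_text.splitlines():
        if m := pat.search(line):
            out[m.group(1)].add(m.group(2))
    return out

def check(conf_text, tcpdump_text):
    """Return {conn: (expected_role, observed_role)}; a mismatch means charon initiated."""
    inits = observed_initiators(tcpdump_text)
    return {name: (expected_role(conn), 'initiator' if conn['right'] in
                   inits.get(conn['left'], set()) else 'responder')
            for name, conn in parse_conns(conf_text).items()}
```

Run check(SAMPLE_CONF, SAMPLE_TCPDUMP) against a real /etc/ipsec.conf and a tcpdump text dump to see, per conn, whether the local daemon initiated although its auto= setting says it should only respond.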