Issue #2302

drop policy affects interfaces where IP set in "left" is not bound to

Added by Harshal Haridas almost 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.2.0
Resolution:
No change required

Description

I have a single instance of charon and starter that services 4 independent interfaces. This is on strongSwan 5.2.0.

I have defined the following:
strongswan.conf:
    charon {
        interfaces_use = eth0, eth1
        interfaces_ignore = eth2, eth3
    }

Additionally, I have defined the following policies on eth0 and eth1:
    conn CloseAll
        left=IP_eth0
        right=%any
        type=drop
        auto=route

However, when the above connection is enabled, it seems to be affecting eth1, eth2 and eth3

Any information on how the type=drop policy is intended to work? I just read that left and leftauth are not checked at all.

The IP IP_eth0 is where I want to apply the drop type only while not affecting eth1, eth2 and eth3.

History

#1 Updated by Harshal Haridas almost 4 years ago

The policy provided should be only read to be on eth0.

#2 Updated by Noel Kuntze almost 4 years ago

  • Status changed from New to Feedback
  • Priority changed from Immediate to Normal

Harshal Haridas wrote:

> I have defined the following:
> strongswan.conf:
>     charon {
>         interfaces_use = eth0, eth1
>         interfaces_ignore = eth2, eth3
>     }

That is irrelevant for any XFRM policies. It only pertains to the userspace daemon "charon", and not anything that the kernel does.

> Additionally, I have defined the following policies on eth0 and eth1:
>     conn CloseAll
>         left=IP_eth0
>         right=%any
>         type=drop
>         auto=route

That drops all packets from that IP to any other host (0.0.0.0/0).

> However, when the above connection is enabled, it seems to be affecting eth1, eth2 and eth3

Duh. Explained above.

> Any information on how the type=drop policy is intended to work? I just read that left and leftauth are not checked at all.

Drops the packets that match the traffic selector, just like any other IPsec policy type works with what the TS defines.

> The IP IP_eth0 is where I want to apply the drop type only while not affecting eth1, eth2 and eth3.

Are you talking about the primary IP address of eth0 and do you want the drop policy to not affect any traffic that has any IP on eth1, eth2 or eth3 in the source or destination fields?

You need to be exact in your use of language. eth0 is a physical interface. The primary IP of eth0 is an IP. XFRM only cares about IPs, not about interfaces.

You can disable the policy lookup for specific interfaces by setting disable_policy to 1 in sysctl for the traffic on those interfaces you don't want any IPsec policies to be applied on.
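As an added illustration of the point made in this comment (example code, not strongSwan's or the kernel's own): a small Python model of how the XFRM lookup matches a type=drop policy purely on the traffic selector, with no notion of interface, and how disable_policy=1 on an interface takes that interface's traffic out of the lookup entirely. The addresses are constructed placeholders for the ticket's IP_eth0 and IP_eth1.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:           # one XFRM policy: selector + direction + action, no interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str      # "in" or "out"
    action: str         # "block" is what type=drop installs

@dataclass
class Packet:
    src: str
    dst: str
    iface: str          # interface the packet enters or leaves on
    direction: str

def drop_conn(left_ip, right="0.0.0.0/0"):
    # Model of 'type=drop, left=<ip>, right=%any': selector left/32 <-> 0.0.0.0/0,
    # action block, one policy per direction. Nothing here names an interface.
    left, right_net = ipaddress.ip_network(f"{left_ip}/32"), ipaddress.ip_network(right)
    return [Policy(left, right_net, "out", "block"), Policy(right_net, left, "in", "block")]

def xfrm_lookup(packet, policies, disable_policy=frozenset()):
    # disable_policy models net.ipv4.conf.<iface>.disable_policy=1: the lookup is
    # skipped for traffic on that interface, so no policy (drop or otherwise) applies.
    if packet.iface in disable_policy:
        return "allow"
    src, dst = ipaddress.ip_address(packet.src), ipaddress.ip_address(packet.dst)
    for p in policies:
        if p.direction == packet.direction and src in p.src and dst in p.dst:
            return p.action
    return "allow"      # no matching policy: plaintext passes

def demo():
    # Constructed addresses standing in for the ticket's IP_eth0 and IP_eth1.
    ip_eth0, ip_eth1, peer = "192.0.2.10", "198.51.100.10", "203.0.113.5"
    policies = drop_conn(ip_eth0)
    packets = {
        "IP_eth0 -> peer, leaving on eth0": Packet(ip_eth0, peer, "eth0", "out"),
        "IP_eth0 -> peer, routed out via eth1": Packet(ip_eth0, peer, "eth1", "out"),
        "IP_eth1 -> peer, leaving on eth1": Packet(ip_eth1, peer, "eth1", "out"),
        "peer -> IP_eth0, arriving on eth2": Packet(peer, ip_eth0, "eth2", "in"),
    }
    before = {k: xfrm_lookup(p, policies) for k, p in packets.items()}
    after = {k: xfrm_lookup(p, policies, frozenset({"eth1", "eth2", "eth3"}))
             for k, p in packets.items()}
    return before, after
```

Without disable_policy, a packet sourced from IP_eth0 is blocked whichever interface it leaves on, and replies to IP_eth0 are blocked whichever interface they arrive on; only the selector matters. With disable_policy set on eth1 to eth3, traffic on those interfaces is never checked against the drop policy at all.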

#3 Updated by Harshal Haridas almost 4 years ago

Noel Kuntze wrote:

> Harshal Haridas wrote:
>
> > The IP IP_eth0 is where I want to apply the drop type only while not affecting eth1, eth2 and eth3.
>
> Are you talking about the primary IP address of eth0 and do you want the drop policy to not affect any traffic that has any IP on eth1, eth2 or eth3 in the source or destination fields?

IP_eth0 is the primary IP of eth0. Yes, I want the drop policy on this IP only and to not affect traffic on eth1, eth2 or eth3.

> You need to be exact in your use of language. eth0 is a physical interface. The primary IP of eth0 is an IP. XFRM only cares about IPs, not about interfaces.
>
> You can disable the policy lookup for specific interfaces by setting disable_policy to 1 in sysctl for the traffic on those interfaces you don't want any IPsec policies to be applied on.

Thank you. You can mark this issue resolved.

#4 Updated by Noel Kuntze almost 4 years ago

  • Category changed from charon to configuration
  • Status changed from Feedback to Closed
  • Resolution set to No change required

#5 Updated by Noel Kuntze almost 4 years ago

  • Subject changed from How does type=drop policy works (Strongswan 5.2.0)? to drop policy affects interfaces where IP set in "left" is not bound to