Issue #2887

route

Added by li yang 3 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.7.2
Resolution:
No change required

Description

Hi expert,

We have a scenario where local is configured with "auto=route" and remote with "auto=add".
When the remote peer stops the ipsec service, the SA is cleaned up on local.
Then the remote peer starts the ipsec service and sends traffic, but no SA is triggered to be created on local.

As I understand from ConnSection, traffic from remote or local will trigger connection establishment.

route loads a connection and installs kernel traps. If traffic is detected between
leftsubnet and rightsubnet, a connection is established.

And "auto=route" is recommended by strongSwan in SecurityRecommendations

It is strongly advised to use auto=route in site-to-site setups to make sure that the kernel tells strongSwan
to establish a CHILD_SA when there's no SA for a security policy.

Please correct me if my understanding is wrong.

And how to handle such a case from your expert view? Please note it is hard for us to require the remote peer (other manufacturers) to support route.

Regards,
Mavis

History

#1 Updated by li yang 3 months ago

Sorry that the title should be "connection creation when local with auto=route and remote with auto=add".

#2 Updated by Noel Kuntze 3 months ago

Traffic from local will trigger connection establishment. If a remote host wants to send traffic, an IKE SA and CHILD_SA need to be established first. This requires interaction with the IKE daemon on the local host. Unprotected traffic that the policies state must be protected is dropped and does not generate any acquires.

#3 Updated by Tobias Brunner 3 months ago

  • Tracker changed from Feature to Issue
  • Status changed from New to Feedback
  • Start date deleted (15.01.2019)
  • Affected version set to 5.7.2

There is an old patch in the trap-policies-out-only branch (probably does not apply to the current master without fixes) that adds an option to only install outbound trap policies, which would allow unencrypted inbound traffic and any response to such packets would then trigger the outbound trap policies to create the tunnel.

#4 Updated by li yang 3 months ago

Hi Tobias and Noel,

Thanks for your reply and clarification.

Customer would like to drop the incoming data if no connection. Local is configured as "auto=start", remote peer is configured as "auto=add", since remote peer is acting as a server, local is acting as a client. So the patch trap-policies-out-only can't be applied.

We'll add a patch to schedule a job initiating connection when the connection is cleaned up by remote peer (remote peer reboot).

Do you think it makes sense?

Regards,
Mavis

#5 Updated by Tobias Brunner 3 months ago

Customer would like to drop the incoming data if no connection.

That's what you get with auto=route plus the connection will be brought up automatically if matching traffic is sent (that's not the case with auto=start in case there is a fatal error or the connection goes down for other reasons).

So the patch trap-policies-out-only can't be applied.

It could on the client, but inbound traffic would not be blocked.

We'll add a patch to schedule a job initiating connection when the connection is cleaned up by remote peer (remote peer reboot).

With auto=route the client will automatically create the connection again after the server is rebooted or the SA is closed for other reasons when traffic matches the trap policies again. With auto=start you'd need to configure additional settings for that (closeaction/dpdaction) and it might still not be 100% stable.
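The two client-side configurations discussed in this thread side by side, as an added illustration that is not part of the ticket or of the strongSwan project's own documentation. Addresses and subnets are placeholders, the PSK is assumed to live in ipsec.secrets (not shown), and only the keys that matter for the trap-versus-start behaviour are spelled out; the remote "auto=add" server needs no change for either variant.

```conf
# Added example, not from the ticket. Placeholder addresses throughout.

config setup

# Variant A: auto=route (swanctl.conf: start_action = trap).
# The conn is loaded and trap policies are installed for
# leftsubnet <-> rightsubnet. The first matching outbound packet
# raises a kernel acquire and the client initiates; unprotected
# inbound packets matching the policy are dropped. After the server
# reboots and the SA is torn down, the trap policies remain, so the
# next matching outbound packet re-creates the tunnel.
conn site-client-route
    keyexchange=ikev2
    left=192.0.2.1            # placeholder client address
    leftsubnet=10.1.0.0/16    # placeholder
    right=198.51.100.1        # placeholder server (auto=add side)
    rightsubnet=10.2.0.0/16   # placeholder
    authby=psk                # assumption; secret in ipsec.secrets
    auto=route

# Variant B: auto=start (swanctl.conf: start_action = start).
# The tunnel is brought up once at daemon start; nothing re-triggers
# it when it goes away, so closeaction/dpdaction are the additional
# settings needed to re-initiate after the peer deletes the SA or
# stops responding (swanctl.conf: close_action = start,
# dpd_delay = 30s, dpd_action = start).
conn site-client-start
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=psk
    auto=start
    closeaction=restart       # re-initiate when the peer closes the SA
    dpddelay=30s              # send DPD probes every 30s (IKEv2)
    dpdaction=restart         # re-initiate when DPD declares the peer dead
```

The security-relevant difference is what the kernel holds while no CHILD_SA exists: with auto=route the trap policies stay installed, so matching traffic in either direction is never passed in the clear, whereas with auto=start the policies disappear together with the SA, leaving a window between the SA going down and the restart in which matching traffic is not covered by any IPsec policy at all. That is why the thread treats closeaction/dpdaction as a workaround rather than an equivalent.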

#6 Updated by li yang 2 months ago

Hi Tobias,
Thanks for your reply.
Our scenario is that the remote peer is configured with "auto=add" only, which does not support "auto=route". In this case, we have to add a patch to re-create the connection.
Please close this ticket. Thanks.

Regards,
Mavis

#7 Updated by Tobias Brunner 2 months ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Resolution set to No change required
