search

strongswan / strongMan

Management UI for strongSwan
https://www.strongswan.org/
Other
117 stars 39 forks source link

Can the Remote traffic selector write to multiple subnets? #153

Closed TelDragon closed 7 months ago

TelDragon commented 8 months ago

Remote traffic selector

Remote traffic selectors to include inCHILD SA.Each selector is a ClDRsubnet definition, followed by anoptional proto/port selector. Thespecial value dynamic may be usedinstead of a subnet definition, whichgets replaced by the tunnel outeraddress or the virtual lP, if negotiatedThis is the default

By default, if it is empty, then my client traffic selector looks like this

remote_ts = 172.17.62.0/24
local_ts = 192.168.1.0/24

The client abandoned the connection because they could not find the matching traffic selector

received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

If a piece of data is written, it will match successfully and connect

Remote traffic selector           192.168.1.0/24

If multiple subnets are written, it will not take effect.Or is it because the format I filled in is incorrect?

Remote traffic selector           192.168.1.0/24,192.168.0.0/24
TelDragon commented 8 months ago

Okay, I accidentally chose everything, they can be connected. But I still want specific and different subnets

Remote traffic selector  0.0.0.0/0

swanctl --list-sas

Server_EAP_1: #1730, ESTABLISHED, IKEv2, 198558dca7e0119a_i a56c41514bc4df66_r*
  local  '**.com.cn' @ 172.17.62.205[4500]
  remote '192.168.0.188' @ **[4500] EAP: 'Tianyi_Cloud' [51.51.51.3]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
  established 40s ago, rekeying in 12949s
  Server_EAP_1: #3643, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 40s ago, rekeying in 3250s, expires in 3920s
    in  c4333201,    168 bytes,     2 packets,    27s ago
    out ce3cf18f,    168 bytes,     2 packets,    28s ago
    local  172.17.62.0/24
    remote 192.168.0.0/24
Server_EAP_1: #1729, ESTABLISHED, IKEv2, e159f6350641f23a_i fb2cd52c14dbfae7_r*
  local  '**.com.cn' @ 172.17.62.205[4500]
  remote '192.168.1.5' @ **[9067] EAP: 'EPD_office' [51.51.51.2]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
  established 78s ago, rekeying in 13549s
  Server_EAP_1: #3642, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 78s ago, rekeying in 3275s, expires in 3882s
    in  c14b0108,    336 bytes,     4 packets,    55s ago
    out c2a9bf5a,    336 bytes,     4 packets,    55s ago
    local  172.17.62.0/24
    remote 192.168.1.0/24
[root@iZ2zea13jdgtrkqnws5x3lZ ~]# ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=18.0 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=18.0 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=64 time=18.3 ms
^C
--- 192.168.1.5 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3003ms
rtt min/avg/max/mdev = 18.009/18.150/18.399/0.235 ms
[root@iZ2zea13jdgtrkqnws5x3lZ ~]# ping 192.168.0.188
PING 192.168.0.188 (192.168.0.188) 56(84) bytes of data.
64 bytes from 192.168.0.188: icmp_seq=1 ttl=64 time=39.2 ms
64 bytes from 192.168.0.188: icmp_seq=2 ttl=64 time=39.2 ms
^C
tobiasbrunner commented 8 months ago

The client abandoned the connection because they could not find the matching traffic selector

The message indicates that such an error was received, not sent. You have to check the log on the other end for details (possibly increase the log level for cfg to 2).

If multiple subnets are written, it will not take effect.Or is it because the format I filled in is incorrect?

That probably depends on the other peer's config (and if it actually supports this, proprietary clients often do not). Read the logs.

TelDragon commented 8 months ago

I have reviewed the child node document in the swanctl configuration file, which indicates the use of comma separation.

https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html

.local_ts | [→] | Comma-separated list of local traffic selectors to include in CHILD_SA. Each selector is a CIDR subnet definition, followed by an optional proto/port selector. The special value dynamic may be used instead of a subnet definition, which gets replaced by the tunnel outer address or the virtual IP if negotiated. This is the default.A protocol/port selector is surrounded by opening and closing square brackets. Between these brackets, a numeric or getservent(3) protocol name may be specified. After the optional protocol restriction, an optional port restriction may be specified, separated by a slash. The port restriction may be numeric, a getservent(3) service name, or the special value opaque for RFC 4301 OPAQUE selectors. Port ranges may be specified as well, although none of the kernel backends currently supports them except the kernel-netlink plugin that is able to handle port ranges if they are defined by a bit mask (similar to a IP subnet mask) rather than an arbitrary range, see the following example for details.When IKEv1 is used, only the first selector is interpreted, except if the Cisco Unity extension plugin unity is used. This is due to a limitation of the IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA. So to tunnel traffic matched by several pairs of selectors when using IKEv1 several children (CHILD_SAs) have to be defined that cover the selectors. The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is standardized and implemented for IKEv2. However, this may lead to problems with other implementations. To avoid that, configure identical selectors in such scenarios. [dynamic] -- | -- | -- .remote_ts | [→] | Comma separated list of remote selectors to include in CHILD_SA. See local_ts for a description of the selector syntax. [dynamic] 


[→]

Comma-separated list of local traffic selectors to include in CHILD_SA. Each selector is a CIDR subnet definition, followed by an optional proto/port selector. The special value dynamic may be used instead of a subnet definition, which gets replaced by the tunnel outer address or the virtual IP if negotiated. This is the default.
A protocol/port selector is surrounded by opening and closing square brackets. Between these brackets, a numeric or getservent(3) protocol name may be specified. After the optional protocol restriction, an optional port restriction may be specified, separated by a slash. The port restriction may be numeric, a getservent(3) service name, or the special value opaque for [RFC 4301](https://datatracker.ietf.org/doc/html/rfc4301) OPAQUE selectors. Port ranges may be specified as well, although none of the kernel backends currently supports them except the kernel-netlink plugin that is able to handle port ranges if they are defined by a bit mask (similar to a IP subnet mask) rather than an arbitrary range, see the [following example](https://docs.strongswan.org/docs/5.9/config/quickstart.html#_for_specific_port_ranges) for details.
When IKEv1 is used, only the first selector is interpreted, except if the Cisco Unity extension plugin [unity](https://docs.strongswan.org/docs/5.9/plugins/unity.html) is used. This is due to a limitation of the IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA. So to tunnel traffic matched by several pairs of selectors when using IKEv1 several children (CHILD_SAs) have to be defined that cover the selectors. The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is standardized and implemented for IKEv2. However, this may lead to problems with other implementations. To avoid that, configure identical selectors in such scenarios. [dynamic]

<child>.remote_ts

[→]

Comma separated list of remote selectors to include in CHILD_SA. See local_ts for a description of the selector syntax. [dynamic]
TelDragon commented 8 months ago

The current configuration subnet order

Remote traffic selector           192.168.0.0/24,192.168.1.0/24

The server's list conns only display one,This may be a bug or functional improvement, Python parsing issue?

[root@iZ2zea13jdgtrkqnws5x3lZ log]# swanctl --list-conns
Server_EAP_1: IKEv2, no reauthentication, rekeying every 14400s
  local:  %any
  remote: %any
  local public key authentication:
    id: ***.com.cn
    certs: C=CH, O=51EPD, CN=***.com.cn
  remote EAP_MSCHAPV2 authentication:
    eap_id: %any
  Server_EAP_1: TUNNEL, rekeying every 3600s
    local:  172.17.62.0/24
    remote: 192.168.1.0/24
You have mail in /var/spool/mail/root

Here is the connection log for my second client

Wed, 2024-03-13, 23:51:40 08[IKE0] <Server_EAP_1|2> IKE_SA Server_EAP_1[2] established between 172.17.62.205[ipsec.51gcs.com.cn]...101.24.95.40[192.168.1.5]
Wed, 2024-03-13, 23:51:40 08[IKE2] <Server_EAP_1|2> IKE_SA Server_EAP_1[2] state change: CONNECTING => ESTABLISHED
Wed, 2024-03-13, 23:51:40 08[IKE1] <Server_EAP_1|2> scheduling rekeying in 13112s
Wed, 2024-03-13, 23:51:40 08[IKE1] <Server_EAP_1|2> maximum IKE_SA lifetime 14552s
Wed, 2024-03-13, 23:51:40 08[CFG2] <Server_EAP_1|2> looking for a child config for 172.17.62.0/24 === 192.168.1.0/24
Wed, 2024-03-13, 23:51:40 08[CFG2] <Server_EAP_1|2> proposing traffic selectors for us:
Wed, 2024-03-13, 23:51:40 08[CFG2] <Server_EAP_1|2>  172.17.62.0/24
Wed, 2024-03-13, 23:51:40 08[CFG2] <Server_EAP_1|2> proposing traffic selectors for other:
Wed, 2024-03-13, 23:51:40 08[CFG2] <Server_EAP_1|2>  192.168.0.0/24
Wed, 2024-03-13, 23:51:40 08[IKE1] <Server_EAP_1|2> traffic selectors 172.17.62.0/24 === 192.168.1.0/24 unacceptable
Wed, 2024-03-13, 23:51:40 08[ENC2] <Server_EAP_1|2> added payload of type NOTIFY to message
Wed, 2024-03-13, 23:51:40 08[IKE1] <Server_EAP_1|2> failed to establish CHILD_SA, keeping IKE_SA
Wed, 2024-03-13, 23:51:40 08[ENC2] <Server_EAP_1|2> order payloads in message
Wed, 2024-03-13, 23:51:40 08[ENC2] <Server_EAP_1|2> added payload of type AUTH to message

It seems to have only recognized my first subnet

After changing the subnet addition order

Remote traffic selector           192.168.1.0/24,192.168.0.0/24

It seems to have taken effect

Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> looking for a child config for 172.17.62.0/24 === 192.168.1.0/24
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> proposing traffic selectors for us:
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7>  172.17.62.0/24
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> proposing traffic selectors for other:
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7>  192.168.1.0/24
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7>   candidate "Server_EAP_1" with prio 5+5
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> found matching child config "Server_EAP_1" with prio 10
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> selecting proposal:
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7>   proposal matches
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> configured proposals: ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/MODP_4096/CURVE_25519/MODP_3072/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_128/CURVE_25519/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> selecting traffic selectors for us:
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7>  config: 172.17.62.0/24, received: 172.17.62.0/24 => match: 172.17.62.0/24
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7> selecting traffic selectors for other:
Wed, 2024-03-13, 23:59:00 09[CFG2] <Server_EAP_1|7>  config: 192.168.1.0/24, received: 192.168.1.0/24 => match: 192.168.1.0/24
Wed, 2024-03-13, 23:59:02 10[CFG2] vici client 90 connected

Client logs

Mar 13 23:59:00 pve charon-systemd[334592]: parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Mar 13 23:59:00 pve charon-systemd[334592]: authentication of '**.com.cn' with EAP successful
Mar 13 23:59:00 pve charon-systemd[334592]: installing new virtual IP 51.51.51.1
Mar 13 23:59:00 pve charon-systemd[334592]: peer supports MOBIKE
Mar 13 23:59:00 pve charon-systemd[334592]: IKE_SA client1[1] established between 192.168.1.5[192.168.1.5]...**[ipsec.51gcs.com.cn]
Mar 13 23:59:00 pve charon-systemd[334592]: scheduling rekeying in 13439s
Mar 13 23:59:00 pve charon-systemd[334592]: maximum IKE_SA lifetime 14879s
Mar 13 23:59:00 pve charon-systemd[334592]: selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
Mar 13 23:59:00 pve charon-systemd[334592]: CHILD_SA client{1} established with SPIs c7046298_i cfa8165b_o and TS 192.168.1.0/24 === 172.17.62.>

But my second client, which has a subnet of 192.168.0.188, cannot connect.

tobiasbrunner commented 8 months ago

Well, that's because strongMan does not support multiple traffic selectors (similar to the issue with multiple DNS servers you encountered before).

TelDragon commented 8 months ago

Well, that's because strongMan does not support multiple traffic selectors (similar to the issue with multiple DNS servers you encountered before).

Thank you for your reply. Will multiple traffic selectors be supported?

tobiasbrunner commented 8 months ago

Maybe at some point. Since you already patched in support for multiple DNS servers, you might be able to add this in a similar fashion (pools and child configs might be handled quite differently, though).

TelDragon commented 8 months ago

Maybe at some point. Since you already patched in support for multiple DNS servers, you might be able to add this in a similar fashion (pools and child configs might be handled quite differently, though).

Sorry, the issue of multiple DNS servers was not raised by me, but I will work hard to learn and learn from it. thanks

https://github.com/strongswan/strongMan/issues/149

tobiasbrunner commented 8 months ago

Ah, sorry about that.