I have a strongSwan configuration inspired by the trap-any test case:
```
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn lan
    right=%any
    leftsubnet=fd12:3456:7890:abcd::/64
    rightsubnet=fd12:3456:7890:abcd::/64
    type=transport
    authby=psk
    auto=route
```
This automatically negotiates an SA with any system on my local subnet I try to connect with; in general, it's doing the Right Thing.
However, when I multicast to my whole subnet:
```
ping6 -I fd12:3456:7890:abcd::1234 ff02::1
```
...not only do I get responses from, and set up security associations with, the other systems (yay!), but I also have two separate security associations generated for communicating with the local host itself, with fd12:3456:7890:abcd::1234 as both initiator and responder.
My first thought was to avoid this like so:
```
conn local
    type=passthrough
    left=fd12:3456:7890:abcd::1234
    right=fd12:3456:7890:abcd::1234
```
...but that doesn't actually prevent the loopback connections.
By contrast, with:
```
conn local
    type=passthrough
    right=%any
    rightsubnet=fd12:3456:7890:abcd::1234/128
```
...no security associations are established at all.
How can I avoid SAs for local traffic in this mode?
Lessons learned: leftsubnet and rightsubnet; auto=route, even for a passthrough connection. Thus:
Many thanks to Thermi in the #strongswan IRC channel.
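As an added illustration of the lessons above (this is not the poster's own configuration, which is not shown on the page), a complete ipsec.conf in which the passthrough connection carries both leftsubnet and rightsubnet plus auto=route, alongside the original trap-any style connection. It assumes fd12:3456:7890:abcd::1234 is this host's address on the /64.

```conf
# Added example, not the original poster's configuration.
# Assumes fd12:3456:7890:abcd::1234 is this host's own address.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

# Exempt the host's own address from IPsec. Both leftsubnet and
# rightsubnet are given so that the out/in policy pair is installed;
# with auto=route the passthrough policy is installed as a bypass and,
# being narrower (/128), takes precedence over the /64 trap policy
# below, so no SA is negotiated for local-to-local traffic.
conn local
    type=passthrough
    leftsubnet=fd12:3456:7890:abcd::1234/128
    rightsubnet=fd12:3456:7890:abcd::1234/128
    auto=route

# Trap policy for the rest of the subnet: the first packet to a peer
# triggers IKE negotiation with that peer, as in the original setup.
conn lan
    right=%any
    leftsubnet=fd12:3456:7890:abcd::/64
    rightsubnet=fd12:3456:7890:abcd::/64
    type=transport
    authby=psk
    auto=route
```

To confirm the effect, `ip xfrm policy` should list the /128 entries for both `dir out` and `dir in` with a lower priority value (higher precedence) than the /64 trap entries, and after the multicast ping the SA listing should show no SA with the local address on both ends.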