strongSwan cannot install IPsec policies on OpenBSD


strongSwan cannot install IPsec policies on OpenBSD

Peter Müller
Hello openbsd-misc,

due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an
OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA
fails (as expected):

> unable to install IPsec policies (SPD) in kernel
> failed to establish CHILD_SA, keeping IKE_SA

To those who are running strongSwan as an IPsec client on OpenBSD: Which is the best
procedure in this case? Are there other methods of installing IPsec policies into the
kernel available?

Thanks for any help in advance.

Best regards,
Peter Müller

P.S.: In case anybody wonders about the "OpenIKED flaws", these are as follows:
(a) Restarting single connections is not possible
(b) Dead Peer Detection is missing (I am aware of ifstated as a "replacement", but since
    there seems to be no way of restarting a single IPsec connection, restarting the whole
    iked daemon causes operational tunnels to crash)
(c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
(d) Does not seem to support more than one private key

Apart from that, I really appreciate OpenIKED especially for its configuration file
syntax, but unfortunately cannot use it primarily due to (a) and (d).


Re: strongSwan cannot install IPsec policies on OpenBSD

Stuart Henderson
On 2020-02-14, Peter Müller <[hidden email]> wrote:

> Hello openbsd-misc,
>
> due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an
> OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA
> fails (as expected):
>
>> unable to install IPsec policies (SPD) in kernel
>> failed to establish CHILD_SA, keeping IKE_SA
>
> To those who are running strongSwan as an IPsec client on OpenBSD: Which is the best
> procedure in this case? Are there other methods of installing IPsec policies into the
> kernel available?

strongSwan's module to install policies to the kernel (kernel-pfkey) does
not support OpenBSD without making code changes. Not impossible but hasn't
been done. Only their userland setup that works with tun(4) devices
(slightly confusingly called kernel-ipsec) is available.


> P.S.: In case anybody wonders about the "OpenIKED flaws", these are as follows:
> (a) Restarting single connections is not possible
> (b) Dead Peer Detection is missing (I am aware of ifstated as a "replacement", but since
>     there seems to be no way of restarting a single IPsec connection, restarting the whole
>     iked daemon causes operational tunnels to crash)
> (c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
> (d) Does not seem to support more than one private key

(e) no client side address-config
(f) doesn't work with intermediate certs
(plus some other missing things that would make life a lot easier, especially
punting EAP off to a radius server ;)

> Apart from that, I really appreciate OpenIKED especially for its configuration file
> syntax, but unfortunately cannot use it primarily due to (a) and (d).


Re: strongSwan cannot install IPsec policies on OpenBSD

Peter Müller
Hello Stuart,

thanks for your quick reply.


> On 2020-02-14, Peter Müller <[hidden email]> wrote:
>> Hello openbsd-misc,
>>
>> due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an
>> OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA
>> fails (as expected):
>>
>>> unable to install IPsec policies (SPD) in kernel
>>> failed to establish CHILD_SA, keeping IKE_SA
>>
>> To those who are running strongSwan as an IPsec client on OpenBSD: Which is the best
>> procedure in this case? Are there other methods of installing IPsec policies into the
>> kernel available?
>
> strongSwan's module to install policies to the kernel (kernel-pfkey) does
> not support OpenBSD without making code changes. Not impossible but hasn't
> been done. Only their userland setup that works with tun(4) devices
> (slightly confusingly called kernel-ipsec) is available.

Hm, after fiddling around for a while, I am a bit helpless on this. Do you happen to have
some example configuration? If yes, I would be very grateful to see it. :-)

Thanks, and best regards,
Peter Müller

>
>
>> P.S.: In case anybody wonders about the "OpenIKED flaws", these are as follows:
>> (a) Restarting single connections is not possible
>> (b) Dead Peer Detection is missing (I am aware of ifstated as a "replacement", but since
>>     there seems to be no way of restarting a single IPsec connection, restarting the whole
>>     iked daemon causes operational tunnels to crash)
>> (c) IKE is missing AES-GCM support (while ESP does - not sure why this is)
>> (d) Does not seem to support more than one private key
>
> (e) no client side address-config
> (f) doesn't work with intermediate certs

Glad you mention it. I was bumping into something similar already and wondered why things
won't work...

> (plus some other missing things that would make life a lot easier, especially
> punting EAP off to a radius server ;)
>
>> Apart from that, I really appreciate OpenIKED especially for its configuration file
>> syntax, but unfortunately cannot use it primarily due to (a) and (d).
>


Re: strongSwan cannot install IPsec policies on OpenBSD

Stuart Henderson
On 2020/02/16 18:25, Peter Müller wrote:

> Hello Stuart,
>
> thanks for your quick reply.
>
>
> > On 2020-02-14, Peter Müller <[hidden email]> wrote:
> >> Hello openbsd-misc,
> >>
> >> due to some flaws in OpenIKED, I am forced to use strongSwan as an IPsec client on an
> >> OpenBSD 6.6 machine. While establishing an IKE_SA works fine, installing policies for CHILD_SA
> >> fails (as expected):
> >>
> >>> unable to install IPsec policies (SPD) in kernel
> >>> failed to establish CHILD_SA, keeping IKE_SA
> >>
> >> To those who are running strongSwan as an IPsec client on OpenBSD: Which is the best
> >> procedure in this case? Are there other methods of installing IPsec policies into the
> >> kernel available?
> >
> > strongSwan's module to install policies to the kernel (kernel-pfkey) does
> > not support OpenBSD without making code changes. Not impossible but hasn't
> > been done. Only their userland setup that works with tun(4) devices
> > (slightly confusingly called kernel-ipsec) is available.
>
> Hm, after fiddling around for a while, I am a bit helpless on this. Do you happen to have
> some example configuration? If yes, I would be very grateful to see it. :-)

I put a sanitized version of my config in the pkg-readme file in the
strongswan package - but I only used it for a very basic EAP-MSCHAP
client (and I don't know strongswan very well; I normally only use it
on Android with the gui configuration tool) so there is nothing fancy
in there.


Re: strongSwan cannot install IPsec policies on OpenBSD

Peter Müller
Hello Stuart,

>>>
>>> strongSwan's module to install policies to the kernel (kernel-pfkey) does
>>> not support OpenBSD without making code changes. Not impossible but hasn't
>>> been done. Only their userland setup that works with tun(4) devices
>>> (slightly confusingly called kernel-ipsec) is available.
>>
>> Hm, after fiddling around for a while, I am a bit helpless on this. Do you happen to have
>> some example configuration? If yes, I would be very grateful to see it. :-)
>
> I put a sanitized version of my config in the pkg-readme file in the
> strongswan package - but I only used it for a very basic EAP-MSCHAP
> client (and I don't know strongswan very well; I normally only use it
> on Android with the gui configuration tool) so there is nothing fancy
> in there.
>

Thank you - unfortunately, it does not seem to work here. An IKE_SA is successfully
established, CHILD_SA fails with the same error message. If "installpolicy=no" is
appended to the appropriate connection in /etc/strongswan/ipsec.conf, both IKE_SA
and CHILD_SA can be established but no traffic will be routed through the tunnel:

> Status of IKE charon daemon (strongSwan 5.8.1, OpenBSD 6.6, amd64):
>   uptime: 2 minutes, since Feb 17 15:44:04 2020
>   worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 6
>   loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem botan fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm attr kernel-libipsec kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap counters
> Listening IP addresses:
>   94.xxx.xxx.xxx
>   2a03:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> Connections:
>        N2NTESTCONN:  xxx...yyy  IKEv2, dpddelay=10s
>        N2NTESTCONN:   local:  [xxx] uses public key authentication
>        N2NTESTCONN:    cert:  "C=EU, O=xxx, CN=xxx"
>        N2NTESTCONN:   remote: [yyy] uses public key authentication
>        N2NTESTCONN:    cert:  "C=EU, O=yyy, CN=yyy"
>        N2NTESTCONN:   child:  10.xxx.xxx.2/32 === 10.yyy.yyy.0/24 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>        N2NTESTCONN[1]: ESTABLISHED 2 minutes ago, 94.xxx.xxx.xxx[xxx]...87.yyy.yyy.yyy[yyy]
>        N2NTESTCONN[1]: IKEv2 SPIs: a14ff33decbcc124_i* 2a6d95dc56127468_r, public key reauthentication in 2 hours
>        N2NTESTCONN[1]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
>        N2NTESTCONN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f44fa42e_i cf5467e8_o
>        N2NTESTCONN{1}:  AES_GCM_16_256, 5040 bytes_i (60 pkts, 0s ago), 0 bytes_o, rekeying in 42 minutes
>        N2NTESTCONN{1}:   10.xxx.xxx.2/32 === 10.yyy.yyy.0/24

Traffic from the remote IPsec peer (which is a Linux machine) successfully reaches the
OpenBSD system ("5040 bytes_i"), but responses do not make it back ("0 bytes_o"). Actually,
this is where I need help - manually installing SAs does not make sense to me.

Thank you in advance for any hints.

Best regards,
Peter Müller

P.S.: Sorry, I thought I had sent this to <[hidden email]> already, but put in some
crappy To-Header. Sleep is no adequate substitution for caffeine... :-/
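One way to catch the one-way-traffic symptom shown in the status output above (inbound bytes counted, zero outbound) from a monitoring script, as an added example that is not part of this thread or of the strongswan package: the function name oneway_child_sas is hypothetical, the parsing assumes the "N bytes_i (...), M bytes_o" line layout of `ipsec statusall` as quoted above, and the sample input is constructed from those quoted lines plus a made-up healthy connection.

```shell
#!/bin/sh
# Added example (not from the thread): report CHILD_SAs whose counters show
# inbound traffic but no outbound traffic, i.e. the "5040 bytes_i / 0 bytes_o"
# situation described in the thread. Reads `ipsec statusall`-style text on stdin
# and prints one CHILD_SA name per line.
oneway_child_sas() {
    awk '
    /bytes_i/ && /bytes_o/ {
        # first field is the SA name, e.g. "N2NTESTCONN{1}:"; drop the colon
        name = $1; sub(/:$/, "", name)
        in_b = -1; out_b = -1
        # the byte count is the field immediately before "bytes_i"/"bytes_o"
        # (the keyword may carry a trailing comma when no packet info follows)
        for (i = 2; i <= NF; i++) {
            if ($i == "bytes_i" || $i == "bytes_i,") in_b = $(i - 1)
            if ($i == "bytes_o" || $i == "bytes_o,") out_b = $(i - 1)
        }
        if (in_b > 0 && out_b == 0) print name
    }'
}

# Constructed sample: the two N2NTESTCONN lines are modelled on the status
# output quoted in the thread; HEALTHYCONN is an invented two-way tunnel.
SAMPLE_STATUS='       N2NTESTCONN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f44fa42e_i cf5467e8_o
       N2NTESTCONN{1}:  AES_GCM_16_256, 5040 bytes_i (60 pkts, 0s ago), 0 bytes_o, rekeying in 42 minutes
       HEALTHYCONN{2}:  AES_GCM_16_256, 1200 bytes_i (10 pkts, 1s ago), 980 bytes_o (9 pkts, 1s ago), rekeying in 40 minutes'

# Stand-alone run: prints "N2NTESTCONN{1}" for the sample above.
printf '%s\n' "$SAMPLE_STATUS" | oneway_child_sas
```

In practice the output of `ipsec statusall` (or `swanctl --list-sas`, whose layout differs and would need its own pattern) would be piped into the function from cron or a monitoring agent; an empty result means every installed CHILD_SA is carrying traffic in both directions, and a listed name points at a tunnel whose return path is missing, as in the case described in the thread.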


Re: strongSwan cannot install IPsec policies on OpenBSD

Peter Müller
Hello openbsd-misc,

is anybody out there running strongSwan as an IPsec client for a net-to-net connection
on an OpenBSD machine?

If so, I would be very grateful to know which steps are necessary in order to successfully
route traffic through this n2n connection and what your ipsec.conf file (and other ones,
if necessary) looks like.

Sorry for bringing this up again, but I am out of ideas now and packaging strongSwan
for OpenBSD would not make sense if it could not be used properly. :-)

Thanks again for any advice on this.

Best regards,
Peter Müller


Re: strongSwan cannot install IPsec policies on OpenBSD

Hrvoje Popovski
On 20.2.2020. 18:47, Peter Müller wrote:

> Hello openbsd-misc,
>
> is anybody out there running strongSwan as an IPsec client for a net-to-net connection
> on an OpenBSD machine?
>
> If so, I would be very grateful to know which steps are necessary in order to successfully
> route traffic through this n2n connection and what your ipsec.conf file (and other ones,
> if necessary) looks like.
>
> Sorry for bringing this up again, but I am out of ideas now and packaging strongSwan
> for OpenBSD would not make sense if it could not be used properly. :-)
>
> Thanks again for any advice on this.
>
> Best regards,
> Peter Müller
>

Maybe a stupid question... can you use isakmpd on the OpenBSD box and
strongSwan on the other box? I have a working configuration for a
site-to-site setup and it's working quite well ..



Re: strongSwan cannot install IPsec policies on OpenBSD

Stuart Henderson
On 2020-02-20, Peter Müller <[hidden email]> wrote:

> Hello openbsd-misc,
>
> is anybody out there running strongSwan as an IPsec client for a net-to-net connection
> on an OpenBSD machine?
>
> If so, I would be very grateful to know which steps are necessary in order to successfully
> route traffic through this n2n connection and what your ipsec.conf file (and other ones,
> if necessary) looks like.
>
> Sorry for bringing this up again, but I am out of ideas now and packaging strongSwan
> for OpenBSD would not make sense if it could not be used properly. :-)
>
> Thanks again for any advice on this.
>
> Best regards,
> Peter Müller
>
>

strongSwan is packaged because it covers for some deficiencies in the
tools in base and works in some use cases (say, single machine connecting
to a VPN which needs EAP for authentication), that is a good enough use
case that it makes sense to package it.

I don't know how I could make it clearer than I already did in the
package description and pkg-readme file about the state of support - you
really want something else for lan-to-lan on OpenBSD.