Andreas,

Thank you again for responding. Indeed, the explanation concerning the asymmetry for leftprotoport= and rightprotoport= is quite simple.

Do you confirm that calling "ipsec up net-net" on the 'net-net' connection from your example will create IPsec SAs only corresponding to "conn net-net" and to "conn host-host" (because specified by also=host-host), but that connections "conn proto1" and "conn proto2" are not started yet? If this is true, then the CHILD_SAs created at this stage (after the first "ipsec up") cover all protocols between the specified subnets (because proto1 & proto2 are not started). Then, when proto1 and proto2 are started, the traffic is narrowed down to the specified protocols (via a rekeying of CHILD_SAs??). Do you confirm?

If this is confirmed, then the IPsec-ed traffic depends, when using 'also=', on the order of calling "ipsec up" and requires that both ends of the tunnel start up connections in the same order.

Best Regards
Mugur

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Saturday, 26 December 2009 17:31
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; Pisano, Stephen G (Stephen); ROSSI, MICHEL MR (MICHEL)
Subject: Re: [strongSwan] Several TS on a same connection

ABULIUS, MUGUR (MUGUR) wrote:
> Hello Andreas,
>
> Thank you for your help.
>
> From your answer I conclude that between two peers at most one IKE_SA
> (= at most one IPsec tunnel) can be created regardless of how multiple
> "conn" directives are specified (with or without %default or 'also=').
>
Yes, this is true. But you can execute e.g. ipsec up net-net several times and multiple IPsec SAs for the same traffic selectors are created. Usually only the last-created SA is actually used for traffic, though. One of our pending projects intends to create multiple tunnels for different QoS classes but this would require some fundamental changes in the Linux kernel.

> I don't really understand the asymmetry of values for
> leftprotoport=tcp and rightprotoport=tcp/http in your example. My
> understanding of the example is that all tcp packets from local
> (=left) to remote (=right) are tunneled but only http packets from
> remote to local are tunneled. Is my assumption correct?
>
The explanation is quite simple: If an application wants to reach a service under a well-known port (e.g. 80 for http or 25 for smtp) then the source port will be an arbitrary higher port which we cannot predict. Therefore we include all possible TCP or UDP ports since port range restrictions are not currently supported by the Linux kernel.

> In this case which data flows (subnets and protos) are exactly
> protected by the first CHILD_SA and which by the second CHILD_SA?
>
The first CHILD_SA would set up the IPsec SA for the following policy:

  10.5.0.0/16[tcp/0] .. 10.6.0.0/16[tcp/http]

and the second:

  10.5.0.0/16[tcp/0] .. 10.6.0.0/16[tcp/smtp]

Actually there was a copy-and-paste error in my previous email. rightsubnet was supposed to be 10.6.0.0/16.

Best regards

Andreas

> Best Regards
> Mugur
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Saturday, 26 December 2009 14:48
> To: ABULIUS, MUGUR (MUGUR)
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Several TS on a same connection
>
> Hello Mugur,
>
> it does not matter if you define each tunnel between two peers
> independently or if you use conn %default or an also= construct to
> save typing work. All tunnels, i.e. a definition of traffic selectors,
> are grouped under the same IKE_SA which is going to be established
> between the two peers.
>
> The IKEv2 charon daemon allows the enumeration of several traffic
> selectors for the same CHILD_SA using left|rightsubnet:
>
>   leftsubnet=10.1.0.0/16,10.3.0.0/16
>   rightsubnet=10.2.0.0/16,10.4.0.0/16
>
> will establish the following four IPsec SAs with a single CHILD_SA:
>
>   10.1.0.0/16 - 10.2.0.0/16
>   10.1.0.0/16 - 10.4.0.0/16
>   10.3.0.0/16 - 10.2.0.0/16
>   10.3.0.0/16 - 10.4.0.0/16
>
> Currently traffic selectors with protocol/port restrictions using the
> left|rightprotoport parameters cannot be grouped together in a single
> CHILD_SA. You will have to define a separate conn description for each
> protocol/port combination resulting in a separate CHILD_SA exchange.
> Thus the example
>
>   conn net-net
>       also=host-host
>       leftsubnet=10.1.0.0/16,10.3.0.0/16
>       rightsubnet=10.2.0.0/16,10.4.0.0/16
>       auto=start
>
>   conn proto1
>       also=host-host
>       leftsubnet=10.5.0.0/16
>       rightsubnet=10.5.0.0/16
>       leftprotoport=tcp
>       rightprotoport=tcp/http
>       auto=start
>
>   conn proto2
>       also=host-host
>       leftsubnet=10.5.0.0/16
>       rightsubnet=10.5.0.0/16
>       leftprotoport=tcp
>       rightprotoport=tcp/smtp
>       auto=start
>
>   conn host-host
>       left=<IP address of left>
>       right=<IP address of right>
>
> would create six IPsec SAs between left and right, using a primary
> IKE_AUTH and two additional CHILD_SA exchanges.
>
> Best regards
>
> Andreas
>
> ABULIUS, MUGUR (MUGUR) wrote:
>> Hello,
>>
>> I looked at the strongSwan connection parameters
>> (http://wiki.strongswan.org/wiki/1/ConnSection) and I am not sure how
>> to define several tunnels between the same endpoints, each tunnel
>> with several traffic selectors.
>>
>> In my understanding an independent tunnel is defined by a "conn
>> <name>" directive with the condition that its body does not contain
>> an "also = <section name>" directive.
>>
>> Now, I want, for each tunnel, to include several traffic selectors;
>> i.e. several "left|rightprotoport = <protocol>/<port>" and several
>> "left|rightsubnet = <ip subnet>".
>>
>> Moreover I want to combine traffic selectors in a specific way for a
>> same connection. For example to specify somehow
>>
>>   leftprotoport=icmp ONLY for leftsubnet=192.168.10.0/24 and
>>   leftprotoport=UDP ONLY for leftsubnet=172.16.10.0/24
>>
>> Can you please specify all the possibilities of using the
>> IKEv2 extended traffic selector concept with strongSwan.
>>
>> Thank you
>> Mugur

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

Users mailing list - Users@lists.strongswan.org - https://lists.strongswan.org/mailman/listinfo/users
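The thread above reasons about three ipsec.conf rules: also= pulls a template section into a conn, a comma-separated left|rightsubnet list yields one IPsec SA per left x right subnet pair inside a single CHILD_SA, and left|rightprotoport narrows a policy to one protocol/port (with a bare "tcp" meaning tcp/0, i.e. any port). The script below is an added example, not strongSwan code and not part of the original mails: it parses a small ipsec.conf-style text, resolves also= and %default, and expands each started conn into the policies that Andreas's example implies, reproducing his count of six IPsec SAs over three CHILD_SAs. The sample config is the one from the 14:48 mail with the rightsubnet correction (10.6.0.0/16) from the 17:31 mail applied; the endpoint addresses, the tiny service-name table and the auto=start filter are assumptions made for the example.

```python
"""Expand a strongSwan-style ipsec.conf into the IPsec policies it implies.

Added example, not strongSwan code.  Modelled rules (from the thread):
  * also=<section> pulls in that section (explicit keys in the conn win);
    conn %default applies to every conn;
  * comma-separated left|rightsubnet: one policy per left x right pair,
    all negotiated in ONE CHILD_SA;
  * left|rightprotoport narrows a policy; "tcp" means tcp/0 (any port),
    because port ranges are not supported, as Andreas explains.
"""
from __future__ import annotations

import itertools
import re
from dataclasses import dataclass

# Constructed service-name table; strongSwan itself consults /etc/services.
SERVICES = {"http": 80, "smtp": 25}

# Constructed sample: the thread's config with rightsubnet=10.6.0.0/16 applied
# and documentation addresses (RFC 5737) standing in for the real endpoints.
SAMPLE_CONF = """
conn net-net
    also=host-host
    leftsubnet=10.1.0.0/16,10.3.0.0/16
    rightsubnet=10.2.0.0/16,10.4.0.0/16
    auto=start

conn proto1
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.6.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/http
    auto=start

conn proto2
    also=host-host
    leftsubnet=10.5.0.0/16
    rightsubnet=10.6.0.0/16
    leftprotoport=tcp
    rightprotoport=tcp/smtp
    auto=start

conn host-host
    left=192.0.2.1
    right=198.51.100.1
"""


@dataclass(frozen=True)
class Policy:
    left: str
    right: str
    left_pp: str
    right_pp: str

    def __str__(self) -> str:
        return f"{self.left}[{self.left_pp}] .. {self.right}[{self.right_pp}]"


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse 'conn NAME' sections followed by indented key=value lines."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line or not raw[0].isspace():
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return sections


def resolve(sections: dict, name: str, _seen: frozenset = frozenset()) -> dict[str, str]:
    """Effective parameters of a conn after %default and (recursive) also=."""
    if name in _seen:
        raise ValueError(f"also= cycle through {name}")
    own = sections[name]
    merged = dict(sections.get("%default", {}))
    if "also" in own:
        merged.update(resolve(sections, own["also"], _seen | {name}))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def normalize_protoport(value: str | None) -> str:
    """'tcp' -> 'tcp/0' (any port); 'tcp/http' -> 'tcp/80'; absent -> 'any'."""
    if value is None:
        return "any"
    proto, _, port = value.partition("/")
    if port == "":
        port = "0"
    elif not port.isdigit():
        port = str(SERVICES[port])      # KeyError for an unknown service name
    return f"{proto}/{port}"


def expand_policies(params: dict[str, str]) -> list[Policy]:
    """One policy per left x right subnet pair (the page's 2x2 -> 4 SAs)."""
    lefts = [s.strip() for s in params.get("leftsubnet", params["left"] + "/32").split(",")]
    rights = [s.strip() for s in params.get("rightsubnet", params["right"] + "/32").split(",")]
    lpp = normalize_protoport(params.get("leftprotoport"))
    rpp = normalize_protoport(params.get("rightprotoport"))
    return [Policy(l, r, lpp, rpp) for l, r in itertools.product(lefts, rights)]


def plan(text: str) -> dict[str, list[Policy]]:
    """Map each conn that is actually started (auto=start) to its policies.
    Each started conn is one CHILD_SA; host-host is only a template here."""
    sections = parse_conf(text)
    return {name: expand_policies(resolve(sections, name))
            for name in sections
            if name != "%default" and resolve(sections, name).get("auto") == "start"}


def summary(text: str = SAMPLE_CONF) -> tuple[int, int]:
    """(number of CHILD_SAs, number of IPsec SAs) implied by the config."""
    p = plan(text)
    return len(p), sum(len(v) for v in p.values())


if __name__ == "__main__":
    for name, policies in plan(SAMPLE_CONF).items():
        print(f"conn {name}: one CHILD_SA, {len(policies)} IPsec SA(s)")
        for pol in policies:
            print(f"    {pol}")
    print("total CHILD_SAs, IPsec SAs:", summary())
```

Running it prints four protocol-agnostic policies for net-net and one narrowed policy each for proto1 (tcp/0 .. tcp/80) and proto2 (tcp/0 .. tcp/25), i.e. three CHILD_SA negotiations and six IPsec SAs, which is the count Andreas gives. Because the expansion is per conn, it also makes Mugur's follow-up concern visible: the policies installed at any moment are exactly those of the conns brought up so far, so bringing conns up in a different order on the two peers changes which selectors are in place until all three are up.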