
Is there something like local = left which I could use in the strongSwan configuration?

I don’t want to use any IP addresses, as they might change. And I don’t want the server to guess it; I want to fix it that way beyond any doubt.

In all of my “client-to-site” configurations I could not copy the configuration over to the other side unmodified. Not even the connection section alone. Together with the fact that there seems to be no way to force it, this left/right division is really not to my liking...

Robert Siemer

1 Answer


`left = local` is the default. Only if an IP or resolved FQDN defined in `right` matches a local IP will the sides be switched. The left|right distinction is a legacy from FreeS/WAN and obviously mostly useful in site-to-site and host-to-host scenarios.

Edit: The `charon.plugins.stroke.allow_swap` option mentioned in the comments, which allows ensuring `left = local`, is supported since strongSwan 5.3.3.

An alternative is to use a VICI/swanctl-based config, which allows you to specify local and remote addresses unambiguously.

ecdsa
  • But if the local IP/hostname is in `right` the config wouldn't work anyway, right? And yes, FQDNs are resolved by the _stroke_ plugin when it does this check. – ecdsa Jul 31 '15 at 08:56
  • That is exactly the problem: whether the config works or not has to be ensured by the admin (there is no guarantee that it doesn’t work). – This is why I don’t like this “automatic” left/right thing! – Robert Siemer Jul 31 '15 at 11:38
  • Yeah, well it's there for legacy reasons. But if you adhere to the _l_eft=_l_ocal, _r_ight=_r_emote convention there shouldn't really be any problems. – ecdsa Jul 31 '15 at 15:09
  • I adhere to that convention, but strongSwan might not! ← That’s my problem. – I want to configure strongSwan that way, i.e. I want to make sure there is no way that strongSwan can be tricked into swapping those around. – Robert Siemer Jul 31 '15 at 15:14
  • How can it get "tricked" into swapping them around? And what problem do you see with that exactly? – ecdsa Aug 03 '15 at 10:36
  • Imagine the administrator creates a web configuration tool, where some parameters can be entered freely by a user. E.g. the user is free to fix its IP in the configuration of strongSwan. The administrator is responsible for sanitizing all parameters given. If the user passes an IP, where he maliciously uses the IP of the server, the administrator ends up with right being local, which he might not have had in mind. It will depend on the actual configuration whether this swap is dangerous or not. – The correct fix would be to include something in the configuration that assures that left is local. – Robert Siemer Aug 03 '15 at 14:14
  • For such scenarios other configuration backends, like _sql_ or _vici_, might be better suited than writing ipsec.conf snippets. And you could always block the server's IP and not allow hostnames. But I get that it could be problematic in this situation. I pushed a patch to the [stroke-swap branch](https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/stroke-swap) of the strongSwan Git repository, that allows you to disable the _left|right_ check globally by disabling the `charon.plugins.stroke.allow_swap` strongswan.conf option. – ecdsa Aug 03 '15 at 17:43