Strongswan: Transport mode with non-specific remote hosts

Question

I am using strongSwan 5.2.1 on Debian Jessie, and am having trouble configuring it to do what I want.

Premise

In a test environment, I am seeking to use transport mode IPsec between a Linux virtual machine, and a Windows virtual machine configured as an FTP server in active mode. The IPsec will be applied only to FTP traffic; that is, traffic to/from TCP ports 20 and 21 on the Windows VM. All other traffic between the two hosts (e.g. pings) should be unencrypted.

In the real-world scenario I am doing this for, the FTP server's IP address will vary, thus I would like my strongSwan configuration to not have to reference a specific remote IP.

ipsec.conf file on Linux

Contents are as follows:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueid =  no
# Add connections here.
include /var/lib/strongswan/ipsec.conf.inc
conn main
    type=transport
    left=%any
    right=10.1.1.2
    leftauth=psk
    rightauth=psk
    ike=3des-sha1-modp1024
    esp=3des-sha1
    keyexchange=ikev1

conn data
    also=main
    rightsubnet=%dynamic[6/20]
    auto=route

conn command
    also=main
    rightsubnet=%dynamic[6/21]
    auto=route

The Issue

The IPsec.conf above does everything I want to do, except that the FTP server's IP address is specified in the file by the line right=10.1.1.2.

The also=route parameter means that the key exchange is only initiated when traffic is detected going to/from 10.1.1.2 on TCP ports 20 or 21. I want a configuration that initiates key exchange to any IP address when traffic is detected going to/from that address' TCP ports 20 and 21.

Is such a configuration possible in strongSwan, and if not, is there any other keying daemon for Linux that can do what I want to achieve?

Additional Notes

Setting right=%any does not achieve what I want. This setting allows any remote host to initiate a key exchange with the local host; it does not mean that the local host will initiate a key exchange with any remote host.
The Windows host's IPsec configuration is set to use Any IP Address on both ends of the connection, and successfully behaves in the way that I want.
The use of IKEv1 in my configuration is for legacy compatibility.

Thank you.

score 1 · Answer 1 · answered Sep 07 '16 at 07:24

1

To use right=%any with transport mode trap policies (i.e. auto=route) you need at least strongSwan 5.3.3. Refer to the ikev2/trap-any scenario for an example.

answered Sep 07 '16 at 07:24

ecdsa

3,973
15
29

Strongswan: Transport mode with non-specific remote hosts

1 Answers1