
I have a strongSwan configuration inspired by the trap-any test case:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn lan
        right=%any
        leftsubnet=fd12:3456:7890:abcd::/64
        rightsubnet=fd12:3456:7890:abcd::/64
        type=transport
        authby=psk
        auto=route

This automatically negotiates an SA with any system on my local subnet I try to connect with; in general, it's doing the Right Thing.

However, when I multicast to my whole subnet:

ping6 -I fd12:3456:7890:abcd::1234 ff02::1

...not only do I get responses from, and set up security associations with, the other systems (yay!), but I have two separate security associations generated communicating with the local host itself, with fd12:3456:7890:abcd::1234 as both initiator and responder.


My first thought was to avoid this like so:

conn local
        type=passthrough
        left=fd12:3456:7890:abcd::1234
        right=fd12:3456:7890:abcd::1234

...but that doesn't actually prevent the loopback connections.


By contrast, with:

conn local
        type=passthrough
        right=%any
        rightsubnet=fd12:3456:7890:abcd::1234/128

...no security associations are established at all.


How can I avoid SAs for local traffic in this mode?

Charles Duffy

1 Answer

Lessons learned:

  • Define both leftsubnet and rightsubnet
  • Don't forget auto=route even for a passthrough connection.

Thus:

conn local
        type=passthrough
        right=%any
        leftsubnet=fd12:3456:7890:abcd::1234/128
        rightsubnet=fd12:3456:7890:abcd::1234/128
        auto=route

Many thanks to Thermi in the #strongswan IRC channel.

Charles Duffy
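The two lessons in the answer are easy to check mechanically. The following is an added example, not code from the question, the answer or the strongSwan project: a small Python linter that parses the ipsec.conf fragments shown on this page (with `conn %default` inheritance), flags any `type=passthrough` conn that lacks `leftsubnet`, `rightsubnet` or `auto=route`, and warns when a transport/tunnel conn's selectors cover the host's own address without a complete passthrough conn shielding it. The conn names `local-attempt1` and `local-attempt2` and the `SAMPLE_CONF` text are constructed for the example from the snippets above; only the subset of ipsec.conf syntax used on this page is parsed (no `config setup`, `also=` or `include`).

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample (not from a real host): the "lan" conn from the question,
# the two passthrough attempts that did not work, and the working one from the answer.
SAMPLE_CONF = """\
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn lan
        right=%any
        leftsubnet=fd12:3456:7890:abcd::/64
        rightsubnet=fd12:3456:7890:abcd::/64
        type=transport
        authby=psk
        auto=route

conn local-attempt1
        type=passthrough
        left=fd12:3456:7890:abcd::1234
        right=fd12:3456:7890:abcd::1234

conn local-attempt2
        type=passthrough
        right=%any
        rightsubnet=fd12:3456:7890:abcd::1234/128

conn local
        type=passthrough
        right=%any
        leftsubnet=fd12:3456:7890:abcd::1234/128
        rightsubnet=fd12:3456:7890:abcd::1234/128
        auto=route
"""

LOCAL_ADDR = "fd12:3456:7890:abcd::1234"  # the host's own address from the question


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn' sections into {name: {key: value}}, merging 'conn %default'
    into every other conn the way strongSwan does. Only the syntax used on this
    page is handled: no 'config setup', 'also=' or 'include' directives."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing blanks
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue                              # ignore stray lines outside a conn
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **settings} for name, settings in conns.items()}


def _covers(subnet_value: str, host) -> bool:
    """True if any comma-separated CIDR in an ipsec.conf subnet value contains host."""
    for entry in subnet_value.split(","):
        try:
            if host in ipaddress.ip_network(entry.strip(), strict=False):
                return True
        except ValueError:                        # %dynamic, empty or names: skip
            continue
    return False


def lint_passthrough(conns: Dict[str, Dict[str, str]], local_addr: str) -> Dict[str, List[str]]:
    """Return {conn name: [problems]}: apply the answer's two lessons to every
    passthrough conn, then flag transport/tunnel conns whose selectors cover the
    local address when no complete passthrough conn shields it."""
    host = ipaddress.ip_address(local_addr)
    problems: Dict[str, List[str]] = {}
    shielded = False
    for name, s in conns.items():
        if s.get("type") != "passthrough":
            continue
        issues = []
        if "leftsubnet" not in s:
            issues.append("passthrough without leftsubnet (lesson 1: define both subnets)")
        if "rightsubnet" not in s:
            issues.append("passthrough without rightsubnet (lesson 1: define both subnets)")
        if s.get("auto") != "route":
            issues.append("passthrough without auto=route (lesson 2: needed here too)")
        if issues:
            problems[name] = issues
        elif _covers(s["leftsubnet"], host) and _covers(s["rightsubnet"], host):
            shielded = True
    for name, s in conns.items():
        if s.get("type") == "passthrough" or shielded:
            continue
        if _covers(s.get("leftsubnet", ""), host) and _covers(s.get("rightsubnet", ""), host):
            problems[name] = [f"selectors cover {local_addr} itself and no complete "
                              "passthrough conn excludes it: local traffic will get SAs"]
    return problems


if __name__ == "__main__":
    for conn, issues in lint_passthrough(parse_ipsec_conf(SAMPLE_CONF), LOCAL_ADDR).items():
        for issue in issues:
            print(f"{conn}: {issue}")
```

Run against the sample, the two failed attempts are reported (three and two problems respectively), the working `local` conn passes, and `lan` is only flagged if the complete passthrough conn is removed, which is exactly the situation the question describes.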