
SDP Gateway not adding rules to FWKNOP_INPUT chain after receiving SPA packet from Clients #7

Open
CaMpeeerrr opened this issue Aug 17, 2021 · 5 comments

Comments

@CaMpeeerrr

CaMpeeerrr commented Aug 17, 2021

Hello, as explained in the title! Something is missing in this Gateway output: instead of "Added Rule to FWKNOP_INPUT for ..." I get nothing (lines 5 and 6).

Sniffing interface: ens33
PCAP filter is: 'udp port 62201'
Starting fwknopd main event loop.
(stanza #0) SPA Packet from IP: 192.168.1.11 received with access source match



(sdp_message.c:272) Received service or access data message
(sdp_ctrl_client.c:675) Access data update received
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
Added access entry for SDP ID 301
Created 1 hash table nodes from 1 json stanzas
Succeeded in modifying access data.

Hoping I'm missing a simple configuration somewhere.

@takahiro-ono

In my test environment, I get the message below at the SDP Gateway just after receiving SPA from a client.
Did you set up the SDP Controller and configure its database?

fwknopd[1931]: (stanza #0) SPA Packet from IP: 10.0.128.84 received with access source match
fwknopd[1931]: Added connmark rule to FWKNOP_INPUT for 10.0.128.84 -> 0.0.0.0/0 port 80, expires at 1629249810
fwknopd[1931]: Added access rule to FWKNOP_INPUT for 10.0.128.84 -> 0.0.0.0/0 port 80, expires at 1629249810
sdp_ctrl_client[1931]: (sdp_message.c:272) Received service or access data message
sdp_ctrl_client[1931]: (sdp_ctrl_client.c:675) Access data update received
fwknopd[1931]: Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
fwknopd[1931]: Added access entry for SDP ID 3
fwknopd[1931]: Created 1 hash table nodes from 1 json stanzas
fwknopd[1931]: Succeeded in modifying access data.

@CaMpeeerrr

CaMpeeerrr commented Aug 18, 2021

Hey, thank you for responding. First of all, I'm running all this on local NAT IPs; once it works I will try it on different public IPs. I'm testing using an Apache web server (port 5002 instead of 80) that resides in the gateway VM, protected by an iptables drop-all. Controller and database seem fine, all the data is exchanged properly; it's just that whenever I connect a client (with fwknop -n service_gate -v) the gateway won't open a path for him in iptables, but when I run the client command manually it works, with minor problems, with this command:

fwknop --verbose --sdp-id 301 -A tcp/5002 -a 192.168.1.11 -D 192.168.1.10 --use-hmac --key-base64-rijndael XXX == --key-base64-hmac XXX
Where:
301 is my client
5002 is the open port where my gateway and my Service(apache web site ) resides
192.168.1.11 client ip
192.168.1.10 gateway/service ip
192.168.1.9 Controller IP

After revising the DB it worked! The client (with fwknop -n service_gate -v) got access to the service for a brief moment and then it disconnects him even though the connection is established.
Results of conntrack -L:
$
tcp 6 264 ESTABLISHED src=192.168.1.11 dst=192.168.1.10 sport=50382 dport=5002 [UNREPLIED] src=192.168.1.10 dst=192.168.1.11 sport=5002 dport=50382 mark=301 use=1
tcp 6 431990 ESTABLISHED src=192.168.1.10 dst=192.168.1.9 sport=48580 dport=5000 src=192.168.1.9 dst=192.168.1.10 sport=5000 dport=48580 [ASSURED] mark=0 use=1
conntrack v1.4.6 (conntrack-tools): 2 flow entries have been shown.
$
And I get this on the gateway, knowing that my service ID is 401 and not 0:

Starting fwknopd main event loop.
(stanza #0) SPA Packet from IP: 192.168.1.11 received with access source match
Added connmark rule to FWKNOP_INPUT for 192.168.1.11 -> 0.0.0.0/0 port 5002, expires at 1629281787
Added local NAT rule to FWKNOP_INPUT for 192.168.1.11 -> 0.0.0.0/0 port 5002, expires at 1629281787
Could not identify service using provided data
Unable to identify service for connection with following details:
SDP ID: 301
service ID: 0
protocol: tcp
src ip: 192.168.1.11
src port: 50382
dst ip: 192.168.1.10
dst port: 5002
nat dst ip:
nat dst port: 0
start time: Wed Aug 18 03:15:59 2021
end time: connection open
next: (nil)

Gateway closed connections meeting the following criteria:
-m 301 -p tcp -s 192.168.1.11 --sport 50382 -d 192.168.1.10 --dport 5002 --reply-port-src 5002

Gateway closed the following invalid connection from SDP ID 301:
SDP ID: 301
service ID: 0
protocol: tcp
src ip: 192.168.1.11
src port: 50382
dst ip: 192.168.1.10
dst port: 5002
nat dst ip:
nat dst port: 0
start time: Wed Aug 18 03:15:59 2021
end time: Wed Aug 18 03:15:59 2021
next: (nil)

Sending connection_update message (1 connections) to controller

create_connection_item_from_line() Failed to find connection details in line:
src=192.168.1.11 dst=192.168.1.10 sport=50382 dport=5002 [UNREPLIED] src=192.168.1.10 dst=192.168.1.11 sport=5002 dport=50382 mark=301 use=1

create_connection_item_from_line() Failed to find connection details in line:
src=192.168.1.11 dst=192.168.1.10 sport=50382 dport=5002 [UNREPLIED] src=192.168.1.10 dst=192.168.1.11 sport=5002 dport=50382 mark=301 use=1

create_connection_item_from_line() Failed to find connection details in line:
src=192.168.1.11 dst=192.168.1.10 sport=50382 dport=5002 [UNREPLIED] src=192.168.1.10 dst=192.168.1.11 sport=5002 dport=50382 mark=301 use=1

create_connection_item_from_line() Failed to find connection details in line:
src=192.168.1.11 dst=192.168.1.10 sport=50382 dport=5002 [UNREPLIED] src=192.168.1.10 dst=192.168.1.11 sport=5002 dport=50382 mark=301 use=1

create_connection_item_from_line() Failed to find connection details in line:
src=192.168.1.11 dst=192.168.1.10 sport=50382 dport=5002 [UNREPLIED] src=192.168.1.10 dst=192.168.1.11 sport=5002 dport=50382 mark=301 use=1

I thought maybe it's about my Apache connection changing port with each connection, so I enabled KeepAlive in Apache with these directives:

# KeepAlive: Enable/disable persistent connections
KeepAlive On

# MaxKeepAliveRequests: How many requests to allow during a persistent connection.
# You can set it 0 for unlimited requests, but it is not recommended.
MaxKeepAliveRequests 0

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection. Default is 5 seconds
KeepAliveTimeout 800

But it still disconnects my client after a brief moment.

Thank you for your time.

@takahiro-ono

Regarding the SDP Client, you need to use the --services option instead of the -A option.

fwknop --verbose --sdp-id 301 -A tcp/5002 -a 192.168.1.11 -D 192.168.1.10 --use-hmac --key-base64-rijndael XXX == --key-base64-hmac XXX

Please find below the results in my test environment.
The -A option is denied by the SDP Gateway because it uses the legacy SPA format, which is different from SDP SPA.

fwknop --sdp-id 3 -A tcp/80 -a 10.0.128.84 -D 10.0.128.219 --use-hmac --key-base64-rijndael XXX --key-base64-hmac XXX

[SDP Gateway output]
fwknopd[1223]: (stanza #0) SPA Packet from IP: 10.0.128.84 received with access source match
fwknopd[1223]: [10.0.128.84] SPA packet made legacy access request, server configured to deny.

To use an SDP SPA packet you need to use the --services option.
I could send an SPA packet for service 2 with the following command.

fwknop --sdp-id 3 --services 2 -a 10.0.128.84 -D 10.0.128.219 --use-hmac --key-base64-rijndael XXX --key-base64-hmac XXX 

[SDP Gateway output]
fwknopd[1223]: (stanza #0) SPA Packet from IP: 10.0.128.84 received with access source match
fwknopd[1223]: Added connmark rule to FWKNOP_INPUT for 10.0.128.84 -> 0.0.0.0/0 port 80, expires at 1629376816
fwknopd[1223]: Added access rule to FWKNOP_INPUT for 10.0.128.84 -> 0.0.0.0/0 port 80, expires at 1629376816
fwknopd[1223]: Removed rule 1 from FWKNOP_INPUT with expire time of 1629376816
fwknopd[1223]: Removed rule 2 from FWKNOP_INPUT with expire time of 1629376816

You can define services and related ports on the SDP Gateway in the SDP Controller database.
After defining services, you need to grant access permission to the client SDP ID in the sdpid_service table.

MariaDB [sdp]> select * from service;
+----+-------------+----------------------+
| id | name        | description          |
+----+-------------+----------------------+
|  1 | controller  | SDP Controller       |
|  2 | test_local  | Nginx on SDP Gateway | <- Define service ID
|  3 | test_remote | Nginx on Remote App  |
+----+-------------+----------------------+
3 rows in set (0.000 sec)

MariaDB [sdp]> select * from service_gateway;
+----+------------+---------------+----------+------+-------------+----------+
| id | service_id | gateway_sdpid | protocol | port | nat_ip      | nat_port |
+----+------------+---------------+----------+------+-------------+----------+
|  5 |          1 |             2 | tcp      | 5000 |             |        0 |
|  6 |          2 |             2 | tcp      |   80 |             |        0 | <- Assign Gateway port for service ID 2 (tcp/80)
|  7 |          3 |             2 | tcp      | 8080 | 10.0.129.22 |       80 |
|  8 |          1 |             1 | tcp      | 5000 |             |        0 |
+----+------------+---------------+----------+------+-------------+----------+
4 rows in set (0.000 sec)

MariaDB [sdp]> select * from sdpid_service;
+----+-------+------------+
| id | sdpid | service_id |
+----+-------+------------+
| 11 |     3 |          1 |
| 12 |     3 |          2 | <- Grant access to service 2 to SDP ID 3 (my client)
| 13 |     3 |          3 |
| 14 |     2 |          1 |
+----+-------+------------+
4 rows in set (0.000 sec)

MariaDB [sdp]>

Hope it helps you. Feel free to ask me if more information is needed.
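The three tables in the answer above fit together as service -> service_gateway (which gateway, protocol and port expose the service) -> sdpid_service (which client SDP IDs are granted it). The example below is added here to make those relationships concrete; it is not code from the fwknop/SDP project. It loads the exact rows shown above into an in-memory SQLite database (an assumption; the real controller uses MariaDB, but the SQL is the same) and implements a lookup that classifies a connection attempt the way this thread describes the gateway reacting: a port with no service_gateway row cannot be identified as a service (the "service ID: 0" case from the earlier log), a service the client's SDP ID is not listed for is not granted, and the rest is granted. The decision functions are illustrative of the data model, not the gateway's own logic.

```python
import sqlite3

# Schema taken from the column names in the MariaDB output above; types are assumed.
SCHEMA = """
CREATE TABLE service (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
CREATE TABLE service_gateway (
    id INTEGER PRIMARY KEY, service_id INTEGER, gateway_sdpid INTEGER,
    protocol TEXT, port INTEGER, nat_ip TEXT, nat_port INTEGER);
CREATE TABLE sdpid_service (id INTEGER PRIMARY KEY, sdpid INTEGER, service_id INTEGER);
"""

# Constructed sample data: the rows shown in the answer above, copied verbatim.
SAMPLE_ROWS = {
    "service": [(1, "controller", "SDP Controller"),
                (2, "test_local", "Nginx on SDP Gateway"),
                (3, "test_remote", "Nginx on Remote App")],
    "service_gateway": [(5, 1, 2, "tcp", 5000, "", 0),
                        (6, 2, 2, "tcp", 80, "", 0),
                        (7, 3, 2, "tcp", 8080, "10.0.129.22", 80),
                        (8, 1, 1, "tcp", 5000, "", 0)],
    "sdpid_service": [(11, 3, 1), (12, 3, 2), (13, 3, 3), (14, 2, 1)],
}


def build_db():
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO service VALUES (?,?,?)", SAMPLE_ROWS["service"])
    conn.executemany("INSERT INTO service_gateway VALUES (?,?,?,?,?,?,?)",
                     SAMPLE_ROWS["service_gateway"])
    conn.executemany("INSERT INTO sdpid_service VALUES (?,?,?)", SAMPLE_ROWS["sdpid_service"])
    return conn


def identify_service(conn, gateway_sdpid, protocol, port):
    """Return the service_id exposed on this gateway at protocol/port, or None.

    None is the situation behind "service ID: 0" / "Could not identify service"
    in the reporter's log: no service_gateway row maps that port to a service.
    """
    row = conn.execute(
        "SELECT service_id FROM service_gateway "
        "WHERE gateway_sdpid = ? AND protocol = ? AND port = ?",
        (gateway_sdpid, protocol, port)).fetchone()
    return row[0] if row else None


def client_is_granted(conn, sdpid, service_id):
    """True if the client SDP ID has a grant for the service in sdpid_service."""
    row = conn.execute("SELECT 1 FROM sdpid_service WHERE sdpid = ? AND service_id = ?",
                       (sdpid, service_id)).fetchone()
    return row is not None


def granted_endpoints(conn, sdpid):
    """Every (service name, gateway_sdpid, protocol, port, nat_ip, nat_port) a client may reach."""
    return conn.execute("""
        SELECT s.name, g.gateway_sdpid, g.protocol, g.port, g.nat_ip, g.nat_port
        FROM sdpid_service ss
        JOIN service s ON s.id = ss.service_id
        JOIN service_gateway g ON g.service_id = s.id
        WHERE ss.sdpid = ?
        ORDER BY g.id""", (sdpid,)).fetchall()


def check_access(conn, sdpid, gateway_sdpid, protocol, port):
    """Classify a connection attempt: 'unidentified-service', 'not-granted' or 'granted'."""
    service_id = identify_service(conn, gateway_sdpid, protocol, port)
    if service_id is None:
        return "unidentified-service"
    if not client_is_granted(conn, sdpid, service_id):
        return "not-granted"
    return "granted"


if __name__ == "__main__":
    db = build_db()
    for endpoint in granted_endpoints(db, 3):
        print("SDP ID 3 may reach:", endpoint)
    print(check_access(db, 3, 2, "tcp", 80))    # granted: service 2 on gateway 2, granted to SDP ID 3
    print(check_access(db, 3, 2, "tcp", 5002))  # unidentified-service: no service_gateway row for 5002
    print(check_access(db, 2, 2, "tcp", 80))    # not-granted: SDP ID 2 only holds service 1
```

Running the three checks at the bottom reproduces the thread's two failure modes against the sample data: tcp/5002 is unidentified because no service_gateway row exposes it, and SDP ID 2 is refused service 2 because sdpid_service holds no grant for it. When adding your own service, the same three rows (service, service_gateway for the gateway's SDP ID, sdpid_service for the client) are what the lookup needs.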

@CaMpeeerrr

Ahh, now I understand. Everything works perfectly fine thanks to you! Thank you.

@shovradas

Hi, thank you very much for sharing the table details. It helped a lot to configure the database. My setup is successfully running with service-level permission. Now I want to assign permission based on the user/group. For example, I want service 9 to be accessed by John.

Here are the detailed tables:

MariaDB [sdp]> SELECT * FROM user;

id last_name first_name country state locality org org_unit alt_name email
3 Doe John DE XXX XXX XXX XXX NULL
4 Max Mustermann DE XXX XXX XXX XXX NULL

2 rows in set (0.001 sec)

MariaDB [sdp]> SELECT * FROM group;
+----+-------+---------+--------------+
| id | valid | name    | Description  |
+----+-------+---------+--------------+
|  2 |     1 | mygroup | not sure yet |
+----+-------+---------+--------------+
1 row in set (0.000 sec)

MariaDB [sdp]> SELECT * FROM user_group;
+----+---------+----------+
| id | user_id | group_id |
+----+---------+----------+
|  2 |       3 |        2 |
+----+---------+----------+
1 row in set (0.000 sec)

MariaDB [sdp]> SELECT * FROM group_service;
+----+----------+------------+
| id | group_id | service_id |
+----+----------+------------+
|  2 |        2 |          9 |
+----+----------+------------+
1 row in set (0.000 sec)

Please suggest what I should do next.

Thank you in advance!


3 participants