Re: [strongSwan] no matching peer config found
> Hi, I can not find the daemon.log on moon side.

charon by default logs to the DAEMON syslog facility. But it depends on your syslogger configuration which file the syslogger logs to.

> The moon side is Fedora Core 9 Linux.

Our (rather old) Fedora box uses /var/log/daemon.

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] get inner virtual IP
Hi,

I have tried the IKEv2 config-payload example at http://www.strongswan.org/uml/testresults43/ikev2/config-payload/ successfully. I want to get the inner virtual IP address that is assigned by config-payload for later use in my application, by shell command or Tcl. Is there an easy way to get it?

Currently I can only see it by running "ipsec status home" and checking the last line. This is easy manually, but not easy for code to get it accurately. So I want to ask if there is an easy and accurate way to get it?

[r...@localhost etc]# ipsec statusall home
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 28 minutes, since Aug 28 14:57:39 2009
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
Listening IP addresses:
  135.252.131.87
Connections:
        home:  135.252.131.87...135.252.130.87
        home:   local:  [moon.strongswan.org] uses public key authentication
        home:    cert:  C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com
        home:   remote: [sun.strongswan.org] uses any authentication
        home:   child:  dynamic === 10.1.0.0/16
Security Associations:
        home[1]: ESTABLISHED 27 minutes ago, 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
        home[1]: IKE SPIs: 69208f149b5fab33_i* ca28924955c169b3_r, public key reauthentication in 23 minutes
        home[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: caf62dcc_i ccae8f3e_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
        home{1}:   10.3.0.1/32 === 10.1.0.0/16

Thanks,
Roger
[strongSwan] Pluto has died ??
Hi all!

Today I tried to install strongswan 4.3.4 and run some tests in the testing/tests/openssl-ikev1/ecdsa-certs directory. When I start ipsec and then view the log in /var/log/secure, I get this:

...
ipsec_starter[10388]: pluto has died --restart scheduled (5sec)

I tried restarting ipsec many times but still with no good result. What is this problem? How can I solve it?

My Linux kernel version: 2.6.18 (downloaded at kernel.org and recompiled)

Thanks in advance!
Re: [strongSwan] Pluto has died ??
Hi,

in order to help you I need the complete log plus your ipsec.conf file.

Regards

Andreas

Nguyễn Hoàng Anh wrote:
> Hi all!
>
> Today I tried to install strongswan 4.3.4 and run some tests in the testing/tests/openssl-ikev1/ecdsa-certs directory. When I start ipsec and then view the log in /var/log/secure, I get this:
>
> ...
> ipsec_starter[10388]: pluto has died --restart scheduled (5sec)
>
> I tried restarting ipsec many times but still with no good result. What is this problem? How can I solve it?
>
> My Linux kernel version: 2.6.18 (downloaded at kernel.org and recompiled)
>
> Thanks in advance!

--
==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
[strongSwan] unable to initiate to %any
Hi Martin, Hi all,

When I try to find out the mechanism of virtual IP and initiate strongSwan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.

Configuration of two peers:

[moon]
config setup
        strictcrlpolicy=no
        plutostart=no
        keep_alive=40m

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=172.19.2.13
        leftfirewall=yes
        leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
        leftsubnet=192.168.253.0/24
        right=%any
        rightsourcip=%config
        auto=add

[sun]
config setup
        strictcrlpolicy=no
        plutostart=no
        keep_alive=40m

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn home
        left=172.19.2.88
        leftsourceip=192.168.253.88
        leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
        leftfirewall=yes
        right=172.19.2.13
        rightsubnet=192.168.253.0/24
        auto=add

BTW, I still have the following two questions:
1) What's the mechanism of virtual IP?
2) Can I simulate one gateway by setting a secondary IP address on a Linux PC? If it is feasible, then how?

Best Regards,
David
Re: [strongSwan] get inner virtual IP
Hi Roger,

the assigned virtual IP address is available in the environment variable $PLUTO_MY_SOURCEIP in the /usr/libexec/ipsec/_updown script, which is called by the charon daemon after the IPsec SA has been established successfully. You could adapt the _updown script so that it communicates the virtual IP address to your application.

Alternatively your application could call the system command "ip addr list dev eth0" and extract the virtual IP assigned to the physical interface.

Regards

Andreas

Zhang, Long (Roger) wrote:
> Hi,
>
> I have tried the IKEv2 config-payload example at http://www.strongswan.org/uml/testresults43/ikev2/config-payload/ successfully. I want to get the inner virtual IP address that is assigned by config-payload for later use in my application, by shell command or Tcl. Is there an easy way to get it?
>
> Currently I can only see it by running "ipsec status home" and checking the last line. This is easy manually, but not easy for code to get it accurately. So I want to ask if there is an easy and accurate way to get it?
>
> [r...@localhost etc]# ipsec statusall home
> Status of IKEv2 charon daemon (strongSwan 4.3.4):
>   uptime: 28 minutes, since Aug 28 14:57:39 2009
>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
>   loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
> Listening IP addresses:
>   135.252.131.87
> Connections:
>         home:  135.252.131.87...135.252.130.87
>         home:   local:  [moon.strongswan.org] uses public key authentication
>         home:    cert:  C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com
>         home:   remote: [sun.strongswan.org] uses any authentication
>         home:   child:  dynamic === 10.1.0.0/16
> Security Associations:
>         home[1]: ESTABLISHED 27 minutes ago, 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
>         home[1]: IKE SPIs: 69208f149b5fab33_i* ca28924955c169b3_r, public key reauthentication in 23 minutes
>         home[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>         home{1}:  INSTALLED, TUNNEL, ESP SPIs: caf62dcc_i ccae8f3e_o
>         home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
>         home{1}:   10.3.0.1/32 === 10.1.0.0/16
>
> Thanks,
> Roger

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
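An added example of the adaptation Andreas suggests (this is not code from the thread or from strongSwan's stock _updown script): a hook called from the up-client/down-client branches of _updown that records the virtual IP in a per-connection state file the application can read. It uses the PLUTO_VERB, PLUTO_CONNECTION and PLUTO_MY_SOURCEIP variables that charon places in the script's environment; the STATE_DIR location and the ".vip" file layout are this example's own assumptions.

```shell
#!/bin/sh
# Hook for strongSwan's _updown script (added example, not the stock script).
# charon runs _updown with PLUTO_VERB, PLUTO_CONNECTION and PLUTO_MY_SOURCEIP
# set in the script's environment only; they are not visible in an interactive
# shell, so "echo $PLUTO_MY_SOURCEIP" at a prompt prints nothing.
# Assumption: the application reads <STATE_DIR>/<connection>.vip.
STATE_DIR="${STATE_DIR:-/var/run/ipsec-vip}"

# Accept only a plain dotted-quad IPv4 address: the value is handed to another
# program through a file, so reject anything unexpected instead of passing it on.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# record_virtual_ip: writes the assigned virtual IP on "up-*" verbs and removes
# the record on "down-*" verbs; other verbs (route-*, unroute-*) are ignored.
record_virtual_ip() {
    conn="${PLUTO_CONNECTION:?PLUTO_CONNECTION not set}"
    # The connection name becomes a file name; allow only a conservative charset.
    case "$conn" in
        *[!A-Za-z0-9_.-]*) echo "refusing unusual connection name" >&2; return 2 ;;
    esac
    state_file="$STATE_DIR/$conn.vip"
    case "$PLUTO_VERB" in
        up-client|up-host)
            if ! is_ipv4 "$PLUTO_MY_SOURCEIP"; then
                echo "no usable virtual IP for $conn" >&2
                return 1
            fi
            mkdir -p "$STATE_DIR" || return 1
            # Write atomically and unreadable to other users.
            ( umask 077; printf '%s\n' "$PLUTO_MY_SOURCEIP" > "$state_file.tmp" ) \
                && mv "$state_file.tmp" "$state_file"
            ;;
        down-client|down-host)
            rm -f "$state_file"
            ;;
        *)
            return 0 ;;
    esac
}

# Helper for the application side (shell or Tcl via exec): prints the recorded
# address for a connection, fails if no SA has been brought up.
current_virtual_ip() {
    [ -r "$STATE_DIR/$1.vip" ] && cat "$STATE_DIR/$1.vip"
}
```

Source this file from _updown and call record_virtual_ip right after the existing up-client/down-client handling; the application then only needs current_virtual_ip home.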
Re: [strongSwan] unable to initiate to %any
Hi David,

with right=%any you cannot actively initiate a connection as an initiator, since the peer's IP address is not known. You can only act as a passive responder waiting for the other side to initiate.

Regards

Andreas

weiping deng wrote:
> Hi Martin, Hi all,
>
> When I try to find out the mechanism of virtual IP and initiate strongSwan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.
>
> Configuration of two peers:
>
> [moon]
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn host-host
>         left=172.19.2.13
>         leftfirewall=yes
>         leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
>         leftsubnet=192.168.253.0/24
>         right=%any
>         rightsourcip=%config
>         auto=add
>
> [sun]
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn home
>         left=172.19.2.88
>         leftsourceip=192.168.253.88
>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>         leftfirewall=yes
>         right=172.19.2.13
>         rightsubnet=192.168.253.0/24
>         auto=add
>
> BTW, I still have the following two questions:
> 1) What's the mechanism of virtual IP?
> 2) Can I simulate one gateway by setting a secondary IP address on a Linux PC? If it is feasible, then how?
>
> Best Regards,
> David

===
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
[strongSwan] Understanding IPsec through a firewall
We've come across a problem sending UDP packets through a tunnel when the tunnel goes through a firewall, and I was hoping someone can explain/confirm what is going on (please).

Our machine sets up a tunnel to a secure gateway and then opens a UDP socket through that tunnel to a machine on the far side of the secure gateway. We have found that although we can send UDP packets to the far machine, the return UDP packets were not reaching the local application UNTIL we opened up the left UDP port in the firewall (all UDP ports are blocked by default).

So, it appears that the UDP packets come through the tunnel, are decrypted and then looped back through the firewall?

I'm not too keen on opening the firewall to all UDP packets using that UDP port number. Is there a more elegant method?

I've a sneaking suspicion someone is going to suggest setting left=firewall in ipsec.conf and letting charon call _updown to adjust the iptables? I can imagine that charon knows how to invoke the _updown script with the correct left and right IP addresses, but how does it know which UDP ports we will be using through the tunnel?

Regards,
Graham.

P.S. As ever, if there is a webpage that explains this all, I would be glad of any pointers!
Re: [strongSwan] Understanding IPsec through a firewall
Hi Graham,

> So, it appears that the UDP packets come through the tunnel, are decrypted and then looped back through the firewall?

That is correct.

> I'm not too keen on opening the firewall to all UDP packets using that UDP port number. Is there a more elegant method?

Yes, you could use the policy match of iptables. E.g. -m policy --pol ipsec matches only packets coming in decrypted or going out encrypted. If you have several different IPsec connections needing different treatment in your firewall, you have to differentiate with the IPs, as the policy match doesn't know about the strongSwan connection names.

Kind regards,
Gerd
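An added example of Gerd's suggestion (not code from the thread): a small shell helper that emits iptables rules admitting one tunnel's UDP flow only when the kernel has actually decrypted it (--dir in --pol ipsec) or will encrypt it (--dir out), and that ties each rule to a single gateway with --tunnel-src/--tunnel-dst so several tunnels can be treated differently without iptables knowing connection names. The function names, the argument order and the choice of ESP tunnel mode are assumptions of this example; the rules are printed so they can be reviewed before being fed to sh.

```shell
#!/bin/sh
# Added example (not from the list thread): generate iptables rules that use the
# xt_policy match so a tunnel's UDP port is open only for IPsec-protected traffic.
# The functions print the rules; pipe the output to sh once reviewed.

# Validate a dotted-quad IPv4 address with an optional /prefix.
is_cidr4() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32
    case "$addr$pfx" in *[!0-9.]*) return 1 ;; esac
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
}

# Validate a UDP port number.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ipsec_udp_rules GATEWAY REMOTE_SUBNET LOCAL_UDP_PORT
#   GATEWAY        outer address of the security gateway (tunnel endpoint)
#   REMOTE_SUBNET  inner network behind it, where the far machine lives
#   LOCAL_UDP_PORT the local port the application expects replies on
# Inbound: only packets that arrived in ESP tunnel mode from GATEWAY and were
# decrypted by the kernel may reach the port; a clear-text packet with the same
# addresses and port does not match --pol ipsec and still hits the default
# block. Outbound: the application's packets are let through only when an IPsec
# policy to GATEWAY will encrypt them.
ipsec_udp_rules() {
    gw=$1; subnet=$2; port=$3
    is_cidr4 "$gw" && is_cidr4 "$subnet" && is_port "$port" || {
        echo "ipsec_udp_rules: bad argument(s): $*" >&2; return 1; }
    pol_in="-m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $gw"
    pol_out="-m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst $gw"
    cat <<EOF
iptables -A INPUT  -s $subnet -p udp --dport $port $pol_in -j ACCEPT
iptables -A OUTPUT -d $subnet -p udp --sport $port $pol_out -j ACCEPT
EOF
}
```

A second tunnel gets its own pair of rules with its own gateway address, which is the "differentiate with the IPs" Gerd describes.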
[strongSwan] Re: unable to initiate to %any
Hi Andreas,

I got it. Thanks for your help. I have another question to ask: what if leftid and rightid cannot be provided when I configure two peers? If I do not provide this information, it will adopt the subject ID in the certificate. Is that right?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 27 August 2009 18:58
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: [strongSwan] unable to initiate to %any

Hi David,

with right=%any you cannot actively initiate a connection as an initiator, since the peer's IP address is not known. You can only act as a passive responder waiting for the other side to initiate.

Regards

Andreas

weiping deng wrote:
> Hi Martin, Hi all,
>
> When I try to find out the mechanism of virtual IP and initiate strongSwan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.
>
> Configuration of two peers:
>
> [moon]
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn host-host
>         left=172.19.2.13
>         leftfirewall=yes
>         leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
>         leftsubnet=192.168.253.0/24
>         right=%any
>         rightsourcip=%config
>         auto=add
>
> [sun]
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn home
>         left=172.19.2.88
>         leftsourceip=192.168.253.88
>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>         leftfirewall=yes
>         right=172.19.2.13
>         rightsubnet=192.168.253.0/24
>         auto=add
>
> BTW, I still have the following two questions:
> 1) What's the mechanism of virtual IP?
> 2) Can I simulate one gateway by setting a secondary IP address on a Linux PC? If it is feasible, then how?
>
> Best Regards,
> David

===
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
Re: [strongSwan] get inner virtual IP
Andreas,

I found that $PLUTO_MY_SOURCEIP is empty after the IPsec SA is established successfully. I want to get the virtual IP through this environment variable, as this would make my application coding much more convenient.

[r...@localhost etc]# ipsec up home
initiating IKE_SA home[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com
sending cert request for C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com
authentication of 'moon.strongswan.org' (myself) with RSA signature successful
sending end entity cert C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
received end entity cert C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
using certificate C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
using trusted ca certificate C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com
checking certificate status of C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
certificate status is not available
authentication of 'sun.strongswan.org' with RSA signature successful
scheduling reauthentication in 3413s
maximum IKE_SA lifetime 3593s
IKE_SA home[1] established between 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
installing new virtual IP 10.3.0.1
[r...@localhost etc]# echo $PLUTO_MY_SOURCEIP

[r...@localhost etc]# cd /usr/local/

Charon log in messages:

Aug 29 09:21:57 localhost charon: 09[CFG] received stroke: initiate 'home'
Aug 29 09:21:57 localhost charon: 12[IKE] initiating IKE_SA home[1] to 135.252.130.87
Aug 29 09:21:57 localhost charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 29 09:21:57 localhost charon: 12[NET] sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
Aug 29 09:21:57 localhost charon: 13[NET] received packet: from 135.252.130.87[500] to 135.252.131.87[500]
Aug 29 09:21:57 localhost charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 29 09:21:57 localhost charon: 13[IKE] received cert request for C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 13[IKE] sending cert request for C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 13[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Aug 29 09:21:57 localhost charon: 13[IKE] sending end entity cert C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 13[IKE] establishing CHILD_SA home
Aug 29 09:21:57 localhost charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Aug 29 09:21:57 localhost charon: 13[NET] sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
Aug 29 09:21:57 localhost charon: 14[NET] received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
Aug 29 09:21:57 localhost charon: 14[ENC] received end entity cert C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 14[CFG] using certificate C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 14[IKE] using trusted ca certificate C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 14[CFG] checking certificate status of C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
Aug 29 09:21:57 localhost charon: 14[CFG] certificate status is not available
Aug 29 09:21:57 localhost charon: 14[CFG] authentication of 'sun.strongswan.org' with RSA signature successful
Aug 29 09:21:57 localhost charon: 14[CFG] scheduling reauthentication in 3413s
Aug 29 09:21:57 localhost charon: 14[IKE] maximum IKE_SA lifetime 3593s
Aug 29 09:21:57 localhost charon: 14[IKE] IKE_SA home[1] established between
[strongSwan] Re: Re: unable to initiate to %any
Hi Andreas,

I always think it is inconvenient to let users configure leftid and rightid with a complete DN or SubjectAltName. Does the current version of strongSwan support automatically acquiring these two pieces of information even if the certificate is configured never to be sent? If not supported, is there a plan for supporting this?

Best Regards,
David

-----Original Message-----
From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On Behalf Of weiping deng
Sent: 28 August 2009 10:24
To: 'Andreas Steffen'
Cc: users@lists.strongswan.org
Subject: [strongSwan] Re: unable to initiate to %any

Hi Andreas,

I got it. Thanks for your help. I have another question to ask: what if leftid and rightid cannot be provided when I configure two peers? If I do not provide this information, it will adopt the subject ID in the certificate. Is that right?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 27 August 2009 18:58
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: [strongSwan] unable to initiate to %any

Hi David,

with right=%any you cannot actively initiate a connection as an initiator, since the peer's IP address is not known. You can only act as a passive responder waiting for the other side to initiate.

Regards

Andreas

weiping deng wrote:
> Hi Martin, Hi all,
>
> When I try to find out the mechanism of virtual IP and initiate strongSwan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.
>
> Configuration of two peers:
>
> [moon]
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn host-host
>         left=172.19.2.13
>         leftfirewall=yes
>         leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
>         leftsubnet=192.168.253.0/24
>         right=%any
>         rightsourcip=%config
>         auto=add
>
> [sun]
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn home
>         left=172.19.2.88
>         leftsourceip=192.168.253.88
>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>         leftfirewall=yes
>         right=172.19.2.13
>         rightsubnet=192.168.253.0/24
>         auto=add
>
> BTW, I still have the following two questions:
> 1) What's the mechanism of virtual IP?
> 2) Can I simulate one gateway by setting a secondary IP address on a Linux PC? If it is feasible, then how?
>
> Best Regards,
> David

===
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==