Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hello Jana,

the log entry:

  ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal. Is it really
configured to do XAUTH with certificate-based mutual authentication?

Regards
Andreas

Sucha Singh wrote:
> Hi All,
>
> Thanks Martin, I've made some more progress, I am now getting the following
> error when I run "ipsec up test":
>
> 002 "test" #2: initiating Main Mode
> 104 "test" #2: STATE_MAIN_I1: initiate
> 003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> 010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No
> response (or no acceptable response) to our first IKE message
>
> My ipsec.conf now looks like this:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>   plutostart=yes
>   nat_traversal=yes
>   plutodebug=all
>
> # Add connections here.
>
> conn test
>   auto=add
>   authby=xauthrsasig
>   forceencaps=yes
>   keyexchange=ikev1
>   keyingtries=1
>   type=tunnel
>   xauth=client
>   right=
>   left=
>
> # include /var/lib/strongswan/ipsec.conf.inc
>
> From what sense I can make from the error, I assume it means that my client
> request has reached the VPN gateway, but the authentication/encryption
> protocols don't match?
>
> I sincerely appreciate the help you guys are providing.
>
> Regards,
>
> Jana
>
> --- On Wed, 3/3/10, Martin Willi wrote:
>
> From: Martin Willi
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to
> CheckPoint VPN-1
> To: "Sucha Singh"
> Cc: "Daniel Mentz", users@lists.strongswan.org
> Date: Wednesday, 3 March, 2010, 7:32
>
> Hi,
>
>> conn test
>>   authby=xauthrsasig
>>   forceencaps=yes
>>   keyexchange=ikev1
>>   keyingtries=1
>>   type=tunnel
>>   xauth=client
>>   right=
>>   leftsourceip=%modeconfig
>
>> ipsec up test
>> 021 no connection named "test"
>
> You additionally need the "auto" parameter. auto=add loads the
> configuration to the IKE daemon. auto=start additionally starts the
> connection automatically. man ipsec.conf for details.
>
> Regards
> Martin

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi All,

Thanks Martin, I've made some more progress, I am now getting the following
error when I run "ipsec up test":

002 "test" #2: initiating Main Mode
104 "test" #2: STATE_MAIN_I1: initiate
003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No
response (or no acceptable response) to our first IKE message

My ipsec.conf now looks like this:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  plutostart=yes
  nat_traversal=yes
  plutodebug=all

# Add connections here.

conn test
  auto=add
  authby=xauthrsasig
  forceencaps=yes
  keyexchange=ikev1
  keyingtries=1
  type=tunnel
  xauth=client
  right=
  left=

# include /var/lib/strongswan/ipsec.conf.inc

From what sense I can make from the error, I assume it means that my client
request has reached the VPN gateway, but the authentication/encryption
protocols don't match?

I sincerely appreciate the help you guys are providing.

Regards,

Jana

--- On Wed, 3/3/10, Martin Willi wrote:

From: Martin Willi
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to
CheckPoint VPN-1
To: "Sucha Singh"
Cc: "Daniel Mentz", users@lists.strongswan.org
Date: Wednesday, 3 March, 2010, 7:32

Hi,

> conn test
>   authby=xauthrsasig
>   forceencaps=yes
>   keyexchange=ikev1
>   keyingtries=1
>   type=tunnel
>   xauth=client
>   right=
>   leftsourceip=%modeconfig

> ipsec up test
> 021 no connection named "test"

You additionally need the "auto" parameter. auto=add loads the
configuration to the IKE daemon. auto=start additionally starts the
connection automatically. man ipsec.conf for details.

Regards
Martin
Re: [strongSwan] Issue regarding rekeying and updation of an IKE SA
Hi Stephen,

>> Reinitiating the IKE_SA from
>> scratch is also not possible on asymmetric connections.
>
> Can you elaborate on this point? What is an asymmetric connection? And why
> is reinitiating an IKE_SA not possible in this case?

Under asymmetric I meant an IKE_SA that can be initiated by one peer only,
but not the other. This is the case for IKE_SAs with EAP authentication or
if virtual IPs are acquired using configuration request/response messages:
A gateway can not (re-)initiate connections to clients if they authenticate
with EAP, the protocol does not allow this.

>> As recreating an IKE_SA after an update is not always possible
>
> When is it not possible?

If the connection has one of these asymmetric properties, I think EAP and
configuration payloads are the only ones.

> How exactly is it done by hand?
>
> I know about the "ipsec up/down " commands, but I thought these apply
> to CHILD_SAs.

No, the "down" command is very flexible:

ipsec down \
  connxy[]   - close the first found IKE_SA named connxy
  connxy[*]  - close all IKE_SAs named connxy
  connxy[1]  - close IKE_SA connxy with number 1 (as in statusall)
  [1]        - close IKE_SA connxy with number 1
  connxy{}   - close the first found CHILD_SA named connxy
  connxy{*}  - close all CHILD_SAs named connxy
  connxy{1}  - close CHILD_SA connxy with number 1 (as in statusall)
  {1}        - close CHILD_SA connxy with number 1

> Is an IKE_SA brought down by bringing down all of the associated
> connections?

No.

Regards
Martin
Re: [strongSwan] Issue regarding rekeying and updation of an IKE SA
Hi Martin,

I have some additional questions on this topic:

> Reinitiating the IKE_SA from
> scratch is also not possible on asymmetric connections.

Can you elaborate on this point? What is an asymmetric connection? And why
is reinitiating an IKE_SA not possible in this case?

> As recreating an IKE_SA after an update is not always possible
> (and not always wanted), you'll have to do this by hand.

When is it not possible? How exactly is it done by hand?

I know about the "ipsec up/down " commands, but I thought these apply
to CHILD_SAs. Is an IKE_SA brought down by bringing down all of the
associated connections?

Regards,
Stephen


Hi,

> when I do "ipsec update" the ike established should apply the new
> parameters at the time of rekeying

No, we currently do no relookup of an IKE_SA configuration. The existing
IKE_SA has still a refcount to the old configuration and it is used until
the SA gets closed. Rekeying is not always sufficient to apply a changed
configuration, e.g. if the authentication methods change. Reinitiating the
IKE_SA from scratch is also not possible on asymmetric connections.

> how do I apply any change in a parameter of ipsec.conf to IKE SA
> without bringing the IKE SA down?

This is not possible, you'll have to reinitiate an IKE_SA to apply its
config. Not all parameters of a IKE configuration are updated by rekeying.
As recreating an IKE_SA after an update is not always possible (and not
always wanted), you'll have to do this by hand.

Regards
Martin
Re: [strongSwan] create_rng fails
> However when I try to load random, I get errors stating "undefined symbol:
> lib".

Seems that the plugin can not find symbols in the libstrongswan library. On
what platform/architecture are you seeing this error? Using any non-standard
tools/libraries?

Regards
Martin
Re: [strongSwan] Possibly a bug in charon when auto=start
Hi Vladimir,

I recommend not to depend on IPsec policies if you want to enforce that no
unencrypted traffic leaves the gateway and that no unprotected traffic is
accepted. Use the policy match provided by iptables. Here's an example:

iptables -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# Do not forward packets to or from xyz if ipsec is off
iptables -A FORWARD -d 1.2.3.4/26 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -s 1.2.3.4/26 -j REJECT --reject-with icmp-net-unreachable

-Daniel

> Martin, thank you for clarification.
> I think it will be good if this 'auto=start' feature will be documented in
> ipsec.conf(5) man page.
> Because a strongswan-newbie sysadmin may use this option without knowing that
> unencrypted packets are not filtered if the tunnel is not up yet. This may be
> a serious vulnerability of a system.
>
> Thank you!
> Best regards, Vladimir
>
>
>> Yes, this is the intended behavior. auto=start does not install policies
>> until the tunnel has been negotiated. auto=route installs the policies
>> and triggers a tunnel when required.
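To show why the two fallback REJECT rules matter when a tunnel with auto=start has not been negotiated yet, here is a small first-match model of the FORWARD chain Daniel posted; it is an added example, not code from the thread or from strongSwan, and the packets, the "ipsec" flag standing in for the kernel's policy match, and the 10.0.0.5 host are constructed for the demonstration.

```python
# Added example: a first-match model of the iptables FORWARD chain from the
# thread. It does not touch netfilter; the "ipsec" flag on each constructed
# packet stands in for what "-m policy --pol ipsec" would see in the kernel.
import ipaddress

# iptables normalises 1.2.3.4/26 to the network 1.2.3.0/26; do the same here.
PROTECTED_NET = ipaddress.ip_network("1.2.3.4/26", strict=False)


def policy_match(direction):
    # -m policy --dir <direction> --pol ipsec: matches only traffic that an
    # IPsec policy covers, i.e. only once the tunnel has been negotiated.
    return lambda pkt: pkt["dir"] == direction and pkt["ipsec"]


def dst_in(net):
    return lambda pkt: ipaddress.ip_address(pkt["dst"]) in net


def src_in(net):
    return lambda pkt: ipaddress.ip_address(pkt["src"]) in net


# The chain as posted: accept protected traffic, then refuse anything else
# to or from the protected network. Rules are evaluated top-down, first match.
FORWARD = [
    (policy_match("out"), "ACCEPT"),
    (policy_match("in"), "ACCEPT"),
    (dst_in(PROTECTED_NET), "REJECT"),   # -d 1.2.3.4/26 -j REJECT
    (src_in(PROTECTED_NET), "REJECT"),   # -s 1.2.3.4/26 -j REJECT
]


def forward_verdict(pkt, chain=FORWARD, default="ACCEPT"):
    """Verdict for one packet; 'default' plays the role of the chain policy."""
    for match, verdict in chain:
        if match(pkt):
            return verdict
    return default


def tunnel_down_leaks(chain):
    """True if plaintext to the protected net is forwarded while no IPsec
    policy applies, which is exactly the auto=start-before-negotiation case."""
    pkt = {"src": "10.0.0.5", "dst": "1.2.3.10", "dir": "out", "ipsec": False}
    return forward_verdict(pkt, chain) == "ACCEPT"
```

With the posted chain, tunnel_down_leaks(FORWARD) is False; with only the two ACCEPT rules (FORWARD[:2]) it is True, which is the gap Vladimir describes.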
Re: [strongSwan] create_rng fails
Hi All,

Thanks for the info. However when I try to load random, I get errors stating
"undefined symbol: lib".

Regds
Anil N

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: Wednesday, March 03, 2010 1:01 PM
To: NAGARAJAN, ANIL (ANIL)
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] create_rng fails

Hi Anil,

> While trying to run Pluto on my platform, create_rng function is
> failing.

RNGs are provided through plugins, by default via the "random" plugin. The
plugin reads random data from /dev/random and /dev/urandom. Double check that
the plugin is loaded properly and these files are available on your system.

Regards
Martin
Re: [strongSwan] Possibly a bug in charon when auto=start
Martin, thank you for the clarification.

I think it would be good if this 'auto=start' feature were documented in the
ipsec.conf(5) man page, because a strongswan-newbie sysadmin may use this
option without knowing that unencrypted packets are not filtered if the
tunnel is not up yet. This may be a serious vulnerability of a system.

Thank you!
Best regards, Vladimir

> Yes, this is the intended behavior. auto=start does not install policies
> until the tunnel has been negotiated. auto=route installs the policies
> and triggers a tunnel when required.