[strongSwan] strongswan network manager client using eap-radius
Hi,

I'm trying to connect an Ubuntu client with the strongswan networkmanager-plugin to my strongswan VPN server, using the same configuration as for a Windows 7 client. The server is authenticated via certificate, the client is authenticated via the eap-radius module. The Windows 7 client works fine, the Ubuntu one not so much.

/etc/ipsec.conf:

    conn %default
        ike=aes256-sha1-modp1536,aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekeymargin=3m
        keyingtries=1
        leftcert=vpncert.pem
        leftsubnet=0.0.0.0/0
        leftid=C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu
        leftfirewall=yes
        right=%any
        auto=add

    conn ikev2
        keyexchange=ikev2
        left=%any
        leftauth=pubkey
        eap_identity=%any
        rightauth=eap-radius
        rightsourceip=192.168.120.192/26

For the Ubuntu client:

    Address: vpn6-pub.restena.lu
    Certificate: the server's certificate
    Authentication: EAP
    Username: ctompers

As options, I checked only "Request an inner IP address".

Error log:

    Jun 3 08:21:38 vpn6-test charon: 04[CFG] switching to peer config 'ikev2'
    Jun 3 08:21:38 vpn6-test charon: 04[IKE] initiating EAP-Identity request
    Jun 3 08:21:38 vpn6-test charon: 04[IKE] peer supports MOBIKE
    Jun 3 08:21:38 vpn6-test charon: 04[IKE] authentication of 'C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu' (myself) with RSA signature successful
    Jun 3 08:21:38 vpn6-test charon: 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
    Jun 3 08:21:38 vpn6-test charon: 04[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
    Jun 3 08:21:38 vpn6-test charon: 13[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
    Jun 3 08:21:38 vpn6-test charon: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Jun 3 08:21:38 vpn6-test charon: 13[IKE] received EAP identity 'ctompers'
    Jun 3 08:21:38 vpn6-test charon: 13[IKE] initiating EAP_RADIUS method
    Jun 3 08:21:38 vpn6-test charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/(25) ]
    Jun 3 08:21:38 vpn6-test charon: 13[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
    Jun 3 08:21:38 vpn6-test charon: 10[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
    Jun 3 08:21:38 vpn6-test charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
    Jun 3 08:21:38 vpn6-test charon: 10[IKE] received EAP_NAK, sending EAP_FAILURE
    Jun 3 08:21:38 vpn6-test charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
    Jun 3 08:21:38 vpn6-test charon: 10[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]

Thanks a lot for all suggestions.

kind regards
Claude

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] strongswan network manager client using eap-radius
Hi Martin,

On Thursday 03 June 2010 09:26:56 you wrote:
> Hi Claude,
>
> > Jun 3 08:21:38 vpn6-test charon: 10[IKE] received EAP_NAK, sending EAP_FAILURE
>
> Seems that the client does not like the EAP method offered. I assume you're using MSCHAPv2, so double check that the client has the eap-mschapv2 and the eap-identity modules installed and loaded.

I changed the configuration in freeradius as well as in Windows 7 (easier to configure anyway ;) ). Now I get the same error for both Windows 7 and Ubuntu:

    Jun 3 09:47:02 vpn6-test charon: 02[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Jun 3 09:47:02 vpn6-test charon: 02[IKE] received EAP identity 'ctompers'
    Jun 3 09:47:02 vpn6-test charon: 02[IKE] initiating EAP_RADIUS method
    Jun 3 09:47:02 vpn6-test charon: 02[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Jun 3 09:47:02 vpn6-test charon: 02[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
    Jun 3 09:47:03 vpn6-test charon: 12[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
    Jun 3 09:47:03 vpn6-test charon: 12[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Jun 3 09:47:03 vpn6-test charon: 12[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Jun 3 09:47:03 vpn6-test charon: 12[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
    Jun 3 09:47:03 vpn6-test charon: 16[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
    Jun 3 09:47:03 vpn6-test charon: 16[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Jun 3 09:47:03 vpn6-test charon: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
    Jun 3 09:47:03 vpn6-test charon: 16[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
    Jun 3 09:47:03 vpn6-test charon: 16[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]
    Jun 3 09:47:03 vpn6-test charon: 14[NET] received packet: from 192.168.3.19[4500] to 192.168.1.13[4500]
    Jun 3 09:47:03 vpn6-test charon: 14[ENC] parsed IKE_AUTH request 5 [ AUTH ]
    Jun 3 09:47:03 vpn6-test charon: 14[IKE] verification of AUTH payload without EAP MSK failed
    Jun 3 09:47:03 vpn6-test charon: 14[ENC] generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
    Jun 3 09:47:03 vpn6-test charon: 14[NET] sending packet: from 192.168.1.13[4500] to 192.168.3.19[4500]

The strongswan server configuration is still the same.

thanks very much
kind regards
Claude

> For more information about the client error, have a look at /var/log/daemon.log.
>
> Regards
> Martin
Re: [strongSwan] strongswan network manager client using eap-radius
> 16[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
> 14[IKE] verification of AUTH payload without EAP MSK failed

Then I'd assume you are using FreeRADIUS :-). It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however requires the MSK to calculate the AUTH payload. In its current form, you can't use FreeRADIUS for your setup, my apologies. One could extend FreeRADIUS to copy over the MPPE keys, but writing such a patch is not something I can do in a few minutes.

Regards
Martin
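Martin's point can be checked on the RADIUS side: the MSK that IKEv2 needs for the AUTH payload only exists if the Access-Accept carries both MS-MPPE-Recv-Key and MS-MPPE-Send-Key. The following is an added example, not code from the thread or from strongSwan: it unwraps the two RFC 2548 key attributes with the shared secret and Request-Authenticator and forms the MSK as Recv-Key || Send-Key (the ordering assumed here for EAP-MSCHAPv2 on the authenticator side); all packet values are constructed.

```python
import hashlib
import struct

MS_PEN, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 311, 16, 17  # RFC 2548 vendor id / attribute types

def _mppe_xor(secret, authenticator, salt, data, encrypt):
    # RFC 2548 2.4.2: MD5 chain keyed by the shared secret, chained on the ciphertext blocks
    out, prev = b"", b""
    for i in range(0, len(data), 16):
        seed = secret + authenticator + salt if i == 0 else secret + prev
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(seed).digest()))
        out, prev = out + block, (block if encrypt else data[i:i + 16])
    return out

def mppe_encrypt(secret, authenticator, salt, key):
    plain = bytes([len(key)]) + key + b"\x00" * (-(1 + len(key)) % 16)  # Key-Length, Key, padding
    return _mppe_xor(secret, authenticator, salt, plain, True)

def mppe_decrypt(secret, authenticator, salt, ciphertext):
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("MPPE key value must be a non-empty multiple of 16 bytes")
    plain = _mppe_xor(secret, authenticator, salt, ciphertext, False)
    return plain[1:1 + plain[0]]

def mppe_vsa(vtype, secret, authenticator, salt, key):
    # One MS-MPPE-*-Key inside a Vendor-Specific (26) attribute; the salt must have its high bit set
    enc = mppe_encrypt(secret, authenticator, salt, key)
    value = struct.pack("!IBB", MS_PEN, vtype, 4 + len(enc)) + salt + enc
    return bytes([26, 2 + len(value)]) + value

def msk_from_access_accept(attrs, secret, request_authenticator):
    # Walk the attribute bytes; MSK = Recv-Key || Send-Key, or None when either key is absent
    keys, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        value, i = attrs[i + 2:i + alen], i + alen
        if atype != 26 or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor == MS_PEN and vtype in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY):
            body = value[6:4 + vlen]                   # 2-byte salt followed by the wrapped key
            keys[vtype] = mppe_decrypt(secret, request_authenticator, body[:2], body[2:])
    if MS_MPPE_RECV_KEY not in keys or MS_MPPE_SEND_KEY not in keys:
        return None                                    # what charon reports as "no MSK established"
    return keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY]
SECRET, AUTHENTICATOR = b"testing123", bytes(range(16))  # constructed sample values, not from the thread
RECV_KEY, SEND_KEY = b"R" * 32, b"S" * 32
def demo(with_mppe_keys):
    attrs = bytes([8, 6, 192, 168, 120, 193])          # Framed-IP-Address, unrelated to the MSK
    if with_mppe_keys:
        attrs += mppe_vsa(MS_MPPE_RECV_KEY, SECRET, AUTHENTICATOR, b"\x80\x01", RECV_KEY)
        attrs += mppe_vsa(MS_MPPE_SEND_KEY, SECRET, AUTHENTICATOR, b"\x80\x02", SEND_KEY)
    return msk_from_access_accept(attrs, SECRET, AUTHENTICATOR)
```

Run with `demo(False)` to reproduce the missing-keys case from the thread and `demo(True)` for an Access-Accept that would let the server build the MSK.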
Re: [strongSwan] [strongSwan IKEv2] Issue in CA certificate updates
Hi,

> This is incorrect as the Certificate of peer is signed by previous CA certificate, which has been deleted in step 4 above.

The certificate is probably still in the cache, and therefore accepted. There is currently no way to flush the cache externally, you'll have to restart the daemon.

Regards
Martin
Re: [strongSwan] strongswan network manager client using eap-radius
You assumed right. :)

Ok, I'll try to get it running with a proper ipsec.conf configuration without the network-manager plugin.

thanks very much for your help
kind regards
Claude

On Thursday 03 June 2010 10:08:48 Martin Willi wrote:
> > 16[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
> > 14[IKE] verification of AUTH payload without EAP MSK failed
>
> Then I'd assume you are using FreeRADIUS :-). It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however requires the MSK to calculate the AUTH payload. In its current form, you can't use FreeRADIUS for your setup, my apologies. One could extend FreeRADIUS to copy over the MPPE keys, but writing such a patch is not something I can do in a few minutes.
>
> Regards
> Martin
[strongSwan] charon: 11[IKE] no private key found for 'bla-bla-bla'
Help me please with the following error. I try to connect from a Win7 client with IKEv2 to a Debian strongswan 4.2.4 gateway. The connection stops with "charon: 11[IKE] no private key found for ..." followed by the gateway's cert ID. The gateway's private key is in /etc/ipsec.d/private/gw.superprime.ru-key.pem and is not encrypted. Looks like strongswan doesn't see the private key gw.superprime.ru-key.pem.

--- /etc/ipsec.conf ---

    config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        left=195.162.66.178
        leftsubnet=192.168.0.0/24
        #leftcert=gw.superprime.ru-cert.pem
        leftid=C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway, e=gate...@superprime.ru
        keyexchange=ikev1
        type=tunnel
        pfs=yes
        pfsgroup=modp1024
        ike=aes256-sha1-modp1024
        xauth=server

    conn rw1
        right=%any
        rightsourceip=192.168.2.1
        rightsubnet=192.168.2.0/24
        rightid=C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw1, e=...@superprime.ru
        auto=add
        authby=rsasig
        keyexchange=ikev2
        #authby=xauthrsasig

    conn rw2
        right=%any
        rightsourceip=192.168.2.14
        rightsubnet=192.168.2.0/24
        rightid=C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=rw2, e=...@superprime.ru
        auto=add
        authby=rsasig

    include /var/lib/strongswan/ipsec.conf.inc

--- /etc/ipsec.conf ---

--- /etc/ipsec.d/private/gw.superprime.ru-cert.pem ---

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: bc:55:54:34:82:1d:e1:82
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=RU, ST=Tomsk region, O=Prime Ltd, OU=Central Office, CN=Prime CA/emailaddress=postmas...@superprime.ru
            Validity
                Not Before: Jun 3 08:38:47 2010 GMT
                Not After : Jan 19 00:00:00 2038 GMT
            Subject: C=RU, ST=Tomsk region, O=Prime, OU=Central Office, CN=Prime Gateway/emailaddress=gate...@superprime.ru
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit): [hex dump omitted]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: CA:FALSE
                Netscape Cert Type: Object Signing
                Netscape Comment: Prime Central Office Facility
                X509v3 Subject Alternative Name: DNS:saturn.superprime.ru
                X509v3 Subject Key Identifier: 1E:54:BC:89:56:34:7F:B8:13:96:EC:33:3E:E6:96:FE:AE:F3:1A:44
                X509v3 Authority Key Identifier: keyid:0F:88:3E:32:CC:4E:24:2B:73:DC:61:7C:88:59:AE:03:A9:50:6E:D5

--- /etc/ipsec.d/private/gw.superprime.ru-cert.pem ---

--- from private key /etc/ipsec.d/private/gw.superprime.ru-key.pem ---

    Private-Key: (2048 bit)
    modulus: [hex dump omitted]
[strongSwan] How to disable ctrl-c for strongswan?
Dear all,

When the strongswan process is running and I try to ping a destination, after I press ctrl-c to stop pinging, the strongswan process stops as well. How to disable this?

Thanks! ^^
B.R. Jessie
[strongSwan] Net2net and ip policy
Hi,

Please, help me! I have got two strongswan servers and the connection is ok. I must put a router between left and leftsubnet:

Before:
    192.168.100.0/22===x.x.x.186---x.x.x.230===192.168.11.0/24
Now:
    192.168.100.0/22==={router 192.168.100.254-x.x.x.185}===x.x.x.186---x.x.x.230===192.168.11.0/24

ipsec.conf:

    config setup
        plutodebug=control
        charonstart=no

    conn %default
        left=%defaultroute
        leftsubnet=192.168.100.0/22

    conn paks
        right=x.x.x.230
        rightsubnet=192.168.11.0/24
        authby=secret
        auth=esp
        auto=add

ip xfrm policy:

    src 192.168.100.0/22 dst 192.168.11.0/24
        dir out priority 2408 ptype main
        tmpl src x.x.x.186 dst x.x.x.230
            proto esp reqid 16385 mode tunnel
    src 192.168.11.0/24 dst 192.168.100.0/22
        dir fwd priority 2408 ptype main
        tmpl src x.x.x.230 dst x.x.x.186
            proto esp reqid 16385 mode tunnel
    src 192.168.11.0/24 dst 192.168.100.0/22
        dir in priority 2408 ptype main
        tmpl src x.x.x.230 dst x.x.x.186
            proto esp reqid 16385 mode tunnel

Route:

    192.168.100.0   x.x.x.185   255.255.252.0   UG   0   0   0   eth1
    0.0.0.0         x.x.x.180   0.0.0.0         UG   0   0   0   eth1

The VPN tunnel has been established, of course, but the ping from 192.168.100.2 to 192.168.11.3 fails.

tcpdump:

    12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15360, length 40
    12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP host 192.168.11.3 unreachable - admin prohibited, length 68

I did not change ipsec.conf. I removed the direct network connection to 192.168.100.0/22 from the left server and rewrote the routing table. What else do I need to do to allow this route?

Thank you,
Zsolt
Re: [strongSwan] Net2net and ip policy
Hi,

Sorry, I found it! It is working... An iptables command was left over, which was prohibiting it!

Thank you!
Zsolt

-----Original Message-----
From: users-bounces+makai.zsolt=etv...@lists.strongswan.org [mailto:users-bounces+makai.zsolt=etv...@lists.strongswan.org] On Behalf Of Makai Zsolt
Sent: Thursday, June 03, 2010 1:12 PM
To: users@lists.strongswan.org
Subject: [strongSwan] Net2net and ip policy

Hi,

Please, help me! I have got two strongswan servers and the connection is ok. I must put a router between left and leftsubnet:

Before:
    192.168.100.0/22===x.x.x.186---x.x.x.230===192.168.11.0/24
Now:
    192.168.100.0/22==={router 192.168.100.254-x.x.x.185}===x.x.x.186---x.x.x.230===192.168.11.0/24

ipsec.conf:

    config setup
        plutodebug=control
        charonstart=no

    conn %default
        left=%defaultroute
        leftsubnet=192.168.100.0/22

    conn paks
        right=x.x.x.230
        rightsubnet=192.168.11.0/24
        authby=secret
        auth=esp
        auto=add

ip xfrm policy:

    src 192.168.100.0/22 dst 192.168.11.0/24
        dir out priority 2408 ptype main
        tmpl src x.x.x.186 dst x.x.x.230
            proto esp reqid 16385 mode tunnel
    src 192.168.11.0/24 dst 192.168.100.0/22
        dir fwd priority 2408 ptype main
        tmpl src x.x.x.230 dst x.x.x.186
            proto esp reqid 16385 mode tunnel
    src 192.168.11.0/24 dst 192.168.100.0/22
        dir in priority 2408 ptype main
        tmpl src x.x.x.230 dst x.x.x.186
            proto esp reqid 16385 mode tunnel

Route:

    192.168.100.0   x.x.x.185   255.255.252.0   UG   0   0   0   eth1
    0.0.0.0         x.x.x.180   0.0.0.0         UG   0   0   0   eth1

The VPN tunnel has been established, of course, but the ping from 192.168.100.2 to 192.168.11.3 fails.

tcpdump:

    12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15360, length 40
    12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP host 192.168.11.3 unreachable - admin prohibited, length 68

I did not change ipsec.conf. I removed the direct network connection to 192.168.100.0/22 from the left server and rewrote the routing table. What else do I need to do to allow this route?

Thank you,
Zsolt
[strongSwan] strongswan with ocf or hardware accelerator
Hi All,

We are trying to implement strongswan on our embedded product with a Freescale processor. Because of limitations of our processor we can't use software encryption. Is there any way that strongswan supports hardware acceleration?

Thanks for your help
Jayasri Sangu

Come visit us at CommunicAsia 2010 http://www.communicasia.com/
June 15-18, 2010 at Singapore Expo in the USA Pavilion, Stand 6H1-07
Re: [strongSwan] strongswan with ocf or hardware accelerator
Jayasri Sangu wrote:
> Hi All,
>
> We are trying to implement strongswan on our embedded product with a Freescale processor. Because of limitations of our processor we can't use software encryption. Is there any way that strongswan supports hardware acceleration?
>
> Thanks for your help
> Jayasri Sangu

Assumptions:
1) Linux platform
2) ESP
3) you want to accelerate the crypto+hash for each packet at the ESP level, not the RSA crypto operations of IKE

strongSwan uses the Linux kernel to do ESP packet processing, therefore the question to ask is: does the Linux ESP implementation support hardware acceleration? Yes, Linux ESP uses the Linux kernel crypto API, which can support hardware acceleration. Look at the talitos driver in the Linux kernel for an example. Beware that the Linux crypto API is actively developed as we speak and is constantly changing.

Dimitrios Siganos