[strongSwan] ANNOUNCE: strongswan-5.2.0 released
Hi,

we are proud to announce the release of strongSwan 5.2.0 which offers a native port to Windows 7/8 and many other new features. For specifics read our blog entry:

http://www.strongswan.org/blog/2014/07/09/strongswan-5.2.0-released.html

or browse the detailed changelog:

https://wiki.strongswan.org/versions/52

Best regards

Tobias Brunner, Martin Willi, Andreas Steffen
The strongSwan Team

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] libipsec/net2net-cert: Ipsec tunnel UP but decrypted traffic does not reach beyond GW: /etc/updown: no such file or directory
Hi Noel,

Thank you for your reply. I have compiled with the option you specified and now I don't see '/etc/updown: no such file or directory' in the log. But still the behaviour is the same, i.e. iptables rules are not populated. Rather, the flow in the opposite direction is quite odd.

To make sure my setup's routing is correct I have tested a scenario with the traditional way of a non-TUN-based setup with pre-shared key and AES cryptography, and I can pass bidirectional traffic.

What is happening now is that, for the below mentioned setup:

    Host 1 ------ GW sun ------------- GW moon ----------- Host 2
    10.0.0.103    eth1: 10.0.0.101     eth0: 12.0.0.189    11.0.0.101
                  eth0: 12.0.0.167     eth2: 11.0.0.189

1) If I send traffic (UDP) from Host 2, traffic is seen in eth2 of moon GW but nothing goes to eth0 of the same GW, let alone encryption/decryption.

2) If I send traffic from Host 1, traffic is encrypted and decrypted in eth0 of sun GW and moon GW respectively, but that traffic is not seen in eth2 of moon GW.

The configuration looks like:

moon:

    # cat ipsec.conf
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

    conn test
        left=12.0.0.189
        leftcert=moonCert.pem
        leftsubnet=11.0.0.0/24
        leftid=m...@test.org
        leftupdown=/var/lib/strongswan/_updown
        right=12.0.0.167
        rightcert=sunCert.pem
        rightsubnet=10.0.0.0/24
        rightid=s...@test.org
        auto=add

    # ip route list table 220
    10.0.0.0/24 dev ipsec0  proto static  src 11.0.0.189

    # cat strongswan.conf
    charon {
        load = aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown xauth-generic
        multiple_authentication = no
        debug = 4
    }

sun:

    cat ipsec.conf
    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

    conn test
        left=12.0.0.167
        leftcert=sunCert.pem
        leftsubnet=10.0.0.0/24
        leftid=s...@test.org
        leftupdown=/var/lib/strongswan/_updown
        right=12.0.0.189
        rightcert=moonCert.pem
        rightsubnet=11.0.0.0/24
        rightid=m...@test.org
        auto=add

    ip route list table 220
    11.0.0.0/24 via 12.0.0.189 dev eth0  proto static  src 10.0.0.101

same strongswan.conf.

How should we populate the iptables rules?

Thanks,
Shahreen

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: sah...@adax.co.uk
Direct line: +44(0)118 952 2804

On 09/07/2014 12:33, Noel Kuntze wrote:
> Hello,
>
> You probably didn't run ./configure with the correct parameters and set --with-ipsecdir=/usr/lib/strongswan.
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 09.07.2014 13:29, Shahreen Ahmed wrote:
>> Hi,
>>
>> Can you please help in this regard?
>>
>> I want to test max throughput based on IPsec ESP userland encryption with libipsec. I configured strongSwan 5.1.3 with the following option:
>>
>>     --enable-kernel-libipsec
>>
>> While trying to make a setup following the below link:
>>
>> http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/
>>
>> It seems that even though a tunnel is UP based on X.509 authentication and a TUN interface 'ipsec0' is injected, NO firewall rules are present for routing through 'ipsec0', and encrypted traffic that is decrypted by the peer IPsec GW never reaches the site beyond that GW.
>>
>> The following log is visible in one of the GWs:
>>
>> Jul 9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
>> Jul 9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
>> Jul 9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
>> Jul 9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
>> Jul 9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
>> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=c...@test.org
>> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=c...@test.org
>> Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=m...@test.org' (myself) with RSA signature
[strongSwan] Small Problems with 5.2
Hi,

I hit two problems after upgrading to 5.2. System on both sides is a Debian wheezy 64. strongSwan compiled with:

[client]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-openssl --disable-ikev1 --enable-ntru

[gateway]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-eap-radius --enable-ha --enable-openssl --enable-xauth-eap --enable-eap-mschapv2 --enable-eap-identity --enable-sql --enable-attr-sql --enable-sqlite --enable-xauth-noauth --enable-ntru

1. I get this error on both systems after upgrade:

    ipsec_starter[3318]: notifying watcher failed: Broken pipe

2. I had to roll back to 5.1.3 on the gateway because I couldn't connect from other Linux IKEv2 clients which authenticate via X.509 certificates. I got:

    no trusted RSA public key found for NAME

On the other side, IKEv1 connections from Mac/iOS with certificates and IKEv2 connections from Windows clients with eap-mschapv2 had no problems. (No Win7 client with IKEv2 and X.509 certificates tried to connect at that time.)

As the gateway is in productive use I couldn't debug the problem for long. I have a second server with the same configuration that I can use to dig deeper into the problem. What further information would you need, what debug levels should I use?

All the while the gateway is back on 5.1.3 while my home client is still on 5.2 and can connect despite the Broken Pipe error.

Best Regards
Dirk
Re: [strongSwan] Small Problems with 5.2
Hello Dirk,

Can you please provide your strongswan.conf?

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 10.07.2014 15:54, Dirk Hartmann wrote:
Re: [strongSwan] Random IPSEC IKE1 Dropping
Can anyone help me out with this issue? I know I have very few details to go off of, but at this point, I don't know what else is needed and what needs to be provided.

Thanks,
Brad

From: Turnbough, Bradley E.
Sent: Wednesday, July 09, 2014 9:00 AM
To: users@lists.strongswan.org
Subject: Random IPSEC IKE1 Dropping

Hello All,

I'm currently running this config on an active strongSwan box. I am running CentOS 6.5 (fully patched) alongside strongSwan version:

    Linux strongSwan U5.0.4/K2.6.32-431.3.1.el6.x86_6

We upgraded a while back from a version that still used pluto to this new version (which uses charon). We've started to experience random conn drops (primarily on sa-01 and sa-05). The only way to resolve this that I've found is to perform a 'service strongswan restart'. This is not the only conn which experiences this, so I'm thinking this may be a configuration issue or a bug. The problem is, I don't necessarily know much about IPsec. I'm hoping someone can help me out. Can anyone? Please?

    conn customer-sa-01
        auto=start
        rightsubnet=A.0.0.0/8
        also=customer-default

    conn customer-sa-02
        auto=start
        rightsubnet=B.C.0.0/16
        also=customer-default

    conn customer-sa-03
        auto=start
        rightsubnet=D.E.0.0/16
        also=customer-default

    conn customer-sa-04
        auto=start
        rightsubnet=F.G.0.0/15
        also=customer-default

    conn customer-sa-05
        auto=start
        rightsubnet=H.I.0.0/15
        also=customer-default

    conn customer-sa-06
        auto=start
        rightsubnet=J.K.0.0/16
        also=customer-default

    conn customer-sa-07
        auto=start
        rightsubnet=L.M.0.0/16
        also=customer-default

    conn customer-sa-08
        auto=start
        rightsubnet=N.O.P.Q/32
        also=customer-default

    conn customer-default
        keyingtries=%forever
        authby=secret
        left=R.S.T.U
        leftsubnet=V.W.X.0/24
        right=Y.Z.AA.BB
        rightallowany=yes
        keyexchange=ikev1
        ikelifetime=480m
        keylife=3600s
        mobike=no
        ike=aes256-sha1-modp1024
        esp=3des-md5
Re: [strongSwan] Random IPSEC IKE1 Dropping
Hello Bradley,

Without a log file, I can only assume that the tunnel gets torn down because the communication to the peers gets severed. I propose enabling DPD with dpdaction=restart, as well as closeaction=restart, so the tunnel gets re-established if it gets severed for some reason.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 10.07.2014 19:42, Turnbough, Bradley E. wrote:
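As an added example (not taken from Noel's or Bradley's mail), the customer-default section Bradley posted, first as-is and then with the dead peer detection and close action Noel suggests. The dpddelay and dpdtimeout values are assumptions chosen for illustration; the placeholder addresses and cipher lines are Bradley's, kept as posted.

```ini
# Before (as posted): no DPD, so a peer that silently disappears leaves
# a stale SA in place until somebody restarts the daemon.
conn customer-default
    keyingtries=%forever
    authby=secret
    left=R.S.T.U
    leftsubnet=V.W.X.0/24
    right=Y.Z.AA.BB
    rightallowany=yes
    keyexchange=ikev1
    ikelifetime=480m
    keylife=3600s
    mobike=no
    ike=aes256-sha1-modp1024
    esp=3des-md5

# After: charon sends a DPD exchange once the peer has been quiet for
# dpddelay; if nothing comes back within dpdtimeout (IKEv1 only; IKEv2
# relies on its retransmission timeout instead) the SAs to that peer are
# deleted and, because of dpdaction=restart, set up again. keyingtries
# stays at %forever so the restart keeps retrying. closeaction=restart
# covers the other case, where the peer itself deletes the CHILD_SA.
conn customer-default
    keyingtries=%forever
    authby=secret
    left=R.S.T.U
    leftsubnet=V.W.X.0/24
    right=Y.Z.AA.BB
    rightallowany=yes
    keyexchange=ikev1
    ikelifetime=480m
    keylife=3600s
    mobike=no
    ike=aes256-sha1-modp1024
    esp=3des-md5
    # assumed values for illustration; the strongSwan defaults are
    # 30s for dpddelay and 150s for dpdtimeout
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    closeaction=restart
```

One caveat from the ipsec.conf manual: closeaction should not be used when the peer does reauthentication or uniqueids checking, since those legitimately close and re-create SAs and would trigger the restart when it is not wanted.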