[strongSwan] Filtering decap'd traffic on the strongswan GW
I have a use case where we're connecting a remote subnet to a strongswan 5.3.5 or 5.4.0 gateway running in AWS. Because of the way the hosts are scattered amongst the VPC, we can't group them into a small block and advertise just that block (say a /28 worth of hosts out of the subnet).

What I would like to do is filter the remote network to the hosts we do want to allow access to in the AWS subnet at the gateway via iptables. For example, remote network 192.168.10.0/24 is allowed access to 100.64.7.3 tcp port 3389.

I'm drawing a blank as to how to properly filter it using iptables. There are FORWARDing rules in place installed by strongswan for ipsec for the two respective subnets. Which chain, if any, would handle filtering the de-encapsulated traffic from the tunnel going out from the gateway to the left subnet?

Basically, we want to ACL the traffic coming across the tunnel at the GW.

Any thoughts or pointers appreciated.

Thanks
EKG

___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
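An added example for the question above; it is not code from EKG's post or from strongSwan's own scripts. Decapsulated tunnel traffic destined for the VPC hosts is forwarded by the GW, so it traverses the FORWARD chain (not INPUT); what singles it out from cleartext traffic is the iptables policy match, which is evaluated on the packet after ESP decapsulation. The script assumes the allowed flow named in the post (192.168.10.0/24 to 100.64.7.3 tcp/3389), that the kernel has the policy and conntrack matches, and that leftfirewall=no: with leftfirewall=yes strongSwan's _updown inserts a per-CHILD_SA ACCEPT rule at position 1 of FORWARD each time a tunnel comes up, which would sit above this ACL and shadow it. By default it prints the iptables commands; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# Assumptions: GW forwards between the tunnel and the VPC subnet; the allowed
# flow is 192.168.10.0/24 -> 100.64.7.3 tcp/3389 (from the post);
# leftfirewall=no so _updown does not insert ACCEPT rules ahead of this ACL.
set -eu

REMOTE_NET=${REMOTE_NET:-192.168.10.0/24}
ALLOW_HOST=${ALLOW_HOST:-100.64.7.3}
ALLOW_PORT=${ALLOW_PORT:-3389}
# Defaults to printing the commands; run with IPT=iptables (as root) to apply.
IPT=${IPT:-echo iptables}

# Build a dedicated chain for traffic that arrived through an ESP SA.
# "-m policy --dir in --pol ipsec" matches only packets that were just
# decapsulated, so the plaintext src/dst/port selectors apply to the inner
# packet, and a cleartext packet from the VPC side spoofing a 192.168.10.x
# source cannot take this path.
ipsec_acl_rules() {
    $IPT -N IPSEC_ACL 2>/dev/null || true
    $IPT -F IPSEC_ACL
    # Divert only tunnel-decapsulated forwarded traffic from the remote net.
    $IPT -I FORWARD 1 -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -j IPSEC_ACL
    # Packets belonging to flows that were already allowed.
    $IPT -A IPSEC_ACL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The one permitted flow: remote subnet -> one host, one TCP port.
    $IPT -A IPSEC_ACL -d "$ALLOW_HOST" -p tcp --dport "$ALLOW_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everything else that came in through the tunnel: rate-limited log, then drop.
    $IPT -A IPSEC_ACL -m limit --limit 5/min -j LOG --log-prefix "IPSEC_ACL drop: "
    $IPT -A IPSEC_ACL -j DROP
}

# Counter check: confirms decapsulated traffic is actually hitting the ACL
# rather than an ACCEPT rule placed above it.
ipsec_acl_show() {
    $IPT -vnL IPSEC_ACL --line-numbers
}

ipsec_acl_rules
```

Return traffic from 100.64.7.3 back to the remote net is "--dir out" for the policy match, so it never enters IPSEC_ACL and is handled by whatever the rest of FORWARD already allows for the tunnel; if you want to restrict that direction too, add a second chain keyed on "-m policy --dir out --pol ipsec".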
Re: [strongSwan] iOS and IKEv2/EAP-MSCHAPv2
On 18/04/2016 16:54, Tobias Brunner wrote:
> Typo?

I was convinced it was a typo so I checked and double-checked many times. I did ipsec rereadsecrets. I even restarted the actual service just in case. Nada. Only setting the password to the same as the username made it work. And I found that out only by accident after nearly giving up getting it to work.
Re: [strongSwan] Framed-Ip-Address not sent to client?
Hi Laurens,

> When I change "rightsourceip=10.0.0.0/24" to "rightsourceip=%radius",
> strongSwan is still giving out ip addresses from that initial pool
> instead of using the Framed-Ip-Address (they are different subnets):

How did you reload the config? Is there another config that defines the 10.0.0.0/24 pool (maybe post your complete config)?

Regards,
Tobias
Re: [strongSwan] iOS and IKEv2/EAP-MSCHAPv2
Hi Fred,

> What could be causing this to fail?

Typo?

Regards,
Tobias
Re: [strongSwan] Mac OS 10.10 Client to Linux Strongswan server HASH N(AUTH_FAILED) error
Hi Jude,

> Any insights into what I am missing in my setup, my hope is that this is
> just some simple newbie mistake I am doing.

Try reading the log:

> Apr 18 09:45:42 RH7Standard charon: 12[CFG] looking for XAuthInitRSA peer
> configs matching 10.0.11.200...10.0.11.160[C=US, O=BSI, CN=ju...@blansys.com]

The client wants to initiate an XAuth/RSA connection (with its certificate's subject DN as identity). However, your config specifies:

> leftauth=psk
> rightauth=psk
> rightauth2=xauth

That is, you configured XAuth/PSK. You also set:

> rightid=10.0.11.160

Which wouldn't match that subject DN even if the authentication methods were the same. You might want to have a look at [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
[strongSwan] Mac OS 10.10 Client to Linux Strongswan server HASH N(AUTH_FAILED) error
I am attempting to set up a RHEL 7 based Strongswan server, with Macintosh based clients, using ipsec (the built-in OS X Cisco client), and I am unable to get this to behave so far. It appears to be an issue with the certs? I have regenerated them on both sides several times and that does not seem to be resolving my issue here. Any insights into what I am missing in my setup; my hope is that this is just some simple newbie mistake I am doing.

My ipsec.conf file:

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    leftid=10.0.11.200
    rightid=10.0.11.160

conn rw-carol
    also=rw
    right=10.0.11.0/24
    auto=add

conn rw-dave
    also=rw
    right=10.0.11.0/24
    auto=add

conn rw
    left=10.0.11.200
    leftsubnet=10.11.0.0/16
    leftfirewall=yes

This is my ipsec.secrets file:

: RSA RH7Standard.vpnHostPrivateKey.der
: PSK "Password"
judeo %any : EAP "Password"
judeo %any : XAUTH "Password"
judeo %any : PSK "Password"

This is the error I am seeing in the logs:

Apr 18 09:45:41 RH7Standard charon: 10[IKE] 10.0.11.160 is initiating a Main Mode IKE_SA
Apr 18 09:45:41 RH7Standard charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 18 09:45:41 RH7Standard charon: 10[NET] sending packet: from 10.0.11.200[500] to 10.0.11.160[500] (136 bytes)
Apr 18 09:45:41 RH7Standard strongswan: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.10.0-327.4.5.el7.x86_64, x86_64)
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] openssl FIPS mode(2) - enabled
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] created TUN device: ipsec0
Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open socket: Address family not supported by protocol
Apr 18 09:45:41 RH7Standard strongswan: 00[NET] could not open IPv6 socket, IPv6 disabled
Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] received netlink error: Address family not supported by protocol (97)
Apr 18 09:45:41 RH7Standard strongswan: 00[KNL] unable to create IPv6 routing table rule
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.SelfSigned.CA.cert.strongswanCert.der'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded ca certificate "C=US, O=BSI, CN=RH7Standard.blansys.com" from '/etc/strongswan/ipsec.d/cacerts/RH7Standard.Converted.SelfSigned.CA.cert.pem'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/aacerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/ocspcerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/acerts' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Apr 18 09:45:41 RH7Standard strongswan: 00[LIB] opening directory '/etc/strongswan/ipsec.d/crls' failed: No such file or directory
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] reading directory failed
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/RH7Standard.vpnHostPrivateKey.der'
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded IKE secret for %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded EAP secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded EAP secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded IKE secret for judeo %any
Apr 18 09:45:41 RH7Standard strongswan: 00[CFG] loaded 0 RADIUS server configurations
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] MAP server certificate not defined
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] TNC recommendation policy is 'default'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr 18 09:45:41 RH7Standard strongswan: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr 18 09:
[strongSwan] iOS and IKEv2/EAP-MSCHAPv2
I have an interesting situation with an iOS 9 device connecting to strongswan 5.2.1 using username/password. I get the following output in syslog:

Apr 18 15:23:27 foobar charon: 03[IKE] authentication of 'boo.moo' (myself) with RSA signature successful
Apr 18 15:23:27 foobar charon: 03[IKE] sending end entity cert "C=CH, O=strongSwan, CN=boo.moo"
Apr 18 15:23:27 foobar charon: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 18 15:23:27 foobar charon: 03[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[37407] (1504 bytes)
Apr 18 15:23:27 foobar charon: 04[NET] received packet: from y.y.y.y[37407] to x.x.x.x[4500] (80 bytes)
Apr 18 15:23:27 foobar charon: 04[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 18 15:23:27 foobar charon: 04[IKE] received EAP identity 'user1'
Apr 18 15:23:27 foobar charon: 04[IKE] initiating EAP_MSCHAPV2 method (id 0xB3)
Apr 18 15:23:27 foobar charon: 04[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 18 15:23:27 foobar charon: 04[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[37407] (112 bytes)
Apr 18 15:23:27 foobar charon: 01[NET] received packet: from y.y.y.y[37407] to x.x.x.x[4500] (144 bytes)
Apr 18 15:23:27 foobar charon: 01[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 18 15:23:27 foobar charon: 01[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Apr 18 15:23:29 foobar charon: 01[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 18 15:23:29 foobar charon: 01[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[37407] (128 bytes)

However, if I set the username and password to be the same (user1/user1), then the connection works. Obviously that's no good though. What could be causing this to fail?

Fred