[strongSwan] issue connecting strongswan from EC2 instance to Cisco device
Hello,

I'm trying to connect a Strongswan client hosted on Amazon EC2 public (not VPC) to a Cisco device over IKEv1. Since we are hosted on EC2, we have the EC2 gateway NAT in front of our instance.

I have done a VirtualBox simulation setup using 4 Linux VMs and Strongswan, i.e. Linux1 / my EC2 <--> Linux2 / 1:1 NAT <--> Linux3 / Cisco VPN <--> Linux4 / remote server to access. Using this, I have validated that my "Linux1/EC2" should be able to communicate over IPsec with NAT-T over a 1:1 NAT. It works... with Strongswan as server.

However, it does not work with the Cisco VPN device we're trying to connect to: the Strongswan client keeps rekeying phase 1 (i.e. ipsec statusall keeps looping between CONNECTING/ESTABLISHED continuously). Adding modeconfig=push as suggested by the documentation makes the Security Association stable, however the connection gets stuck trying to negotiate phase 2, in tasks queued: QUICK_MODE.

I can see with tcpdump that NAT-T packets are sent, I see the first response from the Cisco device over NAT-T but nothing more.

16:56:28.391047 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp > vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.470397 IP vpn_cisco_gateway.isakmp > ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.485469 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp > vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.566259 IP vpn_cisco_gateway.isakmp > ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.648297 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > vpn_cisco_gateway.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
16:56:28.731272 IP vpn_cisco_gateway.ipsec-nat-t > ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 1 R ident[E]
16:56:52.596800 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > vpn_cisco_gateway.ipsec-nat-t: isakmp-nat-keep-alive

and nothing more except keepalives.

Any help or suggestions on how to troubleshoot the issue further are welcome.

Regards,
J.G

The local and remote configurations are, with context:

123.123.22.22: using some public IP address for the internal network, on purpose to avoid collision with VPN provider
PUBLIC_EC2_IP_ADDRESS is our public EC2 elastic IP address.
VPN_GATEWAY_PUBLIC_IP: the public IP address of the remote VPN Cisco device
VPN_GATEWAY_INTERNAL_IP: internal IP address of the remote VPN Cisco device
SERVER_IP_BEHIND_VPN_GATEWAY is the address of the remote server we want to access from our EC2 instance over the IPsec tunnel
VPN_REMOTE_NETWORK: the remote network & mask that includes the two previous hosts
OUR_VPN_PROVIDER_GATEWAY is the next hop gateway for the Cisco VPN to reach the internet

config setup
    charondebug="knl 3, ike 4, esp 4, cfg 4, mgr 4, net 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn test
    left=%any
    leftsourceip=123.123.22.22
    leftid=PUBLIC_EC2_IP_ADDRESS
    leftfirewall=yes
    right=VPN_GATEWAY_PUBLIC_IP
    rightid=VPN_GATEWAY_PUBLIC_IP
    rightsubnet=VPN_REMOTE_NETWORK/27
    auto=add
    modeconfig=push    # or disable
    ike=3des-md5-modp1024!
    esp=aes-sha1!

The Cisco device configuration is:

crypto keyring keyring_customer
  pre-shared-key address PUBLIC_EC2_IP_ADDRESS key THE_SECRET_PSK
!
crypto isakmp profile profile_customer
   vrf vrf_customer
   keyring keyring_customer
   match identity address PUBLIC_EC2_IP_ADDRESS 255.255.255.255
!
crypto map cmallserv1 130 ipsec-isakmp
 description customer_vpn
 set peer PUBLIC_EC2_IP_ADDRESS
 set transform-set ts-esp-aes256-esp-sha-hmac
 set isakmp-profile profile_customer
 match address access_list_customer
!
ip route PUBLIC_EC2_IP_ADDRESS 255.255.255.255 TenGigabitEthernet0/1/0.1300 OUR_VPN_PROVIDER_GATEWAY
ip route vrf vrf_customer 123.123.22.22 255.255.255.255 TenGigabitEthernet0/1/0.1300 OUR_VPN_PROVIDER_GATEWAY global
!
ip access-list extended access_list_customer
 permit ip host VPN_GATEWAY_INTERNAL_IP host 123.123.22.22
 permit ip host SERVER_IP_BEHIND_VPN_GATEWAY host 123.123.22.22
!
router bgp 6000
 scope vrf icssmsc:vrf_customer
  address-family ipv4
   redistribute static
!
end

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
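The trace in the post above is the interesting part: six main-mode messages (the last two encrypted and already on the NAT-T port) and then only keepalives, which means phase 1 finished and nothing at all was attempted for phase 2 on the wire. The script below is an added example, not code from the post or from the strongSwan project. It classifies a tcpdump capture of UDP 500/4500 by that pattern: "phase 1 incomplete", "phase 1 complete but no phase 2 traffic", "quick mode requests unanswered" or "quick mode exchanged". The sample traces are constructed: the first reproduces the lines from the post one per line, the other two are assumed variants that add quick-mode packets so the other outcomes are exercised too. The initiator is assumed to be the source of the first packet, and the completion rule assumes main mode (two encrypted "ident" messages), which is what the post's trace uses.

```python
"""Classify where an IKEv1 negotiation stalls from a tcpdump trace of UDP 500/4500."""
import re
import sys
from collections import Counter

# Constructed sample: the six main-mode messages from the post, one per line
# (the archive flattened the original capture onto a single line).
PHASE1_LINES = """\
16:56:28.391047 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp > vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.470397 IP vpn_cisco_gateway.isakmp > ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.485469 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp > vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.566259 IP vpn_cisco_gateway.isakmp > ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.648297 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > vpn_cisco_gateway.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
16:56:28.731272 IP vpn_cisco_gateway.ipsec-nat-t > ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 1 R ident[E]
"""
KEEPALIVE = ("16:56:52.596800 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > "
             "vpn_cisco_gateway.ipsec-nat-t: isakmp-nat-keep-alive\n")
# Constructed variants (not from the post) with quick-mode packets appended.
QM_REQUEST = ("16:56:29.100000 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > "
              "vpn_cisco_gateway.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]\n")
QM_REPLY = ("16:56:29.180000 IP vpn_cisco_gateway.ipsec-nat-t > "
            "ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]\n")
SAMPLE_TRACE = PHASE1_LINES + KEEPALIVE                       # exactly what the post shows
SAMPLE_UNANSWERED_QM = PHASE1_LINES + QM_REQUEST + QM_REQUEST.replace("16:56:29", "16:56:33")
SAMPLE_QM_OK = PHASE1_LINES + QM_REQUEST + QM_REPLY

# Port names as tcpdump prints them by default, plus the numeric forms it prints with -n.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>isakmp|ipsec-nat-t|500|4500) > "
    r"(?P<dst>\S+?)\.(?P<dport>isakmp|ipsec-nat-t|500|4500): (?P<rest>.*)$")
# tcpdump prints "phase 1" for message-id 0 and "phase 2/others" for everything else,
# then I/R (initiator/responder) and the exchange name, with [E] when encrypted.
PHASE_RE = re.compile(r"isakmp: phase (?P<phase>[12])\S* (?P<dir>[IR?]) (?P<exch>\S+)")


def parse(trace):
    """Yield one dict per recognised tcpdump ISAKMP line; anything else is skipped."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["nat_t"] = rec["sport"] in ("ipsec-nat-t", "4500")
        rec["keepalive"] = "isakmp-nat-keep-alive" in rec["rest"]
        p = PHASE_RE.search(rec["rest"])
        rec["phase"] = int(p["phase"]) if p else None
        rec["exch"] = re.sub(r"\[E\]$", "", p["exch"]) if p else None
        rec["encrypted"] = bool(p) and p["exch"].endswith("[E]")
        yield rec


def verdict(s):
    if s["phase1_sent"] + s["phase1_received"] == 0:
        return "no-phase1"
    if s["phase1_encrypted"] < 2:          # main mode ends with two encrypted ident messages
        return "phase1-incomplete"
    if s["phase2_sent"] + s["phase2_received"] == 0:
        return "phase1-complete-no-phase2"  # the post's situation: nothing after phase 1
    if s["phase2_received"] == 0:
        return "phase2-unanswered"          # our quick-mode requests get no reply
    return "phase2-exchanged"


def analyze(trace):
    recs = list(parse(trace))
    if not recs:
        return {"verdict": "no-isakmp-traffic"}
    local, peer = recs[0]["src"], recs[0]["dst"]   # assumption: we sent the first packet
    s = {"local": local, "peer": peer,
         "phase1_sent": 0, "phase1_received": 0, "phase1_encrypted": 0,
         "phase2_sent": 0, "phase2_received": 0,
         "nat_t": any(r["nat_t"] for r in recs),
         "keepalives": sum(r["keepalive"] for r in recs),
         "phase2_exchanges": Counter()}
    for r in recs:
        if r["phase"] is None:
            continue
        side = "sent" if r["src"] == local else "received"
        s[f"phase{r['phase']}_{side}"] += 1
        if r["phase"] == 1 and r["encrypted"]:
            s["phase1_encrypted"] += 1
        if r["phase"] == 2:
            s["phase2_exchanges"][r["exch"]] += 1
    s["verdict"] = verdict(s)
    return s


if __name__ == "__main__":
    # Pipe a live capture in (tcpdump -l -i eth0 udp port 500 or udp port 4500) or run the samples.
    traces = {"stdin": sys.stdin.read()} if not sys.stdin.isatty() else {
        "post": SAMPLE_TRACE, "unanswered-qm": SAMPLE_UNANSWERED_QM, "qm-ok": SAMPLE_QM_OK}
    for name, trace in traces.items():
        s = analyze(trace)
        print(f"{name}: {s['verdict']}  nat_t={s.get('nat_t')} "
              f"phase2 sent/received={s.get('phase2_sent')}/{s.get('phase2_received')}")
```

For the post's trace the result is "phase1-complete-no-phase2": the Cisco answers every phase-1 message, including the encrypted ones on port 4500, so PSK, NAT-T and the IKE proposal are not the problem. Two things in the configuration above are then worth separating. First, leftsourceip makes strongSwan request a virtual IP through an IKEv1 mode-config exchange before quick mode, and with modeconfig=push it waits for the peer to push one; if no virtual IP is needed, dropping leftsourceip takes that exchange out of the picture. Second, the strongSwan side proposes esp=aes-sha1 (AES-128) while the Cisco transform-set name suggests AES-256; the name alone does not prove a mismatch, but a quick-mode proposal mismatch is the usual cause once phase 1 completes and phase 2 never does, so compare the actual transform set with the esp line before anything else.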
Re: [strongSwan] Empty CRL cache
Hi Fabrice,

I don't know what your problem might be. In our KVM scenario running strongswan 5.5.0 under Debian 8, the CRL is written to a file:

https://www.strongswan.org/testing/testresults/ikev2/crl-to-cache/

Best regards

Andreas

On 13.09.2016 14:15, Fabrice Barconnière wrote:
> Hello,
>
> I still have a problem with CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.
>
> Certificate status is checked with CRL as we can see in the log file.
> ipsec listcrls output command gives:
>
> List of X.509 CRLs:
>
>   issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
>   serial:    09:43
>   revoked:   13 certificates
>   updates:   this Sep 13 00:00:06 2016
>              next Sep 20 00:00:06 2016, ok (expires in 6 days)
>   authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
>
> But ll /etc/ipsec.d/crls/ gives:
> total 8
> drwxr-xr-x  2 root root 4096 avril  5 15:44 ./
> drwxr-xr-x 11 root root 4096 août  30 21:01 ../
>
> With Ubuntu 14.04 and strongSwan 5.1.2 (after apparmor profile correction)
>
> ll /etc/ipsec.d/crls/ gives:
> total 12
> drwxr-xr-x  2 root root 4096 sept. 13 09:18 ./
> drwxr-xr-x 11 root root 4096 sept. 10 01:04 ../
> -rw-r--r--  1 root root 1307 sept. 13 09:18 cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
>
> What else can I check?
>
> On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
>> Hi all,
>>
>> /etc/ipsec.d/crls directory is still empty after established connections.
>>
>> OS: Ubuntu 16.04
>> Version: 5.3.5-1ubuntu3
>>
>> * ipsec.conf :
>>
>> config setup
>>         uniqueids = yes
>>         cachecrls = yes
>>         strictcrlpolicy = no
>> ...
>> ...
>>
>> * ipsec statusall :
>>
>> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic, x86_64):
>>   uptime: 17 minutes, since Sep 09 14:13:12 2016
>>   malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>>   worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>>   loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
>> Listening IP addresses:
>>   192.168.0.11
>>   172.30.101.11
>> Connections:
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  192.168.0.11...192.168.0.31  IKEv1/2, dpddelay=120s
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   local:  [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr] uses public key authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:    cert:  "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr"
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   child:  172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]: ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr]
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]: IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key reauthentication in 2 hours
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s ago), rekeying in 32 minutes
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:   172.30.101.0/24 === 10.1.1.0/24
>>
>> * Logs :
>>
>> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux
Re: [strongSwan] Empty CRL cache
Hello,

I still have a problem with CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.

Certificate status is checked with CRL as we can see in the log file.
ipsec listcrls output command gives:

List of X.509 CRLs:

  issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
  serial:    09:43
  revoked:   13 certificates
  updates:   this Sep 13 00:00:06 2016
             next Sep 20 00:00:06 2016, ok (expires in 6 days)
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17

But ll /etc/ipsec.d/crls/ gives:
total 8
drwxr-xr-x  2 root root 4096 avril  5 15:44 ./
drwxr-xr-x 11 root root 4096 août  30 21:01 ../

With Ubuntu 14.04 and strongSwan 5.1.2 (after apparmor profile correction)

ll /etc/ipsec.d/crls/ gives:
total 12
drwxr-xr-x  2 root root 4096 sept. 13 09:18 ./
drwxr-xr-x 11 root root 4096 sept. 10 01:04 ../
-rw-r--r--  1 root root 1307 sept. 13 09:18 cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl

What else can I check?

On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
> Hi all,
>
> /etc/ipsec.d/crls directory is still empty after established connections.
>
> OS: Ubuntu 16.04
> Version: 5.3.5-1ubuntu3
>
> * ipsec.conf :
>
> config setup
>         uniqueids = yes
>         cachecrls = yes
>         strictcrlpolicy = no
> ...
> ...
>
> * ipsec statusall :
>
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic, x86_64):
>   uptime: 17 minutes, since Sep 09 14:13:12 2016
>   malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>   worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>   loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
> Listening IP addresses:
>   192.168.0.11
>   172.30.101.11
> Connections:
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  192.168.0.11...192.168.0.31  IKEv1/2, dpddelay=120s
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   local:  [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr] uses public key authentication
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:    cert:  "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr"
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key authentication
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   child:  172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]: ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr]
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]: IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key reauthentication in 2 hours
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s ago), rekeying in 32 minutes
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:   172.30.101.0/24 === 10.1.1.0/24
>
> * Logs :
>
> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic, x86_64)
> 2016-09-09T14:35:48.220738+02:00 sphynx.ac-test.lan charon: 00[CFG] disabling load-tester plugin, not configured
> 2016-09-09T14:35:48.221002+02:00 sphynx.ac-test.lan charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> 2016-09-09T14:35:48.229358+02:00 sphynx.ac-test.lan charon: 00[CFG] dnscert plugin is disabled
> 2016-09-09T14:35:48.229716+02:00 sphynx.ac-test.lan
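The two listings in this thread show the relationship between what `ipsec listcrls` reports and what `cachecrls = yes` should produce on disk: the cached file is named after the CRL's authority key identifier in hex (authkey cc:2e:37:... becomes cc2e370f...0717.crl). The script below is an added example, not code from the thread or from strongSwan. It parses `ipsec listcrls` output, derives the expected cache file name from the authkey line, and reports for each CRL whether that file is present in the cache directory and whether the CRL's next-update time has already passed. The sample output is constructed from the listing quoted above; the file-naming rule is taken from that listing, and month names are assumed to be the English abbreviations strongSwan prints.

```python
"""Cross-check `ipsec listcrls` against the on-disk CRL cache (/etc/ipsec.d/crls)."""
import os
import re
from datetime import datetime

# Constructed sample: the `ipsec listcrls` output quoted in the thread above.
SAMPLE_LISTCRLS = """\
List of X.509 CRLs:

  issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
  serial:    09:43
  revoked:   13 certificates
  updates:   this Sep 13 00:00:06 2016
             next Sep 20 00:00:06 2016, ok (expires in 6 days)
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
"""

ISSUER_RE = re.compile(r'^\s*issuer:\s+"(?P<issuer>[^"]*)"')
AUTHKEY_RE = re.compile(r'^\s*authkey:\s+(?P<authkey>[0-9a-f]{2}(?::[0-9a-f]{2})+)')
NEXT_RE = re.compile(r'^\s*next\s+(?P<next>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})')


def parse_listcrls(text):
    """Return one dict per CRL block: issuer, authkey (hex without colons), next update."""
    crls, cur = [], None
    for line in text.splitlines():
        m = ISSUER_RE.match(line)
        if m:                                   # an issuer line starts a new CRL block
            cur = {"issuer": m["issuer"], "authkey": None, "next_update": None}
            crls.append(cur)
            continue
        if cur is None:
            continue
        m = AUTHKEY_RE.match(line)
        if m:
            cur["authkey"] = m["authkey"].replace(":", "")
            continue
        m = NEXT_RE.match(line)
        if m:                                   # English month abbreviations assumed
            cur["next_update"] = datetime.strptime(m["next"], "%b %d %H:%M:%S %Y")
    return crls


def expected_filenames(crls):
    # The cache file is named after the authority key identifier, as the thread's
    # listing shows: cc:2e:37:...:17 -> cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
    return [c["authkey"] + ".crl" for c in crls if c["authkey"]]


def audit(crls, present, now):
    """For each CRL: is its cache file among `present`, and is it already past next-update?"""
    present = set(present)
    report = []
    for c in crls:
        fname = c["authkey"] + ".crl" if c["authkey"] else None
        report.append({
            "issuer": c["issuer"],
            "file": fname,
            "cached": fname in present,
            "stale": c["next_update"] is not None and now > c["next_update"],
        })
    return report


def audit_dir(listcrls_text, cache_dir="/etc/ipsec.d/crls", now=None):
    """Run the audit against a real cache directory (default: strongSwan's)."""
    crls = parse_listcrls(listcrls_text)
    return audit(crls, os.listdir(cache_dir), now or datetime.now())


if __name__ == "__main__":
    # Against the sample and an empty cache, which is the thread's symptom.
    for r in audit(parse_listcrls(SAMPLE_LISTCRLS), [], datetime(2016, 9, 13, 14, 15)):
        state = "cached" if r["cached"] else "MISSING"
        print(f"{r['file']}  {state}  stale={r['stale']}  issuer={r['issuer']}")
```

On a live box, `audit_dir(subprocess.check_output(["ipsec", "listcrls"], text=True))` does the comparison directly. A CRL that is listed in memory but reported MISSING on disk is exactly the thread's symptom: the revocation check works, but nothing survives a restart until the write succeeds, so the next thing to look at is whether the daemon is allowed to create files in that directory (the 14.04 listing in the thread only appeared after an apparmor profile correction).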
[strongSwan] successful ipsec link but no traffic with strongswan 5.5.0 and kernel 4.4.20
Hello,

I am in need of some help. I had a perfectly fine (and simpleish) strongswan setup on my home server: a router with a PPPoE connection to the ISP, which provides me with a dynamic non-NAT-ed IP, and a DDNS setup with my domain provider. On top of this I set up a basic roadwarrior IKEv2 VPN with strongswan. Everything was running on ARCHLINUX with kernel 3.18.

After updating the kernel to 4.4.20 the VPN stopped working. I get the connection established, but no traffic goes through it. If I roll back to kernel 3.18 everything works fine again. Is anyone aware of any changes related to IPSEC/VPN/TUNNELS or ROUTING?

Please see my logs below:

/> ipsec statusall
---
Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.4.20, armv7l):
  uptime: 5 minutes, since Sep 13 12:37:32 2016
  malloc: sbrk 1339392, mmap 0, used 355624, free 983768
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp chapoly xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity
Virtual IP pools (size/online/offline):
  10.0.1.0/24: 254/1/0
Listening IP addresses:
  192.168.2.10
  192.168.7.1
  90.203.141.93
Connections:
     windows:  %any...%any  IKEv2, dpddelay=300s
     windows:   local:  [mihaiordean.com] uses public key authentication
     windows:    cert:  "C=GB, O=mihaiordean.com, CN=mihaiordean.com"
     windows:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
     windows:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
     android:  %any...%any  IKEv2, dpddelay=300s
     android:   local:  [mihaiordean.com] uses public key authentication
     android:    cert:  "C=GB, O=mihaiordean.com, CN=mihaiordean.com"
     android:   remote: [C=GB, O=mihaiordean.com, CN=vpn-client] uses public key authentication
     android:    cert:  "C=GB, O=mihaiordean.com, CN=vpn-client"
     android:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     android[10]: ESTABLISHED 24 seconds ago, 90.203.141.93[mihaiordean.com]...147.188.254.72[C=GB, O=mihaiordean.com, CN=vpn-client]
     android[10]: IKEv2 SPIs: 446cfc0fce52fc90_i 95cc24497fefd7b9_r*, rekeying disabled
     android[10]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
     android{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i 1c5743ef_o
     android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled
     android{1}:   0.0.0.0/0 === 10.0.1.1/32

/> ip route show table 220
--
10.0.1.1 via 147.188.254.72 dev ppp64 proto static

/> iptables -L
---
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.7.0/24       anywhere
REJECT     all  --  192.168.7.0/24       anywhere             reject-with icmp-port-unreachable
ACCEPT     icmp --  anywhere             5acb8d5d.bb.sky.com
ACCEPT     all  --  anywhere             5acb8d5d.bb.sky.com  ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED udp dpt:isakmp
ACCEPT     udp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED udp dpt:ipsec-nat-t
ACCEPT     ah   --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec proto esp
ACCEPT     tcp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED tcp dpt:http
ACCEPT     tcp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED tcp dpt:https
ACCEPT     tcp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED tcp dpt:telnet
ACCEPT     tcp  --  anywhere             ironbox.meehien.lan  ctstate NEW,RELATED,ESTABLISHED tcp dpt:51413
ACCEPT     udp  --  anywhere             ironbox.meehien.lan  ctstate NEW,RELATED,ESTABLISHED udp dpt:51413
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS
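The status output in this post carries the diagnostic signal in a single line: the CHILD_SA is INSTALLED with 1570 bytes_i and 0 bytes_o, so ESP packets from the client are arriving and decrypting but nothing is ever sent back, which points at forwarding and return routing rather than at IKE. The script below is an added example, not code from the post or from strongSwan. It parses the CHILD_SA lines of `ipsec statusall` and the FORWARD chain of `iptables -L`, and reports two findings: an installed SA with inbound traffic but no outbound traffic, and a FORWARD chain whose policy is DROP with no visible ACCEPT rule matching IPsec-policy traffic. Both samples are constructed from the output quoted above; note that the post's iptables listing is cut off after the first FORWARD rule, so the second finding describes the visible text, not necessarily the full rule set on that router.

```python
"""Flag one-way tunnel traffic and missing FORWARD rules from strongSwan/iptables output."""
import re

# Constructed sample: the Security Associations part of `ipsec statusall` from the post.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     android[10]: ESTABLISHED 24 seconds ago, 90.203.141.93[mihaiordean.com]...147.188.254.72[C=GB, O=mihaiordean.com, CN=vpn-client]
     android[10]: IKEv2 SPIs: 446cfc0fce52fc90_i 95cc24497fefd7b9_r*, rekeying disabled
     android[10]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
     android{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i 1c5743ef_o
     android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled
     android{1}:   0.0.0.0/0 === 10.0.1.1/32
"""

# Constructed sample: the relevant rules of `iptables -L` from the post (FORWARD is truncated there).
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED udp dpt:isakmp
ACCEPT     udp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED udp dpt:ipsec-nat-t
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec proto esp

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS
"""

# CHILD_SA lines use "name{id}:"; IKE_SA lines use "name[id]:" and are ignored here.
CHILD_HDR_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+), (?P<mode>TUNNEL|TRANSPORT|BEET)")
CHILD_BYTES_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+\S+, (?P<bi>\d+) bytes_i.*?, (?P<bo>\d+) bytes_o")
CHILD_TS_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>.+?) === (?P<remote>.+?)\s*$")
CHAIN_RE = re.compile(r"^Chain (?P<chain>\S+) \(policy (?P<policy>\w+)\)")


def parse_child_sas(status_text):
    """Return one dict per CHILD_SA: state, mode, UDP encapsulation, byte counters, selectors."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_HDR_RE.match(line)
        if m:
            sas[(m["name"], int(m["id"]))] = {
                "name": m["name"], "state": m["state"], "mode": m["mode"],
                "udp_encap": "ESP in UDP" in line,
                "bytes_in": None, "bytes_out": None, "local_ts": None, "remote_ts": None}
            continue
        for regex, fields in ((CHILD_BYTES_RE, ("bytes_in", "bytes_out")),
                              (CHILD_TS_RE, ("local_ts", "remote_ts"))):
            m = regex.match(line)
            if m and (m["name"], int(m["id"])) in sas:
                sa = sas[(m["name"], int(m["id"]))]
                vals = m.groups()[2:]               # the two captures after name and id
                if fields[0] == "bytes_in":
                    vals = tuple(int(v) for v in vals)
                sa[fields[0]], sa[fields[1]] = vals
                break
    return list(sas.values())


def forward_chain(iptables_text):
    """Return (policy, rule lines) for the FORWARD chain of `iptables -L` output."""
    policy, rules, inside = None, [], False
    for line in iptables_text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            inside = m["chain"] == "FORWARD"
            if inside:
                policy = m["policy"]
            continue
        if inside and line.strip() and not line.startswith("target"):
            rules.append(line.strip())
    return policy, rules


def findings(status_text, iptables_text):
    out = []
    for sa in parse_child_sas(status_text):
        if sa["state"] == "INSTALLED" and sa["bytes_in"] and sa["bytes_out"] == 0:
            out.append(f"{sa['name']}: {sa['bytes_in']} bytes decrypted, 0 sent back (remote TS "
                       f"{sa['remote_ts']}): IKE and ESP work, check forwarding and return routing")
    policy, rules = forward_chain(iptables_text)
    if policy == "DROP" and not any(r.startswith("ACCEPT") and "pol ipsec" in r for r in rules):
        out.append("FORWARD policy is DROP with no ACCEPT rule for IPsec-policy traffic: forwarded "
                   "tunnel packets are dropped unless such rules exist (leftfirewall=yes adds them)")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_STATUS, SAMPLE_IPTABLES):
        print("-", f)
```

The first finding separates the two halves of "established but no traffic": when bytes_i grows and bytes_o stays at zero, the IKE and ESP layers are not the problem, and the next checks are `ip route show table 220` (present in the post, routing 10.0.1.1 back over ppp64), net.ipv4.ip_forward, and whatever the FORWARD chain does with packets decapsulated from the tunnel. The second finding is the reason the kernel-4.4 FORWARD chain matters: strongSwan installs policies, but forwarding between the tunnel and the LAN is still subject to netfilter, and on a router with a DROP policy the updown script's `policy match ... pol ipsec` ACCEPT rules (or equivalent manual rules) are what let that traffic through.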