Re: [strongSwan] access to multiple subnets

2017-01-16 Thread Yudi V
On Tue, Jan 17, 2017 at 1:12 AM, Mirko Parthey  wrote:

> On Mon, Jan 16, 2017 at 01:51:00AM +1100, Yudi V wrote:
> > Got strongswan VPN  on an openwrt gateway acting as the server. Openwrt
> router
> > has two VLANS (say 192.168.1.0/24, 192.168.2.0/24), I used
> rightsourceip=%dhcp
> > and let the remote peer get IP from 192.168.1.0/24.
> >
> > This works fine and I can access resources (mostly network shares) in
> > 192.168.1.0/24 but I would also like to access resources in
> 192.168.2.0/24. I
> > cannot seem to figure out how to do this.
> >
> > Normally when I am connected to the openwrt gateway directly I can
> access the
> > resources in both VLANs (has appropriate rules in the firewall).
> >
> > I did not add any specific firewall rules relating to strongswan setup
> except
> > for esp, ah, port 500 and 4500 on wan side.  Not sure what settings need
> to be
> > changed to get access to the other subnets.
> > I would appreciate any suggestions.
>
> Hello Yudi,
>
> I would suggest to find out where the traffic to 192.168.2.0/24 is
> dropped,
> on which machine and by which firewall rule / IPsec policy.
> For example, send an ICMP echo request (ping) from a remote machine,
> also try a larger size such as 1500.
>
> Does it arrive at the target machine?
> Is the request dropped, or the reply?
>
> Linux IPsec has byte and packet counters, which can be shown with the
> strongSwan command "ipsec statusall". It also shows other useful
> information,
> so please post the output of this command after the connection has been
> established.
> Also enable logging in the OpenWrt firewall and look at the log (logread)
> and the netfilter rule counters (iptables -vL).
>
> This diagram shows the processing order of the netfilter hooks:
> http://inai.de/images/nf-packet-flow.png
> Please note that decapsulated IPsec traffic is processed by the network
> layer hooks a second time. This should be covered by the rules
> automatically inserted with leftfirewall=yes, but is worth checking.
>
> Are your routes set up correctly - on the client, the OpenWrt gateway,
> and the target machine in 192.168.2.0/24?
> Remember that you will need valid routes for both directions.
> Do machines in 192.168.2.0/24 send all traffic to 192.168.1.0/24 via
> the OpenWrt gateway, or is there another router?
>
> You could also try to use an address range for the remote clients
> which is disjoint from the internal subnets. You will see if it breaks
> access to 192.168.1.0/24 as well, and this can be a base for
> further investigations.
>
> Regards,
> Mirko
>

Thank you for the reply.

The problem was not strongswan or openwrt, but windows 10. When the
connection is created, it uses split-tunneling by default, so anything not
destined to 192.168.1.0/64 was being routed to the internet and obviously
was failing. Once I disabled split-tunneling, everything was being sent to
the remote gateway. All ok.

Another thing I noticed with openwrt is I have to use the DNS domain suffix
(.lan) for hostnames to resolve properly over the VPN.

-- 
Kind regards,
Yudi
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
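As an added example (not code from the thread), the Python script below implements the counter check Mirko suggests: it parses two "ipsec statusall" snapshots taken before and after a few pings, first checks that the destination is inside the gateway-side traffic selectors at all, and then reports which direction stalled. The statusall excerpts are constructed; the "never entered the tunnel" verdict is what Yudi's split-tunneling case would have produced on the gateway.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed "ipsec statusall" excerpts (not from the thread): one road-warrior
# CHILD_SA whose gateway-side selectors cover both VLANs. The "after" snapshots
# are taken once 4 echo requests were sent from the client towards 192.168.2.0/24.
STATUSALL_BEFORE = """\
Security Associations (1 up, 0 connecting):
      rw[1]: ESTABLISHED 5 seconds ago, 203.0.113.1[gw.example.test]...198.51.100.7[carol@example.test]
      rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9ab5ad2_i cd2bd4b5_o
      rw{1}:  AES_GCM_16_128, 1128 bytes_i (12 pkts, 3s ago), 1896 bytes_o (16 pkts, 3s ago), rekeying in 52 minutes
      rw{1}:   192.168.1.0/24 192.168.2.0/24 === 192.168.1.200/32
"""
# Requests arrived and were decapsulated (bytes_i/pkts grew) but no reply went out.
STATUSALL_AFTER_NO_REPLY = STATUSALL_BEFORE.replace(
    "1128 bytes_i (12 pkts", "1464 bytes_i (16 pkts")
# Neither counter moved: the client never put the packets into the tunnel.
STATUSALL_AFTER_SPLIT_TUNNEL = STATUSALL_BEFORE


@dataclass
class ChildSa:
    name: str                                      # e.g. "rw{1}"
    pkts_in: int = 0                               # decapsulated on the gateway
    pkts_out: int = 0                              # encapsulated towards the client
    local_ts: list = field(default_factory=list)   # gateway-side selectors
    remote_ts: list = field(default_factory=list)  # client-side selectors


# "rw{1}:  AES_GCM_16_128, 1128 bytes_i (12 pkts, 3s ago), 1896 bytes_o (16 pkts, 3s ago), ..."
# With no traffic yet strongSwan prints "0 bytes_i, 0 bytes_o" without the parentheses.
_COUNTERS = re.compile(
    r"^\s*(?P<sa>[^\s{]+\{\d+\}):\s+\S+, "
    r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts?[^)]*\))?, "
    r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts?[^)]*\))?")
# "rw{1}:   192.168.1.0/24 192.168.2.0/24 === 192.168.1.200/32"
_SELECTORS = re.compile(
    r"^\s*(?P<sa>[^\s{]+\{\d+\}):\s+(?P<local>\S.*?) === (?P<remote>\S.*?)\s*$")


def parse_statusall(text):
    """Map CHILD_SA name -> ChildSa with packet counters and traffic selectors."""
    sas = {}
    for line in text.splitlines():
        m = _COUNTERS.match(line)
        if m:
            sa = sas.setdefault(m["sa"], ChildSa(m["sa"]))
            sa.pkts_in, sa.pkts_out = int(m["pi"] or 0), int(m["po"] or 0)
            continue
        m = _SELECTORS.match(line)
        if m:
            sa = sas.setdefault(m["sa"], ChildSa(m["sa"]))
            sa.local_ts = [ip_network(n) for n in m["local"].split()]
            sa.remote_ts = [ip_network(n) for n in m["remote"].split()]
    return sas


def covered_by(sa, dst):
    """True if dst lies inside the gateway-side selectors, i.e. the IPsec policy applies."""
    return any(ip_address(dst) in net for net in sa.local_ts)


def diagnose(before_text, after_text, sa_name, dst, sent):
    """Where did `sent` echo requests to dst go? Assumes an otherwise idle tunnel."""
    before = parse_statusall(before_text)[sa_name]
    after = parse_statusall(after_text)[sa_name]
    if not covered_by(before, dst):
        return "policy: %s is outside the gateway-side selectors %s" % (
            dst, [str(n) for n in before.local_ts])
    if after.pkts_in - before.pkts_in < sent:
        return "client: requests never entered the tunnel (client routing / split tunnel)"
    if after.pkts_out - before.pkts_out < sent:
        return ("gateway or target: requests decapsulated but no replies returned "
                "(forwarding rule or return route)")
    return "tunnel: both directions carried; look at the client side of the reply"


if __name__ == "__main__":
    for label, snap in (("split tunnel", STATUSALL_AFTER_SPLIT_TUNNEL),
                        ("no reply", STATUSALL_AFTER_NO_REPLY)):
        print(label, "->", diagnose(STATUSALL_BEFORE, snap, "rw{1}", "192.168.2.10", 4))
```

Pair the verdict with the iptables -vL and logread checks Mirko lists: a "gateway or target" result points at the forward chain or the return route, a "client" result at the client's own routing table.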

Re: [strongSwan] Android TNC server basic setup

2017-01-16 Thread Mark M
Andreas,
I had to change the password again with the "manage.py setpassword" and now I 
can edit everything.
So I finally got my device to start showing in the policy manager but it does 
not look like the scans are actually being performed on the device.
Here is my config and log:

cat /etc/tnc_config
IMV "Attestation" /usr/lib/ipsec/imcvs/imv-attestation.so
IMV "Scanner" /usr/lib/ipsec/imcvs/imv-scanner.so

ipsec.conf:
conn rw-allow
     rightgroups=allow
     rightsourceip=192.168.3.55
     leftsubnet=192.168.10.0/24
     also=rw222
     auto=add

conn rw-isolate
     rightgroups=isolate
     leftsubnet=10.1.0.16/28
     also=rw222
     auto=add

conn rw222
     leftcert=tnc3.crt
     leftid=@192.168.1.5
     rightsourceip=192.168.3.55
     leftauth=pubkey
     rightauth=eap-ttls
     rightid=*@strongswan.org
     rightsendcert=never
     right=%any

strongswan.conf:
charon {
  multiple_authentication = no
  filelog {
    /var/log/strongswan.log {
      append = no
      default = 1
      flush_line = yes
    }
  }
  plugins {
    eap-ttls {
      phase2_method = md5
      phase2_piggyback = yes
      phase2_tnc = yes
    }
    eap-tnc {
      protocol = tnccs-2.0
    }
    tnc-imv {
      recommendation_policy = default
    }
  }
}

libimcv {
  database = sqlite:///etc/pts/config.db
  policy_script = ipsec imv_policy_manager
  plugins {
    imv-test {
      rounds = 1
    }
    imv-scanner {
      closed_port_policy = yes
      udp_ports = 500 4500
      tcp_ports = 22
    }
  }
}

00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/tnc3.key'
00[CFG]   loaded EAP secret for carol@strongswan.org
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMV] IMV 1 "Attestation" initialized
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
00[IMV] IMV 2 "Scanner" initialized
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
04[CFG] received stroke: add connection 'rw-allow'
04[CFG] adding virtual IP address pool 192.168.3.55
04[CFG]   loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'
04[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
04[CFG] added configuration 'rw-allow'
14[CFG] received stroke: add connection 'rw-isolate'
14[CFG] reusing virtual IP address pool 192.168.3.55
14[CFG]   loaded certificate "C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5" from 'tnc3.crt'
14[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, OU=TNC, CN=192.168.1.5'
14[CFG] added configuration 'rw-isolate'
04[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (732 bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
04[IKE] 192.168.1.11 is initiating an IKE_SA
04[IKE] remote host is behind NAT
04[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
04[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
04[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (38 bytes)
11[NET] received packet: from 192.168.1.11[40384] to 192.168.1.5[500] (1052 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[IKE] 192.168.1.11 is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[40384] (584 bytes)
09[NET] received packet: from 192.168.1.11[35458] to 192.168.1.5[4500] (528 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
09[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
09[CFG] looking for peer configs matching 192.168.1.5[%any]...192.168.1.11[ca...@strongswan.org

Re: [strongSwan] Android TNC server basic setup

2017-01-16 Thread Andreas Steffen

Hi Mark,

Did you exactly follow the instructions on how to initialize the
PTS database?

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

Is the path to config.db set correctly in /etc/strongTNC/settings.ini?

https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc#Initialize-PTS-Database

From my experience it seems that setting DEBUG=1 might help.

Regards

Andreas

On 16.01.2017 20:24, Mark M wrote:

Andreas,

I finally got the policy manager installed. However, I am not seeing the
device when I form the connection and the android device disconnects.

Any ideas on what could be wrong?

This is what the stats page in the policy manager looks like -
https://i.imgur.com/9M0sMa8.jpg

Also the add groups button does not work and there are no entries under
the policies and enforcements? Hard to say if everything is working
correctly.


00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux
4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'
00[CFG]   loaded EAP secret for ca...@strongswan.org
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMV] IMV 1 "Attestation" initialized
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from
'/usr/lib/ipsec/imcvs/imv-attestation.so'
00[IMV] IMV 2 "Scanner" initialized
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve
socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2
eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
16[CFG] received stroke: add connection 'rw-allow'
16[CFG] adding virtual IP address pool 192.168.3.55
16[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
CN=192.168.1.5" from 'tncserver.crt'
16[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to
'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
16[CFG] added configuration 'rw-allow'
06[CFG] received stroke: add connection 'rw-isolate'
06[CFG] adding virtual IP address pool 192.168.4.0/24
06[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
CN=192.168.1.5" from 'tncserver.crt'
06[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to
'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
06[CFG] added configuration 'rw-isolate'
07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
(732 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 192.168.1.11 is initiating an IKE_SA
07[IKE] remote host is behind NAT
07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38
bytes)
05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500]
(1052 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
05[IKE] 192.168.1.11 is initiating an IKE_SA
05[IKE] remote host is behind NAT
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631]
(592 bytes)
16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
(544 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC,
CN=192.168.1.5"
16[CFG] looking for peer configs matching
192.168.1.5[%any]...192.168.1.11[ca...@strongswan.org]
16[CFG] selected peer config 'rw-allow'
16[IKE] initiating EAP_TTLS method (id 0x4F)
16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
16[IKE] peer supports MOBIKE
16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660]
(176 bytes)
12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500]
(240 bytes)
12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_

Re: [strongSwan] Question regarding site-to-site multiple tunnel setup.

2017-01-16 Thread Eric Germann
You could get creative with subnet masks in left/right subnet and group them 
and send 64 towards one, 64 towards the second, using their route tables on the 
200 machines.

EKG

> On Jan 16, 2017, at 3:29 PM, Scott Walker  wrote:
> 
> Fast, I know, not a wonderful answer.
> 
> The more throughput we can get the better. Right now I am pushing 440-470 
> Mbit/s thru 1 tunnel. Ideally I'd like to get 3-4 tunnels up.
> 
> The other end of the tunnel is going to ~200 compute nodes pulling/pushing 
> data.
> 
> I'm just not sure on the specifics of multiple tunnels ummm bonded? (do you 
> even bond them?)
> 
> On 11 January 2017 at 20:55, Eric Germann wrote:
> What kind of throughput are you looking for?
> 
> AES-GCM with HW that supports AESNI, we routinely get 300+Mbps
> 
> EKG
> 
> > On Jan 11, 2017, at 4:48 PM, Scott Walker wrote:
> >
> > I'm looking to build an infra that is
> >
> >
> > local site -> remote site
> >
> > But using multiple tunnels in order to get the B/W I need. (plenty of 
> > servers at the remote end talking back so I want to be sure it's not all 
> > rammed down one tunnel).
> >
> > Most of the docs I'm finding revolve around this type of config but for VPC 
> > (AWS, GCE, etc).
> >
> > I do admit I'm a bit lost right now as to how I go about this approach.
> >
> > So if I have say 3-4 servers on local site and 3-4 servers on remote 
> > dedicated as VPN end points.
> >
> > Would I configure a 1-1 ratio? Create a mesh? How on local would I do 
> > routing? I'm not looking for HA this is for PURE speed reasons.
> >
> > I'm reading everything I can find but I'm still in the dark.


Re: [strongSwan] Question regarding site-to-site multiple tunnel setup.

2017-01-16 Thread Scott Walker
Fast, I know, not a wonderful answer.

The more throughput we can get the better. Right now I am pushing 440-470
Mbit/s thru 1 tunnel. Ideally I'd like to get 3-4 tunnels up.

The other end of the tunnel is going to ~200 compute nodes pulling/pushing
data.

I'm just not sure on the specifics of multiple tunnels ummm bonded? (do you
even bond them?)

On 11 January 2017 at 20:55, Eric Germann  wrote:

> What kind of throughput are you looking for?
>
> AES-GCM with HW that supports AESNI, we routinely get 300+Mbps
>
> EKG
>
> > On Jan 11, 2017, at 4:48 PM, Scott Walker 
> wrote:
> >
> > I'm looking to build an infra that is
> >
> >
> > local site -> remote site
> >
> > But using multiple tunnels in order to get the B/W I need. (plenty of
> servers at the remote end talking back so I want to be sure it's not all
> rammed down one tunnel).
> >
> > Most of the docs I'm finding revolve around this type of config but for
> VPC (AWS, GCE, etc).
> >
> > I do admit I'm a bit lost right now as to how I go about this approach.
> >
> > So if I have say 3-4 servers on local site and 3-4 servers on remote
> dedicated as VPN end points.
> >
> > Would I configure a 1-1 ratio? Create a mesh? How on local would I do
> routing? I'm not looking for HA this is for PURE speed reasons.
> >
> > I'm reading everything I can find but I'm still in the dark.

Re: [strongSwan] access to multiple subnets

2017-01-16 Thread Mirko Parthey
On Mon, Jan 16, 2017 at 01:51:00AM +1100, Yudi V wrote:
> Got strongswan VPN  on an openwrt gateway acting as the server. Openwrt router
> has two VLANS (say 192.168.1.0/24, 192.168.2.0/24), I used rightsourceip=%dhcp
> and let the remote peer get IP from 192.168.1.0/24.
> 
> This works fine and I can access resources (mostly network shares) in
> 192.168.1.0/24 but I would also like to access resources in 192.168.2.0/24. I
> cannot seem to figure out how to do this.
> 
> Normally when I am connected to the openwrt gateway directly I can access the
> resources in both VLANs (has appropriate rules in the firewall).
> 
> I did not add any specific firewall rules relating to strongswan setup except
> for esp, ah, port 500 and 4500 on wan side.  Not sure what settings need to be
> changed to get access to the other subnets.
> I would appreciate any suggestions.

Hello Yudi,

I would suggest to find out where the traffic to 192.168.2.0/24 is dropped,
on which machine and by which firewall rule / IPsec policy.
For example, send an ICMP echo request (ping) from a remote machine, 
also try a larger size such as 1500. 

Does it arrive at the target machine?
Is the request dropped, or the reply?

Linux IPsec has byte and packet counters, which can be shown with the
strongSwan command "ipsec statusall". It also shows other useful information,
so please post the output of this command after the connection has been
established.
Also enable logging in the OpenWrt firewall and look at the log (logread)
and the netfilter rule counters (iptables -vL).

This diagram shows the processing order of the netfilter hooks:
http://inai.de/images/nf-packet-flow.png
Please note that decapsulated IPsec traffic is processed by the network
layer hooks a second time. This should be covered by the rules
automatically inserted with leftfirewall=yes, but is worth checking.

Are your routes set up correctly - on the client, the OpenWrt gateway,
and the target machine in 192.168.2.0/24?
Remember that you will need valid routes for both directions.
Do machines in 192.168.2.0/24 send all traffic to 192.168.1.0/24 via
the OpenWrt gateway, or is there another router?

You could also try to use an address range for the remote clients
which is disjoint from the internal subnets. You will see if it breaks
access to 192.168.1.0/24 as well, and this can be a base for
further investigations.

Regards,
Mirko

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Varun Singh
On Mon, Jan 16, 2017 at 7:02 PM, Michael Schwartzkopff  wrote:
> On Monday, 16 January 2017, 18:55:35 you wrote:
>> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff  wrote:
>> > On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
>> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff wrote:
>> >> > On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
>> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote:
>> >> >> > On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>> >> >> >> Hi Varun,
>> >> >> >>
>> >> >> >> we have customers who have successfully been running up to 60k
>> >> >> >> concurrent tunnels. In order to maximize performance please have
>> >> >> >> a look at the use of hash tables for IKE_SA lookup
>> >> >> >>
>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>> >> >> >>
>> >> >> >> as well as job priority management
>> >> >> >>
>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>> >> >> >>
>> >> >> >> We also recommend to use file-based logging since writing to syslog
>> >> >> >> extremely slows down the charon daemon
>> >> >> >>
>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>> >> >> >>
>> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key
>> >> >> >> exchange
>> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
>> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>> >> >> >> maximum performance.
>> >> >> >>
>> >> >> >> ESP throughput is limited by the number of available cores and the
>> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
>> >> >> >>
>> >> >> >> Best regards
>> >> >> >>
>> >> >> >> Andreas
>> >> >> >>
>> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
>> >> >> >> > Hi,
>> >> >> >> > As I understand, strongSwan supports scalability from 4.x
>> >> >> >> > onwards. I
>> >> >> >> > am new to strongSwan and to VPN in general.
>> >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
>> >> >> >> > Though I have read that strongSwan supports scalability, I
>> >> >> >> > couldn't
>> >> >> >> > find stats to support it.
>> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can
>> >> >> >> > support
>> >> >> >> > upto 100k simultaneous connections*. Hence I need to find
>> >> >> >> > pointers
>> >> >> >> > to
>> >> >> >> > obtain this kind of information.
>> >> >> >
>> >> >> > hi,
>> >> >> >
>> >> >> > I think further scaling might be possible with loadbalancers. But
>> >> >> > this
>> >> >> > is
>> >> >> > topic of deeper investigation of the project.
>> >> >> >
>> >> >> > Kind regards,
>> >> >> >
>> >> >> > Michael Schwartzkopff
>> >> >> >
>> >> >> > --
>> >> >> > [*] sys4 AG
>> >> >> >
>> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> >> >> > Schleißheimer Straße 26/MG, 80333 München
>> >> >> >
>> >> >> > Registered office: Munich, Amtsgericht München: HRB 199263
>> >> >> > Management board: Patrick Ben Koetter, Marc Schiffbauer
>> >> >> > Chairman of the supervisory board: Florian Kirstein
>> >> >>
>> >> >> Thanks Michael,
>> >> >> I was just searching whether load balancing is supported by strongSwan
>> >> >> or not. Came across this thread:
>> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>> >> >>
>> >> >> But this didn't lead to any conclusion.
>> >> >> So is load balancing supported by strongSwan?
>> >> >
>> >> > if you use LVS before the VPN server does not know about the load
>> >> > balancing. You would have to find a solution for the reverse traffic,
>> >> > i.e. IP pools on the VPN server.
>> >> >
>> >> > LVS offers a feature to do loadbalancing with firewall marks. This
>> >> > might
>> >> > be
>> >> > nescessary for balancing IKE and ESP together.
>> >> >
>> >> > I don't know if a SA sync between strongswan servers is possible.
>> >> >
>> >> > But anyway: This setup shold be designed and tested very carefully.
>> >> >
>> >> >
>> >> > Kind regards,
>> >> >
>> >> > Michael Schwartzkopff
>> >> >
>> >> > --
>> >> > [*] sys4 AG
>> >> >
>> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> >> > Schleißheimer Straße 26/MG, 80333 München
>> >> >
>> >> > Registered office: Munich, Amtsgericht München: HRB 199263
>> >> > Management board: Patrick Ben Koetter, Marc Schiffbauer
>> >> > Chairman of the supervisory board: Florian Kirstein
>> >> >
>> >>
>> >> "You would have to find a solution for the reverse traffic, i.e. 

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Varun Singh
On Mon, Jan 16, 2017 at 7:03 PM, Andreas Steffen wrote:
> On 16.01.2017 20:39, Varun Singh wrote:
>>
>> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff  wrote:
>>>
>>> On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>>>>
>>>> Hi Varun,
>>>>
>>>> we have customers who have successfully been running up to 60k
>>>> concurrent tunnels. In order to maximize performance please have
>>>> a look at the use of hash tables for IKE_SA lookup
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>>>
>>>> as well as job priority management
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>>>
>>>> We also recommend to use file-based logging since writing to syslog
>>>> extremely slows down the charon daemon
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>>
>>>> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>>>> where 70-80 % of the computing effort is spent. Use the ecp256 or
>>>> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>>>> maximum performance.
>>>>
>>>> ESP throughput is limited by the number of available cores and the
>>>> processor clock frequency. Use aes128gcm16 for maximum performance.
>>>>
>>>> Best regards
>>>>
>>>> Andreas
>>>>
>>>> On 16.01.2017 19:00, Varun Singh wrote:
>>>>>
>>>>> Hi,
>>>>> As I understand, strongSwan supports scalability from 4.x onwards. I
>>>>> am new to strongSwan and to VPN in general.
>>>>> I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
>>>>> Though I have read that strongSwan supports scalability, I couldn't
>>>>> find stats to support it.
>>>>> Before adopting strongSwan, my team wanted to know *if it can support
>>>>> upto 100k simultaneous connections*. Hence I need to find pointers to
>>>>> obtain this kind of information.
>>>
>>>
>>> hi,
>>>
>>> I think further scaling might be possible with loadbalancers. But this is
>>> topic of deeper investigation of the project.
>>>
>>> Kind regards,
>>>
>>> Michael Schwartzkopff
>>>
>>> --
>>> [*] sys4 AG
>>>
>>> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>>> Schleißheimer Straße 26/MG, 80333 München
>>>
>>> Registered office: Munich, Amtsgericht München: HRB 199263
>>> Management board: Patrick Ben Koetter, Marc Schiffbauer
>>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>> Thanks Michael,
>> I was just searching whether load balancing is supported by strongSwan
>> or not. Came across this thread:
>> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>>
>> But this didn't lead to any conclusion.
>> So is load balancing supported by strongSwan?
>>
> Have a look at strongSwan's High Availability (HA) solution
>
>   https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> which can be run in an active-active mode where the load-balancing
> is achieved by Cluster IP.
>
> Andreas
>
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>

Thanks for the pointers.

-- 
Regards,
Varun

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Andreas Steffen

> On 16.01.2017 20:39, Varun Singh wrote:
>>
>> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff  wrote:
>>>
>>> On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>>>>
>>>> Hi Varun,
>>>>
>>>> we have customers who have successfully been running up to 60k
>>>> concurrent tunnels. In order to maximize performance please have
>>>> a look at the use of hash tables for IKE_SA lookup
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>>>
>>>> as well as job priority management
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>>>
>>>> We also recommend to use file-based logging since writing to syslog
>>>> extremely slows down the charon daemon
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>>
>>>> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>>>> where 70-80 % of the computing effort is spent. Use the ecp256 or
>>>> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>>>> maximum performance.
>>>>
>>>> ESP throughput is limited by the number of available cores and the
>>>> processor clock frequency. Use aes128gcm16 for maximum performance.
>>>>
>>>> Best regards
>>>>
>>>> Andreas
>>>>
>>>> On 16.01.2017 19:00, Varun Singh wrote:
>>>>>
>>>>> Hi,
>>>>> As I understand, strongSwan supports scalability from 4.x onwards. I
>>>>> am new to strongSwan and to VPN in general.
>>>>> I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
>>>>> Though I have read that strongSwan supports scalability, I couldn't
>>>>> find stats to support it.
>>>>> Before adopting strongSwan, my team wanted to know *if it can support
>>>>> upto 100k simultaneous connections*. Hence I need to find pointers to
>>>>> obtain this kind of information.
>>>
>>>
>>> hi,
>>>
>>> I think further scaling might be possible with loadbalancers. But this is
>>> topic of deeper investigation of the project.
>>>
>>> Kind regards,
>>>
>>> Michael Schwartzkopff
>>>
>>> --
>>> [*] sys4 AG
>>>
>>> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>>> Schleißheimer Straße 26/MG, 80333 München
>>>
>>> Registered office: Munich, Amtsgericht München: HRB 199263
>>> Management board: Patrick Ben Koetter, Marc Schiffbauer
>>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>> Thanks Michael,
>> I was just searching whether load balancing is supported by strongSwan
>> or not. Came across this thread:
>> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>>
>> But this didn't lead to any conclusion.
>> So is load balancing supported by strongSwan?
>>


Have a look at strongSwan's High Availability (HA) solution

  https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability

which can be run in an active-active mode where the load-balancing
is achieved by Cluster IP.

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



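As an added example, not from the thread or the strongSwan project, here is a small Python checker for the three strongswan.conf tunings Andreas lists in this thread: the IKE_SA hash table, reserved job-priority threads, and file-based instead of syslog logging. Both configuration fragments are constructed; the option names charon.ikesa_table_size, charon.ikesa_table_segments, charon.processor.priority_threads.high, charon.syslog and charon.filelog are real strongswan.conf keys, while the numeric values in the tuned fragment are illustrative assumptions rather than values given in the thread.

```python
# Constructed strongswan.conf fragments (not from the thread). DEFAULT_CONF is
# the stock shape: charon logs to syslog at level 1, the IKE_SA table has a
# single slot and no threads are reserved for high-priority jobs.
DEFAULT_CONF = """
charon {
    syslog {
        daemon {
            default = 1
        }
    }
}
"""

# TUNED_CONF applies the three changes from the wiki pages Andreas cites.
# The numbers are illustrative assumptions, not values from the thread.
TUNED_CONF = """
charon {
    # hash table for IKE_SA lookup, split into independently locked segments
    ikesa_table_size = 4096
    ikesa_table_segments = 64
    # threads kept free for HIGH priority jobs so established SAs stay serviced
    processor {
        priority_threads {
            high = 4
        }
    }
    # -1 silences the syslog facility; log to a file instead
    syslog {
        daemon {
            default = -1
        }
    }
    filelog {
        /var/log/charon.log {
            default = 1
            flush_line = no
        }
    }
}
"""


def parse_conf(text):
    """Parse strongswan.conf syntax (nested 'name { ... }' sections, 'key = value',
    '#' comments) into nested dicts; leaf values stay strings."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cur[key] = value
    if stack:
        raise ValueError("unbalanced braces in strongswan.conf fragment")
    return root


def lookup(conf, dotted, default=None):
    """Fetch a 'charon.processor.priority_threads.high' style path, or default."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def tuning_findings(text):
    """List the scaling problems Andreas's advice would flag in a config fragment."""
    conf = parse_conf(text)
    findings = []
    # charon's built-in default for ikesa_table_size is 1, i.e. a single bucket
    if int(lookup(conf, "charon.ikesa_table_size", "1")) <= 1:
        findings.append("IKE_SA lookup uses a single bucket: set "
                        "charon.ikesa_table_size and charon.ikesa_table_segments")
    if int(lookup(conf, "charon.processor.priority_threads.high", "0")) == 0:
        findings.append("no threads reserved for HIGH priority jobs: set "
                        "charon.processor.priority_threads.high")
    # Without any syslog section charon still logs to the daemon facility at
    # level 1; only an explicit default = -1 turns a facility off.
    syslog = lookup(conf, "charon.syslog", {})
    facilities = {k: v for k, v in syslog.items() if isinstance(v, dict)} or {"daemon": {}}
    for name, fac in facilities.items():
        level = int(fac.get("default", "1"))
        if level >= 0:
            findings.append("syslog facility '%s' logs at level %d: move to "
                            "charon.filelog and set default = -1" % (name, level))
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        print(label, "->", tuning_findings(text) or ["no findings"])
```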

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:55:35 you wrote:
> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff  wrote:
> > On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff wrote:
> >> > On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote:
> >> >> > On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
> >> >> >> Hi Varun,
> >> >> >> 
> >> >> >> we have customers who have successfully been running up to 60k
> >> >> >> concurrent tunnels. In order to maximize performance please have
> >> >> >> a look at the use of hash tables for IKE_SA lookup
> >> >> >> 
> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> >> >> >> 
> >> >> >> as well as job priority management
> >> >> >> 
> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> >> >> >> 
> >> >> >> We also recommend to use file-based logging since writing to syslog
> >> >> >> extremely slows down the charon daemon
> >> >> >> 
> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfi
> >> >> >>gur
> >> >> >>ati
> >> >> >>on
> >> >> >> 
> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key
> >> >> >> exchange
> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> >> >> >> maximum performance.
> >> >> >> 
> >> >> >> ESP throughput is limited by the number of available cores and the
> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
> >> >> >> 
> >> >> >> Best regards
> >> >> >> 
> >> >> >> Andreas
> >> >> >> 
> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
> >> >> >> > Hi,
> >> >> >> > As I understand, strongSwan supports scalability from 4.x
> >> >> >> > onwards. I
> >> >> >> > am new to strongSwan and to VPN in general.
> >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
> >> >> >> > Though I have read that strongSwan supports scalability, I
> >> >> >> > couldn't
> >> >> >> > find stats to support it.
> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can
> >> >> >> > support
> >> >> >> > upto 100k simultaneous connections*. Hence I need to find
> >> >> >> > pointers
> >> >> >> > to
> >> >> >> > obtain this kind of information.
> >> >> > 
> >> >> > hi,
> >> >> > 
> >> >> > I think further scaling might be possible with loadbalancers. But
> >> >> > this
> >> >> > is
> >> >> > topic of deeper investigation of the project.
> >> >> > 
> >> >> > Mit freundlichen Grüßen,
> >> >> > 
> >> >> > Michael Schwartzkopff
> >> >> > 
> >> >> > --
> >> >> > [*] sys4 AG
> >> >> > 
> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> >> >> > Schleißheimer Straße 26/MG, 80333 München
> >> >> > 
> >> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> >> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> >> >> > Aufsichtsratsvorsitzender: Florian Kirstein
> >> >> > ___
> >> >> > Users mailing list
> >> >> > Users@lists.strongswan.org
> >> >> > https://lists.strongswan.org/mailman/listinfo/users
> >> >> 
> >> >> Thanks Michael,
> >> >> I was just searching whether load balancing is supported by strongSwan
> >> >> or not. Came across this thread:
> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
> >> >> 
> >> >> But this didn't lead to any conclusion.
> >> >> So is load balancing supported by strongSwan?
> >> > 
> >> > if you use LVS before the VPN server does not know about the load
> >> > balancing. You would have to find a solution for the reverse traffic,
> >> > i.e. IP pools on the VPN server.
> >> > 
> >> > LVS offers a feature to do loadbalancing with firewall marks. This
> >> > might
> >> > be
> >> > nescessary for balancing IKE and ESP together.
> >> > 
> >> > I don't know if a SA sync between strongswan servers is possible.
> >> > 
> >> > But anyway: This setup shold be designed and tested very carefully.
> >> > 
> >> > 
> >> > Mit freundlichen Grüßen,
> >> > 
> >> > Michael Schwartzkopff
> >> > 
> >> > --
> >> > [*] sys4 AG
> >> > 
> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> >> > Schleißheimer Straße 26/MG, 80333 München
> >> > 
> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> >> > Aufsichtsratsvorsitzender: Florian Kirstein
> >> > 
> >> > ___
> >> > Users mailing list
> >> > Users@lists.strongswan.org
> >> > https://lists.strongswan.org/mailman/listinfo/users
> >> 
> >> "You would have to find a solution for the reverse traffic, i.e. IP pools
> >> on the VPN server."
> >> -> This is what I am mainly concerned about. There is something called
> >> clusterIP. I need to figure out what it is

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Varun Singh
On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff  wrote:
> these questions depend on your concept / design / implementation.
>
> if you can afford a little downtime, DPD could be an option for you.

Re: [strongSwan] macos Sierra as Client with IKEv2 and certificates?

2017-01-16 Thread Noel Kuntze
On 16.01.2017 14:01, Johannes Kastl wrote:
> As I said, authentication with username/password works fine, I was
> just wondering if using certificates was also working for anybody.
Well, configure a conn with EAP-TLS authentication and take a look if it works
and what the logs say.

-- 

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




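What "configure a conn with EAP-TLS" looks like, plus a way to answer Noel's earlier question about the exact EAP method, as an added example that is not from the thread: an ipsec.conf conn offering EAP-TLS (the client authenticates with its certificate inside EAP, so the server-side rightauth is eap-tls rather than pubkey) and a shell filter that pulls the initiated EAP methods out of charon log lines. The names vpn.example.org and serverCert.pem and the pool 10.10.10.0/24 are made up, as are the sample log lines that follow the two Johannes posted.

```shell
#!/bin/sh
# Added example, not from the thread: a conn that offers EAP-TLS to IKEv2
# clients, and a charon-log triage that extracts the EAP method(s) the
# peer actually went through. vpn.example.org, serverCert.pem and the
# 10.10.10.0/24 pool are made-up values.

# ipsec.conf fragment: the client authenticates with its certificate
# inside EAP-TLS; eap_identity=%identity makes charon ask for an EAP
# identity first instead of reusing the IKE identity.
eap_tls_conn() {
  cat <<'EOF'
conn macos-eap-tls
    keyexchange=ikev2
    left=%any
    leftid=vpn.example.org
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-tls
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
    auto=add
EOF
}

# Read charon log lines on stdin; print each EAP method charon initiated,
# in order, or "none" when the peer requested EAP but no method started
# (only "peer requested EAP" / "switching to peer config" appear).
eap_methods_from_log() {
  methods=$(sed -n 's/.*initiating \(EAP_[A-Z0-9_]*\) method.*/\1/p')
  if [ -n "$methods" ]; then printf '%s\n' "$methods"; else echo none; fi
}

# Constructed sample log: the two lines Johannes posted, then what a
# completed EAP-TLS run with eap_identity=%identity adds after them.
SAMPLE_LOG=$(cat <<'EOF'
charon: 10[IKE] peer requested EAP, config inacceptable
charon: 10[IKE] switching to peer config 'OSX_Sierra_EAP'
charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
charon: 11[IKE] received EAP identity 'alice'
charon: 11[IKE] initiating EAP_TLS method (id 0x5A)
charon: 13[IKE] EAP method EAP_TLS succeeded, MSK established
EOF
)

eap_tls_conn
printf '%s\n' "$SAMPLE_LOG" | eap_methods_from_log
```

The two lines Johannes saw only say that the client asked for EAP and that charon moved to a conn which allows it; the method itself is logged afterwards as "initiating EAP_... method", which is what the filter picks up. On the macOS side the server certificate's subjectAltName has to match the Remote ID (leftid here), otherwise the client gives up before any EAP method is started and the filter prints none.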

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
> "You would have to find a solution for the reverse traffic, i.e. IP pools on
> the VPN server."
> -> This is what I am mainly concerned about. There is something called
> clusterIP. I need to figure out what it is and how can I use it for
> load balancing.
> 
> 
> "I don't know if a SA sync between strongswan servers is possible."
> -> I guess this will be needed if server_1 fails and the user should
> automatically be switched to server_2. Is that right?

these questions depend on your concept / design / implementation.

if you can afford a little downtime, DPD could be an option for you.




Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Re: [strongSwan] macos Sierra as Client with IKEv2 and certificates?

2017-01-16 Thread Johannes Kastl
On 16.01.17 13:47 Noel Kuntze wrote:
> On 16.01.2017 12:04, Johannes Kastl wrote:
>> Seems like OSX always requests EAP somehow.

> It probably tries to use EAP-TLS, which is perfectly fine. 

May be.

> If you
> talk about EAP, please specify the exact EAP method that Mac OSX
> tries to use. The different methods work differently and use
> different data for authentication.

I just see this line in the logs:

> [...] peer requested EAP, config inacceptable
> [...] switching to peer config 'OSX_Sierra_EAP

As I said, authentication with username/password works fine, I was
just wondering if using certificates was also working for anybody.

Johannes




Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Varun Singh
On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff  wrote:
>
> if you use LVS in front of it, the VPN server does not know about the load
> balancing. You would have to find a solution for the reverse traffic, i.e. IP
> pools on the VPN server.
>
> LVS offers a feature to do load balancing with firewall marks. This might be
> necessary for balancing IKE and ESP together.
>
> I don't know if an SA sync between strongSwan servers is possible.
>
> But anyway: this setup should be designed and tested very carefully.
>


"You would have to find a solution for the reverse traffic, i.e. IP pools on the
VPN server."
-> This is what I am mainly concerned about. There is something called
clusterIP. I need to figure out what it is and how can I use it for
load balancing.


"I don't know if a SA sync between strongswan servers is possible."
-> I guess this will be needed if server_1 fails and the user should
automatically be switched to server_2. Is that right?

-- 
Regards,
Varun

Re: [strongSwan] strongSwan behind loadbalancers? (Was: Can strongSwan support 100k concurrent connections?)

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 12:52:48 Turbo Fredriksson wrote:
> On 16 Jan 2017, at 12:34, Michael Schwartzkopff  wrote:
> > I think further scaling might be possible with loadbalancers. But this is
> > topic of deeper investigation of the project.
> 
> Actually, I’ve been thinking in those terms myself. At the moment, my VPN
> endpoint is a single-point-of-failure, which was kinda “intentional”
> (meaning, I figured it was too much of a hassle to do it any other way at
> the moment).
> 
> But eventually (within the next six months probably), I’m going to have to
> make it more resilient (it’s in AWS, which means that Amazon can kill my
> current instance “at any time”). Starting a new one only takes five, ten
> minutes, which is why I haven’t bothered before.

You can use cluster solutions like pacemaker to make the VPN server HA. Then 
you have your failover in 30 sec.


> But roughly, what’s required to run strongSwan behind a load balancer?
> 
> Is it as simple as create the LB, ‘forward’ the 50-51/500/4500 ports to the
> instance(s)? Because the AWS ELB can’t do UDP load balancing, how do I get
> around that limitation?

Use LVS or haproxy.


Kind regards,

Michael Schwartzkopff



Re: [strongSwan] strongSwan behind loadbalancers? (Was: Can strongSwan support 100k concurrent connections?)

2017-01-16 Thread Noel Kuntze
On 16.01.2017 13:52, Turbo Fredriksson wrote:
> Because the AWS ELB can’t do UDP load balancing, how do I get around that
> limitation?
You can't then and have to build your own load balancer. IPsec is built to
behave like IP. The only spec that uses TCP is the special Cisco TCP
encapsulation, but strongSwan doesn't implement that.

-- 

Kind regards,
Noel Kuntze






[strongSwan] strongSwan behind loadbalancers? (Was: Can strongSwan support 100k concurrent connections?)

2017-01-16 Thread Turbo Fredriksson
On 16 Jan 2017, at 12:34, Michael Schwartzkopff  wrote:

> I think further scaling might be possible with loadbalancers. But this is 
> topic of deeper investigation of the project.

Actually, I’ve been thinking in those terms myself. At the moment, my VPN
endpoint is a single-point-of-failure, which was kinda “intentional” (meaning,
I figured it was too much of a hassle to do it any other way at the moment).

But eventually (within the next six months probably), I’m going to have to
make it more resilient (it’s in AWS, which means that Amazon can kill my
current instance “at any time”). Starting a new one only takes five, ten
minutes, which is why I haven’t bothered before.


But roughly, what’s required to run strongSwan behind a load balancer?

Is it as simple as create the LB, ‘forward’ the 50-51/500/4500 ports to the 
instance(s)?
Because the AWS ELB can’t do UDP load balancing, how do I get around that
limitation?

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff  wrote:
> > 
> > hi,
> > 
> > I think further scaling might be possible with loadbalancers. But this is
> > topic of deeper investigation of the project.
> > 
> 
> Thanks Michael,
> I was just searching whether load balancing is supported by strongSwan
> or not. Came across this thread:
> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
> 
> But this didn't lead to any conclusion.
> So is load balancing supported by strongSwan?

if you use LVS in front of it, the VPN server does not know about the load balancing.
You would have to find a solution for the reverse traffic, i.e. IP pools on the
VPN server.

LVS offers a feature to do load balancing with firewall marks. This might be
necessary for balancing IKE and ESP together.

I don't know if an SA sync between strongSwan servers is possible.

But anyway: this setup should be designed and tested very carefully.


Kind regards,

Michael Schwartzkopff


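The LVS setup Michael describes, carried through as an added example (mine, not from the thread): a shell generator for the director's mangle rules that put one firewall mark on IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) towards the VIP, the ipvsadm firewall-mark service that schedules that mark with source hashing so all three flows from one peer land on the same real server, and the reverse-traffic answer he hints at: one client pool per server plus a route on the internal gateway sending each pool back to its owner. The VIP 203.0.113.10, the server addresses, the pools and the conn name are made-up values.

```shell
#!/bin/sh
# Added example, not from the thread: the LVS pieces for putting several
# strongSwan servers behind one address. IKE (UDP 500), NAT-T (UDP 4500)
# and ESP (IP protocol 50) from one peer must all hit the same server, so
# all three get one firewall mark and the mark is scheduled with source
# hashing (sh), which keys on the client address alone. Reverse traffic
# is solved by giving each server its own client pool and routing that
# pool back to it. Addresses and pools are made-up values.

VIP=203.0.113.10   # address the road warriors connect to
MARK=10

# One line per real server: name public_addr internal_addr client_pool
SERVERS='vpn1 192.0.2.11 10.0.0.11 10.10.1.0/24
vpn2 192.0.2.12 10.0.0.12 10.10.2.0/24'

# Director: tag IKE, NAT-T and ESP towards the VIP with the same mark.
lvs_mark_rules() {   # lvs_mark_rules VIP MARK
  for match in 'udp --dport 500' 'udp --dport 4500' 'esp'; do
    printf 'iptables -t mangle -A PREROUTING -d %s -p %s -j MARK --set-mark %s\n' "$1" "$match" "$2"
  done
}

# Director: fwmark virtual service, sh scheduler, direct-routing real servers.
lvs_service() {   # lvs_service MARK
  printf 'ipvsadm -A -f %s -s sh\n' "$1"
  printf '%s\n' "$SERVERS" | while read -r name pub int pool; do
    printf 'ipvsadm -a -f %s -r %s:0 -g\n' "$1" "$pub"
  done
}

# Internal router: replies to a pool address go to the server owning it.
pool_routes() {
  printf '%s\n' "$SERVERS" | while read -r name pub int pool; do
    printf 'ip route add %s via %s\n' "$pool" "$int"
  done
}

# VPN server NAME: its own pool, so two servers never hand out the same address.
server_pool_conf() {   # server_pool_conf NAME
  printf '%s\n' "$SERVERS" | while read -r name pub int pool; do
    if [ "$name" = "$1" ]; then
      printf 'conn roadwarrior\n    rightsourceip=%s\n' "$pool"
    fi
  done
}

lvs_mark_rules "$VIP" "$MARK"
lvs_service "$MARK"
pool_routes
server_pool_conf vpn2
```

Run the iptables and ipvsadm lines on the director as root, the route lines on the internal gateway, and the conn fragment on the server it was generated for. The sh scheduler is what ties IKE and ESP together: the two UDP ports and protocol 50 all hash on the client address only, so a NAT-T switch from 500 to 4500 stays on the same real server. With -g (direct routing) every real server must also hold the VIP on a non-ARPing interface, as in any LVS-DR setup. Nothing here synchronises SAs between servers; when one dies its peers have to notice and renegotiate, which is where Michael's DPD remark comes in.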

Re: [strongSwan] macos Sierra as Client with IKEv2 and certificates?

2017-01-16 Thread Noel Kuntze
On 16.01.2017 12:04, Johannes Kastl wrote:
> Seems like OSX always requests EAP somehow.
It probably tries to use EAP-TLS, which is perfectly fine.
If you talk about EAP, please specify the exact EAP method that Mac OSX tries
to use. The different methods work differently and use different data for
authentication.

-- 

Kind regards,
Noel Kuntze






Re: [strongSwan] macos Sierra as Client with IKEv2 and certificates?

2017-01-16 Thread Johannes Kastl
Hello Kai,

On 16.01.17 12:20 Kai Bojens wrote:

> I'm trying to get this combination running but had no success so
> far. It doesn't make a difference if I'm using the Apple
> Configurator or the GUI – nothing really works so far and there are
> no error messages I could work with. 

I think I read somewhere that the GUI would not support that,  but
that was El Capitan-based information. I have yet to try to configure
the VPN manually, but was hoping someone would step up and tell me the
GUI works before I dig into non-GUI...

> Everything worked fine until I
> upgrade to Sierra and now I can't get this back to work. Right now
> I'm assuming that MacOS Sierra indeed has some serious problems
> with IKEv2.

I can get IKEv2 with EAP (username and password) working through the
GUI just fine. Does that not work for you? Or did you just try
certificates?

As OSX apparently did not understand certificates before Sierra, what
kind of connection did you have before Sierra?

Confused,
Johannes ;-)




Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Varun Singh
On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff  wrote:
> On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>> Hi Varun,
>>
>> we have customers who have successfully been running up to 60k
>> concurrent tunnels. In order to maximize performance please have
>> a look at the use of hash tables for IKE_SA lookup
>>
>>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>
>> as well as job priority management
>>
>>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>
>> We also recommend to use file-based logging since writing to syslog
>> extremely slows down the charon daemon
>>
>>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>> where 70-80 % of the computing effort is spent. Use the ecp256 or
>> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>> maximum performance.
>>
>> ESP throughput is limited by the number of available cores and the
>> processor clock frequency. Use aes128gcm16 for maximum performance.
>>
>> Best regards
>>
>> Andreas
>>
>> On 16.01.2017 19:00, Varun Singh wrote:
>> > Hi,
>> > As I understand, strongSwan supports scalability from 4.x onwards. I
>> > am new to strongSwan and to VPN in general.
>> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
>> > Though I have read that strongSwan supports scalability, I couldn't
>> > find stats to support it.
>> > Before adopting strongSwan, my team wanted to know *if it can support
>> > up to 100k simultaneous connections*. Hence I need to find pointers to
>> > obtain this kind of information.
>
> hi,
>
> I think further scaling might be possible with loadbalancers. But this is
> topic of deeper investigation of the project.
>

Thanks Michael,
I was just searching whether load balancing is supported by strongSwan
or not. Came across this thread:
https://lists.strongswan.org/pipermail/users/2013-November/005615.html

But this didn't lead to any conclusion.
So is load balancing supported by strongSwan?

-- 
Regards,
Varun

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
> Hi Varun,
> 
> we have customers who have successfully been running up to 60k
> concurrent tunnels. In order to maximize performance please have
> a look at the use of hash tables for IKE_SA lookup
> 
>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> 
> as well as job priority management
> 
>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> 
> We also recommend using file-based logging, since writing to syslog
> slows down the charon daemon considerably
> 
>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> 
> The bottleneck for IKE processing is the Diffie-Hellman key exchange
> where 70-80 % of the computing effort is spent. Use the ecp256 or
> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> maximum performance.
> 
> ESP throughput is limited by the number of available cores and the
> processor clock frequency. Use aes128gcm16 for maximum performance.
> 
> Best regards
> 
> Andreas
> 
> On 16.01.2017 19:00, Varun Singh wrote:
> > Hi,
> > As I understand, strongSwan supports scalability from 4.x onwards. I
> > am new to strongSwan and to VPN in general.
> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
> > Though I have read that strongSwan supports scalability, I couldn't
> > find stats to support it.
> > Before adopting strongSwan, my team wanted to know *if it can support
> > up to 100k simultaneous connections*. Hence I need to find pointers to
> > obtain this kind of information.

hi,

I think further scaling might be possible with load balancers. But this is
a topic for deeper investigation in the project.

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [strongSwan] Android TNC server basic setup

2017-01-16 Thread Mark M
Andreas,
I finally got the policy manager installed. However, I am not seeing the device
when I form the connection, and the Android device disconnects.
Any ideas on what could be wrong?
This is what the stats page in the policy manager looks like:
https://i.imgur.com/9M0sMa8.jpg
Also, the "add groups" button does not work and there are no entries under
policies and enforcements. Hard to say if everything is working correctly.

00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-22-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from '/etc/ipsec.d/cacerts/rootCA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/tnc2.key'
00[CFG]   loaded EAP secret for carol@strongswan.org
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[LIB] libimcv initialized
00[IMV] IMV 1 "Attestation" initialized
00[PTS] no PTS cacerts directory defined
00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
00[IMV] IMV 2 "Scanner" initialized
00[TNC] IMV 2 "Scanner" loaded from '/usr/lib/ipsec/imcvs/imv-scanner.so'
00[LIB] loaded plugins: charon des rc2 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-ttls eap-tnc xauth-generic tnc-imv tnc-tnccs tnccs-20
00[JOB] spawning 16 worker threads
16[CFG] received stroke: add connection 'rw-allow'
16[CFG] adding virtual IP address pool 192.168.3.55
16[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from 'tncserver.crt'
16[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
16[CFG] added configuration 'rw-allow'
06[CFG] received stroke: add connection 'rw-isolate'
06[CFG] adding virtual IP address pool 192.168.4.0/24
06[CFG]   loaded certificate "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5" from 'tncserver.crt'
06[CFG]   id '192.168.1.5' not confirmed by certificate, defaulting to 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
06[CFG] added configuration 'rw-isolate'
07[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500] (732 bytes)
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 192.168.1.11 is initiating an IKE_SA
07[IKE] remote host is behind NAT
07[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
07[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (38 bytes)
05[NET] received packet: from 192.168.1.11[51631] to 192.168.1.5[500] (1052 bytes)
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
05[IKE] 192.168.1.11 is initiating an IKE_SA
05[IKE] remote host is behind NAT
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
05[NET] sending packet: from 192.168.1.5[500] to 192.168.1.11[51631] (592 bytes)
16[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (544 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
16[IKE] received cert request for "C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5"
16[CFG] looking for peer configs matching 192.168.1.5[%any]...192.168.1.11[ca...@strongswan.org]
16[CFG] selected peer config 'rw-allow'
16[IKE] initiating EAP_TTLS method (id 0x4F)
16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
16[IKE] peer supports MOBIKE
16[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
16[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (176 bytes)
12[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (240 bytes)
12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
12[TLS] sending TLS server certificate 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
12[TLS] sending TLS cert request for 'C=US, ST=MD, L=TNC, O=TNC, OU=TNC, CN=192.168.1.5'
12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
12[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (1104 bytes)
06[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (80 bytes)
06[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTL

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Andreas Steffen

Hi Varun,

we have customers who have successfully been running up to 60k
concurrent tunnels. In order to maximize performance please have
a look at the use of hash tables for IKE_SA lookup

  https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable

as well as job priority management

  https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority

We also recommend using file-based logging, since writing to syslog
slows down the charon daemon considerably

  https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

The bottleneck for IKE processing is the Diffie-Hellman key exchange
where 70-80 % of the computing effort is spent. Use the ecp256 or
the new curve25519 (available with strongSwan 5.5.2) DH groups for
maximum performance.

ESP throughput is limited by the number of available cores and the
processor clock frequency. Use aes128gcm16 for maximum performance.

Best regards

Andreas

On 16.01.2017 19:00, Varun Singh wrote:

Hi,
As I understand, strongSwan supports scalability from 4.x onwards. I
am new to strongSwan and to VPN in general.
I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
Though I have read that strongSwan supports scalability, I couldn't
find stats to support it.
Before adopting strongSwan, my team wanted to know *if it can support
up to 100k simultaneous connections*. Hence I need to find pointers to
obtain this kind of information.
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

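The tuning points in Andreas's reply, written out as strongswan.conf and ipsec.conf fragments. This is an added illustration, not configuration from the original post or from the strongSwan project: the option names are real strongswan.conf and ipsec.conf options of the 5.x series, but every value (table size and segment count, thread counts, log path and levels, the cipher proposals) is an assumption that has to be sized for the actual gateway. curve25519 is left commented out because it needs strongSwan 5.5.2 or later, which the 5.3.5 install from the question does not have.

```conf
# /etc/strongswan.conf -- added example; all values are assumptions, not measured recommendations
charon {
    # IKE_SA lookup through a hash table. The default table size of 1 behaves
    # like a single list. Size should be a power of two; segments (separately
    # locked parts of the table) must divide the size evenly.
    ikesa_table_size = 4096
    ikesa_table_segments = 64

    # Worker threads (default 16); scale with the number of cores.
    threads = 32

    # Reserve threads per job priority so that cheap, latency-sensitive jobs
    # (DPD/INFORMATIONAL: high) and IKE_SA_INIT handling (medium) are not
    # starved by expensive, often blocking IKE_AUTH processing (low).
    processor {
        priority_threads {
            high = 4
            medium = 8
        }
    }

    # Log to a file and switch syslog off; syslog is what slows charon down
    # under load. Keep levels at 1 or below in production.
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = yes
            flush_line = no
            default = 1
        }
    }
    syslog {
        daemon {
            default = -1
        }
    }
}

# /etc/ipsec.conf -- added example; the strict proposals (trailing '!') are assumptions
conn %default
    keyexchange=ikev2
    # ecp256 keeps the DH exchange, which dominates IKE cost, cheap.
    # On 5.5.2+ with peers that support it, curve25519 is cheaper still:
    #   ike=aes128gcm16-prfsha256-curve25519!
    ike=aes128gcm16-prfsha256-ecp256!
    # AES-GCM is an AEAD cipher (single pass, AES-NI accelerated). The DH
    # group here adds PFS on CHILD_SA rekeying and can be dropped if the
    # rekey load itself becomes the problem.
    esp=aes128gcm16-ecp256!
```

strongswan.conf changes need `ipsec restart`; ipsec.conf changes take effect with `ipsec reload`. Afterwards `ipsec statusall` shows the proposal each IKE_SA actually negotiated, so you can confirm that ecp256 and aes128gcm16 are what the clients end up with rather than a fallback, and counting its ESTABLISHED lines over time is the simplest way to measure how many concurrent IKE_SAs a given box sustains. One thing to watch at scale: if the group a client puts in its first KE payload is not the one the responder selects, the responder answers with INVAL_KE and the client has to repeat IKE_SA_INIT (the "DH group ... inacceptable, requesting ..." line in the Android TNC log elsewhere in this digest is exactly that), which doubles the cheapest part of the exchange; putting the clients' group first in the server's ike= proposal avoids the extra round trip.
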
Re: [strongSwan] macOS Sierra as Client with IKEv2 and certificates?

2017-01-16 Thread Kai Bojens
Johannes Kastl wrote on Mon, 16 Jan 2017 at 12:04:
> Has anyone set up macOS Sierra as a client with IKEv2 and Certificates?
>

I'm trying to get this combination running but had no success so far. It
doesn't make a difference if I'm using the Apple Configurator or the GUI –
nothing really works so far and there are no error messages I could work
with. Everything worked fine until I upgraded to Sierra and now I can't get
this back to work. Right now I'm assuming that macOS Sierra indeed has some
serious problems with IKEv2.

[strongSwan] macOS Sierra as Client with IKEv2 and certificates?

2017-01-16 Thread Johannes Kastl
Hi everyone,

as I find a lot of different and incomplete information across the web:

Has anyone set up macOS Sierra as a client with IKEv2 and Certificates?

I can set up the connection in the system settings with username and
password (aka EAP), but as soon as I switch to using a certificate I
get no connection. It seems like OS X always requests EAP somehow.

Any hands-on experiences?

Thanks in advance,
Johannes

[strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Varun Singh
Hi,
As I understand, strongSwan supports scalability from 4.x onwards. I
am new to strongSwan and to VPN in general.
I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
Though I have read that strongSwan supports scalability, I couldn't
find stats to support it.
Before adopting strongSwan, my team wanted to know *if it can support
up to 100k simultaneous connections*. Hence I need to find pointers to
obtain this kind of information.

-- 
Regards,
Varun