Re: [strongSwan] Issue with loading critical plugin features (using strongswan -5.2.2)

2017-01-18 Thread Chinmaya Dwibedy
Hi All,

 Good Morning!!!

The `configure' shell script attempts to guess correct values for various
system-dependent variables used during compilation. It uses those values to
create a `Makefile' in each directory of the package. From the build logs, I
find it does not build shared libraries. Here goes the log.

checking for x86_64-wrs-linux-gcc... x86_64-wrs-linux-gcc -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/opt/windriver/wrlinux-cgl/8.0-intel-x86-64/sysroots/corei7-64-wrs-linux
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... yes
checking whether the x86_64-wrs-linux-gcc -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/opt/windriver/wrlinux-cgl/8.0-intel-x86-64/sysroots/corei7-64-wrs-linux linker (x86_64-wrs-linux-g++ -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/opt/windriver/wrlinux-cgl/8.0-intel-x86-64/sysroots/corei7-64-wrs-linux -m elf_x86_64) supports shared libraries... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... unsupported
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... no
checking whether to build shared libraries... no
checking whether to build static libraries... yes

 

The strongswan doc (at https://wiki.strongswan.org/issues/1299) says we can't
build the Charon daemon completely statically. As a result of which, when I run
it on the Wind River Linux system, Charon aborts. Can anyone please confirm if the
below crash/abort issue is because shared libraries are not being built?

 

[root@TEMP/MEG-1] opt# /opt/sbin/ipsec start --nofork
Starting strongSwan 5.2.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 4.1.21-WR8.0.0.6_cgl, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 2 critical plugin features
00[DMN] initialization failed - aborting charon
charon has quit: initialization failed
charon refused to be started
ipsec starter stopped
[root@TEMP/MEG-1] opt# charon refused to be started
ipsec starter stopped

I also used the --enable-shared and --enable-monolithic configure options but got the
same issue. Can anyone please let me know what might be the cause behind the
below (i.e., the linker does not support shared libraries) and how to get rid of
this issue?

checking whether the x86_64-wrs-linux-gcc -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/opt/windriver/wrlinux-cgl/8.0-intel-x86-64/sysroots/corei7-64-wrs-linux linker (x86_64-wrs-linux-g++ -m64 -march=corei7 -mtune=corei7 -mfpmath=sse -msse4.2 --sysroot=/opt/windriver/wrlinux-cgl/8.0-intel-x86-64/sysroots/corei7-64-wrs-linux -m elf_x86_64) supports shared libraries... no

Thank you in advance for your time and support. Anticipating an early
response.

Regards,

Chinmaya


 
 

On Tuesday, January 17, 2017 4:33 PM, Chinmaya Dwibedy wrote:

Hi,
I am using the following configure options (using strongswan-5.2.2):

./configure --prefix=/opt/chinmaya/ --sysconfdir=/opt/chinmaya/etc --libdir=/opt/chinmaya/lib --enable-load-tester --enable-ctr --enable-ccm --enable-gcm --enable-vici --enable-error-notify --enable-openssl

While trying to start the Charon on Wind River Linux, getting the below errors:

[root@local TEMP/MEG-1] opt# ./chinmaya/sbin/ipsec start --nofork
Starting strongSwan 5.2.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 4.1.21-WR8.0.0.6_cgl, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 2 critical plugin features
00[DMN] initialization failed - aborting charon
charon has quit: initialization failed
charon refused to be started
ipsec starter stopped
[root@local TEMP/MEG-1] opt#

Can anyone please let me know which critical plugin features it fails to load before aborting? Thank you in advance for your support and time.
Regards,
Chinmaya
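As an added example (not code from this thread or from the strongSwan project): a small Python script that pulls the two facts the question turns on out of the logs quoted above, the libtool decision in the configure output and charon's unmet critical plugin feature dependencies, and checks that charon's "failed to load N" count matches the unmet-dependency lines it printed. The sample log text is constructed from the lines in the message (with spacing restored); the script reports the facts side by side and does not decide whether one causes the other.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the configure output quoted in the message above.
CONFIGURE_OUTPUT = """\
checking whether we are cross compiling... yes
checking whether the x86_64-wrs-linux-gcc linker (x86_64-wrs-linux-g++ -m elf_x86_64) supports shared libraries... no
checking if libtool supports shared libraries... no
checking whether to build shared libraries... no
checking whether to build static libraries... yes
"""

# Constructed from the charon start-up log quoted in the message above.
CHARON_LOG = """\
00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 4.1.21-WR8.0.0.6_cgl, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 2 critical plugin features
00[DMN] initialization failed - aborting charon
"""

CHECK_RE = re.compile(r"^checking (?P<what>.+?)\.\.\. (?P<answer>\S+)$")
UNMET_RE = re.compile(
    r"feature (?P<feature>\S+) in critical plugin '(?P<plugin>[^']+)' "
    r"has unmet dependency: (?P<dep>\S+)")
FAILED_RE = re.compile(r"failed to load (?P<n>\d+) critical plugin features")


def configure_answers(output: str) -> Dict[str, str]:
    """Map each 'checking X... Y' line of configure output to its answer Y."""
    answers: Dict[str, str] = {}
    for line in output.splitlines():
        m = CHECK_RE.match(line.strip())
        if m:
            answers[m.group("what")] = m.group("answer")
    return answers


def builds_shared_libraries(output: str) -> Optional[bool]:
    """True/False from libtool's decision line, None if that line is absent."""
    answer = configure_answers(output).get("whether to build shared libraries")
    if answer is None:
        return None
    return answer == "yes"


def unmet_dependencies(log: str) -> List[Tuple[str, str, str]]:
    """(plugin, feature, dependency) for every 'unmet dependency' line."""
    found = []
    for line in log.splitlines():
        m = UNMET_RE.search(line)
        if m:
            found.append((m.group("plugin"), m.group("feature"), m.group("dep")))
    return found


def split_dependency(dep: str) -> Tuple[str, Optional[str]]:
    """'HASHER:HASH_SHA1' -> ('HASHER', 'HASH_SHA1'); 'NONCE_GEN' -> ('NONCE_GEN', None)."""
    kind, sep, alg = dep.partition(":")
    return kind, (alg if sep else None)


def failed_feature_count(log: str) -> Optional[int]:
    """The N from 'failed to load N critical plugin features', if printed."""
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            return int(m.group("n"))
    return None


def diagnose(configure_output: str, charon_log: str) -> Dict[str, object]:
    """Collect the facts a reader would cross-check; it does not decide causation."""
    deps = unmet_dependencies(charon_log)
    count = failed_feature_count(charon_log)
    return {
        "shared_libraries": builds_shared_libraries(configure_output),
        "unmet": deps,
        "missing_kinds": sorted({split_dependency(d)[0] for _, _, d in deps}),
        "count_consistent": count is not None and count == len(deps),
    }


if __name__ == "__main__":
    for key, value in diagnose(CONFIGURE_OUTPUT, CHARON_LOG).items():
        print(f"{key}: {value}")
```

Point the two constants at the real configure output and charon's start-up log to get the same summary for another build.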

   ___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] macos Sierra as Client with IKEv2 and certificates?

2017-01-18 Thread Johannes Kastl
Dear Kai,

On 17.01.17 09:48 Kai Bojens wrote:

>> As OSX apparently did not understand certificates before Sierra,
>> what kind of connection did you have before Sierra?
>> 
> 
> eap-tls – and it worked fine until I upgraded to Sierra. 

I see, my Yosemite did not accept that, and I never used El Capitan.

> The first
> problem was that the upgrade to Sierra discarded our CA certificate
> without telling so. 

I just had a look and really, the CA is no longer trusted.

> That was big fun. But even after trusting the
> CA again the connection didn't work. The connection would be
> established but not traffic appeared anywhere.

I get no connection at all, two seconds between connect and disconnect.

I'll give this some time and try again, once Sierra seems to have
settled a little bit...

Johannes




[strongSwan] stroke rereadsecrets fails to include strongswan.conf

2017-01-18 Thread Sirisha Alla

Hi,

I am using strongswan version 5.0.2. This installation seemed to work 
quite well until recently. I am not sure what has caused this error. 
When we run the command ipsec secrets, it fails with the below 
error.


[etc]$ sudo bash -x /usr/local/sbin/ipsec secrets
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
+ export PATH
++ uname -s
+ OS_NAME=Linux
+ IPSEC_NAME=strongSwan
++ uname -r
+ IPSEC_VERSION=U5.0.2/K2.6.39-400.17.1.el6uek.x86_64
+ IPSEC_DIR=/usr/local/libexec/ipsec
+ IPSEC_SBINDIR=/usr/local/sbin
+ IPSEC_CONFDIR=/usr/local/etc
+ IPSEC_PIDDIR=/var/run
+ IPSEC_SCRIPT=ipsec
+ IPSEC_STARTER_PID=/var/run/starter.pid
+ IPSEC_CHARON_PID=/var/run/charon.pid
+ IPSEC_STROKE=/usr/local/libexec/ipsec/stroke
+ IPSEC_STARTER=/usr/local/libexec/ipsec/starter
+ export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT 
IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
+ IPSEC_DISTRO='Institute for Internet Technologies and 
Applications\nUniversity of Applied Sciences Rapperswil, Switzerland'

+ case "$1" in
+ rc=7
+ '[' -e /var/run/charon.pid ']'
+ /usr/local/libexec/ipsec/stroke rereadsecrets
parsing value failed near
failed to include '/tmp/*-strongswan.conf'

[etc]$ ls -lrt /tmp/*-strongswan.conf
-rw-r--r-- 1 root root 1490 Oct 19 08:30 /tmp/strongSwan-strongswan.conf
-rw-r--r-- 1 root root    0 Jan 18 21:43 /tmp/strongSwan-init-strongswan.conf


and /tmp/strongSwan-strongswan.conf file is as follows:

charon {
    install_virtual_ip = no

    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = yes
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }
    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # optional identifier used with openlog(3), prepended to each log message
        # by syslog. if not configured, openlog(3) is not called, so the value will
        # depend on system defaults (usually the program name)
        identifier = charon-custom
        # default level to the LOG_DAEMON facility
        daemon {
            default = 0
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}

Can somebody help me identify what exactly the issue is? I suspect 
something related to configuration.


Thanks,
Sirisha
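An added example, not part of this post and not strongSwan's own settings parser: a Python parser for the strongswan.conf syntax used above (nested sections, key = value, '#' comment lines, and an include line with a glob), run over a constructed in-memory copy of the files from the ls output. The main strongswan.conf with its include line is an assumption, since the post does not show it; the init file is empty, as in the ls output. What the example adds is the error report: when an included file fails to parse, the message names the file and the line, which is the context missing from the two lines stroke printed.

```python
import fnmatch
import re
from typing import Dict, Optional


class ConfError(Exception):
    """Parse failure carrying file:line context through nested includes."""


# Constructed in-memory stand-in for the files on disk. The main file with its
# include line is an assumption (the post does not show it); the logger
# configuration is a shortened copy of the posted file; the init file is the
# 0-byte file from the ls output.
FILES: Dict[str, str] = {
    "/usr/local/etc/strongswan.conf": "# constructed main file\ninclude /tmp/*-strongswan.conf\n",
    "/tmp/strongSwan-strongswan.conf": """\
charon {
    install_virtual_ip = no
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            append = yes
            default = 1
        }
    }
    syslog {
        identifier = charon-custom
        auth {
            default = -1
            ike = 0
        }
    }
}
""",
    "/tmp/strongSwan-init-strongswan.conf": "",
}

SECTION_RE = re.compile(r"^(\S+)\s*\{$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")
KEY_RE = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")


def parse_conf(path: str, files: Dict[str, str], into: Optional[dict] = None,
               depth: int = 0) -> dict:
    """Parse strongswan.conf syntax (sections, key = value, '#' comment lines,
    include with a glob) into nested dicts. Two simplifications that are
    assumptions rather than the daemon's exact grammar: a comment must start
    its line, and a section opener must end its line with '{'."""
    if depth > 8:
        raise ConfError(f"{path}: include nesting too deep")
    if path not in files:
        raise ConfError(f"{path}: no such file")
    root = {} if into is None else into
    stack = [root]
    for lineno, raw in enumerate(files[path].splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ConfError(f"{path}:{lineno}: unexpected '}}'")
            stack.pop()
            continue
        if m := INCLUDE_RE.match(line):
            pattern = m.group(1)
            # includes are parsed into the section that contains the include line
            for inc in sorted(fnmatch.filter(files, pattern)):
                try:
                    parse_conf(inc, files, stack[-1], depth + 1)
                except ConfError as err:
                    raise ConfError(f"{path}:{lineno}: failed to include "
                                    f"'{pattern}': {err}") from err
        elif m := SECTION_RE.match(line):
            stack.append(stack[-1].setdefault(m.group(1), {}))
        elif m := KEY_RE.match(line):
            stack[-1][m.group(1)] = m.group(2).strip()
        else:
            raise ConfError(f"{path}:{lineno}: parsing value failed near '{line}'")
    if len(stack) != 1:
        raise ConfError(f"{path}: section still open at end of file")
    return root


def lookup(conf: dict, *keys: str):
    """Walk nested sections; keys are separate arguments because a section
    name such as /var/log/charon.log contains dots."""
    node = conf
    for key in keys:
        node = node[key]
    return node


def parse_error(files: Dict[str, str],
                main: str = "/usr/local/etc/strongswan.conf") -> Optional[str]:
    """The error text a failed parse reports, or None when everything parses."""
    try:
        parse_conf(main, files)
    except ConfError as err:
        return str(err)
    return None


# Constructed variant with one malformed line, to show where the report points.
BROKEN_FILES = dict(FILES)
BROKEN_FILES["/tmp/strongSwan-init-strongswan.conf"] = "charon {\n    install_virtual_ip no\n}\n"

if __name__ == "__main__":
    conf = parse_conf("/usr/local/etc/strongswan.conf", FILES)
    print(lookup(conf, "charon", "filelog", "/var/log/charon.log", "time_format"))
    print(parse_error(BROKEN_FILES))
```

The empty init file parses to nothing and is harmless here; the broken variant shows the shape of a useful report, "main.conf:2: failed to include '/tmp/*-strongswan.conf': /tmp/strongSwan-init-strongswan.conf:2: parsing value failed near ...", so the next step is to read that one line of that one file.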

Re: [strongSwan] Android TNC server basic setup

2017-01-18 Thread Mark M
Andreas,
Which strongswan.conf configuration is required to see the results shown in the 
Android BYOD guide at https://wiki.strongswan.org/projects/strongswan/wiki/BYOD?

Thanks, 

On Tuesday, January 17, 2017 5:51 AM, Mark M  wrote:
 

Here is the log from the Android client:
Jan 17 05:18:01 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 
3.10.61-8352520, aarch64)
Jan 17 05:18:01 00[LIB] libimcv initialized
Jan 17 05:18:01 00[IMC] IMC 1 "Android" initialized
Jan 17 05:18:01 00[TNC] IMC 1 "Android" loaded
Jan 17 05:18:01 00[LIB] loaded plugins: androidbridge android-byod charon 
android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 
pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls 
eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
Jan 17 05:18:01 00[JOB] spawning 16 worker threads
Jan 17 05:18:01 07[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 07[NET] sending packet: from 192.168.1.11[38969] to 
192.168.1.5[500] (744 bytes)
Jan 17 05:18:01 08[NET] received packet: from 192.168.1.5[500] to 
192.168.1.11[38969] (38 bytes)
Jan 17 05:18:01 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 17 05:18:01 08[IKE] peer didn't accept DH group ECP_256, it requested 
MODP_3072
Jan 17 05:18:01 08[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 08[NET] sending packet: from 192.168.1.11[38969] to 
192.168.1.5[500] (1064 bytes)
Jan 17 05:18:01 11[NET] received packet: from 192.168.1.5[500] to 
192.168.1.11[38969] (584 bytes)
Jan 17 05:18:01 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jan 17 05:18:01 11[IKE] faking NAT situation to enforce UDP encapsulation
Jan 17 05:18:01 11[IKE] sending cert request for "C=US, ST=MD, L=TNC, O=TNC, 
OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 11[IKE] establishing CHILD_SA android
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) 
CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(EAP_ONLY) ]
Jan 17 05:18:01 11[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (544 bytes)
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (1236 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 17 05:18:01 12[ENC] received fragment #1 of 2, waiting for complete IKE 
message
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (148 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 17 05:18:01 12[ENC] received fragment #2 of 2, reassembling fragmented IKE 
message
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS 
]
Jan 17 05:18:01 12[IKE] received end entity cert "C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5"
Jan 17 05:18:01 12[CFG]   using certificate "C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5"
Jan 17 05:18:01 12[CFG]   using trusted ca certificate "C=US, ST=MD, L=TNC, 
O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG]   reached self-signed root ca with a path length of 0
Jan 17 05:18:01 12[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 17 05:18:01 12[IKE] server requested EAP_TTLS authentication (id 0xBC)
Jan 17 05:18:01 12[TLS] EAP_TTLS version is v0
Jan 17 05:18:01 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Jan 17 05:18:01 12[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 15[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (1104 bytes)
Jan 17 05:18:01 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 15[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Jan 17 05:18:01 15[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (80 bytes)
Jan 17 05:18:01 14[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (464 bytes)
Jan 17 05:18:01 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 14[TLS] negotiated TLS 1.2 using suite 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Jan 17 05:18:01 14[TLS] received TLS server certificate 'C=US, ST=MD, L=TNC, 
OU=TNC, CN=192.168.1.5'
Jan 17 05:18:01 14[CFG]   using certificate "C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5"
Jan 17 05:18:01 14[CFG]   using trusted ca certificate "C=US, ST=MD, L=TNC, 
O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 14[CFG]   reached self-signed root ca with a path length of 0
Jan 17 05:18:01 14[TLS] received TLS cert request for 'C=US, ST=MD, L=TNC, 
O=TNC, OU=TNC, CN=192.168.1.5
Jan 17 05:18:01 14[TLS] no TLS peer certificate found for 
'ca...@strongswan.org', skipping client authentic

Re: [strongSwan] Android TNC server basic setup

2017-01-18 Thread Mark M
Here is the log from the Android client:
Jan 17 05:18:01 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 
3.10.61-8352520, aarch64)
Jan 17 05:18:01 00[LIB] libimcv initialized
Jan 17 05:18:01 00[IMC] IMC 1 "Android" initialized
Jan 17 05:18:01 00[TNC] IMC 1 "Android" loaded
Jan 17 05:18:01 00[LIB] loaded plugins: androidbridge android-byod charon 
android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 
pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls 
eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20
Jan 17 05:18:01 00[JOB] spawning 16 worker threads
Jan 17 05:18:01 07[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 07[NET] sending packet: from 192.168.1.11[38969] to 
192.168.1.5[500] (744 bytes)
Jan 17 05:18:01 08[NET] received packet: from 192.168.1.5[500] to 
192.168.1.11[38969] (38 bytes)
Jan 17 05:18:01 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 17 05:18:01 08[IKE] peer didn't accept DH group ECP_256, it requested 
MODP_3072
Jan 17 05:18:01 08[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 08[NET] sending packet: from 192.168.1.11[38969] to 
192.168.1.5[500] (1064 bytes)
Jan 17 05:18:01 11[NET] received packet: from 192.168.1.5[500] to 
192.168.1.11[38969] (584 bytes)
Jan 17 05:18:01 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jan 17 05:18:01 11[IKE] faking NAT situation to enforce UDP encapsulation
Jan 17 05:18:01 11[IKE] sending cert request for "C=US, ST=MD, L=TNC, O=TNC, 
OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 11[IKE] establishing CHILD_SA android
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) 
CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) N(EAP_ONLY) ]
Jan 17 05:18:01 11[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (544 bytes)
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (1236 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 17 05:18:01 12[ENC] received fragment #1 of 2, waiting for complete IKE 
message
Jan 17 05:18:01 12[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (148 bytes)
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 17 05:18:01 12[ENC] received fragment #2 of 2, reassembling fragmented IKE 
message
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS 
]
Jan 17 05:18:01 12[IKE] received end entity cert "C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5"
Jan 17 05:18:01 12[CFG]   using certificate "C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5"
Jan 17 05:18:01 12[CFG]   using trusted ca certificate "C=US, ST=MD, L=TNC, 
O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 12[CFG]   reached self-signed root ca with a path length of 0
Jan 17 05:18:01 12[IKE] authentication of 'C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 17 05:18:01 12[IKE] server requested EAP_TTLS authentication (id 0xBC)
Jan 17 05:18:01 12[TLS] EAP_TTLS version is v0
Jan 17 05:18:01 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Jan 17 05:18:01 12[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 15[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (1104 bytes)
Jan 17 05:18:01 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 15[ENC] generating IKE_AUTH request 3 [ EAP/RES/TTLS ]
Jan 17 05:18:01 15[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (80 bytes)
Jan 17 05:18:01 14[NET] received packet: from 192.168.1.5[4500] to 
192.168.1.11[35898] (464 bytes)
Jan 17 05:18:01 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 14[TLS] negotiated TLS 1.2 using suite 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Jan 17 05:18:01 14[TLS] received TLS server certificate 'C=US, ST=MD, L=TNC, 
OU=TNC, CN=192.168.1.5'
Jan 17 05:18:01 14[CFG]   using certificate "C=US, ST=MD, L=TNC, OU=TNC, 
CN=192.168.1.5"
Jan 17 05:18:01 14[CFG]   using trusted ca certificate "C=US, ST=MD, L=TNC, 
O=TNC, OU=TNC, CN=192.168.1.5"
Jan 17 05:18:01 14[CFG]   reached self-signed root ca with a path length of 0
Jan 17 05:18:01 14[TLS] received TLS cert request for 'C=US, ST=MD, L=TNC, 
O=TNC, OU=TNC, CN=192.168.1.5
Jan 17 05:18:01 14[TLS] no TLS peer certificate found for 
'ca...@strongswan.org', skipping client authentication
Jan 17 05:18:01 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/TTLS ]
Jan 17 05:18:01 14[NET] sending packet: from 192.168.1.11[35898] to 
192.168.1.5[4500] (240 bytes)
Jan 17 05:18:01 07[NET] received packet: from 192.168.1.
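An added example, not from this post or the strongSwan project: a Python script that reconstructs the IKEv2 message flow from the charon client log above. It records each generated and parsed message with its payload list, the INVAL_KE response that made the client restart IKE_SA_INIT with MODP_3072 instead of ECP_256, the two fragments of the first IKE_AUTH response, the EAP method the server requested, and the TLS suite negotiated inside EAP-TTLS. The log text is constructed from the posted lines (exchange-level lines only, wrapped lines rejoined).

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed from the client log posted above: the exchange-level lines,
# with the lines the archive wrapped rejoined.
ANDROID_LOG = """\
Jan 17 05:18:01 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.10.61-8352520, aarch64)
Jan 17 05:18:01 07[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 17 05:18:01 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Jan 17 05:18:01 08[IKE] initiating IKE_SA android[1] to 192.168.1.5
Jan 17 05:18:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 05:18:01 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jan 17 05:18:01 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 17 05:18:01 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 17 05:18:01 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Jan 17 05:18:01 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TTLS ]
Jan 17 05:18:01 12[IKE] server requested EAP_TTLS authentication (id 0xBC)
Jan 17 05:18:01 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/TTLS ]
Jan 17 05:18:01 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Jan 17 05:18:01 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
"""

LINE_RE = re.compile(r"(?P<thread>\d{2})\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$")
MSG_RE = re.compile(
    r"^(?P<verb>generating|parsed) (?P<exchange>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>.*?)\s*\]$")
PAYLOAD_RE = re.compile(r"[^\s(]+\([^)]*\)|\S+")   # keeps CPRQ(ADDR ADDR6 ...) together
KE_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
FRAG_RE = re.compile(r"received fragment #(\d+) of (\d+)")
EAP_RE = re.compile(r"server requested (\S+) authentication")
TLS_RE = re.compile(r"negotiated TLS \S+ using suite (\S+)")


@dataclass
class Message:
    exchange: str        # IKE_SA_INIT, IKE_AUTH, ...
    direction: str       # "out" = generating (sent), "in" = parsed (received)
    mid: int             # IKEv2 message ID
    payloads: List[str]  # payload list as charon prints it


@dataclass
class Trace:
    messages: List[Message] = field(default_factory=list)
    dh_retries: List[Tuple[str, str]] = field(default_factory=list)  # (offered, requested)
    fragments: List[Tuple[int, int]] = field(default_factory=list)   # (n, total)
    eap_method: str = ""
    tls_suite: str = ""


def is_fragment(m: Message) -> bool:
    """An 'EF(n/total)' entry is a fragment, not a complete message."""
    return len(m.payloads) == 1 and m.payloads[0].startswith("EF(")


def parse_trace(log: str) -> Trace:
    trace = Trace()
    for raw in log.splitlines():
        line = LINE_RE.search(raw)   # tolerates the syslog-style date prefix
        if not line:
            continue
        msg = line.group("msg")
        if m := MSG_RE.match(msg):
            direction = "out" if m["verb"] == "generating" else "in"
            trace.messages.append(Message(m["exchange"], direction, int(m["mid"]),
                                          PAYLOAD_RE.findall(m["payloads"])))
        elif m := KE_RE.search(msg):
            trace.dh_retries.append((m.group(1), m.group(2)))
        elif m := FRAG_RE.search(msg):
            trace.fragments.append((int(m.group(1)), int(m.group(2))))
        elif m := EAP_RE.search(msg):
            trace.eap_method = m.group(1)
        elif m := TLS_RE.search(msg):
            trace.tls_suite = m.group(1)
    return trace


def init_attempts(trace: Trace) -> int:
    """How many IKE_SA_INIT requests the client had to send."""
    return sum(1 for m in trace.messages
               if m.exchange == "IKE_SA_INIT" and m.direction == "out")


def exchange_summary(trace: Trace) -> List[str]:
    """One line per complete (reassembled) message, in log order."""
    out = []
    for m in trace.messages:
        if is_fragment(m):
            continue
        arrow, kind = ("->", "req") if m.direction == "out" else ("<-", "resp")
        out.append(f"{arrow} {m.exchange} {kind} {m.mid}: {' '.join(m.payloads)}")
    return out


if __name__ == "__main__":
    t = parse_trace(ANDROID_LOG)
    print("\n".join(exchange_summary(t)))
    print("DH retries:", t.dh_retries, "EAP:", t.eap_method, "TLS:", t.tls_suite)
```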

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Michael Schwartzkopff
On Wednesday, 18 January 2017, 13:27:58, Eric Germann wrote:
> > On Jan 18, 2017, at 1:25 PM, Noel Kuntze  wrote:
> 
> Show me how to get SNMP stats per connection definition so we don’t have to
> use NetFlow and I’m all in.
> > Unrelated to the topic: Please try to avoid using the old, unmaintained,
> > bug ridden net-tools. Use iproute2 for everything (which you can do!).

If I find time and/or money I would write an SNMP subagent for strongswan.

But I did not really get much feedback last time this topic was discussed 
here on the list.

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Noel Kuntze
On 18.01.2017 19:27, Eric Germann wrote:
> Show me how to get SNMP stats per connection definition so we don’t have to 
> use NetFlow and I’m all in.
What are SNMP stats for you? What `netstat` prints? iproute2 has `ss` for that.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658





Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Eric Germann

> On Jan 18, 2017, at 1:25 PM, Noel Kuntze  wrote:
> 
> 





Show me how to get SNMP stats per connection definition so we don’t have to use 
NetFlow and I’m all in.

> Unrelated to the topic: Please try to avoid using the old, unmaintained, bug 
> ridden net-tools. Use iproute2 for everything (which you can do!).
> 
> -- 
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Noel Kuntze
On 18.01.2017 19:23, Eric Germann wrote:
> Just a minor point.  OpenVPN can create tun interfaces, although that one 
> interface is associated with all the clients connecting to that port
> 
> tun0  Link encap:UNSPEC  HWaddr 
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>   inet addr:172.28.100.1  P-t-P:172.28.100.1  Mask:255.255.255.0
>   inet6 addr: 2001:470:e2fc:100::1/64 Scope:Global
>   UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:100
>   RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I know that. The point is that it's not creating one for every client, which 
is what we were discussing.

Unrelated to the topic: Please try to avoid using the old, unmaintained, bug 
ridden net-tools. Use iproute2 for everything (which you can do!).

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658





Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Eric Germann
Just a minor point. OpenVPN can create tun interfaces, although that one 
interface is associated with all the clients connecting to that port.

tun0  Link encap:UNSPEC  HWaddr 
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:172.28.100.1  P-t-P:172.28.100.1  Mask:255.255.255.0
  inet6 addr: 2001:470:e2fc:100::1/64 Scope:Global
  UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

EKG


> On Jan 18, 2017, at 12:38 PM, Noel Kuntze  wrote:
> 
> On 18.01.2017 18:37, Varun Singh wrote:
>> Okay, so is 'not-creating-new-interfaces' a feature unique to
>> strongSwan or is it common for all VPN servers? Reason I am asking is,
>> may be I have misunderstood what the expert was saying. If not, I
>> should discuss this with him.
> Neither strongSwan, nor openvpn do that. I have never seen something like 
> that. 
> -- 
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> 




Re: [strongSwan] Connect strongSwan and Squid on same server

2017-01-18 Thread Moataz Elmasry

Ah, I just now saw the TCP_DENIED error in your squid access.log.
Actually this means that your old iptables rule is working fine and 
redirecting the traffic to squid. This is now definitely a squid problem.
I assume that somewhere in your squid config file there is an "http_access 
deny all" rule defined before the "http_access allow all", which is 
causing all your traffic to be denied.
But to really judge that, you should post your complete squid.conf file 
on the squid mailing list.


Cheers,
Moataz

On 01/18/2017 06:50 PM, Varun Singh wrote:

On Wed, Jan 18, 2017 at 10:28 PM, Moataz Elmasry
 wrote:

Correct. No additional rules should be needed


On 01/18/2017 05:47 PM, Varun Singh wrote:

On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry
 wrote:

Hi,

I just had a similar problem, here's how I solved it:
- Assume strongswan is configured to hand out IPs from 10.3.0.0/16
Then:
iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128

The first rule will masquerade the traffic as usual from the private to the
public network. You need this anyway.
The second rule will redirect the traffic ONLY from your subnet to squid.




On 01/18/2017 05:33 PM, Varun Singh wrote:

Hi,
I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean, I am
trying to achieve the following:

[VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and also
when the HTTP proxy is configured without VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to port using IPTables. I
enter the following IPTables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting a log of /var/log/squid/access.log


1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%2
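An added example (not Moataz's, Varun's or Squid's code): a Python script that summarizes a Squid native-format access.log by client address and result code, run over a constructed excerpt of the lines quoted above. It separates the two patterns in that log: a client whose requests all ended in TCP_DENIED/403 (the traffic reached Squid and Squid's own http_access rules refused it, which is the reading given at the top of this message), and origin-form requests (a bare path with no scheme or host) answered with TAG_NONE/400, the pattern Squid typically logs when redirected traffic arrives on an http_port that is not declared with the intercept option.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt of the access.log quoted above (wrapped lines rejoined,
# a representative subset of the records).
ACCESS_LOG = """\
1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642      0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738367.798      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738376.374      0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738858.272      0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990      0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
"""


@dataclass
class Entry:
    ts: float      # UNIX timestamp
    client: str    # client address as Squid saw it
    result: str    # Squid result code / HTTP status, e.g. TCP_DENIED/403
    method: str
    url: str


def parse_access_log(text: str) -> List[Entry]:
    """Parse Squid's native log format:
    timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
    Lines with fewer than ten whitespace-separated fields are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 10:
            continue
        entries.append(Entry(float(fields[0]), fields[2], fields[3], fields[5], fields[6]))
    return entries


def by_client(entries: List[Entry]) -> Dict[str, Counter]:
    """Result-code histogram per client address."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        counts[e.client][e.result] += 1
    return dict(counts)


def fully_denied_clients(entries: List[Entry]) -> List[str]:
    """Clients for which every logged request was refused by Squid itself
    (TCP_DENIED). Such requests got through the iptables redirect, so the
    http_access rules, not the NAT rule, are what to look at."""
    return sorted(
        client for client, results in by_client(entries).items()
        if all(result.startswith("TCP_DENIED/") for result in results)
    )


def origin_form_requests(entries: List[Entry]) -> List[Entry]:
    """Requests whose URL is only a path: the request line carried no scheme
    or host, as a browser sends to an origin server rather than to a proxy."""
    return [e for e in entries if e.method != "CONNECT" and e.url.startswith("/")]


def report(entries: List[Entry]) -> List[str]:
    """Human-readable summary, one line per client plus the two checks."""
    lines = [f"{client}: {dict(results)}"
             for client, results in sorted(by_client(entries).items())]
    lines.append(f"fully denied clients: {fully_denied_clients(entries)}")
    lines.append(f"origin-form requests: {len(origin_form_requests(entries))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_access_log(ACCESS_LOG))))
```

Run it against the full /var/log/squid/access.log to see whether both patterns persist after the squid.conf change; a client that stops appearing under "fully denied" while origin-form 400s continue would point at the http_port mode rather than the ACLs.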

Re: [strongSwan] Connect strongSwan and Squid on same server

2017-01-18 Thread Varun Singh
On Wed, Jan 18, 2017 at 10:28 PM, Moataz Elmasry
 wrote:
> Correct. No additional rules should be needed
>
>
> On 01/18/2017 05:47 PM, Varun Singh wrote:
>>
>> On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry
>>  wrote:
>>>
>>> Hi,
>>>
>>> I just had a similar problem, here's how I solved it:
>>> - Assume strongswan is configured to hand out IPs from 10.3.0.0/16
>>> Then:
>>> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>>> iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>>>
>>> The first rule will masquerade the traffic as usual from the private to
>>> the public network. You need this anyway.
>>> The second rule will redirect the traffic ONLY from your subnet to squid.
>>>
>>>
>>>
>>>
>>> On 01/18/2017 05:33 PM, Varun Singh wrote:

 Hi,
 I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
 16.04 server and I am trying to connect both. By connect I mean, I am
 trying to achieve following:

 [VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]

 My objective is to connect a VPN client to VPN server and use Squid
 for filtering out blocked Urls. strongSwan and Squid work fine on
 their own. I can access internet when connected to VPN server and also
 when configured HTTP Proxy without VPN.

   From what I understand, to achieve what I want, I am supposed to
 redirect incoming HTTP traffic from port 80 to port using IPTables. I
 enter following IPTables rule:

 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

 Once I do this and try to access internet from a connected VPN client,
 I get error. Pasting a log of /var/log/squid/access.log


 1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
 1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
 1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
 1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
 1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
 1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
 1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
 1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
 1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
 1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
 1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
 1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
 1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
 1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
 1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
 1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
 1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
 1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
 1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
 1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Noel Kuntze
On 18.01.2017 18:42, Michael Schwartzkopff wrote:
> Old versions of openswan / freeswan did create interfaces.
KLIPS, which libreswan also supports, right?

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Michael Schwartzkopff
On Wednesday, 18 January 2017, 18:38:51 Noel Kuntze wrote:
> On 18.01.2017 18:37, Varun Singh wrote:
> > Okay, so is 'not-creating-new-interfaces' a feature unique to
> > strongSwan or is it common for all VPN servers? Reason I am asking is,
> > may be I have misunderstood what the expert was saying. If not, I
> > should discuss this with him.
> 
> Neither strongSwan, nor openvpn do that. I have never seen something like
> that.

Old versions of openswan / freeswan did create interfaces.

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: Munich, Munich District Court: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Varun Singh
On Wed, Jan 18, 2017 at 11:08 PM, Noel Kuntze wrote:
> On 18.01.2017 18:37, Varun Singh wrote:
>> Okay, so is 'not-creating-new-interfaces' a feature unique to
>> strongSwan or is it common for all VPN servers? Reason I am asking is,
>> may be I have misunderstood what the expert was saying. If not, I
>> should discuss this with him.
> Neither strongSwan, nor openvpn do that. I have never seen something like 
> that.
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>

Okay thanks. I will discuss this with him tomorrow then.

-- 
Regards,
Varun

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Noel Kuntze
On 18.01.2017 18:37, Varun Singh wrote:
> Okay, so is 'not-creating-new-interfaces' a feature unique to
> strongSwan or is it common for all VPN servers? Reason I am asking is,
> may be I have misunderstood what the expert was saying. If not, I
> should discuss this with him.
Neither strongSwan, nor openvpn do that. I have never seen something like that. 
-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658





Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Varun Singh
On Wed, Jan 18, 2017 at 11:00 PM, Noel Kuntze wrote:
> On 18.01.2017 18:23, Varun Singh wrote:
>> Okay. Surprisingly I was told in a discussion with a networking expert
>> that a new virtual network interface is created on server every time a
>> VPN client connects. Is there is link or document which states in
>> detail how server's network module functions when a client makes a
>> connection? Thanks.
> Sounds like he/she's not a very good expert then.
> strongSwan manipulates the kernel's SAD and SPD, which are implemented
> by XFRM on Linux. It doesn't create any new interfaces. Only the IPsec
> policies are applied to traffic.
> There's no such document. Take a look at the list of IPsec and related
> standards[1] to get information about what strongSwan implements.
> strongSwan does different things in detail based on the underlying
> operating system and if you use kernel-libipsec or not.
> In very rough terms, the peers authenticate each other (IKE_SA), then
> negotiate CHILD_SAs, which are used to transport traffic, and when
> negotiating the CHILD_SAs, the peers each insert corresponding SAs and
> SPs into the SAD and SPD on the local host.
> Even if you use kernel-libipsec (which you shouldn't), strongSwan only
> creates a single interface.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>

Okay, so is 'not-creating-new-interfaces' a feature unique to
strongSwan or is it common for all VPN servers? Reason I am asking is,
may be I have misunderstood what the expert was saying. If not, I
should discuss this with him.

-- 
Regards,
Varun

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Noel Kuntze
On 18.01.2017 18:23, Varun Singh wrote:
> Okay. Surprisingly I was told in a discussion with a networking expert
> that a new virtual network interface is created on server every time a
> VPN client connects. Is there is link or document which states in
> detail how server's network module functions when a client makes a
> connection? Thanks.
Sounds like he/she's not a very good expert then.
strongSwan manipulates the kernel's SAD and SPD, which are implemented
by XFRM on Linux. It doesn't create any new interfaces. Only the IPsec policies
are applied to traffic.
There's no such document. Take a look at the list of IPsec and related
standards[1] to get information about what strongSwan implements. strongSwan
does different things in detail based on the underlying operating system and
if you use kernel-libipsec or not.
In very rough terms, the peers authenticate each other (IKE_SA), then negotiate
CHILD_SAs, which are used to transport traffic, and when negotiating the
CHILD_SAs, the peers each insert corresponding SAs and SPs into the SAD and
SPD on the local host.
Even if you use kernel-libipsec (which you shouldn't), strongSwan only creates
a single interface.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




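To make Noel's point concrete, here is an added example (not strongSwan project code, not posted by anyone in the thread): it parses the SPD as printed by `ip xfrm policy` and groups the policies by reqid, which is how one IPsec tunnel shows up on the host: an in, out and fwd policy per client virtual IP, plus the matching SAs in the SAD, and no per-client interface. The sample output is constructed, using the 10.99.x virtual IPs seen in the Squid thread on this page and RFC 5737 documentation addresses for the peers; the field order follows iproute2, but exact spacing and the `ptype` token vary between versions, so treat the sample's shape as an assumption.

```python
"""Group the kernel SPD (as printed by `ip xfrm policy`) by IPsec tunnel.

Added example, not strongSwan code. SAMPLE_XFRM_POLICY is a constructed
approximation of iproute2 output for two road-warrior clients that hold
the virtual IPs 10.99.1.1 and 10.99.1.2 behind gateway 198.51.100.77;
the client public addresses 203.0.113.10/.25 are documentation ranges.
"""
import shutil
import subprocess

SAMPLE_XFRM_POLICY = """\
src 10.99.1.1/32 dst 0.0.0.0/0
\tdir fwd priority 367231 ptype main
\ttmpl src 203.0.113.10 dst 198.51.100.77
\t\tproto esp reqid 1 mode tunnel
src 10.99.1.1/32 dst 0.0.0.0/0
\tdir in priority 367231 ptype main
\ttmpl src 203.0.113.10 dst 198.51.100.77
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.99.1.1/32
\tdir out priority 367231 ptype main
\ttmpl src 198.51.100.77 dst 203.0.113.10
\t\tproto esp reqid 1 mode tunnel
src 10.99.1.2/32 dst 0.0.0.0/0
\tdir fwd priority 367231 ptype main
\ttmpl src 203.0.113.25 dst 198.51.100.77
\t\tproto esp reqid 2 mode tunnel
src 10.99.1.2/32 dst 0.0.0.0/0
\tdir in priority 367231 ptype main
\ttmpl src 203.0.113.25 dst 198.51.100.77
\t\tproto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.99.1.2/32
\tdir out priority 367231 ptype main
\ttmpl src 198.51.100.77 dst 203.0.113.25
\t\tproto esp reqid 2 mode tunnel
"""


def _kv(tokens):
    """Turn a 'key value key value ...' token list into a dict."""
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into one dict per policy entry."""
    policies = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "src" and not raw.startswith(("\t", " ")):
            policies.append({"selector": _kv(tokens)})   # unindented: new policy
        elif not policies:
            continue                                      # preamble, ignore
        elif tokens[0] == "dir":
            policies[-1].update(_kv(tokens))              # dir/priority/ptype
        elif tokens[0] == "tmpl":
            policies[-1]["tmpl"] = _kv(tokens[1:])        # outer tunnel endpoints
        elif tokens[0] == "proto":
            policies[-1].update(_kv(tokens))              # proto/reqid/mode
    return policies


def tunnels(policies):
    """Group policies by reqid. One tunnel (one CHILD_SA pair) yields an in,
    out and fwd policy for the client's selector and a remote peer address;
    socket or bypass policies without a template are skipped."""
    by_reqid = {}
    for p in policies:
        if "reqid" not in p or "tmpl" not in p:
            continue
        entry = by_reqid.setdefault(int(p["reqid"]),
                                    {"dirs": [], "peer": None, "selectors": set()})
        entry["dirs"].append(p["dir"])
        entry["dirs"].sort()
        # Inbound/forward policies name the remote peer as template source,
        # outbound policies name it as template destination.
        entry["peer"] = p["tmpl"]["src"] if p["dir"] in ("in", "fwd") else p["tmpl"]["dst"]
        entry["selectors"].add((p["selector"]["src"], p["selector"]["dst"]))
    return by_reqid


def live_policies():
    """Use the running kernel's SPD when `ip` is available and has entries,
    otherwise fall back to the constructed sample so the example runs anywhere."""
    if shutil.which("ip"):
        out = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True)
        if out.returncode == 0 and out.stdout.strip():
            return parse_xfrm_policies(out.stdout)
    return parse_xfrm_policies(SAMPLE_XFRM_POLICY)


if __name__ == "__main__":
    for reqid, t in sorted(tunnels(live_policies()).items()):
        print(f"reqid {reqid}: peer {t['peer']} dirs {t['dirs']} "
              f"selectors {sorted(t['selectors'])}")
```

Run it on the gateway while clients are connected and compare with `ip link`: the interface list stays the same as tunnels come and go, because each tunnel exists only as SPD entries (shown here) and SAD entries (`ip xfrm state`). The one exception is kernel-libipsec, which Noel mentions, where a single interface is shared by all tunnels.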

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Varun Singh
On Wed, Jan 18, 2017 at 10:44 PM, Noel Kuntze wrote:
> On 18.01.2017 18:11, Varun Singh wrote:
>> Yet another concern related to this. From what I know, VPN server
>> creates a new virtual network interface for every VPN client
>> connected.
> It doesn't.
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>

Okay. Surprisingly I was told in a discussion with a networking expert
that a new virtual network interface is created on server every time a
VPN client connects. Is there is link or document which states in
detail how server's network module functions when a client makes a
connection? Thanks.

-- 
Regards,
Varun

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Noel Kuntze
On 18.01.2017 18:11, Varun Singh wrote:
> Yet another concern related to this. From what I know, VPN server
> creates a new virtual network interface for every VPN client
> connected.
It doesn't.


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658





Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Varun Singh
On Mon, Jan 16, 2017 at 7:24 PM, Varun Singh wrote:
> On Mon, Jan 16, 2017 at 7:02 PM, Michael Schwartzkopff wrote:
>> On Monday, 16 January 2017, 18:55:35 you wrote:
>>> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff wrote:
>>> > On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
>>> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff wrote:
>>> >> > On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
>>> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote:
>>> >> >> > On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>>> >> >> >> Hi Varun,
>>> >> >> >>
>>> >> >> >> we have customers who have successfully been running up to 60k
>>> >> >> >> concurrent tunnels. In order to maximize performance please have
>>> >> >> >> a look at the use of hash tables for IKE_SA lookup
>>> >> >> >>
>>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>> >> >> >>
>>> >> >> >> as well as job priority management
>>> >> >> >>
>>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>> >> >> >>
>>> >> >> >> We also recommend to use file-based logging since writing to syslog
>>> >> >> >> extremely slows down the charon daemon
>>> >> >> >>
>>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>> >> >> >>
>>> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key
>>> >> >> >> exchange
>>> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
>>> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>>> >> >> >> maximum performance.
>>> >> >> >>
>>> >> >> >> ESP throughput is limited by the number of available cores and the
>>> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
>>> >> >> >>
>>> >> >> >> Best regards
>>> >> >> >>
>>> >> >> >> Andreas
>>> >> >> >>
>>> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
>>> >> >> >> > Hi,
>>> >> >> >> > As I understand, strongSwan supports scalability from 4.x
>>> >> >> >> > onwards. I
>>> >> >> >> > am new to strongSwan and to VPN in general.
>>> >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
>>> >> >> >> > Though I have read that strongSwan supports scalability, I
>>> >> >> >> > couldn't
>>> >> >> >> > find stats to support it.
>>> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can
>>> >> >> >> > support
>>> >> >> >> > upto 100k simultaneous connections*. Hence I need to find
>>> >> >> >> > pointers
>>> >> >> >> > to
>>> >> >> >> > obtain this kind of information.
>>> >> >> >
>>> >> >> > hi,
>>> >> >> >
>>> >> >> > I think further scaling might be possible with loadbalancers. But
>>> >> >> > this
>>> >> >> > is
>>> >> >> > topic of deeper investigation of the project.
>>> >> >> >
>>> >> >> > Kind regards,
>>> >> >> >
>>> >> >> > Michael Schwartzkopff
>>> >> >> >
>>> >> >> > --
>>> >> >> > [*] sys4 AG
>>> >> >> >
>>> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>>> >> >> > Schleißheimer Straße 26/MG, 80333 München
>>> >> >> >
>>> >> >> > Registered office: Munich, Munich District Court: HRB 199263
>>> >> >> > Management board: Patrick Ben Koetter, Marc Schiffbauer
>>> >> >> > Chairman of the supervisory board: Florian Kirstein
>>> >> >> > ___
>>> >> >> > Users mailing list
>>> >> >> > Users@lists.strongswan.org
>>> >> >> > https://lists.strongswan.org/mailman/listinfo/users
>>> >> >>
>>> >> >> Thanks Michael,
>>> >> >> I was just searching whether load balancing is supported by strongSwan
>>> >> >> or not. Came across this thread:
>>> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>>> >> >>
>>> >> >> But this didn't lead to any conclusion.
>>> >> >> So is load balancing supported by strongSwan?
>>> >> >
>>> >> > if you use LVS before the VPN server does not know about the load
>>> >> > balancing. You would have to find a solution for the reverse traffic,
>>> >> > i.e. IP pools on the VPN server.
>>> >> >
>>> >> > LVS offers a feature to do loadbalancing with firewall marks. This
>>> >> > might
>>> >> > be
>>> >> > necessary for balancing IKE and ESP together.
>>> >> >
>>> >> > I don't know if a SA sync between strongswan servers is possible.
>>> >> >
>>> >> > But anyway: This setup should be designed and tested very carefully.
>>> >> >
>>> >> >
>>> >> > Kind regards,
>>> >> >
>>> >> > Michael Schwartzkopff
>>> >> >
>>> >> > --
>>> >> > [*] sys4 AG
>>> >> >
>>> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>>> >> > Schleißheimer Straße 26/MG, 80333 München
>>> >> >
>>> >> > Registered office: Munich, Munich District Court: HRB 199263
>>> >> > Management board: Patrick Ben Koetter, Marc Schiffbauer
>>> >> > Chairman of the supervisory board: Florian Kirstein
>>> >> >
>>> >> > ___
>>> >> > Users mailing l

Re: [strongSwan] Connect strongSwan and Squid on same server

2017-01-18 Thread Moataz Elmasry

Correct. No additional rules should be needed

On 01/18/2017 05:47 PM, Varun Singh wrote:

On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry wrote:

Hi,

I just had a similar problem, here's how I solved it:
- Assume strongswan is configured to hand out IPs from 10.3.0.0/16
Then:
iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128

The first rule will masquerade the traffic as usual from the private to the
public network. You need this anyway.
The second rule will redirect the traffic ONLY from your subnet to squid.




On 01/18/2017 05:33 PM, Varun Singh wrote:

Hi,
I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean, I am
trying to achieve the following:

[VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and
also when using the configured HTTP proxy without VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to port using IPTables. I
enter the following IPTables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting a log of /var/log/squid/access.log


1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480  0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-stat

Re: [strongSwan] Connect strongSwan and Squid on same server

2017-01-18 Thread Varun Singh
On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry wrote:
> Hi,
>
> I just had a similar problem, here's how I solved it:
> - Assume strongswan is configured to hand out IPs from 10.3.0.0/16
> Then:
> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
> iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>
> The first rule will masquerade the traffic as usual from the private to the
> public network. You need this anyway.
> The second rule will redirect the traffic ONLY from your subnet to squid.
>
>
>
>
> On 01/18/2017 05:33 PM, Varun Singh wrote:
>>
>> Hi,
>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>> 16.04 server and I am trying to connect both. By connect I mean, I am
>> trying to achieve the following:
>>
>> [VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]
>>
>> My objective is to connect a VPN client to the VPN server and use Squid
>> for filtering out blocked URLs. strongSwan and Squid work fine on
>> their own. I can access the internet when connected to the VPN server and
>> also when using the configured HTTP proxy without VPN.
>>
>> From what I understand, to achieve what I want, I am supposed to
>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>> enter the following IPTables rule:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> Once I do this and try to access the internet from a connected VPN client,
>> I get an error. Pasting a log of /var/log/squid/access.log
>>
>>
>> 1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
>> 1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
>> 1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
>> 1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
>> 1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
>> 1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
>> 1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>> 1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
>> 1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
>> 1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
>> 1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
>> 1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>> 1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
>> 1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
>> 1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
>> 1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
>> 1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
>> 1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
>> 1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
>> 1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
>> 1484739056.258  0 10.

Re: [strongSwan] Connect strongSwan and Squid on same server

2017-01-18 Thread Moataz Elmasry

Hi,

I just had a similar problem, here's how I solved it:
- Assume strongswan is configured to hand out IPs from 10.3.0.0/16
Then:
iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128


The first rule will masquerade the traffic as usual from the private to
the public network. You need this anyway.

The second rule will redirect the traffic ONLY from your subnet to squid.



On 01/18/2017 05:33 PM, Varun Singh wrote:

Hi,
I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean, I am
trying to achieve the following:

[VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and
also when using the configured HTTP proxy without VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to port using IPTables. I
enter the following IPTables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting a log of /var/log/squid/access.log


1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480  0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484739057.106  0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- te

[strongSwan] Connect strongSwan and Squid on same server

2017-01-18 Thread Varun Singh
Hi,
I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean, I am
trying to achieve the following:

[VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and
also when using the configured HTTP proxy without VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to port using IPTables. I
enter the following IPTables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting a log of /var/log/squid/access.log


1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
- HIER_NONE/- text/html
1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480  0 10.99.1.1 TCP_DENIED/403 4290 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484739057.106  0 10.99.1.1 TAG_NONE/400 3994 GET
/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484739057.166  0 10.99.1.1 TAG_NONE/400 3970 GET
/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484739057.211  0 10.99.1.1 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484739057.267  0 10.99.1.1 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484739057.340  0 10.99.1.1 TAG_NONE/400 3982 GET
/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484739057.436  0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
HIER_NONE/- text/html
1484739060.563
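An added example, not code from the post or from strongSwan or Squid: a small parser for Squid's native access.log layout (the format of the log quoted above) that counts, per client, the result code and whether the request reached the proxy as an absolute URL, a CONNECT authority, or a bare path; the sample lines are copied from the quoted log. A bare path is what a client sends to the origin server itself, so it is how NAT-redirected traffic looks to the proxy, and separating it from proxy-aware requests shows which client population each error class belongs to.

```python
# Added example (not from the post): parse Squid native access.log lines and
# count how each client reached the proxy. Sample lines copied from the post.
from collections import Counter
from typing import NamedTuple
from urllib.parse import urlsplit

# Native format: time elapsed client result/status bytes method url user hier/host type
SAMPLE_LOG = """\
1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739057.436  0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico - HIER_NONE/- text/html
"""

class SquidEntry(NamedTuple):
    ts: float
    client: str
    result: str   # Squid result code, e.g. TCP_DENIED, TAG_NONE
    status: int   # HTTP status returned to the client
    method: str
    url: str

def parse_line(line: str) -> SquidEntry:
    """Parse one native-format line; ValueError on a truncated line."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"truncated or non-native log line: {line!r}")
    result, status = f[3].split("/", 1)
    return SquidEntry(float(f[0]), f[2], result, int(status), f[5], f[6])

def request_form(entry: SquidEntry) -> str:
    """'absolute' (http://host/path, sent by a proxy-aware client), 'authority'
    (host:port, a CONNECT tunnel) or 'origin' (bare /path, what a client sends
    to the origin server, i.e. how NAT-redirected traffic reaches a proxy port)."""
    if entry.method == "CONNECT":
        return "authority"
    return "absolute" if urlsplit(entry.url).scheme else "origin"

def summarize(log_text: str) -> Counter:
    """Count (client, result/status, request form) triples; skip bad lines."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        try:
            e = parse_line(line)
        except ValueError:
            continue
        counts[(e.client, f"{e.result}/{e.status}", request_form(e))] += 1
    return counts
```

Running `summarize` over the full quoted log separates the 403s from the public address (all absolute-URL or CONNECT requests) from the 400s from 10.99.1.1 (all bare paths), and the truncated last line is skipped rather than crashing the parser.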