Re: [strongSwan] Strongswan. Address definition/Routing.
Hi,

That is because Windows and MacOS implement crappy route-based IPsec which conceptually cannot protect traffic to the IKE peer's address (unless policy-based routing is used, which neither Windows nor MacOS implement).

Kind regards
Noel

On 13.09.2017 17:14, Aleksey Kravchenko wrote:
> Hello. I need your advice.
> The work of Strongswan + IKEv2 is configured. Everything works fine (on iOS,
> macOS, windows, linux), but I noticed strange behavior in VPN's work. There
> is a server on which Strongswan and Nginx are installed. When you connect to
> the VPN and go to the site which is located in the same place as the
> strongswan daemon, the nginx log shows different addresses for connections.
> For instance: android / linux -> login from the address issued by the VPN
> (for example, 192.168.1.2).
> windows / macos -> login from the usual address (provider address).
> But if you go to the IP detection server, the result for all devices is the
> same: you logged in from the VPN server. Maybe you have any thoughts about
> this? Thank you!
Re: [strongSwan] 24/7/365 tunnel?
Hi,

DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs. It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router would expire). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.

Use auto=route (swanctl equivalent is start_action=trap), as advised previously.

Kind regards
Noel

On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> On 13.09.2017 at 17:33, Eric Germann wrote:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep
>> interesting traffic going and it will stay up.
>>
>> If you have the ability to set "auto = route" it will reestablish the tunnel
>> as needed. We run several hundred tunnels this way in AWS without issue.
>>
>> EKG
>>
>>
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>>>
>>> I’m trying to setup a tunnel between two regions in
>>> AWS.
>>>
>>> Works fine, other than the fact that Strongswan seems to take
>>> down the tunnel automatically (?) after a few hours.
>>>
>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>> the connection automatically?
>>>
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>
>
> Michael Schwartzkopff
>
> Kind regards,
>
Re: [strongSwan] General Question about NFLOG
Hi,

That is not possible in iptables, because there is no chain between *nat POSTROUTING and the XFRM encapsulation in Netfilter.

However, I think you can work around that by loading the nftables kernel module at the same time and creating and using a chain with the correct[1] priority, so it is called after the iptables *nat POSTROUTING chain, but before the XFRM encapsulation. In that chain, you would then call the NFLOG target similarly as you currently do in *mangle POSTROUTING.

Kind regards
Noel

[1] The correct priority would be between the one of the *nat POSTROUTING chain and the XFRM encapsulation. I do not know those priorities from the top of my head, but you can find that probably somewhere on the WWW.

PS: The route is irrelevant

On 13.09.2017 20:20, Thomas Will wrote:
>
> Hello,
>
> I have a general question about nflog.
>
> When I establish a vpn-con like 192.168.200.0/24 - to - 192.168.44.0/24
>
> and on my site there is an interface on vpn-gw like 192.168.200.1, I am able
>
> to capture the output decap traffic in nflog:5 with
>
> iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG
> --nflog-group 5
>
> and
>
> tcpdump -ni nflog:5
>
> But when I establish a vpn-conn like 192.168.11.0/24 - to - 192.168.44.0/24
>
> and my local subnet is still 192.168.200.0/24 ... so I have to snat my subnet
> to 192.168.11.0/24
>
> iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.44.0/24 -o
> $WAN -j NETMAP --to 192.168.11.0/24
>
> there is no route in table 220 ... and I am not able to capture the
> decapsulated IPsec out traffic
>
>
>
> is there any way to do this anyway?
>
> regards
>
> --
> Thomas Will
>
> Xinux e.K.
> Wichernstrasse 18
> 66482 Zweibruecken
>
> Registration court
> Amtsgericht Zweibruecken
> HRA 1518
>
> P: +49 6332 44040
> F: +49 6332 899227
> M: +49 170 5218548
> M: +49 176 97497102
>
> E: thomas.w...@xinux.de
> W: http://www.xinux.com
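An nftables ruleset that implements the workaround Noel describes, added here as an example (it is not from the thread). It assumes the iptables *nat POSTROUTING hook sits at Netfilter priority 100 (NF_IP_PRI_NAT_SRC), so a chain at priority 110 runs after NETMAP but still before XFRM encapsulation; the table and chain names are arbitrary.

```nft
# Added example, not from the list thread.
# Assumption: iptables *nat POSTROUTING is registered at priority 100
# (NF_IP_PRI_NAT_SRC). A chain on the same hook at priority 110 is
# therefore called after it, while the XFRM output transformation only
# happens once the postrouting hook has returned.
table ip nflog_ipsec {
    chain post_nat_log {
        # Same hook as *nat POSTROUTING, ordered just after it.
        type filter hook postrouting priority 110; policy accept;

        # NETMAP has already rewritten the source here, so the rule can
        # match on the translated subnet that the IPsec policy covers
        # (192.168.11.0/24 -> 192.168.44.0/24 from the thread) and copy
        # the still clear-text packet to nflog group 5.
        ip saddr 192.168.11.0/24 ip daddr 192.168.44.0/24 log prefix "ipsec-out-pre-encap: " group 5
    }
}
```

Load it with `nft -f <file>` while the existing iptables rules stay in place (both hook into the same postrouting point and are ordered by priority), then capture as before with `tcpdump -ni nflog:5`; `nft list ruleset` shows the chain next to the iptables tables if iptables-nft is in use.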
[strongSwan] General Question about NFLOG
Hello,

I have a general question about nflog.

When I establish a vpn-con like 192.168.200.0/24 - to - 192.168.44.0/24 and on my site there is an interface on vpn-gw like 192.168.200.1, I am able to capture the output decap traffic in nflog:5 with

iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

and

tcpdump -ni nflog:5

But when I establish a vpn-conn like 192.168.11.0/24 - to - 192.168.44.0/24 and my local subnet is still 192.168.200.0/24 ... so I have to snat my subnet to 192.168.11.0/24

iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.44.0/24 -o $WAN -j NETMAP --to 192.168.11.0/24

there is no route in table 220 ... and I am not able to capture the decapsulated IPsec out traffic

is there any way to do this anyway?

regards
--
Thomas Will

Xinux e.K.
Wichernstrasse 18
66482 Zweibruecken

Registration court
Amtsgericht Zweibruecken
HRA 1518

P: +49 6332 44040
F: +49 6332 899227
M: +49 170 5218548
M: +49 176 97497102

E: thomas.w...@xinux.de
W: http://www.xinux.com
Re: [strongSwan] strongswan not picking up traffic
What happened when you initiate the host-host connection from any side? Can you share your ipsec.conf file contents so I could see if there are any mistakes over there? One more question: how are your firewall rules configured? Do they allow udp 500, 4500, ah, esp protocols from both sides?

Anvar Kuchkartaev
an...@anvartay.com

From: Chengcheng Fu
Sent: Wednesday, 13 September 2017 06:27 p.m.
To: users@lists.strongswan.org
Subject: [strongSwan] strongswan not picking up traffic

Hi,

I'm trying to setup a GRE over IPSec. I have the GRE working, but Strongswan wouldn't pick up the gre traffic and encrypt it.

Following is my topology

hub 192.168.23.193 - 192.168.23.203 spoke

And here is my output.

Hub side:

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
  uptime: 108 seconds, since Sep 14 00:23:00 2017
  malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  192.168.23.193
  192.168.34.1
Connections:
   host-host:  192.168.23.193...%any  IKEv2
   host-host:   local:  [192.168.23.193] uses pre-shared key authentication
   host-host:   remote: uses pre-shared key authentication
   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
  none

Spoke side:

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
  uptime: 4 seconds, since Sep 14 00:17:44 2017
  malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  192.168.23.203
  192.168.34.3
Connections:
   host-host:  192.168.23.203...192.168.23.193  IKEv2
   host-host:   local:  [192.168.23.203] uses pre-shared key authentication
   host-host:   remote: [192.168.23.193] uses pre-shared key authentication
   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
  none

Any thoughts?

Regards,
Terry
[strongSwan] strongswan not picking up traffic
Hi,

I'm trying to setup a GRE over IPSec. I have the GRE working, but Strongswan wouldn't pick up the gre traffic and encrypt it.

Following is my topology

hub 192.168.23.193 - 192.168.23.203 spoke

And here is my output.

Hub side:

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
  uptime: 108 seconds, since Sep 14 00:23:00 2017
  malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  192.168.23.193
  192.168.34.1
Connections:
   host-host:  192.168.23.193...%any  IKEv2
   host-host:   local:  [192.168.23.193] uses pre-shared key authentication
   host-host:   remote: uses pre-shared key authentication
   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
  none

Spoke side:

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
  uptime: 4 seconds, since Sep 14 00:17:44 2017
  malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  192.168.23.203
  192.168.34.3
Connections:
   host-host:  192.168.23.203...192.168.23.193  IKEv2
   host-host:   local:  [192.168.23.203] uses pre-shared key authentication
   host-host:   remote: [192.168.23.193] uses pre-shared key authentication
   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
  none

Any thoughts?

Regards,
Terry
Re: [strongSwan] 24/7/365 tunnel?
On 13.09.2017 at 17:33, Eric Germann wrote:
> Usually if it "takes down the tunnel" it's due to no traffic. Keep
> interesting traffic going and it will stay up.
>
> If you have the ability to set "auto = route" it will reestablish the tunnel
> as needed. We run several hundred tunnels this way in AWS without issue.
>
> EKG
>
>
>> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>>
>> I’m trying to setup a tunnel between two regions in
>> AWS.
>>
>> Works fine, other than the fact that Strongswan seems to take
>> down the tunnel automatically (?) after a few hours.
>>
>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>> the tunnel goes down, for whatever reason, that it will reinitiate
>> the connection automatically?
>>

Dead Peer Detection (DPD) sends packets that keep the tunnel up.

Michael Schwartzkopff

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
Re: [strongSwan] 24/7/365 tunnel?
Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting traffic going and it will stay up.

If you have the ability to set "auto = route" it will reestablish the tunnel as needed. We run several hundred tunnels this way in AWS without issue.

EKG

> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>
> I’m trying to setup a tunnel between two regions in
> AWS.
>
> Works fine, other than the fact that Strongswan seems to take
> down the tunnel automatically (?) after a few hours.
>
> How can I 1) make sure there’s no timeout (?) and 2) that IF
> the tunnel goes down, for whatever reason, that it will reinitiate
> the connection automatically?
>
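The "auto=route" advice Eric gives here and Noel's note that the swanctl equivalent is start_action=trap, written out as an added example (not configuration from either poster): the legacy ipsec.conf form and the swanctl.conf form side by side. The connection name, subnets, peer address (203.0.113.10, documentation range) and timers are placeholders.

```conf
# Added example, not from the list thread. Placeholder names/addresses.
# ipsec.conf (stroke): a trap policy is installed at start-up, and the first
# packet that matches it (re)negotiates the tunnel, so a peer deleting the
# SAs or a DPD timeout only means the next packet triggers a new IKE_SA.
conn aws-east-west
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=10.10.0.0/16
    right=203.0.113.10
    rightsubnet=10.20.0.0/16
    authby=secret
    auto=route             # trap policy instead of auto=start
    keyingtries=%forever   # never give up re-initiating
    dpddelay=30s
    dpdaction=restart      # re-initiate as soon as DPD declares the peer dead
    closeaction=hold       # peer deleted the CHILD_SA: re-install the trap

# swanctl.conf equivalent of the same connection.
connections {
    aws-east-west {
        version = 2
        remote_addrs = 203.0.113.10
        local  { auth = psk }
        remote { auth = psk }
        dpd_delay = 30s
        keyingtries = 0        # 0 = retry indefinitely (%forever above)
        children {
            east-west {
                local_ts  = 10.10.0.0/16
                remote_ts = 10.20.0.0/16
                start_action = trap    # same as auto=route
                dpd_action   = restart # same as dpdaction=restart
                close_action = trap    # same as closeaction=hold
            }
        }
    }
}
```

DPD alone, as Noel explains above, only keeps the IKE_SA alive; it is the trap policy that brings the CHILD_SA back when either side has torn it down.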
[strongSwan] Strongswan. Address definition/Routing.
Hello. I need your advice.

The work of Strongswan + IKEv2 is configured. Everything works fine (on iOS, macOS, windows, linux), but I noticed strange behavior in VPN's work. There is a server on which Strongswan and Nginx are installed. When you connect to the VPN and go to the site which is located in the same place as the strongswan daemon, the nginx log shows different addresses for connections.

For instance: android / linux -> login from the address issued by the VPN (for example, 192.168.1.2).
windows / macos -> login from the usual address (provider address).

But if you go to the IP detection server, the result for all devices is the same: you logged in from the VPN server. Maybe you have any thoughts about this?

Thank you!
[strongSwan] 24/7/365 tunnel?
I’m trying to setup a tunnel between two regions in AWS.

Works fine, other than the fact that Strongswan seems to take down the tunnel automatically (?) after a few hours.

How can I 1) make sure there’s no timeout (?) and 2) that IF the tunnel goes down, for whatever reason, that it will reinitiate the connection automatically?