Re: [strongSwan] Strongswan. Address definition/Routing.

2017-09-13 Thread Noel Kuntze
Hi,

That is because Windows and macOS implement crappy route-based IPsec which 
conceptually cannot protect traffic to the IKE peer's
address (unless policy-based routing is used, which neither Windows nor macOS 
implement).

Kind regards

Noel

On 13.09.2017 17:14, Aleksey Kravchenko wrote:
> Hello. I need your advice.
> Strongswan + IKEv2 is configured and everything works fine (on iOS, 
> macOS, Windows, Linux), but I noticed strange behavior in the VPN's operation. There 
> is a server on which Strongswan and Nginx are installed. When you connect to 
> the VPN and go to the site which is located in the same place as the 
> strongswan daemon, the nginx log shows different addresses for connections. 
> For instance:
> android / linux -> login from the address issued by the VPN 
> (for example, 192.168.1.2).
> windows / macos -> login from the usual address (provider address).
> But if you go to an IP detection server, the result for all devices is the 
> same: you logged in from the VPN server. Do you have any thoughts about 
> this? Thank you!





Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Noel Kuntze
Hi,

DPD just checks if the remote peer is still "there" and reachable. It doesn't 
do anything with the CHILD_SAs.
It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work 
anymore if the NAT mapping on an intermediate NAT router
expired). Peers are free to delete CHILD_SAs and IKE_SAs without 
renegotiating new ones, destroying the tunnel.

Use auto=route (swanctl equivalent is start_action=trap), as advised previously.

Kind regards

Noel

On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> On 13.09.2017 at 17:33, Eric Germann wrote:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
>> interesting traffic going and it will stay up.
>>
>> If you have the ability to set "auto = route" it will reestablish the tunnel 
>> as needed. We run several hundred tunnels this way in AWS without issue.  
>>
>> EKG
>>
>>
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>>>
>>> I'm trying to set up a tunnel between two regions in
>>> AWS.
>>>
>>> Works fine, other than the fact that Strongswan seems to take
>>> down the tunnel automatically (?) after a few hours.
>>>
>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>> the connection automatically?
>>>
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>
>
> Michael Schwartzkopff
>
> Kind regards,
>





Re: [strongSwan] General Question about NFLOG

2017-09-13 Thread Noel Kuntze
Hi,

That is not possible in iptables, because there is no chain between *nat 
POSTROUTING and the XFRM encapsulation in Netfilter.

However, I think you can work around that by loading the nftables kernel module 
at the same time and creating and using
a chain with the correct[1] priority, so it is called after the iptables *nat 
POSTROUTING chain, but before the XFRM encapsulation.

In that chain, you would then call the NFLOG target similarly to how you currently 
do in *mangle POSTROUTING.

Kind regards

Noel

[1] The correct priority would be between the one of the *nat POSTROUTING chain 
and the XFRM encapsulation. I do not know those priorities
off the top of my head, but you can probably find them somewhere on the 
WWW.

PS: The route is irrelevant

On 13.09.2017 20:20, Thomas Will wrote:
>
> Hello,
>
> I have a general question about nflog.
>
> When I establish a VPN connection like  192.168.200.0/24 - to - 192.168.44.0/24
>
> and on my site there is an interface on the VPN gateway like 192.168.200.1, I am able
>
> to capture the output decap traffic in nflog:5 with 
>
> iptables -t mangle -I POSTROUTING  -m policy --pol ipsec --dir out -j NFLOG 
> --nflog-group 5
>
> and
>
> tcpdump -ni nflog:5
>
> But when I establish a VPN connection like  192.168.11.0/24 - to - 192.168.44.0/24
>
> and my local subnet is still 192.168.200.0/24 ... so I have to SNAT my subnet 
>  to 192.168.11.0/24
>
> iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.44.0/24  -o 
> $WAN -j NETMAP --to 192.168.11.0/24
>
> there is no route in table 220 ... and I am not able to capture the 
> decapsulated IPsec out traffic
>
> 
>
> is there any way to do this anyway?
>
> regards
>
> -- 
> Thomas Will 
>
> Xinux e.K.
> Wichernstrasse 18
> 66482 Zweibruecken
>
> Register court
> Amtsgericht Zweibruecken
> HRA 1518
>
> P: +49 6332 44040
> F: +49 6332 899227
> M: +49 170 5218548
> M: +49 176 97497102
>
> E: thomas.w...@xinux.de
> W: http://www.xinux.com
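To make the workaround above concrete, here is an added example nftables ruleset (not from the original thread): a chain on the postrouting hook with a priority above the kernel's source-NAT priority (100), so it sees the NETMAP'd addresses and copies those packets to the same nflog group 5. The priority value 150 and the address-based match (instead of an IPsec policy match) are assumptions to adjust for your kernel and setup.

```nft
# Added example, not from the thread: nftables chain that runs in the
# postrouting hook after iptables *nat POSTROUTING (priority 100 is the
# kernel's NF_IP_PRI_NAT_SRC), so it sees the source address already
# rewritten by NETMAP before XFRM encapsulation takes place.
# priority 150 is an assumption; it only needs to be greater than 100.
table inet ipsec_post_nat {
    chain log_pre_encap_out {
        type filter hook postrouting priority 150; policy accept;

        # Traffic from the NETMAP'd subnet towards the remote IPsec subnet
        # is copied to nflog group 5, readable with "tcpdump -ni nflog:5".
        ip saddr 192.168.11.0/24 ip daddr 192.168.44.0/24 log group 5 prefix "ipsec-pre-encap: "
    }
}
```

Load it with `nft -f` alongside the existing iptables rules; the nftables hook coexists with the iptables-legacy chains, and the existing *mangle NFLOG rule can stay in place for the non-NATed case.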




[strongSwan] General Question about NFLOG

2017-09-13 Thread Thomas Will

Hello,

I have a general question about nflog.

When I establish a VPN connection like  192.168.200.0/24 - to - 192.168.44.0/24

and on my site there is an interface on the VPN gateway like 192.168.200.1, I am 
able


to capture the output decap traffic in nflog:5 with

iptables -t mangle -I POSTROUTING  -m policy --pol ipsec --dir out -j 
NFLOG --nflog-group 5


and

tcpdump -ni nflog:5

But when I establish a VPN connection like  192.168.11.0/24 - to - 192.168.44.0/24

and my local subnet is still 192.168.200.0/24 ... so I have to SNAT my 
subnet  to 192.168.11.0/24


iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.44.0/24  
-o $WAN -j NETMAP --to 192.168.11.0/24


there is no route in table 220 ... and I am not able to capture the 
decapsulated IPsec out traffic




is there any way to do this anyway?

regards

--
Thomas Will

Xinux e.K.
Wichernstrasse 18
66482 Zweibruecken

Register court
Amtsgericht Zweibruecken
HRA 1518

P: +49 6332 44040
F: +49 6332 899227
M: +49 170 5218548
M: +49 176 97497102

E: thomas.w...@xinux.de
W: http://www.xinux.com



Re: [strongSwan] strongswan not picking up traffic

2017-09-13 Thread Anvar Kuchkartaev
What happened when you initiated the host-host connection from either side? Can you share your ipsec.conf file contents so I could see if there are any mistakes? One more question: how are your firewall rules configured? Do they allow UDP 500, 4500, AH and ESP protocols from both sides?

Anvar Kuchkartaev
an...@anvartay.com

From: Chengcheng Fu
Sent: Wednesday, 13 September 2017 06:27 p.m.
To: users@lists.strongswan.org
Subject: [strongSwan] strongswan not picking up traffic

Hi,

I'm trying to set up GRE over IPsec.

I have the GRE working, but Strongswan wouldn't pick up the GRE traffic and encrypt it.

Following is my topology

hub 192.168.23.193 - 192.168.23.203 spoke

And here is my output.

Hub side:
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 108 seconds, since Sep 14 00:23:00 2017
malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
192.168.23.193
192.168.34.1
Connections:
host-host: 192.168.23.193...%any IKEv2
host-host: local: [192.168.23.193] uses pre-shared key authentication
host-host: remote: uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none

Spoke side:
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 4 seconds, since Sep 14 00:17:44 2017
malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
192.168.23.203
192.168.34.3
Connections:
host-host: 192.168.23.203...192.168.23.193 IKEv2
host-host: local: [192.168.23.203] uses pre-shared key authentication
host-host: remote: [192.168.23.193] uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none

Any thoughts?

Regards,

Terry



[strongSwan] strongswan not picking up traffic

2017-09-13 Thread Chengcheng Fu

Hi,

I'm trying to set up GRE over IPsec.

I have the GRE working, but Strongswan wouldn't pick up the GRE traffic and 
encrypt it.

Following is my topology

hub 192.168.23.193 - 192.168.23.203 spoke


And here is my output.
Hub side:
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 108 seconds, since Sep 14 00:23:00 2017
malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation 
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp 
curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke 
vici updown xauth-generic
Listening IP addresses:
192.168.23.193
192.168.34.1
Connections:
host-host: 192.168.23.193...%any IKEv2
host-host: local: [192.168.23.193] uses pre-shared key authentication
host-host: remote: uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none



Spoke side:
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 4 seconds, since Sep 14 00:17:44 2017
malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation 
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp 
curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke 
vici updown xauth-generic
Listening IP addresses:
192.168.23.203
192.168.34.3
Connections:
host-host: 192.168.23.203...192.168.23.193 IKEv2
host-host: local: [192.168.23.203] uses pre-shared key authentication
host-host: remote: [192.168.23.193] uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none



Any thoughts?

Regards,

Terry

Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Michael Schwartzkopff
On 13.09.2017 at 17:33, Eric Germann wrote:
> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
> interesting traffic going and it will stay up.
>
> If you have the ability to set "auto = route" it will reestablish the tunnel 
> as needed. We run several hundred tunnels this way in AWS without issue.  
>
> EKG
>
>
>> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>>
>> I'm trying to set up a tunnel between two regions in
>> AWS.
>>
>> Works fine, other than the fact that Strongswan seems to take
>> down the tunnel automatically (?) after a few hours.
>>
>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>> the tunnel goes down, for whatever reason, that it will reinitiate
>> the connection automatically?
>>
Dead Peer Detection (DPD) sends packets that keep the tunnel up.


Michael Schwartzkopff

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein






Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Eric Germann
Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting 
traffic going and it will stay up.

If you have the ability to set "auto = route" it will reestablish the tunnel as 
needed. We run several hundred tunnels this way in AWS without issue.  

EKG


> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
> 
> I'm trying to set up a tunnel between two regions in
> AWS.
> 
> Works fine, other than the fact that Strongswan seems to take
> down the tunnel automatically (?) after a few hours.
> 
> How can I 1) make sure there’s no timeout (?) and 2) that IF
> the tunnel goes down, for whatever reason, that it will reinitiate
> the connection automatically?
> 




[strongSwan] Strongswan. Address definition/Routing.

2017-09-13 Thread Aleksey Kravchenko
Hello. I need your advice.
Strongswan + IKEv2 is configured and everything works fine (on
iOS, macOS, Windows, Linux), but I noticed strange behavior in the VPN's operation.
There is a server on which Strongswan and Nginx are installed. When you
connect to the VPN and go to the site which is located in the same place as
the strongswan daemon, the nginx log shows different addresses for
connections. For instance:
android / linux -> login from the address issued
by the VPN (for example, 192.168.1.2).
windows / macos -> login from the usual address (provider address).
But if you go to an IP detection server, the result for all devices is the
same: you logged in from the VPN server. Do you have any thoughts about
this? Thank you!


[strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Turbo Fredriksson
I'm trying to set up a tunnel between two regions in
AWS.

Works fine, other than the fact that Strongswan seems to take
down the tunnel automatically (?) after a few hours.

How can I 1) make sure there’s no timeout (?) and 2) that IF
the tunnel goes down, for whatever reason, that it will reinitiate
the connection automatically?


