[strongSwan] Scepclient failed to generate certificate

2018-02-13 Thread Boris Levin
Hi,

I'm new to the scepclient feature, I'm trying to get a certificate and currently
with no success.

I'm using the examples provided in the scepclient man page:

ipsec scepclient --out caCert --url * -f
finishes successfully and generates 3 cert files under the cacerts dir.


ipsec scepclient --out pkcs1=localKey.der --out cert=localCert.der \
    --dn 'C=CH, CN=John Doe' -k 2048 -p password --url ** \
    --in cacert-enc=caCert-ra-2.der --in cacert-sig=caCert-ra-1.der -f

this command hangs on:

building pkcs7 request

what am I missing?

note: I'm building my kernel from sources using buildroot.

BR.

--


Re: [strongSwan] Accessing VPN client from private network

2018-02-13 Thread Tobias Brunner
Hi Marco,

> VPN Client -> Gateway -> internal network with some servers
> The VPN gets an IP from DHCP Server (i.e 192.168.1.100)
> Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100
> Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does 
> not work.
> 
> What am I missing?

See [1].

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-LAN


[strongSwan] Accessing VPN client from private network

2018-02-13 Thread Marco Spinola Durante
Hi,

sorry if my question has already been posted, but I could not find an answer:

Is it possible to access a VPN client from the private network?

I'll make an example (I have strongSwan in place for the VPN):

VPN Client -> Gateway -> internal network with some servers
The VPN client gets an IP from the DHCP server (i.e. 192.168.1.100)
Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100
Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does
not work.

What am I missing?

BR
Marco

[strongSwan] Which strongSwan plugin to securely store/retrieve the PSKs ?

2018-02-13 Thread Abulius, Mugur (Nokia - FR/Paris-Saclay)
Hello,
For a strongSwan client/server configuration using PSKs for IPsec 
authentication I am looking for a way to securely store/retrieve the PSKs.
The client uses a HW-based TPM. The server uses an in-house CryptoAgent 
software with similar TPM functionalities.
I have seen the "Trusted Platform Module" plug-in 
(https://wiki.strongswan.org/projects/strongswan/wiki/TPMPlugin) and I wonder 
if it is a good starting point for our problem.
Does strongSwan invoke this plug-in when it needs to store/retrieve a PSK?
Thank you
Mugur



Re: [strongSwan] Pre-shared secret and digital certificate simultaneously

2018-02-13 Thread karthik kumar
You can have the server (responder) authenticate itself using a certificate and
the client (initiator) authenticate using a PSK.

Something like this:

client
  leftauth=secret
  rightauth=pubkey

server
  leftauth=pubkey
  rightauth=secret


Yes, you put both entries in ipsec.secrets:

: RSA  
: PSK 


Thanks




On Wed, Feb 7, 2018 at 6:33 AM, Newton, Benjamin David 
wrote:

> Can anyone tell me if strongswan is able to support Authentication using
> both a pre-shared secret and a digital certificate simultaneously?
>
>
> If so, can you give me any pointers on how to configure such a connecton?
> Do you keep authby=secret line?  Do you put both entries in the
> ipsec.secrets file?
>
>
> Thanks,
>
>   Ben Newton
>


Re: [strongSwan] can't connect to SonicWall VPN with strongSwan

2018-02-13 Thread Dave Schmidt
I tried enabling the unity option as shown below but I still get the same
log output.

/etc/strongswan.d/charon.conf:# Send Cisco Unity vendor ID payload
(IKEv1 only).
/etc/strongswan.d/charon.conf:cisco_unity = yes
/etc/strongswan.d/charon/unity.conf:unity {
/etc/strongswan.d/charon/unity.conf-load = yes

Here is what I see in my terminal after 'sudo ipsec up test3' :

initiating Aggressive Mode IKE_SA test3[1] to xxx.yyy.xxx.yyy
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.34[500] to xxx.yyy.xxx.yyy[500] (396 bytes)
received packet: from xxx.yyy.xxx.yyy[500] to 192.168.1.34[500] (408 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D V V HASH ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.34[4500] to xxx.yyy.xxx.yyy[4500] (108 bytes)
received packet: from xxx.yyy.xxx.yyy[4500] to 192.168.1.34[4500] (76 bytes)
parsed TRANSACTION request 375526604 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 375526604 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.34[4500] to xxx.yyy.xxx.yyy[4500] (92 bytes)
received packet: from xxx.yyy.xxx.yyy[4500] to 192.168.1.34[4500] (92 bytes)
queueing INFORMATIONAL_V1 request as tasks still active
received packet: from xxx.yyy.xxx.yyy[4500] to 192.168.1.34[4500] (76 bytes)
parsed TRANSACTION request 1995451065 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'dschmidt' (myself) successful
IKE_SA test3[1] established between 192.168.1.34[192.168.1.34]...
xxx.yyy.xxx.yyy[0017C56721AC]
scheduling reauthentication in 27800s
maximum IKE_SA lifetime 28340s
generating TRANSACTION response 1995451065 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.34[4500] to xxx.yyy.xxx.yyy[4500] (76 bytes)
parsed INFORMATIONAL_V1 request 3572062565 [ HASH N(INITIAL_CONTACT) ]
generating TRANSACTION request 3329385279 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.34[4500] to xxx.yyy.xxx.yyy[4500] (76 bytes)
received packet: from xxx.yyy.xxx.yyy[4500] to 192.168.1.34[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 184943178 [ HASH D ]
received DELETE for IKE_SA test3[1]
deleting IKE_SA test3[1] between 192.168.1.34[192.168.1.34]...
xxx.yyy.xxx.yyy[0017C56721AC]
initiating Aggressive Mode IKE_SA test3[2] to xxx.yyy.xxx.yyy
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.34[500] to xxx.yyy.xxx.yyy[500] (396 bytes)
establishing connection 'test3' failed

Thanks,
Dave

On Tue, Feb 13, 2018 at 7:33 AM, Dave Schmidt 
wrote:

> Thanks Justin. I tried changing modecfg to pull and already had
> leftsourceip=%config. The connection still failed similarly but this time
> there was no attempt to assign an IP to the responder.
>
>

> These are the parameters from the Global VPN client in Windows that will
> successfully connect:
> negotiated phase I parameters:
> 3DES-CBC (192 bits)
> MD5
> XAuth with PSK
> DH Group 2
>
> negotiated phase II parameters:
> ESP
> UDP encapsulation tunnel
> AES (256 bits)
> HMAC-SHA
> DH Group 2
>
> Destination proxy IDs:
> network   subnet mask  port  state
> 10.1.11.0 255.255.255.0BOOTPS  complete
> 10.1.11.0 255.255.255.0any   idle
> 10.1.24.0 255.255.248.0any
> idle
> 255.255.255.255any   idle
>
> Packet sending:
> response timeout  3 sec
> maximum attempts 3
> dead peer detection automatic
> check for dead peer every 5 sec
> assume peer is dead after 5 failed checks
>
> Networking:
> NAT traversal: automatic
>
> Global VPN client usually assigns me this virtual IP: 10.1.11.63
>
> I also know that the internal IP of the sonicWall is 10.1.30.1.
>
> Here is my ipsec.conf file:
> conn %default
>     keyexchange=ikev1
>     #added by DS
>     keyingtries=5
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1-modp1024
>
>     #added by DS
>     ikelifetime=28800s
>     lifetime=28800s
>     dpdaction=restart
>     dpdtimeout=150s
>     dpddelay=5s
>
>     #from roadwarrior config example
>     fragmentation=yes
>
> conn test3
>     aggressive=yes
>     authby=psk
>     leftauth=psk
>     rightauth=psk
>     leftauth2=xauth
>     xauth_identity=dschmidt
>     #modeconfig=push
>     modeconfig=pull
>
>     right=
>     rightauth=psk
>     #rightsourceip=%config
>     #rightsourceip=10.1.11.0/16
>     #rightsourceip=10.1.30.1
>     rightsubnet=0.0.0.0/0
>     rightid=%any
>
>     leftfirewall=yes
>     #virtual IP page says leftsubnet defaults to %dynamic and must not be set if virtual IP is desired
>     #leftsubnet=10.1.11.0/16
>     leftid=192.168.1.34
>     #documentation says required 
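Added here as an illustration, not code from the thread: a small Python summariser for charon output like the log above, reporting per IKE_SA whether XAuth completed, whether the SA was established, what the last TRANSACTION (mode config) request carried and whether the peer sent a DELETE. The sample log is constructed from the shape of the output quoted above, with a documentation-range address standing in for the redacted gateway.

```python
import re
from dataclasses import dataclass

# Constructed sample (abridged charon output of 'ipsec up test3'; 203.0.113.5 is a stand-in gateway).
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA test3[1] to 203.0.113.5
received XAuth vendor ID
XAuth authentication of 'dschmidt' (myself) successful
IKE_SA test3[1] established between 192.168.1.34[192.168.1.34]...203.0.113.5[gw]
generating TRANSACTION request 3329385279 [ HASH CPRQ(ADDR DNS) ]
parsed INFORMATIONAL_V1 request 184943178 [ HASH D ]
received DELETE for IKE_SA test3[1]
initiating Aggressive Mode IKE_SA test3[2] to 203.0.113.5
establishing connection 'test3' failed
"""

@dataclass
class SaReport:
    name: str
    xauth_ok: bool = False      # XAuth (phase 1.5) completed for this SA
    established: bool = False   # the IKE_SA reached the established state
    peer_deleted: bool = False  # the peer sent an IKEv1 DELETE for this SA
    last_request: str = ""      # payloads of our last TRANSACTION (mode config) request

RE_INIT = re.compile(r"initiating .*IKE_SA (\S+\[\d+\])")
RE_XAUTH = re.compile(r"XAuth authentication of '.*' \(myself\) successful")
RE_EST = re.compile(r"IKE_SA (\S+\[\d+\]) established")
RE_REQ = re.compile(r"generating TRANSACTION request \d+ \[ (.*) \]")
RE_DEL = re.compile(r"received DELETE for IKE_SA (\S+\[\d+\])")
RE_FAIL = re.compile(r"establishing connection '(\S+)' failed")

def summarise(log: str):
    """Return ({sa_name: SaReport}, name of the connection that failed or None)."""
    reports, current, failed = {}, None, None
    for line in log.splitlines():
        if m := RE_INIT.search(line):
            current = reports.setdefault(m.group(1), SaReport(m.group(1)))
        elif m := RE_FAIL.search(line):
            failed = m.group(1)
        elif current is None:
            continue  # lines before the first 'initiating' belong to no SA
        elif RE_XAUTH.search(line):
            current.xauth_ok = True
        elif m := RE_EST.search(line):
            reports.setdefault(m.group(1), SaReport(m.group(1))).established = True
        elif m := RE_REQ.search(line):
            current.last_request = m.group(1)
        elif m := RE_DEL.search(line):
            reports.setdefault(m.group(1), SaReport(m.group(1))).peer_deleted = True
    return reports, failed
```

Running `summarise(SAMPLE_LOG)` shows test3[1] authenticated and established, then deleted by the peer right after our CPRQ(ADDR DNS), while test3[2] never got past its first request before the connection was reported failed.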

Re: [strongSwan] can't connect to SonicWall VPN with strongSwan

2018-02-13 Thread Dave Schmidt
Thanks Justin. I tried changing modecfg to pull and already had
leftsourceip=%config. The connection still failed similarly but this time
there was no attempt to assign an IP to the responder.

These are the parameters from the Global VPN client in Windows that will
successfully connect:
negotiated phase I parameters:
3DES-CBC (192 bits)
MD5
XAuth with PSK
DH Group 2

negotiated phase II parameters:
ESP
UDP encapsulation tunnel
AES (256 bits)
HMAC-SHA
DH Group 2

Destination proxy IDs:
network   subnet mask  port  state
10.1.11.0 255.255.255.0BOOTPS  complete
10.1.11.0 255.255.255.0any   idle
10.1.24.0 255.255.248.0any   idle
255.255.255.255any   idle

Packet sending:
response timeout  3 sec
maximum attempts 3
dead peer detection automatic
check for dead peer every 5 sec
assume peer is dead after 5 failed checks

Networking:
NAT traversal: automatic

Global VPN client usually assigns me this virtual IP: 10.1.11.63

I also know that the internal IP of the sonicWall is 10.1.30.1.

Here is my ipsec.conf file:
conn %default
    keyexchange=ikev1
    #added by DS
    keyingtries=5
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024

    #added by DS
    ikelifetime=28800s
    lifetime=28800s
    dpdaction=restart
    dpdtimeout=150s
    dpddelay=5s

    #from roadwarrior config example
    fragmentation=yes

conn test3
    aggressive=yes
    authby=psk
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    xauth_identity=dschmidt
    #modeconfig=push
    modeconfig=pull

    right=
    rightauth=psk
    #rightsourceip=%config
    #rightsourceip=10.1.11.0/16
    #rightsourceip=10.1.30.1
    rightsubnet=0.0.0.0/0
    rightid=%any

    leftfirewall=yes
    #virtual IP page says leftsubnet defaults to %dynamic and must not be set if virtual IP is desired
    #leftsubnet=10.1.11.0/16
    leftid=192.168.1.34
    #documentation says required for arbitrary virtual IP for client from responder
    leftsourceip=%config
    auto=add

Thanks again,
Dave

On Mon, Feb 12, 2018 at 11:48 PM, Justin Pryzby 
wrote:

> On Mon, Feb 12, 2018 at 11:33:05PM -0600, Dave Schmidt wrote:
> > This is what I see in my terminal after 'sudo ipsec up test3' starting
> > after IKE phase 1:
> > XAuth authentication of '' (myself) successful
> > IKE_SA TEST3[1] established between
> > 192.168.1.34[192.168.1.34]...xxx.xxx.xxx.xxx[yy]
> > scheduling reauthentication in 27855s
> > maximum IKE_SA lifetime 28395s
> > generating TRANSACTION response 1072426005 [ HASH CPA(X_STATUS) ]
> > sending packet: from 192.168.1.34[4500] to xxx.xxx.xxx.xxx[4500] (76
> bytes)
> > assigning new lease to 'yyy'
> > assigning virtual IP 10.1.30.1 to peer 'yyy'
> > generating TRANSACTION request 420617457 [ HASH CPS(ADDR) ]
> > sending packet: from 192.168.1.34[4500] to xxx.xxx.xxx.xxx[4500] (76
> bytes)
> > received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.1.34[4500] (92
> bytes)
> > parsed INFORMATIONAL_V1 request 2093927451 [ HASH D ]
> > received DELETE for IKE_SA TEST3[1]
>
> I'm not sure, but it looks like strongswan is (trying to) assign an
> modecfg IP
> to the peer (which thinks of itself as a "server" and expects to be the one
> doing the assigning).
>
> Do you need to set modecfg=pull?
> leftsourceip=%config
>
> > If necessary I can share my ipsec.conf file.
> I assume this would help.
>
> Justin
>



-- 
GPG public key ID: 42AE9528
http://www.openpgp.org/


[strongSwan] Using ipsec.conf with sql-pools

2018-02-13 Thread Mike.Ettrich
Hi!
We would like to get a little more control over the usage of the 
IP addresses to lease, so I think that SQL IP pools could be a solution.
Until now we are using ipsec.conf to configure charon and I hope we 
don't have to change that.

But I'm a little confused about using SQL IP pools.
Is it possible to use an SQL IP pool from ipsec.conf?
If yes, are there examples or HowTos to set up an SQL IP pool other than the 
test scenarios?

Regards,
Mike.


[strongSwan] osx Sierra ikev2 connection successful but no traffic

2018-02-13 Thread karthik kumar
Hi,
  I have a successful connection from my Sierra Mac using strongswan-5.6.1 to
our VPN server

$ sudo ipsec up vpn
Password:
initiating IKE_SA vpn[2] to 
...
installing 10.245.250.251 as DNS server
installing 10.245.250.227 as DNS server
installing new virtual IP 10.244.15.1
created TUN device: utun2
CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS
10.244.15.1/32  === 0.0.0.0/32
connection 'vpn' established successfully

$ ifconfig utun2
utun2: flags=8051 mtu 1500
options=6403
inet 10.244.15.1 --> 10.244.15.1 netmask 0xff00

but no traffic is flowing, I can't reach hosts/internet. Actually I am not
able to ping the VIP itself

$ ping 10.244.15.1
PING 10.244.15.1 (10.244.15.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 10.244.15.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

initiator configuration:

config setup

conn %default
    compress=yes
    ikelifetime=20h
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn vpn
    left=%any
    leftid=kart...@altiscale.com
    rightid=@vpn02.rt1.altiscale.com
    rightauth=pubkey
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
    auto=add
    ike=aes256-sha512-modp4096!
    esp=aes128-sha512!

The same configs work well on a linux initiator.

Any suggestions please? Please let me know if you need more info.

Thanks