date:20180508

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Jafar Al-Gharaibeh


Houman,

 No need to configure a prf, it is already assumed when you 
configured a DH group; so you can drop prfsha256. And as Christian 
suggested, if all your clients support strong encryption  drop all weak 
algorithms/proposals from  the server end i.e 3des, sha1, modp1024. I 
can't believe that  Microsoft still in 2018 offer these as the default 
options and expects users to go tinker with obscured registery keys  to 
enable stronger options.


For ESP, I'd connect the Windows client and see what the offered 
proposals in the logs at the server side, just as you did with ike. You 
can then limit the proposals at the server end to the good ones. If I 
remember well, AES256 was an option, but esp didn't allow a DH group so 
you might need to drop that, but I could be wrong.


Cheers,
Jafar


On 5/8/2018 1:55 PM, Houman wrote:

Thank you both Christian and Jafar for the clear proposals.

So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the 
stronger set of encryption. Do I set *aes256-sha256-prfsha256-modp2048 
*into *ike* only?  Or both in *ike* and *esp*?


This part wasn't quite clear to me.

Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.

Many Thanks,
Houman



On 8 May 2018 at 08:40, Christian Salway > wrote:


The problem with Windows (10 at least) is that it offers the
weakest ciphers first, so you should remove sha1 and 3des.

The minimum proposals you should have and which are compatible
with Windows 10, OSX, IOS and Linux are the following.

*proposals = aes256-sha256-prfsha256-modp2048-modp1024*

Although I would recommend adding the Windows 10 registry key
[NegotiateDH2048_AES256] to use strong ciphers and then you can
remove MODP1024





On 7 May 2018, at 15:50, Jafar Al-Gharaibeh > wrote:

Houman,

  The Windows client proposals do not match your configured
proposals. Your Windows client expect DG group 15 (MODP2048),
where as you have:

aes256-3des-sha1-modp1024

change that to:

aes256-3des-sha1-modp2048

I'd also add sha256 at least before sha1 (deemed insecure). If
you still have other clients expecting modp1024, make it:

aes256-3des-sha256-sha1-modp2048-modp1024

That should get you covered.

Regards,
Jafar


On 5/7/2018 8:17 AM, Houman wrote:

Hello,

Until a week ago a user with Windows 10 had no issue connecting
to the StrongSwan server. But now out of the blue, he can't
connect to the StrongSwan server anymore.

The log on the server is:

May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals
inacceptable
May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT
response 0 [ N(NO_PROP) ]
May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
Directories...
May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path
"/var/log", ignoring.
May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary
Directories.
May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5
ISAKMPOAKLEY v9 vendor ID
May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation
Discovery Capable vendor ID
May  7 13:11:27 vpn-p1 charon: 12[IKE] received
Vid-Initial-Contact vendor ID
May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor
ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is
initiating an IKE_SA
May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals
inacceptable
May  7 13:11:27 vpn-p1

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Christian Salway

I don’t change the default ESP ciphers, only the IKE ones.  I should probably 
look into them at some point.


> On 8 May 2018, at 19:55, Houman  wrote:
> 
> Thank you both Christian and Jafar for the clear proposals.
> 
> So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the 
> stronger set of encryption. Do I set aes256-sha256-prfsha256-modp2048 into 
> ike only?  Or both in ike and esp?
> 
> This part wasn't quite clear to me.
> 
> Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.  
> 
> Many Thanks,
> Houman
> 
> 
> 
> On 8 May 2018 at 08:40, Christian Salway  > wrote:
> The problem with Windows (10 at least) is that it offers the weakest ciphers 
> first, so you should remove sha1 and 3des.
> 
> The minimum proposals you should have and which are compatible with Windows 
> 10, OSX, IOS and Linux are the following.
> 
> proposals = aes256-sha256-prfsha256-modp2048-modp1024
> 
> Although I would recommend adding the Windows 10 registry key 
> [NegotiateDH2048_AES256] to use strong ciphers and then you can remove 
> MODP1024
> 
> 
>  
> 
>> On 7 May 2018, at 15:50, Jafar Al-Gharaibeh > > wrote:
>> 
>> Houman,
>> 
>>   The Windows client proposals do not match your configured proposals. Your 
>> Windows client expect DG group 15 (MODP2048), where as you have:
>> 
>> aes256-3des-sha1-modp1024
>> 
>> change that to:
>> 
>> aes256-3des-sha1-modp2048
>> 
>> I'd also add sha256 at least before sha1 (deemed insecure). If you still 
>> have other clients expecting modp1024, make it:
>> 
>> aes256-3des-sha256-sha1-modp2048-modp1024
>> 
>> That should get you covered. 
>> 
>> Regards,
>> Jafar
>> 
>> 
>> On 5/7/2018 8:17 AM, Houman wrote:
>>> Hello,
>>> 
>>> Until a week ago a user with Windows 10 had no issue connecting to the 
>>> StrongSwan server. But now out of the blue, he can't connect to the 
>>> StrongSwan server anymore.
>>> 
>>> The log on the server is:
>>> 
>>> May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
>>> May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ 
>>> N(NO_PROP) ]
>>> May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from 
>>> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
>>> May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
>>> May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary 
>>> Directories...
>>> May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: 
>>> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", 
>>> ignoring.
>>> May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
>>> May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
>>> May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
>>> May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
>>> May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 
>>> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
>>> May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
>>> No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 
>>> vendor ID
>>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery 
>>> Capable vendor ID
>>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor 
>>> ID
>>> May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 
>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>> May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
>>> May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: 
>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
>>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>>> May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: 
>>> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, 
>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, 
>>> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>> May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
>>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
>>> May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ 
>>> N(NO_PROP) ]
>>> May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from 
>>> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
>>> May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 
>>> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
>>> May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
>>> No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>>> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 
>>> vendor ID
>>> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery 
>>> Capable vendor

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Houman

Thank you both Christian and Jafar for the clear proposals.

So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the
stronger set of encryption. Do I set *aes256-sha256-prfsha256-modp2048 *into
*ike* only?  Or both in *ike* and *esp*?

This part wasn't quite clear to me.

Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.

Many Thanks,
Houman



On 8 May 2018 at 08:40, Christian Salway 
wrote:

> The problem with Windows (10 at least) is that it offers the weakest
> ciphers first, so you should remove sha1 and 3des.
>
> The minimum proposals you should have and which are compatible with
> Windows 10, OSX, IOS and Linux are the following.
>
> *proposals = aes256-sha256-prfsha256-modp2048-modp1024*
>
> Although I would recommend adding the Windows 10 registry key [
> NegotiateDH2048_AES256] to use strong ciphers and then you can remove
> MODP1024
>
>
> 
>
> On 7 May 2018, at 15:50, Jafar Al-Gharaibeh  wrote:
>
> Houman,
>
>   The Windows client proposals do not match your configured proposals.
> Your Windows client expect DG group 15 (MODP2048), where as you have:
>
> aes256-3des-sha1-modp1024
>
> change that to:
>
> aes256-3des-sha1-modp2048
>
> I'd also add sha256 at least before sha1 (deemed insecure). If you still
> have other clients expecting modp1024, make it:
>
> aes256-3des-sha256-sha1-modp2048-modp1024
>
> That should get you covered.
>
> Regards,
> Jafar
>
>
> On 5/7/2018 8:17 AM, Houman wrote:
>
> Hello,
>
> Until a week ago a user with Windows 10 had no issue connecting to the
> StrongSwan server. But now out of the blue, he can't connect to the
> StrongSwan server anymore.
>
> The log on the server is:
>
> May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
> May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
> May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
> Directories...
> May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
> ignoring.
> May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary
> Directories.
> May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
> May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
> May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
> May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery
> Capable vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor
> ID
> May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an
> IKE_SA
> May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
> May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery
> Capable vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor
> ID
> May  7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May  7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an
> IKE_SA
> May  7 13:11:28 vpn-p1 charon: 16[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>

Re: [strongSwan] Multiple ChildSA

2018-05-08 Thread Naveen Neelakanta

Hi All,

I am using the ikev1, i see this multiple ChildSA INSTALLED , i have
enabled make before break.
I am not to reproduce this issue. But when this happens my traffic is
effected.  Below is the config that i am trying to reproduce.

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@Dr_an",
"text": "06[CFG]  conn sl20:", "_fac": "local1", "_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@07VRwC", "text": "06[CFG]   child sl20childsa:", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@iFuhtB", "text": "06[CFG]rekey_time = 100", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@Py5B_C", "text": "06[CFG]life_time = 150", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@RscO8D", "text": "06[CFG]rand_time = 50", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@kOwrfC", "text": "06[CFG]rekey_bytes = 0", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@NcePjB", "text": "06[CFG]life_bytes = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@ySflTB", "text": "06[CFG]rand_bytes = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@7bKJCD", "text": "06[CFG]rekey_packets = 0", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid": "@ounha",
"text": "06[CFG]life_packets = 0", "_fac": "local1", "_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@pibZ9D", "text": "06[CFG]rand_packets = 0", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon", "_msgid":
"@GKtK2D", "text": "06[CFG]updown = (null)", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@7v8q5C", "text": "06[CFG]hostaccess = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@E6R_wB", "text": "06[CFG]ipcomp = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@OXIEO",
"text": "06[CFG]mode = TUNNEL", "_fac": "local1", "_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@aZ8jZB", "text": "06[CFG]policies = 1", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@kZYOj",
"text": "06[CFG]policies_fwd_out = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@WR3uwD", "text": "06[CFG]dpd_action = restart", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@-yRFqD", "text": "06[CFG]start_action = clear", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@RfO9GD", "text": "06[CFG]close_action = clear", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@CetbUC", "text": "06[CFG]reqid = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@CGw7NC", "text": "06[CFG]tfc = 0", "_fac": "local1", "_level": "info"
}

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@kXj8sD", "text": "06[CFG]priority = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@b4xDE",
"text": "06[CFG]interface = (null)", "_fac": "local1", "_level": "info"
}

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@3fu6-B", "text": "06[CFG]mark_in = 20/4294967295", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@obPY4B", "text": "06[CFG]mark_in_sa = 1", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@oXu69C", "text": "06[CFG]mark_out = 20/4294967295", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@zw-OuB", "text": "06[CFG]inactivity = 0", "_fac": "local1", "_level":
"info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@Vx5JF",
"text": "06[CFG]proposals =
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@zuQWzD", "text": "06[CFG]local_ts = 0.0.0.0/0", "_fac": "local1",
"_level": "info" }

{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@6d6OxD", "text": "06[CFG]remote_ts =

Re: [strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Marco Berizzi

Hi Tobias,

> There is currently no exact equivalent for
> the `also` keyword in swanctl.conf

a nice feature to add in a future relase :-)

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Marco Berizzi

Hi Andreas, Hi everyone,

thanks but there is no 'start-stop-daemon' on Slackware.
I will keep building strongswan without the 'disable-stroke'
as suggested by Tobias.

As a suggestion, it would be beautiful to get starter
working also without the presence of the /etc/ipsec.conf :-)

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Tobias Brunner

Hi Marco,

> Which is the correct way to start strongswan
> without 'ipsec start' ?

You could start charon directly (see e.g. the script from our testing
environment that Andreas referenced).  On the other hand, you could also
just continue to use starter (i.e. build with --enable-stroke) and just
leave the ipsec.conf/ipsec.secrets files empty and don't load the stroke
plugin (i.e. define charon.plugins.stroke.load = no in strongswan.conf
or the config snipped in /etc/strongswan.d/charon).

Regards,
Tobias

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Andreas Steffen


Hi Marco,

you can put the following script

https://github.com/strongswan/strongswan/blob/master/testing/hosts/default/etc/init.d/charon

into /etc/init.d/ and either start and stop the charon daemon
manually with

  service charon start|stop

or put the a link to the script into the appropriate runlevel
directories.

Regards

Andreas

On 08.05.2018 11:33, Marco Berizzi wrote:

Hello everyone,

I have compiled strongswan on slackware linux with:

--disable-stroke

and the starter is not builded anymore.

Slackware is one the the few distro which is
not (yet) systemd based.

Which is the correct way to start strongswan
without 'ipsec start' ?



--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==



smime.p7s
Description: S/MIME Cryptographic Signature

Re: [strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Tobias Brunner

Hi Marco,

> I would like to ask if this swanctl.conf file is
> equivalent to the above ipsec.conf:

No, you just redefined the value of `id`.  There is currently no exact
equivalent for the `also` keyword in swanctl.conf, so you have to work
with `include`.  That is, you extract all the shared settings into a
separate file, e.g.

customer.conf:

  local_addrs  = my_public
  remote_addrs = customer_public

  local {
 auth = psk
 id = my_public
  }
  remote {
 auth = psk
  }
  children {
 customer-networks {
local_ts  = 10.28.155.0/24
remote_ts = 10.10.92.0
esp_proposals = aes256-sha384-ecp521
 }
  }
  proposals = aes256-sha384-ecp521
  send_cert = never
  send_certreq = no

and then you include that file where appropriate and override settings
that are different, i.e. this is what the `connections` section of
swanctl.conf could look like:

connections {

   customer-public {
  include customer.conf

  remote {
 id = customer_public
  }
  children {
 customer-networks {
start_action = trap
 }
  }
   }

   customer-private {
  include customer.conf

  remote {
 id = 192.168.53.22
  }
   }
}

Similarly, you redefined the ID that is associated with the PSK.
However, there you can define multiple identities (as suggested by
Christian) by adding multiple keys with the `id` prefix.

Regards,
Tobias

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Christian Salway

or completely ignore that because you just said no systemd :(  Sorry!

 

> On 8 May 2018, at 10:34, Christian Salway  
> wrote:
> 
> and dont forget to enable the service 
> 
> systemctl enable strongswan-swanctl.service
> 
> 
> 
>> On 8 May 2018, at 10:33, Marco Berizzi > > wrote:
>> 
>> Hello everyone,
>> 
>> I have compiled strongswan on slackware linux with:
>> 
>> --disable-stroke
>> 
>> and the starter is not builded anymore.
>> 
>> Slackware is one the the few distro which is
>> not (yet) systemd based.
>> 
>> Which is the correct way to start strongswan
>> without 'ipsec start' ?
>> 
>

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Christian Salway

and dont forget to enable the service 

systemctl enable strongswan-swanctl.service



> On 8 May 2018, at 10:33, Marco Berizzi  wrote:
> 
> Hello everyone,
> 
> I have compiled strongswan on slackware linux with:
> 
> --disable-stroke
> 
> and the starter is not builded anymore.
> 
> Slackware is one the the few distro which is
> not (yet) systemd based.
> 
> Which is the correct way to start strongswan
> without 'ipsec start' ?
>

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Christian Salway

To manually build StrongSwan, I use the following

wget http://download.strongswan.org/strongswan.tar.bz2
tar xjvf strongswan.tar.bz2; cd strongswan*
./configure --prefix=/usr --sysconfdir=/etc \
  --enable-systemd --enable-swanctl \
  --disable-charon --disable-stroke --disable-scepclient \
  --enable-eap-identity --enable-eap-mschapv2 --enable-md4 \
  --enable-eap-tls --enable-eap-dynamic \
  --enable-curl --enable-gcm --enable-openssl
make
make install

 

> On 8 May 2018, at 10:33, Marco Berizzi  wrote:
> 
> Hello everyone,
> 
> I have compiled strongswan on slackware linux with:
> 
> --disable-stroke
> 
> and the starter is not builded anymore.
> 
> Slackware is one the the few distro which is
> not (yet) systemd based.
> 
> Which is the correct way to start strongswan
> without 'ipsec start' ?
>

[strongSwan] starting strongswan without starter

2018-05-08 Thread Marco Berizzi

Hello everyone,

I have compiled strongswan on slackware linux with:

--disable-stroke

and the starter is not builded anymore.

Slackware is one the the few distro which is
not (yet) systemd based.

Which is the correct way to start strongswan
without 'ipsec start' ?

Re: [strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Christian Salway

 id = customer_public
 id1 = 192.168.53.22

You have to use different id identities


> On 8 May 2018, at 10:20, Marco Berizzi  wrote:
> 
>  id = customer_public
>  id = 192.168.53.22

[strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Marco Berizzi

Hello everyone,

I'm running strongswan 5.6.3dr1 on Slackware linux.
On this strongswan box it is configured an ikev2 tunnel
to a customer checkpoint R77.30 gateway.

Sometimes, for an unknown reason, the checkpoint will
try to initiate the IKE_SA, but instead of using its
public ip address as the id, it is using another ip
address. Here is the relevant log:

12[NET] received packet: from customer_public[500] to my_public[500] (260 
bytes) 
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
12[IKE] customer_public is initiating an IKE_SA 
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(MULT_AUTH) ] 
12[NET] sending packet: from my_public[500] to customer_public[500] (280 bytes) 
04[NET] received packet: from customer_public[500] to my_public[500] (336 
bytes) 
04[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N((47997)) SA TSi TSr 
N(INIT_CONTACT) V N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ] 
04[CFG] looking for peer configs matching 
my_public[%any]...customer_public[192.168.53.22] 
04[CFG] selected peer config 'customer-10.10.92.0' 
04[IKE] authentication of '192.168.53.22' with pre-shared key successful 
04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
04[IKE] authentication of 'my_public' (myself) with pre-shared key 
04[IKE] IKE_SA customer-10.10.92.0[10] established between 
my_public[my_public]...customer_public[192.168.53.22] 

I have bypassed this checkpoint crazy behaviour
adding another conn section to the ipsec.conf file,
and configuring it only as responder (auto=add):

conn customer
left=my_public
right=customer_public
leftsubnet=10.28.155.0/24
leftauth=secret
rightauth=secret
leftid=my_public
rightid=customer_public

conn customer-10.10.92.0
auto=route
also=customer

conn customer-10.10.92.0-192.168.53.22
auto=add
also=customer
rightid=192.168.53.22

Now I would like to move this configuration to the
new swanctl.conf file format.

I would like to ask if this swanctl.conf file is
equivalent to the above ipsec.conf:

connections {

   customer {
  local_addrs  = my_public
  remote_addrs = customer_public

  local {
 auth = psk
 id = my_public
  }
  remote {
 auth = psk
 id = customer_public
 id = 192.168.53.22
  }
  children {
 customer-networks {
local_ts  = 10.28.155.0/24
remote_ts = 10.10.92.0
start_action = trap
esp_proposals = aes256-sha384-ecp521
 }
  }
  proposals = aes256-sha384-ecp521
  send_cert = never
  send_certreq = no
   }
}

secrets {
   ike-customer {
  id = customer_public
  id = 192.168.53.22
  secret = "blablabla"
   }
}

Thanks

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Christian Salway

The problem with Windows (10 at least) is that it offers the weakest ciphers 
first, so you should remove sha1 and 3des.

The minimum proposals you should have and which are compatible with Windows 10, 
OSX, IOS and Linux are the following.

proposals = aes256-sha256-prfsha256-modp2048-modp1024

Although I would recommend adding the Windows 10 registry key 
[NegotiateDH2048_AES256] to use strong ciphers and then you can remove MODP1024


 

> On 7 May 2018, at 15:50, Jafar Al-Gharaibeh  wrote:
> 
> Houman,
> 
>   The Windows client proposals do not match your configured proposals. Your 
> Windows client expect DG group 15 (MODP2048), where as you have:
> 
> aes256-3des-sha1-modp1024
> 
> change that to:
> 
> aes256-3des-sha1-modp2048
> 
> I'd also add sha256 at least before sha1 (deemed insecure). If you still have 
> other clients expecting modp1024, make it:
> 
> aes256-3des-sha256-sha1-modp2048-modp1024
> 
> That should get you covered. 
> 
> Regards,
> Jafar
> 
> 
> On 5/7/2018 8:17 AM, Houman wrote:
>> Hello,
>> 
>> Until a week ago a user with Windows 10 had no issue connecting to the 
>> StrongSwan server. But now out of the blue, he can't connect to the 
>> StrongSwan server anymore.
>> 
>> The log on the server is:
>> 
>> May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
>> May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ 
>> N(NO_PROP) ]
>> May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from xxx.x.xx.92[500] 
>> to 91.98.xxx.xxx[500] (36 bytes)
>> May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
>> May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary 
>> Directories...
>> May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: 
>> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", 
>> ignoring.
>> May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
>> May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
>> May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
>> May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
>> May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 
>> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
>> May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
>> No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 
>> vendor ID
>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery 
>> Capable vendor ID
>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor ID
>> May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 
>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>> May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
>> May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: 
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>> May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: 
>> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, 
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, 
>> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
>> May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
>> May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ 
>> N(NO_PROP) ]
>> May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from xxx.x.xx.92[500] 
>> to 91.98.xxx.xxx[500] (36 bytes)
>> May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 
>> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
>> May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
>> No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 
>> vendor ID
>> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery 
>> Capable vendor ID
>> May  7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor ID
>> May  7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID: 
>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>> May  7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
>> May  7 13:11:28 vpn-p1 charon: 16[CFG] received proposals: 
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, 
>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
>> May  7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals: 
>> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, 
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, 
>> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> May  7 13:11:28 vpn-p1

Re: [strongSwan] Sudden issues with Windows 10 clients

Re: [strongSwan] Sudden issues with Windows 10 clients

Re: [strongSwan] Sudden issues with Windows 10 clients

Re: [strongSwan] Multiple ChildSA

Re: [strongSwan] multiple id for same ipsec peer

Re: [strongSwan] starting strongswan without starter

Re: [strongSwan] starting strongswan without starter

Re: [strongSwan] starting strongswan without starter

Re: [strongSwan] multiple id for same ipsec peer

Re: [strongSwan] starting strongswan without starter

Re: [strongSwan] starting strongswan without starter

Re: [strongSwan] starting strongswan without starter

[strongSwan] starting strongswan without starter

Re: [strongSwan] multiple id for same ipsec peer

[strongSwan] multiple id for same ipsec peer

Re: [strongSwan] Sudden issues with Windows 10 clients

16 matches

Site Navigation

Mail list logo

Footer information