[strongSwan] strongSwan integration with Active Directory

2018-09-16 Thread Christian Salway
It would be great if strongSwan could interact with Active Directory in the 
same way that, for example, freeRadius does - by using ntlm_auth -- winbind

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
 

 




Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Markus P. Beckhaus
Hi,

all the different approaches like local traffic LBs, client wrappers with 
gateway failure detection and even multiple simultaneous tunnels from the 
client to different gateways have been on the table, were evaluated and most of 
them are already in use in other projects successfully. 

The DNS idea is just another option which has some advantages at large scale, 
so I wanted to discuss this approach and how it is supported by strongSwan's 
standard behaviour. If it is not, there is still the option to write a wrapper 
or VICI event handler that reloads the connection to force the DNS refresh.

Best Regards

Markus  
 

On 16.09.18 at 14:53, "Users on behalf of Michael Schwartzkopff" wrote:


[strongSwan] dpd action restart

2018-09-16 Thread Michael Schwartzkopff
Hi,


what exactly does the IPsec client do when the DPD action "restart" is
configured? OK, it tries to re-establish the VPN connection. But does the
client do a new DNS resolution if an FQDN is configured as the "right"
parameter?

Is there any hook to force the client to do a new DNS lookup?

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: Munich, Munich Local Court: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein






Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Michael Schwartzkopff
On 16.09.2018 at 13:23, Markus P. Beckhaus wrote:

Hi,


Answering to the list, since it might be of general interest.


First of all, in my opinion you want to have a local load balancer in a
datacenter. It distributes the clients to the several servers in the
datacenter. Especially if you have some 100k clients, you need multiple
servers in each datacenter.

Load balancers detect outages of servers and redirect the client to the
next available server.


DNS RR distribution: The problem, as far as I see, is that the IPsec
client cannot detect the availability of a VPN server and automatically
fail over to the next available server. When the client starts and the
FQDN of the server is configured, it looks up the A (or AAAA) RR in DNS.
It tries to connect to that IP address even if it is not available any more.

A wrapper does nothing else than check the availability of the VPN server
in use and reconfigure the connection to the next best available server
if the server goes down. The wrapper also can measure the answering time
to choose the next best available.


The wrapper is completely separate from the VPN client (ipsec) software
that established the connection. The wrapper uses the swanctl interface
to re-configure the VPN client in that case.


DNS with DNSSEC is cool since you can use it to do the authentication of
the VPN server completely in DNS. No third-party CAs any more that you
have to distribute to your clients.


Greetings,


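The wrapper described above (check the gateway in use, pick the next best one by answering time, reconfigure the client through the swanctl/VICI interface), together with the VICI event handler Markus mentions in his reply, as an added example in Python that is not code from either poster or from the strongSwan project. It assumes the `vici` Python binding that ships with strongSwan is installed and charon listens on the default VICI socket, that the client authenticates the gateway by certificate with the gateway's identity set to its FQDN, and that each gateway exposes a hypothetical TCP health-check port 8443 for the probe; the connection name `vpn`, `vpn.example.com` and `client@example.com` are placeholders. The wrapper does its own fresh lookup of the gateway name, so it does not depend on whether charon re-resolves the FQDN on a DPD restart (the question raised in the "dpd action restart" message).

```python
"""Failover wrapper: when the IKE_SA goes down, re-resolve the gateway FQDN,
pick the fastest live gateway and re-initiate through VICI (added example,
not strongSwan code; see the assumptions in the lead-in)."""
import socket
import time
from typing import Callable, Iterable, List, Optional, Tuple

Probe = Callable[[str], Optional[float]]  # ip -> round-trip seconds, None if down


def resolve_gateways(fqdn: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Fresh A/AAAA lookup, de-duplicated, in answer order; [] if the name fails.

    The wrapper resolves itself instead of relying on charon to re-resolve on
    a DPD restart, so it behaves the same whatever charon's lookup policy is.
    """
    try:
        answers = resolver(fqdn, None)
    except OSError:  # socket.gaierror is an OSError
        return []
    seen, ips = set(), []
    for _family, _type, _proto, _canon, sockaddr in answers:
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            ips.append(sockaddr[0])
    return ips


def tcp_probe(port: int = 8443, timeout: float = 1.0) -> Probe:
    """Probe that returns the TCP connect time to a (hypothetical) health-check port."""
    def probe(ip: str) -> Optional[float]:
        start = time.monotonic()
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return time.monotonic() - start
        except OSError:
            return None
    return probe


def rank_gateways(ips: Iterable[str], probe: Probe) -> List[Tuple[str, float]]:
    """Drop unreachable gateways, order the rest by measured answering time."""
    measured = [(ip, rtt) for ip in ips if (rtt := probe(ip)) is not None]
    return sorted(measured, key=lambda pair: pair[1])


def build_conn(name: str, gateway_ip: str, vpn_fqdn: str, local_id: str) -> dict:
    """VICI load-conn payload pinned to one gateway IP.

    remote.id stays the FQDN: the peer is authenticated by the identity in its
    certificate, not by whichever address DNS handed out this time.
    """
    return {name: {
        "version": "2",
        "remote_addrs": [gateway_ip],
        "dpd_delay": "30s",
        "local": {"auth": "pubkey", "id": local_id},
        "remote": {"auth": "pubkey", "id": vpn_fqdn},
        "children": {"net": {"remote_ts": ["0.0.0.0/0"], "start_action": "none"}},
    }}


def failover(conn_name: str, vpn_fqdn: str, local_id: str, probe: Probe,
             resolver: Callable = socket.getaddrinfo, session=None) -> Optional[str]:
    """Re-resolve, choose, reload the conn and initiate it. Returns the chosen IP."""
    ranked = rank_gateways(resolve_gateways(vpn_fqdn, resolver), probe)
    if not ranked:
        return None  # every gateway down or DNS failed: nothing to connect to
    chosen = ranked[0][0]
    if session is None:
        import vici  # strongSwan's Python binding, assumed installed
        session = vici.Session()
    session.load_conn(build_conn(conn_name, chosen, vpn_fqdn, local_id))
    # initiate() streams charon log lines until the SA is up or the timeout (ms) hits
    for _ in session.initiate({"ike": conn_name, "child": "net", "timeout": "30000"}):
        pass
    return chosen


def watch(conn_name: str, vpn_fqdn: str, local_id: str, probe: Probe) -> None:
    """Event loop: an ike-updown event for our IKE_SA that is not 'up' triggers failover."""
    import vici  # assumed installed
    for label, event in vici.Session().listen(["ike-updown"]):
        keys = {k.decode() if isinstance(k, bytes) else k for k in event}
        up = event.get("up", event.get(b"up"))
        if conn_name in keys and up not in ("yes", b"yes"):
            # separate session for commands so the listening socket stays in event mode
            failover(conn_name, vpn_fqdn, local_id, probe, session=vici.Session())


if __name__ == "__main__":
    watch("vpn", "vpn.example.com", "client@example.com", tcp_probe())
```

Run it on the client next to charon; the resolver, probe and VICI session are injectable, so the selection logic can be exercised without a network, and a failed lookup or an all-down gateway set yields `None` instead of a reconnect to a dead address.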






Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Markus P. Beckhaus
Hi Michael,

thanks for your fast reply. The background of my question is to implement 
failover with strongswan standard mechanisms wherever possible.

In fact I do have *swan implementations in the field with wrappers for load 
distribution and failover, but I'd rather get rid of as much individual code as 
I can.

Best Regards

Markus 



On 16.09.18 at 10:42, "Users on behalf of Michael Schwartzkopff" wrote:









Re: [strongSwan] PEAP

2018-09-16 Thread Andreas Steffen
Hi Christian,

add --enable-eap-mschapv2 as a configure option since MSCHAP-V2 based
password authentication is done within the PEAP tunnel.

Regards

Andreas

On 15.09.2018 11:38, Christian Salway wrote:
> I'm trying to set up PEAP but getting an error.  I connect to an NPS and
> have enabled PEAP with MSCHAPv2 on the connection
> 
> 
> Sep 15 09:31:39 16[IKE] sending tunneled EAP-PEAP AVP [EAP/REQ/ID]
> Sep 15 09:31:39 16[ENC] generating IKE_AUTH response 8 [ EAP/REQ/PEAP ]
> Sep 15 09:31:39 16[NET] sending packet: from 10.0.1.82[4500] to 86.2.58.36[60210] (128 bytes)
> Sep 15 09:31:39 04[NET] sending packet: from 10.0.1.82[4500] to 86.2.58.36[60210]
> Sep 15 09:31:39 03[NET] waiting for data on sockets
> Sep 15 09:31:40 03[NET] received packet: from 86.2.58.36[60210] to 10.0.1.82[4500]
> Sep 15 09:31:40 06[NET] received packet: from 86.2.58.36[60210] to 10.0.1.82[4500] (160 bytes)
> Sep 15 09:31:40 06[ENC] parsed IKE_AUTH request 9 [ EAP/RES/PEAP ]
> Sep 15 09:31:40 06[IKE] received tunneled EAP-PEAP AVP [EAP/RES/ID]
> Sep 15 09:31:40 06[IKE] received EAP identity 'christian.salway'
> Sep 15 09:31:40 06[IKE] phase2 method EAP_MSCHAPV2 selected
> *Sep 15 09:31:40 06[IKE] EAP_MSCHAPV2 method not available*
> Sep 15 09:31:40 06[ENC] generating IKE_AUTH response 9 [ EAP/REQ/PEAP ]
> 
> 
> ./configure --prefix=/usr --sysconfdir=/etc \
> --enable-eap-identity --enable-eap-radius --enable-openssl \
> --enable-eap-peap
> 
> NPS
> 
> Windows 10 reports:
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
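The check to run after rebuilding with the extra configure option, as an added example that is neither code from the thread nor from the strongSwan project: it reads the `loaded plugins:` line that charon logs at start-up (also printed by `swanctl --stats`) and scans the IKE log for `<method> method not available`, then maps each EAP method name to the plugin and configure flag it needs. The `EAP_MSCHAPV2` to `eap-mschapv2` to `--enable-eap-mschapv2` mapping is a naming heuristic that holds for strongSwan's EAP plugins, not an official table. The sample log is constructed: a `loaded plugins:` line matching the configure options quoted above (no eap-mschapv2) followed by the two IKE lines from the posted log.

```python
"""Verify that charon loaded the plugins that PEAP with inner MSCHAPv2 needs
(added example, not from the thread or from strongSwan)."""
import re
from typing import Dict, Iterable, List, Set

# Gateway-side plugins when charon itself terminates EAP-PEAP and runs
# MSCHAPv2 inside the tunnel. eap-radius is only needed when the inner
# method is forwarded to a RADIUS server, so it is not in the required set.
REQUIRED_FOR_PEAP_MSCHAPV2 = {"eap-identity", "eap-peap", "eap-mschapv2"}

LOADED_RE = re.compile(r"loaded plugins:\s*(?P<plugins>.+?)\s*$")
NOT_AVAILABLE_RE = re.compile(r"\b(?P<method>EAP_[A-Z0-9_]+) method not available")


def loaded_plugins(lines: Iterable[str]) -> Set[str]:
    """Plugin names from the last 'loaded plugins:' line (charon log or swanctl --stats)."""
    plugins: Set[str] = set()
    for line in lines:
        m = LOADED_RE.search(line)
        if m:
            plugins = set(m.group("plugins").split())
    return plugins


def unavailable_methods(lines: Iterable[str]) -> List[str]:
    """EAP methods charon selected but could not instantiate, in log order, de-duplicated."""
    seen: List[str] = []
    for line in lines:
        m = NOT_AVAILABLE_RE.search(line)
        if m and m.group("method") not in seen:
            seen.append(m.group("method"))
    return seen


def plugin_for_method(method: str) -> str:
    """Naming heuristic: EAP_MSCHAPV2 -> eap-mschapv2, EAP_TLS -> eap-tls, ..."""
    return method.lower().replace("_", "-")


def configure_flag(plugin: str) -> str:
    """strongSwan enables each plugin with --enable-<plugin-name>."""
    return "--enable-" + plugin


def diagnose(lines: Iterable[str],
             required: Set[str] = REQUIRED_FOR_PEAP_MSCHAPV2) -> Dict[str, List[str]]:
    """Combine both signals into the plugins (and configure flags) still missing."""
    lines = list(lines)
    methods = unavailable_methods(lines)
    missing = (required - loaded_plugins(lines)) | {plugin_for_method(m) for m in methods}
    return {
        "unavailable_methods": methods,
        "missing_plugins": sorted(missing),
        "configure_flags": [configure_flag(p) for p in sorted(missing)],
    }


# Constructed sample: plugin list matching the quoted configure options (no
# eap-mschapv2), then the two IKE lines from the posted log.
SAMPLE_LOG = """\
Sep 15 09:31:12 00[LIB] loaded plugins: charon openssl eap-identity eap-radius eap-peap
Sep 15 09:31:40 06[IKE] phase2 method EAP_MSCHAPV2 selected
Sep 15 09:31:40 06[IKE] EAP_MSCHAPV2 method not available
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On a real host, pipe `journalctl -u strongswan` (or the charon log file) and `swanctl --stats` into `diagnose()`; an empty `missing_plugins` list after the rebuild confirms the inner method can be instantiated before the next Windows client tries again.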





Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Michael Schwartzkopff
On 16.09.2018 at 09:34, Markus P. Beckhaus wrote:

Hi,


We implemented a kind of such solution.


We had all VPN servers in one or two datacenters that were close to each
other. So no need for a geographic distribution of the clients.

DNS also was our first idea, but for some reasons we finally chose a
wrapper solution for the client config.


DNS should also be possible and finally be the superior solution. But you
really want to implement DNSSEC. You also could distribute keys or
certificates of the servers in DNS. Thus the need to install (and
update) the server authority on the clients is solved.


After all, this should work quite well.


Kind regards,






[strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Markus P. Beckhaus
Dear all,

we are thinking about using a DNS load balancer to distribute a huge number of 
strongSwan clients to multiple VPN gateways. Also, the DNS load balancer 
should detect the failure of VPN gateways and remove them from the DNS 
responses, thus providing a kind of availability and failover.

Here is the challenge:
If the strongSwan client detects the failure of a connection (e.g. DPD), it 
must send a new DNS request to retrieve a list of still available gateways and 
reconnect to one of them.

From what I have read, I believe strongSwan does the DNS resolution of the 
peer only once, when it reads the connection configuration.

Does anyone have an idea how to solve the described requirement? Naturally, any 
alternative proposals to address these load distribution and failover 
requirements are welcome.

Best Regards
--
Markus


