Re: [strongSwan] Issue of "no IKE config found for ..., sending NO_PROPOSAL_CHOSEN"

2019-09-10 Thread Jianjun Shen Shen
After several days of debugging, I finally figured out it is due
to libstrongswan-standard-plugins not installed in my docker image. Thanks
for the replies in this thread!

Jianjun

On Mon, Sep 2, 2019 at 3:03 PM Jianjun Shen Shen wrote:

> Hello,
>
> I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).
>
> Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
> following log messages:
> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for 0.0.0.0 10.162.19.54
> 00[CFG]   secret: 73:77:6f:72:64:66:69:73:68
> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500] (660 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
> 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500] (36 bytes)
> 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
>
> And my ipsec.conf is quite simple:
> config setup
>     uniqueids=yes
>
> conn %default
>     keyingtries=%forever
>     type=transport
>     keyexchange=ikev2
>     auto=route
>     ike=aes256gcm16-sha256-modp2048
>     esp=aes256gcm16-modp2048
>
> conn host54
>     left=0.0.0.0
>     right=10.162.19.54
>     authby=psk
>     leftprotoport=gre
>     rightprotoport=gre
>
> "ipsec statusall" shows the following:
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64):
>   uptime: 3 seconds, since Sep 02 22:00:24 2019
>   malloc: sbrk 1216512, mmap 0, used 251808, free 964704
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
> Listening IP addresses:
>   10.162.19.55
>   fd01:0:101:2616:20c:29ff:fe2f:26c4
>   172.17.0.1
>   192.168.0.55
> Connections:
> host54:  0.0.0.0...10.162.19.54  IKEv2
> host54:   local:  uses pre-shared key authentication
> host54:   remote: [10.162.19.54] uses pre-shared key authentication
> host54:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
> Routed Connections:
> host54 {1}:  ROUTED, TRANSPORT, reqid 1
> host54 {1}:   10.162.19.55/32[gre] === 10.162.19.54/32[gre]
> Security Associations (0 up, 0 connecting):
>   none
>
> So, I could not see anything wrong. Could you please help?
>
> Regards,
> Jianjun


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-10 Thread Tobias Brunner
Hi Houman,

> Do you think that is possible to do via FreeRadius?

See [1].

> Just to be
> clear there is always a 1:1 relationship between IKE_SA and a user at a
> time, correct?

Probably, that is, if you don't allow multiple IKE_SAs per user identity.

> If I end an IKE_SA, I won't be kicking several users by
> mistake?

Not if you do so by unique ID (by name wouldn't be a good idea because
all IKE_SAs by roadwarriors will share the name of the connection).

> So in other words what
> I'm trying to achieve is possible with Vici right?

Yes.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-10 Thread Houman
Hello Tobias,

Thank you for your reply.

> Not directly (at least not via vici, it might be possible via RADIUS,
> depending on the RADIUS server).

This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe
I should explain the use case I'm trying to achieve.

I have setup a limit by monthly-usage in FreeRadius. Each user can use 10
GB and after that, any attempt to connect to the VPN server fails.

echo 'ATTRIBUTE   Monthly-Usage  3001  integer64' >> /etc/freeradius/3.0/dictionary

sed -i '/authorize {/a\
    update request {\
        Monthly-Usage = "%{sql:SELECT COALESCE((SUM(`acctoutputoctets`)), 0) FROM radacct WHERE `username`='"'"'%{User-Name}'"'"' AND Month(acctupdatetime)=(Month(NOW())) AND Year(acctupdatetime)=Year(NOW())}"\
    }' /etc/freeradius/3.0/sites-enabled/default

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Monthly-Usage','<',100);

This works, however, once the limit has been reached, he continues to
remain connected, nothing forces him out. Only if he disconnects and tries
to connect again, he would be prevented.  I was thinking to check every 5
minutes to see if someone has reached the monthly usage and is still
connected to kick him out.

Do you think that is possible to do via FreeRadius?

> What do you mean?  [1] provides an overview and has a link to the
> README.md file that describes the available commands and even contains
> simple code examples.  The Python bindings are basically a wrapper that
> provides a convenient interface for these commands.

Ah my bad. I was looking at https://pypi.org/project/vici/ but I found more
documentation at the github project.

> That returns the configured connections, so that's not really useful to
> you.  More interesting will be the list of established IKE_SAs
> (s.list_sas).
>
> There is no option to filter by remote/user ID, so you have
> to enumerate the established SAs (list-sa documents the returned
> information) and check remote-(eap-)id yourself.

Perfect. I think the username in Radcheck is the same as the
remote-(eap-)id you mentioned. So I have to find a way to filter that
within the IKE_SA and then to terminate the IKE_SA itself.  Just to be
clear there is always a 1:1 relationship between IKE_SA and a user at a
time, correct?  If I end an IKE_SA, I won't be kicking several users by
mistake? It will be only the one user using that? So in other words what
I'm trying to achieve is possible with Vici right?

Many Thanks,
Houman
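As an added example, not code from this thread or from strongSwan itself, the procedure Tobias outlines in reply to Houman's question: enumerate the established IKE_SAs with list_sas, match remote-(eap-)id against the over-quota username from radcheck, and terminate each match by its unique ID rather than by connection name. It assumes the strongSwan vici Python bindings (vici.Session, list_sas, terminate with an ike-id filter) and charon's default vici socket; SAMPLE_SAS is constructed data mimicking the list-sa stream.

```python
"""Kick an over-quota VPN user by terminating their IKE_SAs through vici (added example)."""
from typing import Dict, Iterable, List


def ike_ids_for_user(sas: Iterable[Dict[str, dict]], user: str) -> List[str]:
    """Return the unique IDs of every IKE_SA whose remote (EAP) identity is `user`.

    `sas` has the shape Session.list_sas() yields: one dict per IKE_SA, mapping the
    connection name to its attributes, with bytes values.  The connection name is
    ignored on purpose: all roadwarriors share it, so terminating by name would
    drop every user at once.
    """
    ids = []
    for sa in sas:
        for _conn_name, attrs in sa.items():
            # EAP users carry the username in remote-eap-id; peers authenticated
            # without EAP only have remote-id.
            remote = attrs.get("remote-eap-id") or attrs.get("remote-id") or b""
            if remote.decode("utf-8", "replace") == user:
                ids.append(attrs["uniqueid"].decode())
    return ids


def kick_user(session, user: str) -> List[str]:
    """Terminate, by unique ID, all IKE_SAs of `user`; returns the IDs terminated.

    `session` is a vici.Session (assumed).  list_sas() and terminate() are streamed
    requests exposed as generators, so each is drained to make charon act.
    """
    ids = ike_ids_for_user(session.list_sas(), user)
    for uid in ids:
        for _log in session.terminate({"ike-id": uid}):
            pass  # control-log events; worth logging in production
    return ids


# Constructed sample in the shape of a list-sa stream: two roadwarriors on the
# shared connection "rw" (one of them with two SAs) and a site-to-site tunnel.
SAMPLE_SAS = [
    {"rw": {"uniqueid": b"7", "remote-id": b"192.0.2.10", "remote-eap-id": b"houman"}},
    {"rw": {"uniqueid": b"8", "remote-id": b"192.0.2.11", "remote-eap-id": b"alice"}},
    {"rw": {"uniqueid": b"9", "remote-id": b"192.0.2.12", "remote-eap-id": b"houman"}},
    {"net-net": {"uniqueid": b"1", "remote-id": b"peer.example.org"}},
]

if __name__ == "__main__":
    import vici  # imported lazily so the selection logic runs without charon

    print(kick_user(vici.Session(), "houman"))  # default socket /var/run/charon.vici
```

kick_user is what a periodic job (the every-5-minutes check Houman describes) would call with each username the Monthly-Usage query flags as over quota.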