Re: [strongSwan] NATing around a subnet conflict

2020-09-15 Thread Tom Rymes

On 09/15/2020 4:47 AM, Tobias Brunner wrote:
> Hi Tom,
>
>> Any help and pointers to the appropriate documentation would be appreciated.
>
> Please have a look at the ikev2/net2net-same-nets test scenario [1].
>
> Regards,
> Tobias
>
> [1] https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/


Thank you so much for the link, Tobias, it's a big help. There doesn't 
seem to be a copy of the "mark_updown" script for sun defined under the 
/etc/ipsec.conf file.


I'll eventually figure out how to recreate it on my own, but if there's 
already a version floating around, it would be quite helpful in tying 
the whole thing together.


Many thanks,

Tom


Re: [strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified

2020-09-15 Thread Karuna Sagar Krishna
Hi Tobias,

Would `ipsec update` also work when I update the cert thumbprint in
ipsec.secrets file? i.e. on IKE SA re-negotiation would it use the new cert
thumbprint? I'm assuming that until the IKE SA is re-negotiated the
existing IKE SA and child ESP SA will continue to work, correct?

--karuna


On Tue, Sep 8, 2020 at 10:57 AM Karuna Sagar Krishna 
wrote:

> Thank you!
>
> --karuna
>
>
> On Tue, Sep 8, 2020 at 6:03 AM Tobias Brunner 
> wrote:
>
>> Hi Karuna,
>>
>> > 1. I'm only adding or removing connections in ipsec.conf and not
>> > modifying existing connections. And also I only use complete IP
>> > addresses for both left and right. So, would `ipsec update` be better
>> > suited and would still cause any other known issues?
>>
>> Just never use `ipsec reload` unless you know why you do so.  And if you
>> don't modify existing connections using `ipsec update` should be fine
>> (however, if you remove connections, note that this does not affect
>> existing SAs, so you'd have to terminate those manually, before or after
>> removing the config).
>>
>> > 2. Yes I looked at left|rightsubnet and I don't want to restrict
>> > protocol/port rather would like to apply to all protocol and all ports.
>> > And if I understand correctly, the default values for left|rightsubnet
>> > is all protocol and all port. Correct?
>>
>> Yes, by default all traffic between the local and remote IP addresses
>> will be covered.
>>
>> > 3. The charon.ignore_acquire_ts would apply to outbound traffic correct?
>> > From what I understand (based on below logs), the issue occurs on
>> > the inbound traffic, strongswan is not accepting the remote TS? Because
>> > the left|rightsubnet is not configured i.e. default values, so shouldn't
>> > it be accepting every remote TS?
>>
>> Yes, the option applies when outbound traffic hits a trap policy and the
>> kernel triggers an acquire.  And no, the daemon won't accept just any
>> TS, only a TS that matches the local and remote IPs is accepted if you
>> don't configure any traffic selectors.  Since this apparently is the
>> case here (according to the log), the problem is probably caused by
>> `ipsec reload` (i.e. there simply is no child config to match the
>> received traffic selectors against).
>>
>> > 4. Or would TSi and TSr need to match for the CREATE_CHILD_SA to be
>> > successful? In which case, TS_UNACCEPT can happen on both inbound and
>> > outbound traffic? I guess, I'm asking under what circumstances
>> > TS_UNACCEPT error is seen?
>>
>> Simply when there is no config with matching TS (could have different
>> reasons).
>>
>> > 4. Would strongswan.conf work along with ipsec.conf/starter?
>>
>> strongswan.conf contains global settings, which apply to all daemons and
>> config backends.  You may mix config backends (e.g. swanctl.conf/vici
>> and ipsec.conf/starter) but I'd not recommend that unless you know
>> exactly what you are doing.  So either use one or the other.  It's fine
>> to start the daemon via starter for either of them, though (when using
>> swanctl, just leave ipsec.conf/ipsec.secrets and the directories under
>> ipsec.d empty).
>>
>> Regards,
>> Tobias
>>
>


Re: [strongSwan] Connection to AWS-VPC

2020-09-15 Thread Noel Kuntze
I did it a couple of times. Not that that specific piece of information would 
help you in any way.

On 15.09.20 at 15:40, Dominik Reusser wrote:
> The security group settings should be fine. It does work with Openswan with
> the same credentials.
>
> On Tue., 15 Sept 2020 at 08:47, Aurélien Vallée <vallee.aurel...@gmail.com> wrote:
>
>> We do use strongswan successfully as VPN to connect to AWS gateways in a
>> VPC.
>> Did you check the security groups to make sure strongswan traffic can
>> pass through?
>>
>> On Tue, Sep 15, 2020 at 2:20 PM Dominik Reusser wrote:
>>
>>> Has anyone successfully connected to AWS VPC? My connection is
>>> established and ICMP packets are routed through the AWS cloud. However, UDP
>>> and TCP packets - while being sent towards the AWS server (from tcpdump on
>>> the client side) - do not appear in the logs of the VPC.
>>>
>>> With a corresponding setup with Openswan I get a working connection.
>>> However, I would prefer to use strongSwan.
>>>
>>> If you have successfully connected to AWS VPC, could you please share
>>> your configuration files?
>>>
>>> Thanks
>>> Kind regards
>>> Dominik
>>
>>
>> --
>> Aurélien Vallée
>> Phone +33 9 77 19 85 61
>





Re: [strongSwan] Connection to AWS-VPC

2020-09-15 Thread Dominik Reusser
The security group settings should be fine. It does work with Openswan
with the same credentials.

On Tue., 15 Sept 2020 at 08:47, Aurélien Vallée <vallee.aurel...@gmail.com> wrote:

> We do use strongswan successfully as VPN to connect to AWS gateways in a
> VPC.
> Did you check the security groups to make sure strongswan traffic can pass
> through?
>
> On Tue, Sep 15, 2020 at 2:20 PM Dominik Reusser 
> wrote:
>
>> Has anyone successfully connected to AWS VPC? My connection is
>> established and ICMP packets are routed through the AWS cloud. However, UDP
>> and TCP packets - while being sent towards the AWS server (from tcpdump on
>> the client side) - do not appear in the logs of the VPC.
>>
>> With a corresponding setup with Openswan I get a working connection.
>> However, I would prefer to use strongSwan.
>>
>> If you have successfully connected to AWS VPC, could you please share
>> your configuration files?
>>
>> Thanks
>> Kind regards
>> Dominik
>>
>
>
> --
> Aurélien Vallée
> Phone +33 9 77 19 85 61
>


Re: [strongSwan] NATing around a subnet conflict

2020-09-15 Thread Tobias Brunner
Hi Tom,

> Any help and pointers to the appropriate documentation would be appreciated.

Please have a look at the ikev2/net2net-same-nets test scenario [1].

Regards,
Tobias

[1] https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/


Re: [strongSwan] KEY_ID encoding

2020-09-15 Thread Tobias Brunner
Hi Volodymyr,

>  ikev2-cisoasa {
> remote_addrs = %any
> local { ... }
> remote {
>   auth = psk
>   id = @#636973636f617361

This can't work.  The # character is used for comments, so you basically
configured an empty FQDN identity.  Either wrap this string in quotes

 id = "@#636973636f617361"

or use the keyid: prefix

 id = keyid:ciscoasa

Regards,
Tobias
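A small added illustration of the pitfall Tobias describes (example code, not strongSwan's own parser): a simplified model of the `key = value` comment and quoting rule, plus a simplified classifier for the `@`, `@#` and `keyid:` identity prefixes, run over the three constructed config lines from this thread. It assumes the comment rule (unquoted `#` starts a comment) and the prefix meanings stated in the reply and in the strongSwan docs; everything else about the real parser is left out.

```python
import binascii


def parse_setting(line):
    """Parse one `key = value` line the way a strongswan.conf-style
    file is read (simplified model): an unquoted '#' starts a comment,
    so everything from it onwards is dropped; a double-quoted value is
    taken literally, '#' included."""
    key, _, rest = line.partition("=")
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        value = rest[1:end] if end > 0 else rest[1:]
    else:
        value = rest.split("#", 1)[0].strip()
    return key.strip(), value


def parse_identity(value):
    """Classify an identity string by its prefix (simplified model of
    the strongSwan identity syntax):
      keyid:<str>  -> KEY_ID with the raw bytes of <str>
      @#<hex>      -> KEY_ID with the hex-decoded bytes
      @@<str>      -> RFC822 (e-mail) identity
      @<str>       -> FQDN, possibly empty if nothing follows the '@'
    Anything else (IP addresses, DNs) is not modelled here."""
    if value.startswith("keyid:"):
        return ("KEY_ID", value[len("keyid:"):].encode())
    if value.startswith("@#"):
        return ("KEY_ID", binascii.unhexlify(value[2:]))
    if value.startswith("@@"):
        return ("RFC822", value[2:])
    if value.startswith("@"):
        return ("FQDN", value[1:])
    return ("OTHER", value)


# Constructed sample lines: the broken form from the question and the
# two working forms from the answer.
CONSTRUCTED_LINES = [
    "id = @#636973636f617361",      # '#' starts a comment -> empty FQDN
    'id = "@#636973636f617361"',    # quoted -> KEY_ID b"ciscoasa"
    "id = keyid:ciscoasa",          # keyid: prefix -> KEY_ID b"ciscoasa"
]


def identities(lines=CONSTRUCTED_LINES):
    """Return the (type, value) identity each config line produces."""
    return [parse_identity(parse_setting(line)[1]) for line in lines]


if __name__ == "__main__":
    for line, ident in zip(CONSTRUCTED_LINES, identities()):
        print(f"{line!r:35} -> {ident}")
```

The first line yields `("FQDN", "")`, which is why the peer's KEY_ID never matched; the other two both decode to the same eight-byte KEY_ID.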


Re: [strongSwan] Android client - Use MSCHAPv2

2020-09-15 Thread Tobias Brunner
Hi,

> I just have to find out how to do that.. Charon does not seem to
> have any incidence on what is proposed to the client. My understanding
> now is radius is responsible for all of the possible EAP methods. Am I
> correct? 

Yes, if you use eap-radius, charon is not involved in this at all.

Regards,
Tobias