[strongSwan] XFRM Policy Lookups

2016-12-15 Thread Brian O'Connor
In the diagram at [1], I understand there is an xfrm lookup missing from the forwarding path, as evidenced by what I see in the output from the ip xfrm policy command, which shows three entries for a packet entering a VPN responder in an IPsec tunnel, being decrypted, and then forwarded out another IPsec tunnel, if my understanding of the ip xfrm policy output is correct.

I understand the xfrm policy lookup in the input path triggers decryption of the incoming IPsec packet, and the xfrm policy lookup in the output path triggers encryption of the outgoing packet.

My understanding of the packet flow through the diagram at [1] is probably highly erroneous, and I only have a beginner's level of IPsec knowledge overall, but what purpose does the xfrm lookup in the forwarding path serve, please?

Where can I find a beginner's level description of the xfrm process, please? I find the ip xfrm man page overwhelming.

[1] https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Regards,
Brian O'Connor


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
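As an added example (not code from the thread or from strongSwan), the script below parses the output of the ip xfrm policy command the poster refers to and sorts out what the three entries for one forwarded flow are for. In the Linux XFRM framework, a policy with dir in is the check applied to a decrypted packet that is delivered to a local process, dir fwd is the same check in the forwarding path, and dir out is the lookup that selects the SA the outgoing packet is encrypted with. strongSwan installs a fwd policy alongside every in policy; if the fwd twin is missing, a decrypted packet that has to be forwarded rather than delivered locally fails the forward-path check and is dropped, which is what the audit function looks for. The sample listing is constructed (documentation addresses, made-up reqids and priorities), with the return-direction fwd policy deliberately left out so the audit has something to report.

```python
"""Parse `ip xfrm policy` output and audit the in/fwd/out policy set.

Added example; not strongSwan code. The regexes follow the text layout
iproute2's `ip xfrm policy` prints on Linux.
"""
import re
from collections import defaultdict

# Constructed sample (documentation addresses only): a responder at
# 192.0.2.1 decrypts traffic from peer 198.51.100.1 (reqid 1, remote net
# 10.2.0.0/16) and forwards it into a second tunnel to 203.0.113.9
# (reqid 2, remote net 10.3.0.0/16). The 'fwd' policy of the return
# direction is deliberately omitted. The two 'socket' entries are the
# bypass policies a real listing also shows for the IKE socket.
SAMPLE_OUTPUT = """\
src 10.2.0.0/16 dst 10.3.0.0/16
\tdir fwd priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.3.0.0/16
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.3.0.0/16
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.1 dst 203.0.113.9
\t\tproto esp reqid 2 mode tunnel
src 10.3.0.0/16 dst 10.2.0.0/16
\tdir in priority 375423 ptype main
\ttmpl src 203.0.113.9 dst 192.0.2.1
\t\tproto esp reqid 2 mode tunnel
src 10.3.0.0/16 dst 10.2.0.0/16
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0 ptype main
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (in|out|fwd) priority (\d+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^\s+proto (\w+) reqid (\d+) mode (\w+)")


def parse_policies(text):
    """Turn the listing into dicts; 'socket' bypass policies keep dir=None."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:  # a new policy starts with its traffic selector
            cur = {"src": m[1], "dst": m[2], "dir": None, "priority": None,
                   "tmpl": None, "proto": None, "reqid": None, "mode": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m[1], int(m[2])
            continue
        m = TMPL_RE.match(line)
        if m:  # template: the tunnel endpoints the SA must have
            cur["tmpl"] = (m[1], m[2])
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["reqid"], cur["mode"] = m[1], int(m[2]), m[3]
    return policies


def group_by_selector(policies):
    """Map (src, dst) selector -> {dir: policy}; socket policies are skipped."""
    groups = defaultdict(dict)
    for p in policies:
        if p["dir"] is not None:
            groups[(p["src"], p["dst"])][p["dir"]] = p
    return groups


def policy_checks(policies, src, dst, forwarded):
    """(dir, reqid) of the policy lookups a decrypted packet matching
    src/dst meets, in order. Delivered locally: the 'in' check only.
    Forwarded into a second tunnel: the 'fwd' check, then the 'out'
    lookup that picks the SA it is encrypted with."""
    dirs = group_by_selector(policies).get((src, dst), {})
    wanted = ["fwd", "out"] if forwarded else ["in"]
    return [(d, dirs[d]["reqid"]) for d in wanted if d in dirs]


def audit_fwd_pairing(policies):
    """Report 'in' policies without a 'fwd' twin (or with a twin that
    names different tunnel endpoints): decrypted traffic on that SA can be
    delivered locally but is dropped if it has to be forwarded."""
    problems = []
    for (src, dst), dirs in sorted(group_by_selector(policies).items()):
        if "in" not in dirs:
            continue
        if "fwd" not in dirs:
            problems.append(f"{src} -> {dst}: 'in' policy (reqid "
                            f"{dirs['in']['reqid']}) has no 'fwd' twin")
        elif dirs["fwd"]["tmpl"] != dirs["in"]["tmpl"]:
            problems.append(f"{src} -> {dst}: 'in' and 'fwd' templates differ")
    return problems


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_OUTPUT)
    print("forwarded 10.2 -> 10.3:",
          policy_checks(pols, "10.2.0.0/16", "10.3.0.0/16", forwarded=True))
    for problem in audit_fwd_pairing(pols):
        print("AUDIT:", problem)
```

On a live system, replace SAMPLE_OUTPUT with the text of ip xfrm policy (for example via subprocess); the parser only relies on the src/dst, dir, tmpl and proto lines shown above.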

Re: [strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Noel,

I note your last message clearly emphasised that packets from a local process are processed twice via the output path of the graphic.

So, for forwarded traffic (as distinct from locally sourced packets), I understand the packet to flow through the mangle and nat postrouting chains twice, and the other iptables output chains for raw, mangle, nat and filter tables only once after encryption.

On the first pass through the mangle and nat postrouting chains, iptables rules would operate on the unencrypted payload packet and on the second pass on the IP headers of the encrypted IPsec packet.

Am I headed in the right direction please?

Brian


Re: [strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Thank you, Noel.

I am trying to understand how the inner and outer IP headers for tunneled IPsec packets are processed by iptables, to help troubleshoot an anomalous situation I found.

I think I have the decryption process clear but was not clear on the iptables processing for encrypted packets.  From what you said, it looks like the NAT-T header is added after the iptables processing of an outbound encrypted packet, on the second pass by the outbound XFRM lookup. Is my understanding correct?

TIA,
Brian


[strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Hello,

The commonly quoted packet flow diagram at [1] does not show where NAT-T is implemented for IPsec MOBIKE.  Questions are:

  1.  Where in the diagram is NAT-T de-capsulation performed?

  2.  Where in the diagram is NAT-T encapsulation performed?

  3.  Does the NAT-T UDP header have to be removed so the iptables IPsec policy module can operate?

  4.  Traffic from the topmost "local process" block flows to a "routing decision" block.  Is this to prevent a local IPsec connection (to loopback address, possibly) from being encrypted?

  [1]  http://inai.de/images/nf-packet-flow.png

TIA,
Brian



Re: [strongSwan] Abbreviations

2016-10-14 Thread Brian O'Connor
Thank you,  Andreas.

Is there any way I can display the presently set numerical logging levels (-1 to 4) for the 18 daemon subsystems that can originate log messages, please?

Thanks,
Brian


[strongSwan] Abbreviations

2016-10-13 Thread Brian O'Connor
Hi,

In the logging output of IKE exchanges, the terms 

[ HASH CPRQ(X_USER X_PWD) ]

[ HASH CPRP(X_USER X_PWD) ]

are often encountered.

What do CPRQ and CPRP stand for, please?  Is there a dictionary of strongSwan abbreviations somewhere?

TIA,
Brian


[strongSwan] IKEv1 XAuth EAP Plugin

2016-09-28 Thread Brian O'Connor
I have the XAuth EAP Plugin enabled in my IPsec VPN responder, along
with a number of eap plugins.  I did not build this version of strongSwan
(5.2.1) but downloaded it from a Raspberry Pi repository.

My /etc/ipsec.secrets file contains entries similar to:

Fred  :  EAP  "1234567"

fred   :  XAUTH  "deadbeef1234567"

Please note the different capitalisation of the letter f for the two different
usernames.


My iPhone 4 Cisco IPsec VPN client has an X.509 entity certificate
and is configured with username=fred and password=1234567

My /etc/ipsec.conf file is configured as follows:

conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add

As the iPhone password is not the same as the XAUTH password in
/etc/ipsec.secrets, I was not expecting authentication to succeed.

However [1] notes it may not be this simple.

The /xauth-eap/ plugin is an IKEv1 XAuth server backend. It requests
username/password XAuth credentials and verifies them against
any password based IKEv2 EAP plugin.

My experience suggests the password is checked but not the
username.  I was not expecting Fred's password to successfully
authenticate a request from user fred (note the lower case f).

The following log output suggests username is compared along with password.

01[ENC]  generating TRANSACTION request 2160949662 [ HASH CPRQ(X_USER X_PWD) ]
11[ENC]  parsed TRANSACTION response 2160949662 [ HASH CPRP(X_USER X_PWD) ]
11[IKE]  XAuth authentication of 'fred' successful

The other possible reason for my observed behaviour is that a truncated password is used in the hash calculation, but I would doubt that is the case.

My iPhone X.509 certificate has the serverAuth flag set as required by Windows 7 but I don't think this would explain what I am seeing.

Any help appreciated, thank you.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/XAuthEAP
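The post above observes that user fred was accepted with the EAP password stored for Fred. The following is an added model of a secrets lookup, not strongSwan code: it assumes, as the observation suggests, that identities are matched without regard to case, and the thread does not establish whether strongSwan actually does so. What the model does show is the risk for anyone maintaining an /etc/ipsec.secrets file: under a case-folding lookup, two entries whose identities differ only in capitalisation are one account with two passwords, and the xauth-eap backend as described at [1] only consults EAP-type secrets, so the XAUTH entry is never what authenticates the user. The case_collisions check at the end is the audit a defender would run over such a file. The secrets lines are constructed copies of the two the post describes.

```python
"""Model of an ipsec.secrets lookup: what a case-folding identity match
does to two entries that differ only in case. Added example, not
strongSwan code; case-insensitive matching is an assumption consistent
with the behaviour reported in the post."""
import hmac
import re

# Constructed copy of the two entries described in the post.
IPSEC_SECRETS = '''
# identity : TYPE "password"
Fred  :  EAP  "1234567"
fred  :  XAUTH  "deadbeef1234567"
'''

# identity : TYPE "password"  (the simple one-identity form used above)
SECRET_LINE = re.compile(r'^(\S+)\s*:\s*(EAP|XAUTH)\s+"([^"]*)"\s*$')


def parse_secrets(text):
    """Return (identity, type, password) triples; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECRET_LINE.match(line)
        if m:
            entries.append((m[1], m[2], m[3]))
    return entries


def candidate_secrets(entries, kind, identity, fold_case):
    """Passwords of the given type whose identity matches `identity`,
    compared case-insensitively when fold_case is True."""
    norm = (lambda s: s.lower()) if fold_case else (lambda s: s)
    return [pw for ident, k, pw in entries
            if k == kind and norm(ident) == norm(identity)]


def xauth_eap_accepts(entries, username, password, fold_case):
    """Model of the xauth-eap backend quoted in the post: the XAuth
    username/password pair is verified against EAP-type secrets only.
    Constant-time comparison so the check itself leaks nothing about
    how much of a wrong password matched."""
    return any(hmac.compare_digest(pw.encode(), password.encode())
               for pw in candidate_secrets(entries, "EAP", username, fold_case))


def case_collisions(entries):
    """Identities that appear in more than one spelling differing only
    by case; a case-folding lookup treats them as a single account."""
    spellings = {}
    for ident, _, _ in entries:
        spellings.setdefault(ident.lower(), set()).add(ident)
    return sorted(k for k, v in spellings.items() if len(v) > 1)


if __name__ == "__main__":
    secrets_db = parse_secrets(IPSEC_SECRETS)
    for fold in (True, False):
        print("fold_case =", fold, "-> fred/1234567 accepted:",
              xauth_eap_accepts(secrets_db, "fred", "1234567", fold))
    print("identities colliding under case folding:", case_collisions(secrets_db))
```

Under the case-folding model the lower-case user is accepted with the other entry's EAP password, exactly the outcome reported in the post, and the audit flags the pair; with strict matching the same request is rejected.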


[strongSwan] kernel-libipsec charon plugin and Android VPN Client

2016-08-03 Thread Brian O'Connor
Hello,

I have recently been doing some tests with an Android tablet version of
strongSwan.  It appears that the Android app uses the kernel-libipsec
charon plugin to avoid limitations imposed by the app running in a very
restricted user environment in the tablet.  My tablet is not rooted.

What I am seeing on the tablet is that it uses routing table 60, creates
interface tun0 and some routing policy database rules.  My tablet will
not let me access the iptables or ip xfrm commands. This is why I
suspect the Android strongSwan app, presumably running in a very
tightly constrained userspace environment, uses the charon
kernel-libipsec plugin. Is there a way to access iptables and ip  xfrm
functionality on a non-rooted tablet?

Given my assumption above, is it correct that the libipsec plugin
also does SNAT on outgoing encrypted packets?  The ip rule
command shows 100: from all fwmark 0x3c lookup 60.

The kernel netfilter packet flow diagram at [1] documents how
IPSec interacts with the xfrm process for IPSec encapsulation
and decapsulation, and iptables for SNAT.  Is there a diagram
somewhere that shows how the charon kernel-libipsec plugin
interacts  with diagram [1], please?  I sort of expect the charon
plugin operates entirely in the application layer, forward path,
local process, part of this diagram and that it also performs SNAT.

If not, how does a non-rooted Android tablet that cannot use
iptables to do SNAT and the xfrm process for IPSec processing
operate, please?

I am not a programmer and have not been able to find much on
the inner workings of the charon plugin.

 [1]  inai.de/images/nf-packet-flow.png 


Regards,
Brian