Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-02 Thread Eric Germann


> On Jun 2, 2022, at 3:50 AM, Tobias Brunner  wrote:
> 
> Hi Eric,
> 
>> Does ".reauth_time" and leaving "break_before_make" alone force a 
>> reauth and certificate validity check on IKE/ISAKMP from non-cached CRLs?
> 
> Could you please clarify your question (e.g. why do you mention 
> break_before_make in this context?

make_before_break defaults to no.  1) no interruptions in link 2) impact on CRL 
test

> what do you mean with "from non-cached CRLs”?

This was testing to see if it would pull the CRL on each reauth.  In my mind, 
if the CRL is hosted and changes and the CRL is never reloaded from its source, 
a revoked certificate can be used up until a start/restart occurs.

> are you considering setting reauth_time on the client or the server -

Yes.  No effect on CRL reload.

> and with what type of authentication/config?

Certs for auth

> why do you mention ISAKMP, are you actually considering using IKEv1?).

Not considering IKEv1

Looks like if the server cert is revoked, I will need to reach out to all spoke 
instances to bounce so they’ll find out it’s revoked.


> 
> Regards,
> Tobias



Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Eric Germann
Does ".reauth_time" and leaving "break_before_make" alone force a reauth 
and certificate validity check on IKE/ISAKMP from non-cached CRLs?

Apologies for all the questions.

Eric


> On Jun 1, 2022, at 10:43 AM, Tobias Brunner  wrote:
> 
> Hi Eric,
> 
>> 16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   using certificate "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   using trusted ca certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] checking certificate status of "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> >>>>> 16[CFG]   fetching crl from 'https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl' … <<<<
>> 16[CFG]   using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   crl is valid: until Oct 13 19:33:11 2049
>> 16[CFG] certificate status is good
>> 16[CFG]   reached self-signed root ca with a path length of 0
> 
> This happens on demand when the peer certificate is verified, not when the 
> daemon is started.
> 
> Regards,
> Tobias



Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Eric Germann
crluri = "https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl"

16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG]   using certificate "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG]   using trusted ca certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG] checking certificate status of "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>>>>> 16[CFG]   fetching crl from 'https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl' … <<<<
16[CFG]   using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG]   crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG]   crl is valid: until Oct 13 19:33:11 2049
16[CFG] certificate status is good
16[CFG]   reached self-signed root ca with a path length of 0

---
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1

> On Jun 1, 2022, at 3:39 AM, Tobias Brunner  wrote:
> 
> Hi Eric,
> 
>> What's the point of SS having an option to auto fetch a CRL at startup 
> 
> There is no such option.
> 
> Regards,
> Tobias



[strongSwan] PGP Key used for signing

2021-07-06 Thread Eric Germann
What PGP key is used for signing of the source files?



Re: [strongSwan] Route based VPN Strongswan IPsec tunnel

2018-07-24 Thread Eric Germann
I did them by building GRE tunnels, then wrapping GRE inside IPsec. 

It’s been a while, so I’m not sure if there is a simpler way, but I then ran BGP over 
the GRE tunnel for dynamic routing.

EKG


> On Jul 24, 2018, at 13:08, Kaushal Shriyan  wrote:
> 
> Hi,
> 
> Are there any steps to set up route based VPN using Strongswan IPsec tunnel?
> 
> Thanks in Advance.
> 
> Best Regards,
> 
> Kaushal
> 




Re: [strongSwan] Making pcrypt stick across boots

2017-10-02 Thread Eric Germann
I started (in /etc/rc.local) with

/usr/sbin/modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
/usr/sbin/modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3

That dropped me into a reboot loop with CentOS 7 on AWS.

I then moved to (in /etc/rc.modules)

modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3

No reboot loop, but no effect either.  I do ignore the output (saw that part of 
the doc on the site).

EKG


> On Oct 2, 2017, at 2:46 AM, Noel Kuntze 
> <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> 
> Hi Eric,
> 
>> I’ve gone down the path of exploring parallelization of crypto in Strongswan 
>> from [1].
> 
> s/Strongswan/Linux kernel/
> 
> 
>> My question to the group is, how does one make it stick across boots?  I 
>> tried the trick of putting the modprobe in /etc/rc.local and That Was Bad 
>> (continuous reboot loop).  Backed it out and we’re ok.  Obviously there has 
>> to be a better way.  Wondering what the proper way in Centos 7 is for this 
>> module.
> 
> Well, load pcrypt, but then load tcrypt with the parameters *and do not care 
> about the exit code*. Loading tcrypt will always error out, even if it 
> configured everything as you wanted.
> 
> What did you do exactly?
> 
> Kind regards
> 
> Noel
> 
> On 02.10.2017 02:24, Eric Germann wrote:
>> I’ve gone down the path of exploring parallelization of crypto in Strongswan 
>> from [1].
>> 
>> It seems to be working as a) the expected output shows up in ‘cat 
>> /proc/crypto’ and b) under load in htop, it’s now showing kernel activity on 
>> all cores vs. a single core before (not sophisticated, but it definitely 
>> changed after the modprobe).
>> 
>> My question to the group is, how does one make it stick across boots?  I 
>> tried the trick of putting the modprobe in /etc/rc.local and That Was Bad 
>> (continuous reboot loop).  Backed it out and we’re ok.  Obviously there has 
>> to be a better way.  Wondering what the proper way in Centos 7 is for this 
>> module.
>> 
>> The process in [2] doesn’t seem to work for installing them.
>> 
>> Thanks for sharing any experiences.
>> 
>> EKG
>> 
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt
>> [2] 
>> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-kernel-modules-persistant.html
> 
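Noel's advice in the message above, turned into a script (added here; it is not code from the thread or from the strongSwan wiki): load pcrypt, ask tcrypt for the template while ignoring its exit code, and then confirm in /proc/crypto that an rfc4106(gcm(aes)) entry backed by a pcrypt driver really exists, since neither modprobe's output nor its exit status tells you that. The /proc/crypto excerpt embedded for the demo is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the thread or the strongSwan wiki.
# Loads the pcrypt template the way Noel describes and then checks /proc/crypto,
# because tcrypt's exit code says nothing about whether the template landed.

# Print "yes" if the /proc/crypto text on stdin has an rfc4106(gcm(aes))
# entry whose driver is wrapped by pcrypt, else "no".
has_pcrypt_gcm() {
    awk '
        function check() {
            if (name == "rfc4106(gcm(aes))" && driver ~ /^pcrypt\(/) found = 1
            name = ""; driver = ""
        }
        /^name[ \t]*:/   { name = $3 }
        /^driver[ \t]*:/ { driver = $3 }
        /^$/             { check() }        # a blank line ends an entry
        END              { check(); print (found ? "yes" : "no") }
    '
}

# Load pcrypt, then ask tcrypt to instantiate the template. tcrypt is a test
# module that never stays loaded, so its exit code is ignored on purpose; the
# /proc/crypto check afterwards is the real result.
load_pcrypt_gcm() {
    modprobe pcrypt || return 1
    modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3 2>/dev/null || true
    modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3 2>/dev/null || true
    [ "$(has_pcrypt_gcm < /proc/crypto)" = yes ]
}

# Constructed /proc/crypto excerpt (not captured from a real host): the plain
# AES-NI driver followed by the same algorithm wrapped by pcrypt.
sample_proc_crypto() {
    cat <<'EOF'
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : aead

name         : rfc4106(gcm(aes))
driver       : pcrypt(rfc4106-gcm-aesni)
module       : pcrypt
priority     : 2100
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
EOF
}

# Usage: "load" on the router (as root, e.g. from a boot script), "check" to
# inspect the running kernel, "demo" to run the parser over the sample above.
case "${1:-}" in
    load)  load_pcrypt_gcm ;;
    check) has_pcrypt_gcm < /proc/crypto ;;
    demo)  sample_proc_crypto | has_pcrypt_gcm ;;
esac
```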



[strongSwan] Making pcrypt stick across boots

2017-10-01 Thread Eric Germann
I’ve gone down the path of exploring parallelization of crypto in Strongswan 
from [1].

It seems to be working as a) the expected output shows up in ‘cat /proc/crypto’ 
and b) under load in htop, it’s now showing kernel activity on all cores vs. a 
single core before (not sophisticated, but it definitely changed after the 
modprobe).

My question to the group is, how does one make it stick across boots?  I tried 
the trick of putting the modprobe in /etc/rc.local and That Was Bad (continuous 
reboot loop).  Backed it out and we’re ok.  Obviously there has to be a better 
way.  Wondering what the proper way in CentOS 7 is for this module.

The process in [2] doesn’t seem to work for installing them.

Thanks for sharing any experiences.

EKG

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt 

[2] 
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-kernel-modules-persistant.html
 




Re: [strongSwan] Fun with AWS, primary connection there but can't route out to remote subnets

2017-09-23 Thread Eric Germann
Do your SGs on the AWS side allow the remote IPs inbound to the target IPs 
on the AWS side?

Also, we set reqid to a value on the conn block in ipsec.conf (although I don’t 
think it’s necessarily required if you’re OK with random reqids).

In /etc/sysconfig/iptables, we then set:

-A FORWARD -m comment --comment "Process inbound IPsec traffic"
-A FORWARD -s 100.126.4.208/28 -i eth0 -m policy --dir in  --pol ipsec --reqid 1 --proto esp -j ACCEPT

-A FORWARD -m comment --comment "Process outbound IPsec traffic"
-A FORWARD -d 100.126.4.208/28 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT


If we don’t set reqids, we can get away without specifying them and have 
something along the lines of

-A FORWARD -s 100.126.4.208/28 -j ACCEPT
-A FORWARD -d 100.125.4.208/28 -j ACCEPT

N.B. you’ll need FORWARD stanzas for your VPC network block also.

Also, our routers are CentOS 6/7.

Email me off list if you want to get deeper.  We have hundreds of tunnels on 
AWS using StrongSwan.

EKG



> On Sep 23, 2017, at 3:24 PM, Whit Blauvelt  wrote:
> 
> A small bit of evidence on where I'm stuck:
> 
> Both ends can ping through the tunnel each other on any of their several
> IPs.
> 
> When the non-Amazon end pings addresses behind the AWS instance, those pings
> make it to the AWS instance. When the AWS instance pings addresses behind
> the non-Amazon end, the pings don't make it that far. 
> 
> So something's screwed up with the routing out of Amazon. I do have a
> routing table set up in AWS to send traffic for the office-side subnets to
> the interface ID of the strongSwan instance.
> 
> So this route, to an IP on the strongSwan box, works for pings:
> 
> # ip ro get 172.17.10.3
> 172.17.10.3 via 172.18.30.1 dev eth0  src 172.18.30.93 
>cache 
> 
> This, to another IP on that same subnet, does not get to 172.17.10.3 as it
> should:
> 
> # ip ro get 172.17.10.2
> 172.17.10.2 via 172.18.30.1 dev eth0  src 172.18.30.93 
>cache 
> 
> However it routes to the public just fine:
> 
> # ip ro get 8.8.8.8
> 8.8.8.8 via 172.18.30.1 dev eth0  src 172.18.30.93 
>cache 
> 
> I don't really know what Amazon has at 172.18.30.1, nor what's required to
> clear that in the right way. Perhaps it's not Netfilter at all, but just the
> opaque operations of AWS that block me. 
> 
> Thanks,
> Whit





Re: [strongSwan] Is there good documentation on Netfilter/iptables strategies with strongSwan?

2017-09-23 Thread Eric Germann
First off in AWS, if you’re going to be a router, have you disabled 
“Source/Destination Check” (or something to that effect) in the instance 
properties?  If not, the instance will work across the tunnel, but you won’t be 
able to route through it. 

EKG


> On Sep 23, 2017, at 10:37, Whit Blauvelt  wrote:
> 
> Hi,
> 
> I find discussion three years ago in this list on using iptables marks with
> strongSwan, and see suggestions there may be some of that it does
> automatically in the background. There was discussion three years back about
> researching different advanced methods. If it reached a clear conclusion, I
> haven't found it.
> 
> I have also found a partial discussion elsewhere of possible conflicts
> between strongSwan's methods and the marking techniques used by FireHOL, but
> again without full resolution or a final summary document. In my own case
> I'm finding FireHOL and its link-balancer utility invaluable.
> 
> I'm also not yet routing correctly to the subnets behind a system with those
> on one end and the subnets behind one on AWS on the other -- where the AWS
> instance has a slight complication in that it's got several interfaces, one
> on a VPC, the other -- which strongSwan is connecting to -- not.
> 
> A few years back, when running openswan, I'd set up iptables like this:
> 
>  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
>  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
>  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
>  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
>  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
> 
> Worked well there. Obviously it's not a good formula for strongSwan (I've of
> course tried it). Can someone please point me to either a good background
> discussion or a good current set of examples showing how to get strongSwan
> and Netfilter working correctly together?
> 
> I realize strongSwan works on platforms other than Linux, so documenting
> Netfilter or pf or whatever isn't central to its mission. Still, in an ideal
> world its documents will expand to include theory and recipes for the
> various firewalls it is commonly used with.
> 
> Best,
> Whit




Re: [strongSwan] Trying to work out why connection not being established from AWS

2017-09-22 Thread Eric Germann
Not sure what your config is, but in our AWS deployments of Strongswan, we set

left = the IP address of the instance within the VPC (the address assigned to 
the interface)
leftid = the Elastic IP

Make sure your Security Groups reflect UDP 500 and 4500 from the remote IP as 
it will try and use NAT-T (or should).

Works like a champ.

EKG


> On Sep 22, 2017, at 10:03 AM, Whit Blauvelt  wrote:
> 
> On Thu, Sep 21, 2017 at 11:50:43PM +0200, Noel Kuntze wrote:
>> 1. Always provide all the information that is listed on the HelpRequests[1] 
>> page when you want something solved
> 
> Thanks for the reference. Hadn't see that page.
> 
>> 2. Read your damn logs, they tell you what's wrong.
> 
> Did, and they don't. Perhaps I have to set a log level higher somewhere?
> 
>> 3.
>>> Listening IP addresses:
>>>  172.18.30.93
>>>  172.18.14.157
>>>  10.60.30.1
>>> Connections:
>>>   ny2or:  ela.sti.cip.245...pub.lic.ip.108  IKEv2
>> [...]
>>> Security Associations (0 up, 1 connecting):
>>>   ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
>> 
>> No ela.sti.cip.245 IP on this host, so you obviously can't send any
>> packets from that IP address. charon likely logs error -22 when trying to
>> send the packets. Do not set left. charon can figure out the right IP by
>> itself.
> 
> First I tried setting that to the LAN IP which connects to the elastic IP,
> but that didn't work either; failed in just the same way. Also, the elastic
> IP set does exist on the VM, as it's been assigned as an alias to lo (a
> trick the libreswan people recommend). 
> 
>> In any case, do not use tutorials from other sites. Always use the ones on
>> the wiki. They are actually maintained, "good" and you have someone to
>> complain about the quality and errors. You can even fix them yourself, if
>> you have a wiki account (or register for one).
> 
> That's just wrong. The wiki was the first place I looked. See
> https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc 
> , which says "DO
> NOT USE - ANCIENT ARTICLE." Since this is the first thing found by Google on
> putting in pertinent terms, if there's another article on the site which is
> current, please point me towards it, and I'll add a cross-reference on that
> wiki page.
> 
> Best,
> Whit





Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Eric Germann
I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down 
but needed and starts passing traffic.

EKG

> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson <tu...@bayour.com> wrote:
> 
> I’ve been playing with:
> 
>     type=tunnel
>     auto=start
>     dpdaction=restart
>     dpddelay=2400s
> 
> which never worked. I’ve now changed this to:
> 
>     type=tunnel
>     auto=start
>     dpdaction=restart
>     dpddelay=10
>     dpdtimeout=60
> 
> and so far so good. Although I haven’t waited long enough, so I’m
> going to let it be for the next few days to see if that works in the long
> run.
> 
> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
> in London that need access to databases in Ireland to work.
> 
> 
> I’m considering setting up DBs in London as well, but that will both
> cost a small fortune AND replication/updates on the DBs will be
> problematic. So I’d prefer a “perfect” link between them...
> 
> 
>> On 13 Sep 2017, at 20:16, Noel Kuntze 
>> <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
>> 
>> Hi,
>> 
>> DPD just checks if the remote peer is still "there" and reachable. It 
>> doesn't do anything with the CHILD_SAs.
>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't 
>> work anymore if the NAT mapping on an intermediate NAT router
>> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without 
>> renegotiating new ones, destroying the tunnel.
>> 
>> Use auto=route (swanctl equivalent is start_action=trap), as advised 
>> previously.
>> 
>> Kind regards
>> 
>> Noel
>> 
>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>> Am 13.09.2017 um 17:33 schrieb Eric Germann:
>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
>>>> interesting traffic going and it will stay up.
>>>> 
>>>> If you have the ability to set "auto = route" it will reestablish the 
>>>> tunnel as needed. We run several hundred tunnels this way in AWS without 
>>>> issue.
>>>> 
>>>> EKG
>>>> 
>>>> 
>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <tu...@bayour.com> wrote:
>>>>> 
>>>>> I’m trying to setup a tunnel between two regions in
>>>>> AWS.
>>>>> 
>>>>> Works fine, other than the fact that Strongswan seems to take
>>>>> down the tunnel automatically (?) after a few hours.
>>>>> 
>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>>> the connection automatically?
>>>>> 
>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>> 
>>> 
>>> Michael Schwartzkopff
>>> 
>>> Mit freundlichen Grüßen,
>>> 
>> 
> 





Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Eric Germann
Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting 
traffic going and it will stay up.

If you have the ability to set "auto = route" it will reestablish the tunnel as 
needed. We run several hundred tunnels this way in AWS without issue.  

EKG


> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
> 
> I’m trying to setup a tunnel between two regions in
> AWS.
> 
> Works fine, other than the fact that Strongswan seems to take
> down the tunnel automatically (?) after a few hours.
> 
> How can I 1) make sure there’s no timeout (?) and 2) that IF
> the tunnel goes down, for whatever reason, that it will reinitiate
> the connection automatically?
> 




Re: [strongSwan] strongSwan in a virtualized environment

2017-09-11 Thread Eric Germann
What are your strong requirements?

We routinely get 400Mbps out of a t2.small on AWS (1 CPU, 2GB RAM) running 
aes128gcm16-prfsha256-curve25519.

EKG

> On Sep 11, 2017, at 9:18 AM, mike.ettr...@bertelsmann.de wrote:
> 
> Hi!
> We are planning to run a strongSwan installation in a virtualized 
> environment, but the performance requirements are very strong. May be you 
> have experiences with such an environment and you have answers to our 
> questions. 
>  
> Do you know if there are special requirements to the environment to run 
> strongSwan in a virtualized environment?
> Do you know the reduction of vpn-throughput when using a virtual network?
> Do you have measurement values due to virtualized environments?
>  
> Kind regards,
> Mike.





Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Eric Germann
You want --disable-curve25519 to be --enable-curve25519

EKG

> On Aug 30, 2017, at 4:24 AM, Gyula Kovács  
> wrote:
> 
> Hi All,
> 
> I've just updated strongSwan from 5.5.1 to 5.6.0.
> After the update, I got the "configured DH group CURVE_25519 not supported" 
> error message.
> The target was working fine before the update, the configuration files were 
> not changed during the update.
> I found some information on the internet, so I know that Curve25519 support 
> was introduced in 5.5.2.
> I checked the build configuration options, and disabled the curve25519 
> support (--disable-curve25519), but it did not help.
> I have no idea what might cause the problem.
> Any help would be appreciated.
> 
> Best regards,
> Gyula Kovacs
> 
> I added the technical details here.
> 
> Target system:
> - Linux 3.18.31 #1 PREEMPT Tue Aug 29 12:27:09 CEST 2017 armv7l GNU/Linux
> - OpenSSL 1.0.2l  25 May 2017
> - strongSwan configuration options:
>   --build=x86_64-linux --host=arm-oe-linux-gnueabi 
> --target=arm-oe-linux-gnueabi
>   --prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
>   --libexecdir=/usr/lib/strongswan --datadir=/usr/share --sysconfdir=/etc
>   --sharedstatedir=/com --localstatedir=/var --libdir=/usr/lib 
> --includedir=/usr/include
>   --oldincludedir=/usr/include --infodir=/usr/share/info 
> --mandir=/usr/share/man
>   --disable-silent-rules --disable-dependency-tracking 
> --with-libtool-sysroot=/oe-core/build/tmp-glibc/sysroots/
>   --without-lib-prefix --without-systemdsystemunitdir --disable-aesni 
> --enable-charon --enable-curl --disable-curve25519
>   --enable-gmp --disable-ldap --disable-mysql --enable-openssl 
> --disable-scepclient --disable-soup --enable-sqlite
>   --enable-stroke --disable-swanctl --disable-systemd
> 
> Opponent:
> - Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686 GNU/Linux
> - OpenSSL 1.0.1t  3 May 2016
> - strongSwan configuration options:
>   ./configure --prefix=/usr --sysconfdir=/etc --disable-curve25519
> 
> Error message:
> root@mdm9640:~# ipsec up host-host-psk-lan
> initiating IKE_SA host-host-psk-lan[1] to 160.48.99.124
> configured DH group CURVE_25519 not supported
> tried to checkin and delete nonexisting IKE_SA
> establishing connection 'host-host-psk-lan' failed
> root@mdm9640:~#
> 
> root@mdm9640:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.18.31, armv7l):
>   uptime: 13 seconds, since Jan 01 00:01:30 1970
>   malloc: sbrk 540672, mmap 0, used 229400, free 311272
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 0
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink resolve 
> socket-default stroke vici updown xauth-generic
> Listening IP addresses:
>   160.48.99.98
>   160.48.199.98
> Connections:
> host-host-psk-lan:  160.48.99.98...160.48.99.124  IKEv2
> host-host-psk-lan:   local:  [160.48.99.98] uses pre-shared key authentication
> host-host-psk-lan:   remote: [160.48.99.124] uses pre-shared key 
> authentication
> host-host-psk-lan:   child:  dynamic === dynamic TRANSPORT
> Security Associations (0 up, 0 connecting):
>   none
> root@mdm9640:~#
> 
> Log files:
> root@mdm9640:~# cat /var/log/charon.log
> Jan  1 00:03:35 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 
> 3.18.31, armv7l)
> Jan  1 00:03:35 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan  1 00:03:35 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan  1 00:03:35 00[CFG] loading ocsp signer certificates from 
> '/etc/ipsec.d/ocspcerts'
> Jan  1 00:03:35 00[CFG] loading attribute certificates from 
> '/etc/ipsec.d/acerts'
> Jan  1 00:03:35 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  1 00:03:35 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.99.124
> Jan  1 00:03:35 00[CFG]   loaded IKE secret for 160.48.199.124
> Jan  1 00:03:35 00[CFG]   loaded RSA private key from 
> '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan  1 00:03:35 00[CFG]   loaded RSA private key from 
> '/etc/ipsec.d/private/ATM-02_IPsec-internal.key'
> Jan  1 00:03:35 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 
> dnskey sshkey pem openssl gmp xcbc cmac hmac curl sqlite attr kernel-netlink 
> resolve socket-default stroke vici updown xauth-generic
> Jan  1 00:03:35 00[JOB] spawning 16 worker threads
> Jan  1 00:03:35 05[CFG] received stroke: add connection 'host-host-psk-lan'
> Jan  1 00:03:35 05[CFG] added configuration 'host-host-psk-lan'
> Jan  1 00:03:54 07[CFG] received stroke: initiate 'host-host-psk-lan'
> Jan  1 00:03:54 09[IKE]  initiating IKE_SA 
> host-host-psk-lan[1] to 160.48.99.124
> Jan 

Re: [strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE

2017-05-26 Thread Eric Germann
You can’t do it in Strongswan directly, but if you combine SS + iptables you 
can (assuming Linux here, but concept is same).

rightsubnet = 172.27.186.64/28  # This puts 172.27.186.64 -> 80 in the tunnel scope
leftsubnet = 172.30.200.172/29  # This puts 172.30.200.172 -> 180 in the tunnel scope


Then in iptables, do explicit FORWARD statements for the hosts (/32s) you want 
to forward.  You can get as fancy or simple as you want, from all 
ports/protocols to individual port/protocol combinations with state tracking.

Let SS do the forwarding/crypto and the FW do the access control.

EKG

> On May 26, 2017, at 8:27 AM, Noel Kuntze 
>  wrote:
> 
> Hello Chris,
> 
> You can't.
> 
> Kind regards,
> Noel
> 
> On 26.05.2017 10:30, christopher kamutumwa wrote:
>> Hello all,
>> 
>> I have a query how can i configure multiple ChildSAs in a range on ips in 
>> the ipsec.conf file e.g below ips
>> 
>> right subnet = 172.27.186.71-74
>> right subnet = 172.27.186.64-66
>> left subnet = 172.30.200.172-176
>> 
>> will appreciate any help rendered
>> 
>> regards
>> 
>> chris
>> 
>> 
> 
> <0x0739AD6C.asc>
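The policy-match rules from the AWS routing thread further up (ACCEPT keyed to the tunnel's reqid) and the per-host FORWARD approach in this message fit together; the script below, added here and not taken from either post, emits iptables-save style FORWARD rules that accept only traffic decapsulated from (or about to be encapsulated into) the SA with that reqid, only between listed host pairs, and drops the rest of the negotiated subnets. It also refuses a pair whose host lies outside the subnet negotiated for its side, since such a rule could never match tunnel traffic. The subnets follow Eric's example; the interface, reqid and host pairs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not a script from the list posts. Emits iptables-save style
# FORWARD rules: the policy match pins every ACCEPT to the tunnel's reqid, so
# only traffic decapsulated from (or about to be encapsulated into) that IPsec
# SA is forwarded, and explicit /32 pairs let only chosen hosts inside the
# negotiated subnets talk; the rest of the two subnets is dropped.
# Interface, reqid and host pairs are constructed placeholders.

# Dotted quad to integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if host $1 lies inside CIDR $2 (e.g. 172.27.186.64/28).
in_cidr() {
    net="${2%/*}"
    case "$2" in */*) bits="${2#*/}" ;; *) bits=32 ;; esac
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ipsec_forward_rules IFACE REQID LEFTSUBNET RIGHTSUBNET "left:right left:right ..."
# Prints the rules, or fails when a host is outside the subnet strongSwan
# negotiated for its side (such a rule could never match tunnel traffic).
ipsec_forward_rules() {
    iface="$1" reqid="$2" lsub="$3" rsub="$4" pairs="$5"
    pol_in="-i $iface -m policy --dir in  --pol ipsec --reqid $reqid --proto esp"
    pol_out="-o $iface -m policy --dir out --pol ipsec --reqid $reqid --proto esp"

    printf '%s\n' "-A FORWARD -m comment --comment \"IPsec reqid $reqid: allowed host pairs\""
    for p in $pairs; do
        l="${p%:*}"; r="${p#*:}"
        in_cidr "$l" "$lsub" || { echo "$l is not inside leftsubnet $lsub" >&2; return 1; }
        in_cidr "$r" "$rsub" || { echo "$r is not inside rightsubnet $rsub" >&2; return 1; }
        printf '%s\n' "-A FORWARD -s $r/32 -d $l/32 $pol_in -j ACCEPT"   # remote -> local
        printf '%s\n' "-A FORWARD -s $l/32 -d $r/32 $pol_out -j ACCEPT"  # local -> remote
    done
    # Everything else inside the tunnel's traffic selectors is refused.
    printf '%s\n' "-A FORWARD -s $rsub -d $lsub -j DROP"
    printf '%s\n' "-A FORWARD -s $lsub -d $rsub -j DROP"
}
```

Run it as `ipsec_forward_rules eth0 1 172.30.200.172/29 172.27.186.64/28 "172.30.200.173:172.27.186.71"` and paste the output into the FORWARD section of /etc/sysconfig/iptables; the reqid must match the one set on the conn.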





Re: [strongSwan] Meshed VPN with dynamic routing

2017-05-03 Thread Eric Germann
Build GRE tunnels between sites.

Wrap GRE in IPSec for encryption.

Run BGP over the GRE interfaces.

I do this to tunnel traffic from Cloud providers across the globe.

EKG

> On May 3, 2017, at 4:32 PM, Michael Schwartzkopff  wrote:
> 
> Hi,
> 
> I am thinking about a fully meshed VPN like described in
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/SubnetsBehindMoreThanTwoGateways
> 
> But I want to make the routing dynamic. So if the link between site A and site
> B is interrupted the traffic between the subnets can be routed via the site C.
> Is such a scenario possible? How? Any hints?
> 
> Mit freundlichen Grüßen,
> 
> Michael Schwartzkopff
> 
> --
> 
> [*] sys4 AG
> 
> http://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
> 
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users




Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Eric Germann

> On Jan 18, 2017, at 1:25 PM, Noel Kuntze  wrote:
> 

Show me how to get SNMP stats per connection definition so we don’t have to use 
NetFlow and I’m all in.

> Unrelated to the topic: Please try to avoid using the old, unmaintained, bug 
> ridden net-tools. Use iproute2 for everything (which you can do!).
> 
> -- 
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Eric Germann
Just a minor point.  OpenVPN can create tun interfaces, although that one 
interface is associated with all the clients connecting to that port.

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.28.100.1  P-t-P:172.28.100.1  Mask:255.255.255.0
          inet6 addr: 2001:470:e2fc:100::1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

EKG


> On Jan 18, 2017, at 12:38 PM, Noel Kuntze  wrote:
> 
> On 18.01.2017 18:37, Varun Singh wrote:
>> Okay, so is 'not-creating-new-interfaces' a feature unique to
>> strongSwan or is it common for all VPN servers? Reason I am asking is,
>> may be I have misunderstood what the expert was saying. If not, I
>> should discuss this with him.
> Neither strongSwan, nor openvpn do that. I have never seen something like 
> that. 
> -- 
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> 




Re: [strongSwan] Question regarding site-to-site multiple tunnel setup.

2017-01-16 Thread Eric Germann
You could get creative with subnet masks in left/right subnet and group them 
and send 64 towards one, 64 towards the second, using their route tables on the 
200 machines.

EKG

> On Jan 16, 2017, at 3:29 PM, Scott Walker <scott.wal...@framestore.com> wrote:
> 
> Fast I know not a wonderful answer.
> 
> The more throughput we can get the better. Right now I am pushing 440-470 
> Mbit/s thru 1 tunnel. Ideally I'd like to get 3-4 tunnels up.
> 
> The other end of the tunnel is going to ~200 compute nodes pulling/pushing 
> data.
> 
> I'm just not sure on the specifics of multiple tunnels ummm bonded? (do you 
> even bond them?)
> 
> On 11 January 2017 at 20:55, Eric Germann <ekgerm...@semperen.com> wrote:
> What kind of throughput are you looking for?
> 
> AES-GCM with HW that supports AESNI, we routinely get 300+Mbps
> 
> EKG
> 
> > On Jan 11, 2017, at 4:48 PM, Scott Walker <scott.wal...@framestore.com> wrote:
> >
> > I'm looking to build an infra that is
> >
> >
> > local site -> remote site
> >
> > But using multiple tunnels in order to get the B/W I need. (plenty of 
> > servers at the remote end talking back so I want to be sure it's not all 
> > rammed down one tunnel).
> >
> > Most of the docs I'm finding revolve around this type of config but for VPC 
> > (AWS, GCE, etc).
> >
> > I do admit I'm a bit lost right now as to how I go about this approach.
> >
> > So if I have say 3-4 servers on local site and 3-4 servers on remote 
> > dedicated as VPN end points.
> >
> > Would I configure a 1-1 ratio? Create a mesh? How on local would I do 
> > routing? I'm not looking for HA this is for PURE speed reasons.
> >
> > I'm reading everything I can find but I'm still in the dark.


Re: [strongSwan] Question regarding site-to-site multiple tunnel setup.

2017-01-11 Thread Eric Germann
What kind of throughput are you looking for?

AES-GCM with HW that supports AESNI, we routinely get 300+Mbps

EKG

> On Jan 11, 2017, at 4:48 PM, Scott Walker  wrote:
> 
> I'm looking to build an infra that is
> 
> 
> local site -> remote site
> 
> But using multiple tunnels in order to get the B/W I need. (plenty of servers 
> at the remote end talking back so I want to be sure it's not all rammed down 
> one tunnel).
> 
> Most of the docs I'm finding revolve around this type of config but for VPC 
> (AWS, GCE, etc).
> 
> I do admit I'm a bit lost right now as to how I go about this approach.
> 
> So if I have say 3-4 servers on local site and 3-4 servers on remote 
> dedicated as VPN end points.
> 
> Would I configure a 1-1 ratio? Create a mesh? How on local would I do 
> routing? I'm not looking for HA this is for PURE speed reasons.
> 
> I'm reading everything I can find but I'm still in the dark. 


[strongSwan] Parallel crypto questions on Centos 7

2016-10-31 Thread Eric Germann
Hello all,

I’m working through trying to parallelize crypto as found in 
https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt 


Running Centos 7 HVM AMI in AWS supplied by the Centos project.

Linux ip-100-125-0-18.ec2.internal 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


The crypto I’m using is

ike = aes128gcm16-aes128gmac-prfsha256-ecp256!
esp = aes128gcm16-ecp256!


When I load the drivers:

modprobe pcrypt
modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3


I don’t see the expected messages in dmesg.

[ 7532.356768] tcrypt: one or more tests failed!

Further up in dmesg, I see:

[3.542310] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)

Questions:

1)  Are the messages benign (and the wiki a bit out of date for C7)?
2)  I don’t see a significant change in performance between the two hosts 
(shooting a 1GB file via nc over the link).  Should I or does it need to be 
loaded up with multiple flows going on to see an impact?

For reference, here’s the output of /proc/crypto


name : rfc4106(gcm(aes))
driver   : pcrypt(rfc4106-gcm-aesni)
module   : pcrypt
priority : 500
refcnt   : 1
selftest : passed
type : aead
async: yes
blocksize: 1
ivsize   : 8
maxauthsize  : 16
geniv: seqiv

name : __ctr-aes-aesni
driver   : cryptd(__driver-ctr-aes-aesni)
module   : cryptd
priority : 50
refcnt   : 1
selftest : passed
type : ablkcipher
async: yes
blocksize: 1
min keysize  : 16
max keysize  : 32
ivsize   : 16
geniv: 

name : ctr(aes)
driver   : ctr-aes-aesni
module   : kernel
priority : 400
refcnt   : 1
selftest : passed
type : givcipher
async: yes
blocksize: 1
min keysize  : 16
max keysize  : 32
ivsize   : 16
geniv: chainiv

name : __gcm-aes-aesni
driver   : cryptd(__driver-gcm-aes-aesni)
module   : cryptd
priority : 50
refcnt   : 14
selftest : passed
type : aead
async: yes
blocksize: 1
ivsize   : 0
maxauthsize  : 0
geniv: 

name : rfc4106(gcm(aes))
driver   : rfc4106-gcm-aesni
module   : kernel
priority : 400
refcnt   : 14
selftest : passed
type : aead
async: yes
blocksize: 1
ivsize   : 8
maxauthsize  : 16
geniv: seqiv

name : stdrng
driver   : drbg_nopr_hmac_sha256
module   : drbg
priority : 221
refcnt   : 2
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_hmac_sha512
module   : drbg
priority : 220
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_hmac_sha384
module   : drbg
priority : 219
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_hmac_sha1
module   : drbg
priority : 218
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_sha256
module   : drbg
priority : 217
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_sha512
module   : drbg
priority : 216
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_sha384
module   : drbg
priority : 215
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_sha1
module   : drbg
priority : 214
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_ctr_aes256
module   : drbg
priority : 213
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_ctr_aes192
module   : drbg
priority : 212
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_nopr_ctr_aes128
module   : drbg
priority : 211
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_pr_hmac_sha256
module   : drbg
priority : 210
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_pr_hmac_sha512
module   : drbg
priority : 209
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_pr_hmac_sha384
module   : drbg
priority : 208
refcnt   : 1
selftest : passed
type : rng
seedsize : 0

name : stdrng
driver   : drbg_pr_hmac_sha1
module   : drbg
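The /proc/crypto listing above is the evidence that matters for question 1: for a given algorithm name the kernel uses the registered implementation with the highest priority, and here pcrypt(rfc4106-gcm-aesni) at priority 500 outranks the native rfc4106-gcm-aesni at 400, so the pcrypt wrapper is the one ESP will hit for rfc4106(gcm(aes)). Whether the tcrypt self-test message is benign is a separate question the post leaves open. The following Python script is an added example, not from the post or from the strongSwan project: it parses a /proc/crypto listing and reports the winning driver per algorithm. The sample input is copied from the post; `load_proc_crypto` only assumes the reader runs it on a Linux host.

```python
"""Inspect /proc/crypto to see which driver the kernel will select for an algorithm.

Added example, not from the mailing-list post or the strongSwan project.  The
kernel picks, among all registered instances of one algorithm name, the one
with the highest 'priority' (and an implementation whose self-test failed is not
usable).  A pcrypt(...) wrapper therefore only takes effect when it outranks
the native driver, as the 500 vs 400 entries below show.
"""
from typing import Dict, List, Optional

# Sample copied from the /proc/crypto output in the post (three entries only).
SAMPLE_PROC_CRYPTO = """\
name : rfc4106(gcm(aes))
driver   : pcrypt(rfc4106-gcm-aesni)
module   : pcrypt
priority : 500
refcnt   : 1
selftest : passed
type : aead
async: yes
blocksize: 1
ivsize   : 8
maxauthsize  : 16
geniv: seqiv

name : rfc4106(gcm(aes))
driver   : rfc4106-gcm-aesni
module   : kernel
priority : 400
refcnt   : 14
selftest : passed
type : aead
async: yes
blocksize: 1
ivsize   : 8
maxauthsize  : 16
geniv: seqiv

name : ctr(aes)
driver   : ctr-aes-aesni
module   : kernel
priority : 400
refcnt   : 1
selftest : passed
type : givcipher
async: yes
blocksize: 1
min keysize  : 16
max keysize  : 32
ivsize   : 16
geniv: chainiv
"""


def parse_proc_crypto(text: str) -> List[Dict[str, str]]:
    """Split a /proc/crypto listing into one dict per registered instance.

    Entries are blank-line separated; each line is 'key : value' (the key may
    contain spaces, e.g. 'min keysize', and the value may be empty).
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def best_driver(entries: List[Dict[str, str]], name: str) -> Optional[Dict[str, str]]:
    """Return the instance the kernel would use for `name`: highest priority
    among those whose self-test passed, or None if none is registered."""
    usable = [e for e in entries
              if e.get("name") == name and e.get("selftest") == "passed"]
    if not usable:
        return None
    return max(usable, key=lambda e: int(e.get("priority", "0")))


def pcrypt_wins(entries: List[Dict[str, str]], name: str) -> bool:
    """True when the selected driver for `name` is a pcrypt(...) wrapper."""
    chosen = best_driver(entries, name)
    return chosen is not None and chosen["driver"].startswith("pcrypt(")


def load_proc_crypto(path: str = "/proc/crypto") -> List[Dict[str, str]]:
    """Read the live listing (assumes a Linux host)."""
    with open(path, encoding="ascii") as fh:
        return parse_proc_crypto(fh.read())


if __name__ == "__main__":
    parsed = parse_proc_crypto(SAMPLE_PROC_CRYPTO)
    for alg in ("rfc4106(gcm(aes))", "ctr(aes)"):
        chosen = best_driver(parsed, alg)
        print(f"{alg}: {chosen['driver']} (priority {chosen['priority']}), "
              f"pcrypt={pcrypt_wins(parsed, alg)}")
```

Run it against the live file with `best_driver(load_proc_crypto(), "rfc4106(gcm(aes))")` after loading pcrypt; if the winner is still the plain aesni driver, the wrapper was registered with too low a priority and no parallelisation is happening no matter how many flows are offered.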

Re: [strongSwan] Strongswan on public Amazon EC2 instance

2016-08-31 Thread Eric Germann
Are your encaps/decaps increasing for the SA when it’s up and you’re trying to 
ping?

We use a number of instances on AWS to connect to about everything under the 
sun that does IPSec.

Several notes:

- Put the AWS IPSec appliance on a public subnet with an IGW
- Associate an Elastic IP with the appliance instance.
- Make sure the Security Group associated with it permits udp/500 and udp/4500 
since they’re doing NAT and NAT-T
- on the AWS appliance in ipsec.conf make sure left = is the internal IP of the 
appliance.  Make sure leftid = the EIP associated with the instance.
- set right = to be the external IP of the Cisco appliance  
- leftsubnet = the internal subnet of the VPC (we set it to the supernet 
associated with the whole VPC)
- rightsubnet = what’s behind the Cisco
- make sure your Security Groups allow the remote subnets (from the Cisco side) 
to connect to things
- add routes to the remote Cisco networks to the routing table(s)
- manually or automatically (leftfirewall, rightfirewall = yes) get the 
iptables rules updated to forward.
- Forwarding needs to be on in /etc/sysctl.conf
- I usually bump up UDP send/receive buffers

Works for me.

EKG



> On Aug 31, 2016, at 4:40 PM, John Gathm  wrote:
> 
> Hi Strongswan User list
> 
> I am trying to do a fake "site to site" IPSec tunnel to a service provider.
> My instance of Strongswan in hosted on an Amazon EC2 instance, and I am 
> trying to reach a service on a server behind a Cisco VPN gateway
> 
> 
> I am trying to do the following thing (IP are fake)
> 
> 
> Amazon EC2 instance:
> 123.123.22.22/32  (dummy linux interface  local 
> subnet, only one ip for the instance, this is my leftsubnet
> private EC2 IP:
> 10.0.0.5
> 
> AWS NAT internet gateway EC2 IP
> 10.0.0.1
> public EC2 IP
> 81.98.242.23
> 
> 
> Cisco VPN public IP:
> 82.58.243.24
> Cisco Private IP:
> 192.168.0.1
> 
> Server to access
> 192.168.0.5 (righsubnet = 192.168.0.5/24 )
> 
> I manage to get the ipsec tunnel up and running (stable in "ipsec 
> statusall"), however I cannot get to reach 192.168.0.5 from my EC2 instance, 
> using interface 123.123.22.22
> 
> first question is 
> 1) is it possible to reach the remote server through the Strongswan IPSEC 
> gateway itself ?
> 2) does it require special routes& policies not added by Strongswan ?
> 3) would you recommend another setup than using a dummy interface ?
> 
> thanks for any hints
> 
> best  regards
> J.G




[strongSwan] Redundant ASA 5505's to single Strongswan 5.4.0

2016-05-18 Thread Eric Germann
Colleagues,

Running Strongswan 5.4.0 in AWS and have a customer who wants to terminate 
their VPN tunnel on a pair of ASA 5505’s running active/standby on two separate 
adjacent IP’s (two different datacenter in same city with redundant providers 
running BGP).

I’m trying to think this through on the Strongswan side of things.  Since the 
devices will mirror their configs (sans the external IP), the connection 
parameters should be the same.

If I do a range of IP’s for the “right” parameter, am I correct in 
understanding it will accept from either IP?

Obviously, their end which is active will be the initiator and we’ll answer 
appropriately, but if WE need to be the initiator, does Strongswan cycle 
through the range of IP’s specified in the right parameter to connect to them 
or does it randomly pick one to connect to?

Looking to swap experiences (even off list) with someone who has done something 
similar before.

Thanks in advance

EKG




[strongSwan] Filtering decap'd traffic on the strongswan GW

2016-04-18 Thread Eric Germann
I have a use case where we’re connecting a remote subnet to a strongswan 5.3.5 or 5.4.0 gateway running in AWS.  Because of the way the hosts are scattered amongst the VPC, we can’t group them in to a small block and advertise just that block (say a /28 worth of hosts out of the subnet).

What I would like to do is filter the remote network to the hosts we do want to allow access to in the AWS subnet at the gateway via iptables.  For example, remote network 192.168.10.0/24 is allowed access to 100.64.7.3 tcp port 3389.

I’m drawing a blank as to how to properly filter it using iptables.  There are FORWARDing rules in place installed by strongswan for ipsec for the two respective subnets.

Which chain, if any, would handle filtering the de-encapsulated traffic from the tunnel going out from the gateway to the left subnet?

Basically, we want to ACL the traffic coming across the tunnel at the GW.

Any thoughts or pointers appreciated.

Thanks

EKG

Re: [strongSwan] Hardware for 1gbp/s

2016-04-11 Thread Eric Germann
Hmm.

As a random datapoint, we routinely sustain 450Mbps+ on instances in Amazon 
using a Centos 6.7 image on a c3.large instance type

2 cores : CPU0: Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz stepping 04

4GB of RAM

We do NAT-T which pushes it to udp/4500 and we tweaked the buffers there.

Haven’t played too much more with it because that was sufficient for us, but 
you can sustain almost half a gig on a lightweight instance.

EKG

> On Apr 11, 2016, at 1:34 PM, Hose  wrote:
> 
> What you say...Fred (curious_fre...@gmsl.co.uk):
> 
>> 
>> What kind of hardware is required to maintain a point to point ipsec link
>> with 1gbp/s b/w with Strongswan at each end.
>> 
>> Are there any things/overheads to be aware of from the Strongswan side of
>> things? Performance degradation, lower throughput etc as a result of running
>> the actual crypto.
>> 
>> Fred.
> 
> Good luck with this. Unfortunately no one seems to have any concrete
> information (asked about this previously). My testing shows that there's
> a bottleneck somewhere between 200-300mb/s most likely in the kernel
> somewhere, as throwing more cores and attempting to parallelize it
> improves nothing. Those things may help with multiple IPsec tunnels, but
> a single tunnel doesn't show any improvement.
> 
> This was on Debian 8.3 with various kernels in there
> ranging from 3.2 to 3.16; a newer kernel may help, but that's just
> speculation.
> 
> hose




Re: [strongSwan] stongswan tunnel up but child subnets not pinging

2016-02-16 Thread Eric Germann
IP forwarding enabled in /etc/sysctl.conf

net.ipv4.ip_forward = 1


> On Feb 16, 2016, at 4:52 AM, christopher kamutumwa  
> wrote:
> 
> hello i managed to install strongswan and managed to establish a connection 
> to remote partner but child subnets are not pinging each other what could be 
> the problem? attached is ipsec.conf, statusall , iptables, routing table and 
> tail var/log/messages.
> 
> kindly advise why am not able to ping other side
> 
> Thanks
> 
> 




[strongSwan] Flapping tunnel and hundreds or queued QUICK_MODE tasks

2015-12-07 Thread Eric Germann
Hello all,

I’ve got a Strongswan 5.3.5 installation compiled from source installed on 
Centos 6.7 box connecting to a Cisco ASA which exhibits the following behavior.

On start it runs fine for an indeterminate period of time, then the tunnels 
begin to flap up and down.  Time could be several days to several weeks.

When running an ‘ipsec statusall’ it shows (truncated to remove tunnel configs):


Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-573.8.1.el6.x86_64, x86_64):
  uptime: 4 days, since Dec 02 21:19:31 2015
  malloc: sbrk 913408, mmap 0, used 545392, free 368016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 340
  loaded plugins: charon aesni aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  100.93.64.90

Security Associations (1 up, 0 connecting):
xxx-yyy-zzz-10-228-0-0-16[2621]: ESTABLISHED 29 seconds ago, 100.93.64.90[52.89.229.66]...166.108.248.1[166.108.248.1]
xxx-yyy-zzz-10-228-0-0-16[2621]: IKEv1 SPIs: 88c593b6b7148d7d_i* c11b33192527a0f2_r, pre-shared key reauthentication in 7 hours
xxx-yyy-zzz-10-228-0-0-16[2621]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
xxx-yyy-zzz-10-228-0-0-16[2621]: Tasks queued: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE …
xxx-yyy-zzz-10-228-0-0-16[2621]: Tasks active: QUICK_MODE
xxx-yyy-zzz-10-228-0-0-16[2621]: Tasks passive: QUICK_MODE QUICK_MODE QUICK_MODE


We updated to 5.3.5 hoping we’d fix this because when it’s showing this, we see 
in the logs

Dec  7 18:24:39 ip-100-93-64-90 charon: 07[ENC] invalid HASH_V1 payload length, decryption failed?
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[ENC] could not decrypt payloads
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[IKE] message parsing failed
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[ENC] generating INFORMATIONAL_V1 request 2524142361 [ HASH N(PLD_MAL) ]


It looked like the below resolved fix would resolve it, but I seem to be 
missing a piece.

https://wiki.strongswan.org/issues/1120 


Restarting ipsec doesn’t seem to fix it, only a reboot of the machine at this 
point, leading me to a resource exhaustion thought.

Any thoughts on what we can do to stabilize 
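The two symptoms in this post, a QUICK_MODE backlog on one SA in `ipsec statusall` and repeated `could not decrypt payloads` lines from charon, are both easy to watch for before the tunnel starts flapping. The Python below is an added example (not the poster's tooling and not part of strongSwan) that parses both outputs and raises findings when either count exceeds a threshold. The sample inputs are short constructed excerpts in the same format as the post's output; the thresholds `max_queued` and `max_failures` are this script's assumptions and should be tuned to the site.

```python
"""Health check for an IKEv1 tunnel: count queued QUICK_MODE tasks per SA in
'ipsec statusall' output and decryption failures in the charon log.

Added example, not from the post or from strongSwan.  It is a monitoring aid:
a handful of queued tasks during a rekey is normal, a steadily growing backlog
on one SA together with 'could not decrypt payloads' messages is the pattern
the post describes.  Thresholds are assumptions; tune them per site.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt in the format of the post's statusall output
# (12 queued tasks instead of the hundreds shown in the post).
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
xxx-yyy-zzz-10-228-0-0-16[2621]: ESTABLISHED 29 seconds ago, 100.93.64.90[52.89.229.66]...166.108.248.1[166.108.248.1]
xxx-yyy-zzz-10-228-0-0-16[2621]: IKEv1 SPIs: 88c593b6b7148d7d_i* c11b33192527a0f2_r, pre-shared key reauthentication in 7 hours
xxx-yyy-zzz-10-228-0-0-16[2621]: Tasks queued: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
xxx-yyy-zzz-10-228-0-0-16[2621]: Tasks active: QUICK_MODE
xxx-yyy-zzz-10-228-0-0-16[2621]: Tasks passive: QUICK_MODE QUICK_MODE QUICK_MODE
"""

# Constructed log excerpt; the first four lines mirror the post, the fifth is filler.
SAMPLE_LOG = """\
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[ENC] invalid HASH_V1 payload length, decryption failed?
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[ENC] could not decrypt payloads
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[IKE] message parsing failed
Dec  7 18:24:39 ip-100-93-64-90 charon: 07[ENC] generating INFORMATIONAL_V1 request 2524142361 [ HASH N(PLD_MAL) ]
Dec  7 18:24:40 ip-100-93-64-90 charon: 08[IKE] received DPD request
"""

# 'name[id]: Tasks queued: TASK TASK ...' as printed by 'ipsec statusall'.
TASK_LINE = re.compile(
    r"^(?P<sa>\S+\[\d+\]): Tasks (?P<kind>queued|active|passive): (?P<tasks>.*)$")
# The two ENC messages the post shows when incoming IKEv1 messages cannot be decrypted.
DECRYPT_FAIL = re.compile(
    r"charon: \d+\[ENC\] (could not decrypt payloads|invalid HASH_V1 payload length)")


def queued_tasks(statusall: str) -> Dict[str, Counter]:
    """Map each SA ('name[id]') to a Counter of its queued task types."""
    result: Dict[str, Counter] = {}
    for line in statusall.splitlines():
        m = TASK_LINE.match(line)
        if m and m.group("kind") == "queued":
            result.setdefault(m.group("sa"), Counter()).update(m.group("tasks").split())
    return result


def decrypt_failures(log: str) -> int:
    """Number of log lines reporting an undecryptable IKEv1 message."""
    return sum(1 for line in log.splitlines() if DECRYPT_FAIL.search(line))


def diagnose(statusall: str, log: str, max_queued: int = 10,
             max_failures: int = 1) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for sa, tasks in queued_tasks(statusall).items():
        n = tasks.get("QUICK_MODE", 0)
        if n > max_queued:
            findings.append(f"{sa}: {n} QUICK_MODE tasks queued (limit {max_queued})")
    failures = decrypt_failures(log)
    if failures > max_failures:
        findings.append(f"{failures} decryption failures in log (limit {max_failures})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUSALL, SAMPLE_LOG):
        print("WARN", finding)
```

In production feed it `ipsec statusall` output and the last few minutes of the charon log (for example from a cron job); a finding is the moment to capture `ipsec statusall` and the log in full, before the restart that clears the state and the evidence with it.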

Re: [strongSwan] net2net with nat example

2015-07-08 Thread Eric Germann
This worked for me:  This end is in Amazon in a VPC with NAT-T.  Other end is a 
Cisco ASA.  IP’s are examples and sanitized, but you’ll get the idea.

ipsec.conf
conn vpc-customerXXX
    left            = 172.16.1.1
    leftsubnet      = 172.16.1.0/24
    leftfirewall    = yes
    leftauth        = psk
    leftid          = 100.1.1.1

    right           = 100.2.2.2
    rightsubnet     = 192.168.1.0/24
    rightauth       = psk
    rightfirewall   = yes

    closeaction     = restart
    auto            = route
    fragmentation   = yes
    keyexchange     = ikev1
    reauth          = yes
    forceencaps     = yes
    rekey           = yes
    installpolicy   = yes
    type            = tunnel
    dpdaction       = restart
    dpddelay        = 10s
    dpdtimeout      = 60s
    auto            = route
    ikelifetime     = 3600s
    lifetime        = 3600s
    ike             = aes256-sha1-modp1536!
    esp             = aes256-sha1-modp1024!
    aggressive      = no

ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA myKey.der

172.16.1.1 : PSK "abcd"
100.2.2.2  : PSK "abcd"



Left is you, right is them.

They connect with your “leftid”.  When I connect to another Strongswan 
instance, I put in the ‘rightid' the same as ‘right’.  On the other end, just 
invert the stanzas is it’s Strongswan and that is behind NAT (i.e. Amazon 
region to region using Strongswan).

Secrets need to reference your left (internal IP) and their right (external IP).

May be redundant, or have some overkill, but it works and is rock solid.

EKG



> On Jul 8, 2015, at 5:28 PM, Colin Burrows colinburrow...@gmail.com wrote:
> 
> hi
> 
> i've been looking at https://www.strongswan.org/testresults.html in order to try to find an 
> example of a net2net setup where one device is behind a nat. i intend to use 
> such a setup and was hoping for something i could copy but i did not find any 
> examples.
> 
> could you kindly send me a link to such an example if one is available.
> 
> thanks
> 
> colin



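The checklist in the "Strongswan on public Amazon EC2 instance" reply above (left = private address, leftid = the public address the peer sees, subnets on both sides, leftfirewall/rightfirewall for the forwarding rules, secrets referencing both peers) and the working net2net-with-NAT config in this post describe the same shape of configuration. The Python below is an added example, not the poster's tooling and not a strongSwan utility: it parses a `conn` stanza and the PSK lines of `ipsec.secrets` and reports anything that departs from that checklist. The sample input is the sanitized config from this post; the individual checks and their wording are this script's assumptions, and the parser is deliberately lenient (it accepts unindented parameters, which the real ipsec.conf parser does not) so pasted configs can be linted as-is.

```python
"""Lint an ipsec.conf 'conn' stanza and its ipsec.secrets against the NAT-T
site-to-site checklist from the posts above.

Added example, not from the posts or from strongSwan.  Findings are advisory:
each check maps to one item of the checklist, plus one crypto hygiene rule
(MODP-1024 is widely considered too weak for new deployments).
"""
import re
from typing import Dict, List

# Sample copied from the net2net post (only the keys the checks look at).
SAMPLE_IPSEC_CONF = """\
conn vpc-customerXXX
    left            = 172.16.1.1
    leftsubnet      = 172.16.1.0/24
    leftfirewall    = yes
    leftauth        = psk
    leftid          = 100.1.1.1
    right           = 100.2.2.2
    rightsubnet     = 192.168.1.0/24
    rightauth       = psk
    rightfirewall   = yes
    keyexchange     = ikev1
    forceencaps     = yes
    ike             = aes256-sha1-modp1536!
    esp             = aes256-sha1-modp1024!
    aggressive      = no
"""

SAMPLE_SECRETS = """\
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA myKey.der
172.16.1.1 : PSK "abcd"
100.2.2.2  : PSK "abcd"
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn name: {key: value}}; comments and blank lines are ignored."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns


def psk_selectors(text: str) -> List[str]:
    """Every selector (ID or address) that appears on a PSK line of ipsec.secrets."""
    selectors: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(.*?):\s*PSK\s+", line)
        if m:
            selectors.extend(m.group(1).split())
    return selectors


def lint_conn(conn: Dict[str, str], secrets_selectors: List[str]) -> List[str]:
    """Apply the checklist to one conn; returns a list of findings (empty = clean)."""
    findings: List[str] = []
    for key in ("left", "leftid", "leftsubnet", "right", "rightsubnet"):
        if key not in conn:
            findings.append(f"missing {key}")
    # Behind NAT the peer authenticates the public address, so leftid must differ from left.
    if conn.get("forceencaps") == "yes" and conn.get("left") == conn.get("leftid"):
        findings.append("behind NAT (forceencaps=yes) but leftid equals left; set leftid to the public address")
    for side in ("left", "right"):
        if conn.get(f"{side}firewall") != "yes":
            findings.append(f"{side}firewall is not yes; iptables FORWARD rules must be added manually")
    # IKEv1 aggressive mode with a PSK exposes the PSK hash to offline guessing.
    if conn.get("keyexchange") == "ikev1" and conn.get("aggressive", "no") == "yes":
        findings.append("IKEv1 aggressive mode with PSK is exposed to offline PSK guessing; keep aggressive = no")
    if conn.get("leftauth") == "psk":
        local = {conn.get("leftid"), conn.get("left")} - {None}
        peer = {conn.get("rightid"), conn.get("right")} - {None}
        if not local & set(secrets_selectors):
            findings.append("no PSK entry in ipsec.secrets matches left/leftid")
        if not peer & set(secrets_selectors):
            findings.append("no PSK entry in ipsec.secrets matches right/rightid")
    for key in ("ike", "esp"):
        if "modp1024" in conn.get(key, ""):
            findings.append(f"{key} proposal uses modp1024; prefer modp2048 or an ECP group")
    return findings


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_IPSEC_CONF).items():
        for finding in lint_conn(conn, psk_selectors(SAMPLE_SECRETS)):
            print(f"{name}: {finding}")
```

On the sample config the only finding is the MODP-1024 group in the ESP proposal, which the peer's ASA may well require; the point of the lint is that such departures are explicit and reviewed rather than discovered when the tunnel fails to come up after a config copy.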