Re: [strongSwan] How do I setup IPsec VPN server/gateway using StrongSwan?

2022-05-06 Thread bls s
Also, if you’re using an APT-based system (Debian, Ubuntu, etc.), have a look at 
https://github.com/gitbls/pistrong, which simplifies installation and 
management of strongSwan with Cert-based authentication.

Videos at:

Install a strongSwan site-to-site VPN: 
https://www.youtube.com/watch?v=mUitM2JeKRc
Install strongSwan for incoming Client connections:  
https://www.youtube.com/watch?v=gDvglvgtYzY

From: Users On Behalf Of Ettore Tagarelli
Sent: Friday, May 6, 2022 9:16 AM
To: users@lists.strongswan.org
Subject: [strongSwan] How do I setup IPsec VPN server/gateway using StrongSwan?

This is the right place to start with:
https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation
bye


Re: [strongSwan] Replacing Racoon2 with strongswan

2021-07-28 Thread bls s
Here's what I use. Definitely works with ikev2 without --enable-ikev2. Can't 
speak to ikev1. I use it with certificate-based authentication.

./configure --prefix= --enable-eap-mschapv2 --enable-eap-identity 
--enable-openssl --enable-eap-md5 --enable-eap-tls --enable-eap-dynamic 
--enable-systemd --enable-swanctl --disable-charon --disable-stroke 
--disable-scepclient --enable-counters

From: Users On Behalf Of Paramashivaiah, Sunil
Sent: Tuesday, July 20, 2021 4:53 AM
To: users@lists.strongswan.org
Cc: Bhattacharjee, Debapriyo (c); Shivakumar Poojari
Subject: Re: [strongSwan] Replacing Racoon2 with strongswan

Hi All,

  If we configure strongswan using the below options, will it be 
sufficient to use it for Ikev1 and Ikev2?
  Please let me know if we need to add any more plugins like 
--enable-libipsec --enable-kernel-libipsec.

   ./configure --prefix=/usr --sysconfdir=/etc --enable-charon  
--enable-swanctl --enable-ikev2 --enable-ikev1 --enable-acert --enable-openssl

 Also, by default, will there be any plugins that are enabled? Do we 
need to disable any plugins? Please suggest.

Thanks and Regards,
Sunil

From: Paramashivaiah, Sunil
Sent: Tuesday, July 20, 2021 1:47 PM
To: users@lists.strongswan.org
Cc: Shivakumar Poojari; Bhattacharjee, Debapriyo (c)
Subject: Replacing Racoon2 with strongswan

Hi All,

   We are planning to replace racoon2 with strongswan in our product for 
IPsec Ikev1 and Ikev2 functionality.
   We are trying to build strongswan on debian10 Linux and we find that 
there are a lot of optional plugins available.
   Could anyone please guide us with the required set of plugins that we need 
to use to build strongswan for Ikev1 and Ikev2
   functionality?

Thanks and Regards,
Sunil




Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed" ????

2021-04-26 Thread bls s
I use nearly the same. Here’s the complete connection definition for iOS as 
generated by my pistrong strongSwan management tool:

ios-pubkey-ikev2 {
    version = 2
    proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
    rekey_time = 0s
    pools = primary-pool-ipv4
    fragmentation = no
    dpd_delay = 30s
    send_cert = always

    local-1 {
        auth = pubkey
        cacerts = strongSwanCACert.pem
        certs = ios-strongSwanVPNCert.pem
        id = ios.crystix.com
    }

    remote-1 {
        auth = eap-tls
        id = %any
    }

    children {
        net-ios {
            local_ts = 0.0.0.0/0
            rekey_time = 0s
            dpd_action = clear
            esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
        }
    }
}

primary-pool-ipv4 {
    addrs = 10.92.10.0/24
    dns = 192.168.92.3
}
From: Users On Behalf Of Jafar Al-Gharaibeh
Sent: Monday, April 26, 2021 8:21 AM
To: pLAN9 Administrator; users@lists.strongswan.org
Subject: Re: [strongSwan] Strongswan IKEv2 certificates - "user authentication failed"


Try the following for "remote":

remote {
auth = eap-tls
eap_id = %any
}

--Jafar


On 4/24/21 10:33 PM, pLAN9 Administrator wrote:

I am trying to set up Strongswan to act as a remote access server for an 
iPhone using IKEv2 certificate auth. It is a major headache!

I have made sure to set the SAN in both the server and phone certificate. Here 
is the server SAN:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:echo.pLAN9.co
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

Here is the phone SAN:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:pLAN9-iPhone.pLAN9.co
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

Here is /etc/swanctl/swanctl.conf

connections {
    RA {
        local_addrs = %any
        local {
            auth = pubkey
            certs = ECHO.crt
            id = @echo.pLAN9.co
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256
            }
        }
        version = 2
        proposals = aes256-sha256-modp2048
        send_certreq = no
        pools = pool
    }
}
pools {
    pool {
        addrs = 172.16.16.64/29
        dns = 172.16.16.1
    }
}



Here is the output of a connection:



01[NET] received packet: from IPHONE_IP[9975] to STRONGSWAN_IP[500] (604 bytes)
01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) 
N(NATD_D_IP) N(FRAG_SUP) ]
01[IKE] IPHONE_IP is initiating an IKE_SA
01[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
01[IKE] remote host is behind NAT
01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
01[NET] sending packet: from STRONGSWAN_IP[500] to IPHONE_IP[9975] (456 bytes)
10[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
13[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
10[ENC] received fragment #1 of 4, waiting for complete IKE message
13[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
13[ENC] received fragment #2 of 4, waiting for complete IKE message
14[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (532 bytes)
14[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
01[NET] received packet: from IPHONE_IP[9959] to STRONGSWAN_IP[4500] (180 bytes)
14[ENC] received fragment #3 of 4, waiting for complete IKE message
01[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
01[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1552 
bytes)
01[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR 
MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA 
TSi TSr N(MOBIKE_SUP) ]
01[IKE] received end entity cert "CN=pLAN9-iPhone"
01[CFG] looking for peer configs matching 
STRONGSWAN_IP[echo.plan9.co]...IPHONE_IP[pLAn9-iPhone.pLAN9.co]
01[CFG] selected peer config 'RA'

Re: [strongSwan] Windows 10 IKEv2 VPN Not Connecting

2020-11-28 Thread bls s
Another resource for information on installing strongSwan certs on Windows, 
besides https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs is 
https://github.com/gitbls/pistrong/blob/master/CertInstall.md. Although 
slightly discussed in the context of pistrong, it explicitly details how to 
properly install Certs on Windows 10.

From: Karl Denninger
Sent: Tuesday, November 3, 2020 9:27 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Windows 10 IKEv2 VPN Not Connecting


This works with a user certificate here -- make SURE Windows put the 
certificate in the correct store.  The StrongSwan Wiki has instructions; if it 
goes in the wrong certificate store Windows will not find it and you'll get 
exactly what you're seeing.

https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs

The other thing is that for Win10 you have to go into the NETWORK panel (NOT 
the Windows 10 network panel, the old control panel one) and drill down into 
the connection and set the default gateway on the remote network or you will 
get split routing and only the subnet that you get back from the server will go 
over the VPN.

This is the stanza that I have in my ipsec.conf for Windows clients:

conn WinUserCert
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=ipgw-rsa.denninger.net.crt
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.2.0/24
    rightauth=eap-tls
    eap_identity=%identity
    auto=add
    dpdaction=clear
    dpddelay=300s
    ike=aes256-sha2_256-prfsha256-modp1024

This gives the client machine an address out of 192.168.2.x/24; note that 
"rightauth" has to be set to eap-tls for Windows clients.

There was a long-standing problem with IKE fragmentation in the internal 
Windows client that used to bedevil me beyond words that would often prevent 
connections from coming up at all but it has been fixed now for about a year 
provided you have a reasonably-recent Win10 version.

I put this stanza first in the configuration since EAP-TLS isn't something 
anything else that connects to my gateway (Macs, Unix Machines, iOS and Android 
phones) will ask for and this way I'm sure Windows will get it first (Windows 
is a bit odd.)
On 11/3/2020 11:59, Mike Hill wrote:
Hi all,

I’m trying to get Windows 10 clients connecting to our StrongSwan server with 
machine certificates (only), but I’m hitting a roadblock with the following 
error:

“Verifying username and password...IKE failed to find valid machine 
certificate. Contact your Network Security Administrator about installing a 
valid certificate in the appropriate Certificate Store.”

Error in Windows Event Viewer is 13806, which appears to be pretty common, but 
despite looking at various sources, I cannot make it work.

We’re using a PKI-as-a-service (SecureW2) for our certs and have placed 
intermediate and root CA certs into /etc/ipsec.d/cacerts, along with StrongSwan 
server’s cert in /etc/ipsec.d/certs and its private key in 
/etc/ipsec.d/private/. Server device cert has Server and Client authentication 
set for EKU and hostname.domain.com for CN and SAN.

The Windows test device has its own cert in the machine store, along with CA 
intermediate and root certs in the appropriate cert stores. VPN connection is 
configured with PowerShell, and MachineCertificate set as authentication method 
and VPN address is hostname.domain.com which matches CN on StrongSwan device 
cert. Machine cert is hostname.domain.com for CN and SAN and has Client 
Authentication set for EKU.

Events from /var/log/syslog:


Nov  3 16:40:18 swan charon: 07[NET] received packet: from XXX.XXX.XXX.XXX[500] 
to XXX.XXX.XXX.XXX [500] (344 bytes)
Nov  3 16:40:18 swan charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  3 16:40:18 swan charon: 07[CFG] looking for an ike config for 
XXX.XXX.XXX.XXX... XXX.XXX.XXX.XXX
Nov  3 16:40:18 swan charon: 07[CFG]   candidate: %any...%any, prio 28
Nov  3 16:40:18 swan charon: 07[CFG] found matching ike config: %any...%any 
with prio 28
Nov  3 16:40:18 swan charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Nov  3 16:40:18 swan charon: 07[IKE] received MS-Negotiation Discovery Capable 
vendor ID
Nov  3 16:40:18 swan charon: 07[IKE] received Vid-Initial-Contact vendor ID
Nov  3 16:40:18 swan charon: 07[ENC] received unknown vendor ID: 
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Nov  3 16:40:18 swan charon: 07[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Nov  3 16:40:18 swan charon: 07[IKE] IKE_SA (unnamed)[7] state change: CREATED 
=> CONNECTING
Nov  3 16:40:18 swan charon: 07[CFG] selecting proposal:
Nov  3 16:40:18 swan charon: 07[CFG]   proposal matches
Nov  3 16:40:18 swan charon: 07[CFG] received proposals: 
IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Nov  3 16:40:18 swan charon: 07[CFG] configured proposals: 
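The iOS connection definition posted earlier on this page (aes256-sha1-modp1024 and modp1536 in both its IKE and ESP proposals) and Karl's ipsec.conf stanza above (ike=aes256-sha2_256-prfsha256-modp1024) both still offer 1024-bit MODP and SHA-1. The script below is an added example, not code from either thread, from strongSwan or from pistrong: it scans either swanctl.conf `proposals`/`esp_proposals` lines or ipsec.conf `ike=`/`esp=` lines and reports transforms that current IKEv2 guidance (RFC 8247) has downgraded or deprecated: MODP groups below 2048 bits, SHA-1 and MD5 integrity or PRF, DES/3DES and NULL encryption. The sample text is constructed from the two configurations quoted in these threads; the thresholds are this example's own policy, and the `default` keyword is passed through unexamined because it expands to whatever the running charon was built with.

```python
"""Flag legacy transforms in strongSwan proposal strings.

Added example; it is not part of this thread, of strongSwan or of pistrong.
It scans swanctl.conf style (`proposals = ...`, `esp_proposals = ...`) or
ipsec.conf style (`ike=...`, `esp=...`) lines and reports transforms that
RFC 8247 has downgraded or deprecated. The thresholds are this example's own.
"""
import re

# Matches both "proposals = a,b" (swanctl.conf) and "ike=a,b!" (ipsec.conf).
PROPOSAL_LINE = re.compile(
    r"^\s*(?P<key>proposals|esp_proposals|ah_proposals|ike|esp|ah)\s*=\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)
LEGACY_CIPHERS = {"des", "3des", "null"}
LEGACY_HASHES = {"md5", "sha1", "prfmd5", "prfsha1"}


def check_proposal(proposal: str) -> list[str]:
    """Return one finding per weak transform in a proposal like 'aes256-sha1-modp1024'."""
    findings = []
    # ipsec.conf marks a strict proposal list with a trailing '!'; it is not a transform.
    for token in proposal.strip().rstrip("!").lower().split("-"):
        if token in LEGACY_CIPHERS:
            findings.append(f"{token}: legacy or null encryption")
        elif token in LEGACY_HASHES or token.startswith(("sha1_", "md5_")):
            findings.append(f"{token}: SHA-1/MD5 integrity or PRF")
        else:
            # modp1024, modp1536, modp1024s160 ... anything under 2048 bits is flagged.
            m = re.fullmatch(r"modp(\d+)(s\d+)?", token)
            if m and int(m.group(1)) < 2048:
                findings.append(f"{token}: MODP group below 2048 bits")
    return findings


def lint_config(text: str) -> list[tuple[int, str, str]]:
    """Scan config text; return (line number, setting name, finding) tuples."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PROPOSAL_LINE.match(line.split("#", 1)[0])
        if not m:
            continue
        for proposal in m.group("value").split(","):
            for finding in check_proposal(proposal):
                results.append((no, m.group("key").lower(), finding))
    return results


# Constructed sample: the proposal lines from the iOS connection and the
# Windows ipsec.conf stanza quoted in these threads, joined into one text.
SAMPLE = """\
# swanctl.conf (iOS connection)
proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,aes128-sha1-modp1536,aes128-sha256-modp1536,aes128-sha256-modp2048,default
esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
# ipsec.conf (Windows stanza)
ike=aes256-sha2_256-prfsha256-modp1024
esp=aes128gcm16-x25519!
"""

if __name__ == "__main__":
    for no, key, finding in lint_config(SAMPLE):
        print(f"line {no} {key}: {finding}")
```

Run against the sample it reports eight findings: five on the swanctl `proposals` line, two on `esp_proposals` and one on the `ike=` line; the AEAD `esp=` line is clean. Anything the script flags should be removed from the list rather than merely moved behind stronger entries, since a peer that only offers the weak transform will still negotiate it.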

Re: [strongSwan] initiate from both sides

2020-11-13 Thread bls s
I can’t speak to “support”, but it definitely works. See 
https://github.com/gitbls/pistrong. The makeTunnel script can build this.



From: Christoph Harder
Sent: Friday, November 13, 2020 12:08 AM
To: users@lists.strongswan.org
Subject: [strongSwan] initiate from both sides

Hello everyone,

I'm using Strongswan on FreeBSD and wanted to ask if it is possible to have a 
tunnel initiated by both sides?
Currently I have one side which uses start/restart/start for the start/dpd/stop 
actions and one side that uses trap/trap/trap.
However since I have dynamic ips on both sides, I'm relying on dynamic dns to 
find the other host. But propagation of the new address takes a while, which 
results in delays after the ip of the responder changes.
If both sides would be initiating/reinitiating the tunnels, the problem would 
be solved because if one side can't initiate the tunnel, due to dns propagation 
delays the other side would be able to connect. (Well, unless both sides get 
new ips at the same time.)
Is this kind of configuration supported?

Best regards,
Christoph



[strongSwan] Build a complete strongSwan configuration in 30 minutes!

2020-01-18 Thread bls s
[Posting this for others who may be interested in getting started with 
strongSwan with a near-zero learning curve]

Looking for a quick and easy way to set up a strongSwan VPN for testing, 
proof-of-concepts, etc? pistrong may be what you need. It's not a solution for 
corporate VPN implementations, or for many of the complex configurations that 
people write about on this DL, but some potential strongSwan users may find 
this to be an attractive way to get started with strongSwan.

pistrong WILL make the simple Roadwarrior and site-to-site VPN configuration 
(with strongSwan on both ends) trivial.

pistrong is a command-line management tool for strongSwan. It is:

* Easy to Install - A separate Install script installs strongSwan and required 
Python modules if needed. Zero to connected Client in way less than an hour.

* Easy to Configure - A Certificate Authority supporting iOS, Windows, and 
Linux Clients can be built in just a few minutes. (NOTE: MacOS and Android 
devices both work with strongSwan. I don't mention them here since I don't have 
any to use for testing. Any volunteers to help test and document MacOS and 
Android?)

* Easy to be Secure - Easy to configure, implement, and manage secure 
certificate-based authentication

* Easy to Use - Standard command line parsing with lots of help and complete 
documentation

* Easy to Install Certs onto Client Devices

  * pistrong can send email with links to the cert files, or you can get them 
via a file transfer mechanism (samba, ftp, rsync, USB stick, etc).
  * Simple and fully documented client Cert installation for iOS, Linux, and 
Windows systems
  * pistrong Linux VPN Cert Packs are easy to create and install on a Linux 
Client VPN system
  * Flexible but prescriptive naming conventions minimize frustration and 
maximize sanity retention and success

Creating a Cert for a new device is super-simple:

  vpnserver/usr/local/bin# pistrong add bls --dev ipad --remoteid 
ios.mydomain.net --mail b...@mydomain.net
  % Copying '/etc/swanctl/p12/bls-ipad-vpnserver.p12' to 
'/var/www/html/vpn/bls-ipad-vpnserver.p12'
  % Copying '/etc/swanctl/x509ca/strongSwanCACert.pem' to 
'/var/www/html/vpn/strongSwanCACert.pem'
  % Mail sent to b...@mydomain.net
  % Added bls-ipad with Remote ID 'ios.mydomain.net' using CA Cert strongSwan

And here's the email content that was sent:

  Root CA cert: 
http://vpnserver.mydomain.net/vpn/strongSwanCACert.pem
  Your device certificate:  
http://vpnserver.mydomain.net/vpn/bls-ipad-vpnserver.p12

  iOS devices: Browse the links to install both certificates (Install CA Cert 
first).
Then create a new IKEV2 VPN connection using the iOS profile 
bls-ipad-vpnser...@myvpn.net
and this information:
  Server:vpnserver.mydomain.net
  Remote ID: ios.mydomain.net
  Local ID:  bls-ipad-vpnser...@myvpn.net
And select the newly-installed device certificate.

  Other devices: See the CertInstall.md guide at 
https://github.com/gitbls/pistrong
  for details on importing the certificate onto your device and creating the 
VPN configuration

  The password for this certificate is in a separate email message

To be clear, the password referred to is the password required to install the 
Certificate. Once the Cert is successfully installed onto the device, no 
further password is needed to use the VPN.

In the interest of full disclosure, pistrong has a couple of shortcomings:

* Although I tried, I couldn't completely eliminate ALL config file editing. A 
minimal bit of config file editing is necessary to set up the required firewall 
rules. Linux firewall configuration can be done in many ways, so the Installer 
doesn't try to divine how your system firewall is configured. But it does build 
a file with the rules, making it more-or-less a cut-and-paste edit.

* No GUI. If you've typed any commands at the Linux command line, you'll likely 
be successful in implementing a strongSwan/pistrong VPN. A robust command line 
simplifies scripting, for instance, batch building Certs for many users.

* Minimal connection monitoring/management. I've been focusing on building 
robust and secure connections, and relying on the system journal/log for 
monitoring. fail2ban can be used to monitor and block failed connection 
attempts and alert on successful connections. I will share my fail2ban 
configuration additions if there's interest.

* Many distros don't carry the correct version of strongSwan. The Install 
script will install strongSwan from source (which is where most of the Install 
time is spent). The installer takes about 10 minutes to build and install 
strongSwan on a Raspberry Pi4. If the correct version of strongSwan is already 
installed, you don't need to reinstall it.

* Your router still needs to be configured to forward UDP ports 500 and 4500 to 
your VPN server.

* If using an external IP address instead of a DNS name to access the VPN and 
the external IP address changes, all the 

Re: [strongSwan] initiate failed: missing configuration name

2019-11-15 Thread bls s
We could guess, but it would be very helpful if you’d post your swanctl.conf 
and the complete swanctl --initiate command that you’re using.

From: Peter Wit
Sent: Friday, November 15, 2019 1:27 AM
To: users@lists.strongswan.org
Subject: [strongSwan] initiate failed: missing configuration name

Hi,

I've set up an IKEv2 PSK configuration in /etc/swanctl/swanctl.conf and loaded 
the connection successfully. But when running the command "sudo swanctl 
--initiate", the error message "initiate failed: missing configuration name" is 
displayed. What do I need to provide?

Regards,
Peter


Re: [strongSwan] updown on client side not called strongSwan 5.8.1

2019-09-09 Thread bls s
Slaps forehead, says "Doh! Thank you for saving my sanity, Tobias!" 


From: Tobias Brunner
Sent: Monday, September 9, 2019 12:59 AM
To: bls s; users@lists.strongswan.org
Subject: Re: [strongSwan] updown on client side not called strongSwan 5.8.1
 
Hi,

> And here's the Client connection from the client's /etc/swanctl/swanctl.conf
> ...
>         children {
>             theclient-theserver {
>                 ikev2-pubkey {

You see your mistake?

Regards,
Tobias



Re: [strongSwan] updown on client side not called strongSwan 5.8.1

2019-09-07 Thread bls s
Forgot the logs.

Client log:   https://pastebin.com/Lb0ZsrC4 
Server log:  https://pastebin.com/x3uHLnLV


From: Users on behalf of bls s
Sent: Saturday, September 7, 2019 5:22 PM
To: users@lists.strongswan.org 
Subject: [strongSwan] updown on client side not called strongSwan 5.8.1

I'm trying to set up a Linux roadwarrior client on Raspbian Buster (strongSwan 
5.8.1) connecting to a Raspbian Buster server
(strongSwan 5.8.0) using /etc/swanctl.conf. strongSwan was built from source on 
both systems. The client is connected to the network via my phone hotspot to 
test an outside-the-firewall connection.

When I swanctl --initiate theclient-theserver --child theclient-theserver the 
connection and the child (from the client), the VPN
connection and child connection appear to be established.

iptables seems to be set up correctly on the server, but there are no iptables 
entries added on the client.

I added a 'printenv >> /tmp/updown.log' to /libexec/ipsec/_updown on both ends. 
The printenv output is logged on the server side, but the client side never 
calls the updown script. There are no iptables entries made for the connection, 
and of course, no traffic is passed over the VPN.

I'm stumped as to why my updown script isn't called. Any thoughts?

Thanks!

Here's the Server connection from the server's /etc/swanctl/swanctl.conf

    ikev2-pubkey-linux {
        version = 2
        proposals = 
aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
             auth = pubkey
             cacerts = strongSwanCACert.pem
             certs = linux-strongSwanVPNCert.pem
             id = linux.domain.com
        }
        remote-1 {
             auth = pubkey
        }
        children {
            ikev2-pubkey {
                local_ts  = 0.0.0.0/0
                updown = /libexec/ipsec/_updown iptables
            }
        }
    }

And here's the Client connection from the client's /etc/swanctl/swanctl.conf

    theclient-theserver {
        version = 2
        local_addrs  = %any
        remote_addrs = theserver.domain.com
        vips = 0.0.0.0
        mobike = no
        reauth_time = 10800

        local-1 {
            auth = pubkey
            certs = theclient-pi-theserverCert.pem
            id = theclient-pi-theser...@myvpn.net
        }
        remote-1 {
            id = linux.domain.com
        }
        children {
            theclient-theserver {
                ikev2-pubkey {
                    remote_ts = 0.0.0.0/0
                    updown = /libexec/ipsec/_updown iptables
                    esp_proposals = aes128gcm128-x25519
                }
            }
        }
    }

From the server:

theserver/libexec/ipsec# swanctl --list-sas
ikev2-pubkey-linux: #2, ESTABLISHED, IKEv2, 087489bd226c45e3_i 
43a903a639bf6081_r*
  local  'linux.domain.com' @ 192.168.92.3[4500]
  remote 'theclient-pi-theser...@myvpn.net' @ my.phone.ip.address[54007] 
[10.92.10.1]
  AES_GCM_16-192/PRF_HMAC_SHA2_256/ECP_256
  established 990s ago
  ikev2-pubkey: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, 
ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 990s ago, rekeying in 2373s, expires in 2970s
    in  c638a5f3,      0 bytes,     0 packets
    out c6a7423c,      0 bytes,     0 packets
    local  my.external.ip.address/32
    remote 10.92.10.1/32

From the client:

theclient/etc/swanctl# swanctl --list-sas
theclient-theserver: #2, ESTABLISHED, IKEv2, 087489bd226c45e3_i* 
43a903a639bf6081_r
  local  'theclient-pi-theser...@myvpn.net' @ 172.20.10.6[4500] [10.92.10.1]
  remote 'linux.domain.com' @ my.external.ip.address[4500]
  AES_GCM_16-192/PRF_HMAC_SHA2_256/ECP_256
  established 1034s ago, reauth in 9763s
  theclient-theserver: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, 
ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 1034s ago, rekeying in 2409s, expires in 2926s
    in  c6a7423c,      0 bytes,     0 packets
    out c638a5f3,      0 bytes,     0 packets
    local  10.92.10.1/32
    remote my.external.ip.address/32
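Tobias's hint in the reply above points at the client's child block: `children { theclient-theserver { ikev2-pubkey { ... } } }` nests a second section inside the child, so the child named theclient-theserver is loaded with no settings of its own, and remote_ts, updown and esp_proposals sit in a section swanctl never reads. That is consistent with the swanctl --list-sas output above: the installed child has /32 traffic selectors on both ends and a CBC/HMAC ESP proposal rather than the configured aes128gcm128-x25519, and the updown script is never run. The script below is an added example, not part of the thread or of strongSwan or pistrong; it parses the subset of swanctl.conf syntax used in these posts, reports any child section that contains a nested section, and produces the corrected layout. The configuration it parses is constructed to mirror the client connection quoted above, with placeholder host, identity and certificate names.

```python
"""Validate children nesting in a swanctl.conf-style configuration.

Added example; not part of this thread, of strongSwan or of pistrong. The
parser covers the subset of strongswan.conf syntax used in the posts
(`name { ... }` sections, `key = value` settings, `#` comments); it does not
implement `include` or multi-line values.
"""
import copy
import re

SECTION_OPEN = re.compile(r"^([\w.@-]+)\s*\{$")
SETTING = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse(text: str) -> dict:
    """Nested dicts: sections become dicts, settings become strings."""
    root: dict = {}
    stack = [root]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {no}: unmatched '}}'")
            stack.pop()
        elif m := SECTION_OPEN.match(line):
            section: dict = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
        elif m := SETTING.match(line):
            stack[-1][m.group(1)] = m.group(2).strip()
        else:
            raise ValueError(f"line {no}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of input")
    return root


def check_children(conf: dict) -> list[str]:
    """A child holds settings only; a section nested inside it is a misplaced
    child whose settings (remote_ts, updown, ...) are never applied."""
    findings = []
    for conn_name, conn in conf.get("connections", {}).items():
        children = conn.get("children", {}) if isinstance(conn, dict) else {}
        for child_name, child in children.items():
            where = f"connections.{conn_name}.children.{child_name}"
            if not isinstance(child, dict):
                findings.append(f"{where}: expected a section, found a setting")
                continue
            for key, value in child.items():
                if isinstance(value, dict):
                    findings.append(f"{where}: nested section '{key}' holding "
                                    f"{', '.join(value)} is not applied to the child")
    return findings


def repair(conf: dict) -> dict:
    """Copy of conf in which a child that merely wraps one nested section is
    replaced by that section, keeping the outer child name."""
    fixed = copy.deepcopy(conf)
    for conn in fixed.get("connections", {}).values():
        children = conn.get("children", {}) if isinstance(conn, dict) else {}
        for name, child in list(children.items()):
            if isinstance(child, dict) and len(child) == 1:
                (inner,) = child.values()
                if isinstance(inner, dict):
                    children[name] = inner
    return fixed


# Constructed sample mirroring the client connection quoted above, with
# placeholder host, identity and certificate names.
SAMPLE = """\
connections {
    theclient-theserver {
        version = 2
        remote_addrs = theserver.example.net
        local-1 {
            auth = pubkey
            certs = theclientCert.pem
            id = theclient@example.net
        }
        children {
            theclient-theserver {
                ikev2-pubkey {  # one level too deep
                    remote_ts = 0.0.0.0/0
                    updown = /libexec/ipsec/_updown iptables
                    esp_proposals = aes128gcm128-x25519
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    conf = parse(SAMPLE)
    for finding in check_children(conf):
        print("finding:", finding)
    print("repaired child:", repair(conf)["connections"]["theclient-theserver"]["children"])
```

The repaired child keeps the outer name, which is the name the `swanctl --initiate ... --child theclient-theserver` command above already uses, so no other command or the server side needs to change.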


Re: [strongSwan] Windows Client - Multiple Connections, Multiple Certs

2019-02-25 Thread bls s
IIRC from when I looked at this, I was able to have two completely different 
servers configured on my Win10 client, and it worked correctly. I think the 
trick is to make sure that each VPN server has a different hostname (duh), and 
that the VPN SAN keys in the certs contain the FQDN hostname.



From: Tobias Brunner
Sent: Monday, February 25, 2019 3:30 AM
To: Tom Rymes; users@lists.strongswan.org
Subject: Re: [strongSwan] Windows Client - Multiple Connections, Multiple Certs



Hi Tom,

> I do not see anywhere that I
> can specify which certificate the client should use for a given connection.

I think you can only do that with EAP-TLS (i.e. not with machine
certificates) where you might actually get prompted for a certificate if
there are multiple and the advanced VPN options (via adapter options on
Windows 10) even provide a setting to pre-select a specific certificate
to use (via issuer/CA and/or EKU).

Regards,
Tobias




Re: [strongSwan] fail2ban

2018-12-29 Thread bls s
As far as I know, there’s nothing in strongSwan for this. Here’s the fail2ban 
bits that I did for strongSwan. strongSwan catches and blocks offenders. 
Xmonitor (if enabled) sends mail when a VPN connection is made.



https://1drv.ms/u/s!AnwsNfAZbYjHiPxBZqlfAiZRGxQx-g



Enjoy!



From: lejeczek
Sent: Thursday, December 27, 2018 7:16 AM
To: users@lists.strongswan.org
Subject: [strongSwan] fail2ban



hi guys

would you know if there are bits that fail2ban could use to look after
Strongswan?

Obviously I mean actions & filters for fail2ban and I'm thinking best
would be if those came from Strongswan devel as who knows Swan better
than they do.

many thanks, L.



Re: [strongSwan] leftcert ikev2

2018-10-23 Thread bls s
I’m using the new swanctl strongSwan support, but I’m pretty sure that the 
certs item in a connection’s local description is the same as leftcert.

My understanding is that the cert is used by the client to validate that it’s 
talking to the server that it thinks it connected to. Obviously the CA can be 
validated. Windows and iOS clients also validate against the altNames to 
provide an extra level of assurance. Windows checks that the hostname it 
connected to is one of the altNames, and iOS checks that the RemoteID in the 
VPN configuration is one of the altNames.

Not sure about MacOS and Android (yet), but they are undoubtedly similar.

From: Markus Maurer
Sent: Tuesday, October 23, 2018 7:16 AM
To: users@lists.strongswan.org
Subject: [strongSwan] leftcert ikev2

Hi,
can anybody explain to me why leftcert is needed in ikev2? What is it used for? I 
couldn't find an explanation about it.

Thanks in advance!
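To put the altName check described above into practice for the certificates pasted in the "user authentication failed" thread earlier on this page, the following Python script is an added example (not from either thread, from strongSwan or from pistrong). It parses the X509v3 Subject Alternative Name and X509v3 Extended Key Usage sections of `openssl x509 -noout -text` output and checks the identity the gateway presents (swanctl `local.id`, ipsec.conf `leftid`) and the hostname a client dials against the DNS SANs, and that the serverAuth EKU Windows requires is present. The first sample reproduces the server certificate extensions from that thread; the second is a constructed counter-example. The function names and messages are this example's own.

```python
"""Check a strongSwan gateway certificate against the identity it presents.

Added example; not from this thread, from strongSwan or from pistrong. It reads
the extension dump printed by `openssl x509 -noout -text` and applies the
client-side checks described above: Windows matches the hostname it dials
against the SAN, iOS matches its Remote ID against the SAN, and Windows requires
the serverAuth EKU. The messages are this example's own.
"""
from __future__ import annotations

SERVER_AUTH = "TLS Web Server Authentication"  # openssl's name for serverAuth (1.3.6.1.5.5.7.3.1)


def parse_x509_text(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Return SANs grouped by type ({'DNS': [...], 'IP Address': [...]}) and EKU names."""
    sans: dict[str, list[str]] = {}
    ekus: list[str] = []
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if line.startswith("X509v3 Subject Alternative Name"):
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                sans.setdefault(kind, []).append(value.strip())
        elif line.startswith("X509v3 Extended Key Usage"):
            ekus = [eku.strip() for eku in lines[i + 1].split(",")]
    return sans, ekus


def gateway_id_findings(cert_text: str, local_id: str, dialled_host: str | None = None) -> list[str]:
    """Mismatches between the gateway certificate and how clients address the gateway.

    local_id is the identity the gateway sends (swanctl `local.id`, ipsec.conf
    `leftid`); dialled_host is the server address configured on the client.
    """
    sans, ekus = parse_x509_text(cert_text)
    # DNS names are case-insensitive (RFC 4343), so compare lower-cased.
    dns_names = {name.lower() for name in sans.get("DNS", [])}
    # A leading '@' makes strongSwan use the string as an FQDN identity without resolving it.
    ident = local_id[1:] if local_id.startswith("@") else local_id
    findings = []
    if ident.lower() not in dns_names:
        findings.append(f"identity {local_id!r} is not a DNS SAN (SANs: {sorted(dns_names) or 'none'}); "
                        "iOS compares its Remote ID against the SAN")
    if dialled_host and dialled_host.lower() not in dns_names:
        findings.append(f"hostname {dialled_host!r} is not a DNS SAN; "
                        "Windows compares the server address it dials against the SAN")
    if SERVER_AUTH not in ekus:
        findings.append("EKU lacks TLS Web Server Authentication (serverAuth), "
                        "which Windows requires on the gateway certificate")
    return findings


# Sample 1: the server certificate extensions pasted in the thread above.
SERVER_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:echo.pLAN9.co
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# Sample 2 (constructed): a certificate for a different name and without serverAuth.
BAD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpn.example.net, IP Address:203.0.113.10
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

if __name__ == "__main__":
    # The gateway uses id = @echo.pLAN9.co; the client dials echo.plan9.co (lower case, as in the log).
    print(gateway_id_findings(SERVER_CERT_TEXT, "@echo.pLAN9.co", "echo.plan9.co") or "server cert: ok")
    for finding in gateway_id_findings(BAD_CERT_TEXT, "@echo.pLAN9.co", "vpn.example.net"):
        print("bad cert:", finding)
```

The first sample passes: the id `@echo.pLAN9.co` and the dialled name `echo.plan9.co` both match the single DNS SAN regardless of case, and serverAuth is present. The second sample reports the identity mismatch and the missing EKU, which is what the Windows error 13806 ("failed to find valid machine certificate") in the thread above reduces to once the client is past the certificate-store problem.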




Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-11 Thread bls s
Ah, good catch, Jean-Daniel. If that works, it would indeed address Matthieu’s 
concerns.

From: Jean-Daniel Dupas
Sent: Thursday, October 11, 2018 7:44 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

I don't have much experience with IPsec, but I think it is possible to specify 
different accepted CAs for each connection when using swanctl.conf.

"
connections.<conn>.remote<suffix>.cacerts: Comma separated list of CA 
certificates to accept for authentication. The certificates may use a relative 
path from the swanctl x509ca directory or an absolute path.
"

So you should just generate certs with one CA for the first group, and another 
CA for the second group.


On 11 Oct 2018 at 16:34, bls s wrote:

In the general sense it’s secure, since the connection is validated by the 
certs. However, in your particular use case, it does seem that a user could 
change the Remote ID and access the other VPN subnet. I can’t think of a way 
offhand to use a cert-based implementation to avoid that, other than using two 
VPNs, one for each subnet group (with each VPN having a separate root CA cert 
so no crossover is possible).

Even if you went to an id/password-based mechanism, you’ll need some way to 
distinguish the groups. A connection per user would get you there, but that 
will dramatically increase management complexity, so two VPN servers might be a 
more management-efficient approach.

From: Matthieu Nantern
Sent: Thursday, October 11, 2018 6:47 AM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

It's working but I'm wondering if it's really secure? A user can just change
its Remote ID and gain access to the other networks, no?

I want something that is server side. I can create one connection for each user
but it's ugly!

On Mon, 8 Oct 2018 at 21:05, bls s wrote:
Definitely interested in seeing it replicated. As an aside, I updated my CA 
management app https://github.com/gitbls/pistrong with more flexibility to 
generate this type of VPN cert. Unfortunately, it’s fully built around 
swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration. But, if you 
run into any issues, happy to help you wrangle it into debug mode to use that 
part of the tool.

From: Matthieu Nantern
Sent: Sunday, October 7, 2018 11:23 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Very good idea! I will try that this week and will let you know if it works!

Thank you!

On Sun, 7 Oct 2018 at 00:17, bls s wrote:

I just did a quick test using my iPhone, and it appears to work just fine. 
Using 2 strongSwan profiles, each profile has a different VPN cert, with 
different altNames in the cert. By changing the Remote ID on iOS I was able to 
authenticate with each of the 2 profiles.



From: bls s
Sent: Friday, October 5, 2018 6:54 AM
To: Matthieu Nantern
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients


I haven't looked into this in detail, but could you use different VPN certs for 
each subnet? Each VPN cert would be in a different conn section, and they would 
have different altNames (SAN). If I understand the MacOS VPN config correctly 
(looks a lot like iOS), when certs are installed onto MacOS, you can specify 
the Remote ID, which is the SAN that matches that of the VPN cert.

From: Matthieu Nantern
Sent: Thursday, October 4, 2018 11:31 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

We are using certificates (one for each client device) but I have 2 networks:
n1 and n2. And I want some users to be able to access n1 and others n1 + n2.


I wanted to make the distinction by using a conf like this:


conn alice
  leftsubnet=10.1.0.10/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
  auto=add

conn venus
  leftsubnet=10.1.0.20/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
  auto=add

But unfortunately with the MacOs client I don't have the Distinguished Names but
only the FQDN:


ikev2-pubkey[1216]: ESTABLISHED 2 min
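Jean-Daniel's per-connection CA idea, written out as an added swanctl.conf example. This is not configuration posted by anyone in the thread, and the CA file names, server names, addresses and pools are assumed: two CAs (researchCA.pem and accountingCA.pem) in /etc/swanctl/x509ca, one server certificate per group in /etc/swanctl/x509 whose subjectAltName is the name users enter as Remote ID on macOS/iOS, and n1 = 10.1.0.0/24, n2 = 10.1.1.0/24. Because each connection only accepts client certificates that chain to its own CA, a Research user who edits the Remote ID to the Accounting name is still rejected at IKE_AUTH: the CA that issued the client's certificate decides which subnet is reachable, not the identity the client chooses.

```conf
# /etc/swanctl/swanctl.conf  (added example; names, addresses and file names are assumed)
connections {
    research {
        version = 2
        local_addrs = 203.0.113.10
        pools = research-pool
        # IKE/ESP proposals are assumptions; match them to what the client profile negotiates
        proposals = aes256-sha256-modp2048
        local {
            auth = pubkey
            # server cert with subjectAltName vpn-research.example.com (file in /etc/swanctl/x509)
            certs = vpn-research.example.com.pem
            # IDr the server asserts; macOS/iOS users enter this as "Remote ID"
            id = vpn-research.example.com
        }
        remote {
            auth = pubkey
            # only client certs issued by the Research CA (file in /etc/swanctl/x509ca) authenticate here
            cacerts = researchCA.pem
            # the identity type the client sends (FQDN-typed string on macOS) does not matter for this check
            id = %any
            # refuse the peer if revocation status cannot be verified
            revocation = strict
        }
        children {
            research {
                # n1 only
                local_ts = 10.1.0.0/24
                esp_proposals = aes256-sha256
            }
        }
    }

    accounting {
        version = 2
        local_addrs = 203.0.113.10
        pools = accounting-pool
        proposals = aes256-sha256-modp2048
        local {
            auth = pubkey
            certs = vpn-accounting.example.com.pem
            id = vpn-accounting.example.com
        }
        remote {
            auth = pubkey
            # a Research client cert does not chain to this CA, so it cannot use this connection
            cacerts = accountingCA.pem
            id = %any
            revocation = strict
        }
        children {
            accounting {
                # n1 + n2 as one selector (10.1.0.0/24 and 10.1.1.0/24)
                local_ts = 10.1.0.0/23
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    research-pool {
        addrs = 10.9.1.0/24
        dns = 10.1.0.53
    }
    accounting-pool {
        addrs = 10.9.2.0/24
        dns = 10.1.0.53
    }
}
```

Load with `swanctl --load-all` and check `swanctl --list-conns`, which prints the CA constraint under each connection's remote section. Both CA certificates must be present in x509ca for chain building; the per-connection cacerts line is what prevents crossover. Moving a user between groups means issuing a certificate from the other CA and revoking the old one, which is the per-device revocation argument made earlier in the thread.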

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-11 Thread bls s
In the general sense it’s secure, since the connection is validated by the 
certs. However, in your particular use case, it does seem that a user could 
change the Remote ID and access the other VPN subnet. I can’t think of a way 
offhand to use a cert-based implementation to avoid that, other than using two 
VPNs, one for each subnet group (with each VPN having a separate root CA cert 
so no crossover is possible).

Even if you went to an id/password-based mechanism, you’ll need some way to 
distinguish the groups. A connection per user would get you there, but that 
will dramatically increase management complexity, so two VPN servers might be a 
more management-efficient approach.

From: Matthieu Nantern
Sent: Thursday, October 11, 2018 6:47 AM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

It's working but I'm wondering if it's really secure? A user can just change
its Remote ID and gain access to the other networks, no?

I want something that is server side. I can create one connection for each user
but it's ugly!

On Mon, 8 Oct 2018 at 21:05, bls s wrote:
Definitely interested in seeing it replicated. As an aside, I updated my CA 
management app https://github.com/gitbls/pistrong with more flexibility to 
generate this type of VPN cert. Unfortunately, it’s fully built around 
swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration. But, if you 
run into any issues, happy to help you wrangle it into debug mode to use that 
part of the tool.

From: Matthieu Nantern
Sent: Sunday, October 7, 2018 11:23 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Very good idea! I will try that this week and will let you know if it works!

Thank you!

On Sun, 7 Oct 2018 at 00:17, bls s wrote:

I just did a quick test using my iPhone, and it appears to work just fine. 
Using 2 strongSwan profiles, each profile has a different VPN cert, with 
different altNames in the cert. By changing the Remote ID on iOS I was able to 
authenticate with each of the 2 profiles.



From: bls s
Sent: Friday, October 5, 2018 6:54 AM
To: Matthieu Nantern
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients



I haven't looked into this in detail, but could you use different VPN certs for 
each subnet? Each VPN cert would be in a different conn section, and they would 
have different altNames (SAN). If I understand the MacOS VPN config correctly 
(looks a lot like iOS), when certs are installed onto MacOS, you can specify 
the Remote ID, which is the SAN that matches that of the VPN cert.

From: Matthieu Nantern
Sent: Thursday, October 4, 2018 11:31 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

We are using certificates (one for each client device) but I have 2 networks:
n1 and n2. And I want some users to be able to access n1 and others n1 + n2.


I wanted to make the distinction by using a conf like this:


conn alice
  leftsubnet=10.1.0.10/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
  auto=add

conn venus
  leftsubnet=10.1.0.20/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
  auto=add

But unfortunately with the MacOs client I don't have the Distinguished Names but
only the FQDN:


ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago,
10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastn...@test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i
0c4df008_o


And if you compare that with the StrongSwan Android client:


ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago,
10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod,
CN=firstname.lastn...@test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i
be7247e0_o


So I cannot route my users according to their certificates and I was wondering
what I can do?



On Thu, 4 Oct 2018 at 19:42, bls s wrote:

Someone will likely explain why using certificates sucks, but if you use 
ce

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-08 Thread bls s
Definitely interested in seeing it replicated. As an aside, I updated my CA 
management app https://github.com/gitbls/pistrong with more flexibility to 
generate this type of VPN cert. Unfortunately, it’s fully built around 
swanctl/systemd, not the legacy ipsec/ipsec.conf/… configuration. But, if you 
run into any issues, happy to help you wrangle it into debug mode to use that 
part of the tool.

From: Matthieu Nantern
Sent: Sunday, October 7, 2018 11:23 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Very good idea! I will try that this week and will let you know if it works!

Thank you!

On Sun, 7 Oct 2018 at 00:17, bls s wrote:

I just did a quick test using my iPhone, and it appears to work just fine. 
Using 2 strongSwan profiles, each profile has a different VPN cert, with 
different altNames in the cert. By changing the Remote ID on iOS I was able to 
authenticate with each of the 2 profiles.



From: bls s
Sent: Friday, October 5, 2018 6:54 AM
To: Matthieu Nantern
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients



I haven't looked into this in detail, but could you use different VPN certs for 
each subnet? Each VPN cert would be in a different conn section, and they would 
have different altNames (SAN). If I understand the MacOS VPN config correctly 
(looks a lot like iOS), when certs are installed onto MacOS, you can specify 
the Remote ID, which is the SAN that matches that of the VPN cert.

From: Matthieu Nantern
Sent: Thursday, October 4, 2018 11:31 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

We are using certificates (one for each client device) but I have 2 networks:
n1 and n2. And I want some users to be able to access n1 and others n1 + n2.


I wanted to make the distinction by using a conf like this:


conn alice
  leftsubnet=10.1.0.10/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
  auto=add

conn venus
  leftsubnet=10.1.0.20/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
  auto=add

But unfortunately with the MacOs client I don't have the Distinguished Names but
only the FQDN:


ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago,
10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastn...@test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i
0c4df008_o


And if you compare that with the StrongSwan Android client:


ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago,
10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod,
CN=firstname.lastn...@test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i
be7247e0_o


So I cannot route my users according to their certificates and I was wondering
what I can do?



On Thu, 4 Oct 2018 at 19:42, bls s wrote:

Someone will likely explain why using certificates sucks, but if you use 
certificates (one for each client device) you'll have fine-grained user access 
control (by revoking/deleting certs), and you don't need to list all the 
enabled certs anywhere in your config file.
From: Users on behalf of Matthieu Nantern
Sent: Thursday, October 4, 2018 8:41 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Is it possible to have multiple email addresses in the "rightid" parameter?
Maybe I can list all authorized users for each server instead of relying on
Distinguished Names?



On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern wrote:

Hi!


I installed StrongSwan to allow my users (mainly MacOs X clients) to use the 
native ikev2 authentication. Everything is working fine.


Now I would like to implement something like this:
https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
allowing some clients to access some networks and not the others.


Unfortunately I didn't see (or understand) the issue on that page
(https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):


ASN.1 Distinguished Names can't be

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-06 Thread bls s
I just did a quick test using my iPhone, and it appears to work just fine. 
Using 2 strongSwan profiles, each profile has a different VPN cert, with 
different altNames in the cert. By changing the Remote ID on iOS I was able to 
authenticate with each of the 2 profiles.



From: bls s
Sent: Friday, October 5, 2018 6:54 AM
To: Matthieu Nantern
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients



I haven't looked into this in detail, but could you use different VPN certs for 
each subnet? Each VPN cert would be in a different conn section, and they would 
have different altNames (SAN). If I understand the MacOS VPN config correctly 
(looks a lot like iOS), when certs are installed onto MacOS, you can specify 
the Remote ID, which is the SAN that matches that of the VPN cert.

From: Matthieu Nantern 
Sent: Thursday, October 4, 2018 11:31 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

We are using certificates (one for each client device) but I have 2 networks:
n1 and n2. And I want some users to be able to access n1 and others n1 + n2.


I wanted to make the distinction by using a conf like this:


conn alice
  leftsubnet=10.1.0.10/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
  auto=add

conn venus
  leftsubnet=10.1.0.20/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
  auto=add

But unfortunately with the MacOs client I don't have the Distinguished Names but
only the FQDN:


ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 
10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastn...@test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 
0c4df008_o


And if you compare that with the StrongSwan Android client:


ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 
10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, 
CN=firstname.lastn...@test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i 
be7247e0_o


So I cannot route my users according to their certificates and I was wondering
what I can do?



On Thu, 4 Oct 2018 at 19:42, bls s wrote:

Someone will likely explain why using certificates sucks, but if you use 
certificates (one for each client device) you'll have fine-grained user access 
control (by revoking/deleting certs), and you don't need to list all the 
enabled certs anywhere in your config file.
From: Users on behalf of Matthieu Nantern
Sent: Thursday, October 4, 2018 8:41 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Is it possible to have multiple email addresses in the "rightid" parameter?
Maybe I can list all authorized users for each server instead of relying on
Distinguished Names?



On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern wrote:

Hi!


I installed StrongSwan to allow my users (mainly MacOs X clients) to use the 
native ikev2 authentication. Everything is working fine.


Now I would like to implement something like this:
https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
allowing some clients to access some networks and not the others.


Unfortunately I didn't see (or understand) the issue on that page
(https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):


ASN.1 Distinguished Names can't be used as identities because the client 
currently sends them as identities of type FQDN.


As a result when I put rightid in my configuration it's not working because
MacOsX is only sending an FQDN (an email address in my case) and not the
Distinguished Name.



My question is how can I allow (or deny) some networks to some users?



I have a file that associates email address to "role" but I don't know how to 
use it. Maybe a plugin?


Any ideas/links?


Thank you!

--

Matthieu Nantern


--

Matthieu Nantern
SRE, Margo Bank
+33683148506


--

Matthieu Nantern
SRE, Margo Bank
+33683148506


Re: [strongSwan] Config doesnt work on Windows 10 and Android

2018-10-05 Thread bls s
My directions for importing certificates into Windows 10 can be found at
https://github.com/gitbls/pistrong/blob/master/CertInstall.md. I've never tested
them with Windows 10 Home, so I'd be interested in knowing if they work there.

As an aside, I started using strongSwan following the directions on the
zeitgeist site you mentioned, and found them to be usable but not easily
repeatable, so I built pistrong, which codifies my learnings in a script that
makes it all easily repeatable. You can find it at
https://github.com/gitbls/pistrong

Good luck, and do let me know if my directions work with Windows 10 Home.

From: Users on behalf of Sebastian Pfohl
Sent: Friday, October 5, 2018 12:59 PM
To: users@lists.strongswan.org
Subject: [strongSwan] Config doesnt work on Windows 10 and Android
 
I would like to connect to the VPN server with the native Windows 10 client,
but I can't connect. I have followed a tutorial at
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ but
the connection isn't successful. I struggle to import the certificates, because
the option to import a machine certificate is greyed out in Windows 10 Home.
However, I can manually select a user certificate. I don't know if that is OK. I
couldn't find any information about Windows 10 Home Edition. Is there any better
instruction available on how to make a connection from Windows 10 Home to a
strongSwan VPN? Here is my current config:

config setup
    charondebug="ike 2, knl 1, cfg 2, dmn 2, net 2"
   
conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes256-sha384-ecp384!
    esp=aes256-sha1,aes256-sha384-ecp384!
    dpdaction=clear
    dpddelay=300s
    rekey=no
   
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=%dhcp

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

Additionally, I use a Samsung Galaxy 7. There I can create a VPN connection
with "IPSec IKEv2 RSA" with the built-in client. I can't connect from there either.
The connection is refused. I thought the above configuration should work with the
VPN type in the Samsung Galaxy. Can someone please help me make a proper config?

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-05 Thread bls s
I haven't looked into this in detail, but could you use different VPN certs for 
each subnet? Each VPN cert would be in a different conn section, and they would 
have different altNames (SAN). If I understand the MacOS VPN config correctly 
(looks a lot like iOS), when certs are installed onto MacOS, you can specify 
the Remote ID, which is the SAN that matches that of the VPN cert.

From: Matthieu Nantern 
Sent: Thursday, October 4, 2018 11:31 PM
To: bls3...@outlook.com
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
 
We are using certificates (one for each client device) but I have 2 networks:
n1 and n2. And I want some users to be able to access n1 and others n1 + n2.


I wanted to make the distinction by using a conf like this:


conn alice
  leftsubnet=10.1.0.10/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
  auto=add

conn venus
  leftsubnet=10.1.0.20/32
  right=%any
  rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
  auto=add

But unfortunately with the MacOs client I don't have the Distinguished Names but
only the FQDN:


ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 
10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastn...@test.com]
ikev2-pubkey{2102}:  INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 
0c4df008_o


And if you compare that with the StrongSwan Android client:


ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 
10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, 
CN=firstname.lastn...@test.com]
ikev2-pubkey{2103}:  INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i 
be7247e0_o


So I cannot route my users according to their certificates and I was wondering
what I can do?



On Thu, 4 Oct 2018 at 19:42, bls s wrote:

Someone will likely explain why using certificates sucks, but if you use 
certificates (one for each client device) you'll have fine-grained user access 
control (by revoking/deleting certs), and you don't need to list all the 
enabled certs anywhere in your config file.
From: Users on behalf of Matthieu Nantern
Sent: Thursday, October 4, 2018 8:41 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
 
Is it possible to have multiple email addresses in the "rightid" parameter?
Maybe I can list all authorized users for each server instead of relying on
Distinguished Names?



On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern wrote:

Hi!


I installed StrongSwan to allow my users (mainly MacOs X clients) to use the 
native ikev2 authentication. Everything is working fine.


Now I would like to implement something like this:
https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
allowing some clients to access some networks and not the others.


Unfortunately I didn't see (or understand) the issue on that page
(https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):


ASN.1 Distinguished Names can't be used as identities because the client 
currently sends them as identities of type FQDN.


As a result when I put rightid in my configuration it's not working because
MacOsX is only sending an FQDN (an email address in my case) and not the
Distinguished Name.



My question is how can I allow (or deny) some networks to some users?



I have a file that associates email address to "role" but I don't know how to 
use it. Maybe a plugin?


Any ideas/links?


Thank you!

--

Matthieu Nantern


--

Matthieu Nantern
SRE, Margo Bank
+33683148506


--

Matthieu Nantern
SRE, Margo Bank
+33683148506

Re: [strongSwan] Ikev2 wildcards with MacOs clients

2018-10-04 Thread bls s
Someone will likely explain why using certificates sucks, but if you use 
certificates (one for each client device) you'll have fine-grained user access 
control (by revoking/deleting certs), and you don't need to list all the 
enabled certs anywhere in your config file.

From: Users on behalf of Matthieu Nantern
Sent: Thursday, October 4, 2018 8:41 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients

Is it possible to have multiple email addresses in the "rightid" parameter?
Maybe I can list all authorized users for each server instead of relying on
Distinguished Names?

On Wed, 3 Oct 2018 at 08:42, Matthieu Nantern wrote:
Hi!

I installed StrongSwan to allow my users (mainly MacOs X clients) to use the 
native ikev2 authentication. Everything is working fine.

Now I would like to implement something like this:
https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html
allowing some clients to access some networks and not the others.

Unfortunately I didn't see (or understand) the issue on that page
(https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):


  * ASN.1 Distinguished Names can't be used as identities because the client
    currently sends them as identities of type FQDN.

As a result when I put rightid in my configuration it's not working because
MacOsX is only sending an FQDN (an email address in my case) and not the
Distinguished Name.

My question is how can I allow (or deny) some networks to some users?

I have a file that associates email address to "role" but I don't know how to 
use it. Maybe a plugin?

Any ideas/links?

Thank you!
--

Matthieu Nantern


--

Matthieu Nantern
SRE, Margo Bank
+33683148506


Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2

2018-09-26 Thread bls s
Not trying to muddy the waters, but I think it depends on what Auth method 
you're using. If you're using cert-based auth with IKEV2 I don't think that 
there's any way to send an ID. On the other hand, if you're using IPSEC with a 
pre-shared key, I think you can coerce the selection of a different connection. 

It would definitely be interesting to get some definitive input and validated 
testing on this!

From: Users on behalf of Marwan Khalili
Sent: Wednesday, September 26, 2018 5:16 AM
To: Christian Salway
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id 
(leftid) for IKEv2
 
I have looked through the options but cannot find it. Would be very grateful
if you could describe how to do it when you have time.


I am using the VPN client built into Windows 10. I have searched for an option
corresponding to the "Remote ID" in macOS in the following locations to no avail:
 - Settings -> Network & Internet -> VPN
 - Control Panel -> Network and Internet -> Network Connections
 - rasphone.pbk - %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk
 - PowerShell documentation for Add-VpnConnection and 
Set-VpnConnectionIPsecConfiguration


From: Christian Salway 
Sent: Wednesday, September 26, 2018 01:29
To: bls s
Cc: Marwan Khalili; users@lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id 
(leftid) for IKEv2
 
You can set the ID in Windows 10; if you go through the options for the
connection you will see it. Not near a computer, otherwise I'd get you the
instructions.

On 26 Sep 2018, at 02:30, bls s wrote:


I'm curious about this as well. From my work on pistrong (see elsewhere), it 
looks to me like Windows doesn't have a way to send an ID that you can use for 
matching. I haven't tried this, but you might be able to make it work by using 
a separate "VPN certificate" for the Windows connection that has an altname in 
it corresponding to a secondary DNS name for your server. You can then have 
Windows connect to the secondary DNS name and, in theory, it would eventually 
match that connection.


Again, just a theory, I'm definitely interested in other approaches to solving 
this.

From: Users on behalf of Marwan Khalili
Sent: Tuesday, September 25, 2018 7:47 AM
To: users@lists.strongswan.org
Subject: [strongSwan] Help! I can't configure Windows 10 to send remote id 
(leftid) for IKEv2
 
Hello,


I have a strongSwan server running with the ipsec.conf pasted below. 



The clients are using Windows 10 and macOS and they must be able to choose the
connection. I am trying to separate the connections using "leftid" with
different subdomains for each connection (e.g. vpn1.example.org,
vpn2.example.org).


My solution below works in macOS by matching "Remote ID" with the appropriate 
"leftid", however I can't get it to work in Windows 10. 


I am very grateful to any help or ideas of how I can solve this. 




ipsec.conf
--
conn %default
  auto=add
  dpdaction=clear
  dpddelay=180s
  eap_identity=%any
  esp=aes256-sha256,aes256-sha1,3des-sha1!
  forceencaps=yes
  ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  keyexchange=ikev2
  leftcert=cert.pem
  leftsendcert=always
  rightauth=eap-mschapv2
  rightsendcert=never

conn conn1
  left=%any
  leftid=@vpn1.example.org
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.1/24

conn conn2
  left=%any
  leftid=@vpn2.khalili.xyz
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.2/24

Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2

2018-09-25 Thread bls s
I'm curious about this as well. From my work on pistrong (see elsewhere), it 
looks to me like Windows doesn't have a way to send an ID that you can use for 
matching. I haven't tried this, but you might be able to make it work by using 
a separate "VPN certificate" for the Windows connection that has an altname in 
it corresponding to a secondary DNS name for your server. You can then have 
Windows connect to the secondary DNS name and, in theory, it would eventually 
match that connection.

Again, just a theory, I'm definitely interested in other approaches to solving 
this.

From: Users on behalf of Marwan Khalili
Sent: Tuesday, September 25, 2018 7:47 AM
To: users@lists.strongswan.org
Subject: [strongSwan] Help! I can't configure Windows 10 to send remote id 
(leftid) for IKEv2

Hello,

I have a strongSwan server running with the ipsec.conf pasted below.

The clients are using Windows 10 and macOS and they must be able to choose the
connection. I am trying to separate the connections using "leftid" with
different subdomains for each connection (e.g. vpn1.example.org,
vpn2.example.org).

My solution below works in macOS by matching "Remote ID" with the appropriate 
"leftid", however I can't get it to work in Windows 10.

I am very grateful to any help or ideas of how I can solve this.


ipsec.conf
--
conn %default
  auto=add
  dpdaction=clear
  dpddelay=180s
  eap_identity=%any
  esp=aes256-sha256,aes256-sha1,3des-sha1!
  forceencaps=yes
  ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  keyexchange=ikev2
  leftcert=cert.pem
  leftsendcert=always
  rightauth=eap-mschapv2
  rightsendcert=never

conn conn1
  left=%any
  leftid=@vpn1.example.org
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.1/24

conn conn2
  left=%any
  leftid=@vpn2.khalili.xyz
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.2/24


[strongSwan] Introducing pistrong

2018-09-24 Thread bls s
(Sending this to the users list so that others might find the link more easily)

Short and sweet: pistrong simplifies strongSwan CA and road warrior user/device 
cert management. This is the initial release.

Check it out at https://github.com/gitbls/pistrong/tree/master

Appreciate all feedback, of course! And thanks to Noel Kuntze for his great 
feedback.



[strongSwan] CRL: Parsing x509 certificate failed

2018-09-08 Thread bls s
I'm working with CRLs. I have what I believe is a well-formed CRL using 
strongSwan 5.6.3:

Rpi31/etc/swanctl# pki --print --in /etc/swanctl/x509/revoked.der --type crl
  issuer:    "C=US, O=rpi31-strongSwan, CN=strongSwan rpi31 Root CA"
  update:    this on Sep 08 08:05:51 2018, ok
             next on Sep 15 08:05:51 2018, ok (expires in 6 days)
  serial:    01
  authKeyId: 58:5e:05:3b:53:6e:00:2f:99:a2:1e:3b:ce:c0:86:c7:37:fb:89:fc
  1 revoked certificate:
    72:50:d2:f7:36:0d:08:af: Sep 08 08:05:51 2018, superseded

However, swanctl --load-creds reports:

Rpi31/etc/swanctl# swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/bls-iPhone7-rpi31Cert.pem'
loaded certificate from '/etc/swanctl/x509/strongSwanCert.pem'
loading '/etc/swanctl/x509/revoked.der' failed: parsing X509 certificate failed
loaded certificate from '/etc/swanctl/x509/bls-android-rpi31Cert.pem'
loaded certificate from '/etc/swanctl/x509/bls-scout-rpi31Cert.pem'

In another thread I saw a mention that pem must be loaded, and it appears that 
it is:

Sep  7 14:30:05 rpi31 charon-systemd[31880]: loaded plugins: charon-systemd 
charon-systemd aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation 
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl 
fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve 
socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic 
eap-tls xauth-generic counters

Greatly appreciate solutions, suggestions, or pointers to help resolve.

Thanks!
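
pki --print parses the file because it was told --type crl. swanctl --load-creds, by contrast, loads every file under /etc/swanctl/x509 as an end-entity certificate and expects CRLs under /etc/swanctl/x509crl (CA certificates go in x509ca), which is consistent with a CRL in x509/ being rejected as "parsing X509 certificate failed". As an added example, not part of the thread and not strongSwan's code, here is a Python sniffer that reads just enough of the DER structure to tell a certificate from a CRL and reports the directory swanctl expects. The two sample blobs are constructed skeletons with the correct outer structure and no real signature; the function names are this example's own.

```python
"""Tell an X.509 certificate from a CRL by its DER structure, and report the
swanctl directory each belongs in.

Added example, not from the thread or from strongSwan. swanctl --load-creds
reads /etc/swanctl/x509 as end-entity certificates and /etc/swanctl/x509crl
as CRLs, so a CRL copied into x509/ is parsed as a certificate and rejected.
This sniffer decodes only enough ASN.1 to distinguish the two outer
structures; it does not check signatures or validity.
"""
import base64
import re
import sys

SEQUENCE, INTEGER, UTCTIME, GENERALIZEDTIME, BITSTRING, CTX0 = 0x30, 0x02, 0x17, 0x18, 0x03, 0xA0
SWANCTL_DIR = {"certificate": "/etc/swanctl/x509", "crl": "/etc/swanctl/x509crl"}


def read_tlv(buf, pos):
    """Decode the DER tag and length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def child_tags(buf, start, end):
    """Tags of the direct children of a constructed element spanning [start, end)."""
    tags, pos = [], start
    while pos < end:
        tag, _, content_end = read_tlv(buf, pos)
        tags.append(tag)
        pos = content_end
    return tags


def to_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def classify(data):
    """Return 'certificate', 'crl' or 'unknown'."""
    der = to_der(data)
    tag, start, _ = read_tlv(der, 0)  # outer SEQUENCE
    if tag != SEQUENCE:
        return "unknown"
    tag, tbs_start, tbs_end = read_tlv(der, start)  # tbsCertificate / tbsCertList
    if tag != SEQUENCE:
        return "unknown"
    kids = child_tags(der, tbs_start, tbs_end)
    if kids and kids[0] == CTX0:  # [0] EXPLICIT version exists only in certificates
        return "certificate"
    if kids and kids[0] == INTEGER:  # v1 cert serialNumber or v2 CRL version
        kids = kids[1:]
    # Both now continue: signature AlgorithmIdentifier, issuer Name, then ...
    if len(kids) < 3 or kids[0] != SEQUENCE or kids[1] != SEQUENCE:
        return "unknown"
    if kids[2] in (UTCTIME, GENERALIZEDTIME):  # thisUpdate follows issuer only in a CRL
        return "crl"
    if kids[2] == SEQUENCE:  # a certificate has a validity SEQUENCE here
        return "certificate"
    return "unknown"


def where_to_put(data):
    """swanctl directory for this blob, or None if it is neither."""
    return SWANCTL_DIR.get(classify(data))


def tlv(tag, content):
    """Minimal DER encoder used to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# Constructed skeletons: correct outer structure, empty names/algorithms, no real signature.
_ALG, _NAME, _TIME = tlv(SEQUENCE, b""), tlv(SEQUENCE, b""), tlv(UTCTIME, b"180908080551Z")
SAMPLE_CERT = tlv(SEQUENCE,
                  tlv(SEQUENCE, tlv(CTX0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")
                      + _ALG + _NAME + tlv(SEQUENCE, _TIME + _TIME) + _NAME)
                  + _ALG + tlv(BITSTRING, b"\x00"))
SAMPLE_CRL = tlv(SEQUENCE,
                 tlv(SEQUENCE, tlv(INTEGER, b"\x01") + _ALG + _NAME + _TIME + _TIME + tlv(SEQUENCE, b""))
                 + _ALG + tlv(BITSTRING, b"\x00"))
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL) + b"-----END X509 CRL-----\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(f"{path}: {classify(blob)} -> {where_to_put(blob) or 'not loadable by swanctl'}")
```

Running it as `python3 sniff.py /etc/swanctl/x509/*` lists any file in the certificate directory that is actually a CRL. The discriminator is structural: only a certificate carries the `[0]` version wrapper, and after the issuer name a certificate has a validity SEQUENCE while a CRL has the thisUpdate time directly.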


Re: [strongSwan] Logging configuration with swanctl.conf

2018-08-08 Thread bls s
Christian, thanks for the reply. File permissions were fine, but you pointed me 
in precisely the right direction. I had the logging info in 
/etc/swanctl/swanctl.conf. Moving it to /etc/strongswan.d/charon-systemd.conf 
did the trick.

Thanks!

From: Christian Salway 
Sent: Tuesday, August 7, 2018 9:42 PM
To: bls s
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Logging configuration with swanctl.conf

Hi bls,

Configuration looks good. This is what I use.  Make sure you have saved to the 
correct file and that you have permission to write to /var/log


cat <<'EOF' > /etc/strongswan.d/charon-systemd.conf
charon-systemd {
    filelog {
        /var/log/strongswan.log {
            time_format = %b %e %T
            flush_line = yes
            default = -1
            cfg = 2
            ike = 2
        }
    }
}
EOF


On 8 Aug 2018, at 01:25, bls s wrote:

I'm trying to enable strongswan logging in order to submit a question, but I 
can't seem to get logging set up correctly with swanctl.conf Here's what I 
added to swanctl.conf. How can I get logging enabled in this configuration? 
This is strongswan 5.6.3 on latest Raspbian/Debian.

Thanks!

charon-systemd {
    filelog {
        /var/log/charon_debug.log {
            time_format = %a, %Y-%m-%d %R
            default = 2
            mgr = 0
            net = 1
            enc = 1
            asn = 1
            job = 1
            ike_name = yes
            append = no
            flush_line = yes
        }
    }
}



[strongSwan] Logging configuration with swanctl.conf

2018-08-07 Thread bls s
I'm trying to enable strongswan logging in order to submit a question, but I 
can't seem to get logging set up correctly with swanctl.conf Here's what I 
added to swanctl.conf. How can I get logging enabled in this configuration? 
This is strongswan 5.6.3 on latest Raspbian/Debian.

Thanks!

charon-systemd {
    filelog {
        /var/log/charon_debug.log {
            time_format = %a, %Y-%m-%d %R
            default = 2
            mgr = 0
            net = 1
            enc = 1
            asn = 1
            job = 1
            ike_name = yes
            append = no
            flush_line = yes
        }
    }
}


Re: [strongSwan] dpd not getting triggered

2018-01-12 Thread bls s
By default dpdaction=none, which disables sending dpd messages.



From: Kalyani Garigipati (kagarigi)
Sent: Thursday, January 11, 2018 10:47 AM
To: users@lists.strongswan.org
Subject: [strongSwan] dpd not getting triggered



Hi,

I am using strongswan version 5.6.1
I found that even though I configured dpd using dpddelay and dpdtimeout, dpd is 
not getting triggered from strongswan client at all even though there is no 
traffic passing.
Please let me know how to debug this.


config setup
    charondebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no

conn %default
    ikelifetime=100m
    keylife=20m
    rekeymargin=8m
    keyingtries=1
    authby=psk
    keyexchange=ikev2
    ike=aes256-sha256-modp1024
    esp=3des-sha1
    mobike=yes
    dpddelay=5s
    dpdtimeout=150s

# Add connections here.
conn net-net
    left=10.127.47.104
    leftsubnet=10.127.47.104/32
    leftid=10.127.47.104
    right=10.104.108.110
    rightsubnet=10.104.108.110/32
    rightid=10.104.108.110
    auto=start

Regards,
kalyani



Re: [strongSwan] Very strange strongSwan log entries

2017-12-08 Thread bls s
Hi, just wanted to let everyone know that in switching to charon-systemd all of 
these bogus log entries have gone away (which was my hope when I started down 
the path of switching!). In case anyone else is using a similar configuration, 
here's the equivalent swanctl.conf for the prior ipsec.conf:

connections {

    ikev2-eap-mschapv2 {
        version = 2
        #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        mobike = yes

        local-1 {
            certs = strongswanCert.pem
            id = ipsec.server.starwhite
            auth = psk
        }

        remote-1 {
            auth = eap-mschapv2
            id = ipsec.client.starwhite
            eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                #updown = /libexec/ipsec/_updown iptables
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s

        local-1 {
            certs = vpnHostCert.pem
            id = ipsec.server.starwhite
        }

        remote-1 {   # defaults are fine
        }

        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3, 8.8.8.8
    }
}

include conf.d/*.conf

And here is the secrets file from /etc/swanctl/conf.d/swanctl-secrets.conf. I 
put it in a separate file to simplify my script for generating secrets and 
.mobileconfig files.

secrets {
    ike-psk {
        secret = biglongsecretstring
    }
    eap-xxx@mydomain {
        id = xxx@mydomain
        secret = biglongsecretstring2
    }
}

From: bls s
Sent: Tuesday, November 21, 2017 3:47 PM
To: users@lists.strongswan.org
Subject: Very strange strongSwan log entries

I'm REALLY confused about what I'm seeing in the strongSwan log! I've probably 
got a serious configuration error, and would really appreciate some pointers 
toward fixing this. A summary description would be "VPN road warrior 
connections established with one client generate log activity to/from another 
IP address".

Thanks!

Here's my configuration information:
* strongSwan V5.6.0 on openSUSE 42.3 with one VPN user configured at the moment 
(me on my iPhone).
* Build command line:
  $ ./configure --enable-eap-mschapv2 --enable-eap-identity --enable-openssl 
--enable-eap-md5 --enable-eap-tls --enable-eap-dynamic --enable-tools

* ipsec.conf:

config setup
    strictcrlpolicy=no
    uniqueids=no

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=120s
    fragmentation=yes
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=192.168.92.2,8.8.8.8
    rightsourceip=10.92.10.1/24

conn iOS-IKEV2
    keyexchange=ikev2
    auto=add
    mobike=yes
    eap_identity=%any
    leftauth=psk
    leftid=net.mydomain.ipsec.server
    leftfirewall=yes
    rightsendcert=always
    rightauth=eap-mschapv2
    rightid=net.mydomain.ipsec.client

These bullets discuss the log snippet which follows at the end of this message. 
Except for 1 and 2, each one of these connections happened on a different day.

* [Connection 1]: You can see that a connection is made to the VPN from 
166.176.187.128. But several lines later, ipsec reports a connection to 
166.176.185.112 (See ***). I'm pretty sure that my cellphone doesn't get new IP 
addresses that fast! But then, after ipsec reports the IP lease going offline 
(See ), there is additional activity reported with the original IP address 
of 166.176.187.128, including recreating the whole VPN session.

* [Connection 2]: This is a random hacker trying to connect to the VPN. I 
monitor the VPN with fail2ban, and this attempt blocked udp ports 500 and 4500 
for 196.52.43.60.

* [Connection 3]: Another random connection. IP 168.1.128.76 blocked by 
fail

[strongSwan] 'closing CHILD' log entry not always present with charon-systemd

2017-12-02 Thread bls s
I’m using charon-systemd with two different connection types: eap-mschapv2 (for 
iOS) and pubkey for use with Windows. The ‘closing CHILD’ log entry IS present 
with pubkey connections as in:

Dec  1 08:47:34 xunil charon-systemd[708]: closing CHILD_SA ikev2-pubkey{4} 
with SPIs c700f912_i (1201208 bytes) 57fa7898_o (48931713 bytes) and TS 
0.0.0.0/0 === 10.92.10.2/32

But there is no such entry with eap-mschapv2.

Why is it not included with eap-mschapv2?

Thanks



Re: [strongSwan] swanctl.conf EAP credential information

2017-11-30 Thread bls s
Tobias, Thank you! Indeed your suggested workaround to delete the dots in 
section names fixed the issue.



From: Tobias Brunner
Sent: Thursday, November 30, 2017 8:49 AM
To: bls s; Noel Kuntze; users@lists.strongswan.org
Subject: Re: [strongSwan] swanctl.conf EAP credential information



Hi,

The problem are the dots in the section names of your EAP secrets.  For
instance:

  eap-us...@mydomain.com {
id = us...@mydomain.com
secret=secret1
  }

When enumerating the id... keys in these sections the current section
name was written to a string buffer instead of using the parameter
evaluation provided by settings_t.  All dots in strings are interpreted
as section separators so the dot there caused a lookup of the section:

  eap-user1@mydomain {
com {
  ...
}
  }

But since that doesn't exist no id... key was found in this section and
the secrets were not associated with any identities:

> Wed, 2017-11-29 10:59 07[CFG] vici client 1 requests: load-shared
> Wed, 2017-11-29 10:59 07[CFG] loaded EAP shared key with id 
> 'eap-...@mydomain.net' for: '%any'

This basically caused the first of these secrets to get used for all
clients.

I pushed a fix to the swanctl-enumerate-kv branch (for connections and
their subsections dots still can't be used, though).

As a workaround don't use any dots in these section names.

Regards,
Tobias
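
The mechanism Tobias describes is easy to reproduce outside strongSwan. What follows is an added example, not strongSwan's code (libstrongswan's settings_t is C and far more complete): a toy parser for the `name { key = value }` syntax of swanctl.conf and a dotted-path lookup that, like settings_t, treats every dot as a section separator. The function names and the sample secrets section are this example's own; the sample mirrors the thread's layout with one dotted and one dot-free section name. The security-relevant outcome is the last step: a secret whose id cannot be resolved is bound to %any, which is why the first such secret was offered to every client.

```python
"""Reproduce the dotted-section-name problem from the thread with a toy
parser for the swanctl.conf / strongswan.conf syntax.

Added example, not strongSwan code: libstrongswan's settings_t is C and far
more complete. What is reproduced is the one rule that mattered here: a
dotted path such as "secrets.eap-user1@mydomain.com.id" is split at every
dot, so a section whose name contains a dot can never be reached that way.
"""


def parse(text):
    """Parse 'name { key = value }' blocks into nested dicts. '#' starts a comment."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = current.setdefault(line[:-1].strip(), {})
            stack.append(current)
            current = section
        elif line == "}":
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces")
    return root


def lookup(tree, path):
    """Resolve a dotted path the way settings_t does: every dot is a separator."""
    node = tree
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def eap_identities(tree):
    """Map each eap-* secret section to the identity it gets bound to.

    Mirrors the 5.6.0 loader the thread describes: it builds the key path
    from the section name as a string, so a dotted name resolves nowhere and
    the secret is bound to %any, i.e. offered to every client.
    """
    bound = {}
    for name in tree.get("secrets", {}):
        if name.startswith("eap-"):
            bound[name] = lookup(tree, f"secrets.{name}.id") or "%any"
    return bound


# Constructed sample; names follow the thread's layout.
SAMPLE = """\
secrets {
    ike-psk {
        secret = somepsk
    }
    eap-user1@mydomain.com {      # dotted section name
        id = user1@mydomain.com
        secret = secret1
    }
    eap-user2 {                   # workaround from the thread: no dots in the name
        id = user2@mydomain.com
        secret = secret2
    }
}
"""

if __name__ == "__main__":
    for section, identity in eap_identities(parse(SAMPLE)).items():
        print(f"{section}: bound to {identity}")
```

The parser itself stores the dotted section name fine; it is only the string-built lookup path that fails, which is exactly the distinction between "the config is wrong" and "the loader is wrong" that the fix on the swanctl-enumerate-kv branch addressed.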


Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread bls s
Thanks. Here is swanctl --stats (after a service restart). 2 charon_debug 
logfiles attached, one with a successful connection (the userid in question at 
the end of the list) and one with a failed connection (userid in question at 
the front of the list).

Xunil/var/log# swanctl --stats
uptime: 10 seconds, since Nov 29 11:11:07 2017
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 2564096, mmap 0, used 401792, free 2162304
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md5 mgf1 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 
dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr 
kernel-netlink resolve socket-default vici updown eap-identity eap-md5 
eap-mschapv2 eap-dynamic eap-tls xauth-generic
Xunil/var/log#





From: Noel Kuntze
Sent: Wednesday, November 29, 2017 10:31 AM
To: bls s; users@lists.strongswan.org
Subject: Re: [strongSwan] swanctl.conf EAP credential information



Hi,

Please provide a log file created with the logger configuration from the 
HelpRequests[1] page
and the output of `swanctl --stats`.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 29.11.2017 19:27, bls s wrote:
>
> Curiously, if eap-user1 is at the end of the list, it authenticates 
> correctly, but not if first or second in the list.
>
>
>
> From: bls s
> Sent: Tuesday, November 28, 2017 4:43 PM
> To: users@lists.strongswan.org
> Subject: [strongSwan] swanctl.conf EAP credential information
>
>
>
> I’m switching over from using ipsec.conf to charon-systemd. Everything is 
> working for the first user, but I have run into a strange issue (or a dumb 
> user error!) with the ‘secrets’ section when trying to implement multiple eap 
> passwords.
>
>
>
> If my secrets section has only one eap id/password in it, the client 
> authenticates correctly. But, if the secrets section has more than one eap 
> id/password in it, the MSCHAPv2 authentication fails.
>
>
>
> Here’s the failing configuration. If I remove the 2nd and 3rd entries, 
> user1 works correctly. However, using the full secrets section below, user1 
> fails to authenticate.
>
>
>
> connections {
>
>     ikev2-eap-mschapv2 {
>         version = 2
>         #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>         mobike = yes
>
>         local-1 {
>             certs = strongswanCert.pem
>             id = serverid1
>             auth = psk
>         }
>
>         remote-1 {
>             auth = eap-mschapv2
>             id = clientid1
>             eap_id = %any
>         }
>
>         children {
>             ikev2-eap-mschapv2 {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>                 #updown = /libexec/ipsec/_updown iptables
>             }
>         }
>     }
>
>     ikev2-pubkey {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>             certs = vpnHostCert.pem
>             id = server1
>         }
>
>         remote-1 {   # defaults are fine
>         }
>
>         children {
>             ikev2-pubkey {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>             }
>

Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread bls s
Curiously, if eap-user1 is at the end of the list, it authenticates correctly, 
but not if first or second in the list.

From: bls s
Sent: Tuesday, November 28, 2017 4:43 PM
To: users@lists.strongswan.org
Subject: [strongSwan] swanctl.conf EAP credential information

I’m switching over from using ipsec.conf to charon-systemd. Everything is 
working for the first user, but I have run into a strange issue (or a dumb user 
error!) with the ‘secrets’ section when trying to implement multiple eap 
passwords.

If my secrets section has only one eap id/password in it, the client 
authenticates correctly. But, if the secrets section has more than one eap 
id/password in it, the MSCHAPv2 authentication fails.

Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 
works correctly. However, using the full secrets section below, user1 fails to 
authenticate.

connections {

    ikev2-eap-mschapv2 {
        version = 2
        #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        mobike = yes

        local-1 {
            certs = strongswanCert.pem
            id = serverid1
            auth = psk
        }

        remote-1 {
            auth = eap-mschapv2
            id = clientid1
            eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                #updown = /libexec/ipsec/_updown iptables
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s

        local-1 {
            certs = vpnHostCert.pem
            id = server1
        }

        remote-1 {   # defaults are fine
        }

        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3, 8.8.8.8
    }
}

secrets {
    ike-psk {
        secret = somepsk
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret1
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret2
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret3
    }
}



[strongSwan] swanctl.conf EAP credential information

2017-11-28 Thread bls s
I’m switching over from using ipsec.conf to charon-systemd. Everything is 
working for the first user, but I have run into a strange issue (or a dumb user 
error!) with the ‘secrets’ section when trying to implement multiple eap 
passwords.

If my secrets section has only one eap id/password in it, the client 
authenticates correctly. But, if the secrets section has more than one eap 
id/password in it, the MSCHAPv2 authentication fails.

Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 
works correctly. However, using the full secrets section below, user1 fails to 
authenticate.

connections {

    ikev2-eap-mschapv2 {
        version = 2
        #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        mobike = yes

        local-1 {
            certs = strongswanCert.pem
            id = serverid1
            auth = psk
        }

        remote-1 {
            auth = eap-mschapv2
            id = clientid1
            eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                #updown = /libexec/ipsec/_updown iptables
            }
        }
    }

    ikev2-pubkey {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s

        local-1 {
            certs = vpnHostCert.pem
            id = server1
        }

        remote-1 {   # defaults are fine
        }

        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3, 8.8.8.8
    }
}

secrets {
    ike-psk {
        secret = somepsk
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret1
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret2
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret = secret3
    }
}




[strongSwan] Very strange strongSwan log entries

2017-11-21 Thread bls s
I'm REALLY confused about what I'm seeing in the strongSwan log! I've probably 
got a serious configuration error, and would really appreciate some pointers 
toward fixing this. A summary description would be "VPN road warrior 
connections established with one client generate log activity to/from another 
IP address".

Thanks!

Here's my configuration information:
* strongSwan V5.6.0 on openSUSE 42.3 with one VPN user configured at the moment 
(me on my iPhone).
* Build command line:
  $ ./configure --enable-eap-mschapv2 --enable-eap-identity --enable-openssl 
--enable-eap-md5 --enable-eap-tls --enable-eap-dynamic --enable-tools

* ipsec.conf:

config setup
    strictcrlpolicy=no
    uniqueids=no

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=120s
    fragmentation=yes
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=192.168.92.2,8.8.8.8
    rightsourceip=10.92.10.1/24

conn iOS-IKEV2
    keyexchange=ikev2
    auto=add
    mobike=yes
    eap_identity=%any
    leftauth=psk
    leftid=net.mydomain.ipsec.server
    leftfirewall=yes
    rightsendcert=always
    rightauth=eap-mschapv2
    rightid=net.mydomain.ipsec.client

These bullets discuss the log snippet which follows at the end of this message. 
Except for 1 and 2, each one of these connections happened on a different day.

* [Connection 1]: You can see that a connection is made to the VPN from 
166.176.187.128. But several lines later, ipsec reports a connection to 
166.176.185.112 (See ***). I'm pretty sure that my cellphone doesn't get new IP 
addresses that fast! But then, after ipsec reports the IP lease going offline 
(See ), there is additional activity reported with the original IP address 
of 166.176.187.128, including recreating the whole VPN session.

* [Connection 2]: This is a random hacker trying to connect to the VPN. I 
monitor the VPN with fail2ban, and this attempt blocked udp ports 500 and 4500 
for 196.52.43.60.

* [Connection 3]: Another random connection. IP 168.1.128.76 blocked by 
fail2ban.

* [Connection 4]: Another random connection. IP 92.53.47.72 blocked by fail2ban.

* [Connection 5]: This occurred last night. All of the IP addresses mentioned 
in connections 2,3,4 are still blocked via fail2ban. Then, there is a 
connection from 196.52.43.54, which generates a "received proposals 
inacceptable" error, and then immediately following that there is ipsec log 
activity from a completely different address (166.176.187.128, which you may 
recall from Connection 1) which authenticates to the VPN. Then, following this 
there is traffic from 168.1.128.76 (Connection 2), and then traffic from 
92.53.47.72 (Connection 4).

Logfiles snippets:

... [Connection 1]

Nov 17 08:55:22 myhost charon[22748]: 12[NET] received packet: from 
166.176.187.128[56885] to 192.168.92.2[500] (300 bytes)
Nov 17 08:55:22 myhost charon[22748]: 12[ENC] parsed IKE_SA_INIT request 0 [ SA 
KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 17 08:55:22 myhost charon[22748]: 12[IKE] 166.176.187.128 is initiating an 
IKE_SA
Nov 17 08:55:22 myhost charon[22748]: 12[IKE] 166.176.187.128 is initiating an 
IKE_SA
Nov 17 08:55:22 myhost charon[22748]: 12[IKE] local host is behind NAT, sending 
keep alives
Nov 17 08:55:22 myhost charon[22748]: 12[IKE] remote host is behind NAT
Nov 17 08:55:22 myhost charon[22748]: 12[IKE] sending cert request for "C=CH, 
O=strongSwan, CN=strongSwan Root CA"
Nov 17 08:55:22 myhost charon[22748]: 12[ENC] generating IKE_SA_INIT response 0 
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Nov 17 08:55:22 myhost charon[22748]: 12[NET] sending packet: from 
192.168.92.2[500] to 166.176.187.128[56885] (341 bytes)
Nov 17 08:55:22 myhost charon[22748]: 13[NET] received packet: from 
166.176.187.128[30852] to 192.168.92.2[4500] (364 bytes)
Nov 17 08:55:22 myhost charon[22748]: 13[ENC] unknown attribute type (25)
Nov 17 08:55:22 myhost charon[22748]: 13[ENC] parsed IKE_AUTH request 1 [ IDi 
N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 
(25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 17 08:55:22 myhost charon[22748]: 13[CFG] looking for peer configs matching 
192.168.92.2[net.mydomain.ipsec.server]...166.176.187.128[net.mydomain.ipsec.client]
Nov 17 08:55:22 myhost charon[22748]: 13[CFG] selected peer config 'iOS-IKEV2'
Nov 17 08:55:22 myhost charon[22748]: 13[IKE] initiating EAP_IDENTITY method 
(id 0x00)
Nov 17 08:55:22 myhost charon[22748]: 13[IKE] received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 17 08:55:22 myhost charon[22748]: 13[IKE] peer supports MOBIKE
Nov 17 08:55:22 myhost charon[22748]: 13[IKE] authentication of 
'net.mydomain.ipsec.server' (myself) with pre-shared key
Nov 17 08:55:22 myhost charon[22748]: 13[ENC] generating IKE_AUTH response 1 [ 
IDr AUTH EAP/REQ/ID ]
Nov 17 08:55:22 
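
The excerpt above shows why attributing charon log events to a peer takes a small join: the peer address appears only on the NET "received packet: from ..." line, while the IKE, CFG and ENC lines that follow carry just the worker-thread number (the "12[NET]", "13[IKE]" prefix). The following is an added example, not code from the post: a fail2ban-style scanner that uses the thread number as the join key, charges failure messages to the peer whose packet that thread is processing, and excludes peers that went on to establish an IKE_SA. The failure strings and ban threshold are the example's own policy; the log lines are constructed in the page's format, reusing addresses that appear in the post.

```python
"""Attribute charon log events to a peer address by worker thread, fail2ban style.

Added example, not from the post. In charon's syslog output only the NET lines
name the peer ("received packet: from A.B.C.D[port] ..."); the IKE/CFG/ENC
lines that follow come from the same worker thread (the "13[IKE]" prefix) and
describe that packet, so the thread number is the join key. The failure
strings and the ban threshold are this example's policy; the sample lines
are constructed, reusing addresses that appear in the post.
"""
import re
from collections import Counter

LOG_LINE = re.compile(r"charon(?:-systemd)?\[\d+\]: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
RECEIVED = re.compile(r"received packet: from (?P<ip>[0-9a-fA-F.:]+)\[\d+\]")
# Messages charged to the peer that sent the packet being processed.
FAILURES = (
    "N(AUTH_FAILED)",                 # we answered IKE_AUTH with AUTH_FAILED
    "received proposals inacceptable",
    "no matching peer config",
)


def scan(lines):
    """Return (Counter of failures per peer ip, set of peer ips that established an IKE_SA)."""
    in_progress = {}   # worker thread -> peer ip of the packet it is handling
    failures, established = Counter(), set()
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        thread, msg = match.group("thread"), match.group("msg")
        received = RECEIVED.search(msg)
        if received:
            in_progress[thread] = received.group("ip")
            continue
        ip = in_progress.get(thread)
        if ip is None:
            continue
        if "IKE_SA" in msg and "established between" in msg:
            established.add(ip)
        elif any(text in msg for text in FAILURES):
            failures[ip] += 1
    return failures, established


def ban_candidates(lines, threshold=3):
    """Peers with at least `threshold` failures and no successful IKE_SA, sorted."""
    failures, established = scan(lines)
    return sorted(ip for ip, n in failures.items() if n >= threshold and ip not in established)


SAMPLE_LOG = """\
Nov 17 08:55:22 myhost charon[22748]: 12[NET] received packet: from 166.176.187.128[56885] to 192.168.92.2[500] (300 bytes)
Nov 17 08:55:22 myhost charon[22748]: 12[IKE] 166.176.187.128 is initiating an IKE_SA
Nov 17 08:55:22 myhost charon[22748]: 13[NET] received packet: from 166.176.187.128[30852] to 192.168.92.2[4500] (364 bytes)
Nov 17 08:55:23 myhost charon[22748]: 13[IKE] IKE_SA iOS-IKEV2[1] established between 192.168.92.2[net.mydomain.ipsec.server]...166.176.187.128[net.mydomain.ipsec.client]
Nov 18 02:10:01 myhost charon[22748]: 07[NET] received packet: from 196.52.43.60[500] to 192.168.92.2[500] (256 bytes)
Nov 18 02:10:01 myhost charon[22748]: 07[IKE] received proposals inacceptable
Nov 18 02:10:02 myhost charon[22748]: 07[NET] received packet: from 196.52.43.60[500] to 192.168.92.2[500] (256 bytes)
Nov 18 02:10:02 myhost charon[22748]: 07[IKE] received proposals inacceptable
Nov 18 02:10:03 myhost charon[22748]: 09[NET] received packet: from 196.52.43.60[500] to 192.168.92.2[500] (256 bytes)
Nov 18 02:10:03 myhost charon[22748]: 09[IKE] received proposals inacceptable
Nov 18 02:11:00 myhost charon[22748]: 07[NET] received packet: from 92.53.47.72[4500] to 192.168.92.2[4500] (364 bytes)
Nov 18 02:11:00 myhost charon[22748]: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    print("ban:", ban_candidates(SAMPLE_LOG.splitlines()))
```

Feed it `journalctl -u strongswan --no-pager` or the charon-systemd filelog from the earlier thread. The thread-number join is only valid within one packet's processing, which is why the map is overwritten on every "received packet" line rather than accumulated.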

[strongSwan] Windows Client to Linux server question

2017-04-13 Thread bls s
I had a problem enabling a Windows client to access strongSwan 5.5.1 on 
OpenSUSE 42.2. I was able get it working, but I'd like to understand why the 
workaround I identified was required. Appreciate your thoughts on this.

I first got iOS phone connecting to it, which was the primary driver for 
installing strongSwan. Next on the list was Windows 10-1703 (Latest).

Updated ipsec.conf, created the certs and keys (script at end of message) and 
ipsec reload, copied the relevant bits to the Windows system and installed them 
via certmgr into the correct cert stores. When Windows tried to connect, it had 
a generic error. strongSwan said:

 Apr 12 19:27:09 host charon[5115]: 07[CFG] no IDr configured, fall back on IP 
address
 Apr 12 19:27:09 host charon[5115]: 07[IKE] no private key found for 
'192.168.x.x'
 Apr 12 19:27:09 host charon[5115]: 07[ENC] generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]

This was true whether I tried from on the same LAN or from outside the firewall.
After a bit of head-scratching, I added the server's internal IP address to the 
VPN host cert by adding "--san 192.168.x.x" (when creating vpnHostCert.pem):

ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
    ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=host.domain.xxx" --san host.domain.xxx --san 192.168.x.x \
        --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

That fixed the problem, which is great, but based on everything I read, I 
shouldn't have needed to do that. The relevant log output now is:
 Apr 12 19:31:23 host charon[5528]: 15[CFG] no IDr configured, fall back on IP 
address
 Apr 12 19:31:23 host charon[5528]: 15[IKE] authentication of '192.168.x.x' 
(myself) with RSA signature successful
 Apr 12 19:31:23 host charon[5528]: 15[IKE] IKE_SA IPSec-IKEV2[1] established 
between 192.168.x.x[192.168.x.x]...192.168.x.9[C=CH, O=strongSwan, 
CN=myem...@domain.xxx]

What other alternatives are there to make this work without adding the IP 
address? (aka the correct way)
Thanks
Network: Internet <---> Router (ports 500 and 4500 forwarded) <---> Linux 
system (192.168.x.x)
ipsec.conf
--
config setup
    strictcrlpolicy=no
    uniqueids=no
    #nat_traversal=yes

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=200s
    fragmentation=yes
    rekey=no
    left=%any
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=192.168.x.x,8.8.8.8
    rightsourceip=10.92.10.1/24

conn iOS-IKEV2
    keyexchange=ikev2
    auto=add
    mobike=yes
    eap_identity=%any
    leftauth=psk
    leftid=xxx.domain.ipsec.server
    leftfirewall=yes
    rightauth=eap-mschapv2
    rightid=xxxt.domain.ipsec.client

conn IPSec-IKEV2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEV2-EAP
    also=IPSec-IKEV2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    mobike=yes
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    leftid=host.domain.xxx
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

Key and Cert creation
-
#!/bin/bash
# Create the CA, the VPN host cert and a Windows client cert with the strongSwan pki tool.
# This is based on
# https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
# Run from the ipsec.d directory; private/, cacerts/ and certs/ must already exist.
set -e

# CA private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
chmod 600 private/strongswanKey.pem

# Self-signed root CA cert
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa \
    --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem
ipsec pki --print --in cacerts/strongswanCert.pem

# VPN host key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem

# VPN host cert; the SANs cover every identity the gateway presents
# (host name, and here also the internal IP, see above)
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
    ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=host.domain.xxx" --san host.domain.xxx --san 192.168.x.x \
        --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem
ipsec pki --print --in certs/vpnHostCert.pem

# Client key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/windowsKey.pem
chmod 600 private/windowsKey.pem

# Client cert (written under the same name the PKCS#12 export below reads)
ipsec pki --pub --in private/windowsKey.pem --type rsa | \
    ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=myem...@domain.xxx" --san myem...@domain.xxx \
        --outform pem > certs/windowsCert.pem

# Export client cert, its key and the CA cert as a PKCS#12 file for import on Windows
openssl pkcs12 -export -inkey private/windowsKey.pem \
    -in certs/windowsCert.pem -name "windows VPN Certificate" \
    -certfile cacerts/strongswanCert.pem \
    -caname "strongSwan Root CA" \
    -out windows.p12
chmod 600 windows.p12


___
Users mailing list
Users@lists.strongswan.org