[strongSwan] Testing

2016-10-28 Thread Andreas Steffen

Testing the availability of the strongSwan mailing list server.
Please disregard

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Testing ISAKMP datagrams (unanswered ARP requests)

2013-02-08 Thread strongswan

Hello list,

On Wed., Feb. 06, 2013, strongs...@encambio.com wrote:
On Tues., Feb. 06, 2013, Andreas Steffen wrote:
On 02/05/2013 10:45 PM, strongs...@encambio.com wrote:
 My goal is building an IPv4 IPSec tunnel using IKEv1.
 
   Ubuntu 12.10 GNU/Linux AMD64
   Strongswan 4.5.2
 
If you change the setting in ipsec.conf to auto=start then

  ipsec start

will cause pluto to automatically negotiate the here connection
and with auto=route

  ipsec start

will install a trap in the kernel and the first IP payload packet
in direction to rightsubnet=192.168.1.0/24 will trigger
the IKE negotiation.

Seems this feature is buggy on my platform. While auto=add and later
ipsec up conn correctly sets up the tunnel, auto=route and ping
host-in-rightsubnet causes some pluto(8) activity (writes to log)
but in the end traffic is not forwarded.

Excellent answer, thank you. Finally pluto is encapsulating IP and
sending it to the 'right' place, but there's a new problem:

[...]

  192.168.1.1$ tcpdump -i lan  # the racoon computer's LAN subnet
  18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 7], length 0
  18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46

PROBLEM

solved... The racoon(8) server was giving out %modeconfig IPs in
its own LAN space, causing other LAN attached hosts to query the
interface for ARP values assuming that the IPSec connected host
was participating in the same LAN segment.

SOLUTION

Set the IP described by %modeconfig to not be inside the foreign
LAN subnet.

Regards,
Michael



Re: [strongSwan] Testing ISAKMP datagrams (unanswered ARP requests)

2013-02-06 Thread strongswan

Hi Andreas,

On Tues., Feb. 06, 2013, Andreas Steffen wrote:
On 02/05/2013 10:45 PM, strongs...@encambio.com wrote:
 My goal is building an IPv4 IPSec tunnel using IKEv1.
 
   Ubuntu 12.10 GNU/Linux AMD64
   Strongswan 4.5.2
 
If you change the setting in ipsec.conf to auto=start then

  ipsec start

will cause pluto to automatically negotiate the here connection
and with auto=route

  ipsec start

will install a trap in the kernel and the first IP payload packet
in direction to rightsubnet=192.168.1.0/24 will trigger
the IKE negotiation.

Excellent answer, thank you. Finally pluto is encapsulating IP and
sending it to the 'right' place, but there's a new problem:

  # the host running pluto(8) connects to a remote LAN host over VPN
  192.168.0.22$ telnet 192.168.1.88 80

  192.168.0.1$ tcpdump -i wan  # the pluto's default router computer
  18:22:32.575725 IP 192.168.0.22.4500 > 12.34.56.78.4500: UDP-encap: ESP(spi=0xdeadbeef,seq=0x1), length 100

  12.34.56.78$ tcpdump -i wan  # the racoon's default router computer
  18:22:32.604422 IP [pluto's wan-public-address] > 12.34.56.78: ESP(spi=0xdeadbeef,seq=0x1), length 100

  192.168.1.1$ tcpdump -i lan  # the racoon computer's LAN subnet
  18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 7], length 0
  18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46

If I telnet in the opposite direction the same unanswered
ARP broadcasts appear.

PROBLEM

So it seems that either pluto(8) is not correctly describing its
origin IP in the ESP headers or racoon(8) is not parsing this
information?

The computer running racoon(8) is pfsense, and it clearly labels
all IPSec tunnels with the incoming IP except for this case it is
empty. This case is different because of NAT and using pluto(8)
instead of racoon(8).

 config 

/etc/strongswan.conf:
  pluto {
  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
  }

  libstrongswan {
  dh_exponent_ansi_x9_42 = no
  }

/etc/ipsec.conf:
  config setup
  charonstart=no
  plutostart=yes

  conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret

  conn here
  left=%defaultroute  # 192.168.0.22
  leftsourceip=%modeconfig  # 192.168.1.55
  right=12.34.56.78
  rightsubnet=192.168.1.0/24
  auto=start

/etc/ipsec.secrets:
  12.34.56.78 : PSK 

Any idea where the problem lies that ends with the ARP broadcast?

Regards,
Michael



[strongSwan] Testing the easiest config to send ISAKMP datagrams

2013-02-05 Thread strongswan

Hello list,

My goal is building an IPv4 IPSec tunnel using IKEv1.

  Ubuntu 12.10 GNU/Linux AMD64
  Strongswan 4.5.2

/etc/strongswan.conf:
  pluto {
  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
  }

  libstrongswan {
  dh_exponent_ansi_x9_42 = no
  }

/etc/ipsec.conf:
  config setup
  plutodebug=all
  charonstart=no
  plutostart=yes

  conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret

  conn here
  left=192.168.0.22
  right=12.34.56.78
  rightsubnet=192.168.1.0/24
  auto=add

/etc/ipsec.secrets:
  12.34.56.78 : PSK 

It would seem that the above config should suffice to at least send
UDP packets to host 12.34.56.78 ports 500 or 4500, but...

  192.168.0.22# /etc/init.d/ipsec start

  192.168.0.22# ps aux | grep pluto
  root3662 ... 18:08 /usr/lib/ipsec/pluto --nofork --uniqueids --debug-all

  192.168.0.22# /usr/lib/ipsec/whack --status
  000 here: 192.168.0.22[192.168.0.22]...12.34.56.78[12.34.56.78]===192.168.1.0/24; unrouted; eroute owner; #0
  000 here:newest ISAKMP SA: #0; newest IPsec SA: #0;
  000

...when I run tcpdump(1) and socat(1) to test, it's clear that pluto
is not sending anything at all.

  12.34.56.78# socat UDP4-LISTEN:500,bind=12.34.56.77 -
  12.34.56.78# socat UDP4-LISTEN:4500,bind=12.34.56.77 -
  (nothing...)

  12.34.56.78# tcpdump -i eth0 port 500 or port 4500
  192.168.0.22# tcpdump -i eth0 port 500 or port 4500
  (nothing...)

Even after logging plutodebug=all I see no errors in /var/log/auth.log.
What do I need to change to make pluto(8) send IKE UDP datagrams?

Thanks,
Michael

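The two pitfalls in this thread (a conn left at auto=add, which is loaded but never initiated by ipsec start, and a ModeConfig virtual IP handed out from inside the remote rightsubnet, which makes the LAN hosts there ARP for it) can be caught with a small config check. This is an added Python example, not code from the thread or from the strongSwan project; the ipsec.conf text and the 192.168.1.55 virtual IP are constructed from the thread's configuration, and the overlap check assumes the assigned virtual IP is already known (for instance from the pluto log).

```python
import ipaddress
import re

# Constructed ipsec.conf text modelled on the thread's conn "here" (not the poster's own file)
SAMPLE_IPSEC_CONF = """\
config setup
  plutostart=yes

conn here
  left=%defaultroute
  leftsourceip=%modeconfig
  right=12.34.56.78
  rightsubnet=192.168.1.0/24
  auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section; '#' comments are stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header; only 'conn <name>' sections are kept
            m = re.match(r"(config|conn)\s+(\S+)", line)
            current = conns.setdefault(m.group(2), {}) if m and m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def virtual_ip_overlaps(assigned_ip, conn):
    """True if the ModeConfig-assigned virtual IP falls inside any rightsubnet of this conn."""
    ip = ipaddress.ip_address(assigned_ip)
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in conn.get("rightsubnet", "").split(",") if s.strip()]
    return any(ip in net for net in nets)

def lint(text, assigned_ips):
    """assigned_ips maps conn name -> virtual IP observed after ModeConfig; returns findings."""
    findings = []
    for name, conn in parse_conns(text).items():
        if conn.get("auto", "ignore") == "add":
            findings.append(f"{name}: auto=add only loads the conn; use auto=start or auto=route")
        ip = assigned_ips.get(name)
        if ip and virtual_ip_overlaps(ip, conn):
            findings.append(f"{name}: virtual IP {ip} lies inside rightsubnet {conn['rightsubnet']}; "
                            "remote LAN hosts will ARP for it instead of sending via the gateway")
    return findings
```

Calling lint(SAMPLE_IPSEC_CONF, {"here": "192.168.1.55"}) reproduces both findings from the thread; moving the virtual IP outside 192.168.1.0/24 and switching to auto=route clears them.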


Re: [strongSwan] Testing Carol to Alice in IKEV2 RSA RW scenario

2012-08-18 Thread Richard Andrews
Sounds feasible with some simple routes. Where does strongswan come into
the picture? You haven't described any tunnels in your setup.


On 17/08/12 22:58, Gia T. Nguyen wrote:
 Hi,

 I'm wondering if this is feasible.  I am trying to set up a portable
 StrongSwan demo
 environment using the IKEV2 RSA RW scenario.

 I have 2 Androids serving as Carol and Dave, and one laptop serving as the
 Moon StrongSwan GW.

 The laptop (Moon) is talking to the Android phones via WiFi on its wlan0
 interface.

 Now, I'd like to also connect Moon via its eth0 interface to an internal
 LAN, with a second laptop on the LAN serving as Alice.

 Scenario:
 
 Moon's wlan0 is on subnet 192.186.1.0/16.
 Carol and Dave (the Androids) are on subnet 192.168.1.0/16 via WiFi.

 Moon's eth0 is on subnet 192.168.0.0/16.
 Alice (the 2nd laptop) is on 192.168.0.0/16.

 I'd like to be able to ping from Carol (the Android) to Alice via Moon.
 Is it possible to bridge Moon's wlan0 to its eth0?

 Any advice would be appreciated.  Thank you.

 Best Regards,
 Gia Nguyen







[strongSwan] Testing Carol to Alice in IKEV2 RSA RW scenario

2012-08-17 Thread Gia T. Nguyen
Hi,

I'm wondering if this is feasible.  I am trying to set up a portable
StrongSwan demo
environment using the IKEV2 RSA RW scenario.

I have 2 Androids serving as Carol and Dave, and one laptop serving as the
Moon StrongSwan GW.

The laptop (Moon) is talking to the Android phones via WiFi on its wlan0
interface.

Now, I'd like to also connect Moon via its eth0 interface to an internal
LAN, with a second laptop on the LAN serving as Alice.

Scenario:

Moon's wlan0 is on subnet 192.186.1.0/16.
Carol and Dave (the Androids) are on subnet 192.168.1.0/16 via WiFi.

Moon's eth0 is on subnet 192.168.0.0/16.
Alice (the 2nd laptop) is on 192.168.0.0/16.

I'd like to be able to ping from Carol (the Android) to Alice via Moon.
Is it possible to bridge Moon's wlan0 to its eth0?

Any advice would be appreciated.  Thank you.

Best Regards,
Gia Nguyen


