[strongSwan] Testing
Testing the availability of the strongSwan mailing list server. Please disregard.

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

smime.p7s: S/MIME Cryptographic Signature

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Testing ISAKMP datagrams (unanswered ARP requests)
Hello list,

On Wed., Feb. 06, 2013, strongs...@encambio.com schrieb:
> On Tues., Feb. 06, 2013, Andreas Steffen wrote:
>> On 02/05/2013 10:45 PM, strongs...@encambio.com wrote:
>>> My goal is building an IPv4 IPSec tunnel using IKEv1.
>>>
>>> Ubuntu 12.10 GNU/Linux AMD64
>>> Strongswan 4.5.2
>>
>> If you change the setting in ipsec.conf to auto=start then ipsec start will cause pluto to automatically negotiate the here connection and with auto=route ipsec start will install a trap in the kernel and the first IP payload packet in direction to rightsubnet=192.168.1.0/24 will trigger the IKE negotiation.

Seems this feature is buggy on my platform. While auto=add and later ipsec up conn correctly sets up the tunnel, auto=route and ping host-in-rightsubnet causes some pluto(8) activity (writes to log) but in the end traffic is not forwarded.

> Excellent answer, thank you. Finally pluto is encapsulating IP and sending it to the 'right' place, but there's a new problem:
>
> [...]
>
> 192.168.1.1$ tcpdump -i lan # the racoon computer's LAN subnet
> 18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 7], length 0
> 18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46

PROBLEM solved...

The racoon(8) server was giving out %modeconfig IPs in its own LAN space, causing other LAN attached hosts to query the interface for ARP values assuming that the IPSec connected host was participating in the same LAN segment.

SOLUTION

Set the IP described by %modeconfig to not be inside the foreign LAN subnet.

Regards,
Michael
Re: [strongSwan] Testing ISAKMP datagrams (unanswered ARP requests)
Hi Andreas,

On Tues., Feb. 06, 2013, Andreas Steffen wrote:
> On 02/05/2013 10:45 PM, strongs...@encambio.com wrote:
>> My goal is building an IPv4 IPSec tunnel using IKEv1.
>>
>> Ubuntu 12.10 GNU/Linux AMD64
>> Strongswan 4.5.2
>
> If you change the setting in ipsec.conf to auto=start then ipsec start will cause pluto to automatically negotiate the here connection and with auto=route ipsec start will install a trap in the kernel and the first IP payload packet in direction to rightsubnet=192.168.1.0/24 will trigger the IKE negotiation.

Excellent answer, thank you. Finally pluto is encapsulating IP and sending it to the 'right' place, but there's a new problem:

# the host running pluto(8) connects to a remote LAN host over VPN
192.168.0.22$ telnet 192.168.1.88 80

192.168.0.1$ tcpdump -i wan # the pluto's default router computer
18:22:32.575725 IP 192.168.0.22.4500 > 12.34.56.78.4500: UDP-encap: ESP(spi=0xdeadbeef,seq=0x1), length 100

12.34.56.78$ tcpdump -i wan # the racoon's default router computer
18:22:32.604422 IP [pluto's wan-public-address] > 12.34.56.78: ESP(spi=0xdeadbeef,seq=0x1), length 100

192.168.1.1$ tcpdump -i lan # the racoon computer's LAN subnet
18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 7], length 0
18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46

If I telnet in the opposite direction the same unanswered ARP broadcasts appear.

PROBLEM

So it seems that either pluto(8) is not correctly describing its origin IP in the ESP headers or racoon(8) is not parsing this information? The computer running racoon(8) is pfSense, and it clearly labels all IPSec tunnels with the incoming IP except for this case it is empty. This case is different because of NAT and using pluto(8) instead of racoon(8).

CONFIG

/etc/strongswan.conf:
pluto {
    load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
libstrongswan {
    dh_exponent_ansi_x9_42 = no
}

/etc/ipsec.conf:
config setup
    charonstart=no
    plutostart=yes
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
conn here
    left=%defaultroute          # 192.168.0.22
    leftsourceip=%modeconfig    # 192.168.1.55
    right=12.34.56.78
    rightsubnet=192.168.1.0/24
    auto=start

/etc/ipsec.secrets:
12.34.56.78 : PSK

Any idea where the problem lies that ends with the ARP broadcast?

Regards,
Michael
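The overlap that produced the unanswered ARP requests in the message above, and that the later reply in this thread resolved (a %modeconfig virtual IP handed out from inside the peer's own LAN, 192.168.1.0/24), can be caught before a tunnel goes live. The following is an added example, not code from this thread or from strongSwan: it parses a small ipsec.conf-style fragment and a few tcpdump lines, both constructed here after the ones posted, and flags a virtual IP that falls inside rightsubnet together with any ARP request for that address that never gets a reply on the peer LAN. Because leftsourceip=%modeconfig is only resolved during the exchange, the example reads the assigned address from a trailing '#' comment on that line; that convention, and the inline comments themselves, are this example's assumption, not strongSwan syntax.

```python
"""Added example: detect a %modeconfig virtual IP that overlaps the peer's
rightsubnet, the misconfiguration behind the unanswered ARP requests in
this thread.  Not strongSwan code; all input below is constructed."""
import ipaddress
import re

# Constructed ipsec.conf fragment modelled on the one posted in the thread.
# The address in the trailing comment after leftsourceip stands in for the
# virtual IP the peer actually assigned (assumption of this example).
IPSEC_CONF = """\
config setup
    charonstart=no
    plutostart=yes
conn %default
    keyexchange=ikev1
    authby=secret
conn here
    left=%defaultroute          # 192.168.0.22
    leftsourceip=%modeconfig    # 192.168.1.55
    right=12.34.56.78
    rightsubnet=192.168.1.0/24
    auto=start
"""

# Constructed tcpdump lines in the shape of those captured on the peer LAN.
TCPDUMP_LAN = """\
18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, length 0
18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46
18:22:33.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.88, length 46
18:22:33.200000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: (value, comment)}} for each conn section.
    Text after '#' on a line is kept as the comment; strongSwan itself
    does not interpret it."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None          # 'config setup' is not a conn
        elif current is not None and "=" in line:
            body, _, comment = line.partition("#")
            key, _, value = body.partition("=")
            conns[current][key.strip()] = (value.strip(), comment.strip())
    return conns


def virtual_ip_overlaps(conn):
    """True if the virtual IP noted for leftsourceip lies inside rightsubnet.
    With leftsourceip=%modeconfig the address is taken from the comment,
    since the real value is only known after the exchange."""
    src, src_comment = conn.get("leftsourceip", ("", ""))
    vip = src_comment if src == "%modeconfig" else src
    subnet, _ = conn.get("rightsubnet", ("", ""))
    if not vip or not subnet:
        return False
    return ipaddress.ip_address(vip) in ipaddress.ip_network(subnet, strict=False)


ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell ([^,\s]+)")
ARP_REPLY = re.compile(r"ARP, Reply ([^,\s]+) is-at")


def unanswered_arp_for(lines, addrs):
    """Return (who-has, tell) pairs for ARP requests targeting any address in
    `addrs` that never receive a reply in `lines`: the symptom on the peer LAN."""
    addrs = {str(ipaddress.ip_address(a)) for a in addrs}
    replies = {m.group(1) for m in ARP_REPLY.finditer(lines)}
    return [(who, tell) for who, tell in ARP_REQ.findall(lines)
            if who in addrs and who not in replies]


def diagnose(conf_text, tcpdump_text):
    """Run both checks for every conn; returns (conn, vip, subnet, n_unanswered)."""
    findings = []
    for name, conn in parse_ipsec_conf(conf_text).items():
        if virtual_ip_overlaps(conn):
            vip = conn["leftsourceip"][1]
            arps = unanswered_arp_for(tcpdump_text, [vip])
            findings.append((name, vip, conn["rightsubnet"][0], len(arps)))
    return findings


if __name__ == "__main__":
    for name, vip, subnet, n in diagnose(IPSEC_CONF, TCPDUMP_LAN):
        print(f"conn {name}: virtual IP {vip} is inside rightsubnet {subnet}; "
              f"{n} unanswered ARP request(s) for it on the peer LAN")
```

Run as a script it prints one line per offending conn. The same check applies to any road-warrior address pool: an address the responder hands out must not lie inside a subnet that hosts on either side reach directly, otherwise those hosts ARP for it on the wire instead of routing it into the tunnel.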
[strongSwan] Testing the easiest config to send ISAKMP datagrams
Hello list,

My goal is building an IPv4 IPSec tunnel using IKEv1.

Ubuntu 12.10 GNU/Linux AMD64
Strongswan 4.5.2

/etc/strongswan.conf:
pluto {
    load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
libstrongswan {
    dh_exponent_ansi_x9_42 = no
}

/etc/ipsec.conf:
config setup
    plutodebug=all
    charonstart=no
    plutostart=yes
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
conn here
    left=192.168.0.22
    right=12.34.56.78
    rightsubnet=192.168.1.0/24
    auto=add

/etc/ipsec.secrets:
12.34.56.78 : PSK

It would seem that the above config should suffice to at least send UDP packets to host 12.34.56.78 ports 500 or 4500, but...

192.168.0.22# /etc/init.d/ipsec start
192.168.0.22# ps aux | grep pluto
root      3662 ... 18:08 /usr/lib/ipsec/pluto --nofork --uniqueids --debug-all
192.168.0.22# /usr/lib/ipsec/whack --status
000 here: 192.168.0.22[192.168.0.22]...12.34.56.78[12.34.56.78]===192.168.1.0/24; unrouted; eroute owner; #0
000 here:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000

...when I run tcpdump(1) and socat(1) to test, it's clear that pluto is not sending anything at all.

12.34.56.78# socat UDP4-LISTEN:500,bind=12.34.56.77 -
12.34.56.78# socat UDP4-LISTEN:4500,bind=12.34.56.77 -
(nothing...)

12.34.56.78# tcpdump -i eth0 port 500 or port 4500
192.168.0.22# tcpdump -i eth0 port 500 or port 4500
(nothing...)

Even after logging plutodebug=all I see no errors in /var/log/auth.log. What do I need to change to make pluto(8) send IKE UDP datagrams?

Thanks,
Michael
Re: [strongSwan] Testing Carol to Alice in IKEV2 RSA RW scenario
Sounds feasible with some simple routes. Where does strongswan come into the picture? You haven't described any tunnels in your setup.

On 17/08/12 22:58, Gia T. Nguyen wrote:
> Hi,
>
> I'm wondering if this is feasible. I am trying to set up a portable StrongSwan demo environment using the IKEV2 RSA RW scenario. I have 2 Androids serving as Carol and Dave, and one laptop serving as the Moon StrongSwan GW. The laptop (Moon) is talking to the Android phones via WiFi on its wlan0 interface. Now, I'd like to also connect Moon via its eth0 interface to an internal LAN, with a second laptop on the LAN serving as Alice.
>
> Scenario:
> Moon's wlan0 is on subnet 192.186.1.0/16.
> Carol and Dave (the Androids) are on subnet 192.168.1.0/16 via WiFi.
> Moon's eth0 is on subnet 192.168.0.0/16.
> Alice (the 2nd laptop) is on 192.168.0.0/16.
>
> I'd like to be able to ping from Carol (the Android) to Alice via Moon. Is it possible to bridge Moon's wlan0 to its eth0?
>
> Any advice would be appreciated. Thank you.
>
> Best Regards,
> Gia Nguyen
[strongSwan] Testing Carol to Alice in IKEV2 RSA RW scenario
Hi,

I'm wondering if this is feasible. I am trying to set up a portable StrongSwan demo environment using the IKEV2 RSA RW scenario. I have 2 Androids serving as Carol and Dave, and one laptop serving as the Moon StrongSwan GW. The laptop (Moon) is talking to the Android phones via WiFi on its wlan0 interface. Now, I'd like to also connect Moon via its eth0 interface to an internal LAN, with a second laptop on the LAN serving as Alice.

Scenario:
Moon's wlan0 is on subnet 192.186.1.0/16.
Carol and Dave (the Androids) are on subnet 192.168.1.0/16 via WiFi.
Moon's eth0 is on subnet 192.168.0.0/16.
Alice (the 2nd laptop) is on 192.168.0.0/16.

I'd like to be able to ping from Carol (the Android) to Alice via Moon. Is it possible to bridge Moon's wlan0 to its eth0?

Any advice would be appreciated. Thank you.

Best Regards,
Gia Nguyen