Re: [strongSwan] xAuth request for VICI
>> 1) Is there an alternative for 'leftfirewall=yes' in the VICI interface to
>> automatically set up iptables rules?
>
> There is no option for the default updown script, but you may manually
> specify ipsec _updown in the CHILD_SA updown configuration option.

Actually, the command equivalent to `leftfirewall=yes` is `ipsec _updown iptables`.

Regards,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] xAuth request for VICI
Hi Sam,

> 1) Is there an alternative for 'leftfirewall=yes' in the VICI interface to
> automatically set up iptables rules?

There is no option for the default updown script, but you may manually
specify ipsec _updown in the CHILD_SA updown configuration option.

> 2) What is the syntax for loading a secret in via VICI? My current format
> ( `load_shared({'type': 'xauth', 'data': 'test : XAUTH test'})` ) says it
> loads successfully but does not authenticate.

data takes the raw secret string (test) only. The type is defined with the
type keyword, and associated identities in an owners list of identity
strings.

Regards
Martin
Re: [strongSwan] xAuth request for VICI
Ok, thanks for the information. Two final (quick) questions:

1) Is there an alternative for 'leftfirewall=yes' in the VICI interface to
automatically set up iptables rules?

2) What is the syntax for loading a secret in via VICI? My current format
( `load_shared({'type': 'xauth', 'data': 'test : XAUTH test'})` ) says it
loads successfully but does not authenticate.

Thank you for your help getting this set up.

Best,
Sam

On Fri, Feb 27, 2015 at 4:19 AM, Martin Willi mar...@strongswan.org wrote:
> Hi,
>
>> Your fix to use the ordered dictionary worked perfectly. Thank you very
>> much. It is now accepting vpn connections.
>
> Great. I'll check how we can mention that issue in the documentation.
>
>> Regarding the `vips` configuration, I thought that it was the
>> replacement for the `rightsourceip` option in ipsec.conf (obviously I
>> misinterpreted the documentation).
>
> No, the rightsourceip option is separated in swanctl.conf/vici to the
> pools and vips options for servers and clients, respectively.
>
>> It does work when I create a pool as you specified, but if I want to
>> give each connection a static pre-determined ip is there any way to do
>> that other than creating a pool for each connection?
>
> No, currently there is no way to directly specify an address with the
> pools option. You have to use dedicated pools, or use a pool backend that
> supports static leases (attr-sql).
>
> Regards
> Martin
Re: [strongSwan] xAuth request for VICI
Hi,

> Your fix to use the ordered dictionary worked perfectly. Thank you very
> much. It is now accepting vpn connections.

Great. I'll check how we can mention that issue in the documentation.

> Regarding the `vips` configuration, I thought that it was the
> replacement for the `rightsourceip` option in ipsec.conf (obviously I
> misinterpreted the documentation).

No, the rightsourceip option is separated in swanctl.conf/vici to the
pools and vips options for servers and clients, respectively.

> It does work when I create a pool as you specified, but if I want to
> give each connection a static pre-determined ip is there any way to do
> that other than creating a pool for each connection?

No, currently there is no way to directly specify an address with the
pools option. You have to use dedicated pools, or use a pool backend that
supports static leases (attr-sql).

Regards
Martin
Re: [strongSwan] xAuth request for VICI
Sam,

> test: remote: uses XAuth authentication: any
> test: remote: [C=US, O=xx, CN=test] uses public key authentication

The order of remote authentication rounds is wrong; XAuth follows public
key, not vice-versa. As your config tree looks correct, most likely the
order of authentication rounds gets swapped. The order must be preserved
in your dictionary to make that work.

Are you using the Python library? I think ruby gets this right, as it is
guaranteed that Hashes enumerate their values in the order that the
corresponding keys were inserted. Probably not true for Python.

Regards
Martin
Re: [strongSwan] xAuth request for VICI
> Are you using the Python library? I think ruby gets this right, as it is
> guaranteed that Hashes enumerate their values in the order that the
> corresponding keys were inserted. Probably not true for Python.

Maybe using collections.OrderedDict to define your tree helps.

Regards
Martin
Re: [strongSwan] xAuth request for VICI
Hello Martin,

Your fix to use the ordered dictionary worked perfectly. Thank you very
much. It is now accepting vpn connections.

Regarding the `vips` configuration, I thought that it was the replacement
for the `rightsourceip` option in ipsec.conf (obviously I misinterpreted
the documentation). It does work when I create a pool as you specified,
but if I want to give each connection a static pre-determined ip is there
any way to do that other than creating a pool for each connection?

Best,
Sam

On Thu, Feb 26, 2015 at 4:32 AM, Martin Willi mar...@strongswan.org wrote:
>> Are you using the Python library? I think ruby gets this right, as it is
>> guaranteed that Hashes enumerate their values in the order that the
>> corresponding keys were inserted. Probably not true for Python.
>
> Maybe using collections.OrderedDict to define your tree helps.
>
> Regards
> Martin
Re: [strongSwan] xAuth request for VICI
I have not tested the configuration in swanctl.conf yet, but my goal is to
move away from configuration files so I can dynamically add/remove
connections remotely. I will add it in to see if perhaps my dictionary has
a syntax issue.

The output of `ipsec statusall`:

    test: %any...%any IKEv1/2
    test: local: [x.amazonaws.com] uses public key authentication
    test: cert: C=US, O=x, CN=xx.amazonaws.com
    test: remote: uses XAuth authentication: any
    test: remote: [C=US, O=xx, CN=test] uses public key authentication
    test: child: 31.13.69.80/32 === dynamic TUNNEL

I have loaded in the serverCert/key and caCert/key using the vici commands
as well. All returned a successful completion message and are listed in
`ipsec listcerts`. Additionally I loaded in a value for the xAuth
connection.

Best,
Sam

On Wed, Feb 25, 2015 at 11:49 AM, Martin Willi mar...@strongswan.org wrote:
> Hi,
>
>> I have attempted to create the same configuration using a call to the
>> VICI with this dictionary:
>
> Have you tried to configure that in swanctl.conf to avoid any problems
> with your dictionary? Here such an XAuth configuration works fine when
> defined in swanctl.conf.
>
>> This keeps returning this error: `1 config found, none that allow
>> xAuthInitRSA using MainMode`
>
> Not sure what exactly goes on. Can you confirm that the connection has
> been successfully loaded. What's the output of ipsec statusall (or
> swanctl --list-conns)?
>
>> 'vips' : ['10.0.0.5'],
>
> This is probably not what you want, vips requests a virtual IP. Use the
> pools keyword and the appropriate pools section to define virtual IP
> pools, refer to swanctl.conf(5) for details. This is probably not the
> root cause of your issue, though.
>
> Regards
> Martin
Re: [strongSwan] xAuth request for VICI
Hi,

> I have attempted to create the same configuration using a call to the
> VICI with this dictionary:

Have you tried to configure that in swanctl.conf to avoid any problems
with your dictionary? Here such an XAuth configuration works fine when
defined in swanctl.conf.

> This keeps returning this error: `1 config found, none that allow
> xAuthInitRSA using MainMode`

Not sure what exactly goes on. Can you confirm that the connection has
been successfully loaded. What's the output of ipsec statusall (or
swanctl --list-conns)?

> 'vips' : ['10.0.0.5'],

This is probably not what you want, vips requests a virtual IP. Use the
pools keyword and the appropriate pools section to define virtual IP
pools, refer to swanctl.conf(5) for details. This is probably not the
root cause of your issue, though.

Regards
Martin
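The points raised across this thread (remote auth rounds must keep their order, XAuth after pubkey; servers use `pools` rather than `vips`; `load_shared` takes the raw secret plus an `owners` list; `ipsec _updown iptables` replaces `leftfirewall=yes`) combined into one Python example. This is added illustration, not code from the thread or from the strongSwan project; the connection name "test", pool name, certificate file name, identity and password are constructed placeholders.

```python
from collections import OrderedDict


def build_conn(name="test", pool="xauth-pool"):
    """VICI load-conn tree for an IKEv1 XAuth-with-RSA server.

    Insertion order is the round order: the remote public-key round must
    precede the remote XAuth round (OrderedDict keeps that order even on
    Python versions whose plain dict does not).
    """
    conn = OrderedDict()
    conn["version"] = "1"                  # XAuth is IKEv1 only
    conn["local_addrs"] = ["%any"]
    conn["remote_addrs"] = ["%any"]
    conn["pools"] = [pool]                 # server hands out IPs: pools, not vips
    conn["local"] = OrderedDict([("auth", "pubkey"),
                                 ("certs", ["serverCert.pem"]),  # placeholder
                                 ("id", "vpn.example.com")])     # placeholder
    conn["remote"] = OrderedDict([("auth", "pubkey")])           # round 1
    conn["remote-xauth"] = OrderedDict([("auth", "xauth")])      # round 2
    conn["children"] = OrderedDict([("net", OrderedDict([
        ("local_ts", ["0.0.0.0/0"]),
        ("updown", "ipsec _updown iptables")]))])  # = leftfirewall=yes
    return OrderedDict([(name, conn)])


def remote_round_order(tree):
    """List the 'auth' of each remote* round section in message order."""
    conn = next(iter(tree.values()))
    return [sec["auth"] for key, sec in conn.items()
            if key.startswith("remote") and isinstance(sec, dict)]


def xauth_after_pubkey(tree):
    """Sanity check before loading: every XAuth round follows a pubkey round."""
    order = remote_round_order(tree)
    return "pubkey" in order and all(
        order.index("pubkey") < i for i, a in enumerate(order) if a == "xauth")


def build_xauth_secret(user, password):
    """load-shared message: 'data' is the raw secret, 'owners' the XAuth IDs."""
    return {"type": "XAUTH", "data": password, "owners": [user]}


def build_pool(name="xauth-pool", subnet="10.0.0.0/24"):
    """load-pool message backing the 'pools' reference in build_conn()."""
    return {name: {"addrs": subnet}}
```

The three trees can be passed as-is to `vici.Session().load_pool()`, `load_conn()` and `load_shared()` against a running charon; run `xauth_after_pubkey()` first to catch the swapped-round mistake that produced "none that allow xAuthInitRSA using MainMode" in this thread.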