Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Colony.three via Shorewall-users
> Hm, I am not seeing any evidence that the daemon is picking up my
> /etc/strongswan/strongswan.d/bills-strongswan.conf  nor
> /etc/strongswan/ipdec.d/bills-ipsec.conf .  But then, it's not noting yours 
> either, assuming you have your own ipsec.conf and strongswan.conf .
>
> These are my main configuration files.  In my case there's virtually nothing 
> in /etc/strongswan/strongswan.conf and /etc/strongswan/ipsec.conf .
>
> Not picking up my config files would explain the consistent error I'm getting 
> and why almost no one else seems to have this.
>
> I also see that you're using .der certs and keys.  I don't understand this 
> as, before you can pile the key and cert into a .p12 file (which is required 
> by the Android app), they must be in .pem format.  And even when I copy my 
> user's cert to the phone and import using the CACert interface, the cert ends 
> up in Imported, and not in User.
>
> I don't understand what's wrong.

Ok, now I am starting to get errors that make sense.

I have moved my strongswan.d/*.conf and ipsec.d/*.conf files (where they are 
SUPPOSED to be) to /etc/strongswan/strongswan.conf and ipsec.conf respectively. 
 Looks like the devs have not implemented these PROPER .d subdirs like they 
should have. (GDammit) That's a loss of confidence in them...

Now startup looks like this:

Dec 27 16:17:37 zeta strongswan: charon stopped after 200 ms
Dec 27 16:17:37 zeta strongswan: ipsec starter stopped
Dec 27 16:17:37 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Dec 27 16:17:37 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Dec 27 16:17:37 zeta strongswan: Starting strongSwan 5.5.3 IPsec [starter]...
Dec 27 16:17:37 zeta charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
Dec 27 16:17:37 zeta charon: 00[LIB] openssl FIPS mode(2) - enabled
Dec 27 16:17:38 zeta charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Dec 27 16:17:38 zeta charon: 00[CFG]   loaded ca certificate "C=US, O=QuantumEquities, CN=QuantumCA" from '/etc/strongswan/ipsec.d/cacerts/cacert.pem'
Dec 27 16:17:38 zeta charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 27 16:17:38 zeta charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 27 16:17:38 zeta charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 27 16:17:38 zeta charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 27 16:17:38 zeta charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 27 16:17:38 zeta charon: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/billsKey.pem'
Dec 27 16:17:38 zeta charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Dec 27 16:17:38 zeta charon: 00[JOB] spawning 16 worker threads
Dec 27 16:17:38 zeta strongswan: charon (32350) started after 40 ms
Dec 27 16:17:38 zeta charon: 05[CFG] received stroke: add connection 'ipv4'
Dec 27 16:17:38 zeta charon: 05[CFG] left nor right host is our side, assuming left=local
Dec 27 16:17:38 zeta charon: 05[CFG] adding virtual IP address pool 192.168.11.0/24
Dec 27 16:17:38 zeta charon: 05[CFG]   loaded certificate "C=US, O=Quantum, CN=cac...@quantum-equities.com" from 'billsCert.pem'
Dec 27 16:17:38 zeta charon: 05[CFG] added configuration 'ipv4'

NOW I can make some frickin' gol' damned SENSE out of this.  I'll resume tomorrow, when I am less drunk.

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Colony.three via Shorewall-users
>  Original Message 
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 27, 2017 3:51 PM
> UTC Time: December 27, 2017 11:51 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/27/2017 03:46 PM, Colony.three via Shorewall-users wrote:
>
>>>  Original Message ----
>>> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked
>>> (StrongSwan)
>>> Local Time: December 27, 2017 3:31 PM
>>> UTC Time: December 27, 2017 11:31 PM
>>> From: teas...@shorewall.net
>>> To: shorewall-users@lists.sourceforge.net
>>> On 12/27/2017 03:27 PM, Colony.three via Shorewall-users wrote:
>>>
>>> Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from
>>> '/etc/strongswan/ipsec.secrets'
>>> Dec 27 15:20:49 zeta charon: 00[LIB]   opening
>>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file
>>> or directory
>>> Dec 27 15:20:49 zeta charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
>>> failed, tried 4 builders
>>> Dec 27 15:20:49 zeta charon: 00[CFG]   loading private key from
>>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed
>>>
>>>
>>> The above messages certainly aren't good!
>>>
>>> -Tom
>>
>> Understand.  I was in the middle of something as noted in my prior
>> ().  Here it is again stabilized but still the same problem as all along:
>> Dec 27 15:38:59 zeta strongswan: ipsec starter stopped
>> Dec 27 15:39:02 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2
>> daemon using ipsec.conf.
>> Dec 27 15:39:02 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2
>> daemon using ipsec.conf...
>> Dec 27 15:39:02 zeta strongswan: Starting strongSwan 5.5.3 IPsec
>> [starter]...
>> Dec 27 15:39:02 zeta strongswan: !! Your strongswan.conf contains
>> manual plugin load options for charon.
>> Dec 27 15:39:02 zeta strongswan: !! This is recommended for experts
>> only, see
>> Dec 27 15:39:02 zeta strongswan: !!
>> http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> Dec 27 15:39:02 zeta charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading ca certificates from
>> '/etc/strongswan/ipsec.d/cacerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG]   loaded ca certificate "C=US,
>> O=QuantumEquities, CN=QuantumCA" from
>> '/etc/strongswan/ipsec.d/cacerts/cacert.pem'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading aa certificates from
>> '/etc/strongswan/ipsec.d/aacerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/strongswan/ipsec.d/ocspcerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading attribute certificates
>> from '/etc/strongswan/ipsec.d/acerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading crls from
>> '/etc/strongswan/ipsec.d/crls'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Dec 27 15:39:02 zeta charon: 00[CFG]   loaded RSA private key from
>> '/etc/strongswan/ipsec.d/private/carlsKey.pem'
>> Dec 27 15:39:02 zeta charon: 00[LIB] loaded plugins: charon random
>> nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke
>> kernel-netlink socket-default updown
>> Dec 27 15:39:02 zeta charon: 00[JOB] spawning 16 worker threads
>> Dec 27 15:39:02 zeta strongswan: charon (32155) started after 20 ms
>
> In my case, it goes on...
>
> loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
> socket-default connmark stroke updown
> Dec 27 15:04:56 irssi charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> Dec 27 15:04:56 irssi charon: 00[JOB] spawning 16 worker threads
> Dec 27 15:04:56 irssi charon: 05[CFG] received stroke: add connection 'ipv4'
> Dec 27 15:04:56 irssi charon: 05[CFG] adding virtual IP address pool
> 172.20.3.0/24
> Dec 27 15:04:56 irssi charon: 05[CFG]   loaded certificate "C=US,
> O=Shorewall, CN=irssi" from 'irssiCert.der'
> Dec 27 15:04:56 irssi charon: 05[CFG] added configuration 'ipv4'
> Dec 27 15:04:56 irssi charon: 07[CFG] received stroke: add connection 'ipv6'
> Dec 27 15:04:56 irssi charon: 07[CFG] virtual IP pool too large,
> limiting to 2601:601:a000:16f7::/97
> Dec 27 15:04:56 irssi charon: 07[CFG] adding virtual IP address pool
>

Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Tom Eastep
On 12/27/2017 03:46 PM, Colony.three via Shorewall-users wrote:
>
>
>
>
>>  Original Message --------
>> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked
>> (StrongSwan)
>> Local Time: December 27, 2017 3:31 PM
>> UTC Time: December 27, 2017 11:31 PM
>> From: teas...@shorewall.net
>> To: shorewall-users@lists.sourceforge.net
>>
>> On 12/27/2017 03:27 PM, Colony.three via Shorewall-users wrote:
>>
>> Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Dec 27 15:20:49 zeta charon: 00[LIB]   opening
>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file
>> or directory
>> Dec 27 15:20:49 zeta charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
>> failed, tried 4 builders
>> Dec 27 15:20:49 zeta charon: 00[CFG]   loading private key from
>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed
>>
>>
>>  
>> The above messages certainly aren't good!
>>  
>> -Tom
>>  
>>
> Understand.  I was in the middle of something as noted in my prior
> ().  Here it is again stabilized but still the same problem as all along:
>
> Dec 27 15:38:59 zeta strongswan: ipsec starter stopped
> Dec 27 15:39:02 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2
> daemon using ipsec.conf.
> Dec 27 15:39:02 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2
> daemon using ipsec.conf...
> Dec 27 15:39:02 zeta strongswan: Starting strongSwan 5.5.3 IPsec
> [starter]...
> Dec 27 15:39:02 zeta strongswan: !! Your strongswan.conf contains
> manual plugin load options for charon.
> Dec 27 15:39:02 zeta strongswan: !! This is recommended for experts
> only, see
> Dec 27 15:39:02 zeta strongswan: !!
> http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> Dec 27 15:39:02 zeta charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
> Dec 27 15:39:02 zeta charon: 00[CFG] loading ca certificates from
> '/etc/strongswan/ipsec.d/cacerts'
> Dec 27 15:39:02 zeta charon: 00[CFG]   loaded ca certificate "C=US,
> O=QuantumEquities, CN=QuantumCA" from
> '/etc/strongswan/ipsec.d/cacerts/cacert.pem'
> Dec 27 15:39:02 zeta charon: 00[CFG] loading aa certificates from
> '/etc/strongswan/ipsec.d/aacerts'
> Dec 27 15:39:02 zeta charon: 00[CFG] loading ocsp signer certificates
> from '/etc/strongswan/ipsec.d/ocspcerts'
> Dec 27 15:39:02 zeta charon: 00[CFG] loading attribute certificates
> from '/etc/strongswan/ipsec.d/acerts'
> Dec 27 15:39:02 zeta charon: 00[CFG] loading crls from
> '/etc/strongswan/ipsec.d/crls'
> Dec 27 15:39:02 zeta charon: 00[CFG] loading secrets from
> '/etc/strongswan/ipsec.secrets'
> Dec 27 15:39:02 zeta charon: 00[CFG]   loaded RSA private key from
> '/etc/strongswan/ipsec.d/private/carlsKey.pem'
> Dec 27 15:39:02 zeta charon: 00[LIB] loaded plugins: charon random
> nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke
> kernel-netlink socket-default updown
> Dec 27 15:39:02 zeta charon: 00[JOB] spawning 16 worker threads
> Dec 27 15:39:02 zeta strongswan: charon (32155) started after 20 ms
>
>
In my case, it goes on...

loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
socket-default connmark stroke updown
Dec 27 15:04:56 irssi charon: 00[LIB] dropped capabilities, running as
uid 0, gid 0
Dec 27 15:04:56 irssi charon: 00[JOB] spawning 16 worker threads
Dec 27 15:04:56 irssi charon: 05[CFG] received stroke: add connection 'ipv4'
Dec 27 15:04:56 irssi charon: 05[CFG] adding virtual IP address pool
172.20.3.0/24
Dec 27 15:04:56 irssi charon: 05[CFG]   loaded certificate "C=US,
O=Shorewall, CN=irssi" from 'irssiCert.der'
Dec 27 15:04:56 irssi charon: 05[CFG] added configuration 'ipv4'
Dec 27 15:04:56 irssi charon: 07[CFG] received stroke: add connection 'ipv6'
Dec 27 15:04:56 irssi charon: 07[CFG] virtual IP pool too large,
limiting to 2601:601:a000:16f7::/97
Dec 27 15:04:56 irssi charon: 07[CFG] adding virtual IP address pool
2601:601:a000:16f7::/64
Dec 27 15:04:56 irssi charon: 07[CFG]   loaded certificate "C=US,
O=Shorewall, CN=irssi" from 'irssiCert.der'
Dec 27 15:04:56 irssi charon: 07[CFG] added configuration 'ipv6'

This was on my DNATed endpoint.

-Tom

-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
  \

Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Colony.three via Shorewall-users
>  Original Message 
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 27, 2017 3:31 PM
> UTC Time: December 27, 2017 11:31 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/27/2017 03:27 PM, Colony.three via Shorewall-users wrote:
>
>> Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Dec 27 15:20:49 zeta charon: 00[LIB]   opening
>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file
>> or directory
>> Dec 27 15:20:49 zeta charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
>> failed, tried 4 builders
>> Dec 27 15:20:49 zeta charon: 00[CFG]   loading private key from
>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed
>
> The above messages certainly aren't good!
>
> -Tom

Understand.  I was in the middle of something as noted in my prior ().  Here it 
is again stabilized but still the same problem as all along:

Dec 27 15:38:59 zeta strongswan: ipsec starter stopped
Dec 27 15:39:02 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Dec 27 15:39:02 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Dec 27 15:39:02 zeta strongswan: Starting strongSwan 5.5.3 IPsec [starter]...
Dec 27 15:39:02 zeta strongswan: !! Your strongswan.conf contains manual plugin load options for charon.
Dec 27 15:39:02 zeta strongswan: !! This is recommended for experts only, see
Dec 27 15:39:02 zeta strongswan: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Dec 27 15:39:02 zeta charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
Dec 27 15:39:02 zeta charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Dec 27 15:39:02 zeta charon: 00[CFG]   loaded ca certificate "C=US, O=QuantumEquities, CN=QuantumCA" from '/etc/strongswan/ipsec.d/cacerts/cacert.pem'
Dec 27 15:39:02 zeta charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 27 15:39:02 zeta charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 27 15:39:02 zeta charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 27 15:39:02 zeta charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 27 15:39:02 zeta charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 27 15:39:02 zeta charon: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/carlsKey.pem'
Dec 27 15:39:02 zeta charon: 00[LIB] loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
Dec 27 15:39:02 zeta charon: 00[JOB] spawning 16 worker threads
Dec 27 15:39:02 zeta strongswan: charon (32155) started after 20 ms


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Tom Eastep
On 12/27/2017 03:27 PM, Colony.three via Shorewall-users wrote:
> Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from
> '/etc/strongswan/ipsec.secrets'
> Dec 27 15:20:49 zeta charon: 00[LIB]   opening
> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file
> or directory
> Dec 27 15:20:49 zeta charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
> failed, tried 4 builders
> Dec 27 15:20:49 zeta charon: 00[CFG]   loading private key from
> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed

The above messages certainly aren't good!

-Tom







Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Colony.three via Shorewall-users
> The Cert isn't involved in the IKE_SA_INIT request. Verification of the
> cert occurs in the IKE_AUTH request. What are the messages generated
> when you start your local StrongSwan config?
>
> -Tom

I don't see anything abnormal...  although I do not see it calling 
strongswan.d/bills-strongswan.conf  nor  ipsec.d/bills-ipsec.conf.

/etc/strongswan/strongswan.conf has:
include strongswan.d/*.conf
... but /etc/strongswan/ipsec.conf doesn't have any such thing.

(The missing key is because I was experimenting at that moment)

Dec 27 15:20:43 zeta systemd: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Dec 27 15:20:49 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Dec 27 15:20:49 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Dec 27 15:20:49 zeta strongswan: Starting strongSwan 5.5.3 IPsec [starter]...
Dec 27 15:20:49 zeta strongswan: !! Your strongswan.conf contains manual plugin load options for charon.
Dec 27 15:20:49 zeta strongswan: !! This is recommended for experts only, see
Dec 27 15:20:49 zeta strongswan: !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Dec 27 15:20:49 zeta charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
Dec 27 15:20:49 zeta charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Dec 27 15:20:49 zeta charon: 00[CFG]   loaded ca certificate "C=US, O=QuantumEquities, CN=QuantumCA" from '/etc/strongswan/ipsec.d/cacerts/cacert.pem'
Dec 27 15:20:49 zeta charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 27 15:20:49 zeta charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 27 15:20:49 zeta charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 27 15:20:49 zeta charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 27 15:20:49 zeta charon: 00[LIB]   opening '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file or directory
Dec 27 15:20:49 zeta charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
Dec 27 15:20:49 zeta charon: 00[CFG]   loading private key from '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed
Dec 27 15:20:49 zeta charon: 00[LIB] loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
Dec 27 15:20:49 zeta charon: 00[JOB] spawning 16 worker threads
Dec 27 15:20:49 zeta strongswan: charon (32057) started after 20 ms


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Tom Eastep
On 12/27/2017 03:02 PM, Colony.three via Shorewall-users wrote:
> Simple CA is the procedure I've been using too. 
>>>
>>> Dec 27 14:29:54 zeta charon: 05[NET] received packet: from
>>> 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
>>> Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [
>>> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for
>>> 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
>>> Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response
>>> 0 [ N(NO_PROP) ]
>>> Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from
>>> 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
>>>
>>> Well NAT-T definitely does not work.  I can not make this work,
>>> following the SimpleCA instructions to a T.  I did import the proper
>>> .p12, and separately the caCert.pem into Imported like you did. 
>>> 172.58.43.66 has nothing to do with my phone (100.196.9.93), and I
>>> think that is a clue to the problem.
>>>
>>> Maybe I should give up and put StrongSwan on the router and let the
>>> router have access to the rest of the LAN.  That just seems like a
>>> stupid thing to do but I simply have not been able to fix this
>>> problem after 2 weeks of trying full time.  I can't believe that this
>>> is impossible.
>>
>> As well, for cert generation I added --san:
>> # strongswan pki --pub --in private/quantumKey.pem --type rsa |
>> strongswan pki --issue --cacert certs/caCert.pem --cakey
>> private/caKey.pem --san quantum-equities.com --dn "C=US, O=Quantum,
>> CN=quantum-equities.com" --outform pem > certs/quantumCert.pem
>>
>> ... and in the SS Android app I put quantum-equities.com in Server
>> Identity like you did.
> 
> I've never had any cert end up in User certs, by importing the .p12
> using the connexion Edit.  Maybe that's the actual problem.
> 
> It pretends like it imports the .p12 just fine.

The Cert isn't involved in the IKE_SA_INIT request. Verification of the
cert occurs in the IKE_AUTH request. What are the messages generated
when you start your local StrongSwan config?

-Tom





Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Colony.three via Shorewall-users
Simple CA is the procedure I've been using too.

>> Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 
>> 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
>> Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
>> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 
>> 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
>> Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ 
>> N(NO_PROP) ]
>> Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 
>> 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
>>
>> Well NAT-T definitely does not work.  I can not make this work, following 
>> the SimpleCA instructions to a T.  I did import the proper .p12, and 
>> separately the caCert.pem into Imported like you did.  172.58.43.66 has 
>> nothing to do with my phone (100.196.9.93), and I think that is a clue to 
>> the problem.
>>
>> Maybe I should give up and put StrongSwan on the router and let the router 
>> have access to the rest of the LAN.  That just seems like a stupid thing to 
>> do but I simply have not been able to fix this problem after 2 weeks of 
>> trying full time.  I can't believe that this is impossible.
>
> As well, for cert generation I added --san:
> # strongswan pki --pub --in private/quantumKey.pem --type rsa | strongswan 
> pki --issue --cacert certs/caCert.pem --cakey private/caKey.pem --san 
> quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" 
> --outform pem > certs/quantumCert.pem
>
> ... and in the SS Android app I put quantum-equities.com in Server Identity 
> like you did.

I've never had any cert end up in User certs, by importing the .p12 using the 
connexion Edit.  Maybe that's the actual problem.

It pretends like it imports the .p12 just fine.


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-27 Thread Colony.three via Shorewall-users
Simple CA is the procedure I've been using too.

Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)

Well NAT-T definitely does not work.  I can not make this work, following the 
SimpleCA instructions to a T.  I did import the proper .p12, and separately the 
caCert.pem into Imported like you did.  172.58.43.66 has nothing to do with my 
phone (100.196.9.93), and I think that is a clue to the problem.

Maybe I should give up and put StrongSwan on the router and let the router have 
access to the rest of the LAN.  That just seems like a stupid thing to do but I 
simply have not been able to fix this problem after 2 weeks of trying full 
time.  I can't believe that this is impossible.

>  Original Message 
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 24, 2017 2:20 PM
> UTC Time: December 24, 2017 10:20 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/24/2017 12:59 PM, Tom Eastep wrote:
>
>> On 12/24/2017 12:45 PM, Colony.three via Shorewall-users wrote:
>>
>>>> I saw something similar when I neglected to add a subjectAltName
>>>> (gateway.shorewall.net <http://gateway.shorewall.net>) to the
>>>> local endpoint's cert.
>>>>
>>>> FWIW, I've attached a log extract of a successful SA establishment.
>>>>
>>>> -Tom
>>>
>>> Hm, interesting.  I've consistently used scripts from SomeRandomDude on
>>> The Internets, and indeed it does not provide for subjectAltName.  Good
>>> lead, thanks, I'll look for SS's procedure for generating certs.  There
>>> is just a quagmire haystack of disorganized info out there about this,
>>> which I'll bet quietly defeats 90% of those who try this.
>>> Setting rightsourceip=192.168.11.0/24and restarting SS didn't change
>>> anything.
>>> I've never understood the interplay of IP ranges and addresses between
>>> left and right, as in some cases 'left' always means 'me', whether
>>> setting in local or remote, and in other cases it means as I'd
>>> understood it, 'left' is ipsec gateway and 'right' is remote laptop.
>>> Also I notice that everyone always references the -server- cert and key
>>> in ipsec.conf settings, whereas the StrongSwan Android app will only
>>> accept a .p12 file.  A .p12 file is genned by the RandomDude's scripts
>>> for -user- (as well as cert and key), and it also gens the -server- cert
>>> and key.  So I can only set the -user- cert (.p12) in the Android app.
>>> I'll investigate further.
>>
>> I'm just installing the StrongSwan Android app and will play with it as
>> well.
>
> After a bit of a hassle with certs, I got it working.
>
> a) I used the StrongSwan Simple CA
> (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
> generate my certs, with a subjectAltName. The subjectAltName of the
> local endpoint is gateway.shorewall.net. On the Android, that must be
> placed in the Server Identity setting (Advanced Settings). I imported by
> CA cert separately (shows up under 'Imported' on the Android).
>
> b) Local Endpoint Configuration:
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=3
> keyexchange=ikev2
> authby=pubkey
>
> conn ipv4
> left=70.90.191.121
> leftid=gateway.shorewall.net
>
> leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
> leftcert=gatewayCert.der
> right=%any
> rightsourceip=172.20.3.0/24
> rightdns=172.20.1.253
> auto=add
>
> c) Android configuration:
>
> Server: 70.90.191.121
> VPN Type: IKEv2 Certificate
> User certificate: (CN=phone,O=Shorewall,C=US)
> Ca certificate: Imported CA cert
> Profile name: Shorewall IPv4
> Server Identity: gateway.shorewall.net
>
> -Tom
>
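
Both the startup logs pasted in this thread (a private key that fails to open, the starter's plugin-load warning, whether any conn was added at all) and the IKE_SA_INIT rejection above are easier to read once the mail-wrapped lines are re-joined. The following triage script is added here and is not code from the thread or from the strongSwan project; it assumes only the message formats quoted in the thread (the charon `NN[GROUP]` prefix and the starter's `!!` lines), and its sample logs are constructed from records quoted above.

```python
"""Triage charon/starter syslog lines for the failure modes seen in this thread.
Constructed helper, not strongSwan tooling: re-joins mail-wrapped records, then reports findings."""
import re
from dataclasses import dataclass, field

# Record prefix "Mon DD HH:MM:SS "; charon text follows "NN[GROUP]", starter warnings follow "!!".
RE_TS = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")
RE_MSG = re.compile(r"charon: \d+\[[A-Z]+\]\s+(?P<text>.*)$")
RE_STARTER = re.compile(r"strongswan: !! (?P<text>.*)$")
RE_OPEN_FAIL = re.compile(r"opening '(?P<path>[^']+)' failed: (?P<err>.*)$")
RE_KEY_LOADED = re.compile(r"loaded (?:RSA|ECDSA) private key from '(?P<path>[^']+)'")
RE_CONN_ADDED = re.compile(r"added configuration '(?P<name>[^']+)'")
RE_POOL = re.compile(r"adding virtual IP address pool (?P<pool>\S+)")
RE_NO_CFG = re.compile(
    r"no IKE config found for (?P<local>[\w.:]+?)\.\.\.(?P<peer>[\w.:]+), sending (?P<notify>\w+)")


def unwrap(text: str) -> list:
    """Return one string per syslog record, re-joining lines a mail client wrapped at ~78 columns."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if RE_TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


@dataclass
class Triage:
    private_keys: list = field(default_factory=list)    # key files charon actually loaded
    missing_files: list = field(default_factory=list)   # credential paths that failed to open
    connections: list = field(default_factory=list)     # conn names charon added via stroke
    pools: list = field(default_factory=list)           # rightsourceip pools registered
    rejected_peers: list = field(default_factory=list)  # (local, peer, notify) for unmatched IKE_SA_INIT
    warnings: list = field(default_factory=list)        # "!!" lines from the ipsec starter

    def problems(self) -> list:
        """Human-readable findings; an empty list means the log shows a usable startup."""
        out = ["missing credential file: %s" % p for p in self.missing_files]
        if not self.private_keys:
            out.append("no private key loaded: the gateway cannot authenticate in IKE_AUTH")
        if not self.connections:
            out.append("no conn added: charon never saw a connection definition")
        for local, peer, notify in self.rejected_peers:
            out.append("IKE_SA_INIT from %s matched no conn on %s (sent %s)" % (peer, local, notify))
        out.extend("starter warning: " + w for w in self.warnings)
        return out


def triage(text: str) -> Triage:
    t = Triage()
    for rec in unwrap(text):
        m = RE_STARTER.search(rec)
        if m:
            t.warnings.append(m.group("text"))
            continue
        m = RE_MSG.search(rec)
        if not m:
            continue  # systemd lines and anything else we do not classify
        msg = m.group("text")
        if (k := RE_OPEN_FAIL.search(msg)):
            t.missing_files.append(k.group("path"))
        elif (k := RE_KEY_LOADED.search(msg)):
            t.private_keys.append(k.group("path"))
        elif (k := RE_CONN_ADDED.search(msg)):
            t.connections.append(k.group("name"))
        elif (k := RE_POOL.search(msg)):
            t.pools.append(k.group("pool"))
        elif (k := RE_NO_CFG.search(msg)):
            t.rejected_peers.append((k.group("local"), k.group("peer"), k.group("notify")))
    return t


# Constructed samples: records quoted from the thread, wrapped the way the list archive shows them.
BROKEN_LOG = """\
Dec 27 15:20:49 zeta strongswan: !! Your strongswan.conf contains manual plugin
load options for charon.
Dec 27 15:20:49 zeta charon: 00[LIB]   opening
'/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file or
directory
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for
192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
"""
HEALTHY_LOG = """\
Dec 27 16:17:38 zeta charon: 00[CFG]   loaded RSA private key from
'/etc/strongswan/ipsec.d/private/billsKey.pem'
Dec 27 16:17:38 zeta charon: 05[CFG] adding virtual IP address pool
192.168.11.0/24
Dec 27 16:17:38 zeta charon: 05[CFG] added configuration 'ipv4'
"""

if __name__ == "__main__":
    for name, log in (("broken", BROKEN_LOG), ("healthy", HEALTHY_LOG)):
        print(name, triage(log).problems() or ["no problems found"])
```

Feed it `journalctl -u strongswan` output or a pasted extract; an empty `problems()` list only says the startup phase looked sane, not that IKE_AUTH will succeed.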

Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Colony.three via Shorewall-users
> Just as a FYI: I have OpenVPN set up and working on my android phone.
>
> I generated a CA cert and then a cert for my phone using xca (GUI interface).
>
> Bill

Good to know.  I'd originally decided on IPSec because it's universally used in business, and is regarded to be the most secure, at least when used with certs.  But I have no illusions about how difficult it is.

I can't use LibreSwan as it doesn't play well with NAT-T.  If/when I fail with 
StrongSwan I'll go the OpenVPN route. (If I don't shoot myself in the head in 
the parking lot first)

Bill S.


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Colony.three via Shorewall-users
>  Original Message 
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 24, 2017 3:03 PM
> UTC Time: December 24, 2017 11:03 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/24/2017 02:56 PM, Tom Eastep wrote:
>
>>> I'm now ready to try and set up the Android app.  I wasn't able to
>>> import a .pem cert, but maybe it'll let me import a .der cert.
>>
>> I successfully imported both the .pem CA cert and the .p12 bundle. The
>> former ended up in User Certificates and the latter in Imported.
>
> Other way around...
>
> CA Cert in Imported
> p12 in User
>
> -Tom

Everything goes well with the commands below, but when I try to import the .p12 
into the SS Android app, it seems to be happy, but no user shows up to choose 
from and no certs are in User nor Imported.

# cd /etc/strongswan/ipsec.d/
# strongswan pki --gen --type rsa --outform pem --size 4096 > private/caKey.pem
Self-sign a CA certificate using the generated key:
# strongswan pki --self --in private/caKey.pem --type rsa --dn "C=US, O=Quantum, CN=Quantum CA" --outform pem --ca > certs/caCert.pem
CA is ready to issue end-entity certificates.
For each peer, i.e. for all VPN clients and VPN gateways, generate an individual private key and issue a matching certificate using the new CA:
# strongswan pki --gen --type rsa --outform pem --size 4096 > private/quantumKey.pem
# strongswan pki --pub --in private/quantumKey.pem --type rsa | strongswan pki --issue --cacert certs/caCert.pem --cakey private/caKey.pem --san quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" --outform pem > certs/quantumCert.pem
# chmod -R 600 private

# openssl pkcs12 -in certs/quantumCert.pem -inkey private/quantumKey.pem -certfile certs/caCert.pem -export -out quantum.p12


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Bill Shirley

Just as a FYI: I have OpenVPN set up and working on my android phone.

I generated a CA cert and then a cert for my phone using xca (GUI interface).

Bill




Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Tom Eastep
On 12/24/2017 02:56 PM, Tom Eastep wrote:

>>
>> I'm now ready to try and set up the Android app.  I wasn't able to
>> import a .pem cert, but maybe it'll let me import a .der cert.
> 
> I successfully imported both the .pem CA cert and the .p12 bundle. The
> former ended up in User Certificates and the latter in Imported.

Other way around...

CA Cert in Imported
p12 in User

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Tom Eastep
On 12/24/2017 02:51 PM, Colony.three via Shorewall-users wrote:
> On 12/24/2017 12:59 PM, Tom Eastep wrote:
>>
>>
>> After a bit of a hassle with certs, I got it working.
>>  
>> a) I used the StrongSwan Simple CA
>> (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
>> generate my certs, with a subjectAltName. The subjectAltName of the
>> local endpoint is gateway.shorewall.net
>> . On the Android, that must be
>> placed in the Server Identity setting (Advanced Settings). I
>> imported my
>> CA cert separately (shows up under 'Imported' on the Android).
>>  
>> b) Local Endpoint Configuration:
>>  
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=3
>> keyexchange=ikev2
>> authby=pubkey
>>  
>> conn ipv4
>> left=70.90.191.121
>> leftid=gateway.shorewall.net 
>>  
>> leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
>> leftcert=gatewayCert.der
>> right=%any
>> rightsourceip=172.20.3.0/24
>> rightdns=172.20.1.253
>> auto=add
>>  
>> c) Android configuration:
>>  
>> Server: 70.90.191.121
>> VPN Type: IKEv2 Certificate
>> User certificate: (CN=phone,O=Shorewall,C=US)
>> Ca certificate: Imported CA cert
>> Profile name: Shorewall IPv4
>> Server Identity: gateway.shorewall.net 
>>  
>> -Tom
>>
> 
> I'll be darned, it can actually work.  Thank you Tom.
> 
> I'm following the same track, and have now gone to the absurd lengths to
> manually gen certs.  It all distills down to these simple commands:
> # cd /etc/strongswan/ipsec.d
> # strongswan pki --gen --size 4096 > private/caKey.der
> Self-sign a CA certificate using the generated key:
> # strongswan pki --self --in private/caKey.der --dn "C=US, O=Quantum,
> CN=Quantum CA" --ca > certs/caCert.der
> CA is ready to issue end-entity certificates.
> For each peer, i.e. for all VPN clients and VPN gateways, generate an
> individual private key and issue a matching certificate using the new CA:
> # strongswan pki --gen --size 4096 > private/quantumKey.der
> # strongswan pki --pub --in private/quantumKey.der | strongswan pki
> --issue --cacert certs/caCert.der --cakey private/caKey.der --san
> quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" >
> certs/quantumCert.der
> 
> I'm now ready to try and set up the Android app.  I wasn't able to
> import a .pem cert, but maybe it'll let me import a .der cert.

I successfully imported both the .pem CA cert and the .p12 bundle. The
former ended up in User Certificates and the latter in Imported.

I was also able to get the builtin Android VPN to connect, but it
wouldn't pass traffic for some reason.

-Tom


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Colony.three via Shorewall-users
On 12/24/2017 12:59 PM, Tom Eastep wrote:

> After a bit of a hassle with certs, I got it working.
>
> a) I used the StrongSwan Simple CA
> (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
> generate my certs, with a subjectAltName. The subjectAltName of the
> local endpoint is gateway.shorewall.net. On the Android, that must be
> placed in the Server Identity setting (Advanced Settings). I imported my
> CA cert separately (shows up under 'Imported' on the Android).
>
> b) Local Endpoint Configuration:
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=3
> keyexchange=ikev2
> authby=pubkey
>
> conn ipv4
> left=70.90.191.121
> leftid=gateway.shorewall.net
>
> leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
> leftcert=gatewayCert.der
> right=%any
> rightsourceip=172.20.3.0/24
> rightdns=172.20.1.253
> auto=add
>
> c) Android configuration:
>
> Server: 70.90.191.121
> VPN Type: IKEv2 Certificate
> User certificate: (CN=phone,O=Shorewall,C=US)
> Ca certificate: Imported CA cert
> Profile name: Shorewall IPv4
> Server Identity: gateway.shorewall.net
>
> -Tom

I'll be darned, it can actually work.  Thank you Tom.

I'm following the same track, and have now gone to the absurd lengths to 
manually gen certs.  It all distills down to these simple commands:
# cd /etc/strongswan/ipsec.d
# strongswan pki --gen --size 4096 > private/caKey.der
Self-sign a CA certificate using the generated key:
# strongswan pki --self --in private/caKey.der --dn "C=US, O=Quantum, CN=Quantum CA" --ca > certs/caCert.der
CA is ready to issue end-entity certificates.
For each peer, i.e. for all VPN clients and VPN gateways, generate an individual private key and issue a matching certificate using the new CA:
# strongswan pki --gen --size 4096 > private/quantumKey.der
# strongswan pki --pub --in private/quantumKey.der | strongswan pki --issue --cacert certs/caCert.der --cakey private/caKey.der --san quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" > certs/quantumCert.der

I'm now ready to try and set up the Android app.  I wasn't able to import a .pem cert, but maybe it'll let me import a .der cert.


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Tom Eastep
On 12/24/2017 12:59 PM, Tom Eastep wrote:
> On 12/24/2017 12:45 PM, Colony.three via Shorewall-users wrote:
>>
>>> I saw something similar when I neglected to add a subjectAltName
>>> (gateway.shorewall.net ) to the
>>> local endpoint's cert.
>>>  
>>> FWIW, I've attached a log extract of a successful SA establishment.
>>>  
>>> -Tom
>>>
>>
>> Hm, interesting.  I've consistently used scripts from SomeRandomDude on
>> The Internets, and indeed it does not provide for subjectAltName.  Good
>> lead, thanks, I'll look for SS's procedure for generating certs.  There
>> is just a quagmire haystack of disorganized info out there about this,
>> which I'll bet quietly defeats 90% of those who try this.
>>
>> Setting rightsourceip=192.168.11.0/24 and restarting SS didn't change
>> anything.
>>
>> I've never understood the interplay of IP ranges and addresses between
>> left and right, as in some cases 'left' always means 'me', whether
>> setting in local or remote, and in other cases it means as I'd
>> understood it, 'left' is ipsec gateway and 'right' is remote laptop.
>>
>> Also I notice that everyone always references the -server- cert and key
>> in ipsec.conf settings, whereas the StrongSwan Android app will only
>> accept a .p12 file.  A .p12 file is genned by the RandomDude's scripts
>> for -user- (as well as cert and key), and it also gens the -server- cert
>> and key.  So I can only set the -user- cert (.p12) in the Android app.
>>
>> I'll investigate further.
>>
> 
> I'm just installing the StrongSwan Android app and will play with it as
> well.
> 

After a bit of a hassle with certs, I got it working.

a) I used the StrongSwan Simple CA
(https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
generate my certs, with a subjectAltName. The subjectAltName of the
local endpoint is gateway.shorewall.net. On the Android, that must be
placed in the Server Identity setting (Advanced Settings). I imported my
CA cert separately (shows up under 'Imported' on the Android).

b) Local Endpoint Configuration:

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=3
  keyexchange=ikev2
  authby=pubkey

conn ipv4
  left=70.90.191.121
  leftid=gateway.shorewall.net
  leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
  leftcert=gatewayCert.der
  right=%any
  rightsourceip=172.20.3.0/24
  rightdns=172.20.1.253
  auto=add

c) Android configuration:

Server: 70.90.191.121
VPN Type: IKEv2 Certificate
User certificate: (CN=phone,O=Shorewall,C=US)
Ca certificate: Imported CA cert
Profile name: Shorewall IPv4
Server Identity: gateway.shorewall.net

-Tom


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Tom Eastep
On 12/24/2017 12:45 PM, Colony.three via Shorewall-users wrote:
> 
>> I saw something similar when I neglected to add a subjectAltName
>> (gateway.shorewall.net ) to the
>> local endpoint's cert.
>>  
>> FWIW, I've attached a log extract of a successful SA establishment.
>>  
>> -Tom
>>
> 
> Hm, interesting.  I've consistently used scripts from SomeRandomDude on
> The Internets, and indeed it does not provide for subjectAltName.  Good
> lead, thanks, I'll look for SS's procedure for generating certs.  There
> is just a quagmire haystack of disorganized info out there about this,
> which I'll bet quietly defeats 90% of those who try this.
> 
> Setting rightsourceip=192.168.11.0/24 and restarting SS didn't change
> anything.
> 
> I've never understood the interplay of IP ranges and addresses between
> left and right, as in some cases 'left' always means 'me', whether
> setting in local or remote, and in other cases it means as I'd
> understood it, 'left' is ipsec gateway and 'right' is remote laptop.
> 
> Also I notice that everyone always references the -server- cert and key
> in ipsec.conf settings, whereas the StrongSwan Android app will only
> accept a .p12 file.  A .p12 file is genned by the RandomDude's scripts
> for -user- (as well as cert and key), and it also gens the -server- cert
> and key.  So I can only set the -user- cert (.p12) in the Android app.
> 
> I'll investigate further.
> 

I'm just installing the StrongSwan Android app and will play with it as
well.

-Tom


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Colony.three via Shorewall-users
> I saw something similar when I neglected to add a subjectAltName
> (gateway.shorewall.net) to the local endpoint's cert.
>
> FWIW, I've attached a log extract of a successful SA establishment.
>
> -Tom

Hm, interesting.  I've consistently used scripts from SomeRandomDude on The 
Internets, and indeed it does not provide for subjectAltName.  Good lead, 
thanks, I'll look for SS's procedure for generating certs.  There is just a 
quagmire haystack of disorganized info out there about this, which I'll bet 
quietly defeats 90% of those who try this.

Setting rightsourceip=192.168.11.0/24 and restarting SS didn't change anything.

I've never understood the interplay of IP ranges and addresses between left and 
right, as in some cases 'left' always means 'me', whether setting in local or 
remote, and in other cases it means as I'd understood it, 'left' is ipsec 
gateway and 'right' is remote laptop.

Also I notice that everyone always references the -server- cert and key in 
ipsec.conf settings, whereas the StrongSwan Android app will only accept a .p12 
file.  A .p12 file is genned by the RandomDude's scripts for -user- (as well as 
cert and key), and it also gens the -server- cert and key.  So I can only set 
the -user- cert (.p12) in the Android app.

I'll investigate further.


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Tom Eastep
On 12/24/2017 11:21 AM, Colony.three via Shorewall-users wrote:
>  
>>
>>
>> IPSEC configuration issue. I previously posted Strongswan config files
>> for my working DNAT setup.
>>  
>> -Tom
>>
> 
> True, and I'm basing my endpoint (IPSEC gateway) config on that:
> 
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=3
> keyexchange=ikev2
> 
> conn ipv4
> left=192.168.111.16
> leftid=quantum-equities.com
> leftsubnet=192.168.111.0/24,10.1.1.0/24
> leftcert=carl-ipseccert.pem
> leftid=@quantum-equities.com
> 
> right=%any
> rightsourceip=192.168.111.0/24

I believe the above subnet must be distinct from those listed in leftsubnet.

> rightdns=192.168.111.10
> auto=add
> 
> 
> The StrongSwan app doesn't allow much flexibility in what can be set, so
> I think that's right:
> Server: quantum-equities.com
> VPN Type: IKEv2 Certificate
> User Cert: carl-ipsec's VPN cert
> User ID: c.a.c...@quantum-equities.com
> 
> CA Cert: Select automatically
> Profile Name: quantum-equities.com
> ... no Advanced Settings.
> 
> 
> The error has only changed once, when I added hosts and tunnels, and
> that change was only the source daemon. (went from strongswan to
> charon)  I'm putting my ipsec.conf file in /etc/strongswan/ipsec.d which
> should be picked up by the daemon, and seems to be from systemctl status
> strongswan.
> 
> ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
>    Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled;
> vendor preset: disabled)
>    Active: active (running) since Sun 2017-12-24 11:09:50 PST; 3s ago
> Main PID: 47590 (starter)
>    CGroup: /system.slice/strongswan.service
> 
>    ├─47590 /usr/libexec/strongswan/starter --daemon charon --nofork
>    └─47599 /usr/libexec/strongswan/charon
> 
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading aa
> certificates from '/etc/strongswan/ipsec.d/aacerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading ocsp
> signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading
> attribute certificates from '/etc/strongswan/ipsec.d/acerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading crls
> from '/etc/strongswan/ipsec.d/crls'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading
> secrets from '/etc/strongswan/ipsec.secrets'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG]   loaded RSA
> private key from '/etc/strongswan/ipsec.d/private/carl-ipseckey.pem'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[LIB] loaded
> plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl
> revocation hmac stroke kernel-netlink socket-default updown
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[JOB] spawning 16
> worker threads
> Dec 24 11:09:50 zeta.darkmatter.org ipsec_starter[47590]: charon (47599)
> started after 20 ms
> Dec 24 11:09:50 zeta.darkmatter.org strongswan[47590]: charon (47599)
> started after 20 ms
> 
> For some reason the endpoint sees me trying to authenticate from
> 172.58.40.177 rather than from 29.124.236.116, my phone's actual IP.
> 
> I must be consistently doing something fundamentally wrong, which few
> other people out there have done, judging from searches.  Two weeks
> full-time, trying to learn and fix this, and I am out of ideas.  It
> seems hopeless.
> 
> Dec 24 11:15:17 zeta charon: 05[NET] received packet: from
> 172.58.40.177[23037] to 192.168.111.16[500] (704 bytes)
> Dec 24 11:15:17 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Dec 24 11:15:17 zeta charon: 05[IKE] no IKE config found for
> 192.168.111.16...172.58.40.177, sending NO_PROPOSAL_CHOSEN
> Dec 24 11:15:17 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> Dec 24 11:15:17 zeta charon: 05[NET] sending packet: from
> 192.168.111.16[500] to 172.58.40.177[23037] (36 bytes)
> 

I saw something similar when I neglected to add a subjectAltName
(gateway.shorewall.net) to the local endpoint's cert.

FWIW, I've attached a log extract of a successful SA establishment.

-Tom
Dec 24 11:36:56 gateway ipsec[2126]: 06[NET] received packet: from 
172.20.1.131[500] to 70.90.191.121[500] (1300 bytes)
Dec 24 11:36:56 gateway charon: 12[IKE] authentication of 
'gateway.shorewall.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) 

Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Colony.three via Shorewall-users
> IPSEC configuration issue. I previously posted Strongswan config files
> for my working DNAT setup.
>
> -Tom

True, and I'm basing my endpoint (IPSEC gateway) config on that:

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=3
keyexchange=ikev2

conn ipv4
left=192.168.111.16
leftid=quantum-equities.com
leftsubnet=192.168.111.0/24,10.1.1.0/24
leftcert=carl-ipseccert.pem
leftid=@quantum-equities.com

right=%any
rightsourceip=192.168.111.0/24
rightdns=192.168.111.10
auto=add

The StrongSwan app doesn't allow much flexibility in what can be set, so I 
think that's right:
Server: quantum-equities.com
VPN Type: IKEv2 Certificate
User Cert: carl-ipsec's VPN cert
User ID: c.a.c...@quantum-equities.com
CA Cert: Select automatically
Profile Name: quantum-equities.com
... no Advanced Settings.

The error has only changed once, when I added hosts and tunnels, and that 
change was only the source daemon. (went from strongswan to charon)  I'm 
putting my ipsec.conf file in /etc/strongswan/ipsec.d which should be picked up 
by the daemon, and seems to be from systemctl status strongswan.

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-12-24 11:09:50 PST; 3s ago
 Main PID: 47590 (starter)
   CGroup: /system.slice/strongswan.service
           ├─47590 /usr/libexec/strongswan/starter --daemon charon --nofork
           └─47599 /usr/libexec/strongswan/charon

Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/carl-ipseckey.pem'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[LIB] loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[JOB] spawning 16 worker threads
Dec 24 11:09:50 zeta.darkmatter.org ipsec_starter[47590]: charon (47599) started after 20 ms
Dec 24 11:09:50 zeta.darkmatter.org strongswan[47590]: charon (47599) started after 20 ms

For some reason the endpoint sees me trying to authenticate from 172.58.40.177 
rather than from 29.124.236.116, my phone's actual IP.

I must be consistently doing something fundamentally wrong, which few other 
people out there have done, judging from searches.  Two weeks full-time, trying 
to learn and fix this, and I am out of ideas.  It seems hopeless.

Dec 24 11:15:17 zeta charon: 05[NET] received packet: from 172.58.40.177[23037] to 192.168.111.16[500] (704 bytes)
Dec 24 11:15:17 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 24 11:15:17 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.40.177, sending NO_PROPOSAL_CHOSEN
Dec 24 11:15:17 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 24 11:15:17 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.40.177[23037] (36 bytes)
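An added example (mine, not strongSwan's or the poster's) that lints the ipsec.conf excerpt above for the two issues visible in it: Tom's point that the rightsourceip pool must not overlap leftsubnet, and a key (leftid) set twice in one conn section. The sample config is the one posted in this message; %default inheritance is not modelled.

```python
"""Lint a strongSwan ipsec.conf fragment.

Added example for this thread (not strongSwan code): it flags a
rightsourceip pool that overlaps leftsubnet, and a key that is set twice
inside one conn section.  %default inheritance is not modelled.
"""
import ipaddress
import re

# Sample input: the conn sections posted in the thread, indented as
# ipsec.conf expects.
SAMPLE_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2

conn ipv4
    left=192.168.111.16
    leftid=quantum-equities.com
    leftsubnet=192.168.111.0/24,10.1.1.0/24
    leftcert=carl-ipseccert.pem
    leftid=@quantum-equities.com

    right=%any
    rightsourceip=192.168.111.0/24
    rightdns=192.168.111.10
    auto=add
"""

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section_name: [(key, value), ...]} with pairs in file order.
    Repeats are kept so that duplicate keys can be reported."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)               # section headers start in column 0
        if m:
            current = m.group(2)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def duplicate_keys(pairs):
    """Keys that appear more than once in a section, in first-seen order."""
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def subnets(value):
    """Parse a comma-separated subnet list; %-keywords such as %any are skipped."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item and not item.startswith("%"):
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def pool_overlaps(pairs):
    """(pool, leftsubnet) pairs where the virtual-IP pool overlaps a leftsubnet.
    The last value of a repeated key wins, as it does in a flat lookup."""
    settings = dict(pairs)
    pool, left = settings.get("rightsourceip"), settings.get("leftsubnet")
    if not pool or not left:
        return []
    return [(str(p), str(l)) for p in subnets(pool)
            for l in subnets(left) if p.overlaps(l)]


def lint(text):
    """Run both checks over every section and return human-readable findings."""
    findings = []
    for name, pairs in parse_ipsec_conf(text).items():
        for key in duplicate_keys(pairs):
            findings.append(f"conn {name}: '{key}' set more than once")
        for pool, left in pool_overlaps(pairs):
            findings.append(f"conn {name}: rightsourceip {pool} overlaps leftsubnet {left}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```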


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Colony.three via Shorewall-users
> I would think you would want:
> interfaces:
> -     eth0    routefilter=0,logmartians=1
> hosts:
> vpn   eth0:172.58.43.0/24
> net   eth0:0.0.0.0/0
>
> I'm assuming 172.58.43.0/24 is a private subnet (RFC1918).
>
> Bill

172. is from my phone on a national carrier, and could be anything depending 
on where I am.  I don't have anything in hosts.

Tom's right, I should have included the standard details;  I was so distressed 
at the time I didn't think of it.  For two weeks I have been unable to make the 
StrongSwan Android app connect to my very first VPN, StrongSwan on CentOS.  
There were no Shorewall messages and I was getting despondent.  Then I tried 
the phone's 'add a VPN' function (instead of the SS app) and I got these noted 
blockages!  I am not notified of Shorewall blockages and I don't understand why.

The Shorewall support docs say I must have ipsec-tools installed, and I did 
not.  Its racoon daemon is specifically for ikev1 and I'm only running v2, but 
there may be some other function it provides.  It's not called as a dependency 
of the CentOS StrongSwan package though, which I don't understand.  When I 
installed ipsec-tools and restarted the SS daemon, it didn't change things; 
500 is still blocked.

Internet is otherwise working on this machine.  I've forwarded the 
shorewall_dump to Tom.

I'm trying to connect from my phone at 29.124.236.116 to my router (KVM VM 
running CentOS) at 50.35.109.212, NATted through router 192.168.111.1 to the 
IPSec gateway at 192.168.111.16.  The errors and dump are from this last 
gateway machine.  I don't know what 172.58.43.* has to do with anything.


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-24 Thread Bill Shirley

I would think you would want:
interfaces:
-            eth0        routefilter=0,logmartians=1
hosts:
vpn       eth0:172.58.43.0/24
net    eth0:0.0.0.0/0

I'm assuming 172.58.43.0/24 is a private subnet (RFC1918).

Bill


On 12/23/2017 7:52 PM, Colony.three via Shorewall-users wrote:

I don't understand this:

[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712

... when policy has:
$FW all REJECT  info(uid)
net all DROP    info(uid)
vpn all DROP    info(uid)
#local  all REJECT  info(uid)
all all REJECT  info(uid)


... and rules has:
# VPN
ACCEPT  vpn $FW udp 500,ipsec-nat-t -
ACCEPT  net $FW udp 500,ipsec-nat-t -


In interfaces I only have:
-   lo  ignore
net eth0 tcpflags,nosmurfs,sourceroute=0

... with no vpn.  Could this be the problem?

And I don't understand why it is that in rules when I specify the port as isakmp (rather than 500), it gets blocked?  Same 
reason, whatever it is?

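As an added example (mine, not Shorewall's code or any poster's), a small audit that parses the Shorewall log prefix from the DROP lines quoted above and checks each drop against the ACCEPT rules posted in the same message. The first two log lines are from the thread; the third (203.0.113.7, TCP/22) is constructed, and service names are resolved from an inline table rather than /etc/services.

```python
"""Audit Shorewall's netfilter log prefix against the declared rules file.

Added example for this thread (not Shorewall code).  A drop that a declared
ACCEPT rule should have matched means the running ruleset is not what the
rules file describes (not reloaded, or the packet landed in another zone).
"""
import re
from collections import Counter

# Constructed sample: two DROP lines posted in the thread plus one
# constructed TCP/22 drop (TEST-NET source) that no ACCEPT rule covers.
SAMPLE_LOG = """\
[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189800.000001] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=203.0.113.7 DST=192.168.111.16 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The ACCEPT rules from the rules file posted above.  $FW is the firewall
# zone; its default name, and the name in the log chain "net-fw", is "fw".
DECLARED_ACCEPT = [
    ("vpn", "fw", "udp", "500,ipsec-nat-t"),
    ("net", "fw", "udp", "500,ipsec-nat-t"),
]

# Inline stand-in for /etc/services so the audit runs offline.
SERVICES = {"isakmp": 500, "ipsec-nat-t": 4500}

# Shorewall logs "Shorewall:<chain>:<disposition>:" followed by the kernel's
# key=value fields; here the chain is the zone pair (net-fw).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z_]+):(?P<fields>.*)")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True      # bare flags such as DF, SYN
    src_zone, _, dst_zone = m.group("chain").partition("-")
    return {
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "disposition": m.group("disp"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": (fields.get("PROTO") or "").lower(),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def expand_ports(spec):
    """Expand a Shorewall port list ("500,ipsec-nat-t") into a set of ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if item.isdigit():
            ports.add(int(item))
        elif item in SERVICES:
            ports.add(SERVICES[item])
        else:
            raise ValueError(f"unknown service name {item!r}")
    return ports


def declared_accept(entry, rules=DECLARED_ACCEPT):
    """Return the ACCEPT rule covering this drop's zone pair, protocol and
    destination port, or None when the drop is consistent with the rules."""
    for rule in rules:
        src_zone, dst_zone, proto, ports = rule
        if (src_zone == entry["src_zone"] and dst_zone == entry["dst_zone"]
                and proto == entry["proto"] and entry["dport"] in expand_ports(ports)):
            return rule
    return None


def audit(log_text, rules=DECLARED_ACCEPT):
    """Return (contradictions, drop_counts): [(src, dport, rule)] for drops a
    declared ACCEPT should have matched, and a Counter of all drops keyed by
    (src, proto, dport)."""
    contradictions = []
    drop_counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["disposition"] != "DROP":
            continue
        drop_counts[(entry["src"], entry["proto"], entry["dport"])] += 1
        rule = declared_accept(entry, rules)
        if rule is not None:
            contradictions.append((entry["src"], entry["dport"], rule))
    return contradictions, drop_counts


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    for (src, proto, dport), n in sorted(counts.items()):
        print(f"{n:3d} drop(s) from {src} {proto}/{dport}")
    for src, dport, rule in found:
        print(f"CONTRADICTION: {src} -> udp/{dport} dropped, but rules declare "
              f"ACCEPT {rule[0]} -> {rule[1]} {rule[2]} {rule[3]}")
```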


Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)

2017-12-23 Thread Tom Eastep

On 12/23/2017 4:52 PM, Colony.three via Shorewall-users wrote:
> I don't understand this:
> 
> [184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> 
> ... when policy has:
> $FW all REJECT  info(uid)
> net all DROP    info(uid)
> vpn all DROP    info(uid)
> #local  all REJECT  info(uid)
> all all REJECT  info(uid)
> 
> ... and rules has:
> # VPN
> ACCEPT  vpn $FW udp 500,ipsec-nat-t -
> ACCEPT  net $FW udp 500,ipsec-nat-t -
> 
> In interfaces I only have:
> -   lo  ignore
> net eth0 tcpflags,nosmurfs,sourceroute=0
> 
> ... with no vpn.  Could this be the problem?
> 
> And I don't understand why it is that in rules when I specify the
> port as isakmp (rather than 500), it gets blocked?  Same reason,
> whatever it is?
> 

Well, the dropped packets are destined from the 'net' zone to the 'fw'
zone, so they should have been accepted by your second ACCEPT rule above.

But as http://www.shorewall.org/support.htm#guidelines described, and
as I have repeated hundreds of times on this list when you have a
connection problem, I want to see the output of 'shorewall dump'
collected as described in that article; together with the other
information listed in that article.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
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
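Tom's reasoning above (the log says net-fw, the rules file has an ACCEPT for net to $FW on udp 500, so the two disagree) can be mechanised. The following Python is an added example, not code from the thread or from Shorewall: it parses the `Shorewall:net-fw:DROP:` log prefix and the key=value fields, parses the ACTION/SOURCE/DEST/PROTO/DPORT columns of a rules file, expands the DPORT column (including the `isakmp` and `ipsec-nat-t` service names, which are IANA UDP ports 500 and 4500), and reports every logged DROP that an ACCEPT rule for that zone pair, protocol and port covers on paper. It assumes the firewall zone keeps Shorewall's default name `fw`, as the posted chain name suggests. The sample log lines and rules are copied from the thread and embedded as constructed input. What it cannot do is say why the rule did not fire on the live box; that is what `shorewall dump` shows.

```python
"""Cross-check Shorewall DROP log lines against the ACCEPT rules that, on
paper, should have matched them.  Added illustration, not Shorewall code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# UDP service names used in the thread, as assigned by IANA (/etc/services).
SERVICES: Dict[str, int] = {"isakmp": 500, "ipsec-nat-t": 4500}

# Shorewall's firewall zone ($FW) is "fw" unless shorewall.conf renames it;
# assumed unchanged here, which matches the "net-fw" chain in the posted logs.
FW_ZONE = "fw"

# Constructed samples: two of the quoted log lines and the poster's rules.
SAMPLE_LOG = """\
[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
"""
SAMPLE_RULES = """\
# VPN
ACCEPT  vpn $FW udp 500,ipsec-nat-t -
ACCEPT  net $FW udp 500,ipsec-nat-t -
"""

# Log prefix as it appears on the page: Shorewall:<srczone>-<dstzone>:<disposition>:
LOG_RE = re.compile(r"Shorewall:(\w+)-(\w+):([A-Z]+):(.*)$")


@dataclass
class LoggedPacket:
    src_zone: str
    dst_zone: str
    disposition: str
    fields: Dict[str, str]                            # key=value tokens; a repeated key gets a "2" suffix
    flags: List[str] = field(default_factory=list)    # bare tokens such as DF

    @property
    def proto(self) -> str:
        return self.fields.get("PROTO", "").lower()

    @property
    def dport(self) -> Optional[int]:
        return int(self.fields["DPT"]) if "DPT" in self.fields else None


def parse_log_line(line: str) -> Optional[LoggedPacket]:
    """Return the packet described by one netfilter log line, or None if the
    line is not a Shorewall log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group(4).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key + "2" if key in fields else key] = val   # second LEN is the UDP length
        else:
            flags.append(tok)
    return LoggedPacket(m.group(1), m.group(2), m.group(3), fields, flags)


def resolve_ports(spec: str) -> Optional[Set[int]]:
    """Expand a DPORT column ("500,ipsec-nat-t", "4500:4510", "-") into a set
    of port numbers; None means any port."""
    if spec in ("-", ""):
        return None
    ports: Set[int] = set()
    for item in spec.split(","):
        if ":" in item:                      # Shorewall port range low:high
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        elif item.isdigit():
            ports.add(int(item))
        else:
            ports.add(SERVICES[item])        # KeyError on an unknown service name is deliberate
    return ports


@dataclass
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    proto: str
    dports: Optional[Set[int]]
    text: str

    def matches(self, pkt: LoggedPacket) -> bool:
        return (self.src_zone in ("all", pkt.src_zone)
                and self.dst_zone in ("all", pkt.dst_zone)
                and self.proto in ("-", "all", pkt.proto)
                and (self.dports is None or pkt.dport in self.dports))


def _zone(col: str) -> str:
    """Zone part of a SOURCE/DEST column; qualifiers (net:1.2.3.0/24) dropped."""
    name = col.split(":")[0]
    return FW_ZONE if name == "$FW" else name


def parse_rules(text: str) -> List[Rule]:
    """Parse ACTION SOURCE DEST PROTO DPORT from a rules file; comments and
    blank lines skipped, action modifiers (ACCEPT:info) stripped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split() + ["-"] * 5
        action, src, dst, proto, dport = cols[:5]
        rules.append(Rule(action.split(":")[0], _zone(src), _zone(dst),
                          proto.lower(), resolve_ports(dport), line))
    return rules


def matching_accepts(pkt: LoggedPacket, rules: List[Rule]) -> List[Rule]:
    """ACCEPT rules whose zone pair, protocol and port cover the packet."""
    return [r for r in rules if r.action == "ACCEPT" and r.matches(pkt)]


def audit(log_text: str, rules_text: str) -> List[str]:
    """One report line per dropped packet that an ACCEPT rule should have
    covered; an empty list means the log and the rules agree."""
    rules = parse_rules(rules_text)
    report: List[str] = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None or pkt.disposition != "DROP":
            continue
        hits = matching_accepts(pkt, rules)
        if hits:
            report.append(f"{pkt.src_zone}->{pkt.dst_zone} {pkt.proto}/{pkt.dport} from "
                          f"{pkt.fields['SRC']} dropped despite: {hits[0].text}")
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG, SAMPLE_RULES):
        print(entry)
```

Run against the two sample lines it reports both drops as contradicting the `ACCEPT net $FW udp 500,ipsec-nat-t -` rule, which is exactly the discrepancy the reply points at. Because the service names are resolved to numbers before matching, a rule written with `isakmp` instead of `500` is treated identically by this check; any difference in behaviour on the real firewall therefore has to come from something the rules file alone does not show, hence the request for the dump.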