date:20150316

Re: [strongSwan] udp packet size

2015-03-16 Thread Steffen Plotner

Hi Fred,

 -Original Message-
 On 12/03/2015 02:35, Steffen Plotner wrote:
  Hi,
 
  Strongswan 5.2.2 on linux (centos 6) IKEv2 configuration for windows
 clients I have the following problem:
 
  Initiator sends IKE_SA_INIT
  Server responds with IKE_SA_INIT
  Initiator sends IKE_AUTH
  Server responds with a fragmented IP packet of 1514 bytes (the MTU is
 1500 on the outgoing interface).
 
 Just an update. Using ECDSA means these large packets are no longer an
 issue. Perhaps RSA is preferred from a security point of view; I don't
 know. But certainly the smaller key footprint without having to reduce
 the RSA keysize or use a short DN is maybe a good solution.

I actually did try the ECSDA cert and saw that the packet sizes are small 
enough to not fragment, but the Windows 7 client does not understand it. It 
ends up just hanging the connection process. I found a reference about that 
here:

https://www.mail-archive.com/users@lists.strongswan.org/msg04603.html

Steffen
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Kernel panic with VTI tunnel

2015-03-16 Thread André Valentin

Hi Mike,

that's right. I had no time to take a deeper look. Perhaps you have;-)

Kind regards,

André
Am 16.03.2015 um 10:30 schrieb Mike Noordermeer:
Hi,

In the mail conversation, Steffen mentions that the patch should never
be necessary, since outer_mode should not become NULL. So I doubt the
patch would be the proper fix? It may fix this issue, but if the
maintainer says the patch should not be necessary it seems like the
wrong fix to me.

Regards,

Mike

On 16 March 2015 at 10:19, André Valentin avalen...@marcant.net wrote:
Hi!

Please try the patch which is attached to the initial email. That shoud fix
it. There is another bug with IPv6 which at first I ahrought at, but that's
only with NAT. So please ignore that. So diffinig vanilla isn't needed.

Kind regards,

André

Am 16.03.2015 um 09:50 schrieb Mike Noordermeer:
Thanks... that looks very much like the same bug indeed. I will diff
the various files of the Debian kernel and 3.18 vanilla to see if I
can spot the change that introduced it.

Regards,

Mike

On 16 March 2015 at 09:42, André Valentin avalen...@marcant.net wrote:
Hi,

take a look at this thread:
http://marc.info/?t=14249509271r=1w=2
The initial mail is attached. I couldn't verfy the error with vanilla, but
your error looks like mine.
Have fun;-)

André

Am 16.03.2015 um 09:18 schrieb Mike Noordermeer:
Hi,

Do you happen to have any more specific info on this bugfix? I would
rather not deviate from the Debian default kernels, so it would be
nice if I could point the maintainers to a specific fix that should be
backported.

Thanks,

Mike

On 15 March 2015 at 17:02, Andre Valentin avalen...@marcant.net wrote:
Hi!

Try kernel 3.18. There's a bugfix for an issue like this.

Kind regards,

André

Am 15.03.2015 um 15:15 schrieb Mike Noordermeer:
Hi,

I am currently experiencing the same kernel panic on multiple hosts,
with a quite recent Linux kernel, and was wondering if anyone here has
an idea of what the issue could be, or how I could further debug it.
Any help is appreciated.

I am using Linux 3.16 (3.16.7-ckt4-3~bpo70+1 from Debian
wheezy-backports) and Strongswan 5.2.1 (5.2.1-5~bpo70+1 form Debian
wheezy-backports). I have a fairly 'simple' tunnel with a mark and a
left/right subnet of 0/0, and disabled install_routes in Strongswan.
Then I have a VTI device configured with the same mark. This all works
well, but causes a kernel panic every few hours, always on the same
spot. As far as I can see, no fixes for such an issue have been
committed to the kernel since version 3.16.

From the backtrace it seems that xfrm_input() in the kernel is hitting
a NULL dereference, when dereferencing 'outer_mode' in the xfrm_state
struct, this line to be precise:
https://github.com/torvalds/linux/blob/2e71029e2c32ecd59a2e8f351517bfbbad42ac11/include/net/xfrm.h#L1807

Any idea on why this could be NULL? Some config details and the full
backtrace are below.

Thanks,

Mike

Simplified ipsec.conf:

config setup

conn %default
keyexchange = ikev2
dpdaction = restart
esp = aes128gcm128-modp4096!
ike = aes128gcm128-prfsha256-modp4096!
mobike = no
auto = route

conn myconnection
left = x.x.x.x
leftcert = leftcert.crt
leftsubnet = 0.0.0.0/0
right = y.y.y.y
rightcert = rightcert.crt
rightsubnet = 0.0.0.0/0
mark = 15

ip xfrm policy

src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3075 ptype main
mark 15/0x
tmpl src y.y.y.y dst x.x.x.x
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 3075 ptype main
mark 15/0x
tmpl src y.y.y.y dst x.x.x.x
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3075 ptype main
mark 15/0x
tmpl src x.x.x.x dst y.y.y.y
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main

ip xfrm state

Re: [strongSwan] udp packet size

2015-03-16 Thread Fred


On 12/03/2015 02:35, Steffen Plotner wrote:

Hi,

Strongswan 5.2.2 on linux (centos 6) IKEv2 configuration for windows clients I 
have the following problem:

Initiator sends IKE_SA_INIT
Server responds with IKE_SA_INIT
Initiator sends IKE_AUTH
Server responds with a fragmented IP packet of 1514 bytes (the MTU is 1500 on 
the outgoing interface).


Just an update. Using ECDSA means these large packets are no longer an 
issue. Perhaps RSA is preferred from a security point of view; I don't 
know. But certainly the smaller key footprint without having to reduce 
the RSA keysize or use a short DN is maybe a good solution.


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Kernel panic with VTI tunnel

2015-03-16 Thread Mike Noordermeer

Hi,

Regards,

Mike

On 16 March 2015 at 10:19, André Valentin avalen...@marcant.net wrote:
Hi!

Kind regards,

André

Regards,

Mike

On 16 March 2015 at 09:42, André Valentin avalen...@marcant.net wrote:
Hi,

take a look at this thread:
http://marc.info/?t=14249509271r=1w=2
The initial mail is attached. I couldn't verfy the error with vanilla, but
your error looks like mine.
Have fun;-)

André

Am 16.03.2015 um 09:18 schrieb Mike Noordermeer:
Hi,

Thanks,

Mike

On 15 March 2015 at 17:02, Andre Valentin avalen...@marcant.net wrote:
Hi!

Try kernel 3.18. There's a bugfix for an issue like this.

Kind regards,

André

Am 15.03.2015 um 15:15 schrieb Mike Noordermeer:
Hi,

Any idea on why this could be NULL? Some config details and the full
backtrace are below.

Thanks,

Mike

Simplified ipsec.conf:

config setup

conn %default
keyexchange = ikev2
dpdaction = restart
esp = aes128gcm128-modp4096!
ike = aes128gcm128-prfsha256-modp4096!
mobike = no
auto = route

conn myconnection
left = x.x.x.x
leftcert = leftcert.crt
leftsubnet = 0.0.0.0/0
right = y.y.y.y
rightcert = rightcert.crt
rightsubnet = 0.0.0.0/0
mark = 15

ip xfrm policy

ip xfrm state

Re: [strongSwan] ikev2 strongswan IKE_SA_INIT not have RFC 3947 Specification Vendor ID payload

2015-03-16 Thread Emeric POUPON

Hello,

Not sure this RFC is the correct one for IKEv2 implementations.
You should read this one: https://tools.ietf.org/html/rfc5996#section-2.23
You will find what you have read in the strongswan's wiki.

Regards,


- Mail original -
De: Deepak Khandelwal dazz...@gmail.com
À: users@lists.strongswan.org
Envoyé: Lundi 16 Mars 2015 18:06:36
Objet: [strongSwan] ikev2 strongswan IKE_SA_INIT not have RFC 3947 
Specification Vendor ID payload


Hi All, 

During our testing with IKEv2, we found that the 1 st packet(IKE_SA_INIT) does 
not have any information on vendor ID payload which is a MUST criteria as per 
the RFC. 

As per the RFC 3947. 
“ In the first two messages of Phase 1, the vendor id payload for this
specification MUST be sent if supported (and it MUST be received by both
sides) for the NAT- Traversal probe to continue. The content of
the payload is the MD5 hash of RFC 3947 


i checked strongswan wiki docs and here in below link 

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal 

 The NAT_DETECTION_SOURCE/DESTINATION_IP notifications included in the 
IKE_SA_INIT exchange indicate the peers NAT-T capability and if a NAT situation 
is detected, UDP encapsulation is activated for IPsec. 

Does this mean ikev2 first exchange message(s) does not need to have any 
information on vendor ID payload for RFC 3947 specification. 
or is there any config option to enable this setting ? 


thanks ! 
best Regards, 
Deepak 

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Kernel panic with VTI tunnel

2015-03-16 Thread Mike Noordermeer

Hi,

Do you happen to have any more specific info on this bugfix? I would
rather not deviate from the Debian default kernels, so it would be
nice if I could point the maintainers to a specific fix that should be
backported.

Thanks,

Mike


On 15 March 2015 at 17:02, Andre Valentin avalen...@marcant.net wrote:
 Hi!

 Try kernel 3.18. There's a bugfix for an issue like this.

 Kind regards,

 André


 Am 15.03.2015 um 15:15 schrieb Mike Noordermeer:
 Hi,

 I am currently experiencing the same kernel panic on multiple hosts,
 with a quite recent Linux kernel, and was wondering if anyone here has
 an idea of what the issue could be, or how I could further debug it.
 Any help is appreciated.

 I am using Linux 3.16 (3.16.7-ckt4-3~bpo70+1 from Debian
 wheezy-backports) and Strongswan 5.2.1 (5.2.1-5~bpo70+1 form Debian
 wheezy-backports). I have a fairly 'simple' tunnel with a mark and a
 left/right subnet of 0/0, and disabled install_routes in Strongswan.
 Then I have a VTI device configured with the same mark. This all works
 well, but causes a kernel panic every few hours, always on the same
 spot. As far as I can see, no fixes for such an issue have been
 committed to the kernel since version 3.16.

 From the backtrace it seems that xfrm_input() in the kernel is hitting
 a NULL dereference, when dereferencing 'outer_mode' in the xfrm_state
 struct, this line to be precise:
 https://github.com/torvalds/linux/blob/2e71029e2c32ecd59a2e8f351517bfbbad42ac11/include/net/xfrm.h#L1807

 Any idea on why this could be NULL? Some config details and the full
 backtrace are below.

 Thanks,

 Mike

 
 Simplified ipsec.conf:
 

 config setup

 conn %default
 keyexchange = ikev2
 dpdaction = restart
 esp = aes128gcm128-modp4096!
 ike = aes128gcm128-prfsha256-modp4096!
 mobike = no
 auto = route

 conn myconnection
 left = x.x.x.x
 leftcert = leftcert.crt
 leftsubnet = 0.0.0.0/0
 right = y.y.y.y
 rightcert = rightcert.crt
 rightsubnet = 0.0.0.0/0
 mark = 15

 
 ip xfrm policy
 

 src 0.0.0.0/0 dst 0.0.0.0/0
 dir fwd priority 3075 ptype main
 mark 15/0x
 tmpl src y.y.y.y dst x.x.x.x
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 dir in priority 3075 ptype main
 mark 15/0x
 tmpl src y.y.y.y dst x.x.x.x
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 dir out priority 3075 ptype main
 mark 15/0x
 tmpl src x.x.x.x dst y.y.y.y
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket in priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket out priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket in priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket out priority 0 ptype main
 src ::/0 dst ::/0
 socket in priority 0 ptype main
 src ::/0 dst ::/0
 socket out priority 0 ptype main
 src ::/0 dst ::/0
 socket in priority 0 ptype main
 src ::/0 dst ::/0
 socket out priority 0 ptype main

 
 ip xfrm state
 

 src x.x.x.x dst y.y.y.y
 proto esp spi 0xcb5c6f72 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x3d1c9ae2f921fc088b2e54a1d1efcd3e4441e502 128
 src y.y.y.y dst x.x.x.x
 proto esp spi 0xcd742975 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x439dd5bf790a1f7ba1979d798757bab94f62776c 128
 src x.x.x.x dst y.y.y.y
 proto esp spi 0xc79db590 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x7bf0811323a4df1118680d30d4117ed403b60bd8 128
 src y.y.y.y dst x.x.x.x
 proto esp spi 0xc8e198f5 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x1f1f32fc74a0d8ba38b9aab67fbbfff1024cf265 128

 
 Kernel oops backtrace
 

 [31202.487290] BUG: unable to handle kernel NULL pointer dereference
 at 0034
 [31202.499656] IP: [814e4a12] xfrm_input+0x3d2/0x590
 [31202.502444] PGD 0
 [31202.503479] Oops:  [#1] SMP
 [31202.505121] Modules linked in: seqiv xfrm6_mode_tunnel
 xfrm4_mode_tunnel xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp
 esp4 ah4 af_key xfrm_algo act_police cls_basic cls_flow cls_fw cls_u32
 sch_tbf sch_prio sch_hfsc sch_htb sch_ingress sch_sfq xt_statistic
 xt_CT xt_realm xt_LOG iptable_raw xt_connlimit xt_addrtype xt_comment
 xt_nat xt_recent ipt_ULOG ipt_REJECT ipt_MASQUERADE ipt_ECN
 ipt_CLUSTERIP ipt_ah nf_nat_tftp nf_nat_snmp_basic nf_conntrack_snmp
 nf_nat_sip

Re: [strongSwan] Kernel panic with VTI tunnel

2015-03-16 Thread André Valentin

Hi,

take a look at this thread:
http://marc.info/?t=14249509271r=1w=2
The initial mail is attached. I couldn't verfy the error with vanilla, but your 
error looks like mine.
Have  fun;-)

André


Am 16.03.2015 um 09:18 schrieb Mike Noordermeer:
 Hi,

 Do you happen to have any more specific info on this bugfix? I would
 rather not deviate from the Debian default kernels, so it would be
 nice if I could point the maintainers to a specific fix that should be
 backported.

 Thanks,

 Mike


 On 15 March 2015 at 17:02, Andre Valentin avalen...@marcant.net wrote:
 Hi!

 Try kernel 3.18. There's a bugfix for an issue like this.

 Kind regards,

 André


 Am 15.03.2015 um 15:15 schrieb Mike Noordermeer:
 Hi,

 I am currently experiencing the same kernel panic on multiple hosts,
 with a quite recent Linux kernel, and was wondering if anyone here has
 an idea of what the issue could be, or how I could further debug it.
 Any help is appreciated.

 I am using Linux 3.16 (3.16.7-ckt4-3~bpo70+1 from Debian
 wheezy-backports) and Strongswan 5.2.1 (5.2.1-5~bpo70+1 form Debian
 wheezy-backports). I have a fairly 'simple' tunnel with a mark and a
 left/right subnet of 0/0, and disabled install_routes in Strongswan.
 Then I have a VTI device configured with the same mark. This all works
 well, but causes a kernel panic every few hours, always on the same
 spot. As far as I can see, no fixes for such an issue have been
 committed to the kernel since version 3.16.

 From the backtrace it seems that xfrm_input() in the kernel is hitting
 a NULL dereference, when dereferencing 'outer_mode' in the xfrm_state
 struct, this line to be precise:
 https://github.com/torvalds/linux/blob/2e71029e2c32ecd59a2e8f351517bfbbad42ac11/include/net/xfrm.h#L1807

 Any idea on why this could be NULL? Some config details and the full
 backtrace are below.

 Thanks,

 Mike

 
 Simplified ipsec.conf:
 

 config setup

 conn %default
 keyexchange = ikev2
 dpdaction = restart
 esp = aes128gcm128-modp4096!
 ike = aes128gcm128-prfsha256-modp4096!
 mobike = no
 auto = route

 conn myconnection
 left = x.x.x.x
 leftcert = leftcert.crt
 leftsubnet = 0.0.0.0/0
 right = y.y.y.y
 rightcert = rightcert.crt
 rightsubnet = 0.0.0.0/0
 mark = 15

 
 ip xfrm policy
 

 src 0.0.0.0/0 dst 0.0.0.0/0
 dir fwd priority 3075 ptype main
 mark 15/0x
 tmpl src y.y.y.y dst x.x.x.x
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 dir in priority 3075 ptype main
 mark 15/0x
 tmpl src y.y.y.y dst x.x.x.x
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 dir out priority 3075 ptype main
 mark 15/0x
 tmpl src x.x.x.x dst y.y.y.y
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket in priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket out priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket in priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket out priority 0 ptype main
 src ::/0 dst ::/0
 socket in priority 0 ptype main
 src ::/0 dst ::/0
 socket out priority 0 ptype main
 src ::/0 dst ::/0
 socket in priority 0 ptype main
 src ::/0 dst ::/0
 socket out priority 0 ptype main

 
 ip xfrm state
 

 src x.x.x.x dst y.y.y.y
 proto esp spi 0xcb5c6f72 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x3d1c9ae2f921fc088b2e54a1d1efcd3e4441e502 128
 src y.y.y.y dst x.x.x.x
 proto esp spi 0xcd742975 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x439dd5bf790a1f7ba1979d798757bab94f62776c 128
 src x.x.x.x dst y.y.y.y
 proto esp spi 0xc79db590 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x7bf0811323a4df1118680d30d4117ed403b60bd8 128
 src y.y.y.y dst x.x.x.x
 proto esp spi 0xc8e198f5 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x1f1f32fc74a0d8ba38b9aab67fbbfff1024cf265 128

 
 Kernel oops backtrace
 

 [31202.487290] BUG: unable to handle kernel NULL pointer dereference
 at 0034
 [31202.499656] IP: [814e4a12] xfrm_input+0x3d2/0x590
 [31202.502444] PGD 0
 [31202.503479] Oops:  [#1] SMP
 [31202.505121] Modules linked in: seqiv xfrm6_mode_tunnel
 xfrm4_mode_tunnel xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp
 esp4 ah4 af_key xfrm_algo act_police cls_basic cls_flow cls_fw cls_u32
 sch_tbf sch_prio sch_hfsc

Re: [strongSwan] Kernel panic with VTI tunnel

2015-03-16 Thread Mike Noordermeer

Thanks... that looks very much like the same bug indeed. I will diff
the various files of the Debian kernel and 3.18 vanilla to see if I
can spot the change that introduced it.

Regards,

Mike

On 16 March 2015 at 09:42, André Valentin avalen...@marcant.net wrote:
 Hi,

 take a look at this thread:
 http://marc.info/?t=14249509271r=1w=2
 The initial mail is attached. I couldn't verfy the error with vanilla, but 
 your error looks like mine.
 Have  fun;-)

 André


 Am 16.03.2015 um 09:18 schrieb Mike Noordermeer:
 Hi,

 Do you happen to have any more specific info on this bugfix? I would
 rather not deviate from the Debian default kernels, so it would be
 nice if I could point the maintainers to a specific fix that should be
 backported.

 Thanks,

 Mike


 On 15 March 2015 at 17:02, Andre Valentin avalen...@marcant.net wrote:
 Hi!

 Try kernel 3.18. There's a bugfix for an issue like this.

 Kind regards,

 André


 Am 15.03.2015 um 15:15 schrieb Mike Noordermeer:
 Hi,

 I am currently experiencing the same kernel panic on multiple hosts,
 with a quite recent Linux kernel, and was wondering if anyone here has
 an idea of what the issue could be, or how I could further debug it.
 Any help is appreciated.

 I am using Linux 3.16 (3.16.7-ckt4-3~bpo70+1 from Debian
 wheezy-backports) and Strongswan 5.2.1 (5.2.1-5~bpo70+1 form Debian
 wheezy-backports). I have a fairly 'simple' tunnel with a mark and a
 left/right subnet of 0/0, and disabled install_routes in Strongswan.
 Then I have a VTI device configured with the same mark. This all works
 well, but causes a kernel panic every few hours, always on the same
 spot. As far as I can see, no fixes for such an issue have been
 committed to the kernel since version 3.16.

 From the backtrace it seems that xfrm_input() in the kernel is hitting
 a NULL dereference, when dereferencing 'outer_mode' in the xfrm_state
 struct, this line to be precise:
 https://github.com/torvalds/linux/blob/2e71029e2c32ecd59a2e8f351517bfbbad42ac11/include/net/xfrm.h#L1807

 Any idea on why this could be NULL? Some config details and the full
 backtrace are below.

 Thanks,

 Mike

 
 Simplified ipsec.conf:
 

 config setup

 conn %default
 keyexchange = ikev2
 dpdaction = restart
 esp = aes128gcm128-modp4096!
 ike = aes128gcm128-prfsha256-modp4096!
 mobike = no
 auto = route

 conn myconnection
 left = x.x.x.x
 leftcert = leftcert.crt
 leftsubnet = 0.0.0.0/0
 right = y.y.y.y
 rightcert = rightcert.crt
 rightsubnet = 0.0.0.0/0
 mark = 15

 
 ip xfrm policy
 

 src 0.0.0.0/0 dst 0.0.0.0/0
 dir fwd priority 3075 ptype main
 mark 15/0x
 tmpl src y.y.y.y dst x.x.x.x
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 dir in priority 3075 ptype main
 mark 15/0x
 tmpl src y.y.y.y dst x.x.x.x
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 dir out priority 3075 ptype main
 mark 15/0x
 tmpl src x.x.x.x dst y.y.y.y
 proto esp reqid 1 mode tunnel
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket in priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket out priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket in priority 0 ptype main
 src 0.0.0.0/0 dst 0.0.0.0/0
 socket out priority 0 ptype main
 src ::/0 dst ::/0
 socket in priority 0 ptype main
 src ::/0 dst ::/0
 socket out priority 0 ptype main
 src ::/0 dst ::/0
 socket in priority 0 ptype main
 src ::/0 dst ::/0
 socket out priority 0 ptype main

 
 ip xfrm state
 

 src x.x.x.x dst y.y.y.y
 proto esp spi 0xcb5c6f72 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x3d1c9ae2f921fc088b2e54a1d1efcd3e4441e502 128
 src y.y.y.y dst x.x.x.x
 proto esp spi 0xcd742975 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x439dd5bf790a1f7ba1979d798757bab94f62776c 128
 src x.x.x.x dst y.y.y.y
 proto esp spi 0xc79db590 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x7bf0811323a4df1118680d30d4117ed403b60bd8 128
 src y.y.y.y dst x.x.x.x
 proto esp spi 0xc8e198f5 reqid 1 mode tunnel
 replay-window 32 flag af-unspec
 mark 15/0x
 aead rfc4106(gcm(aes)) 0x1f1f32fc74a0d8ba38b9aab67fbbfff1024cf265 128

 
 Kernel oops backtrace
 

 [31202.487290] BUG: unable to handle kernel NULL pointer dereference
 at 0034
 [31202.499656] IP: [814e4a12] xfrm_input+0x3d2/0x590
 [31202.502444]

Re: [strongSwan] StrongSwan Mac OS X app questions

2015-03-16 Thread Martin Willi

Ken,

 Are there any issues with DNS  StrongSwan Mac OS X app?  

The osx-attr plugin prepends the negotiated DNS servers to the currently
configured ones. You may check with scutil if that works as expected.

Not sure if keeping the current DNS servers installed is the best
approach, maybe we should remove the previous servers. But we currently
just add them to have them as a fallback.

 2. EAP-GTC authentication.  I would like to use EAP-GTC authentication
with the Mac app and would be willing to modify the app to add this
feature.

Currently the eap-gtc plugin is not included in the build we provide.
But I can do so for a next release. You may also check the build
instructions [1] if you want to try that yourself (a note of warning:
you need a code signing certificate to get thinks working).

 3.  Machine authentication.  Why doesn’t the Mac app require a client
 certificate for machine authentication, as is required for the native
 Mac client?

The native OS X client uses IKEv1, and usually XAuth. XAuth does both,
Certificate and Password client authentication, but it also can use
Hybrid Mode which skips certification authentication.

The strongSwan App uses IKEv2, currently with EAP. In that protocol
certificate client authentication is not included unless you do EAP-TTLS
and a password based EAP method. Of course one could use Multiple
Authentication as per RFC 4739, but as of now there is no option to
configure that on the client.

 4. Password configuration.  It would be nice to be able to configure
the user’s password, instead of having to enter it on every tunnel
invocation.

I agree, but such a functionality is still missing. Patches welcome; but
we should rely on the Keychain to have some level of security for that
password.

 Does the client cache the password for the entire session lifetime?
 Does the Mac app present the original password during
 re-authentication?

No, I don't think that makes sense. If you want to re-evaluate user
credentials and check if the same user still sits on that client, you'd
need to re-prompt for the password.

If you don't want to do that, instead of caching the password you may
just disable re-authentication on the server, and use rekeying instead.
You may do so in ipsec.conf by setting reauth=no. There is no security
benefit in going through re-authentaction if you cache the password
anyway.

While re-prompting for the password in some scenarios might make sense,
I don't think that this currently works. So there is probably no way
around setting reauth=no on your server.

Regards
Martin

[1]https://github.com/strongswan/strongswan/blob/master/src/frontends/osx/README.md

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Kernel panic with VTI tunnel

2015-03-16 Thread André Valentin

Hi!

Please try the patch which is attached to the initial email. That shoud fix it.
There is another bug with IPv6 which at first I ahrought at, but that's only
with NAT. So please ignore that. So diffinig vanilla isn't needed.

Kind regards,

André

Regards,

Mike

On 16 March 2015 at 09:42, André Valentin avalen...@marcant.net wrote:
Hi,

take a look at this thread:
http://marc.info/?t=14249509271r=1w=2
The initial mail is attached. I couldn't verfy the error with vanilla, but
your error looks like mine.
Have fun;-)

André

Am 16.03.2015 um 09:18 schrieb Mike Noordermeer:
Hi,

Thanks,

Mike

On 15 March 2015 at 17:02, Andre Valentin avalen...@marcant.net wrote:
Hi!

Try kernel 3.18. There's a bugfix for an issue like this.

Kind regards,

André

Am 15.03.2015 um 15:15 schrieb Mike Noordermeer:
Hi,

Any idea on why this could be NULL? Some config details and the full
backtrace are below.

Thanks,

Mike

Simplified ipsec.conf:

config setup

conn %default
keyexchange = ikev2
dpdaction = restart
esp = aes128gcm128-modp4096!
ike = aes128gcm128-prfsha256-modp4096!
mobike = no
auto = route

conn myconnection
left = x.x.x.x
leftcert = leftcert.crt
leftsubnet = 0.0.0.0/0
right = y.y.y.y
rightcert = rightcert.crt
rightsubnet = 0.0.0.0/0
mark = 15

ip xfrm policy

ip xfrm state

src x.x.x.x dst y.y.y.y
proto esp spi 0xcb5c6f72 reqid 1 mode tunnel
replay-window 32 flag af-unspec
mark 15/0x
aead rfc4106(gcm(aes)) 0x3d1c9ae2f921fc088b2e54a1d1efcd3e4441e502 128
src y.y.y.y dst x.x.x.x
proto esp spi 0xcd742975 reqid 1 mode tunnel
replay-window 32 flag af-unspec
mark 15/0x
aead rfc4106(gcm(aes)) 0x439dd5bf790a1f7ba1979d798757bab94f62776c 128
src x.x.x.x dst y.y.y.y
proto esp spi 0xc79db590 reqid 1 mode tunnel
replay-window 32 flag af-unspec
mark 15/0x
aead rfc4106(gcm(aes)) 0x7bf0811323a4df1118680d30d4117ed403b60bd8 128
src y.y.y.y dst x.x.x.x
proto esp spi 0xc8e198f5 reqid 1 mode tunnel
replay-window 32 flag af-unspec
mark 15/0x
aead rfc4106(gcm(aes))

Re: [strongSwan] StrongSwan Mac OS X app questions

2015-03-16 Thread Fred


On 16/03/2015 08:23, Martin Willi wrote:

Ken,


Are there any issues with DNS  StrongSwan Mac OS X app?


The osx-attr plugin prepends the negotiated DNS servers to the currently
configured ones. You may check with scutil if that works as expected.

Not sure if keeping the current DNS servers installed is the best
approach, maybe we should remove the previous servers. But we currently
just add them to have them as a fallback.


In my case the local DNS server was being used instead of the DNS 
servers added by strongSwan. I could clearly see the them added in the 
both the strongSwan logfile and also in the output of scutil --dns.


If I deleted them all and then added just the ones via the VPN, it all 
worked fine.


Personally I think removing the previous servers would be better. This 
problem did go away in Yosemite so maybe it was a bug in previous 
versions of Mac OS X or odd expected behaviour.

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] udp packet size

Re: [strongSwan] Kernel panic with VTI tunnel

Re: [strongSwan] udp packet size

Re: [strongSwan] Kernel panic with VTI tunnel

Re: [strongSwan] ikev2 strongswan IKE_SA_INIT not have RFC 3947 Specification Vendor ID payload

Re: [strongSwan] Kernel panic with VTI tunnel

Re: [strongSwan] Kernel panic with VTI tunnel

Re: [strongSwan] Kernel panic with VTI tunnel

Re: [strongSwan] StrongSwan Mac OS X app questions

Re: [strongSwan] Kernel panic with VTI tunnel

Re: [strongSwan] StrongSwan Mac OS X app questions

11 matches

Site Navigation

Mail list logo

Footer information