[strongSwan] strongSwan consulting

2017-11-20 Thread Jeff
Does the strongSwan project still provide consulting services?  I have
been unable to reach the posted consulting contact
andreas.stef...@strongswan.org .

thanks,
Jeff


Re: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

2017-11-20 Thread Bugakov, Alexander
Sorry for wasting your time; I instead used the recipe provided at
https://github.com/jawj/IKEv2-setup and it configured StrongSwan for
me flawlessly - it now works with Android and Windows 10 clients.

Works like a charm, much faster and better than commercial VPN providers.

On Mon, Nov 20, 2017 at 8:15 PM, Anvar Kuchkartaev  wrote:
>
> You can try to remove/comment out the ike= and esp= lines and try to connect
> to the server (leaving it to use the default strongSwan ciphers).
>
> Anvar Kuchkartaev
> an...@anvartay.com
>   Original Message
> From: Bugakov, Alexander
> Sent: lunes, 20 de noviembre de 2017 04:30 p.m.
> To: users@lists.strongswan.org
> Reply To: a...@bougakov.com
> Subject: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & 
> Digital Ocean's VPN tutorial
>
>
> Hello,
>
> I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
> configured server using this tutorial -
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
>
> I created a fresh Ubuntu instance, got the IP address 128.199.36.88 and
> followed all steps in the guide. I saved server-root-ca.pem to my
> Android phone and installed it. I obtained the StrongSwan client from
> Google Play and added a profile, choosing the cert and specifying my
> password and login name.
>
> I am getting the following in charon's log on Android:
>
> Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
> 5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
> Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
> Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
> android-log openssl fips-prf random nonce pubkey chapoly curve25519
> pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
> eap-mschapv2 eap-md5 eap-gtc eap-tls x509
> Nov 20 17:54:40 00[JOB] spawning 16 worker threads
> Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
> Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
> 128.199.36.88[500] (704 bytes)
> Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
> 10.220.173.129[46526] (36 bytes)
> Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error
>
> Here is the log on the server's side:
>
> Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
> 31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
> Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
> Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
> Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
> 31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
> Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
> Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
> N
>
> Here is my /etc/ipsec.conf:
>
> config setup
> charondebug="ike 1, knl 1, cfg 0"
> uniqueids=no
>
> conn ikev2-vpn
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
> ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> esp=aes256-sha1,3des-sha1!
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftid=128.199.36.88
> leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> right=%any
> rightid=%any
> rightauth=eap-mschapv2
> rightdns=8.8.8.8,8.8.4.4
> rightsourceip=10.10.10.0/24
> rightsendcert=never
> eap_identity=%identity
>
> My /etc/ipsec.secrets contains:
>
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
>
> What might be the issue?
>
> Thank you.
>
> A.
>
>


Re: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

2017-11-20 Thread Anvar Kuchkartaev
You can try to remove/comment out the ike= and esp= lines and try to connect to the
server (leaving it to use the default strongSwan ciphers).

Anvar Kuchkartaev 
an...@anvartay.com 
  Original Message  
> From: Bugakov, Alexander
> Sent: lunes, 20 de noviembre de 2017 04:30 p.m.
> To: users@lists.strongswan.org
> Reply To: a...@bougakov.com
> Subject: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error &
> Digital Ocean's VPN tutorial
>
>
> Hello,
>
> I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
> configured server using this tutorial -
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
>
> I created a fresh Ubuntu instance, got the IP address 128.199.36.88 and
> followed all steps in the guide. I saved server-root-ca.pem to my
> Android phone and installed it. I obtained the StrongSwan client from
> Google Play and added a profile, choosing the cert and specifying my
> password and login name.
>
> I am getting the following in charon's log on Android:
>
> Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
> 5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
> Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
> Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
> android-log openssl fips-prf random nonce pubkey chapoly curve25519
> pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
> eap-mschapv2 eap-md5 eap-gtc eap-tls x509
> Nov 20 17:54:40 00[JOB] spawning 16 worker threads
> Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
> Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
> 128.199.36.88[500] (704 bytes)
> Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
> 10.220.173.129[46526] (36 bytes)
> Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error
>
> Here is the log on the server's side:
>
> Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
> 31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
> Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
> Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
> Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
> 31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
> Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
> Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
> N
>
> Here is my /etc/ipsec.conf:
>
> config setup
> charondebug="ike 1, knl 1, cfg 0"
> uniqueids=no
>
> conn ikev2-vpn
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
> ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> esp=aes256-sha1,3des-sha1!
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftid=128.199.36.88
> leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> right=%any
> rightid=%any
> rightauth=eap-mschapv2
> rightdns=8.8.8.8,8.8.4.4
> rightsourceip=10.10.10.0/24
> rightsendcert=never
> eap_identity=%identity
>
> My /etc/ipsec.secrets contains:
>
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
>
> What might be the issue?
>
> Thank you.
>
> A.




Re: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

2017-11-20 Thread Andreas Steffen
Hi Alexander,

Could you increase the debug level to "cfg 2" on the server? That would
show the received and installed crypto algorithms.

Regards

Andreas

On 20.11.2017 16:30, Bugakov, Alexander wrote:
>  Hello,
> 
> I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
> configured server using this tutorial -
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
> 
> I created a fresh Ubuntu instance, got the IP address 128.199.36.88 and
> followed all steps in the guide. I saved server-root-ca.pem to my
> Android phone and installed it. I obtained the StrongSwan client from
> Google Play and added a profile, choosing the cert and specifying my
> password and login name.
> 
> I am getting the following in charon's log on Android:
> 
> Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
> 5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
> Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
> Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
> android-log openssl fips-prf random nonce pubkey chapoly curve25519
> pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
> eap-mschapv2 eap-md5 eap-gtc eap-tls x509
> Nov 20 17:54:40 00[JOB] spawning 16 worker threads
> Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
> Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
> 128.199.36.88[500] (704 bytes)
> Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
> 10.220.173.129[46526] (36 bytes)
> Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error
> 
> Here is the log on the server's side:
> 
> Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
> 31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
> Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
> Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
> Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
> 31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
> Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
> Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
> N
> 
> Here is my /etc/ipsec.conf:
> 
> config setup
> charondebug="ike 1, knl 1, cfg 0"
> uniqueids=no
> 
> conn ikev2-vpn
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
> ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> esp=aes256-sha1,3des-sha1!
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftid=128.199.36.88
> leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> right=%any
> rightid=%any
> rightauth=eap-mschapv2
> rightdns=8.8.8.8,8.8.4.4
> rightsourceip=10.10.10.0/24
> rightsendcert=never
> eap_identity=%identity
> 
> My  /etc/ipsec.secrets contains:
> 
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
> 
> What might be the issue?
> 
> Thank you.
> 
> A.
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==





Re: [strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Rajiv Kulkarni
Hello Andreas

Thanks for the help..

Yes!!! It works! I did just as mentioned in the example shown by you.


==
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc# ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, Linux 4.4.0-31-generic, i686):
  uptime: 20 seconds, since Nov 20 22:20:41 2017
  malloc: sbrk 2449408, mmap 0, used 315904, free 2133504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
  loaded plugins: charon ldap aes des blowfish rc2 sha2 sha1 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
sqlite attr kernel-netlink resolve socket-default forecast farp stroke vici
updown eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip
error-notify unity
Listening IP addresses:
  2.2.2.59
  192.168.110.25
  192.168.24.25
  10.232.90.125
  192.168.33.25
  172.17.1.25
  192.168.25.1
Connections:
   togw1:  2.2.2.59...97.1.1.201  IKEv1, dpddelay=30s
   togw1:   local:  [2.2.2.59] uses pre-shared key authentication
   togw1:   remote: [97.1.1.201] uses pre-shared key authentication
   togw1:   child:  192.168.25.0/24 === 192.168.22.0/24 TUNNEL,
dpdaction=clear
Routed Connections:
   togw1{1}:  ROUTED, TUNNEL, reqid 1
   togw1{1}:   192.168.25.0/24 === 192.168.22.0/24
Security Associations (1 up, 0 connecting):
   togw1[1]: ESTABLISHED 8 seconds ago,
2.2.2.59[2.2.2.59]...97.1.1.201[97.1.1.201]
   togw1[1]: IKEv1 SPIs: 61cc45661e76b9e7_i 9182e288ae7b2058_r*,
pre-shared key reauthentication in 23 hours
   togw1[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   togw1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4c01d32_i
c25a27dc_o
   togw1{2}:  AES_CBC_128/HMAC_SHA1_96, 168 bytes_i (2 pkts, 7s ago),
168 bytes_o (2 pkts, 7s ago), rekeying in 17 hours
   togw1{2}:   192.168.25.0/24 === 192.168.22.0/24
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc# iptables -nvL
Chain INPUT (policy ACCEPT 116 packets, 19111 bytes)
 pkts bytes target prot opt in out source
destination
2   168 ACCEPT all  --  eth0   *   192.168.22.0/24
192.168.25.0/24  policy match dir in pol ipsec reqid 1 proto 50

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source
destination
0 0 ACCEPT all  --  eth0   *   192.168.22.0/24
192.168.25.0/24  policy match dir in pol ipsec reqid 1 proto 50
0 0 ACCEPT all  --  *  eth0192.168.25.0/24
192.168.22.0/24  policy match dir out pol ipsec reqid 1 proto 50

Chain OUTPUT (policy ACCEPT 70 packets, 10236 bytes)
 pkts bytes target prot opt in out source
destination
2   168 ACCEPT all  --  *  eth0192.168.25.0/24
192.168.22.0/24  policy match dir out pol ipsec reqid 1 proto 50
root@lssimgw2:/usr/local/etc#
root@lssimgw2:/usr/local/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
strictcrlpolicy=no
charondebug="ike 1,chd 1,knl 1,cfg 1"

conn %default
ikelifetime=24h
keylife=18h
mobike=no
dpddelay=30s
dpdtimeout=90s
dpdaction=clear
rightfirewall=yes
righthostaccess=yes

conn togw1
right=2.2.2.59
left=97.1.1.201
leftsubnet=192.168.22.0/24
rightsubnet=192.168.25.0/24
leftauth=psk
rightauth=psk
type=tunnel
keyexchange=ikev1
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
auto=route
root@lssimgw2:/usr/local/etc#
=


Never expected, or rather never knew, that we could swap the left/right roles
too... It's just what you assign...

Thank you... learnt something worthwhile today.

regards
Rajiv




On Mon, Nov 20, 2017 at 8:59 PM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajiv,
>
> if "left" is local and "right" is remote then only
> leftfirewall and lefthostaccess are defined.
>
> rightfirewall and righthostaccess are used when
> "right" is local and "left" is remote as in the
> following scenario where sides are swapped:
>
>
> https://www.strongswan.net/testing/testresults/ikev2/config-
> payload-swapped/
>
> Regards
>
> Andreas
>
> On 20.11.2017 15:15, Rajiv Kulkarni wrote:
>
>> Hi
>>
>> I have a ipsec tunnel deployed/configured as below:
>>
>> PC1(lan)[GW1](wan)=IPSEC(wan)[GW2](lan)---PC2
>>
>> PC1-ipaddr: 192.168.22.x
>> PC2-ipaddr: 192.168.25.x
>>
>> GW1-lan-ipaddr: 192.168.22.1
>> GW2-lan-ipaddr: 192.168.25.1
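
The point Andreas makes above is that only the options named after the local side take effect. The Python below is an added example, not strongSwan's _updown script and not code from the thread: it resolves left/right to local/remote from the host's own addresses, as the working togw1 config on lssimgw2 does, reports which firewall/hostaccess options are live or silently ignored, and renders the iptables rules in the shape of the quoted `iptables -nvL` output. The fallback to left when no address matches, and the exact rule text, are assumptions modelled on this thread.

```python
"""Resolve which side of an ipsec.conf conn is local and which
*firewall / *hostaccess options therefore do anything.

Assumptions (not strongSwan code): the local side is the one whose left= or
right= address is held by this host, falling back to left if neither is;
the rule text is modelled on the `iptables -nvL` output quoted in the thread.
"""
import ipaddress


def parse_conn(text):
    """Parse key=value lines of one conn section into a dict (comments stripped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def local_side(conn, host_addrs):
    """Return 'left' or 'right': the end whose address belongs to this host."""
    mine = {ipaddress.ip_address(a) for a in host_addrs}
    for side in ("left", "right"):
        addr = conn.get(side, "%any")
        if not addr.startswith("%") and ipaddress.ip_address(addr) in mine:
            return side
    return "left"  # assumed default when neither address is ours


def effective_options(conn, host_addrs):
    """Which firewall/hostaccess options apply, and which are silently ignored."""
    me = local_side(conn, host_addrs)
    peer = "right" if me == "left" else "left"
    on = lambda key: conn.get(key, "no") == "yes"
    return {
        "local": me,
        "firewall": on(me + "firewall"),
        "hostaccess": on(me + "hostaccess"),
        # set under the remote side's name: the updown script never sees them
        "ignored": [k for k in (peer + "firewall", peer + "hostaccess") if on(k)],
        "local_subnet": conn.get(me + "subnet"),
        "remote_subnet": conn.get(peer + "subnet"),
    }


def updown_rules(conn, host_addrs, iface="eth0", reqid=1):
    """iptables commands the updown script would add, in the thread's shape:
    *firewall=yes -> FORWARD rules, *hostaccess=yes -> INPUT/OUTPUT rules."""
    eff = effective_options(conn, host_addrs)
    local, remote = eff["local_subnet"], eff["remote_subnet"]
    inbound = (f"-i {iface} -s {remote} -d {local} -m policy --dir in "
               f"--pol ipsec --reqid {reqid} --proto esp -j ACCEPT")
    outbound = (f"-o {iface} -s {local} -d {remote} -m policy --dir out "
                f"--pol ipsec --reqid {reqid} --proto esp -j ACCEPT")
    rules = []
    if eff["firewall"]:
        rules += [f"iptables -I FORWARD {inbound}", f"iptables -I FORWARD {outbound}"]
    if eff["hostaccess"]:
        rules += [f"iptables -I INPUT {inbound}", f"iptables -I OUTPUT {outbound}"]
    return rules


# The working conn from the thread, with the %default options folded in
# (constructed from the posted ipsec.conf, not copied verbatim).
CONN_TOGW1 = """
conn togw1
    right=2.2.2.59
    left=97.1.1.201
    leftsubnet=192.168.22.0/24
    rightsubnet=192.168.25.0/24
    rightfirewall=yes
    righthostaccess=yes
"""
# Same conn with the options set under the remote side's name.
CONN_WRONG_SIDE = (CONN_TOGW1.replace("rightfirewall", "leftfirewall")
                             .replace("righthostaccess", "lefthostaccess"))
GW2_ADDRS = ["2.2.2.59", "192.168.25.1"]  # from the "Listening IP addresses" list

if __name__ == "__main__":
    for name, text in (("togw1", CONN_TOGW1), ("wrong side", CONN_WRONG_SIDE)):
        conn = parse_conn(text)
        print(name, effective_options(conn, GW2_ADDRS))
        for rule in updown_rules(conn, GW2_ADDRS):
            print("  ", rule)
```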

[strongSwan] StrongSwan reply to system in error case

2017-11-20 Thread Alexander.Camek
Hi,

Currently StrongSwan logs all information. Additionally, you can get a lot of
information when you start ipsec with --nofork --all. But is it possible to
get a reply directly from strongswan? Especially when there is a certificate
error or mismatch, or if ipsec / ike has some other errors? Or is it only
possible to get the information by using the vici plugin, and not directly from
strongswan itself?

Thanks for your help.

Kind regards

Alexander Camek


Re: [strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Andreas Steffen

Hi Rajiv,

if "left" is local and "right" is remote then only
leftfirewall and lefthostaccess are defined.

rightfirewall and righthostaccess are used when
"right" is local and "left" is remote as in the
following scenario where sides are swapped:


https://www.strongswan.net/testing/testresults/ikev2/config-payload-swapped/

Regards

Andreas

On 20.11.2017 15:15, Rajiv Kulkarni wrote:

> Hi
>
> I have an ipsec tunnel deployed/configured as below:
>
> PC1(lan)[GW1](wan)=IPSEC(wan)[GW2](lan)---PC2
>
> PC1-ipaddr: 192.168.22.x
> PC2-ipaddr: 192.168.25.x
>
> GW1-lan-ipaddr: 192.168.22.1
> GW2-lan-ipaddr: 192.168.25.1
>
>
> I see that to allow access to 192.168.22.1 from PC2 (via the ipsec
> tunnel) I should use the options "lefthostaccess=yes" (and also
> leftfirewall=yes) on GW1
>
> And when we use the options.. we have the following iptables rules added
> on GW1 (through the updown script automatically whenever the tunnel is UP)
>
> ---
> root@lssimgw1:/usr/local/etc# iptables -nvL
> Chain INPUT (policy ACCEPT 52 packets, 4680 bytes)
>   pkts bytes target prot opt in out source
> destination
>  0 0 ACCEPT all  --  eth0   * 192.168.22.0/24
>  192.168.25.0/24
> policy match dir in pol ipsec reqid 1 proto 50
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>   pkts bytes target prot opt in out source
> destination
>  0 0 ACCEPT all  --  eth0   * 192.168.22.0/24
>  192.168.25.0/24
> policy match dir in pol ipsec reqid 1 proto 50
>  0 0 ACCEPT all  --  *  eth0 192.168.25.0/24
>  192.168.22.0/24
> policy match dir out pol ipsec reqid 1 proto 50
>
> Chain OUTPUT (policy ACCEPT 40 packets, 3976 bytes)
>   pkts bytes target prot opt in out source
> destination
>  0 0 ACCEPT all  --  *  eth0 192.168.25.0/24
>  192.168.22.0/24
> policy match dir out pol ipsec reqid 1 proto 50
> root@lssimgw1:/usr/local/etc#
>
>
> - So once we have the above firewall rules in place in the INPUT/OUTPUT
> chains.. we can access the GW1 LAN IP from PC2 via the ipsec tunnel
> successfully...
> - The same observation is made when using the lefthostaccess
> option on GW2 too..
>
>
>
> Now if I use "righthostaccess=yes"... I don't see any rules getting added
> in the INPUT/OUTPUT chains... neither in GW1 nor in GW2
>
> - So my query is: what's the use of the option
> "righthostaccess=yes"... where and when do we use this option?
>
>
> thanks & regards
> Rajiv





--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==





[strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

2017-11-20 Thread Bugakov, Alexander
 Hello,

I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
configured server using this tutorial -
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04

I created a fresh Ubuntu instance, got the IP address 128.199.36.88 and
followed all steps in the guide. I saved server-root-ca.pem to my
Android phone and installed it. I obtained the StrongSwan client from
Google Play and added a profile, choosing the cert and specifying my
password and login name.

I am getting the following in charon's log on Android:

Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
android-log openssl fips-prf random nonce pubkey chapoly curve25519
pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Nov 20 17:54:40 00[JOB] spawning 16 worker threads
Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
128.199.36.88[500] (704 bytes)
Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
10.220.173.129[46526] (36 bytes)
Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error

Here is the log on the server's side:

Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
[ N(NO_PROP) ]
Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
[ N(NO_PROP) ]
Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
N

Here is my /etc/ipsec.conf:

config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no

conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=128.199.36.88
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity

My  /etc/ipsec.secrets contains:

128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
vpnusername %any% : EAP "vpnpasswordredacted"

What might be the issue?

Thank you.

A.
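
The NO_PROPOSAL_CHOSEN above comes down to set intersection between the server's ike= line and what the initiator offers. The Python below is an added example, not code from the thread or from strongSwan: it parses ipsec.conf proposal strings, replays the responder's choice, and flags the algorithms in the posted line (3des, modp1024, sha1) that a new deployment should drop. The initiator offers are constructed; the logs in the thread were taken at cfg 0 and do not show the client's transforms.

```python
"""Model IKEv2 proposal selection for a strongSwan ipsec.conf ike= line.

A NO_PROPOSAL_CHOSEN answer means no (encryption, integrity/PRF, DH group)
triple offered by the initiator is accepted by the responder's ike= list.
Proposal syntax follows ipsec.conf: comma-separated proposals, each a
'-'-joined list of algorithm tokens; a trailing '!' makes the list strict
(the built-in default proposals are not appended).
"""
from dataclasses import dataclass

# Token classes. Kept deliberately short: the names used in this thread plus a
# few common modern ones. Real charon knows many more.
ENCR = {"aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16",
        "chacha20poly1305", "3des"}
INTEG = {"sha1", "sha256", "sha384", "sha512",
         "prfsha256", "prfsha384", "prfsha512"}  # PRF-only tokens for AEAD
DH = {"modp1024", "modp2048", "modp3072", "modp4096",
      "ecp256", "ecp384", "curve25519"}
# Algorithms a defender should not accept in a new deployment.
WEAK = {"3des": "64-bit block cipher", "modp1024": "1024-bit MODP group",
        "sha1": "SHA-1 integrity/PRF"}


@dataclass
class Proposal:
    encr: list
    integ: list
    dh: list


def parse_proposals(spec):
    """'aes256-sha1-modp1024,3des-sha1-modp1024!' -> (list of Proposal, strict)."""
    strict = spec.endswith("!")
    props = []
    for text in spec.rstrip("!").split(","):
        p = Proposal([], [], [])
        for tok in text.split("-"):
            bucket = (p.encr if tok in ENCR else p.integ if tok in INTEG
                      else p.dh if tok in DH else None)
            if bucket is None:
                raise ValueError(f"unknown algorithm token {tok!r} in {text!r}")
            if tok not in bucket:
                bucket.append(tok)
        if not (p.encr and p.integ and p.dh):
            raise ValueError(f"IKE proposal {text!r} needs encr, integ/prf and dh")
        props.append(p)
    return props, strict


def choose_proposal(responder_spec, initiator_spec):
    """Return the (encr, integ, dh) triple a responder configured with
    responder_spec picks from initiator_spec, or None (NO_PROPOSAL_CHOSEN).
    The responder's configured order wins here, matching charon's default of
    preferring its own proposals over the initiator's order."""
    responder, _ = parse_proposals(responder_spec)
    initiator, _ = parse_proposals(initiator_spec)
    for r in responder:
        for i in initiator:
            e = [a for a in r.encr if a in i.encr]
            m = [a for a in r.integ if a in i.integ]
            d = [a for a in r.dh if a in i.dh]
            if e and m and d:
                return (e[0], m[0], d[0])
    return None


def weak_algorithms(spec):
    """Tokens in spec that appear in WEAK, with the reason, in first-seen order."""
    seen, found = set(), []
    for text in spec.rstrip("!").split(","):
        for tok in text.split("-"):
            if tok in WEAK and tok not in seen:
                seen.add(tok)
                found.append((tok, WEAK[tok]))
    return found


# The server's line from the thread.
SERVER_IKE = "aes256-sha1-modp1024,3des-sha1-modp1024!"
# Constructed initiator offers (not taken from the thread's logs, which were
# captured at cfg 0 and do not show the client's transforms).
MODERN_CLIENT = ("aes256-sha256-modp3072,aes128gcm16-prfsha256-ecp256,"
                 "chacha20poly1305-prfsha256-curve25519")
LEGACY_CLIENT = "aes256-sha256-modp2048,aes256-sha1-modp1024"

if __name__ == "__main__":
    print("modern client:", choose_proposal(SERVER_IKE, MODERN_CLIENT))  # None
    print("legacy client:", choose_proposal(SERVER_IKE, LEGACY_CLIENT))  # ('aes256', 'sha1', 'modp1024')
    for tok, why in weak_algorithms(SERVER_IKE):
        print(f"weak: {tok} ({why})")
```

Running it reproduces the thread's failure: an initiator without modp1024 and sha1 in a single proposal gets NO_PROPOSAL_CHOSEN, while the legacy offer is accepted only on the weak triple.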


[strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Rajiv Kulkarni
Hi

I have a ipsec tunnel deployed/configured as below:

PC1(lan)[GW1](wan)=IPSEC(wan)[GW2](lan)---PC2

PC1-ipaddr: 192.168.22.x
PC2-ipaddr: 192.168.25.x

GW1-lan-ipaddr: 192.168.22.1
GW2-lan-ipaddr: 192.168.25.1


I see that to allow access to 192.168.22.1 from PC2 (via the ipsec tunnel)
I should use the options "lefthostaccess=yes" (and also leftfirewall=yes)
on GW1

And when we use the options.. we have the following iptables rules added on
GW1 (through the updown script automatically whenever the tunnel is UP)

---
root@lssimgw1:/usr/local/etc# iptables -nvL
Chain INPUT (policy ACCEPT 52 packets, 4680 bytes)
 pkts bytes target prot opt in out source
destination
0 0 ACCEPT all  --  eth0   *   192.168.22.0/24
192.168.25.0/24  policy match dir in pol ipsec reqid 1 proto 50

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source
destination
0 0 ACCEPT all  --  eth0   *   192.168.22.0/24
192.168.25.0/24  policy match dir in pol ipsec reqid 1 proto 50
0 0 ACCEPT all  --  *  eth0192.168.25.0/24
192.168.22.0/24  policy match dir out pol ipsec reqid 1 proto 50

Chain OUTPUT (policy ACCEPT 40 packets, 3976 bytes)
 pkts bytes target prot opt in out source
destination
0 0 ACCEPT all  --  *  eth0192.168.25.0/24
192.168.22.0/24  policy match dir out pol ipsec reqid 1 proto 50
root@lssimgw1:/usr/local/etc#


- So once we have the above firewall rules in place in the INPUT/OUTPUT
chains.. we can access the GW1 LAN IP from PC2 via the ipsec tunnel
successfully...
- The same observation is made when using the lefthostaccess option
on GW2 too..



Now if I use "righthostaccess=yes"... I don't see any rules getting added in
the INPUT/OUTPUT chains... neither in GW1 nor in GW2

- So my query is: what's the use of the option "righthostaccess=yes"... where
and when do we use this option?


thanks & regards
Rajiv


Re: [strongSwan] IPSec+L2TP connection randomly drops

2017-11-20 Thread Noel Kuntze
It's certainly not something with strongSwan. Maybe Windows tries to access 
some URL to check connectivity, like Android and iOS do.

On 19.11.2017 17:03, Mek wrote:
> In the meantime, the connection dropped even if it was active, e.g. there was 
> a video stream going through. And the connection dropped on both clients I 
> was testing, simultaneously, and that makes me think there is something wrong 
> with the VPN server, not clients. Also L2TP IPSec connection works without 
> interruption from the same clients when connecting to a Mikrotik.
> 
> 
> Dňa 19.11.2017 o 14:00 Noel Kuntze napísal(a):
>> Hi,
>>
>> As you can see for yourself, the initiator deletes the CHILD_SA in every 
>> case. Windows 10's VPN implementation was broken a lot of times in the past, 
>> so I wouldn't be surprised if they did not implement inactivity timers
>> and reestablishment correctly. AFAIK the Windows 10 VPN implementation does 
>> not try to keep the CHILD_SA up at all times and you can't change that.
>>
>> Kind regards
>>
>> Noel
>>
>> On 18.11.2017 22:52, Mek wrote:
>>> Hello,
>>>
>>> I successfully configured strongswan + xl2tpd and it works, but the connection 
>>> is randomly dropped and not re-established. I need the tunnel to be 
>>> permanently established, with no inactivity timeouts and such stuff. Once 
>>> it was dropped after (roughly) 9 hours of inactivity, the second time after a 
>>> few hours of inactivity, and the last time after half an hour of inactivity 
>>> (this last time I tested it with 2 clients and both got disconnected at the 
>>> same time, so I guess the problem is somewhere on the server). Clients are 
>>> Windows 10 machines and are behind NAT. The server is not behind NAT and has a 
>>> public IP, no firewall. I am using a pre-shared key with mschapv2, no 
>>> certificates. On the server, all software is at the latest version.
>>>
>>> Output of ipsec statusall:
>>>
>>> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-4-amd64, x86_64):
>>>    uptime: 17 days, since Nov 01 14:19:07 2017
>>>    malloc: sbrk 1486848, mmap 0, used 417888, free 1068960
>>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
>>> scheduled: 26
>>>    loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 
>>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
>>> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
>>> socket-default connmark stroke updown
>>> Listening IP addresses:
>>>    (public server IPv4 address)
>>>    (public server IPv6 address)
>>> Connections:
>>>    bypass:  (public server IPv4 address)...%any  IKEv1/2
>>>    bypass:   local:  [(public server IPv4 address)] uses public key 
>>> authentication
>>>    bypass:   remote: uses public key authentication
>>>    bypass:   child:  dynamic === 158.193.0.0/16 PASS
>>> L2TP-PSK-noNAT:  (public server IPv4 address)...%any  IKEv1/2, dpddelay=10s
>>> L2TP-PSK-noNAT:   local:  [(public server IPv4 address)] uses pre-shared 
>>> key authentication
>>> L2TP-PSK-noNAT:   remote: uses pre-shared key authentication
>>> L2TP-PSK-noNAT:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT, 
>>> dpdaction=clear
>>> Shunted Connections:
>>>    bypass:  dynamic === 158.193.0.0/16 PASS
>>> Security Associations (0 up, 0 connecting):
>>>    none
>>>
>>> Note I have censored IPv4 and IPv6 addresses of the server. The 
>>> 158.193.0.0/16 is just a network I was testing split tunnelling which 
>>> didn't work but I don't think it has anything to do with the connections 
>>> being dropped. Server is configured to hand out IPs in range 172.27.27.2 - 
>>> 254, IP 172.27.27.1 should be the server (or gateway) itself.
>>>
>>> Anyway, syslog output is this - it is from 17 Nov 10:56 when such 
>>> disconnection after 9 hours happened (sorry it's a bit lengthy):
>>>
>>> Nov 17 10:56:25 frogy-vpn charon: 06[NET] received packet: from (client 
>>> public IP)[4500] to (server public IP)[4500] (92 bytes)
>>> Nov 17 10:56:25 frogy-vpn charon: 06[ENC] parsed INFORMATIONAL_V1 request 
>>> 718827516 [ HASH D ]
>>> Nov 17 10:56:25 frogy-vpn charon: 06[IKE] received DELETE for IKE_SA 
>>> L2TP-PSK-noNAT[123]
>>> Nov 17 10:56:25 frogy-vpn charon: 06[IKE] deleting IKE_SA 
>>> L2TP-PSK-noNAT[123] between (server public IP)[(server public 
>>> IP)]...(client public IP)[10.16.32.227]
>>> Nov 17 10:56:56 frogy-vpn charon: 10[NET] received packet: from (client 
>>> public IP)[4500] to (server public IP)[4500] (408 bytes)
>>> Nov 17 10:56:56 frogy-vpn charon: 10[ENC] parsed ID_PROT request 0 [ SA V V 
>>> V V V V V V ]
>>> Nov 17 10:56:56 frogy-vpn charon: 10[ENC] received unknown vendor ID: 
>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
>>> Nov 17 10:56:56 frogy-vpn charon: 10[IKE] received MS NT5 ISAKMPOAKLEY 
>>> vendor ID
>>> Nov 17 10:56:56 frogy-vpn charon: 10[IKE] received NAT-T (RFC 3947) vendor 
>>> ID
>>> Nov 17 10:56:56 frogy-vpn charon: 10[IKE] received 
>>>