Re: [strongSwan] Common value for DPD timeout
Hi Youngsang,

since IKEv2 uses INFORMATIONAL requests for DPD, the regular retransmission scheme for IKEv2 messages with 5 trials applies. See the following sample scenario with dpddelay = 10 seconds:

http://www.strongswan.org/uml/testresults42/ikev2/dpd-clear/

Jan 21 01:55:15 moon charon: 11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# DPD message sent after dpddelay = 10s:
Jan 21 01:55:25 moon charon: 12[IKE] sending DPD request
Jan 21 01:55:25 moon charon: 12[ENC] generating INFORMATIONAL request 0 [ ]
Jan 21 01:55:25 moon charon: 12[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# First retransmission after 4 seconds:
Jan 21 01:55:29 moon charon: 13[IKE] retransmit 1 of request with message ID 0
Jan 21 01:55:29 moon charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Second retransmission after another 7 seconds:
Jan 21 01:55:36 moon charon: 15[IKE] retransmit 2 of request with message ID 0
Jan 21 01:55:36 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Third retransmission after another 13 seconds:
Jan 21 01:55:49 moon charon: 03[IKE] retransmit 3 of request with message ID 0
Jan 21 01:55:49 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Fourth retransmission after another 24 seconds:
Jan 21 01:56:13 moon charon: 11[IKE] retransmit 4 of request with message ID 0
Jan 21 01:56:13 moon charon: 11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Fifth retransmission after another 42 seconds:
Jan 21 01:56:55 moon charon: 16[IKE] retransmit 5 of request with message ID 0
Jan 21 01:56:55 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# No answer - peer is declared dead after 2 minutes and 45 seconds:
Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits

This behaviour is hard-coded and cannot be changed.
Best regards

Andreas

Youngsang Shin wrote:
> Hi all,
>
> Which value is usually set for DPD timeout in a real IKEv2 setup? If DPD is not used, any other keepalive timeout value?
> It seems that strongSwan's default value for DPDtimeout is 120 seconds. Is this value commonly used in a real environment?
>
> Thanks,
> Youngsang

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
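The retransmission schedule in Andreas's log, modelled as an added example (my own Python, not strongSwan code): each wait grows from 4 s by a factor of 1.8, which reproduces the 4, 7, 13, 24, 42 s gaps and the 2 min 45 s until "giving up", and the timestamps from the quoted log are checked against that model. The retransmit_* names follow the charon.retransmit_* options that later strongswan.conf releases expose; the values 4.0 / 1.8 / 5 are assumed from the log, since the release discussed here hard-codes them.

```python
from datetime import datetime

# Parameters of the IKEv2 retransmission scheme seen in the dpd-clear log above.
# Names follow the charon.retransmit_* options later strongswan.conf releases
# expose; in the release discussed here they are hard-coded (values assumed).
RETRANSMIT_TIMEOUT = 4.0   # seconds before the first retransmit
RETRANSMIT_BASE = 1.8      # back-off factor per retransmit
RETRANSMIT_TRIES = 5       # retransmits before charon gives up


def retransmit_schedule(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                        tries=RETRANSMIT_TRIES):
    """Seconds waited before retransmit 1..tries, plus the final wait
    before 'giving up after N retransmits' (tries + 1 values)."""
    return [timeout * base ** n for n in range(tries + 1)]


def dead_peer_detection_time(dpddelay):
    """Seconds from the last IKE traffic until the peer is declared dead:
    the idle period dpddelay plus the whole retransmission schedule."""
    return dpddelay + sum(retransmit_schedule())


# Timestamps of the DPD request, its five retransmits and the 'giving up'
# message, copied from the moon log quoted above (dpddelay = 10 s).
LOG_TIMES = ["01:55:25", "01:55:29", "01:55:36", "01:55:49",
             "01:56:13", "01:56:55", "01:58:10"]


def observed_offsets(times=LOG_TIMES):
    """Seconds elapsed since the first DPD request, per log timestamp."""
    t0 = datetime.strptime(times[0], "%H:%M:%S")
    return [(datetime.strptime(t, "%H:%M:%S") - t0).total_seconds()
            for t in times]


def schedule_matches_log(tolerance=1.0):
    """True if the cumulative model schedule matches the log within the
    one-second granularity of syslog timestamps."""
    model, total = [], 0.0
    for wait in retransmit_schedule():
        total += wait
        model.append(total)
    observed = observed_offsets()[1:]           # drop the initial send
    return all(abs(m - o) <= tolerance for m, o in zip(model, observed))


if __name__ == "__main__":
    print([round(w, 1) for w in retransmit_schedule()])  # [4.0, 7.2, 13.0, 23.3, 42.0, 75.6]
    print(round(dead_peer_detection_time(10)))           # 175 (10 s idle + 2 min 45 s)
    print(schedule_matches_log())                        # True
```

With a larger dpddelay the detection time grows linearly, while the 165 s retransmission tail stays the same in this release.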
[strongSwan] Tunnel doesn't build by itself
Hi,

I've made a router out of an EPIA SN board, and it really performs well (80 Mbit iperf over VPN). But it seems to me that the tunnel doesn't start automatically? But if I @work do an ipsec up net-net-svende then the tunnel builds fine, but I can't ping from my LAN PC and trigger the tunnel. Can it be something with my iptables?

With kind regards
Svend

@home:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net-pallas
        left=%defaultroute
        leftsubnet=left_lan_subnet 172.17.14.0/24
        leftid=left_wan_ip
        leftfirewall=yes
        leftsourceip=left_lan_gateway
        right=right_wan_ip
        rightsubnet=right_lan_subnet/24
        rightid=right_wan_ip
        auto=add
        type=tunnel

include /var/lib/strongswan/ipsec.conf.inc

@work:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=no
        interfaces=ipsec0=eth0

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net-svende
        left=%defaultroute
        leftsubnet=left_lan_subnet/24 193.163.101.0/24
        leftid=left_wan_ip
        leftfirewall=yes
        leftsourceip=left_lan_gateway
        right=right_wan_ip
        rightsubnet=right_lan_subnet 172.17.14.0/24
        rightid=right_wan_ip
        auto=add
        type=tunnel
Re: [strongSwan] Tunnel doesn't build by itself
If you want to trigger the tunnel setup by payload packets then you must define auto=route.

Regards

Andreas

Svend Høst wrote:
> Hi,
>
> I've made a router out of an EPIA SN board, and it really performs well (80 Mbit iperf over VPN). But it seems to me that the tunnel doesn't start automatically? But if I @work do an ipsec up net-net-svende then the tunnel builds fine, but I can't ping from my LAN PC and trigger the tunnel. Can it be something with my iptables?
>
> With kind regards
> Svend
>
> @home:
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
> conn net-net-pallas
>         left=%defaultroute
>         leftsubnet=left_lan_subnet 172.17.14.0/24
>         leftid=left_wan_ip
>         leftfirewall=yes
>         leftsourceip=left_lan_gateway
>         right=right_wan_ip
>         rightsubnet=right_lan_subnet/24
>         rightid=right_wan_ip
>         auto=add
>         type=tunnel
>
> include /var/lib/strongswan/ipsec.conf.inc
>
> @work:
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         plutostart=no
>         interfaces=ipsec0=eth0
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
> conn net-net-svende
>         left=%defaultroute
>         leftsubnet=left_lan_subnet/24 193.163.101.0/24
>         leftid=left_wan_ip
>         leftfirewall=yes
>         leftsourceip=left_lan_gateway
>         right=right_wan_ip
>         rightsubnet=right_lan_subnet 172.17.14.0/24
>         rightid=right_wan_ip
>         auto=add
>         type=tunnel

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi All,

it may be a bug in Nokia VPN with IKEv2. I've tested with the strongSwan client on Linux from the same DSL account and it works out of the box. Nokia does not answer this packet:

01:53:11.565493 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 405) 87.106.225.59.500 82.113.121.1.41: isakmp 2.0 msgid cookie -: phase 1 R #34[]: [|#33]

I will try with IKEv1 on the weekend.

Regards,
Dimitrij

Andreas Steffen wrote:
> BTW - ModeCfg is IKEv1 but you are currently running on IKEv2.
>
> If UDP port 4500 is open then the Nokia client
> - might not be able to find its private key or
> - a certificate from the CA matching the certificate request C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com is not found.
>
> In any error case the Nokia client should send an error notification back, which does not happen. This is why I thought about a blocked UDP 4500 port in the first place.
>
> Regards
>
> Andreas
>
> Dimitrij Hilt wrote:
>> Hi Andreas,
>>
>> I've tried through WLAN+DSL and UMTS, so a firewall may not be the problem. On Openswan tests I saw packets to 4500 too, but ModeCfg didn't work. Any hints how to configure Nokia?
>>
>> Regards,
>> Dimitrij
>>
>> Andreas Steffen wrote:
>>> Hi Dimitrij,
>>>
>>> in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> Dimitrij Hilt wrote:
>>>> Hi Andreas,
>>>>
>>>> ipsec.conf:
>>>>
>>>> gw-ipsec-mobile-eue:~# cat /etc/ipsec.conf
>>>> # ipsec.conf - strongSwan IPsec configuration file
>>>>
>>>> # basic configuration
>>>> config setup
>>>>         crlcheckinterval=180
>>>>         strictcrlpolicy=no
>>>>         charonstart=yes
>>>>         plutostart=no
>>>>
>>>> # Add connections here.
>>>>
>>>> # Sample VPN connections
>>>> conn %default
>>>>         ikelifetime=60m
>>>>         keylife=20m
>>>>         rekeymargin=3m
>>>>         keyingtries=1
>>>>
>>>> conn MOBILE
>>>>         left=MY_EXTERNAL_IP
>>>>         leftcert=gw-ipsec-mobile.pem
>>>>         right=%any
>>>>         rightsourceip=10.1.2.2
>>>>         rightsubnet=10.1.2.2/32
>>>>         keyexchange=ikev2
>>>>         auto=add
>>>>
>>>> #include /etc/ipsec.d/examples/no_oe.conf
>>>>
>>>> Logfile:
>>>>
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] listening on interfaces:
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] eth0
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.0.14
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.2.1
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] MY_EXTERNAL_IP
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] fe80::216:3eff:fe01:e
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/ca.pem'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/gw-ipsec-mobile.key'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[JOB] spawning 16 worker threads
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] received stroke: add connection 'MOBILE'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[LIB] loaded certificate file '/etc/ipsec.d/certs/gw-ipsec-mobile.pem'
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] peerid 87.106.225.59 not confirmed by certificate, defaulting to subject DN
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] added configuration 'MOBILE': MY_EXTERNAL_IP[C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=gw-ipsec-mobile.fhe3.net, e=notdie...@fhe3.com]...0.0.0.0[%any]
>>>> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] adding virtual IP address pool 'MOBILE': 10.1.2.2/32
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is initiating an IKE_SA
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)' state change: CREATED = CONNECTING
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
>>>> Feb 22 18:59:10 gw-ipsec-mobile-eue
[strongSwan] Why was the first IKE_INIT request message encrypted?
Hi all,

I used a pre-shared key to set up the IPsec tunnel. When I used Wireshark to capture the IKE messages, I found that the first IKE_INIT request message was encrypted. I feel confused; I think it should be sent in clear text. I found no answer in the IKEv2 RFC. Any comment is appreciated.

Commands I ran:

ipsec start
ipsec up home

# ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2

conn home
        left=10.28.15.6
        left...@xx.org
        leftsourceip=10.3.0.1
        leftfirewall=yes
        right=10.28.15.2
        rightsubnet=137.117.15.0/24
        right...@xxx.org
        auto=add

Regards,
Alvin

[attachment: IKE_INIT.jpg]
Re: [strongSwan] Why was the first IKE_INIT request message encrypted?
And the interesting thing is that the second message, the IKE_INIT response, was sent in clear text. Why was the IKE_INIT request message encrypted while the IKE_INIT response was sent in clear?

Regards,
Alvin

From: kesheng...@msn.com
To: users@lists.strongswan.org
Subject: Why was the first IKE_INIT request message encrypted?
Date: Fri, 27 Feb 2009 07:14:22 +

> Hi all,
>
> I used a pre-shared key to set up the IPsec tunnel. When I used Wireshark to capture the IKE messages, I found that the first IKE_INIT request message was encrypted. I feel confused; I think it should be sent in clear text. I found no answer in the IKEv2 RFC. Any comment is appreciated.
>
> Commands I ran:
>
> ipsec start
> ipsec up home
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>
> conn home
>         left=10.28.15.6
>         left...@xx.org
>         leftsourceip=10.3.0.1
>         leftfirewall=yes
>         right=10.28.15.2
>         rightsubnet=137.117.15.0/24
>         right...@xxx.org
>         auto=add
>
> Regards,
> Alvin
[strongSwan] Tunnel doesn't build by itself
Hi,

I've made a router out of an EPIA SN board, and it really performs well (80 Mbit iperf over VPN). But it seems to me that the tunnel doesn't start automatically? But if I @work do an ipsec up net-net-svende then the tunnel builds fine, but I can't ping from my LAN PC and trigger the tunnel. An ipsec up net-net-pallas @home builds the tunnel fine, but traffic can't pass through.

With kind regards
Svend

@home:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net-pallas
        left=%defaultroute
        leftsubnet=left_lan_subnet 172.17.14.0/24
        leftid=left_wan_ip
        leftfirewall=yes
        leftsourceip=left_lan_gateway
        right=right_wan_ip
        rightsubnet=right_lan_subnet/24
        rightid=right_wan_ip
        auto=add
        type=tunnel

include /var/lib/strongswan/ipsec.conf.inc

@work:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        plutostart=no
        interfaces=ipsec0=eth0

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net-svende
        left=%defaultroute
        leftsubnet=left_lan_subnet/24 193.163.101.0/24
        leftid=left_wan_ip
        leftfirewall=yes
        leftsourceip=left_lan_gateway
        right=right_wan_ip
        rightsubnet=right_lan_subnet
        rightid=right_wan_ip
        auto=add
        type=tunnel