Re: [strongSwan] iOS ipad Config

2012-11-19 Thread Dirk Hartmann
Hi,

--On Monday, November 19, 2012 09:59:42 PM -0500 Chris Arnold wrote:

> strongSwan 4.4, I believe, and trying to get an iPad with iOS 6 to
> connect to the server. I have this for my ipsec.conf:
>
> conn iOS
>   keyexchange=ikev1
>   authby=xauthrsasig
>   xauth=server
>   left=%defaultroute
>   leftsubnet=192.168.1.0/24
>   leftcert=serverCert.pem
>   right=%any
>   rightsourceip=192.168.3.0/24
>   #rightcert=
>   pfs=no
>   auto=add
>
> and this for ipsec.secrets:
>
> : RSA serverKey.pem
> username : XAUTH "password"
>
>
> I can't even tell if this config works, as on the iPad "use certs" is
> greyed out and will not let me turn it on. Anyone else out there
> seeing this?

Did you import the certificate on the iPad already, and does it match
these requirements?


Dirk

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Regarding Installation issue in strongswan

2012-11-19 Thread SaRaVanAn
Hi Andreas,
Thanks a lot for your detailed explanation.

Regards,
Saravanan N

On Tue, Nov 20, 2012 at 1:25 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Saravan,
>
> RFC 4306 cannot be read as a stand-alone document but the
> clarifications offered by
>
> RFC 4718 IKEv2 Clarifications and Implementation Guidelines
>
> must be considered as well. Actually the original goal of
> RFC 5996 was to combine RFC 4306 and RFC 4718 into a single
> document.
>
> Section 4.3 Diffie-Hellman for First CHILD_SA clearly states:
>
>
> http://tools.ietf.org/html/rfc4718#section-4.3
>
>Section 1.2 [of RFC 4306] shows that IKE_AUTH messages do not
>contain KEi/KEr or Ni/Nr payloads.  This implies that the SA payload
>in IKE_AUTH exchange cannot contain Transform Type 4 (Diffie-Hellman
>Group) with any other value than NONE.  Implementations should
>probably leave the transform out entirely in this case.
>
>Thus if you include a DH-Transform in the IKE_AUTH request it must
>have the value NONE.
>
> Best regards
>
> Andreas
>
>
> On 11/19/2012 06:26 PM, SaRaVanAn wrote:
>
>> Hi Martin,
>> Thanks for your reply.
>> I just want to clarify the doubts on the PFS group proposal in IKEv2.
>>
>> I guess, as per RFC 4306, the PFS group proposal will happen in the CREATE_SA
>> exchange (IKE_AUTH messages), because it's mentioned like:
>>   "A CHILD_SA is created by sending a CREATE_CHILD_SA request"
>>
>> But in RFC 5996, it's mentioned like:
>>   "The CREATE_CHILD_SA exchange is used to create new Child SAs and to
>>   rekey both IKE SAs and Child SAs"
>>
>> As per the new RFC 5996, CREATE_CHILD_SA is only meant to create new Child
>> SAs (after a tunnel is formed).
>> So it's not possible to interoperate software which supports RFC 4306
>> with strongSwan.
>>
>> Please correct me if I am wrong. I'm not clear about this point in the RFC.
>> I need experts' guidance.
>>
>> Regards,
>> Saravanan N
>>
>>
>>
>> On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi wrote:
>>
>> Hi,
>>
>> > 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>> > 13[IKE] no acceptable proposal found
>> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
>>
>> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH.
>> This
>> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
>> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
>> but not in IKE_AUTH.
>>
>> Regards
>> Martin
>>
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>

[strongSwan] iOS ipad Config

2012-11-19 Thread Chris Arnold
strongSwan 4.4, I believe, and trying to get an iPad with iOS 6 to connect to the
server. I have this for my ipsec.conf:

conn iOS
  keyexchange=ikev1
  authby=xauthrsasig
  xauth=server
  left=%defaultroute
  leftsubnet=192.168.1.0/24
  leftcert=serverCert.pem
  right=%any
  rightsourceip=192.168.3.0/24
  #rightcert=
  pfs=no
  auto=add

and this for ipsec.secrets:

: RSA serverKey.pem
username : XAUTH "password"


I can't even tell if this config works, as on the iPad "use certs" is greyed out
and will not let me turn it on. Anyone else out there seeing this?



Re: [strongSwan] Regarding Installation issue in strongswan

2012-11-19 Thread Andreas Steffen
Hi Saravan,

RFC 4306 cannot be read as a stand-alone document but the
clarifications offered by

RFC 4718 IKEv2 Clarifications and Implementation Guidelines

must be considered as well. Actually the original goal of
RFC 5996 was to combine RFC 4306 and RFC 4718 into a single
document.

Section 4.3 Diffie-Hellman for First CHILD_SA clearly states:

http://tools.ietf.org/html/rfc4718#section-4.3

Section 1.2 [of RFC 4306] shows that IKE_AUTH messages do not
contain KEi/KEr or Ni/Nr payloads.  This implies that the SA payload
in IKE_AUTH exchange cannot contain Transform Type 4 (Diffie-Hellman
Group) with any other value than NONE.  Implementations should
probably leave the transform out entirely in this case.

Thus if you include a DH-Transform in the IKE_AUTH request it must
have the value NONE.

Best regards

Andreas

On 11/19/2012 06:26 PM, SaRaVanAn wrote:
> Hi Martin,
> Thanks for your reply.
> I just want to clarify the doubts on the PFS group proposal in IKEv2.
>
> I guess, as per RFC 4306, the PFS group proposal will happen in the CREATE_SA
> exchange (IKE_AUTH messages), because it's mentioned like:
>   "A CHILD_SA is created by sending a CREATE_CHILD_SA request"
>
> But in RFC 5996, it's mentioned like:
>   "The CREATE_CHILD_SA exchange is used to create new Child SAs and to
>   rekey both IKE SAs and Child SAs"
>
> As per the new RFC 5996, CREATE_CHILD_SA is only meant to create new Child
> SAs (after a tunnel is formed).
> So it's not possible to interoperate software which supports RFC 4306
> with strongSwan.
>
> Please correct me if I am wrong. I'm not clear about this point in the RFC.
> I need experts' guidance.
>
> Regards,
> Saravanan N
>
>
>
> On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi wrote:
>
> Hi,
>
> > 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
> > 13[IKE] no acceptable proposal found
> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
>
> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
> but not in IKE_AUTH.
>
> Regards
> Martin

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



Re: [strongSwan] Regarding Installation issue in strongswan

2012-11-19 Thread SaRaVanAn
Hi Martin,
Thanks for your reply.
I just want to clarify the doubts on the PFS group proposal in IKEv2.

I guess, as per RFC 4306, the PFS group proposal will happen in the CREATE_SA
exchange (IKE_AUTH messages), because it's mentioned like:
  "A CHILD_SA is created by sending a CREATE_CHILD_SA request"

But in RFC 5996, it's mentioned like:
  "The CREATE_CHILD_SA exchange is used to create new Child SAs and to
  rekey both IKE SAs and Child SAs"

As per the new RFC 5996, CREATE_CHILD_SA is only meant to create new Child SAs
(after a tunnel is formed).
So it's not possible to interoperate software which supports RFC 4306
with strongSwan.

Please correct me if I am wrong. I'm not clear about this point in the RFC.
I need experts' guidance.

Regards,
Saravanan N



On Mon, Nov 19, 2012 at 12:41 AM, Martin Willi wrote:

> Hi,
>
> > 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
> > 13[IKE] no acceptable proposal found
> > 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
>
> Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
> seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
> would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
> but not in IKE_AUTH.
>
> Regards
> Martin
>
>

Re: [strongSwan] problem in HA

2012-11-19 Thread Ali Masoudi
Thank you so much Martin for your answer, I patched the required
headers and it solved the problems. I tested it with a simple scenario
and it worked. I will try to test it more.

Best wishes

On Mon, Nov 19, 2012 at 12:06 PM, Martin Willi wrote:
> Hi,
>
>> iptables v1.4.10: can't initialize iptables table `filter': Module is
>> wrong version
>>
>> Should I compile iptables in userland again?
>
> Unfortunately, the HA patch changes the Netfilter ABI, hence you have to
> update iptables. At the wiki page there is a patch to apply against the
> Linux headers coming with iptables.
>
> Regards
> Martin
>



[strongSwan] duplicate ESP packet issue

2012-11-19 Thread aditya vikram
Hi,

I am testing the anti-replay feature of the Linux kernel with strongSwan version
5.0.0 and found some issues. I am capturing an ESP packet and replaying the
captured packet to the Linux machine (IKE initiator). After sending the duplicate
packet around 30 times, the SA and child SA go down, which I think should not
happen. Is this the expected behaviour, and if yes, what is the trigger from the
kernel to the IKE daemon?

I can see only four messages from the kernel to IKE:

1) XFRM_MSG_ACQUIRE
2) XFRM_MSG_EXPIRE
3) XFRM_MSG_MIGRATE
4) XFRM_MSG_MAPPING

Best Regards
Aditya Vikram

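The receiver-side anti-replay window that the question above is exercising, as an added example that is not from the thread, from strongSwan or from the Linux kernel: a 64-entry sliding window in the style of RFC 4303 Appendix A, fed with a constructed sequence-number stream in which one packet is repeated 30 times. It shows what a correct window does with the duplicates (counts and drops them, and keeps accepting fresh packets afterwards). The thread does not say why the SA was torn down, and the example does not model that; the class and function names are my own.

```python
class ReplayWindow:
    """Receiver-side anti-replay window in the style of RFC 4303 Appendix A.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number top - i has already been received.  A real
    ESP receiver only calls check_and_update() after the ICV has verified,
    so that forged packets cannot advance the window.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.replays = 0     # packets dropped as duplicates or as too old

    def _drop(self):
        self.replays += 1
        return False

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if it must be dropped."""
        if seq == 0:                      # sequence number 0 is never transmitted in ESP
            return self._drop()
        if seq > self.top:                # to the right of the window: slide it
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1           # jumped past the whole window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:             # left of the window: too old
            return self._drop()
        if self.bitmap & (1 << diff):     # inside the window and already seen: replay
            return self._drop()
        self.bitmap |= 1 << diff          # inside the window, first time seen
        return True


def run_stream(seqs, size=64):
    """Feed a sequence-number stream through one window; return (accepted, dropped)."""
    win = ReplayWindow(size)
    accepted = dropped = 0
    for s in seqs:
        if win.check_and_update(s):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    # Constructed stream: four packets, then packet 3 replayed 30 times, then packet 5.
    stream = [1, 2, 3, 4] + [3] * 30 + [5]
    print(run_stream(stream))   # a correct window drops the 30 replays and still accepts 5
```

In the kernel the equivalent state lives per SA in the XFRM replay state; the window only drops packets and bumps a counter, which is why a tear-down after repeated duplicates is worth asking about rather than assuming.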

[strongSwan] iOs and android problem

2012-11-19 Thread Hamid Zamani
Hello,

I'm trying to establish an iPhone IPsec connection to my server, and in my log the
client gets an IP address and authentication is OK, but on the other side the
client shows me an error and it won't connect:

PSK + XAUTH

Here is my log:

Nov 19 08:00:56 4 charon: 02[NET] received packet: from y.y.y.y[500] to x.x.x.x[500]
Nov 19 08:00:56 4 charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
Nov 19 08:00:56 4 charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received XAuth vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received Cisco Unity vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] received DPD vendor ID
Nov 19 08:00:56 4 charon: 02[IKE] y.y.y.y is initiating a Main Mode IKE_SA
Nov 19 08:00:56 4 charon: 02[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Nov 19 08:00:56 4 charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
Nov 19 08:00:56 4 charon: 02[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Nov 19 08:00:57 4 charon: 01[NET] received packet: from y.y.y.y[500] to x.x.x.x[500]
Nov 19 08:00:57 4 charon: 01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 19 08:00:57 4 charon: 01[IKE] remote host is behind NAT
Nov 19 08:00:57 4 charon: 01[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov 19 08:00:57 4 charon: 01[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Nov 19 08:00:57 4 charon: 12[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
Nov 19 08:00:57 4 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Nov 19 08:00:57 4 charon: 12[IKE] queueing XAUTH task
Nov 19 08:00:57 4 charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Nov 19 08:00:57 4 charon: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500]
Nov 19 08:00:57 4 charon: 12[IKE] activating new tasks
Nov 19 08:00:57 4 charon: 12[IKE]   activating XAUTH task
Nov 19 08:00:57 4 charon: 12[ENC] generating TRANSACTION request 525259943 [ HASH CP ]
Nov 19 08:00:57 4 charon: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500]
Nov 19 08:00:57 4 charon: 03[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
Nov 19 08:00:57 4 charon: 03[ENC] parsed TRANSACTION response 525259943 [ HASH CP ]
Nov 19 08:00:57 4 charon: 03[IKE] RADIUS authentication of 'username' successful
Nov 19 08:00:57 4 charon: 03[IKE] XAuth authentication of 'username' successful
Nov 19 08:00:57 4 charon: 03[IKE] reinitiating already active tasks
Nov 19 08:00:57 4 charon: 03[IKE]   XAUTH task
Nov 19 08:00:57 4 charon: 03[ENC] generating TRANSACTION request 97825 [ HASH CP ]
Nov 19 08:00:57 4 charon: 03[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500]
Nov 19 08:00:58 4 charon: 15[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
Nov 19 08:00:58 4 charon: 15[ENC] parsed TRANSACTION response 97825 [ HASH CP ]
Nov 19 08:00:58 4 charon: 15[IKE] IKE_SA ioss[1] established between x.x.x.x[x.x.x.x]...y.y.y.y[192.168.5.43]
Nov 19 08:00:58 4 charon: 15[IKE] IKE_SA ioss[1] state change: CONNECTING => ESTABLISHED
Nov 19 08:00:58 4 charon: 15[IKE] scheduling reauthentication in 9991s
Nov 19 08:00:58 4 charon: 15[IKE] maximum IKE_SA lifetime 10531s
Nov 19 08:00:58 4 charon: 15[IKE] activating new tasks
Nov 19 08:00:58 4 charon: 15[IKE] nothing to initiate
Nov 19 08:00:58 4 charon: 11[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500]
Nov 19 08:00:58 4 charon: 11[ENC] unknown attribute type (28683)
Nov 19 08:00:58 4 charon: 11[ENC] parsed TRANSACTION request 573998017 [ HASH CP ]
Nov 19 08:00:58 4 charon: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing INTERNAL_IP4_NETMASK attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing INTERNAL_IP4_DNS attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing INTERNAL_IP4_NBNS attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing INTERNAL_ADDRESS_EXPIRY attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing APPLICATION_VERSION attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing UNITY_BANNER attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing UNITY_DEF_DOMAIN attribute
Nov 19 08:00:58 4 charon: 11[IKE] processing UNITY_SPLITDNS_NAME attribute
Nov 19 08:00:58 4 charon: 11[IKE] 

Re: [strongSwan] Regarding Installation issue in strongswan

2012-11-19 Thread Martin Willi
Hi,

> 13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
> 13[IKE] no acceptable proposal found
> 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]

Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
seems wrong, as a DH exchange is never done in IKE_AUTH. The proposal
would match in a CREATE_CHILD_SA (as you can do a DH exchange there),
but not in IKE_AUTH.

Regards
Martin


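Martin's reply above and Andreas's quotation from RFC 4718 section 4.3 earlier in the thread make the same point: a Transform Type 4 (D-H group) in a CHILD_SA proposal is only acceptable in CREATE_CHILD_SA, and in IKE_AUTH it may only be NONE, which in practice means leaving the transform out. The following Python is an added example, not strongSwan code: it parses the proposal string in the form charon logs it, applies that rule from the responder's side, and shows the initiator-side fix of dropping the group. The transform-name sets are a constructed subset for the example, and the function names are assumptions of mine.

```python
from dataclasses import dataclass, field

# Transform names in the form charon prints them in "received proposals".
# Constructed subset for this example; a real implementation keys on IANA IDs.
ENCR_ALGS = {"3DES_CBC", "AES_CBC_128", "AES_CBC_256", "AES_GCM_16_128", "AES_GCM_16_256"}
INTEG_ALGS = {"HMAC_SHA1_96", "HMAC_SHA2_256_128", "HMAC_SHA2_512_256"}
DH_GROUPS = {"MODP_1024", "MODP_1536", "MODP_2048", "ECP_256", "ECP_384"}  # Transform Type 4
ESN_MODES = {"NO_EXT_SEQ", "EXT_SEQ"}

# Exchanges that may carry a CHILD_SA (ESP/AH) proposal at all
CHILD_SA_EXCHANGES = ("IKE_AUTH", "CREATE_CHILD_SA")


@dataclass
class Proposal:
    protocol: str                                  # "ESP" or "AH"
    encr: list = field(default_factory=list)
    integ: list = field(default_factory=list)
    dh: list = field(default_factory=list)         # D-H groups (Transform Type 4)
    esn: list = field(default_factory=list)


def parse_proposal(text):
    """Parse 'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ' into a Proposal."""
    proto, sep, body = text.partition(":")
    if not sep or proto not in ("ESP", "AH"):
        raise ValueError(f"not a CHILD_SA proposal: {text!r}")
    p = Proposal(proto)
    for tok in body.split("/"):
        if tok in ENCR_ALGS:
            p.encr.append(tok)
        elif tok in INTEG_ALGS:
            p.integ.append(tok)
        elif tok in DH_GROUPS:
            p.dh.append(tok)
        elif tok in ESN_MODES:
            p.esn.append(tok)
        else:
            raise ValueError(f"unknown transform {tok!r}")
    return p


def check_child_proposal(text, exchange):
    """Responder-side check: may this CHILD_SA proposal be accepted in `exchange`?

    Returns (accepted, reason).  The rule from RFC 4718 section 4.3: IKE_AUTH
    carries no KEi/KEr payload, so a D-H transform there may only have the value
    NONE, which in practice means the transform is left out entirely.
    """
    if exchange not in CHILD_SA_EXCHANGES:
        return False, f"CHILD_SA proposals are not carried in {exchange}"
    p = parse_proposal(text)
    if p.protocol == "ESP" and not p.encr:
        return False, "NO_PROPOSAL_CHOSEN: ESP proposal without an encryption transform"
    if exchange == "IKE_AUTH" and p.dh:
        return False, (f"NO_PROPOSAL_CHOSEN: D-H group {'/'.join(p.dh)} offered in "
                       "IKE_AUTH, where no DH exchange takes place")
    return True, "acceptable"


def strip_dh_for_ike_auth(text):
    """Initiator-side fix: rebuild the proposal string without its D-H transform."""
    p = parse_proposal(text)
    return p.protocol + ":" + "/".join(p.encr + p.integ + p.esn)


if __name__ == "__main__":
    # Constructed input, in the format of the "received proposals" line in the thread
    received = "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ"
    for exch in ("IKE_AUTH", "CREATE_CHILD_SA"):
        print(f"{exch:16} {check_child_proposal(received, exch)}")
    print("initiator fix:  ", strip_dh_for_ike_auth(received))
```

Run against the proposal from the log, the IKE_AUTH check fails with the same outcome the responder logged (no acceptable proposal, N(NO_PROP) in the reply), the CREATE_CHILD_SA check passes, and the stripped string is what an RFC-conformant initiator should have sent in IKE_AUTH; the PFS group belongs in the later CREATE_CHILD_SA rekey proposals instead.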


Re: [strongSwan] problem in HA

2012-11-19 Thread Martin Willi
Hi,

> iptables v1.4.10: can't initialize iptables table `filter': Module is
> wrong version
> 
> Should I compile iptables in userland again?

Unfortunately, the HA patch changes the Netfilter ABI, hence you have to
update iptables. At the wiki page there is a patch to apply against the
Linux headers coming with iptables.

Regards
Martin

