Re: [strongSwan] IPSEC/l2TP Chrome OS
Tobias thank you so much for your reply! On the bottom you'll find the attached logs from the chromebook machine, please let me know if you require any pocket sniffing Cheers, Ilan 2015-02-12T10:22:13.896043-08:00 charon[2428]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 2015-02-12T10:22:13.900278-08:00 charon[2428]: 00[CFG] loaded ca certificate CN=domain Dev Root CA G1, O=domain, C=US from '/etc/ipsec.d/cacerts/cacert.der' 2015-02-12T10:22:13.900904-08:00 charon[2428]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 2015-02-12T10:22:13.901409-08:00 charon[2428]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 2015-02-12T10:22:13.901910-08:00 charon[2428]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 2015-02-12T10:22:13.902417-08:00 charon[2428]: 00[CFG] loading crls from '/etc/ipsec.d/crls' 2015-02-12T10:22:13.902953-08:00 charon[2428]: 00[CFG] loading secrets from '/etc/ipsec.secrets' 2015-02-12T10:22:13.911338-08:00 charon[2428]: 00[CFG] loaded private key from %smartcard1@crypto_module:719D7F5687E27E8DAD5E37FD84CFFA1027B29878 2015-02-12T10:22:13.912395-08:00 charon[2428]: 00[DMN] loaded plugins: charon pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic 2015-02-12T10:22:13.913424-08:00 charon[2428]: 00[LIB] dropped capabilities, running as uid 212, gid 212 2015-02-12T10:22:13.913935-08:00 charon[2428]: 00[JOB] spawning 16 worker threads 2015-02-12T10:22:13.925508-08:00 charon[2428]: 01[CFG] received stroke: add connection 'managed' 2015-02-12T10:22:13.926009-08:00 charon[2428]: 01[CFG] left nor right host is our side, assuming left=local 2015-02-12T10:22:13.930950-08:00 charon[2428]: 01[CFG] loaded certificate CN=right_cn, OU=1957, O=domain.com, C=US from '%smartcard1@crypto_module :719D7F5687E27E8DAD5E37FD84CFFA1027B29878' 2015-02-12T10:22:13.931524-08:00 charon[2428]: 01[CFG] id '%any' not confirmed by certificate, defaulting to 'CN=right_cn, OU=1957, O=domain.com, C=US' 2015-02-12T10:22:13.932301-08:00 charon[2428]: 01[CFG] added configuration 'managed' 2015-02-12T10:22:13.933065-08:00 charon[2428]: 12[CFG] received stroke: initiate 'managed' 2015-02-12T10:22:13.933964-08:00 charon[2428]: 12[IKE] initiating Main Mode IKE_SA managed[1] to 162.243.137.92 2015-02-12T10:22:13.937160-08:00 charon[2428]: 12[ENC] generating ID_PROT request 0 [ SA V V V V ] 2015-02-12T10:22:13.937898-08:00 charon[2428]: 12[NET] sending packet: from 10.0.1.186[500] to 162.243.137.92[500] (188 bytes) 2015-02-12T10:22:13.956699-08:00 charon[2428]: 09[NET] received packet: from 162.243.137.92[500] to 10.0.1.186[500] (132 bytes) 2015-02-12T10:22:13.957266-08:00 charon[2428]: 09[ENC] parsed ID_PROT response 0 [ SA V V V ] 2015-02-12T10:22:13.957296-08:00 charon[2428]: 09[IKE] received XAuth vendor ID 2015-02-12T10:22:13.957310-08:00 charon[2428]: 09[IKE] received DPD vendor ID 2015-02-12T10:22:13.957323-08:00 charon[2428]: 09[IKE] received NAT-T (RFC 3947) vendor ID 2015-02-12T10:22:13.964554-08:00 charon[2428]: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ] 2015-02-12T10:22:13.964647-08:00 charon[2428]: 09[NET] sending packet: from 10.0.1.186[500] to 162.243.137.92[500] (244 bytes) 2015-02-12T10:22:13.987288-08:00 charon[2428]: 02[NET] received packet: from 162.243.137.92[500] to 10.0.1.186[500] (468 bytes) 2015-02-12T10:22:13.987330-08:00 charon[2428]: 02[ENC] parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D ] 2015-02-12T10:22:13.987345-08:00 charon[2428]: 02[IKE] received cert request for unknown ca 'CN=domain Dev Issuing CA G1, O=domain, C=US' 2015-02-12T10:22:13.987359-08:00 charon[2428]: 02[IKE] received cert request for 'CN=domain Dev Root CA G1, O=domain, C=US' 2015-02-12T10:22:13.987373-08:00 charon[2428]: 02[IKE] received cert request for unknown ca 'CN=domain Dev Intermediate CA G1, O=domain, C=US' 2015-02-12T10:22:13.994140-08:00 charon[2428]: 02[IKE] local host is behind NAT, sending keep alives 2015-02-12T10:22:13.999718-08:00 charon[2428]: 02[IKE] sending cert request for CN=domain Dev Root CA G1, O=domain, C=US 2015-02-12T10:22:14.012951-08:00 shill[1076]: [ERROR:error.cc(103)] Operation failed (no other information) 2015-02-12T10:22:14.365615-08:00 shill[1076]: last message repeated 25 times 2015-02-12T10:22:14.365013-08:00 charon[2428]: 02[IKE] authentication of 'CN=right_cn, OU=1957, O=domain.com, C=US' (myself) successful 2015-02-12T10:22:14.365056-08:00 charon[2428]: 02[IKE] sending end entity cert CN=right_cn, OU=1957, O=domain.com, C=US 2015-02-12T10:22:14.365078-08:00 charon[2428]: 02[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ ] 2015-02-12T10:22:14.365098-08:00 charon[2428]: 02[NET] sending packet: from 10.0.1.186[4500] to 162.243.137.92[4500] (1092 bytes) 2015-02-12T10:22:14.622824-08:00 charon[2428]: 07[NET] received
Re: [strongSwan] Multiple Child SA after only 14 minutes
On Tue, 10 Feb 2015 01:02:17 +0100 Noel Kuntze n...@familie-kuntze.de wrote: SNIP This advice applies to all connections and is good advice in general. Thanks for the advice (specifically to set only one end of the tunnel to dpdaction=restart), Noel. I have done this, but I am still seeing multiple child SAs spring up: [root@ipfire ~]# ipsec statusall HostB Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.44-ipfire, i686): uptime: 17 hours, since Feb 11 19:30:06 2015 malloc: sbrk 525200, mmap 0, used 387408, free 137792 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 60 loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp Listening IP addresses: 10.100.0.1 IPA.DDR.ESS.A IPA.DDR.ESS.A2 IPA.DDR.ESS.A3 10.100.1.1 Connections: HostB: IPA.DDR.ESS.A...IPA.DDR.ESS.B IKEv2, dpddelay=120s HostB: local: [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com] uses public key authentication HostB:cert: C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com HostB: remote: [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com] uses public key authentication HostB:cert: C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com HostB: child: 10.100.0.0/23 === 10.2.0.0/16 TUNNEL, dpdaction=clear Routed Connections: HostB{10}: ROUTED, TUNNEL HostB{10}: 10.100.0.0/23 === 10.2.0.0/16 Security Associations (15 up, 0 connecting): HostB[164]: ESTABLISHED 2 hours ago, IPA.DDR.ESS.A[C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com]...IPA.DDR.ESS.B[C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com] HostB[164]: IKEv2 SPIs: 1083250bd152df93_i aa0b0cf822e2a48a_r*, public key reauthentication in 5 hours HostB[164]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_512_BP HostB{10}: INSTALLED, TUNNEL, ESP SPIs: ca493aee_i cd5a7958_o, IPCOMP CPIs: b621_i e57d_o HostB{10}: AES_CBC_256/HMAC_SHA2_256_128, 530419 bytes_i (3503 pkts, 0s ago), 1580851 bytes_o (3824 pkts, 0s ago), rekeying in 29 minutes HostB{10}: 10.100.0.0/23 === 10.2.0.0/16 HostB{10}: INSTALLED, TUNNEL, ESP SPIs: c8746473_i c4dd84bb_o, IPCOMP CPIs: 3ac6_i 3e51_o HostB{10}: AES_CBC_256/HMAC_SHA2_256_128, 2917676 bytes_i (32813 pkts, 0s ago), 2781420 bytes_o (32677 pkts, 0s ago), rekeying in 31 minutes HostB{10}: 10.100.0.0/23 === 10.2.0.0/16 HostB{10}: INSTALLED, TUNNEL, ESP SPIs: ca68d731_i cbc5df84_o, IPCOMP CPIs: 1d57_i 6be8_o HostB{10}: AES_CBC_256/HMAC_SHA2_256_128, 2658017 bytes_i (28452 pkts, 0s ago), 2816354 bytes_o (28267 pkts, 0s ago), rekeying in 38 minutes HostB{10}: 10.100.0.0/23 === 10.2.0.0/16 Also, I noticed that these three Child SAs were all set to expire and they all re-keyed. They will all stay open (and even multiply) as long as the tunnel stays up. If I force it down and then bring it back up, it will come back up with only one SA, and others will show up on a seemingly random basis. I had originally thought that a new SA was created each time it rekeyed phase2, but there were three before the last re-key and three after, so I am not flummoxed. Id this just normal behavior, or am I missing something? The other side looks like this: [root@HostB ~]# ipsec statusall Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.10.44-ipfire-pae, i686): uptime: 10 days, since Feb 01 15:21:58 2015 malloc: sbrk 394896, mmap 0, used 242208, free 152688 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6 loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp Listening IP addresses: 10.2.0.1 IPA.DDR.ESS.B Connections: Data: IPA.DDR.ESS.B...IPA.DDR.ESS.A IKEv2, dpddelay=120s Data: local: [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com] uses public key authentication Data:cert: C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=HostB.MyOrg.com Data: remote: [C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com] uses public key authentication Data:cert: C=US, ST=UT, O=MyOrg, OU=Engineering Dept, CN=MyOrg.com Data: child: 10.2.0.0/16 === 10.100.0.0/23 TUNNEL, dpdaction=restart Routed Connections: Data{23}: ROUTED, TUNNEL Data{23}: 10.2.0.0/16 === 10.100.0.0/23 Security
Re: [strongSwan] Issues observed with Server leases in road warrior configuration
Hi Sumit, In this case, since the server was not notified about client going down, the lease was still active at server, and then later when client came up and asked for virtual IP, server gave a different one and also updated the lease with this new assigned Virtual IP. If you use in-memory pools (i.e. `rightsourceip=subnet`) you could enable the `charon.mem-pool.reassign_online` option in strongswan.conf. If it is enabled existing online leases will be reassigned to clients with the same identity. Regards, Tobias ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Issues observed with Server leases in road warrior configuration
Hi, Individual client based conn sections cannot be added since the server do not know the identity of road warriors. Wanted to check, for this use case(where server do not know its clients), would even Sql plugin provide any solution wrt assigning same virtual IP to a client always? Thanks Sumit -Original Message- From: ext Tobias Brunner [mailto:tob...@strongswan.org] Sent: Thursday, February 12, 2015 4:52 PM To: Kaur, Sumit (NSN - IN/Bangalore); ext Noel Kuntze; users@lists.strongswan.org Subject: Re: [strongSwan] Issues observed with Server leases in road warrior configuration Hi Sumit, Note that, strongswan version that I use is 4.3.6. The reassign_online option was added with 5.1.0, but the default behavior before that was actually to reassign online leases. But only if the client explicitly requested the same IP address it got assigned earlier. This was done for better interoperability during reauthentication with third-party implementations, but we added the option and disabled this behavior by default when we started to prevent duplicate IPsec policies (see [1]). Since your client obviously won't request the same address this does not actually help in your case. Please try the SQL plugin as mentioned by Noel (another option might be to assign IP addresses via RADIUS, or adding individual conn sections for each client). In newer releases, where, as mentioned, duplicate IPsec policies are not allowed this could actually cause problems, though, if the old SA is still around. Also, there is nothing available on strongswan wiki wrt mem-pool.reassign_online option. I've added documentation to the wiki and the man page. Regards, Tobias [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7612a6e42 ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Issues observed with Server leases in road warrior configuration
Hi Sumit, Note that, strongswan version that I use is 4.3.6. The reassign_online option was added with 5.1.0, but the default behavior before that was actually to reassign online leases. But only if the client explicitly requested the same IP address it got assigned earlier. This was done for better interoperability during reauthentication with third-party implementations, but we added the option and disabled this behavior by default when we started to prevent duplicate IPsec policies (see [1]). Since your client obviously won't request the same address this does not actually help in your case. Please try the SQL plugin as mentioned by Noel (another option might be to assign IP addresses via RADIUS, or adding individual conn sections for each client). In newer releases, where, as mentioned, duplicate IPsec policies are not allowed this could actually cause problems, though, if the old SA is still around. Also, there is nothing available on strongswan wiki wrt mem-pool.reassign_online option. I've added documentation to the wiki and the man page. Regards, Tobias [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7612a6e42 ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Does strongswan-5.0.4 support the AH protocol?
Hi,We are using the strongswan-5.0.4.What I understand, the KEv2 Charon daemon does not s does not implement AH butESP with authentication only is configurable (i.e., NULL encryption with anydata integrity algorithm). Since 5.1.1 the ah keyword (i.e., auth = esp | ah) canbe used to configure AH with the Charon IKEv2 daemon. Can anyone please confirm? Thanks in advance. Regards,Chinmaya___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] IPSEC/l2TP Chrome OS
Hi Ilan, 06[ENC] invalid HASH_V1 payload length, decryption failed? 06[ENC] could not decrypt payloads 06[IKE] message parsing failed 06[IKE] ignore malformed INFORMATIONAL request This looks like #836 (or #570). Do you have any logs from the client? It seems it might not like the server's certificate and then maybe sends a DELETE or some other notify to the server. Could you try to determine what is contained in that INFORMATIONAL request (e.g. via Wireshark)? Regards, Tobias [1] https://wiki.strongswan.org/issues/836 [2] https://wiki.strongswan.org/issues/570 ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Issues establishing multiple IKEv1 Site-to-Site Tunnels to the same peer
Hello all, As you may have known around the VyOS/EdgeOS community, I am the poor guy who decided to upgrade the strongSwan stack from 4.5.2 to 5.2.2. Yes, it was an eye-opener on how the scripts were written back in the day and I'm surprised it still even works today. During testing, I've noticed that establishing multiple IKEv1 tunnels between strongSwan 5.2.2 doesn't work as expected with configurations being both generated by VyOS/EdgeOS/Vyatta's vpn-config.pl. One of the tunnels specified in ipsec.conf does work, but the other one does not. I am pasting charon's logger from ike/cfg at level 2: -- BEGIN LOG-- Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: Starting strongSwan 5.2.2 IPsec [starter]... Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: # deprecated keyword 'interfaces' in config setup Feb 12 08:41:14 vyos-2 ipsec_starter[2970]: ### 1 parsing error (0 fatal) ### Feb 12 08:41:14 vyos-2 ipsec_starter[2986]: charon (2987) started after 20 ms Feb 12 08:41:14 vyos-2 charon: 12[IKE] initiating Main Mode IKE_SA peer-192.168.2.1-tunnel-0[1] to 192.168.2.1 Feb 12 08:41:39 vyos-2 charon: 04[IKE] sending retransmit 3 of request message ID 0, seq 1 Feb 12 08:41:45 vyos-2 charon: 16[CFG] looking for an ike config for 192.168.2.2...192.168.2.1 Feb 12 08:41:45 vyos-2 charon: 16[CFG] candidate: 192.168.2.2...192.168.2.1, prio 3100 Feb 12 08:41:45 vyos-2 charon: 16[CFG] found matching ike config: 192.168.2.2...192.168.2.1 with prio 3100 Feb 12 08:41:45 vyos-2 charon: 16[IKE] received XAuth vendor ID Feb 12 08:41:45 vyos-2 charon: 16[IKE] received DPD vendor ID Feb 12 08:41:45 vyos-2 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID Feb 12 08:41:45 vyos-2 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Feb 12 08:41:45 vyos-2 charon: 16[IKE] 192.168.2.1 is initiating a Main Mode IKE_SA Feb 12 08:41:45 vyos-2 charon: 16[IKE] IKE_SA (unnamed)[2] state change: CREATED = CONNECTING Feb 12 08:41:45 vyos-2 charon: 16[CFG] selecting proposal: Feb 12 08:41:45 vyos-2 charon: 16[CFG] proposal matches Feb 12 08:41:45 vyos-2 charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Feb 12 08:41:45 vyos-2 charon: 16[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Feb 12 08:41:45 vyos-2 charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending XAuth vendor ID Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending DPD vendor ID Feb 12 08:41:45 vyos-2 charon: 16[IKE] sending NAT-T (RFC 3947) vendor ID Feb 12 08:41:45 vyos-2 charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.2.2...192.168.2.1[192.168.2.1] Feb 12 08:41:45 vyos-2 charon: 06[CFG] candidate peer-192.168.2.1-tunnel-0, match: 1/20/3100 (me/other/ike) Feb 12 08:41:45 vyos-2 charon: 06[CFG] selected peer config peer-192.168.2.1-tunnel-0 Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] established between 192.168.2.2[192.168.2.2]...192.168.2.1[192.168.2.1] Feb 12 08:41:45 vyos-2 charon: 06[IKE] IKE_SA peer-192.168.2.1-tunnel-0[2] state change: CONNECTING = ESTABLISHED Feb 12 08:41:45 vyos-2 charon: 06[IKE] scheduling reauthentication in 27939s Feb 12 08:41:45 vyos-2 charon: 06[IKE] maximum IKE_SA lifetime 28479s Feb 12 08:41:45 vyos-2 charon: 03[CFG] looking for a child config for 192.168.4.0/24 === 192.168.3.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for us: Feb 12 08:41:45 vyos-2 charon: 03[CFG] 192.168.4.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for other: Feb 12 08:41:45 vyos-2 charon: 03[CFG] 192.168.3.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] candidate peer-192.168.2.1-tunnel-0 with prio 5+5 Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for us: Feb 12 08:41:45 vyos-2 charon: 03[CFG] 10.0.11.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposing traffic selectors for other: Feb 12 08:41:45 vyos-2 charon: 03[CFG] 10.0.10.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] found matching child config peer-192.168.2.1-tunnel-0 with prio 10 Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting traffic selectors for other: Feb 12 08:41:45 vyos-2 charon: 03[CFG] config: 192.168.3.0/24, received: 192.168.3.0/24 = match: 192.168.3.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting traffic selectors for us: Feb 12 08:41:45 vyos-2 charon: 03[CFG] config: 192.168.4.0/24, received: 192.168.4.0/24 = match: 192.168.4.0/24 Feb 12 08:41:45 vyos-2 charon: 03[CFG] selecting proposal: Feb 12 08:41:45 vyos-2 charon: 03[CFG] proposal matches Feb 12 08:41:45 vyos-2 charon: 03[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Feb 12 08:41:45 vyos-2 charon: 03[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Feb 12 08:41:45 vyos-2 charon: 03[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ Feb 12 08:41:45 vyos-2 charon: 04[IKE]
Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously.
Hi, Can anyone please comment on this. I tested this with the new strongswan version 5.2 and noticed the same behavior. Regards Suhas -Original Message- From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On Behalf Of ext Krishna G, Suhas (NSN - IN/Bangalore) Sent: Monday, February 09, 2015 2:24 PM To: ext Noel Kuntze; users@lists.strongswan.org Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously. Hi Noel, One more observation with respect to the below query. With uniqueids=yes, as you mentioned only one pair of SA is formed but I found a limitation w.r.t this. I configured IPSec(same setup as I had mentioned in previous mail) between two nodes(peer1---peer2) with the uniqueids=yes option in the ipsec.conf file on both ends. Apparently, no SAs are duplicated when I do ipsec up multiple times from one end. Old SAs are being replaced by new ones. But when I do ipsec up for the first time from the other end, though SAs are already established, another set of SA is initiated. So two set of SAs get established. But no further SAs are duplicated even after ipsec up multiple times from either ends. So, there can exist max two set of SAs between the same end points with the uniqueids=yes option. First set of SA initiated from peer1 and the second set initiated by peer2. So, I think there is no actual check for SA being established but there is only a check for the number of times ipsec up is done from one end which is a drawback. Is this the same behavior in the new version of strongswan? Regards Suhas -Original Message- From: users-boun...@lists.strongswan.orgmailto:users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On Behalf Of ext Krishna G, Suhas (NSN - IN/Bangalore) Sent: Friday, February 06, 2015 12:12 PM To: ext Noel Kuntze; users@lists.strongswan.orgmailto:users@lists.strongswan.org Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously. Hi Noel, I had forgot to ask one thing. Does any configuration in strongswan.conf file affect this. How exactly does this uniqueid stuff work? My strongsan.conf file for reference just in case: # strongswan.conf charon { reuse_ikesa=no install_routes=no block_threshold=50 cookie_threshold=100 } -Original Message- From: ext Noel Kuntze [mailto:n...@familie-kuntze.de] Sent: Thursday, February 05, 2015 12:07 AM To: Krishna G, Suhas (NSN - IN/Bangalore); users@lists.strongswan.orgmailto:users@lists.strongswan.org Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously. -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello Krishna, Yes, that is relevant. I have a net-to-net setup here with the newest strongSwan version and PSK authentication, that does not show this bad behaviour. You might want to try a newer version. Mit freundlichen Grüßen/Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 04.02.2015 um 11:07 schrieb Krishna G, Suhas (NSN - IN/Bangalore): Hi Noel, Thanks for the quick response. I tested with the combination of changes you suggested but am still facing the same issue. I found a thread relating to this: http://permalink.gmane.org/gmane.network.vpn.strongswan.devel/671 Is this of any relevance? The charon does not check for duplicate SAs and delete them? The duplicate SAs persist even after rekeying. Regards Suhas Krishna -Original Message- From: users-boun...@lists.strongswan.orgmailto:users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On Behalf Of ext Noel Kuntze Sent: Wednesday, February 04, 2015 1:23 AM To: users@lists.strongswan.orgmailto:users@lists.strongswan.org Subject: Re: [strongSwan] FW: Traffic dropped when IKE initiation happen between two nodes simultaneously. Hello Kirshna, You set uniqueids=no. That causes that behaviour. Use uniqueids=yes, uniqueids=keep or uniqueids=replace. Mit freundlichen Grüßen/Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 03.02.2015 um 11:05 schrieb Krishna G, Suhas (NSN - IN/Bangalore): Hi, I am testing a simple scenario using ikev2. The setup is as follows: (Traffic generator2)30.0.0.1---(30.0.0.2)node2(20.0.0.1)--(20.0.0.2)node1(40.0.0.1)40.0.0.2(Traffic generator1) eth2 eth3 eth2 (vlan201) Node1: # ipsec.conf config setup charonstart=yes plutostart=no uniqueids=no
Re: [strongSwan] Fritzbox - strongSwan / Missing ping replies
Hi, seems to be this kind of problem. After pinning the connection settings to: ike=aes256-sha-modp1024 esp=aes192-sha1-modp1024! the connection works perfectly. Don't know why the Fritzbox offers aes256 but only aes192 works. Cheers Sascha Zitat von Tobias Brunner tob...@strongswan.org: Hi Sascha, I've build a connection between a FRITZ!Box and a strongSwan server. On the virtual server where strongSwan is located I've added a virtual interface and configured the ip 192.168.0.10/24 on it. Now I'm trying to ping each side of the vpn with no luck. What version of strongSwan are you using? There were some issues with proposal handling between FRITZ!Box and strongSwan before 5.2.0, see [1]. Regards, Tobias [1] https://wiki.strongswan.org/issues/661 ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] recommandation with many connections and heavy stress testing
Hi, We are doing stress testing with strongswan with over 256 connections and a lot of packets send/recv with default rekey time. We experienced some connections being dropped and saw many rekey collision with (win or lose) messages from the log. Is there any tuning parameters that we can use to help reduce the collision. Does increase charon number of threads help? Does reauth=no help? Any help is deeply appreciated. Bettina ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users