[strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server

2015-02-20 Thread meenakshi bangad
I am experiencing a very interesting behaviour with Strongswan server.

Using the load tester plugin I can bring up multiple clients. I have set up
about 200 clients on 2 machines (each running 100 Ipsec tunnels to the
servers).
I have my own traffic generator which is sending traffic across this
multiple tunnels.

Initially everything runs fine, but after some time I start getting
time-outs in my traffic generator application. I have tried modifying the
sysctl settings etc.,
but nothing has worked. If during that time I bring up another client
everything starts to work again. So the trigger for the non-responsive
server is bringing a tunnel up and down. Since
I have been doing this the generator on the other 200 tunnels never times
out. It seems like the server is stuck somewhere and a tunnel up or
down breaks that loop.

Has anyone else experienced the same behaviour?

Thanks,

Meenakshi
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] High availability configuration

2015-02-20 Thread unite

Hi guys!

I have a couple of questions regarding strongswan HA configuration.

I have the following topology:
I have two debian wheezy nodes running the 5.2.1 strongswan installed 
from backports and 3.16 kernel also installed from wheezy backports. 
Here is the part of "ipsec statusall" output:


ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64)


My two nodes receive routes from 2 ISPs using bgp. So both nodes are 
running quagga and ISP's router is configured to operate with two 
neighbors in my AS. The addressing between my external interfaces and 
the first ISPs gateway (on which BGP relations are held) is for example 
(192.168.1.1/24 - ISP gateway, 192.168.1.2 - my cluster node1, 
192.168.1.3 - node2). Addressing for the second let's assume is in 
192.168.2.0/24 net. My AS is bound to net for example 1.1.1.0/24 and I 
have for example vlan 50 which contains these addresses.


So, for maximum reachability, I would like to configure strongswan to 
use the source ip from my AS net, for example - 1.1.1.50, so all tunnels 
would be initiated from this IP and even if one ISP fails my tunnels are 
still reachable. However, is that possible to configure strongswan in HA 
mode using such a configuration? So, I see two possible ways how it 
theoretically might work:


1) in active/standby configuration - when for example all bgp traffic 
will be held by node1 - so ISP gateways forward traffic to node1 of my 
cluster, it receives VPN packets for destination 1.1.1.50 and decrypts 
them and so on. So in this setup all traffic will be received by node1. 
If I want to have high availability does the configuration differ from 
the simple one? Will the SA's be synchronized and will failover work 
correctly when only one node receives 100% of the traffic, and also at 
this time no multicast is used (all traffic is received by the node1, 
both nodes have 1.1.1.50 address so it won't forward it also to node2)?


2) in active/active configuration - if I configure my nodes to send 
virtual next-hop address to ISP routers. In this way both nodes will 
receive connection in round robin fashion however, multicast still won't 
be used - will this solution work correctly, will SA's be correctly 
synchronized and so on?


Also for both cases (if they should work at all) I believe I need to 
make some unusual clusterip rule. So if the address could be reached 
directly from ISP, the clusterip rule would have been like this:

ifconfig vlan50:0 1.1.1.50/24 up
iptables -A INPUT -i vlan50 -d 1.1.1.50/32 -j CLUSTERIP --new --total-nodes 2 --local-node 1


but assuming I have this configuration I guess I need to change the 
incoming interface to the one, on which packets from ISPs are received 
while the address 1.1.1.50 still belongs to vlan50. For example

ifconfig vlan50:0 1.1.1.50/24 up
iptables -A INPUT -i eth0 -d 1.1.1.50/32 -j CLUSTERIP --new --total-nodes 2 --local-node 1
iptables -A INPUT -i eth1 -d 1.1.1.50/32 -j CLUSTERIP --new --total-nodes 2 --local-node 1


Am I right? Won't it cause any problems?
Also, should I patch the 3.16 kernel anyway, or is the needed patch for 
clusterip+strongswan already included in it?



Also, did I understand correctly, strongswan can only use HA mode if 
IKEv2 is used for the tunnel?


Another question, is there a way to have redundant tunnels? So, what do 
I mean - I have two tunnels to two different peers, though they link the 
same subnets. Tunnel is built with one peer, however if it becomes 
unavailable another tunnel should automatically be brought up. Is this 
possible using strongswan utilities?


Thanks in advance.

--
With kind regards,
Aleksey


Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread AlanEvans

I had a very similar experience recently.
For me it turned out that the certificate had expired.


Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread Martin Willi
Hi Milen,

> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> 07[IKE] peer supports MOBIKE
> 07[IKE] authentication of '[...]' (myself) with RSA signature successful
> 07[IKE] sending end entity cert "[...]"
> 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
> 08[JOB] deleting half open IKE_SA after timeout

The client requests EAP authentication, and your Gateway correctly sends
an EAP-Identity request along with a signature and certificate to
authenticate itself to the client. The client, however, never
continues negotiation. Most likely it didn't accept the AUTH signature
or the corresponding certificate.

You may check your client's log for any error, most likely the gateway
certificate is not trusted on the client. I don't think this issue is
directly related to RADIUS authentication, your AAA is not yet involved
at this stage.

Regards
Martin 

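Martin's diagnosis can be turned into a quick check over the charon log. The following is an added example, not code from the thread or from strongSwan: it scans lines in the format quoted above and reports whether the client ever answered the EAP-Identity request after the gateway's CERT/AUTH, using constructed sample lines (the timestamps and names are made up for the example).

```python
import re
from datetime import datetime

# charon syslog line as quoted in the thread: timestamp, host, "charon:", thread[GROUP] message
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: (\d+)\[(\w+)\] (.*)$")

# Constructed sample (not the poster's full log): the gateway answers IKE_AUTH
# with CERT+AUTH plus an EAP-Identity request and nothing further arrives.
STALLED_LOG = """\
Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr ]
Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after timeout
""".splitlines()

# Constructed sample of a client that accepted the gateway's AUTH and answered EAP.
CONTINUED_LOG = """\
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:42:47 server1 charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
""".splitlines()

def parse_line(line):
    """Return (timestamp, message) for a charon line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(4)

def classify_eap_handshake(lines):
    """Report where an EAP-based IKE_AUTH exchange stopped, with seconds elapsed.
    'client_stalled_after_gateway_auth': CERT+AUTH+EAP/REQ/ID went out and the client
    never answered, so client trust in the gateway cert is the first thing to check
    (RADIUS is not involved yet).  'eap_continued': the client answered, AAA is in play.
    'no_ike_auth': timed out before any EAP request.  'incomplete': nothing conclusive."""
    eap_req_sent = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, msg = rec
        if "generating IKE_AUTH response" in msg and "EAP/REQ/ID" in msg:
            eap_req_sent = when
        elif eap_req_sent is not None and "parsed IKE_AUTH request" in msg and "EAP/RES" in msg:
            return "eap_continued", (when - eap_req_sent).total_seconds()
        elif "deleting half open IKE_SA after timeout" in msg:
            if eap_req_sent is None:
                return "no_ike_auth", None
            return "client_stalled_after_gateway_auth", (when - eap_req_sent).total_seconds()
    return "incomplete", None
```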


Re: [strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode

2015-02-20 Thread Martin Willi
Hi Daniel,

> [...] think of a typical Site-to-Site scenario where Subnets are
> protected by their respective gateways.
> 
> However, the expert told me that it is possible to use Transport Mode
> instead of Tunnel Mode for this scenario as well.

As the endpoints that communicate from within the subnets are different
from the gateways that apply encryption, usually tunnel mode is used.
This allows the gateways to communicate with their addresses, and hide
the endpoint addresses in encrypted tunnel mode packets.

> For this Use Case to happen, the gateways must not encapsulate the entire
> IP packets (as Tunnel Mode does) but just need to do the routing task and
> cipher the data. It means that the gateways cipher the L4-7 data without
> changing the original IP header.

Theoretically this could work, where each gateway intercepts packets and
en/decrypts them as a man in the middle. So this would be some kind of
transparent inline encryption; if routing your subnets works outside of
these subnets, that could work.

With IKE(v2), however, the ESP packet addresses (both in tunnel and
transport mode) are implicitly the same addresses used for IKE
negotiation. This implies that you can't actually negotiate SAs from
your gateway for your inner subnet addresses, unless you mangle IKE
addresses as well (or do other tricks).

> 1. Has anyone seen this Use Case working before? If yes, How/Which
> implementation/hardware does so?

I didn't.

> 2. I know that Transport Mode is used for End-Point to End-Point
> communications where data plane is generated from/to end-points. But, Does
> StrongSwan support this kind of Site-to-Site communications in Transport
> Mode?

What we support in strongSwan is a transport-proxy mode for Mobile IPv6,
refer to the ipsec.conf manpage type keyword. It basically allows the
IKE daemon to use the Care-of-Address, but negotiate SAs for the Home
Address. Policy installation is up to a Mobile IP daemon, though. From
our NEWS:

> - Basic Mobile IPv6 support has been introduced, securing Binding Update
>   messages as well as tunneled traffic between Mobile Node and Home Agent.
>   The installpolicy=no option allows peaceful cooperation with a dominant
>   mip6d daemon and the new type=transport_proxy implements the special MIPv6
>   IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
>   but the IPsec SA is set up for the Home Address.

Regards
Martin



[strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread Milen Pankov
Hi,

I have a working strongswan 4.4.1 setup with ikev2 and eap-radius which
I am trying to replicate on strongswan 5.2.0 without success.

My configuration is as follows:

ipsec.conf:

conn ipsec-ikev2
    type=tunnel
    keyexchange=ikev2
    left=left_ip_address
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=left_cert.crt
    right=%any
    rightsourceip=10.1.0.0/23
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add

strongswan.conf:

charon {
    load_modular = yes
    plugins {
        eap-radius {
            accounting = yes
            load = yes
            servers {
                server-a {
                    address = the_radius_ip_address
                    port = 1818
                    secret = the_shared_secret
                    nas_identifier = strongSwan
                }
            }
        }
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

I have compiled strongswan with --enable-eap-radius and eap-radius
module gets loaded on strongswan startup. However authentication on
client fails and running the radius server in debug mode shows that
strongswan doesn't even contact the radius server. Trying to
authenticate to the radius server from the same machine with radtest
works fine. The same configuration works fine with strongswan 4.4.1. I
am probably missing something new in ver.5, but I cannot figure what. I
think I have implemented everything the Wiki suggests. Any help would be
appreciated. This is the strongswan log for reference:

Feb 20 06:42:45 server1 charon: 02[NET] received packet: from 1.2.3.4[1024] to 5.6.7.8[500] (528 bytes)
Feb 20 06:42:45 server1 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 20 06:42:45 server1 charon: 02[IKE] 1.2.3.4 is initiating an IKE_SA
Feb 20 06:42:45 server1 charon: 02[IKE] remote host is behind NAT
Feb 20 06:42:45 server1 charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 20 06:42:45 server1 charon: 02[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[1024] (308 bytes)
Feb 20 06:42:46 server1 charon: 07[NET] received packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (1028 bytes)
Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 20 06:42:46 server1 charon: 07[IKE] received cert request for "C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=My CA, E=support@server1"
Feb 20 06:42:46 server1 charon: 07[IKE] received 34 cert requests for an unknown ca
Feb 20 06:42:46 server1 charon: 07[CFG] looking for peer configs matching 5.6.7.8[%any]...1.2.3.4[192.168.122.54]
Feb 20 06:42:46 server1 charon: 07[CFG] selected peer config 'ipsec-ikev2'
Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 20 06:42:46 server1 charon: 07[IKE] peer supports MOBIKE
Feb 20 06:42:46 server1 charon: 07[IKE] authentication of 'C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support@server1' (myself) with RSA signature successful
Feb 20 06:42:46 server1 charon: 07[IKE] sending end entity cert "C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support@server1"
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:42:46 server1 charon: 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after timeout


Regards,
Milen


[strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode

2015-02-20 Thread Daniel Palomares
Hello All,

I have a "basic" question concerning a specific Use-Case.
I have recently discussed with an expert concerning a scenario which he
told me was successfully tested some years ago (not with Strongswan but
with other hardware vendor).

*The description of the topology is the following*: Imagine two domains
that are reachable through their respective gateways, and both gateways are
capable to establish an IPsec tunnel in order to secure traffic between
both domains.
So, at first sight, I did think of a typical Site-to-Site scenario where
Subnets are protected by their respective gateways.

However, the expert told me that it is possible to use Transport Mode
instead of Tunnel Mode for this scenario as well.
For this Use Case to happen, the gateways must not encapsulate the entire
IP packets (as Tunnel Mode does) but just need to do the routing task and
cipher the data. It means that the gateways cipher the L4-7 data without
changing the original IP header.
I guess there are some equipments that support these scenarios even though they are
not standardized usage of what Transport/Tunnel mode do. Thus, my questions
are:
1. Has anyone seen this Use Case working before? If yes, How/Which
implementation/hardware does so?
2. I know that Transport Mode is used for End-Point to End-Point
communications where data plane is generated from/to end-points. But, Does
StrongSwan support this kind of Site-to-Site communications in Transport
Mode?


Best Regards,
Daniel Palomares

[strongSwan] IPsec in unstable network

2015-02-20 Thread Zesen Qian
Hello list,
I'm using strongswan in an unstable network; by 'unstable' I mean there
may be 5 minutes out of an hour that I cannot connect to the server.
Most of the time I can establish the connection smoothly, but after
several hours or several days, I lose the connection to the server.

charon.log: https://bpaste.net/show/63b9d0e1dfc6
ipsec.statusall: https://bpaste.net/show/ec586241759a

At this point I cannot ping hosts on the other side of the tunnel, however
if I do an ipsec stop && ipsec start, the tunnel is up and everything
works again.

Any comment is appreciated.

-- 
Zesen Qian (钱泽森)