[strongSwan] IPsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server
I am experiencing a very interesting behaviour with the strongSwan server. Using the load-tester plugin I can bring up multiple clients. I have set up about 200 clients on 2 machines (each running 100 IPsec tunnels to the servers). I have my own traffic generator which is sending traffic across these multiple tunnels. Initially everything runs fine, but after some time I start getting time-outs in my traffic generator application. I have tried modifying the sysctl settings etc., but nothing has worked. If during that time I bring up another client, everything starts to work again. So the trigger to the non-responsive server is bringing a tunnel up and down. Since I have been doing this, the generator on the other 200 tunnels never times out. It seems like the server is stuck somewhere and a tunnel up or down breaks that loop. Has anyone else experienced the same behaviour?

Thanks,
Meenakshi

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] High availability configuration
Hi guys!

I have a couple of questions regarding strongSwan HA configuration. I have the following topology: I have two Debian wheezy nodes running strongSwan 5.2.1 installed from backports and a 3.16 kernel also installed from wheezy backports. Here is the part of "ipsec statusall" output:

  ipsec statusall
  Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64)

My two nodes receive routes from 2 ISPs using BGP. So both nodes are running quagga and the ISP's router is configured to operate with two neighbors in my AS. The addressing between my external interfaces and the first ISP's gateway (on which the BGP relations are held) is for example (192.168.1.1/24 - ISP gateway, 192.168.1.2 - my cluster node1, 192.168.1.3 - node2). Addressing for the second, let's assume, is in the 192.168.2.0/24 net. My AS is bound to the net, for example, 1.1.1.0/24 and I have, for example, vlan 50 which contains these addresses. So, for maximum reachability, I would like to configure strongSwan to use the source IP from my AS net, for example 1.1.1.50, so all tunnels would be initiated from this IP and even if one ISP fails my tunnels are still reachable. However, is it possible to configure strongSwan in HA mode using such a configuration? So, I see two possible ways how it theoretically might work:

1) in active/standby configuration - when, for example, all BGP traffic will be held by node1 - so the ISP gateways forward traffic to node1 of my cluster, it receives VPN packets for destination 1.1.1.50 and decrypts them and so on. So in this setup all traffic will be received by node1. If I want to have high availability, does the configuration differ from the simple one? Will the SAs be synchronized and will failover work correctly when only one node receives 100% of the traffic, and also at this time no multicast is used (all traffic is received by node1, both nodes have the 1.1.1.50 address so it won't forward it also to node2)?

2) in active/active configuration - if I configure my nodes to send a virtual next-hop address to the ISP routers. In this way both nodes will receive connections in round-robin fashion; however, multicast still won't be used - will this solution work correctly, will the SAs be correctly synchronized and so on?

Also for both cases (if they should work at all) I believe I need to make some unusual CLUSTERIP rule. So if the address could be reached directly from the ISP, the CLUSTERIP rule would have been like this:

  ifconfig vlan50:0 1.1.1.50/24 up
  iptables -A INPUT -i vlan50 -d 1.1.1.50/32 -j CLUSTERIP --new --total-nodes 2 --local-node 1

but assuming I have this configuration I guess I need to change the incoming interface to the one on which packets from the ISPs are received, while the address 1.1.1.50 still belongs to vlan50. For example:

  ifconfig vlan50:0 1.1.1.50/24 up
  iptables -A INPUT -i eth0 -d 1.1.1.50/32 -j CLUSTERIP --new --total-nodes 2 --local-node 1
  iptables -A INPUT -i eth1 -d 1.1.1.50/32 -j CLUSTERIP --new --total-nodes 2 --local-node 1

Am I right? Won't it cause any problems? Also, should I patch the 3.16 kernel anyway, or is the needed patch for clusterip+strongswan included in it? Also, did I understand correctly that strongSwan can only use HA mode if IKEv2 is used for the tunnel?

Another question: is there a way to have redundant tunnels? So, what do I mean - I have two tunnels to two different peers, though they link the same subnets. The tunnel is built with one peer; however, if it becomes unavailable another tunnel should automatically be brought up. Is this possible using strongSwan utilities?

Thanks in advance.

--
With kind regards,
Aleksey
Re: [strongSwan] Cannot get eap-radius working on Strongswan 5
I had a very similar experience recently. For me it turned out that the certificate had expired.
Re: [strongSwan] Cannot get eap-radius working on Strongswan 5
Hi Milen,

> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> 07[IKE] peer supports MOBIKE
> 07[IKE] authentication of '[...]' (myself) with RSA signature successful
> 07[IKE] sending end entity cert "[...]"
> 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
> 08[JOB] deleting half open IKE_SA after timeout

The client requests EAP authentication, and your gateway correctly sends an EAP-Identity request along with a signature and certificate to authenticate itself to the client. The client, however, never continues the negotiation. Most likely it didn't accept the AUTH signature or the corresponding certificate. You may check your client's log for any error; most likely the gateway certificate is not trusted on the client.

I don't think this issue is directly related to RADIUS authentication; your AAA is not yet involved at this stage.

Regards
Martin
Re: [strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode
Hi Daniel,

> [...] think of a typical Site-to-Site scenario where Subnets are
> protected by their respective gateways.
>
> However, the expert told me that it is possible to use Transport Mode
> instead of Tunnel Mode for this scenario as well.

As the endpoints that communicate from within the subnets are different from the gateways that apply encryption, usually tunnel mode is used. This allows the gateways to communicate with their addresses, and hide the endpoint addresses in encrypted tunnel mode packets.

> For this Use Case to happen, the gateways must not encapsulate the entire
> IP packets (as Tunnel Mode does) but just need to do the routing task and
> cipher the data. It means that the gateways cipher the L4-7 data without
> changing the original IP header.

Theoretically this could work, where each gateway intercepts packets and en/decrypts them as a man in the middle. So this would be some kind of transparent inline encryption; if routing your subnets works outside of these subnets, that could work.

With IKE(v2), however, the ESP packet addresses (both in tunnel and transport mode) are implicitly the same addresses used for IKE negotiation. This implies that you can't actually negotiate SAs from your gateway for your inner subnet addresses, unless you mangle IKE addresses as well (or do other tricks).

> 1. Have anyone seen this Use Case working before? If yes, How/Which
> implementation/hardware does so?

I didn't.

> 2. I know that Transport Mode is used for End-Point to End-Point
> communications where data plane is generated from/to end-points. But, Does
> StrongSwan support this kind of Site-to-Site communications in Transport
> Mode?

What we support in strongSwan is a transport-proxy mode for Mobile IPv6; refer to the type keyword in the ipsec.conf manpage. It basically allows the IKE daemon to use the Care-of-Address, but negotiate SAs for the Home Address. Policy installation is up to a Mobile IP daemon, though.

From our NEWS:

> - Basic Mobile IPv6 support has been introduced, securing Binding Update
> messages as well as tunneled traffic between Mobile Node and Home Agent.
> The installpolicy=no option allows peaceful cooperation with a dominant
> mip6d daemon and the new type=transport_proxy implements the special MIPv6
> IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
> but the IPsec SA is set up for the Home Address.

Regards
Martin
[strongSwan] Cannot get eap-radius working on Strongswan 5
Hi,

I have a working strongSwan 4.4.1 setup with IKEv2 and eap-radius which I am trying to replicate on strongSwan 5.2.0 without success. My configuration is as follows:

ipsec.conf:

  conn ipsec-ikev2
      type=tunnel
      keyexchange=ikev2
      left=left_ip_address
      leftsubnet=0.0.0.0/0
      leftauth=pubkey
      leftcert=left_cert.crt
      right=%any
      rightsourceip=10.1.0.0/23
      rightauth=eap-radius
      rightsendcert=never
      eap_identity=%any
      auto=add

strongswan.conf:

  charon {
      load_modular = yes
      plugins {
          eap-radius {
              accounting = yes
              load = yes
              servers {
                  server-a {
                      address = the_radius_ip_address
                      port = 1818
                      secret = the_shared_secret
                      nas_identifier = strongSwan
                  }
              }
          }
          include strongswan.d/charon/*.conf
      }
  }
  include strongswan.d/*.conf

I have compiled strongSwan with --enable-eap-radius and the eap-radius module gets loaded on strongSwan startup. However, authentication on the client fails and running the RADIUS server in debug mode shows that strongSwan doesn't even contact the RADIUS server. Trying to authenticate to the RADIUS server from the same machine with radtest works fine. The same configuration works fine with strongSwan 4.4.1. I am probably missing something new in version 5, but I cannot figure out what. I think I have implemented everything the Wiki suggests. Any help would be appreciated.

This is the strongSwan log for reference:

  Feb 20 06:42:45 server1 charon: 02[NET] received packet: from 1.2.3.4[1024] to 5.6.7.8[500] (528 bytes)
  Feb 20 06:42:45 server1 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
  Feb 20 06:42:45 server1 charon: 02[IKE] 1.2.3.4 is initiating an IKE_SA
  Feb 20 06:42:45 server1 charon: 02[IKE] remote host is behind NAT
  Feb 20 06:42:45 server1 charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
  Feb 20 06:42:45 server1 charon: 02[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[1024] (308 bytes)
  Feb 20 06:42:46 server1 charon: 07[NET] received packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (1028 bytes)
  Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
  Feb 20 06:42:46 server1 charon: 07[IKE] received cert request for "C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=My CA, E=support@server1"
  Feb 20 06:42:46 server1 charon: 07[IKE] received 34 cert requests for an unknown ca
  Feb 20 06:42:46 server1 charon: 07[CFG] looking for peer configs matching 5.6.7.8[%any]...1.2.3.4[192.168.122.54]
  Feb 20 06:42:46 server1 charon: 07[CFG] selected peer config 'ipsec-ikev2'
  Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
  Feb 20 06:42:46 server1 charon: 07[IKE] peer supports MOBIKE
  Feb 20 06:42:46 server1 charon: 07[IKE] authentication of 'C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support@server1' (myself) with RSA signature successful
  Feb 20 06:42:46 server1 charon: 07[IKE] sending end entity cert "C=US, ST=ANY, L=My City, O=MyO, OU=My VPN, CN=*.vpn.server1.com, E=support@server1"
  Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
  Feb 20 06:42:46 server1 charon: 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
  Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after timeout

Regards,
Milen
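Martin's reply above works out where the IKEv2 EAP exchange stalled from the charon log in this post; the following is an added example (not strongSwan code, not from either poster) that applies the same reasoning mechanically, so a stall before or after the gateway's EAP-Identity request can be told apart without reading the whole log. The sample log is constructed from the lines quoted in this thread, and the "RADIUS" substring check assumes the eap-radius plugin mentions RADIUS in its log output.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the charon log quoted in this thread (DNs shortened).
SAMPLE_LOG = """\
Feb 20 06:42:45 server1 charon: 02[NET] received packet: from 1.2.3.4[1024] to 5.6.7.8[500] (528 bytes)
Feb 20 06:42:45 server1 charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 20 06:42:45 server1 charon: 02[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[1024] (308 bytes)
Feb 20 06:42:46 server1 charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
Feb 20 06:42:46 server1 charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 20 06:42:46 server1 charon: 07[IKE] authentication of 'CN=gw' (myself) with RSA signature successful
Feb 20 06:42:46 server1 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 20 06:42:46 server1 charon: 07[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (1380 bytes)
Feb 20 06:43:15 server1 charon: 08[JOB] deleting half open IKE_SA after timeout
"""

# syslog prefix, host, "charon:", thread id, log group in brackets, message
LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ charon: "
                     r"(?P<tid>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$")

VERDICTS = {
    "init": "no IKE_AUTH request received at all: check reachability / NAT traversal",
    "eap_identity_sent": "client went silent after the gateway's AUTH+CERT and EAP-Identity "
                         "request: check the client's log, the gateway certificate is probably "
                         "not trusted there; RADIUS is not involved yet at this stage",
    "eap_continued": "client continued past EAP-Identity: look at the EAP/AAA exchange",
}

def parse(log_text):
    """Yield (timestamp, group, message) for every well-formed charon line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
            yield ts, m["grp"], m["msg"]

def diagnose(log_text):
    """Track the IKEv2 stage reached before a half-open IKE_SA was deleted."""
    stage, last_sent, radius_seen = "none", None, False
    for ts, grp, msg in parse(log_text):
        radius_seen = radius_seen or "RADIUS" in msg  # assumption: plugin logs mention RADIUS
        if msg.startswith("parsed IKE_SA_INIT request"):
            stage = "init"
        elif msg.startswith("generating IKE_AUTH response") and "EAP/REQ/ID" in msg:
            stage = "eap_identity_sent"          # gateway sent AUTH, CERT and EAP-Identity request
        elif msg.startswith("parsed IKE_AUTH request") and stage == "eap_identity_sent":
            stage = "eap_continued"              # client answered the EAP request
        elif msg.startswith("sending packet"):
            last_sent = ts                       # last message the gateway got out
        elif msg.startswith("deleting half open IKE_SA after timeout"):
            stall = int((ts - last_sent).total_seconds()) if last_sent else None
            return {"stage": stage, "stall_seconds": stall, "radius_contacted": radius_seen,
                    "verdict": VERDICTS.get(stage, "unexpected stage")}
    return {"stage": stage, "stall_seconds": None, "radius_contacted": radius_seen,
            "verdict": "no half-open timeout seen"}
```

On the sample log this reports stage eap_identity_sent with a 29 second stall and no RADIUS contact, which is the conclusion Martin drew by hand.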
[strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode
Hello All,

I have a "basic" question concerning a specific Use-Case. I have recently discussed with an expert a scenario which he told me was successfully tested some years ago (not with strongSwan but with another hardware vendor).

*The description of the topology is the following*: Imagine two domains that are reachable through their respective gateways, and both gateways are capable of establishing an IPsec tunnel in order to secure traffic between both domains. So, at first sight, I did think of a typical Site-to-Site scenario where Subnets are protected by their respective gateways.

However, the expert told me that it is possible to use Transport Mode instead of Tunnel Mode for this scenario as well. For this Use Case to happen, the gateways must not encapsulate the entire IP packets (as Tunnel Mode does) but just need to do the routing task and cipher the data. It means that the gateways cipher the L4-7 data without changing the original IP header. I guess there are some devices that support this scenario even though it is not the standardized usage of what Transport/Tunnel mode do.

Thus, my questions are:

1. Has anyone seen this Use Case working before? If yes, how/which implementation/hardware does so?

2. I know that Transport Mode is used for End-Point to End-Point communications where the data plane is generated from/to end-points. But does strongSwan support this kind of Site-to-Site communications in Transport Mode?

Best Regards,
Daniel Palomares
[strongSwan] IPsec in unstable network
Hello list,

I'm using strongSwan in an unstable network; by 'unstable' I mean there may be 5 minutes out of an hour that I cannot connect to the server. Most of the time I can establish the connection smoothly, but after several hours or several days, I lose the connection to the server.

charon.log: https://bpaste.net/show/63b9d0e1dfc6
ipsec statusall: https://bpaste.net/show/ec586241759a

At this point I cannot ping hosts on the other side of the tunnel; however, if I do an ipsec stop && ipsec start, the tunnel is up and everything works again. Any comment is appreciated.

--
Zesen Qian (钱泽森)