Re: [strongSwan] Query on client authentication using EAP-TLS
Hi Akash,

> no TLS peer certificate found for '223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication
> EAP_TLS method failed

As the TLS stack does not find a usable certificate with a private key for your ID, it skips client authentication. Your server most likely requires that, though, and therefore cancels the TLS handshake.

Check that you have configured the private key for your client certificate in ipsec.secrets, that there is no related error in the startup log, and that "ipsec listcerts" shows "has private key" for your client certificate.

Regards
Martin

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Query on client authentication using EAP-TLS
Hi,

In ipsec.secrets I have given the following key:

    :RSA fap-tls-10.prv
    223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org %any : PSK abcd
    223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org : EAP abcdedfgh

Still facing the issue.

Regards,
Akash

On Mon, Feb 23, 2015 at 6:36 PM, Martin Willi mar...@strongswan.org wrote:
> Hi Akash,
>
> > no TLS peer certificate found for '223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication
> > EAP_TLS method failed
>
> As the TLS stack does not find a usable certificate with a private key for your ID, it skips client authentication. Your server most likely requires that, though, and therefore cancels the TLS handshake.
>
> Check that you have configured the private key for your client certificate in ipsec.secrets, that there is no related error in the startup log, and that "ipsec listcerts" shows "has private key" for your client certificate.
>
> Regards
> Martin
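The check Martin asks for, done by hand with the openssl CLI, as an added example that is not part of the thread: "ipsec listcerts" reports "has private key" only when a loaded private key matches the certificate's public key, so comparing the two public keys directly answers the same question offline. The file names fap-tls-10.crt and fap-tls-10.prv are the ones from the thread; the keys, certificate and secrets file created in demo() are constructed test material, and looking a bare key name up under /etc/ipsec.d/private is how strongSwan reads ipsec.secrets.

```shell
#!/bin/sh
# Added example (not from the thread): check that a client certificate and the
# private key named in ipsec.secrets belong together, which is the condition
# behind "has private key" in "ipsec listcerts".  Requires the openssl CLI.
# fap-tls-10.crt / fap-tls-10.prv are the names used in the thread; the files
# that demo() creates are constructed test material.

# Public key (PEM SubjectPublicKeyInfo) embedded in an X.509 certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key in the same PEM form, derived from a private key (PKCS#8 or
# traditional "RSA PRIVATE KEY" encoding).
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Prints "match" when the private key belongs to the certificate, "MISMATCH"
# otherwise.  A file that cannot be parsed is reported on stderr and counts as
# a mismatch, because strongSwan would not load it either.
check_cert_key_match() {
    cert_pk=$(cert_pubkey "$1") || { echo "cannot parse certificate $1" >&2; echo MISMATCH; return 0; }
    key_pk=$(key_pubkey "$2")   || { echo "cannot parse private key $2" >&2; echo MISMATCH; return 0; }
    if [ "$cert_pk" = "$key_pk" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Lists the private-key files referenced by ": RSA <file>" entries in an
# ipsec.secrets file (with or without a space after the colon).  A bare file
# name is resolved under /etc/ipsec.d/private, as strongSwan does; PSK and EAP
# entries are ignored.
rsa_key_files_from_secrets() {
    sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" |
    while IFS= read -r f; do
        case "$f" in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s\n' "/etc/ipsec.d/private/$f" ;;
        esac
    done
}

# Constructed demonstration: one certificate checked against its own key and
# against an unrelated key.  Prints "match MISMATCH".
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/fap-tls-10.prv" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.prv" 2>/dev/null
    openssl req -new -x509 -key "$d/fap-tls-10.prv" -days 1 \
        -subj "/C=IN/O=ARICENT/OU=ARI_FAP/CN=client" -out "$d/fap-tls-10.crt" 2>/dev/null
    good=$(check_cert_key_match "$d/fap-tls-10.crt" "$d/fap-tls-10.prv")
    bad=$(check_cert_key_match "$d/fap-tls-10.crt" "$d/other.prv")
    rm -rf "$d"
    echo "$good $bad"
}
```

On a live client, feed the key files returned by rsa_key_files_from_secrets /etc/ipsec.secrets together with the leftcert file to check_cert_key_match; a MISMATCH there is exactly the state the "no TLS peer certificate found" line reports.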
Re: [strongSwan] High availability configuration
On 2015-02-23 09:43, unite wrote:
> On 2015-02-22 15:29, Noel Kuntze wrote:
> > Hello Michael,
> >
> > I know that. However, even with statically setting the MAC address to the ports the hosts are on, it did not forward the ethernet frames to those ports.
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 22.02.2015 um 14:08 schrieb Michael Schwartzkopff:
> > > No. They started to handle it correctly. According to the specs a switch SHOULD NOT learn a multicast MAC address that belongs to a unicast IP address. Cisco always implemented it, but no other manufacturer. It seems that Juniper started to implement it.
> > >
> > > If you want to set up such a config, you have to configure the correct MAC address in the switches in the ports. Otherwise you could have loops and you will see much traffic.
>
> Hi guys! I am using HP ProCurve switches - I've done quite a little testing, however it seems that it does work, at least I correctly receive multicast traffic on both nodes.

Could you advise something on this my letter:

So... If I use the active/passive config without using a multicast address, should my tunnel source address and the addresses on vpn-linked subnets be present on the currently passive node? Or can I maintain these addresses using, for example, vrrp, so they are only on the active node and are brought up on the passive one only in the case of failure?

In the active/active config, I've written two clusterip rules because I'm not sure how to make it run correctly: so, eth0 - points to the ISP1 (192.168.1.0/24 subnet), eth1 - points to the ISP2 (192.168.2.0/24) subnet, and the tunnel source IP resides on the vlan interface - for example vlan50:0 (1.1.1.50), the subnet for vlan50 is 1.1.1.0/24. I'm just quite new to the iptables clusterip module. Is the input interface stated in the iptables rule somehow strictly bound to the subnet on this interface? Or can it be safely ignored and the rule be written completely without an input interface statement - just using the destination IP and making it clusterip? Or should I create the clusterip using the vlan50 input interface on which the corresponding subnet resides? And also, assuming that routing is implemented using bgp, can I set up cluster IPs only on the external interfaces in the ISP-pointing networks, and just create an interface alias for the tunnel source on the vlan interface?

I guess my explanations are quite unclear, so I'll try to explain in a little bit more detail (I'll use only one ISP in the example). So:

    Remote-Host(100.100.100.100) - Internet --- ISP-Gateway(192.168.1.1)

The ISP gateway is in the same subnet as my two nodes:

    NODE1 eth0(192.168.1.3) --- ISP-Gateway (192.168.1.1)
    NODE2 eth0(192.168.1.4)

The cluster IP for my two nodes will be 192.168.1.2 using clusterip (so traffic should be received by both nodes using multicast). Both node 1 and 2 have the IP 1.1.1.50, which is the tunnel source for all of my tunnels, set just as an alias interface without using a cluster IP (or should it also be clusterip?).

So for example if we trace a packet from the host 100.100.100.100 to my 1.1.1.50 address, at the ISP-Gateway to MY-Cluster stage the packet will hit the clusterip MAC (01:00:5e:11:22:33) on NODE1 interface eth0:0 with the destination of 1.1.1.50 (having a source IP of 100.100.100.100 and the source MAC of the ISP-Gateway interface). It will then be processed by interface vlan50:0 (1.1.1.50), which has the tunnel source IP, and be further decrypted and passed through. At the same time node2 should receive the same traffic via multicast but it shouldn't process it. If another remote host initiates a second tunnel from the 200.200.200.200 IP the process should be the same but traffic processing would be handled by node2. Am I right? Would such a scheme work as expected?

Still, do I need to patch the 3.16 kernel to use the HA plugin? I tried setting up the HA without patching the kernel and failed. As I've said I've installed strongswan 5.2.1 from
[strongSwan] Query on client authentication using EAP-TLS
Hi,

I am trying to run EAP-TLS client authentication with a diameter server. Strongswan is failing the EAP-TLS method.

Strongswan log:

    initiating IKE_SA init_nai_v4_v4_tls[1] to 122.122.122.120
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (708 bytes)
    received packet: from 122.122.122.120[500] to 157.121.121.190[500] (38 bytes)
    parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    peer didn't accept DH group MODP_2048, it requested MODP_1024
    initiating IKE_SA init_nai_v4_v4_tls[1] to 122.122.122.120
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (580 bytes)
    received packet: from 122.122.122.120[500] to 157.121.121.190[500] (349 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
    received cert request for C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA
    received cert request for CN=quarry0, O=Quarry1, L=Gurgaon, C=IN
    sending cert request for C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA
    sending cert request for CN=quarry0, O=Quarry1, L=Gurgaon, C=IN
    sending cert request for C=IN, ST=Haryana, L=Delhi/NCR, O=Aricent, OU=Datacom, CN=Gagandeep, E=gagan.tan...@aricent.com
    sending end entity cert C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org
    establishing CHILD_SA init_nai_v4_v4_tls
    generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
    sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1564 bytes)
    received packet: from 122.122.122.120[500] to 157.121.121.190[500] (892 bytes)
    parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]
    received end entity cert CN=quarry0, C=IN, O=Quarry3
    using certificate CN=quarry0, C=IN, O=Quarry3
    using trusted ca certificate CN=quarry0, O=Quarry1, L=Gurgaon, C=IN
    checking certificate status of CN=quarry0, C=IN, O=Quarry3
    certificate status is not available
    reached self-signed root ca with a path length of 0
    authentication of 'rohit' with RSA signature successful
    server requested EAP_TLS authentication (id 0x02)
    sending end entity cert C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org
    generating IKE_AUTH request 2 [ CERT EAP/RES/TLS ]
    sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1292 bytes)
    received packet: from 122.122.122.120[500] to 157.121.121.190[500] (1100 bytes)
    parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
    negotiated TLS 1.2 using suite TLS_RSA_WITH_AES_128_CBC_SHA
    sending end entity cert C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org
    generating IKE_AUTH request 3 [ CERT EAP/RES/TLS ]
    sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1180 bytes)
    received packet: from 122.122.122.120[500] to 157.121.121.190[500] (316 bytes)
    parsed IKE_AUTH response 3 [ EAP/REQ/TLS ]
    received TLS server certificate 'C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org'
    received TLS cert request for 'C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA'
    no TLS peer certificate found for '223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication
    using certificate C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org
    using trusted ca certificate C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA
    checking certificate status of C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org
    certificate status is not available
    reached self-signed root ca with a path length of 0
    sending end entity cert C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org
    generating IKE_AUTH request 4 [ CERT EAP/RES/TLS ]
    sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1532 bytes)
    received packet: from 122.122.122.120[500] to 157.121.121.190[500] (76 bytes)
    parsed IKE_AUTH response 4 [ EAP/REQ/TLS ]
    EAP_TLS method failed

ipsec.conf:

    conn init_nai_v4_v4_tls
        leftid=223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org
        leftauth=eap
        left=157.121.121.190
        leftsourceip=10.10.10.1
        #ike=3des-sha1-modp1024!
        #esp = aes-md5-modp1024!
        leftcert=fap-tls-10.crt
        leftfirewall=yes
        right=122.122.122.120
        rightsubnet=151.151.151.0/24
        rightid=rohit
        rightauth=pubkey
        auto=add

Kindly let me know if there is any configuration issue or any other issue.

Regards,
Akash
Re: [strongSwan] IPsec in unstable network
Hello Zesen,

I think this might be a problem with the code, rather than with the settings. I would like to get a statement from Tobias or Martin on this, rather than speculation or some guesses from me.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 22.02.2015 um 02:12 schrieb Zesen Qian:
> Hello Noel:
>
> Actually I've increased charon.retransmit_tries to 1024 before that log, you can see the retransmit count up to 8 (rather than 5 as the default) but it still lost the connection.. Is there any other thing I can do to overcome this type of network? Or is IPsec designed to work in such a network?
>
> Noel Kuntze n...@familie-kuntze.de writes:
> > Hello Zesen,
> >
> > After looking at the log, it looks like the state of the IPsec SAs on the two sides got unsynchronized because of the repeated loss of IKE messages. You can't do a lot about this except increase the amount of retransmissions.
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 20.02.2015 um 11:34 schrieb Zesen Qian:
> > > Hello list,
> > >
> > > I'm using strongswan in an unstable network; by 'unstable' I mean there may be 5 minutes out of an hour that I cannot connect to the server. Most of the time I can establish the connection smoothly, but after several hours or several days, I lose the connection to the server.
> > >
> > > charon.log: https://bpaste.net/show/63b9d0e1dfc6
> > > ipsec.statusall: https://bpaste.net/show/ec586241759a
> > >
> > > At this point I cannot ping hosts on the other side of the tunnel, however if I do an "ipsec stop; ipsec start", the tunnel is up and everything works again. Any comment is appreciated.
Re: [strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server
Hello Meenakshi,

Did you check if the IPsec SAs are still there for the tunnels when you get timeouts? I would like to get some information on the state of the IPsec stack when that happens. Stuff like the statistics of the policies (ip -s x p) and the CPU usage. This is likely a problem with the IPsec stack of the Linux kernel, as it does the traffic processing.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 20.02.2015 um 23:22 schrieb meenakshi bangad:
> I am experiencing a very interesting behaviour with the Strongswan server. Using the load tester plugin I can bring up multiple clients. I have set up about 200 clients on 2 machines (each running 100 IPsec tunnels to the servers). I have my own traffic generator which is sending traffic across these multiple tunnels. Initially everything runs fine, but after some time I start getting time-outs in my traffic generator application. I have tried modifying the sysctl settings etc., but nothing has worked. If during that time I bring up another client everything starts to work again. So the trigger for the non-responsive server is bringing tunnels up and down. Since I have been doing this the generator on the other 200 tunnels never times out. It seems like the server is stuck somewhere and a tunnel up or down breaks that loop. Has anyone else experienced the same behaviour?
>
> Thanks,
> Meenakshi
Re: [strongSwan] StrongSwan Mac OS X client
Hello Fred,

You need to set the ID if your clients send one that isn't exactly the same as the configured one (even implicitly). I think this is a problem with how the strongSwan application on Mac OS interacts with the DNS settings of the operating system. I think if you add your weight to that issue, it might get some priority.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 21.02.2015 um 09:54 schrieb Fred:
> Hi all,
>
> I'm having a couple of problems with the Mac OS X app. Mac OS X v10.9.5 (Mavericks).
>
> First problem is that I was having a problem with the DN not matching the hostname even though I have a subjectAltName. I was getting "constraint checking failed" / "no alternative config found". I worked around this by setting leftid= but I shouldn't need to do this if I have specified the hostname in the --san option to the ipsec pki command, right? I've confirmed with ipsec pki --print and I can see the correct name in altNames. In any case, the workaround is good for now, I just don't get why I need to do it in the first place.
>
> Second problem seems to be one to do with utun1 and default routes. If I use the native Cisco IPSEC configuration tool, my DNS servers and routes are all changed to use utun0. When using the StrongSwan app utun1 is created with the correct virtual IP and connects, but DNS doesn't work. My local one is used because the Google DNS servers are ADDED to my current DNS server list and in Mac OS X the order DNS servers are used in is based on which one is the most responsive, i.e. the one with the lowest latency. So my local one is being used outside of the tunnel and this isn't working. If I just set my DNS servers manually it seems to work, but netstat -nr still shows most routes going via enX rather than utunX. Is this just a bug with not setting routes and DNS on the correct interface?
>
> Possibly my second issue is this bug report: https://wiki.strongswan.org/issues/522
Re: [strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server
Please find the output attached for "ip -s x p" on the server. There are in total 11 clients: 10 clients from one machine using the load-tester plugin and 1 from my iOS device.

IP addresses:

    inet 10.10.2.1/32 scope global eth0
    inet 10.10.2.7/32 scope global eth0
    inet 10.10.2.10/32 scope global eth0
    inet 10.10.2.6/32 scope global eth0
    inet 10.10.2.8/32 scope global eth0
    inet 10.10.2.5/32 scope global eth0
    inet 10.10.2.4/32 scope global eth0
    inet 10.10.2.2/32 scope global eth0
    inet 10.10.2.3/32 scope global eth0
    inet 10.10.2.9/32 scope global eth0

When this condition happens, both CPUs are 99% idle. I have to wait for minutes for this situation to clear up and sometimes it might not clear up at all!

thanks,
Meenakshi

On Mon, Feb 23, 2015 at 3:55 PM, Noel Kuntze n...@familie-kuntze.de wrote:
> Hello Meenakshi,
>
> Did you check if the IPsec SAs are still there for the tunnels when you get timeouts? I would like to get some information on the state of the IPsec stack when that happens. Stuff like the statistics of the policies (ip -s x p) and the CPU usage. This is likely a problem with the IPsec stack of the Linux kernel, as it does the traffic processing.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 20.02.2015 um 23:22 schrieb meenakshi bangad:
> > I am experiencing a very interesting behaviour with the Strongswan server. Using the load tester plugin I can bring up multiple clients. I have set up about 200 clients on 2 machines (each running 100 IPsec tunnels to the servers). I have my own traffic generator which is sending traffic across these multiple tunnels. Initially everything runs fine, but after some time I start getting time-outs in my traffic generator application. I have tried modifying the sysctl settings etc., but nothing has worked. If during that time I bring up another client everything starts to work again. So the trigger for the non-responsive server is bringing tunnels up and down. Since I have been doing this the generator on the other 200 tunnels never times out. It seems like the server is stuck somewhere and a tunnel up or down breaks that loop. Has anyone else experienced the same behaviour?
> >
> > Thanks,
> > Meenakshi
[strongSwan] how to setup transport mode with netmask on the right side
I am trying to find out how to set up the right side with a netmask using transport mode. Following is what I did. But somehow it ended up switching to tunnel mode. Can someone let me know what I did wrong here? Thanks!

    left=134.111.75.175
    leftauth=psk
    type=transport
    right=134.111.75.0/24
    rightauth=psk
    esp=3des-md5
    keyexchange=ikev2
    auto=add
Re: [strongSwan] High availability configuration
Hello Aleksey,

Check if you have the ha module by looking at the contents of the /usr/lib/ipsec/plugins/ directory. A file called libstrongswan-ha.so must be there to be able to support HA. It looks like your installation either does not have it, or it is disabled because of settings in /etc/strongswan.d/.

The tunnel source address and the addresses on the vpn-linked subnet should always be on the active node. You need to maintain the addresses using vrrp or other mechanisms.

I am somewhat confused by your many interfaces. Of course you can have the IP on any interface you want and use dynamic routing protocols to. You only need to give the CLUSTERIP rule the IP you want to loadbalance on. You can attach an unlimited number of IPs to an interface. iproute2 can do that. ifconfig can't, because it's ancient.

I do not know if the clusterip rule needs an interface. It is plausible that it needs one, as the IP and the multicast MAC need to be bound to an interface.

I think the kernel patches are in newer default kernels, but I might be wrong here.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 23.02.2015 um 15:21 schrieb unite:
> So, I still can't get the HA plugin working. It doesn't seem to appear in the list of loaded plugins and it doesn't synchronize SA state between the nodes. I haven't patched my kernel for clusterip as written in the HA configuration guide, so I'm now trying to test the active/passive configuration. I have also installed extra plugins but still no use. The strongswan I use is 5.2.1 from the wheezy-backports debian repository.
>
> So the output of ipsec statusall is:
>
>     ipsec statusall
>     Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64):
>       uptime: 72 minutes, since Feb 23 15:00:24 2015
>       malloc: sbrk 675840, mmap 0, used 515280, free 160560
>       worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
>       loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
>
> /etc/strongswan.conf on Node1:
>
>     charon {
>         load_modular = yes
>         plugins {
>             include strongswan.d/charon/*.conf
>             ha {
>                 local = 10.1.64.87
>                 remote = 10.1.64.21
>                 segment_count = 2
>                 fifo_interface = yes
>                 monitor = yes
>                 resync = yes
>                 load = yes
>             }
>         }
>     }
>     include strongswan.d/*.conf
>
> /etc/strongswan.conf on Node2:
>
>     charon {
>         load_modular = yes
>         plugins {
>             include strongswan.d/charon/*.conf
>             ha {
>                 local = 10.1.64.21
>                 remote = 10.1.64.87
>                 segment_count = 2
>                 fifo_interface = yes
>                 monitor = yes
>                 resync = yes
>                 load = yes
>             }
>         }
>     }
>     include strongswan.d/*.conf
>
> Here is the output in /var/log/syslog after service ipsec restart:
>
>     Feb 23 16:15:08 deb-suri charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64)
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loaded IKE secret for 10.1.64.87 10.1.64.21
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loaded IKE secret for 10.1.64.53 10.1.234.100
>     Feb 23 16:15:09 deb-suri charon: 00[CFG] loaded IKE secret for 172.16.28.1 10.1.234.100
>     Feb 23 16:15:09 deb-suri charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
>     Feb 23 16:15:09 deb-suri charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
>     Feb 23 16:15:09 deb-suri charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>     Feb 23 16:15:09
Re: [strongSwan] how to setup transport mode with netmask on the right side
Hello Ko,

You cannot use transport mode with any hosts or IPs other than the ones of the endpoints.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 23.02.2015 um 21:29 schrieb Ko, HsuenJu:
> I am trying to find out how to set up the right side with a netmask using transport mode. Following is what I did. But somehow it ended up switching to tunnel mode. Can someone let me know what I did wrong here? Thanks!
>
>     left=134.111.75.175
>     leftauth=psk
>     type=transport
>     right=134.111.75.0/24
>     rightauth=psk
>     esp=3des-md5
>     keyexchange=ikev2
>     auto=add
Re: [strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode
Hello Martin,

Thank you very much for your reply. I think it is an interesting scenario, even though Transport mode is not made to act as Tunnel mode. Also, it is good to know that StrongSwan supports transport-proxy mode for Mobile IPv6.

Regards
Daniel Palomares

2015-02-20 14:52 GMT+01:00 Martin Willi mar...@strongswan.org:
> Hi Daniel,
>
> > [...] think of a typical Site-to-Site scenario where Subnets are protected by their respective gateways. However, the expert told me that it is possible to use Transport Mode instead of Tunnel Mode for this scenario as well.
>
> As the endpoints that communicate from within the subnets are different from the gateways that apply encryption, usually tunnel mode is used. This allows the gateways to communicate with their addresses, and hide the endpoint addresses in encrypted tunnel mode packets.
>
> > For this Use Case to happen, the gateways must not encapsulate the entire IP packets (as Tunnel Mode does) but just need to do the routing task and cipher the data. It means that the gateways cipher the L4-7 data without changing the original IP header.
>
> Theoretically this could work, where each gateway intercepts packets and en/decrypts them as a man in the middle. So this would be some kind of transparent inline encryption; if routing your subnets works outside of these subnets, that could work.
>
> With IKE(v2), however, the ESP packet addresses (both in tunnel and transport mode) are implicitly the same addresses used for IKE negotiation. This implies that you can't actually negotiate SAs from your gateway for your inner subnet addresses, unless you mangle IKE addresses as well (or do other tricks).
>
> > 1. Has anyone seen this Use Case working before? If yes, how, and which implementation/hardware does so?
>
> I didn't.
>
> > 2. I know that Transport Mode is used for End-Point to End-Point communications where the data plane is generated from/to end-points. But does StrongSwan support this kind of Site-to-Site communications in Transport Mode?
>
> What we support in strongSwan is a transport-proxy mode for Mobile IPv6, refer to the ipsec.conf manpage "type" keyword. It basically allows the IKE daemon to use the Care-of-Address, but negotiate SAs for the Home Address. Policy installation is up to a Mobile IP daemon, though. From our NEWS:
>
>     - Basic Mobile IPv6 support has been introduced, securing Binding Update messages as well as tunneled traffic between Mobile Node and Home Agent. The installpolicy=no option allows peaceful cooperation with a dominant mip6d daemon and the new type=transport_proxy implements the special MIPv6 IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address but the IPsec SA is set up for the Home Address.
>
> Regards
> Martin
Re: [strongSwan] Cannot get eap-radius working on Strongswan 5
Hi,

> My new setup uses MD5 passwords in Radius, while my old config used NT-hash. It seems now with radius-eap I have problems authenticating against the MD5 passwords. It is using eap-mschapv2 and it seems it is not a supported combination -

This can't work, a server verifying clients with EAP-MSCHAPv2 needs the plain password or the NT-Hash of it. Any other password hash can't work with that protocol.

> Can I use another method from strongSwan to authenticate against the radius server with md5 passwords?

This depends on your client. If you have Windows clients, there is probably no way around EAP-MSCHAPv2 for password authentication. Our EAP-GTC plugin exchanges plain passwords, so you basically could store passwords with any hash, but no such method is supported by Windows clients (and I don't know about FreeRADIUS).

Regards
Martin
[strongSwan] OSX weakswan pfkey_open no such file
Hello, this is my first message to the list ;-)

my setting:

VPN Server: Sonicwall NSA E5500 WAN Group VPN

Previously I made it work with CentOS6 and yum install strongswan, all fine with a weakswan conn.

Now trying the same conn with OSX 10.10 yosemite, just to act as a roadwarrior against the same VPN Server:

brew install strongswan --with-curl --with-suite-b

in charon.conf:

i_dont_care_about_security_and_use_aggressive_mode_psk = yes

I'll obfuscate some info...

$ cat ipsec.conf
config setup

conn gandia12
    auto=add
    type=tunnel
    aggressive=yes
    keyexchange=ikev1
    left=%defaultroute
    leftauth=psk
    leftid=GroupVPN
    leftauth2=xauth
    xauth=client
    xauth_identity=user
    right=host.domain.com
    rightid=SNW UNIQ ID
    rightsubnet=192.168.12.0/24
    rightauth=psk
    keyingtries=1
    ike=3des-sha1-modp1024
    ikelifetime=28800s
    esp=3des-sha1
    lifetime=28800s

$ cat ipsec.secrets
GroupVPN SNW UNIQ ID : PSK Secret;-)
user : XAUTH p@w0rd;-)

$ sudo ipsec start
Starting weakSwan 5.2.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
$ sudo ipsec up gandia12
ULISESXXI:etc alexval$ sudo ipsec up gandia12
initiating Aggressive Mode IKE_SA gandia12[1] to 94.127.192.243
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.2.15[500] to destip[500] (396 bytes)
received packet: from destip[500] to 192.168.2.15[500] (405 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D V V HASH ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.2.15[4500] to destip[4500] (108 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (76 bytes)
parsed TRANSACTION request 4014275289 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4014275289 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.2.15[4500] to destip[4500] (92 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 2418823313 [ HASH N(INITIAL_CONTACT) ]
configuration payload missing in XAuth request
establishing connection 'gandia12' failed

ULISESXXI:etc alexval$ sudo ipsec up gandia12
initiating Aggressive Mode IKE_SA gandia12[2] to destip
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.2.15[500] to destip[500] (396 bytes)
received packet: from destip[500] to 192.168.2.15[500] (405 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D V V HASH ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.2.15[4500] to destip[4500] (108 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (76 bytes)
parsed TRANSACTION request 1102551187 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 1102551187 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.2.15[4500] to destip[4500] (92 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (68 bytes)
parsed TRANSACTION request 3574825738 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) successful
IKE_SA gandia12[2] established between 192.168.2.15[GroupVPN]...destip[SNW UNIQ ID]
scheduling reauthentication in 28124s
maximum IKE_SA lifetime 28664s
generating TRANSACTION response 3574825738 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.2.15[4500] to destip[4500] (68 bytes)
generating QUICK_MODE request 1778390774 [ HASH SA No ID ID ]
sending packet: from 192.168.2.15[4500] to destip[4500] (196 bytes)
received packet: from destip[4500] to 192.168.2.15[4500] (156 bytes)
parsed QUICK_MODE response 1778390774 [ HASH SA No ID ID ]
CHILD_SA gandia12{1} established with SPIs 75525fbd_i 42f23025_o and TS 192.168.2.15/32 === 192.168.12.0/24
connection 'gandia12' established successfully

The tunnel is established OK, always on the second try; the Sonicwall asks twice for the username and password.

The tunnel interface utun0 gets created:

Feb 24 02:55:57 ULISESXXI kernel[0]: utun_ctl_connect: creating interface utun0
Feb 24 02:55:57 ULISESXXI.local charon[22124]: 00[LIB] created TUN device: utun0

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 ::1 prefixlen 128
    inet 127.0.0.1 netmask 0xff00
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=4<VLAN_MTU>
    ether b8:8d:12:55:d6:ba
    inet6 fe80::ba8d:12ff:fe55:d6ba%en1 prefixlen 64 scopeid 0x4
    inet
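As an added example (not code from the post or from strongSwan), a small Python parser that turns charon output of the kind quoted above into one record per IKE_SA attempt, so the failed first attempt and the successful second one can be compared side by side, and that flags the Aggressive Mode setting the poster enabled; the sample log lines and the 203.0.113.10 peer address are constructed.

```python
import re
# Constructed sample in the charon format of the post above (two attempts, the
# first failing in XAuth); 203.0.113.10 is a documentation address, not the poster's.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA gandia12[1] to 203.0.113.10
local host is behind NAT, sending keep alives
parsed TRANSACTION request 4014275289 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
configuration payload missing in XAuth request
establishing connection 'gandia12' failed
initiating Aggressive Mode IKE_SA gandia12[2] to 203.0.113.10
local host is behind NAT, sending keep alives
XAuth authentication of 'user' (myself) successful
CHILD_SA gandia12{1} established with SPIs 75525fbd_i 42f23025_o and TS 192.168.2.15/32 === 192.168.12.0/24
connection 'gandia12' established successfully
"""

INIT_RE = re.compile(r"initiating (?P<mode>\w+) Mode IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] to (?P<peer>\S+)")
CHILD_RE = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (.+)")

def summarise_attempts(log_text):
    """One dict per IKE_SA attempt: mode, peer, NAT status, XAuth result, CHILD_SA, outcome."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            cur = {"conn": m["conn"], "ike_sa": int(m["id"]), "peer": m["peer"],
                   "mode": m["mode"], "nat": False, "xauth": None, "child_sa": None,
                   "result": "unknown", "errors": []}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first 'initiating' belong to no attempt
        elif "behind NAT" in line:
            cur["nat"] = True
        elif line.startswith("XAuth authentication of"):
            cur["xauth"] = "successful" if line.endswith("successful") else "failed"
        elif line.startswith("configuration payload missing"):
            cur["errors"].append(line)
        elif CHILD_RE.match(line):
            spi_in, spi_out, ts = CHILD_RE.match(line).groups()
            cur["child_sa"] = {"spi_in": spi_in, "spi_out": spi_out, "ts": ts}
        elif line.endswith("established successfully"):
            cur["result"] = "established"
        elif line.endswith("failed"):
            cur["result"] = "failed"
    return attempts

def weak_settings(attempt):
    """Flag Aggressive Mode: identities and a PSK-keyed hash go out before encryption starts."""
    return ["aggressive-mode"] if attempt["mode"] == "Aggressive" else []
```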