[strongSwan] why i cannot download files through l2tp server after being connected for a couple of minutes?
I run xl2tpd -D on the server side. After I am connected to the xl2tpd server, I can download using the VPN for about 2 minutes, but after that I cannot download anything using the VPN anymore, although the VPN is still connected. Why? The following is the output of the xl2tpd daemon. What does it tell? What could cause such an error message, and how can I solve this problem?

xl2tpd[27406]: Call established with 111.111.xx.xx, Local: 47476, Remote: 1, Serial: 0
xl2tpd[27406]: Maximum retries exceeded for tunnel 50936. Closing.
xl2tpd[27406]: Terminating pppd: sending TERM signal to pid 27415
xl2tpd[27406]: Connection 1 closed to 111.111.xx.xx, port 1701 (Timeout)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 (ref=0/0)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 (ref=0/0)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 (ref=0/0)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 (ref=0/0)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 ... (ref=0/0)
xl2tpd[27406]: Unable to deliver closing message for tunnel 50936. Destroying anyway.
xl2tpd[27406]: Can not find tunnel 50936 (refhim=0)
xl2tpd[27406]: network_thread: unable to find call or tunnel to handle packet. call = 47476, tunnel = 50936 Dumping.
xl2tpd[27406]: Can not find tunnel 50936 (refhim=0)
xl2tpd[27406]: network_thread: unable to find call or tunnel to handle packet. call = 47476, tunnel = 50936 Dumping
...

Detailed message here: http://pastie.org/10198998

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
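Added example (not part of the post above and not xl2tpd code): a small Python triage script that parses xl2tpd syslog lines of the kind shown into events keyed by tunnel and call ID, and summarises the lifecycle they describe. Read in order, the messages say that the call came up, the control connection for tunnel 50936 exhausted its retransmission retries and was closed with reason Timeout, pppd was terminated, and everything after that is traffic still arriving for a tunnel that no longer exists, which xl2tpd dumps. The log text is an abridged copy of the excerpt above; the event names and the verdict string are this example's own.

```python
import re

# Abridged xl2tpd output copied from the post above.
XL2TPD_LOG = """\
xl2tpd[27406]: Call established with 111.111.xx.xx, Local: 47476, Remote: 1, Serial: 0
xl2tpd[27406]: Maximum retries exceeded for tunnel 50936. Closing.
xl2tpd[27406]: Terminating pppd: sending TERM signal to pid 27415
xl2tpd[27406]: Connection 1 closed to 111.111.xx.xx, port 1701 (Timeout)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 (ref=0/0)
xl2tpd[27406]: get_call: can't find call 47476 in tunnel 50936 (ref=0/0)
xl2tpd[27406]: Unable to deliver closing message for tunnel 50936. Destroying anyway.
xl2tpd[27406]: Can not find tunnel 50936 (refhim=0)
xl2tpd[27406]: network_thread: unable to find call or tunnel to handle packet. call = 47476, tunnel = 50936 Dumping.
"""

# Message patterns (event name -> regex); the event names are this example's own.
PATTERNS = [
    ("call_up", re.compile(r"Call established with (?P<peer>\S+), Local: (?P<call>\d+), Remote: (?P<remote>\d+)")),
    ("control_retries_exhausted", re.compile(r"Maximum retries exceeded for tunnel (?P<tunnel>\d+)")),
    ("pppd_terminated", re.compile(r"Terminating pppd: sending TERM signal to pid (?P<pid>\d+)")),
    ("connection_closed", re.compile(r"Connection (?P<remote>\d+) closed to (?P<peer>\S+), port \d+ \((?P<reason>[^)]+)\)")),
    ("close_msg_undelivered", re.compile(r"Unable to deliver closing message for tunnel (?P<tunnel>\d+)")),
    ("stale_call", re.compile(r"get_call: can't find call (?P<call>\d+) in tunnel (?P<tunnel>\d+)")),
    ("stale_tunnel", re.compile(r"Can not find tunnel (?P<tunnel>\d+)")),
    ("stale_packet_dropped", re.compile(r"unable to find call or tunnel to handle packet\.\s*call = (?P<call>\d+), tunnel = (?P<tunnel>\d+)")),
]
LINE_RE = re.compile(r"xl2tpd\[(?P<pid>\d+)\]: (?P<msg>.*)")


def parse_xl2tpd(text):
    """Turn raw xl2tpd syslog lines into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for kind, rx in PATTERNS:
            hit = rx.search(m.group("msg"))
            if hit:
                events.append(dict(kind=kind, daemon_pid=m.group("pid"), **hit.groupdict()))
                break
    return events


def triage(events):
    """Summarise the tunnel lifecycle described by the parsed events."""
    summary = {"calls": [], "timed_out_tunnels": [], "close_reason": None,
               "pppd_pid": None, "close_unacked": False, "stale_messages": 0}
    for e in events:
        k = e["kind"]
        if k == "call_up":
            summary["calls"].append(e["call"])
        elif k == "control_retries_exhausted":
            summary["timed_out_tunnels"].append(e["tunnel"])
        elif k == "pppd_terminated":
            summary["pppd_pid"] = e["pid"]
        elif k == "connection_closed":
            summary["close_reason"] = e["reason"]
        elif k == "close_msg_undelivered":
            summary["close_unacked"] = True   # peer never acknowledged the StopCCN
        else:  # stale_call / stale_tunnel / stale_packet_dropped: packets for a dead tunnel
            summary["stale_messages"] += 1
    # Control-channel retries failing is a keepalive/ack problem, not a data-path one.
    if summary["timed_out_tunnels"] and summary["close_reason"] == "Timeout":
        summary["verdict"] = "control connection lost"
    else:
        summary["verdict"] = "no control timeout seen"
    return summary


if __name__ == "__main__":
    for key, value in triage(parse_xl2tpd(XL2TPD_LOG)).items():
        print("%-22s %s" % (key, value))
```

The useful reading is that the data path (pppd, downloads) stops because the L2TP control connection underneath it was torn down; everything logged after "Connection 1 closed ... (Timeout)" is a consequence, not a separate fault, so investigation belongs on why control messages stopped being acknowledged between the two endpoints.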
Re: [strongSwan] PKCS#12 and leftid
Hi Jacques,

> However, I would need to be able to use the old certificates I have. Is
> there still any way to use them? Do I have to convert unicode to binary
> to have something like leftid=asn1dn:#0a010110101...
> Moreover the sharp sign seems to be interpreted as commentary in bash,
> how am I supposed to prevent it?

You have to use quotes.

leftid="asn1dn:#306c310b3009060355040613024445...

And you have to specify the DN in DER encoded format. openssl asn1parse decodes my DN example to

    0:d=0  hl=2 l= 108 cons: SEQUENCE
    2:d=1  hl=2 l=  11 cons: SET
    4:d=2  hl=2 l=   9 cons: SEQUENCE
    6:d=3  hl=2 l=   3 prim: OBJECT            :countryName
   11:d=3  hl=2 l=   2 prim: PRINTABLESTRING   :DE
   15:...

Regards,
Volker
[strongSwan] win8 to strongswan ikev2
I have a strange problem: the Windows computer errors out quickly, saying "Authentication details for IKE is not being accepted" (translated from Swedish...), but strongSwan says (ipsec status) that the connection is established... I just don't understand...

ipsec.conf:

conn ikev2
    left=%defaultroute
    leftcert=ca.pem
    leftsubnet=192.168.103.0/24
    right=%any
    leftsourceip=192.168.103.201
    rightsourceip=%dhcp
    keyexchange=ikev2
    leftfirewall=yes
    rightid="C=SE, O=Solvare, OU=net, CN=*"
    dpdaction=clear
    dpddelay=300s
    rekey=no
    auto=add

charon log:

2015-05-20 18:18 06[CFG] <2> candidate "ikev2", match: 1/19/28 (me/other/ike)
2015-05-20 18:18 06[CFG] selected peer config 'ikev2'
2015-05-20 18:18 06[CFG] using certificate "C=SE, O=Solvare, OU=net, CN=c-dator"
2015-05-20 18:18 06[CFG] certificate "C=SE, O=Solvare, OU=net, CN=c-dator" key: 2048 bit RSA
2015-05-20 18:18 06[CFG] using trusted ca certificate "C=SE, O=Support, CN=Solvare CA"
2015-05-20 18:18 06[CFG] checking certificate status of "C=SE, O=Solvare, OU=net, CN=c-dator"
2015-05-20 18:18 06[CFG] ocsp check skipped, no ocsp found
2015-05-20 18:18 06[CFG] certificate status is not available
2015-05-20 18:18 06[CFG] certificate "C=SE, O=Support, CN=Solvare CA" key: 2048 bit RSA
2015-05-20 18:18 06[CFG] reached self-signed root ca with a path length of 0
2015-05-20 18:18 06[IKE] authentication of 'C=SE, O=Solvare, OU=net, CN=c-dator' with RSA signature successful
2015-05-20 18:18 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
2015-05-20 18:18 06[IKE] processing INTERNAL_IP4_DNS attribute
2015-05-20 18:18 06[IKE] processing INTERNAL_IP4_NBNS attribute
2015-05-20 18:18 06[IKE] processing INTERNAL_IP4_SERVER attribute
2015-05-20 18:18 06[IKE] processing INTERNAL_IP6_ADDRESS attribute
2015-05-20 18:18 06[IKE] processing INTERNAL_IP6_DNS attribute
2015-05-20 18:18 06[IKE] processing INTERNAL_IP6_SERVER attribute
2015-05-20 18:18 06[IKE] peer supports MOBIKE
2015-05-20 18:18 06[ENC] added payload of type ID_RESPONDER to message
2015-05-20 18:18 06[ENC] added payload of type AUTH to message
2015-05-20 18:18 06[IKE] authentication of 'C=SE, ST=Solvare, O=Solvare, CN=VPN' (myself) with RSA signature successful
2015-05-20 18:18 06[IKE] IKE_SA ikev2[2] established between 37.46.166.66[C=SE, ST=Solvare, O=Solvare, CN=VPN]...46.59.24.181[C=SE, O=Solvare, OU=net, CN=c-dator]
2015-05-20 18:18 06[IKE] IKE_SA ikev2[2] state change: CONNECTING => ESTABLISHED
2015-05-20 18:18 01[JOB] next event in 29s 881ms, waiting
2015-05-20 18:18 06[IKE] sending end entity cert "C=SE, ST=Solvare, O=Solvare, CN=VPN"
2015-05-20 18:18 06[ENC] added payload of type CERTIFICATE to message
2015-05-20 18:18 06[IKE] peer requested virtual IP %any
2015-05-20 18:18 06[KNL] using 192.168.103.201 as address to reach 192.168.103.200/32
2015-05-20 18:18 06[CFG] sending DHCP DISCOVER to 192.168.103.200
2015-05-20 18:18 16[JOB] watched FD 21 ready to read
2015-05-20 18:18 16[JOB] watcher going to poll() 7 fds
2015-05-20 18:18 05[CFG] received DHCP ACK for 192.168.103.160
2015-05-20 18:18 16[JOB] watcher got notification, rebuilding
2015-05-20 18:18 16[JOB] watcher going to poll() 8 fds
2015-05-20 18:18 06[IKE] assigning virtual IP 192.168.103.160 to peer 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] peer requested virtual IP %any6
2015-05-20 18:18 06[IKE] no virtual IP found for %any6 requested by 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] building INTERNAL_IP4_DNS attribute
2015-05-20 18:18 16[JOB] watcher going to poll() 7 fds
2015-05-20 18:18 05[CFG] received DHCP ACK for 192.168.103.160
2015-05-20 18:18 16[JOB] watcher got notification, rebuilding
2015-05-20 18:18 16[JOB] watcher going to poll() 8 fds
2015-05-20 18:18 06[IKE] assigning virtual IP 192.168.103.160 to peer 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] peer requested virtual IP %any6
2015-05-20 18:18 06[IKE] no virtual IP found for %any6 requested by 'C=SE, O=Solvare, OU=net, CN=c-dator'
2015-05-20 18:18 06[IKE] building INTERNAL_IP4_DNS attribute
2015-05-20 18:18 06[ENC] added payload of type CONFIGURATION to message
2015-05-20 18:18 06[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
2015-05-20 18:18 06[CFG] proposing traffic selectors for us:
2015-05-20 18:18 06[CFG]  192.168.103.0/24
2015-05-20 18:18 06[CFG] proposing traffic selectors for other:
2015-05-20 18:18 06[CFG]  192.168.103.160/32
2015-05-20 18:18 06[CFG]   candidate "ikev2" with prio 1+1
2015-05-20 18:18 06[CFG] found matching child config "ikev2" with prio 2
2015-05-20 18:18 06[CFG] selecting proposal:
2015-05-20 18:18 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
2015-05-20 18:18 06[CFG] selecting proposal:
2015-05-20 18:18 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
2015-05-20 18:18 06[CFG] selecting proposal:
2015-05-20 18:18 06[CFG]   no acceptable ENCRYPTION_ALGO
Re: [strongSwan] PKCS#12 and leftid
Indeed, the certificates were not created with the option -utf8, so by default the fields are interpreted as ASCII. I tried to create a certificate with this option and it now works well.

However, I would need to be able to use the old certificates I have. Is there still any way to use them?

I tried to use a prefix in leftid. I read in the strongSwan wiki: "For example, *ipv4:10.0.0.1* does not create a valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary 0x0a01. Instead, one could use *ipv4:#0a01* to get a valid identity".

Do I have to convert unicode to binary to have something like leftid=asn1dn:#0a010110101...

Moreover, the sharp sign seems to be interpreted as a comment in bash; how am I supposed to prevent it?

Regards

2015-05-13 20:12 GMT+02:00 Volker Rümelin:

>> The RDN specifies C=FR, but I don't know if I have to do something more
>> to precise the encoding. Am I supposed to change it at the creation of
>> the x509, of the p12 or after ?
>
> I don't know how you create your x509 certificate. So it's either at the
> creation of your certificate, or even before, at the creation of your
> PKCS#10 certificate request. I use openssl with the -utf8 option,
> string_mask = utf8only in the [req] stanza and my locale codeset is utf8.
>
> Regards,
> Volker
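Added example for this thread (both Jacques's question above and Volker's asn1dn:# answer); it is not from either mail and not strongSwan code. The Python below DER-encodes an X.501 Name from its RDNs and hex-encodes it into the asn1dn:#<hex> form, and decodes such a string back so that the string type of each attribute (PrintableString for the old ASCII certificates, UTF8String for ones made with -utf8) can be checked before it is pasted into leftid. Attribute OIDs are the standard X.520 ones; the DN values are constructed, and the C=DE RDN reproduces the 310b3009060355040613024445 bytes visible in Volker's openssl asn1parse output.

```python
# Added example: DER-encode an X.501 Name into strongSwan's asn1dn:#<hex> form
# and decode it again.  Not strongSwan code; DN values below are constructed.

# X.520 attribute types commonly found in certificate subjects
ATTR_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
             "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_ATTRS = {v: k for k, v in ATTR_OIDS.items()}
# ASN.1 string tags that show up in DNs
STRING_TAGS = {0x13: "PrintableString", 0x0C: "UTF8String",
               0x16: "IA5String", 0x1E: "BMPString"}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:                       # base-128 with continuation bits
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_rdn(attr, value, utf8):
    """One RDN: SET { SEQUENCE { OID, string } }.  countryName is always
    PrintableString; other attributes become UTF8String when utf8 is set
    (what openssl -utf8 / string_mask = utf8only produce), else PrintableString."""
    if attr == "C" or not utf8:
        string = der_tlv(0x13, value.encode("ascii"))
    else:
        string = der_tlv(0x0C, value.encode("utf-8"))
    return der_tlv(0x31, der_tlv(0x30, der_oid(ATTR_OIDS[attr]) + string))


def dn_to_asn1dn(rdns, utf8=False):
    """rdns: list of (attr, value) in DN order -> 'asn1dn:#<hex>'."""
    name = der_tlv(0x30, b"".join(der_rdn(a, v, utf8) for a, v in rdns))
    return "asn1dn:#" + name.hex()


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(data):
    arcs, v = [data[0] // 40, data[0] % 40], 0   # adequate for the 2.5.4.x arcs used here
    for b in data[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def asn1dn_to_rdns(ident):
    """Decode 'asn1dn:#<hex>' -> list of (attr, value, string type)."""
    if not ident.startswith("asn1dn:#"):
        raise ValueError("not an asn1dn:# identity")
    tag, name, _ = _read_tlv(bytes.fromhex(ident[len("asn1dn:#"):]), 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(name):
        tag, rdn, pos = _read_tlv(name, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, p = _read_tlv(atv, 0)
        stag, val, _ = _read_tlv(atv, p)
        oid = _decode_oid(oid)
        out.append((OID_ATTRS.get(oid, oid), val.decode("utf-8"),
                    STRING_TAGS.get(stag, "tag 0x%02x" % stag)))
    return out


if __name__ == "__main__":
    dn = [("C", "DE"), ("O", "Example"), ("CN", "gw")]   # constructed DN
    ident = dn_to_asn1dn(dn)             # PrintableString, like an old ASCII certificate
    print('leftid="%s"' % ident)         # keep the quotes so '#' is not read as a comment
    for attr, value, kind in asn1dn_to_rdns(ident):
        print("  %s=%s (%s)" % (attr, value, kind))
```

Two things the decoder makes visible: the same textual DN encodes to different bytes depending on the string type, which is why an identity string must match the certificate's actual DER and not just its printed form, and the hex produced for an ASCII-only certificate can be checked against `openssl asn1parse` output exactly as Volker does above.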
Re: [strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?
> As per the implementation, an SPD entry would contain the destination
> IP as selector field and uses the same as a key to search the SPD
> table.

I don't think this will work; the remote selector does not have to be unique per CHILD_SA/policy. Having multiple CHILD_SAs with the same remote selector is perfectly fine, and is what load-tester establishes even when it requests a virtual IP. You should include the local address in the SPD lookup as well.

Regards
Martin
Re: [strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?
Hi Martin,

Thank you for this information. We have modified the strongSwan (5.2.2) code to bypass strongSwan's IPsec Linux kernel interface. We have our own SPD and SAD table. As per the implementation, an SPD entry would contain the destination IP as selector field and uses the same as a key to search the SPD table. In the install() function (src/libcharon/sa/child_sa.c), we populate the SPD based upon dst_ts->get_from_address(dst_ts). At the IKE initiator end, it will have the same destination IP address for all the Child SAs. It results in one SPD entry.

11[IKE] CHILD_SA load-test{1} established with SPIs cb8db1db_i 6e4c2042_o and TS 50.0.0.1/32 === 40.0.0.0/8
12[IKE] CHILD_SA load-test{2} established with SPIs cc0db1dc_i 6b4c2043_o and TS 50.0.0.2/32 === 40.0.0.0/8

We need a different IP address of the same subnet to be populated in the SPD (using the load-tester plugin) as follows:

11[IKE] CHILD_SA load-test{1} established with SPIs cb8db1db_i 6e4c2042_o and TS 50.0.0.1/32 === 40.0.0.1/8
12[IKE] CHILD_SA load-test{2} established with SPIs cc0db1dc_i 6b4c2043_o and TS 50.0.0.2/32 === 40.0.0.2/8

Would it solve our issue if I do the appropriate modification in the add_ts() function from load_tester_config.c? If not, please suggest what should be done to accomplish the same. Thanks in advance.

Regards,
Chinmaya

On Wednesday, May 20, 2015 12:52 PM, Martin Willi wrote:

> Hi,
>
> > all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8)
> > on responder side, as proposed by initiator. Is there any way to
> > specify/configure different initiator_tsr for each initiator?
>
> Currently all initiators use the same subnet as defined with initiator_tsr. So no, there is currently no way to define individual subnets for each client.
>
> There is, however, a %unique port option you can use, such as initiator_tsr=40.0.0.1/8[udp/%unique]. This selects a single port for each initiator TSr, starting at 1025. This at least results in unique policies on your gateway under test, but not sure what you intend to test.
>
> If that is not sufficient, have a look at the add_ts() function from load_tester_config.c. It shouldn't be too hard to use a distinct subnet for each initiator, similar to what we do with these %unique ports.
>
> Regards
> Martin
[strongSwan] Statistics
Hello,

I just wondered what statistics are available on bandwidth usage per conn? I know that I can get information per SA using "ip -s xfrm state" and "ipsec statusall", but that information appears to be specific to the SA and these counters are reset when the phase 2 tunnel is rekeyed. Is there any way to query the amount of bandwidth that each phase 2 tunnel has used in the last 5 mins?

What I'm really looking for is the ability to graph bandwidth usage per connection in the same way as we would each interface on a device using snmp.

Cheers,
Tormod

Please consider the environment before printing this email

* This e-mail and any attachments are confidential. If it is not for you, please inform us and delete it immediately without disclosing, copying, or distributing it. If the content is not about the business of PayWizard Group PLC or its clients, then it is neither from nor sanctioned by PayWizard Group PLC. Use of this or any other PayWizard Group PLC e-mail facility signifies consent to interception by PayWizard Group PLC. The views expressed in this email or any attachments may not reflect the views and opinions of PayWizard Group PLC. This message has been scanned for viruses and dangerous content by MailScanner, but PayWizard Group PLC accepts no liability for any damage caused by the transmission of any viruses. PayWizard Group PLC is a public limited company registered in Scotland (SC175703) with its registered office at Cluny Court, John Smith Business Park, Kirkcaldy, Fife, KY2 6QJ.
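Added example (not from the mail above and not strongSwan code) of one way to get per-tunnel counters that survive rekeying from the "ip -s xfrm state" output Tormod mentions: poll it periodically, key each SA by its reqid and direction rather than by SPI, and carry a running total forward so that a rekeyed SA (new SPI, counter back at zero) adds to the tunnel's total instead of resetting it. It assumes that strongSwan keeps the same reqid for a CHILD_SA across rekeys (it does: the reqid identifies the policy, not the individual SA) and that the poll interval is short compared to the SA lifetime, since bytes sent on an old SA between the last poll and its deletion are not counted. The two `ip -s xfrm state` excerpts are constructed and trimmed to the lines the parser needs; the names parse_xfrm_state, TunnelCounters and rates are this example's own.

```python
import re

# Constructed `ip -s xfrm state` excerpt for one CHILD_SA (reqid 1), both directions.
POLL_T0 = """\
src 203.0.113.1 dst 198.51.100.7
    proto esp spi 0xc1e5c7a0 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
    lifetime current:
      120000(bytes), 100(packets)
src 198.51.100.7 dst 203.0.113.1
    proto esp spi 0x7a11b2c3 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    lifetime current:
      50000(bytes), 40(packets)
"""
# Five minutes later: the outbound SA was rekeyed (new SPI, counters restarted),
# the inbound SA is still the same one.  Also constructed.
POLL_T1 = """\
src 203.0.113.1 dst 198.51.100.7
    proto esp spi 0xd00d1234 reqid 1 mode tunnel
    lifetime current:
      30000(bytes), 25(packets)
src 198.51.100.7 dst 203.0.113.1
    proto esp spi 0x7a11b2c3 reqid 1 mode tunnel
    lifetime current:
      80000(bytes), 70(packets)
"""

HDR_RE = re.compile(r"^src (\S+) dst (\S+)")
SPI_RE = re.compile(r"proto (\w+) spi (0x[0-9a-f]+) reqid (\d+)")
CUR_RE = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")


def parse_xfrm_state(text):
    """Parse `ip -s xfrm state` output into a list of SA dicts."""
    sas, cur, in_current = [], None, False
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            in_current = False
            continue
        if cur is None:
            continue
        m = SPI_RE.search(line)
        if m:
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)))
        elif line.strip() == "lifetime current:":
            in_current = True            # the next line carries the live counters
        elif in_current:
            m = CUR_RE.search(line)
            if m:
                cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
            in_current = False
    return sas


class TunnelCounters:
    """Per-(reqid, direction) byte totals that survive SA rekeying."""

    def __init__(self):
        self.last_seen = {}   # (reqid, direction, spi) -> bytes at the previous poll
        self.totals = {}      # (reqid, direction) -> cumulative bytes

    def update(self, sas):
        """Fold one poll into the totals; returns a snapshot of the totals."""
        seen = set()
        for sa in sas:
            key = (sa["reqid"], sa["src"] + "->" + sa["dst"], sa["spi"])
            seen.add(key)
            delta = sa["bytes"] - self.last_seen.get(key, 0)
            if delta < 0:              # counter went backwards: SPI reused by a fresh SA
                delta = sa["bytes"]
            self.totals[key[:2]] = self.totals.get(key[:2], 0) + delta
            self.last_seen[key] = sa["bytes"]
        # SAs missing since the last poll were rekeyed or deleted; their bytes stay in totals
        for key in [k for k in self.last_seen if k not in seen]:
            del self.last_seen[key]
        return dict(self.totals)


def rates(before, after, seconds):
    """Bytes per second per (reqid, direction) between two total snapshots."""
    return {k: (after[k] - before.get(k, 0)) / seconds for k in after}


if __name__ == "__main__":
    tc = TunnelCounters()
    t0 = tc.update(parse_xfrm_state(POLL_T0))
    t1 = tc.update(parse_xfrm_state(POLL_T1))
    for (reqid, direction), bps in rates(t0, t1, 300).items():
        print("reqid %d %s: %.1f B/s" % (reqid, direction, bps))
```

On a live system the two constants would be replaced by the output of `ip -s xfrm state` taken every few seconds, and the (reqid, direction) totals exported to whatever graphs the interfaces; mapping a reqid back to a conn name is a separate lookup against `ipsec statusall`, which prints the reqid next to each CHILD_SA.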
Re: [strongSwan] Strongswan in AWS (NATed), connecting to Cisco 72xx, fails
Hi Florin,

We also use strongSwan to connect to our AWS environments. We run it on CentOS 6. Whenever we tried CentOS 7 we consistently lost around 3% of the packets. I've got a case open with AWS and they've been pretty stumped so far but are continuing to work with me on it and are being pretty helpful. I just wondered whether you'd noticed any packet loss? We've confirmed that the packets make it over the VPN connection from our site to AWS and appear to leave the CentOS 7 instance (which is also routing) bound for the far end device within AWS, but they never arrive there. Hopefully this isn't affecting you, but I'd be interested to know if it is.

Cheers,
Tormod

>>> Florin Andrei 19/05/2015 02:35 >>>
Noel,

That's it. The PSK was wrong. Also, the other side uses IKEv1, whereas the implicit default with strongSwan is IKEv2. I've explicitly enforced IKEv1. Works great now.

Other potential issues: the other side is picky about cipher suites, so I had to add some explicit cipher suite lists. Also, we're running strongSwan in Amazon, and AWS is doing 1:1 NAT for our instances, so I added some conf items for that. Key lifetimes were also important to tweak. Not sure if all the config lines here are mandatory, but anyway, this is what works for us now:

config setup
    nat_traversal=yes

conn %default

conn us2them
    authby=psk
    left=%any
    leftsubnet=our_subnet/netmask
    leftid=private.ip.of.our.VPN.instance
    right=ip.of.their.VPN.gateway
    rightsubnet=their_subnet/netmask
    rightid=ip.of.their.VPN.gateway
    auto=start
    ike = some-list-of-ciphers-that-works
    esp = some-other-list-of-ciphers-that-works
    ikelifetime = some-lifetime-interval
    lifetime = some-other-lifetime-interval
    forceencaps = yes
    keyexchange=ikev1

Again, this is for strongSwan in the AWS cloud, connecting to Cisco 72xx with some custom settings. Thank you.

--
Florin Andrei
http://florin.myip.org/
Re: [strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?
Hi,

> all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8)
> on responder side, as proposed by initiator. Is there any way to
> specify/configure different initiator_tsr for each initiator?

Currently all initiators use the same subnet as defined with initiator_tsr. So no, there is currently no way to define individual subnets for each client.

There is, however, a %unique port option you can use, such as initiator_tsr=40.0.0.1/8[udp/%unique]. This selects a single port for each initiator TSr, starting at 1025. This at least results in unique policies on your gateway under test, but not sure what you intend to test.

If that is not sufficient, have a look at the add_ts() function from load_tester_config.c. It shouldn't be too hard to use a distinct subnet for each initiator, similar to what we do with these %unique ports.

Regards
Martin
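Added example for this thread, serving both Martin's remark earlier on the page that the SPD lookup must include the local address and his description here of the %unique port option; it is not strongSwan code and not the poster's modified tree. The Python below is a toy security policy database: keyed on the remote selector alone, the two CHILD_SAs from the load-test log (load-test{1} and load-test{2}, distinct local /32, identical remote 40.0.0.0/8) collapse into one entry and the first policy is silently replaced; keyed on (local, remote) both survive. The two small generators produce the per-initiator selectors: the port form that initiator_tsr=...[udp/%unique] yields as Martin describes it (ports from 1025), and the per-host /32 form Chinmaya asks about. The names Spd, unique_port_ts, unique_host_ts and compare_spd_keys, and the selector values, are this example's own.

```python
import ipaddress


class Spd:
    """Toy security policy database.  key_on_local=False reproduces the
    destination-address-only lookup described in the thread."""

    def __init__(self, key_on_local=True):
        self.key_on_local = key_on_local
        self.entries = {}        # key -> (name, local_ts, remote_ts)
        self.overwritten = []    # (old name, new name) pairs lost to key collisions

    def _key(self, local_ts, remote_ts):
        return (local_ts, remote_ts) if self.key_on_local else remote_ts

    def install(self, name, local_ts, remote_ts):
        key = self._key(local_ts, remote_ts)
        if key in self.entries:  # a second CHILD_SA with the same key replaces the first
            self.overwritten.append((self.entries[key][0], name))
        self.entries[key] = (name, local_ts, remote_ts)

    def lookup(self, local_ts, remote_ts):
        """Name of the CHILD_SA whose policy would be applied to this flow, or None."""
        entry = self.entries.get(self._key(local_ts, remote_ts))
        return entry[0] if entry else None


def unique_port_ts(base_ts, count, proto="udp", first_port=1025):
    """Selectors as initiator_tsr=<net>[udp/%unique] yields them: same subnet for
    every initiator, one port each, starting at 1025."""
    return ["%s[%s/%d]" % (base_ts, proto, first_port + i) for i in range(count)]


def unique_host_ts(base_net, count):
    """The alternative asked for above: a distinct /32 inside base_net per initiator."""
    hosts = ipaddress.ip_network(base_net, strict=False).hosts()
    return ["%s/32" % next(hosts) for _ in range(count)]


def compare_spd_keys():
    """Install the two CHILD_SAs from the load-test log into both SPD variants."""
    sas = [("load-test{1}", "50.0.0.1/32", "40.0.0.0/8"),
           ("load-test{2}", "50.0.0.2/32", "40.0.0.0/8")]
    remote_only, full = Spd(key_on_local=False), Spd(key_on_local=True)
    for sa in sas:
        remote_only.install(*sa)
        full.install(*sa)
    return {
        "remote_only_entries": len(remote_only.entries),
        "remote_only_overwritten": remote_only.overwritten,
        "remote_only_lookup_sa1": remote_only.lookup("50.0.0.1/32", "40.0.0.0/8"),
        "full_entries": len(full.entries),
        "full_lookup_sa1": full.lookup("50.0.0.1/32", "40.0.0.0/8"),
    }


if __name__ == "__main__":
    for k, v in compare_spd_keys().items():
        print("%-24s %s" % (k, v))
    print(unique_port_ts("40.0.0.1/8", 3))
    print(unique_host_ts("40.0.0.0/8", 3))
```

The failure mode worth noticing is the silent one: with the remote-only key, traffic from 50.0.0.1 is matched to load-test{2}'s policy and SA rather than being rejected, so the bug shows up as wrong SPIs on the wire, not as an error. Making the selectors unique per initiator (either generator) hides that in a load test but does not fix the lookup; including the local selector in the key does.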