Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Mathew Marulla
Holy crap I got it to work!

What was the problem?  Old crappy router at the far end.

All I had to do was force IKEv1 with keyexchange=ikev1 and my existing config worked like a charm.

Thanks everyone!

- Matt

> On Nov 17, 2016, at 12:50 AM, Mathew Marulla  wrote:
> 
> Protocol 50 is open for ESP. Not using AH.
> 
> Kinda moot since I have yet to get beyond IKE.
> 
> Thanks!
> 
> - Matt
> 
>> On Nov 17, 2016, at 12:32 AM, Krishnanarayanan VR wrote:
>> 
>> Ports 500 and 4500 are open to the remote routers in the EC2 security group.
>> 
>> AH & ESP open too?
> 
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Mathew Marulla
Protocol 50 is open for ESP. Not using AH.

Kinda moot since I have yet to get beyond IKE.

Thanks!

- Matt

> On Nov 17, 2016, at 12:32 AM, Krishnanarayanan VR wrote:
> 
> Ports 500 and 4500 are open to the remote routers in the EC2 security group.
> 
> AH & ESP open too?


Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Krishnanarayanan VR
>
> Ports 500 and 4500 are open to the remote routers in the EC2 security group.
>

AH & ESP open too?

Re: [strongSwan] triggering MOBIKE in strongswan

2016-11-16 Thread Andreas Steffen
Hi Ravi,

yes, your understanding is correct. Our MOBIKE example scenario

https://www.strongswan.org/testing/testresults/ikev2/mobike/index.html

shows the interface change:

13[IKE] peer supports MOBIKE
07[KNL] 192.168.0.50 disappeared from eth1
15[KNL] interface eth1 deactivated
16[KNL] fec0::5 disappeared from eth1
07[KNL] fe80::5054:ff:fe3b:cd7 disappeared from eth1
12[IKE] old path is not available anymore, try to find another
12[IKE] looking for a route to 192.168.0.2 ...
12[IKE] requesting address change using MOBIKE
12[ENC] generating INFORMATIONAL request 2 [ ]
12[IKE] checking path 10.1.0.10[4500] - 192.168.0.2[4500]
12[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (80 bytes)
12[IKE] checking path 10.1.0.10[4500] - 10.2.0.1[4500]
12[NET] sending packet: from 10.1.0.10[4500] to 10.2.0.1[4500] (80 bytes)
15[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (80 bytes)
15[ENC] parsed INFORMATIONAL response 2 [ ]
15[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_6_ADDR) ]
15[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (192 bytes)
13[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (160 bytes)
13[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]

Regards

Andreas

On 16.11.2016 15:54, Ravi Kanth Vanapalli wrote:
> Hi,
> 
> I wanted to know how MOBIKE is triggered in strongSwan.
> I have set up an IKEv2 connection to the gateway with MOBIKE enabled.
> I confirmed it from the logs.
> My understanding of MOBIKE is: if the default route to the gateway is
> changed, i.e. let's say from IP1 to IP2, where IP1 is on interface 1 and IP2 is on
> interface 2, the UE triggers a MOBIKE-based IKE SA update to update the source
> IP. strongSwan doesn't bind to any specific interface for sending the
> packets out to the IPsec gateway.
> Could you please confirm if this understanding is correct.
> 
> 
> -- 
> Regards,
> 
> RaviKanth VN Vanapalli
> Email: vvnrk.vanapa...@gmail.com 
> 
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



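The excerpt above is the whole MOBIKE update in one place: the kernel reports the interface gone, charon probes each candidate path with an empty INFORMATIONAL, sends the UPD_SA_ADDR notify (with NAT detection payloads) on the path that answered, and the peer's response to that same message ID confirms the move. As an added example, not part of Andreas's reply or of the strongSwan project, the sh/awk filter below pulls those steps out of charon log lines so an operator can confirm, or alert on, an address change for an IKE SA. The embedded log is Andreas's excerpt, reused here as constructed test input, and the awk field positions assume the "NN[SUBSYS] message" line format it shows.

```shell
#!/bin/sh
# Added example: summarise a MOBIKE address update from charon log lines.
# Not strongSwan project code. SAMPLE_LOG is the excerpt from the post,
# embedded as constructed test input; the awk field positions assume the
# "NN[SUBSYS] message" line format shown there.

SAMPLE_LOG='13[IKE] peer supports MOBIKE
07[KNL] 192.168.0.50 disappeared from eth1
15[KNL] interface eth1 deactivated
16[KNL] fec0::5 disappeared from eth1
12[IKE] old path is not available anymore, try to find another
12[IKE] looking for a route to 192.168.0.2 ...
12[IKE] requesting address change using MOBIKE
12[ENC] generating INFORMATIONAL request 2 [ ]
12[IKE] checking path 10.1.0.10[4500] - 192.168.0.2[4500]
12[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (80 bytes)
12[IKE] checking path 10.1.0.10[4500] - 10.2.0.1[4500]
12[NET] sending packet: from 10.1.0.10[4500] to 10.2.0.1[4500] (80 bytes)
15[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (80 bytes)
15[ENC] parsed INFORMATIONAL response 2 [ ]
15[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_6_ADDR) ]
15[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (192 bytes)
13[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (160 bytes)
13[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]'

# mobike_summary: read charon log lines on stdin and print one line with
#   mobike_supported  peer advertised MOBIKE support
#   iface_lost        interface the kernel reported as deactivated
#   triggered         charon decided to move the IKE SA
#   paths             every candidate path probed ("src->dst", comma separated)
#   new_path          path the UPD_SA_ADDR notify was sent on
#   update_msgid      message ID of the INFORMATIONAL carrying UPD_SA_ADDR
#   acked             1 if the peer answered that exact message ID
mobike_summary() {
    awk '
    /peer supports MOBIKE/                   { supported = 1 }
    /\[KNL\] interface .* deactivated/       { iface = $3 }
    /requesting address change using MOBIKE/ { triggered = 1 }
    /\[IKE\] checking path/ {
        sep = (paths == "") ? "" : ","
        paths = paths sep $4 "->" $6
    }
    /generating INFORMATIONAL request/ && /N\(UPD_SA_ADDR\)/ {
        match($0, /request [0-9]+/)
        upd_msgid = substr($0, RSTART + 8, RLENGTH - 8)
    }
    # first packet sent after the UPD_SA_ADDR was built carries it
    /sending packet:/ && upd_msgid != "" && new_path == "" { new_path = $5 "->" $7 }
    /parsed INFORMATIONAL response/ && upd_msgid != "" {
        match($0, /response [0-9]+/)
        if (substr($0, RSTART + 9, RLENGTH - 9) == upd_msgid) acked = 1
    }
    END {
        printf "mobike_supported=%d iface_lost=%s triggered=%d paths=%s new_path=%s update_msgid=%s acked=%d\n",
               supported, iface, triggered, paths, new_path, upd_msgid, acked
    }'
}

# Stand-alone run over the embedded sample; on a live system pipe the
# charon lines from syslog or journalctl into mobike_summary instead.
printf '%s\n' "$SAMPLE_LOG" | mobike_summary
```

A "triggered=1" with "acked=0" is the case worth alerting on: charon moved the SA but never saw the peer confirm the new address, which is what a dropped or filtered UDP 4500 path looks like in practice.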

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 19:42, Mathew Marulla  wrote:

> Confused now...   Is your VPN entirely within AWS?

Yes.

>  If not, how are you connecting over the public internet with a private IP?

I don’t. I connect to the EIP. But StrongSWAN doesn’t need to know that.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Mathew Marulla
Confused now...   Is your VPN entirely within AWS?  If not, how are you 
connecting over the public internet with a private IP?

I'm going to do a quick network diagram this evening so I can communicate 
better what I am trying to do.

Cheers,

- Matt

> On Nov 16, 2016, at 1:16 PM, Turbo Fredriksson  wrote:
> 
>> On 16 Nov 2016, at 17:56, Mathew Marulla  wrote:
>> 
>> If I am reading your reply correctly, it seems you are getting this to work 
>> by not using an elastic IP, but just the public IP of your instance.  Then 
>> using a script to update it as needed.  Maybe that’s the only way…
>> 
>> I will try removing the elastic IP and seeing if the instance is aware of 
>> its own public IP, i.e. by looking in ifconfig.  Because the elastic IP 
>> certainly does not show up there.
> 
> No, that should be the _private_ IP! That’s the only one that StrongSWAN 
> is/will be aware of and that’s the IP it binds to..
> 
> It doesn’t need to know about the EIP.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 17:56, Mathew Marulla  wrote:

> If I am reading your reply correctly, it seems you are getting this to work 
> by not using an elastic IP, but just the public IP of your instance.  Then 
> using a script to update it as needed.  Maybe that’s the only way…
> 
> I will try removing the elastic IP and seeing if the instance is aware of 
> its own public IP, i.e. by looking in ifconfig.  Because the elastic IP 
> certainly does not show up there.

No, that should be the _private_ IP! That’s the only one that StrongSWAN 
is/will be aware of and that’s the IP it binds to..

It doesn’t need to know about the EIP.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Mathew Marulla
I know the leftid parameter relates to certificates, which I am not using, but 
does it also relate to sending the right identity to the remote router?  I 
assumed so based on this passage in the docs:

how the left|right participant should be identified for authentication;

But after re-reading, it seems to just be for identifying the cert.

If I am reading your reply correctly, it seems you are getting this to work by 
not using an elastic IP, but just the public IP of your instance.  Then using a 
script to update it as needed.  Maybe that’s the only way…

I will try removing the elastic IP and seeing if the instance is aware of its 
own public IP, i.e. by looking in ifconfig.  Because the elastic IP certainly 
does not show up there.

- Matt

> On Nov 16, 2016, at 7:40 AM, Turbo Fredriksson  wrote:
> 
> On 16 Nov 2016, at 05:27, Mathew Marulla  wrote:
> 
>> Although I have read just about every tutorial and similar posting I can 
>> find about running StrongSwan on an EC2 instance, I still can not seem to 
>> get it to work.
> 
> I’m doing the same thing, but I started “from scratch” (didn’t have any 
> existing
> setup so this is the first setup).
> 
> My ipsec.conf:
> 
> —— s n i p ——
> config setup
>     uniqueids=no
>     strictcrlpolicy=no
> 
> # NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
> conn %default
>     left=%ETH0%
>     leftid=vpn.domain.tld
>     leftcert=hostname.pem
>     leftsubnet=
>     leftfirewall=yes
>     leftsendcert=always
>     leftdns=%DNS%
> 
>     rightdns=%DNS%
> 
>     keyexchange=ikev2
>     dpdaction=clear
>     dpddelay=2400s
>     fragmentation=yes
>     forceencaps=yes
>     compress=yes
> 
> ca domain
>     cacert=domain.tld.pem
>     auto=add
> 
> conn client
>     leftsourceip=%ETH0%
> 
>     right=%any
>     rightid=%any
>     rightsourceip=
>     rightauth=eap-mschapv2
> 
>     eap_identity=%identity
>     type=tunnel
>     auto=add
> —— s n i p ——
> 
> %ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
> ‘eth0’ and the ’nameserver’ entry in resolv.conf) because EC2 instances use DHCP.
> So I’m not coding any ‘external’ IP (EIP), just the ‘internal’ (DHCP/private) one..
> 
> I’m not, currently, using any (ELB) load balancers in front of StrongSWAN, but
> I might do that in the future. Maybe.
> 
> 
> I can authenticate and setup the route etc - I can access the ‘internal’ IP 
> via the VPN just fine.
> 
> I have yet to get access to the other VPCs over the VPN. I can access them
> if I first ssh into the VPN server and then ssh to a host in another VPC.
> 
> This is done with VPC peering, but I had _assumed_ that that would  work
> for VPN as well. But it’s not..
> 
> I can’t access any other instance in the VPN VPC though.
> 
> I’m pretty sure that has something to do with the routing table(s), but I haven’t
> had time to look into this. I’m pretty sure the StrongSWAN setup is working
> correctly though; I’m using the exact same setup at home and there everything
> works just fine.


Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 05:27, Mathew Marulla  wrote:

> Although I have read just about every tutorial and similar posting I can find 
> about running StrongSwan on an EC2 instance, I still can not seem to get it 
> to work.

I’m doing the same thing, but I started “from scratch” (didn’t have any existing
setup so this is the first setup).

My ipsec.conf:

—— s n i p ——
config setup
    uniqueids=no
    strictcrlpolicy=no

# NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
conn %default
    left=%ETH0%
    leftid=vpn.domain.tld
    leftcert=hostname.pem
    leftsubnet=
    leftfirewall=yes
    leftsendcert=always
    leftdns=%DNS%

    rightdns=%DNS%

    keyexchange=ikev2
    dpdaction=clear
    dpddelay=2400s
    fragmentation=yes
    forceencaps=yes
    compress=yes

ca domain
    cacert=domain.tld.pem
    auto=add

conn client
    leftsourceip=%ETH0%

    right=%any
    rightid=%any
    rightsourceip=
    rightauth=eap-mschapv2

    eap_identity=%identity
    type=tunnel
    auto=add
—— s n i p ——

%ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
‘eth0’ and the ’nameserver’ entry in resolv.conf) because EC2 instances use DHCP.
So I’m not coding any ‘external’ IP (EIP), just the ‘internal’ (DHCP/private) one..

I’m not, currently, using any (ELB) load balancers in front of StrongSWAN, but
I might do that in the future. Maybe.


I can authenticate and setup the route etc - I can access the ‘internal’ IP via 
the VPN just fine.

I have yet to get access to the other VPCs over the VPN. I can access them
if I first ssh into the VPN server and then ssh to a host in another VPC.

This is done with VPC peering, but I had _assumed_ that that would  work
for VPN as well. But it’s not..

I can’t access any other instance in the VPN VPC though.

I’m pretty sure that has something to do with the routing table(s), but I haven’t
had time to look into this. I’m pretty sure the StrongSWAN setup is working
correctly though; I’m using the exact same setup at home and there everything
works just fine.
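As an added example (not Turbo's own boot script, and not strongSwan project code), here is a POSIX sh version of the step his post describes: read the eth0 address and the first nameserver, fill %ETH0% and %DNS% in a template, and refuse to write the file if either value is not a plain IPv4 address. The template path /etc/ipsec.conf.template in the comments and the sample `ip -4 -o addr` output, resolv.conf and template are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Turbo's own script: render ipsec.conf at boot by filling
# the %ETH0% and %DNS% placeholders his post describes. Only the private
# (DHCP) address is used; the Elastic IP is 1:1 NAT applied by AWS outside
# the instance, so it is neither visible on eth0 nor needed in ipsec.conf.
# All sample inputs below are constructed for this example.

# Constructed sample of `ip -4 -o addr show dev eth0` output.
SAMPLE_IP_ADDR='2: eth0    inet 10.0.1.23/24 brd 10.0.1.255 scope global dynamic eth0\       valid_lft 3000sec preferred_lft 3000sec'

# Constructed sample /etc/resolv.conf as written by the DHCP client.
SAMPLE_RESOLV='# Generated by dhclient
search ec2.internal
nameserver 10.0.0.2
nameserver 10.0.0.3'

# Constructed template carrying the placeholders from the post.
SAMPLE_TEMPLATE='conn %default
    left=%ETH0%
    leftdns=%DNS%
    rightdns=%DNS%
    forceencaps=yes'

# first_nameserver: print the first nameserver listed in resolv.conf text on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# iface_ipv4: print the first IPv4 address from `ip -4 -o addr show dev <dev>`
# output on stdin, with the prefix length stripped.
iface_ipv4() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# is_ipv4: accept only dotted digits with at least three dots, so a value read
# from DHCP can never be spliced into ipsec.conf (or the sed expression) unchecked.
is_ipv4() {
    case "$1" in
        "" | *[!0-9.]* ) return 1 ;;
        *.*.*.* )        return 0 ;;
        * )              return 1 ;;
    esac
}

# render_ipsec_conf IP DNS: substitute %ETH0% and %DNS% in the template read
# from stdin; fail if either value is not an IPv4 address or a placeholder
# survives, so a half-rendered config is never written.
render_ipsec_conf() {
    ip="$1"; dns="$2"
    is_ipv4 "$ip"  || { echo "render_ipsec_conf: bad eth0 address '$ip'" >&2; return 1; }
    is_ipv4 "$dns" || { echo "render_ipsec_conf: bad nameserver '$dns'" >&2; return 1; }
    out=$(sed -e "s/%ETH0%/$ip/g" -e "s/%DNS%/$dns/g") || return 1
    case "$out" in
        *%ETH0%* | *%DNS%* ) echo "render_ipsec_conf: placeholder left unfilled" >&2; return 1 ;;
    esac
    printf '%s\n' "$out"
}

# Stand-alone demonstration on the constructed samples. On an instance the
# boot script would run instead (paths assumed for this example):
#   ip=$(ip -4 -o addr show dev eth0 | iface_ipv4)
#   dns=$(first_nameserver < /etc/resolv.conf)
#   render_ipsec_conf "$ip" "$dns" < /etc/ipsec.conf.template > /etc/ipsec.conf
ip=$(printf '%s\n' "$SAMPLE_IP_ADDR" | iface_ipv4)
dns=$(printf '%s\n' "$SAMPLE_RESOLV" | first_nameserver)
printf '%s\n' "$SAMPLE_TEMPLATE" | render_ipsec_conf "$ip" "$dns"
```

The validation step is the part worth keeping: the script runs as root at boot on values it did not choose, so anything that is not dotted digits stops the run rather than landing in ipsec.conf. It also shows why the EIP never has to appear anywhere on the instance: strongSwan binds the private address, the remote peer is configured with the EIP, and the IKE NAT-D payloads tell both sides a NAT sits in between, which is what moves the exchange to UDP 4500 and is why forceencaps=yes and the 500/4500 security-group rules discussed in this thread fit together.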

Re: [strongSwan] strongswan on android phone does nothing (select profile, does nothing)

2016-11-16 Thread Tobias Brunner
Hi Don,

> I'm not sure what else to try, can anyone suggest?

If you are using Google's Project Fi, please have a look at [1].

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient#Known-LimitationsIssues