Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT

2017-05-04 Thread Modster, Anthony
Ok, thanks

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
Sent: Thursday, May 04, 2017 8:59 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT 
EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

Look for the list of variables in the large comments in the beginning of the 
updown script

On 04.05.2017 17:48, Modster, Anthony wrote:
> Hello Noel
> ? can you provide the parameters I need to parse for up and down
> 
> -Original Message-
> From: Modster, Anthony
> Sent: Thursday, May 04, 2017 8:47 AM
> To: 'Noel Kuntze' ; 
> users@lists.strongswan.org
> Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
> 
> ok
> 
> -Original Message-
> From: Noel Kuntze 
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 8:46 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
> 
> 2. But you should check what event it is. And you obviously should tear down 
> the routes when the CHILD_SAs go down.
> 
> On 04.05.2017 17:44, Modster, Anthony wrote:
>> Hello Noel
>> Just to be clear
>>
>> If using VICI, (1) do I attach the script during VICI config, or (2) 
> run the script on the "event monitor" callback (when it's called)
>>
>> -Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 8:40 AM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] multiple tunnels
>>
>>
>>
>> On 04.05.2017 17:27, Modster, Anthony wrote:
>>> Hello Noel
>>>
>>> If I disable route installation.
>>>
>>> ? can a custom _updown script be used to set the route for each 
>>> tunnel
>> Phew. I think you can, but you have to take care not to install duplicate 
>> routes. The hook you need to put your commands into is called with each 
>> combination of subnets.
>>
>>> ? or can the "event monitor" callback be used to set the route for 
>>> each tunnel
>> Yes, if you use VICI. You can script something with Python using the vici 
>> egg.
>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Thursday, May 04, 2017 8:22 AM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>>
>>> Nope. But you can disable the route installation from charon by setting 
>>> charon.install_routes to no.
>>> You can't use the _updown script to manage routes.
>>>
>>> On 04.05.2017 17:17, Modster, Anthony wrote:
 Hello Noel

 ? is there a way to use _updown to set both routes (disabling 
 Charon from setting the current route)

 -Original Message-
 From: Noel Kuntze
 [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
 Sent: Thursday, May 04, 2017 4:12 AM
 To: Modster, Anthony ; 
 users@lists.strongswan.org
 Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
 Reputation] multiple tunnels

 Hello Anthony,

 I don't understand what you mean by that, but you could add a route to 
 the remote peer with a higher MTU, if you can actually communicate over 
 the other link with the IP on the other interface (the IP of another 
 provider). If you can't do that, then this is not solvable.

 On 04.05.2017 02:02, Modster, Anthony wrote:
> Hello Noel
> We were thinking of changing the created via for eth1.13 (adding metric 
> info).
> Then when ppp0 tunnel comes up, create another via for it.
>
> I think Charon does try to create a via for ppp0, but can't.
>
> -Original Message-
> From: Noel Kuntze
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Wednesday, May 03, 2017 4:45 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No 
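
The VICI-driven approach Noel points to in this exchange (set charon.install_routes = no, then install and tear down routes yourself from child-updown events, taking care not to install duplicates), as an added Python example that is not part of this thread or of strongSwan. It assumes the vici Python package and iproute2 with JSON output; the IKE_SA name, subnets and interface names in the sample events are constructed.

```python
"""Per-CHILD_SA routes driven by strongSwan VICI child-updown events.
Added example for this thread, not strongSwan's own code. Assumes charon.install_routes = no,
the 'vici' Python package (the "vici egg") and iproute2 with -json output. IKE_SA names,
subnets and interfaces in the sample events are constructed."""
import json
import subprocess
from collections import Counter

try:
    import vici  # strongSwan's Python bindings; optional so the logic below runs offline
except ImportError:
    vici = None


def _norm(obj):
    """vici returns bytes for scalars (older versions for keys too); make it all str."""
    if isinstance(obj, dict): return {_norm(k): _norm(v) for k, v in obj.items()}
    if isinstance(obj, list): return [_norm(v) for v in obj]
    return obj.decode() if isinstance(obj, bytes) else obj


def child_updown_routes(message):
    """Return (is_up, [(remote_ts, peer), ...]) for one child-updown event, whose payload
    is {"up": "yes" only when up, "<ike-sa-name>": {..., "remote-host": peer, "child-sas":
    {"<child>": {"local-ts": [..], "remote-ts": [..]}}}}. A route depends only on the remote
    subnet, so the per-(local_ts, remote_ts) pairs the updown hook sees collapse to one."""
    message = _norm(message)
    selectors = [(ts, ike["remote-host"])
                 for name, ike in message.items() if name != "up"
                 for child in ike.get("child-sas", {}).values()
                 for ts in child.get("remote-ts", [])]
    return "up" in message, selectors


def ip_route_get(peer):
    """Ask the kernel how the peer is reached right now: {"dev", "gateway"?, "prefsrc"?}."""
    out = subprocess.run(["ip", "-j", "route", "get", peer], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)[0]


def route_cmd(verb, remote_ts, hop):
    """Build 'ip route replace|del <remote_ts> dev X [via GW] [src SRC]'."""
    cmd = ["ip", "route", verb, remote_ts, "dev", hop["dev"]]
    if hop.get("gateway"):                 # Ethernet path needs a next hop; on a
        cmd += ["via", hop["gateway"]]     # point-to-point link (ppp0) 'dev' suffices
    if verb == "replace" and hop.get("prefsrc"):
        cmd += ["src", hop["prefsrc"]]
    return cmd


class RouteManager:
    """One kernel route per remote subnet, reference-counted across the CHILD_SAs covering it."""
    def __init__(self, resolve=ip_route_get, run=subprocess.run):
        self.refs = Counter()   # remote_ts -> live CHILD_SAs covering it
        self.hops = {}          # remote_ts -> hop recorded at install time
        self.resolve, self.run = resolve, run

    def handle(self, message):
        """Apply one child-updown event; returns the ip(8) commands it caused."""
        is_up, selectors = child_updown_routes(message)
        commands = []
        for remote_ts, peer in selectors:
            if is_up:
                self.refs[remote_ts] += 1
                if self.refs[remote_ts] == 1:      # first CHILD_SA for this subnet: install
                    self.hops[remote_ts] = self.resolve(peer)
                    commands.append(route_cmd("replace", remote_ts, self.hops[remote_ts]))
            elif self.refs[remote_ts] > 0:         # ignore downs for routes we never added
                self.refs[remote_ts] -= 1
                if self.refs[remote_ts] == 0:      # last CHILD_SA gone: tear down, using the
                    del self.refs[remote_ts]       # recorded hop because the old path may be gone
                    commands.append(route_cmd("del", remote_ts, self.hops.pop(remote_ts)))
        for cmd in commands:
            self.run(cmd, check=True)
        return commands


def demo():
    """Replay constructed events through managers that never touch the kernel."""
    def event(up, child, *remote_ts):
        msg = {"sgateway1-gldl": {"remote-host": b"76.232.248.210", "child-sas": {child: {
            "local-ts": [b"20.20.20.6/32"], "remote-ts": [t.encode() for t in remote_ts]}}}}
        return dict(msg, up=b"yes") if up else msg
    ppp = RouteManager(lambda peer: {"dev": "ppp0", "prefsrc": "198.51.100.7"}, lambda c, check: None)
    eth = RouteManager(lambda peer: {"dev": "eth1.13", "gateway": "192.168.1.1",
                                     "prefsrc": "192.168.1.134"}, lambda c, check: None)
    return [
        ppp.handle(event(True, "gldl-1", "192.0.2.0/24")),                     # install
        ppp.handle(event(True, "gldl-2", "192.0.2.0/24", "203.0.113.0/24")),   # no duplicate
        ppp.handle(event(False, "gldl-1", "192.0.2.0/24")),                    # still in use
        ppp.handle(event(False, "gldl-2", "192.0.2.0/24", "203.0.113.0/24")),  # tear down both
        ppp.handle(event(False, "gldl-9", "198.51.100.0/24")),                 # never installed
        eth.handle(event(True, "gldl-1", "192.0.2.0/24")),                     # gateway form
    ]


def main():
    if vici is None:
        raise SystemExit("install strongSwan's vici Python package first")
    manager = RouteManager()
    for _label, message in vici.Session().listen(["child-updown"]):
        for cmd in manager.handle(message):
            print(" ".join(cmd))


if __name__ == "__main__":
    main()
```

Run demo() to see the planned commands without strongSwan; main() needs a running charon with the vici plugin and root for ip route.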

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tun

2017-05-04 Thread Modster, Anthony
Hello Noel
? can you provide the parameters I need to parse for up and down

-Original Message-
From: Modster, Anthony 
Sent: Thursday, May 04, 2017 8:47 AM
To: 'Noel Kuntze' ; 
users@lists.strongswan.org
Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] 
Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] multiple tunnels

ok

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
Sent: Thursday, May 04, 2017 8:46 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT 
EMAIL: No Reputation] multiple tunnels

2. But you should check what event it is. And you obviously should tear down 
the routes when the CHILD_SAs go down.

On 04.05.2017 17:44, Modster, Anthony wrote:
> Hello Noel
> Just to be clear
> 
> If using VICI, (1) do I attach the script during VICI config, or (2) 
> run the script on the "event monitor" callback (when it's called)
> 
> -Original Message-
> From: Noel Kuntze
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 8:40 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] multiple tunnels
> 
> 
> 
> On 04.05.2017 17:27, Modster, Anthony wrote:
>> Hello Noel
>>
>> If I disable route installation.
>>
>> ? can a custom _updown script be used to set the route for each 
>> tunnel
> 
> Phew. I think you can, but you have to take care not to install duplicate 
> routes. The hook you need to put your commands into is called with each 
> combination of subnets.
> 
>>
>> ? or can the "event monitor" callback be used to set the route for 
>> each tunnel
> 
> Yes, if you use VICI. You can script something with Python using the vici egg.
> 
>>
>> -Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 8:22 AM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Nope. But you can disable the route installation from charon by setting 
>> charon.install_routes to no.
>> You can't use the _updown script to manage routes.
>>
>> On 04.05.2017 17:17, Modster, Anthony wrote:
>>> Hello Noel
>>>
>>> ? is there a way to use _updown to set both routes (disabling 
>>> Charon from setting the current route)
>>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Thursday, May 04, 2017 4:12 AM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> I don't understand what you mean by that, but you could add a route to 
>>> the remote peer with a higher MTU, if you can actually communicate over the 
>>> other link with the IP on the other interface (the IP of another provider). 
>>> If you can't do that, then this is not solvable.
>>>
>>> On 04.05.2017 02:02, Modster, Anthony wrote:
 Hello Noel
 We were thinking of changing the created via for eth1.13 (adding metric 
 info).
 Then when ppp0 tunnel comes up, create another via for it.

 I think Charon does try to create a via for ppp0, but can't.

 -Original Message-
 From: Noel Kuntze
 [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
 Sent: Wednesday, May 03, 2017 4:45 PM
 To: Modster, Anthony ; 
 users@lists.strongswan.org
 Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
 Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re:
 [SUSPECT EMAIL: No Reputation] multiple tunnels

 Hello Anthony,

 As predicted, charon can't find an alternative network path:

 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface
 eth1.13 deactivated
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL]
 192.168.1.134 disappeared from eth1.13
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path 
 is not available anymore, try to find another
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a 
 route to 76.232.248.210 ...
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA due to address change
 2017 May  3 

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tun

2017-05-04 Thread Modster, Anthony
ok

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
Sent: Thursday, May 04, 2017 8:46 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT 
EMAIL: No Reputation] multiple tunnels

2. But you should check what event it is. And you obviously should tear down 
the routes when the CHILD_SAs go down.

On 04.05.2017 17:44, Modster, Anthony wrote:
> Hello Noel
> Just to be clear
> 
> If using VICI, (1) do I attach the script during VICI config, or (2) 
> run the script on the "event monitor" callback (when it's called)
> 
> -Original Message-
> From: Noel Kuntze 
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 8:40 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] multiple tunnels
> 
> 
> 
> On 04.05.2017 17:27, Modster, Anthony wrote:
>> Hello Noel
>>
>> If I disable route installation.
>>
>> ? can a custom _updown script be used to set the route for each 
>> tunnel
> 
> Phew. I think you can, but you have to take care not to install duplicate 
> routes. The hook you need to put your commands into is called with each 
> combination of subnets.
> 
>>
>> ? or can the "event monitor" callback be used to set the route for 
>> each tunnel
> 
> Yes, if you use VICI. You can script something with Python using the vici egg.
> 
>>
>> -Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 8:22 AM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Nope. But you can disable the route installation from charon by setting 
>> charon.install_routes to no.
>> You can't use the _updown script to manage routes.
>>
>> On 04.05.2017 17:17, Modster, Anthony wrote:
>>> Hello Noel
>>>
>>> ? is there a way to use _updown to set both routes (disabling 
>>> Charon from setting the current route)
>>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Thursday, May 04, 2017 4:12 AM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> I don't understand what you mean by that, but you could add a route to 
>>> the remote peer with a higher MTU, if you can actually communicate over the 
>>> other link with the IP on the other interface (the IP of another provider). 
>>> If you can't do that, then this is not solvable.
>>>
>>> On 04.05.2017 02:02, Modster, Anthony wrote:
 Hello Noel
 We were thinking of changing the created via for eth1.13 (adding metric 
 info).
 Then when ppp0 tunnel comes up, create another via for it.

 I think Charon does try to create a via for ppp0, but can't.

 -Original Message-
 From: Noel Kuntze
 [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
 Sent: Wednesday, May 03, 2017 4:45 PM
 To: Modster, Anthony ; 
 users@lists.strongswan.org
 Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
 Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re:
 [SUSPECT EMAIL: No Reputation] multiple tunnels

 Hello Anthony,

 As predicted, charon can't find an alternative network path:

 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface
 eth1.13 deactivated
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL]
 192.168.1.134 disappeared from eth1.13
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path 
 is not available anymore, try to find another
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a 
 route to 76.232.248.210 ...
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA due to address change
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA sgateway1-gldl[1]
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA sgateway1-gldl[1]
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending 
 DPD request
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating 
 INFORMATIONAL request 23 [ ]
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

2017-05-04 Thread Noel Kuntze
2. But you should check what event it is. And you obviously should tear down 
the routes when the CHILD_SAs go down.

On 04.05.2017 17:44, Modster, Anthony wrote:
> Hello Noel
> Just to be clear
> 
> If using VICI, (1) do I attach the script during VICI config, or (2) run the 
> script on the "event monitor" callback (when it's called)
> 
> -Original Message-
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
> Sent: Thursday, May 04, 2017 8:40 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] 
> Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] 
> multiple tunnels
> 
> 
> 
> On 04.05.2017 17:27, Modster, Anthony wrote:
>> Hello Noel
>>
>> If I disable route installation.
>>
>> ? can a custom _updown script be used to set the route for each tunnel
> 
> Phew. I think you can, but you have to take care not to install duplicate 
> routes. The hook you need to put your commands into is called with each 
> combination of subnets.
> 
>>
>> ? or can the "event monitor" callback be used to set the route for 
>> each tunnel
> 
> Yes, if you use VICI. You can script something with Python using the vici egg.
> 
>>
>> -Original Message-
>> From: Noel Kuntze 
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 8:22 AM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Nope. But you can disable the route installation from charon by setting 
>> charon.install_routes to no.
>> You can't use the _updown script to manage routes.
>>
>> On 04.05.2017 17:17, Modster, Anthony wrote:
>>> Hello Noel
>>>
>>> ? is there a way to use _updown to set both routes (disabling Charon 
>>> from setting the current route)
>>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Thursday, May 04, 2017 4:12 AM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> I don't understand what you mean by that, but you could add a route to 
>>> the remote peer with a higher MTU, if you can actually communicate over the 
>>> other link with the IP on the other interface (the IP of another provider). 
>>> If you can't do that, then this is not solvable.
>>>
>>> On 04.05.2017 02:02, Modster, Anthony wrote:
 Hello Noel
 We were thinking of changing the created via for eth1.13 (adding metric 
 info).
 Then when ppp0 tunnel comes up, create another via for it.

 I think Charon does try to create a via for ppp0, but can't.

 -Original Message-
 From: Noel Kuntze
 [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
 Sent: Wednesday, May 03, 2017 4:45 PM
 To: Modster, Anthony ; 
 users@lists.strongswan.org
 Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
 Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re:
 [SUSPECT EMAIL: No Reputation] multiple tunnels

 Hello Anthony,

 As predicted, charon can't find an alternative network path:

 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface
 eth1.13 deactivated
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL]
 192.168.1.134 disappeared from eth1.13
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is 
 not available anymore, try to find another
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a 
 route to 76.232.248.210 ...
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA due to address change
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA sgateway1-gldl[1]
 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
 reauthenticating IKE_SA sgateway1-gldl[1]
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD 
 request
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating 
 INFORMATIONAL request 23 [ ]
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending
 packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received
 packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed 
 INFORMATIONAL response 23 [ ]
 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 
 1 of request with message ID 

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

2017-05-04 Thread Modster, Anthony
Hello Noel
Just to be clear

If using VICI, (1) do I attach the script during VICI config, or (2) run the 
script on the "event monitor" callback (when it's called)

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
Sent: Thursday, May 04, 2017 8:40 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple 
tunnels



On 04.05.2017 17:27, Modster, Anthony wrote:
> Hello Noel
> 
> If I disable route installation.
> 
> ? can a custom _updown script be used to set the route for each tunnel

Phew. I think you can, but you have to take care not to install duplicate 
routes. The hook you need to put your commands into is called with each 
combination of subnets.

> 
> ? or can the "event monitor" callback be used to set the route for 
> each tunnel

Yes, if you use VICI. You can script something with Python using the vici egg.

> 
> -Original Message-
> From: Noel Kuntze 
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 8:22 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
> 
> Nope. But you can disable the route installation from charon by setting 
> charon.install_routes to no.
> You can't use the _updown script to manage routes.
> 
> On 04.05.2017 17:17, Modster, Anthony wrote:
>> Hello Noel
>>
>> ? is there a way to use _updown to set both routes (disabling Charon 
>> from setting the current route)
>>
>> -Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 4:12 AM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] multiple tunnels
>>
>> Hello Anthony,
>>
>> I don't understand what you mean by that, but you could add a route to the 
>> remote peer with a higher MTU, if you can actually communicate over the 
>> other link with the IP on the other interface (the IP of another provider). 
>> If you can't do that, then this is not solvable.
>>
>> On 04.05.2017 02:02, Modster, Anthony wrote:
>>> Hello Noel
>>> We were thinking of changing the created via for eth1.13 (adding metric 
>>> info).
>>> Then when ppp0 tunnel comes up, create another via for it.
>>>
>>> I think Charon does try to create a via for ppp0, but can't.
>>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Wednesday, May 03, 2017 4:45 PM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re:
>>> [SUSPECT EMAIL: No Reputation] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> As predicted, charon can't find an alternative network path:
>>>
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface
>>> eth1.13 deactivated
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL]
>>> 192.168.1.134 disappeared from eth1.13
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is 
>>> not available anymore, try to find another
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a 
>>> route to 76.232.248.210 ...
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
>>> reauthenticating IKE_SA due to address change
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
>>> reauthenticating IKE_SA sgateway1-gldl[1]
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
>>> reauthenticating IKE_SA sgateway1-gldl[1]
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD 
>>> request
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating 
>>> INFORMATIONAL request 23 [ ]
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending
>>> packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received
>>> packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed 
>>> INFORMATIONAL response 23 [ ]
>>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 
>>> 1 of request with message ID 95
>>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending
>>> packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
>>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error 
>>> writing to socket: Invalid argument
>>>
>>> It can't send any packets though, because the 

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

2017-05-04 Thread Noel Kuntze


On 04.05.2017 17:27, Modster, Anthony wrote:
> Hello Noel
> 
> If I disable route installation.
> 
> ? can a custom _updown script be used to set the route for each tunnel

Phew. I think you can, but you have to take care not to install duplicate 
routes. The hook you need to put your commands into is called with each 
combination of subnets.

> 
> ? or can the "event monitor" callback be used to set the route for each tunnel

Yes, if you use VICI. You can script something with Python using the vici egg.

> 
> -Original Message-
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
> Sent: Thursday, May 04, 2017 8:22 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] 
> Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
> 
> Nope. But you can disable the route installation from charon by setting 
> charon.install_routes to no.
> You can't use the _updown script to manage routes.
> 
> On 04.05.2017 17:17, Modster, Anthony wrote:
>> Hello Noel
>>
>> ? is there a way to use _updown to set both routes (disabling Charon 
>> from setting the current route)
>>
>> -Original Message-
>> From: Noel Kuntze 
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 4:12 AM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] multiple tunnels
>>
>> Hello Anthony,
>>
>> I don't understand what you mean by that, but you could add a route to the 
>> remote peer with a higher MTU, if you can actually communicate over the 
>> other link with the IP on the other interface (the IP of another provider). 
>> If you can't do that, then this is not solvable.
>>
>> On 04.05.2017 02:02, Modster, Anthony wrote:
>>> Hello Noel
>>> We were thinking of changing the created via for eth1.13 (adding metric 
>>> info).
>>> Then when ppp0 tunnel comes up, create another via for it.
>>>
>>> I think Charon does try to create a via for ppp0, but can't.
>>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Wednesday, May 03, 2017 4:45 PM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re:
>>> [SUSPECT EMAIL: No Reputation] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> As predicted, charon can't find an alternative network path:
>>>
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface
>>> eth1.13 deactivated
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 
>>> 192.168.1.134 disappeared from eth1.13
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is 
>>> not available anymore, try to find another
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a 
>>> route to 76.232.248.210 ...
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
>>> reauthenticating IKE_SA due to address change
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
>>> reauthenticating IKE_SA sgateway1-gldl[1]
>>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] 
>>> reauthenticating IKE_SA sgateway1-gldl[1]
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD 
>>> request
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating 
>>> INFORMATIONAL request 23 [ ]
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending
>>> packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received
>>> packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
>>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed 
>>> INFORMATIONAL response 23 [ ]
>>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 
>>> of request with message ID 95
>>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending
>>> packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
>>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error 
>>> writing to socket: Invalid argument
>>>
>>> It can't send any packets though, because the address 192.168.1.134 isn't 
>>> bound to any active interface.
>>>
>>> That ends with this:
>>>
>>> 2017 May  3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed 
>>> INFORMATIONAL response 33 [ ]
>>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up 
>>> after 5 retransmits
>>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up 
>>> interface for virtual IP 20.20.20.6 failed
>>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting 
>>> CHILD_SA sgateway1-gldl
>>> 2017 May  3 21:50:51+00:00 

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

2017-05-04 Thread Modster, Anthony
Hello Noel

If I disable route installation.

? can a custom _updown script be used to set the route for each tunnel

? or can the "event monitor" callback be used to set the route for each tunnel

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
Sent: Thursday, May 04, 2017 8:22 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] multiple tunnels

Nope. But you can disable the route installation from charon by setting 
charon.install_routes to no.
You can't use the _updown script to manage routes.

On 04.05.2017 17:17, Modster, Anthony wrote:
> Hello Noel
> 
> ? is there a way to use _updown to set both routes (disabling Charon 
> from setting the current route)
> 
> -Original Message-
> From: Noel Kuntze 
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 4:12 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] multiple tunnels
> 
> Hello Anthony,
> 
> I don't understand what you mean by that, but you could add a route to the 
> remote peer with a higher MTU, if you can actually communicate over the other 
> link with the IP on the other interface (the IP of another provider). If you 
> can't do that, then this is not solvable.
> 
> On 04.05.2017 02:02, Modster, Anthony wrote:
>> Hello Noel
>> We were thinking of changing the created via for eth1.13 (adding metric 
>> info).
>> Then when ppp0 tunnel comes up, create another via for it.
>>
>> I think Charon does try to create a via for ppp0, but can't.
>>
>> -Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Wednesday, May 03, 2017 4:45 PM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re:
>> [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Hello Anthony,
>>
>> As predicted, charon can't find an alternative network path:
>>
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ...
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
>> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD request
>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating INFORMATIONAL request 23 [ ]
>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
>> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed INFORMATIONAL response 23 [ ]
>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 of request with message ID 95
>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
>> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error writing to socket: Invalid argument
>>
>> It can't send any packets though, because the address 192.168.1.134 isn't 
>> bound to any active interface.
>>
>> That ends with this:
>>
>> 2017 May  3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed INFORMATIONAL response 33 [ ]
>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up after 5 retransmits
>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up interface for virtual IP 20.20.20.6 failed
>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting CHILD_SA sgateway1-gldl
>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
>> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 13[IKE] sending DPD request
>>
>> This continues until the end of the log. The interface eth1.13 doesn't come 
>> up in the logs after it was deactivated.
>>
>> The PCAPs 

Re: [strongSwan] Tunnels with dynamic IP and another route issue

2017-05-04 Thread Dusan Ilic
Okay, I will try some things out and see if it gets better. If not I 
will return with some logs :)
I'm just thinking out loud here regarding Charon source route selection, 
because you proposed leaving out the "left"-parameter (defaulting to 
%any I think) and my router is multihomed: what if I mangle the 
output packets on UDP port 500 through the right WAN interface routing 
table? Will that force charon traffic out the right interface too?
Or maybe if I exclude all routing tables present on the gateway (except 
the one I want) in strongswan.conf, then that should force Charon to do 
source route lookups in this table only?


I have made some completely different observations, I tried running 
Strongswan with libipsec instead of kernel modules and noticed two things.


1. The shunt policy doesn't work anymore, the route for local LAN gets 
created with dev ipsec0 (instead of br0). Is this a known bug? I had to 
add a manual route to table 220.


2. It's easier to route, maintain and so on because all traffic goes 
in/out on a dedicated interface (ipsec0), so no need for iptables 
policy matching. However, it's noticeably slower (throughput) and when 
transferring traffic my router almost hits 100% CPU load. Is this normal?


With kernel modules I can reach double the throughput (20 vs 50Mbps), 
however then the CPU is only around 50%. What do you think is the 
bottleneck here for achieving higher throughput? The remote endpoint? With 
Android Strongswan client it's even slower than that (tested on WiFi).
Both sides of the WAN-connection in this case have 100Mbps, so that's 
ruled out.



On 2017-05-03 at 16:23, Noel Kuntze wrote:


On 03.05.2017 13:51, Dusan Ilic wrote:

By the way, it seems the order of shunt connections does matter.

They don't. XFRM doesn't care about what order any policies are inserted, only 
the TS and the priority.


If I put it at the end after all other connections the network gets completely cut 
off...looks like I have to put it directly after the 0.0.0.0  
connection.

Sounds like you have a race condition between charon and the software that gets 
your network connection(s) up. Make charon start after that software is done.
I can't tell for certain though, because you don't share the logs.


Noel Kuntze wrote:



On 02.05.2017 17:41, Dusan Ilic wrote:

I see, thank you.

Well, I seem to have random issues now with my new configuration.

After restarting Strongswan sometimes it works, sometimes it doesn't. Very 
unreliable.
Sometimes it connects with the right source interface, sometimes sending packet: 
from 0.0.0.0[500] to 94.x.x.x[500] (1316 bytes) and this won't work obviously. 
Why 0.0.0.0?
When it connects from the right public WAN IP, sometimes it connects, sometimes 
it just retransmits a bunch of packets. Never had these problems before, and 
I'm confused what's started causing them now.


Read your logs and compare them.


Regarding shunt connections, does it matter in which order they are put in 
ipsec.conf? Like at the top, or the bottom and so on?


No.


On 2017-05-02 at 09:41, Noel Kuntze wrote:

Yes, that's the reason why that happens. No, you need to start using another 
subnet.

On 02.05.2017 02:02, Dusan Ilic wrote:

I seem to have found the problem, it was on my local endpoint. The gateway has 
default iptables rules in the prerouting table dropping traffic entering any 
WAN-interface destined to a LAN-subnet, which I understand is normal as long as 
there isn't any IPsec involved :) The exclude rule below solves it.

iptables -t mangle -I PREROUTING -d 10.1.1.0/26 -i $(nvram get wan3_ifname) -m policy --dir in --pol ipsec --proto esp -j ACCEPT


Now routing everything over the IPsec tunnel works great, but instead a new issue 
has arisen. My VPN remote access users cannot reach the internet anymore (or 
the local subnet for that matter) when the gateway is routing all traffic over 
another IPsec-tunnel, and from the LAN I cannot ping the VPN-client (Android 
Strongswan) either. I'm wildly guessing this is because my VPN-clients are 
getting IPs from the local subnet (rightsourceip=%dhcp), the same subnet that 
I have to create a passthrough connection for. Is this solvable in an easy way, 
or am I forced to put my VPN-clients on a separate subnet?

On 2017-05-01 at 14:57, Noel Kuntze wrote:

I can't help you further easily. You need to check what happens to the packets 
and what actually needs to happen.

On 30.04.2017 23:25, Dusan Ilic wrote:

I have added the following on the local router

iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
(before it was: iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -d 192.168.1.0/24 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j ACCEPT)

And on the remote router

iptables -I FORWARD -s 10.1.1.0/26 -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -j MASQUERADE

And now when the tunnel is up, internet doesn't work at all (all pings time 
out), 

Re: [strongSwan] IPsec performance figures

2017-05-04 Thread Noel Kuntze
Hello,

On 04.05.2017 08:45, Martin Willi wrote:
> Hi,
>
>> are there any reliable performance figures for IPsec throughput on
>> x86_64 Linux machines?
> Nothing I could reference here.

I know of this: 
http://www.intel.ua/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf
>
>> Is 10 GBit/s feasible? If yes, how?
> On commodity hardware, maybe, but only if/when:
>
>  * using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
>  * your NIC can separate traffic to multiple queues (8+), and each
>    queue has assigned a core to process its traffic
>  * you have multiple SAs and flows, so the flows can actually be
>    separated to queues (and cores) in both directions.
>
> If you can't effectively distribute traffic over NIC queues, you should
> consider using pcrypt. Not sure if 10Gbit/s are possible, though.

Pcrypt is actually just a band-aid and only adds marginal performance, in my 
experience. It isn't worth the effort.

Making XFRM faster was discussed in Netdev 1.2. The relevant slides are visible 
in the corresponding video at the referenced time frame[1].
The speedup is an impressive increase from 3.8 Gbps to 5.7 Gbps in a setup with 
one flow and an impressive 115.6 Gbps with 16 bidirectional flows
with all the patches and RSS. I think 10 GBit/s is definitively possible. 
Obviously even a lot more. With the patches, HW offload will also be supported 
generically.

[1] https://www.youtube.com/watch?v=bCVc6o3JxK8 Time: 7:00

Kind regards,
Noel



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] multiple tunnels

2017-05-04 Thread Noel Kuntze
Hello Anthony,

I don't understand what you mean by that, but you could add a route to the 
remote peer with a higher MTU, if you can actually communicate
over the other link with the IP on the other interface (the IP of another 
provider). If you can't do that, then this is not solvable.

On 04.05.2017 02:02, Modster, Anthony wrote:
> Hello Noel
> We were thinking of changing the created via for eth1.13 (adding metric info).
> Then when ppp0 tunnel comes up, create another via for it.
> 
> I think Charon does try to create a via for ppp0, but can't.
> 
> -Original Message-
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
> Sent: Wednesday, May 03, 2017 4:45 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] 
> Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] multiple tunnels
> 
> Hello Anthony,
> 
> As predicted, charon can't find an alternative network path:
> 
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ...
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
> 2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD request
> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating INFORMATIONAL request 23 [ ]
> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
> 2017 May  3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed INFORMATIONAL response 23 [ ]
> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 of request with message ID 95
> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
> 2017 May  3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error writing to socket: Invalid argument
> 
> It can't send any packets though, because the address 192.168.1.134 isn't 
> bound to any active interface.
> 
> That ends with this:
> 
> 2017 May  3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed INFORMATIONAL response 33 [ ]
> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up after 5 retransmits
> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up interface for virtual IP 20.20.20.6 failed
> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting CHILD_SA sgateway1-gldl
> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
> 2017 May  3 21:50:51+00:00 wglng-6 charon [info] 13[IKE] sending DPD request
> 
> This continues until the end of the log. The interface eth1.13 doesn't come 
> up in the logs after it was deactivated.
> 
> The PCAPs are pretty useless, because they don't show the problem. But ESP 
> traffic indeed flows through the different network interfaces.
> Hmh. Curious! I wonder why that is.
> 
> On 04.05.2017 01:25, Modster, Anthony wrote:
>> Hello Noel
>>
>> I am resending the message and for files are compressed.
>>
>> -Original Message-
>> From: Modster, Anthony
>> Sent: Wednesday, May 03, 2017 2:55 PM
>> To: 'Noel Kuntze' ; 
>> users@lists.strongswan.org
>> Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT 
>> EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple 
>> tunnels
>>
>> Hello Noel
>>
>> 1. let me know if any of the files are missing (s/b 3)
>> 2. let me know if the log levels are ok (our settings were more than support 
>> required)
>>
>> The following test and its results will be sent to strongswan for evaluation.
>>
>> bring up ethernet eth1.13
>> when interface comes up start: tcpdump -i eth1.13 -w test_restart_eth113.dat
>> note: ipsec tunnel will start
>> wait for tunnel
>> bring up ppp0
>> when interface comes up start: tcpdump -i ppp0 -w test_restart_ppp0.dat
>> wait for tunnel
>> disconnect ethernet
>> note: ppp0 will stop communicating
>> wait for ppp0 to recover (about 9 mins)
>>
>> 
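An added detection example, not from this list thread or from strongSwan itself: a small Python parser for charon log lines in the format quoted above, which flags the sequence Noel points out, charon still sending from an address that has disappeared from its interface, followed by the socket write error and the virtual IP lookup failure. The sample log is a constructed, unwrapped subset of the lines quoted in this thread; the field names and the `analyze` verdict keys are this example's own.

```python
import re

# Constructed sample: an unwrapped subset of the charon log lines quoted in the thread.
SAMPLE_LOG = """\
2017 May  3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated
2017 May  3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13
2017 May  3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another
2017 May  3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
2017 May  3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
2017 May  3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error writing to socket: Invalid argument
2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up after 5 retransmits
2017 May  3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up interface for virtual IP 20.20.20.6 failed
"""

# One charon line: "<timestamp> <host> charon [<level>] <thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d+ \d\d:\d\d:\d\d[+-]\d\d:\d\d) (?P<host>\S+) charon "
    r"\[(?P<level>\w+)\] (?P<thread>\d+)\[(?P<subsys>\w+)\] (?P<msg>.*)$")

def parse_line(line):
    """Return the fields of one charon log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Walk the log in order and collect the symptoms of a failed path change."""
    f = {"deactivated": [], "lost_addrs": [], "stale_source": [],
         "socket_error": False, "gave_up_after": None, "vip_lookup_failed": None}
    for e in filter(None, map(parse_line, lines)):
        msg = e["msg"]
        if m := re.match(r"interface (\S+) deactivated", msg):
            f["deactivated"].append(m.group(1))
        elif m := re.match(r"([\d.]+) disappeared from \S+", msg):
            f["lost_addrs"].append(m.group(1))
        elif m := re.match(r"sending packet: from ([\d.]+)\[\d+\] to", msg):
            if m.group(1) in f["lost_addrs"]:  # still sending from an address that is gone
                f["stale_source"].append(m.group(1))
        elif msg.startswith("error writing to socket"):
            f["socket_error"] = True
        elif m := re.match(r"giving up after (\d+) retransmits", msg):
            f["gave_up_after"] = int(m.group(1))
        elif m := re.match(r"looking up interface for virtual IP (\S+) failed", msg):
            f["vip_lookup_failed"] = m.group(1)
    # Verdict: a send from a vanished source address plus the failed socket write.
    f["failover_failed"] = bool(f["stale_source"]) and f["socket_error"]
    return f

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```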

Re: [strongSwan] IPsec performance figures

2017-05-04 Thread Martin Willi
Hi,

> are there any reliable performance figures for IPsec throughput on
> x86_64 Linux machines?

Nothing I could reference here.

> Is 10 GBit/s feasible? If yes, how?

On commodity hardware, maybe, but only if/when:

 * using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
 * your NIC can separate traffic to multiple queues (8+), and each
   queue has assigned a core to process its traffic
 * you have multiple SAs and flows, so the flows can actually be
   separated to queues (and cores) in both directions.

If you can't effectively distribute traffic over NIC queues, you should
consider using pcrypt. Not sure if 10Gbit/s are possible, though.

Regards
Martin