[strongSwan] Strongswan as responder only
Hello Strongswan users,

I have a basic question on how to enable a particular strongswan connection as responder only. Basically another peer (security gateway) will try to establish an IKE/IPsec connection towards strongswan in responder mode. I tried the following configuration and strongswan seems to report an error.

config setup
    charondebug=all

conn %default
    keyingtries=1
    keyexchange=ikev2
    reauth=no

conn peering
    left=172.16.20.51
    leftfirewall=no
    leftauth=psk
    right=172.16.20.2
    rightauth=psk
    auto=add
    esp=aes-sha1-modp1024
    ike=aes-sha1-md5-modp1024
    type=tunnel
    rekey=yes

/var/log/messages shows

Sep 5 00:21:06 acme95 charon-custom: 00[JOB] spawning 16 worker threads
Sep 5 00:21:06 acme95 charon-custom: 09[CFG] received stroke: add connection 'peering'
Sep 5 00:21:06 acme95 charon-custom: 09[CFG] added configuration 'peering'
Sep 5 00:21:36 acme95 charon-custom: 10[NET] received packet: from 172.16.20.51[500] to 172.16.20.2[500] (420 bytes)
Sep 5 00:21:36 acme95 charon-custom: 10[ENC] payload type TRAFFIC_SELECTOR_INITIATOR was not encrypted
Sep 5 00:21:36 acme95 charon-custom: 10[ENC] could not decrypt payloads
Sep 5 00:21:36 acme95 charon-custom: 10[IKE] integrity check failed
Sep 5 00:21:36 acme95 charon-custom: 10[IKE] IKE_SA_INIT request with message ID 0 processing failed

Also I attempted to enable debug logging, but I do not see any more details beyond the above.

Thanks,
Balaji
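As an added example (not from Balaji's mail), a responder-only IKEv2 PSK connection written from the side that, according to the log above, receives the IKE_SA_INIT: in strongSwan left is always the local host, and the log shows this host being addressed on 172.16.20.2 with the peer at 172.16.20.51, the reverse of the posted left/right. The proposals and the ipsec.secrets line are assumptions.

```conf
# /etc/ipsec.conf  (added example; addresses taken from the log in the post)
config setup
    # targeted log levels instead of "all": IKE state, config, network, encoding
    charondebug="ike 2, cfg 2, net 2, enc 1"

conn %default
    keyexchange=ikev2
    keyingtries=1
    reauth=no

conn peering
    # left is always the local side: the address this host was contacted on
    left=172.16.20.2
    leftauth=psk
    # right is the peer that initiates (the security gateway)
    right=172.16.20.51
    rightauth=psk
    # assumed proposals: no md5 and no 1024-bit DH group
    ike=aes256-sha384-modp2048
    esp=aes256-sha384-modp2048
    type=tunnel
    rekey=yes
    # auto=add loads the conn so charon answers this peer but never initiates
    # itself; that is the "responder only" behaviour asked for
    auto=add

# /etc/ipsec.secrets  (assumed value; replace before use)
172.16.20.2 172.16.20.51 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```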
Re: [strongSwan] Cannot ping machines on remote local network
Hi,

> type=passthrough

You're sabotaging yourself. There is no IPsec processing happening with type=passthrough.

> threads = 8

You're doing it again. That can lock up the daemon later. Don't do that. Luckily, the setting is outside the valid configuration block, so it's invalid and ignored.

> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1

Unnecessary.

> left=%defaultroute

Unnecessary.

> kernel-pfkey

Plugin for the legacy IPsec API. Don't use it.

> ping R6400
> PING R6400 (192.168.0.121) 56(84) bytes of data.
> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable

Your next hop is sending that error. You're leaking private addresses into the WAN. That is forbidden. Don't do that.

> Routers iptable output:
>
> iptables -vnL

The output is unusable. Provide the output of `iptables-save`.

> I have tried so many things, but still cannot ping from either side or access any local machines.
> Does anyone have a clue? Can I provide additional info?

You're having no success because you're trying random shit from the Internet. About 99,999% of the strongSwan related information on third party sites is either wrong or of questionable quality. Don't get your information from any place but the project's website.

Kind regards
Noel

On 5 September 2017 00:53:20 MESZ, Ric S wrote:
> Hi folks,
>
> I have been ripping my hair out with this issue.
>
> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is 192.168.0.1/24.
> I can successfully connect to it with an iPad with ikev2 and surf the internet, but I cannot reach any internal machines.
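Putting Noel's and Bas's corrections together, here is an added example (not from the thread) of the posted configuration with the objected settings changed: type=tunnel instead of passthrough, no left=%defaultroute and no interfaces_ignore, the strongswan.conf keys inside the charon block where they take effect, kernel-pfkey not loaded, and IP forwarding enabled on the router. The shortened proposal lists and the secondary DNS value are my assumptions.

```conf
# /etc/ipsec.conf  (added example)
config setup
    charondebug="net 2, knl 2, cfg 2"

conn ikev2
    keyexchange=ikev2
    # assumed, shortened lists: no modp1024 and no mixed six-way ESP proposal
    ike=aes256-sha384-modp2048,aes128-sha256-ecp256
    esp=aes256-sha384,aes128-sha256
    dpdaction=clear
    dpddelay=60s
    # no left= line: charon determines the local address itself
    leftfirewall=yes
    lefthostaccess=yes
    leftid=myname.ddns.net
    leftsubnet=192.168.0.0/24
    leftcert=host-vpn.der
    leftsendcert=always
    right=%any
    rightauth=eap-tls
    rightsourceip=%dhcp
    eap_identity=%any
    # type=tunnel (the default) so client traffic is actually protected by IPsec;
    # type=passthrough installs a bypass policy and does no IPsec processing at all
    type=tunnel
    auto=add

# /etc/strongswan.conf  (added example)
charon {
    # threads/dns settings only count inside the charon block; at top level
    # they are ignored. 16 is the daemon default (assumed here).
    threads = 16
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    plugins {
        dhcp {
            force_server_address = yes
            server = 192.168.0.1
            identity_lease = yes
        }
        farp {
            load = yes
        }
        kernel-pfkey {
            # legacy PF_KEY interface; kernel-netlink is the one to use on Linux
            load = no
        }
    }
}

# On the router itself (Bas's point), run once and persist in /etc/sysctl.conf:
#   sysctl -w net.ipv4.ip_forward=1
```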
Re: [strongSwan] Cannot ping machines on remote local network
Hi Ric,

Is IP forwarding enabled on the router?

sysctl net.ipv4.ip_forward=1

Bas

On 5 Sep 2017 12:53 AM, "Ric S" wrote:
> Hi folks,
>
> I have been ripping my hair out with this issue.
>
> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is 192.168.0.1/24.
> I can successfully connect to it with an iPad with ikev2 and surf the internet, but I cannot reach any internal machines.
[strongSwan] Cannot ping machines on remote local network
Hi folks,

I have been ripping my hair out with this issue.

I'm running strongswan 5.5.3 on a router. The router's LAN subnet is 192.168.0.1/24. I can successfully connect to it with an iPad with ikev2 and surf the internet, but I cannot reach any internal machines.

My config is the following:

ipsec.conf:

config setup
    charondebug="net 2, knl 2, cfg 2"

conn ikev2
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
    dpdaction=clear
    dpddelay=60s
    left=%defaultroute
    leftfirewall=yes
    lefthostaccess=yes
    leftid=myname.ddns.net
    leftsubnet=192.168.0.0/24
    leftcert=host-vpn.der
    leftsendcert=always
    right=%any
    rightauth=eap-tls
    rightsourceip=%dhcp
    eap_identity=%any
    type=passthrough
    auto=add

strongswan.conf:

charon {
    interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
    plugins {
        dhcp {
            force_server_address = yes
            server = 192.168.0.1
            identity_lease = yes
        }
        farp {
            load = yes
        }
    }
}

threads = 8
dns1 = 8.8.8.8
dns1 = 8.8.8.4

Status:

Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
  uptime: 14 minutes, since Sep 05 00:09:53 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
Listening IP addresses:
  169.254.255.1
  192.168.0.1
  87.168.243.83
Connections:
       ikev2:  %any...%any  IKEv2, dpddelay=60s
       ikev2:   local:  [myname.ddns.net] uses public key authentication
       ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
       ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
       ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
Security Associations (1 up, 0 connecting):
       ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
       ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
       ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
       ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
       ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32

swanctl --list-sas
ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
  local  'myname.ddns.net' @ 87.168.243.83[4500]
  remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 92s ago, reauth in 9765s
  ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 89s ago, rekeying in 2800s, expires in 3511s
    in  c0983fe7,      0 bytes,     0 packets
    out 04eb0f50,      0 bytes,     0 packets
    local  192.168.0.0/24
    remote 192.168.0.121/32

ip route list table 220
192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1

FARP seems to work, this is a ping from one of the local machines:

ping R6400
PING R6400 (192.168.0.121) 56(84) bytes of data.
From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable

Router's iptables output:

iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  ppp0   *       192.168.0.121        192.168.0.0/24       policy match dir in pol ipsec reqid 4 proto 50
  161 29398 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    8  4544 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 log
...

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  ppp0   *       192.168.0.121        192.168.0.0/24       policy match dir in pol ipsec reqid 4 proto 50
    0     0 ACCEPT     0    --  *      ppp0    192.168.0.0/24       192.168.0.121        policy match dir out pol ipsec reqid 4 proto 50
...

Chain OUTPUT (policy ACCEPT 480K packets, 377M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      ppp0
Re: [strongSwan] strongswan 5.6.0 and RPM build errors
Hi,

On 04.09.2017 17:08, Ståle Gjøs wrote:
> Hello there
>
> I've been building RPM's out of the strongswan sources for some time now.. since 5.3.0 basically... every version has been ok with the approach below.
>
> However the latest release has me stumped... I get these errors at the end of the build
>
> error: File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/libexec/strongswan/*.swidtag
> error: File not found: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan
> error: File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan/*.swidtag
>
> RPM build errors:
>     File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/libexec/strongswan/*.swidtag
>     File not found: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan
>     File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan/*.swidtag

Well, do the obvious things:

1) Check if these files exist
2) Remove the corresponding command in your spec file if it doesn't, or fix it if the file was moved.

> I'm running RHEL6 on GCP

Kind regards
Noel
Re: [strongSwan] tunnel not negotiated after keylife expiration
Hi,

On 04.09.2017 14:51, Marco Berizzi wrote:
> conn servizitalia
>         left=205.223.229.254
>         right=156.54.166.66
>         leftsubnet=10.28.130.32/27
>         rightsubnet=192.168.42.0/24
>         authby=secret
>         auto=start
>         esp=aes256-sha1
>         compress=no
>         leftid=205.223.229.254
>         rightid=156.54.166.66
>         keyingtries=%forever
>         keylife=1h
>         ikelifetime=8h
>         ike=aes256-md5-modp1024

Avoid modp1024[1] and md5, they're broken; use aesxcbc, sha384 or sha512 instead as HMAC and PRF function, and use something stronger for the DH exchange, even if it's modp1536. Avoid sha256, because there's ambiguity between peers about what algorithm is actually used (the draft with 96 bit truncation or the standardized version with 128 bit truncation; you can switch between them since 5.6.0 with a special keyword in the configuration).

Use auto=route[2] instead of auto=start.

The only commonality strongSwan and openswan have is the "swan" at the end, the configuration *format* and that they both implement IKEv1 and IKEv2 (to varying degrees however). You can mostly NOT apply your knowledge about openswan to strongSwan.

> I'm now experimenting this behaviour on every tunnel configured on this strongSwan server.
> When I run 'ipsec start', strongSwan will start all the configured tunnels, but after some time (close to the keylife parameter) the CHILD_SA is deleted and it is not negotiated anymore.
>
> strongSwan ipsec start:
> Sep 1 09:36:50 falcon charon: 12[IKE] initiating Main Mode IKE_SA servizitalia[14] to 156.54.166.66
> Sep 1 09:36:50 falcon charon: 10[IKE] IKE_SA servizitalia[14] established between 205.223.229.254[205.223.229.254]...156.54.166.66[156.54.166.66]
> Sep 1 09:36:50 falcon charon: 06[IKE] CHILD_SA servizitalia{14} established with SPIs c1478566_i ca7492c1_o and TS 10.28.130.32/27 === 192.168.42.0/24
>
> after about 30 minutes:
> Sep 1 10:07:17 falcon charon: 06[NET] received packet: from 156.54.166.66[500] to 205.223.229.254[500] (76 bytes)
> Sep 1 10:07:17 falcon charon: 06[ENC] parsed INFORMATIONAL_V1 request 1251768816 [ HASH D ]
> Sep 1 10:07:17 falcon charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI ca7492c1
> Sep 1 10:07:17 falcon charon: 06[IKE] closing CHILD_SA servizitalia{14} with SPIs c1478566_i (0 bytes) ca7492c1_o (0 bytes) and TS 10.28.130.32/27 === 192.168.42.0/24
> Sep 1 10:07:17 falcon charon: 10[NET] received packet: from 156.54.166.66[500] to 205.223.229.254[500] (76 bytes)
> Sep 1 10:07:17 falcon charon: 10[ENC] parsed INFORMATIONAL_V1 request 3258301735 [ HASH D ]
> Sep 1 10:07:17 falcon charon: 10[IKE] received DELETE for IKE_SA servizitalia[14]
> Sep 1 10:07:17 falcon charon: 10[IKE] deleting IKE_SA servizitalia[14] between 205.223.229.254[205.223.229.254]...156.54.166.66[156.54.166.66]

The problem is caused by the other peer deleting the newly keyed CHILD_SA. You need to review the logs there to find out why it does that.

> at this point, it is not possible anymore to reach the 192.168.42.0/24 network.
>
> Is this the expected behavior?
> For now, I have bypassed the problem changing the "auto=start" with "auto=route" on every connection definition (but packets are lost while the ipsec sa is negotiated).

It is. With auto=start, charon does not try to keep the CHILD_SA up, as openswan does. That is a deliberate decision by the devs. Discussions about it can be found either on the users ML archive or in the issue tracker.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#LogJam (section titled "LogJam")
[2] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Tunnel-Shunting (section titled "Tunnel Shunting")
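The posted conn with Noel's recommendations applied, as an added example that is not part of the thread: md5 and modp1024 replaced, and auto=route instead of auto=start so that the trap policy stays installed and the CHILD_SA is re-negotiated on demand after the peer deletes it. The exact algorithm choice is an assumption and must be mirrored on the peer.

```conf
# /etc/ipsec.conf  (added example; compare with the quoted conn above)
conn servizitalia
    left=205.223.229.254
    right=156.54.166.66
    leftsubnet=10.28.130.32/27
    rightsubnet=192.168.42.0/24
    authby=secret
    # was auto=start: charon initiates once and does not bring a deleted
    # CHILD_SA back by itself. auto=route installs a trap policy so the next
    # packet matching the subnets triggers a new negotiation.
    auto=route
    # was esp=aes256-sha1 / ike=aes256-md5-modp1024. sha512 as HMAC and PRF,
    # modp2048 for the DH exchange; the group in esp= adds PFS for CHILD_SA
    # rekeying (assumed choice, must match the other gateway)
    esp=aes256-sha512-modp2048
    ike=aes256-sha512-modp2048
    compress=no
    leftid=205.223.229.254
    rightid=156.54.166.66
    keyingtries=%forever
    keylife=1h
    ikelifetime=8h
```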
Re: [strongSwan] Multiple Child_SAs - only one loaded at tunnel setup ?
Hi,

Please provide your configuration and a log of the connection as described on the HelpRequests page[1]. There are multiple reasons this problem can occur.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 04.09.2017 14:39, Sarefrech wrote:
> Hi all,
>
> I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64".
>
> I have two connection definitions with 2 child SAs each. The first one comes from ipsec.conf, the second is created via VICI:
>
> root@ipsec-gw:/usr/local/src# swanctl --list-conns
> default_cert1: IKEv2, reauthentication every 3420s, no rekeying
>   local:  %any
>   remote: %any
>   local public key authentication:
>     id: u2agw.u2a.xyz
>   remote public key authentication:
>   default_cert1: TUNNEL, rekeying every 1020s
>     local:  10.11.0.0/16
>     remote: dynamic
>   default_cert: TUNNEL, rekeying every 1020s
>     local:  10.10.0.0/16
>     remote: dynamic
> defautVici: IKEv2, no reauthentication, no rekeying
>   local:  161.106.240.155
>   remote: %any
>   local public key authentication:
>     id: u2agw.u2a.xyz
>   remote EAP_RADIUS authentication:
>     eap_id: %any
>   child1: TUNNEL, rekeying every 100s
>     local:  1.1.1.1/32 10.0.0.0/8
>     remote: dynamic
>   child2: TUNNEL, rekeying every 100s
>     local:  2.2.2.5/32
>     remote: dynamic
>
> I set up tunnels and I observe that there is only one child SA for each connection: one is missing.
>
> root@ipsec-gw:/usr/local/src# swanctl --list-sas
> default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
>   local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
>   remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]
>   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
>   established 6s ago, reauth in 3336s
>   default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
>     installed 5s ago, rekeying in 889s, expires in 1195s
>     in  c3d7921a,    336 bytes,     4 packets,     0s ago
>     out e7757320,    336 bytes,     4 packets,     0s ago
>     local  10.11.0.0/16
>     remote 10.11.12.162/32
> defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
>   local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
>   remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]
>   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
>   established 11s ago
>   child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
>     installed 10s ago, rekeying in 80s, expires in 100s
>     in  c53f5289,      0 bytes,     0 packets
>     out d0249916,      0 bytes,     0 packets
>     local  1.1.1.1/32 10.0.0.0/8
>     remote 10.11.12.151/32
>
> From the documentation & mail exchanges on the list, I understand that the strongswan GW is supposed to handle multiple child SAs.
>
> Do I miss something, or could this be a kind of bug in the latest versions?
>
> thanks,
>
> Régis
Re: [strongSwan] multiple server certificates
Hi,

You can switch certs on the fly by loading the new one, replacing the value in the configuration, then flushing the certificate cache. AFAIR charon identifies the certificates by the ID in the conn and does not use the path it was loaded from (would only be applicable with starter/stroke anyway). So it is uncertain to me what certificate charon would use as soon as you have two with the same DN (ID).

Try to avoid having two certificates with the same DN. Switch while it doesn't matter what certificate is used. Do it as described in the first sentence, unless vetoed by a dev.

Kind regards
Noel

On 04.09.2017 16:40, mike.ettr...@bertelsmann.de wrote:
> Hi!
>
> I would like to know if it is possible to have two server certificates with the same subjectDN in the ipsec.d/private directory and contained in the ipsec.secrets configuration file.
>
> This scenario becomes interesting when the current server certificate expires and a new certificate should be used.
>
> Is the strongSwan implementation supporting this?
>
> Kind regards,
> Mike.
Re: [strongSwan] Help with IKEv1 Site-to-site PSK IPv4
Hi,

Advice for your problem and corrections for incorrect statements are found in the text, below the corresponding quoted section from your mail.

On 04.09.2017 20:20, Charles-Antoine Giuliani wrote:
> I followed the configuration at https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/ (closest configuration I could find, though the examples seem to have been designed for local networks)

Those are not examples, as the introduction page to the test results says[1][2]. You are not supposed to use those. There is a dedicated article[3] on the wiki about example configurations. Read the introduction[4] and the article about forwarding[5] first, then use the configuration for the corresponding scenario (site-to-site scenario). The test scenarios are tests that are run in a virtualized LAN environment using QEMU, so this obviously does not correspond to a real life deployment. This is also made clear in the warning[2].

> However the computer does not manage to connect
>
> thyfate@DataLearning-001:~$ sudo ipsec start
> Starting strongSwan 5.1.2 IPsec [starter]...
> charon is already running (/var/run/charon.pid exists) -- skipping daemon start
> starter is already running (/var/run/starter.charon.pid exists) -- no fork done
> thyfate@DataLearning-001:~$ sudo ipsec up ciscoios
> initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
> sending retransmit 1 of request message ID 0, seq 1
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
> sending retransmit 2 of request message ID 0, seq 1
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
> sending retransmit 3 of request message ID 0, seq 1
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
> sending retransmit 4 of request message ID 0, seq 1
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
> sending retransmit 5 of request message ID 0, seq 1
> sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
> giving up after 5 retransmits
> establishing IKE_SA failed, peer not responding
> establishing connection 'ciscoios' failed

That obviously does not work, because you are neither supposed to, nor allowed to, send IP packets from an IP address that is not bound to your host. You can work around that, but it is neither the, nor even a, solution to your problem, nor advised to try to do that. At least your home router would drop the packets because of the bogus source. I am very certain that charon logs a corresponding error message in syslog or the journal whenever you try to initiate the connection.

The "left" parameter is described as follows in the first paragraph about it on the man page:

> left = <ip address> | <fqdn> | %any | <range> | <subnet>
>     The IP address of the left participant's public-network interface or one of several magic values. The value %any (the default) for the local endpoint signifies an address to be filled in (by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table will be queried to determine the correct local IP address. In case the local peer is responding to a connection setup then any IP address that is assigned to a local interface will be accepted.

As you can read, that parameter is neither appropriate nor needed in your case, because 93.XXX.XXX.XXX is not bound to any local interface. Just don't use "left". Charon is smart enough to determine the correct source IP by itself, as the man page describes.

> Below some details on the setup:
>
> I am using Ubuntu 14.04. My computer is behind an ISP-provided router box where ports 500 and 4500 have been NAT-forwarded, both on TCP and UDP. My computer's external address is 93.XXX.XXX.XXX and the local network the computer is on has the range 192.168.1.XXX, the specific machine having IP 192.168.1.104. On the other side, a Cisco ASA 5520 is used to create the VPN on an external IP address of 83.XXX.XXX.XXX.
>
> Strongswan was installed with the following command line
>
> sudo apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led
[strongSwan] Help with IKEv1 Site-to-site PSK IPv4
Hi to all, I am trying to configure a VPN, site to site, with IKEV1 and a preshared key on IPv4. I followed the configuration at https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/ (closest configuration I could find, though the examples seem to have been designed for local networks) However the computer does not manage to connect thyfate@DataLearning-001:~$ sudo ipsec start Starting strongSwan 5.1.2 IPsec [starter]... charon is already running (/var/run/charon.pid exists) -- skipping daemon start starter is already running (/var/run/starter.charon.pid exists) -- no fork done thyfate@DataLearning-001:~$ sudo ipsec up ciscoios initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX generating ID_PROT request 0 [ SA V V V V ] sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes) sending retransmit 1 of request message ID 0, seq 1 sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes) sending retransmit 2 of request message ID 0, seq 1 sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes) sending retransmit 3 of request message ID 0, seq 1 sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes) sending retransmit 4 of request message ID 0, seq 1 sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes) sending retransmit 5 of request message ID 0, seq 1 sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes) giving up after 5 retransmits establishing IKE_SA failed, peer not responding establishing connection 'ciscoios' failed Any help would be greatly appreciated ! Thanks in advance, Below some details on the setup: I am using Ubuntu 14.04. My computer is behind an ISP-provided router box where ports 500 and 4500 have been NAT - forwarded, both on TCP and UDP. My computer external address is 93.XXX.XXX.XXX and the local network the computer is on has ranges 192.168.1.XXX, the specific machine having ip 192.168.1.104. 
On the other side, a Cisco ASA 5520 is used to create the VPN on an external ip address of 83.XXX.XXX.XXX. Strongswan was installed with the following command line sudo apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam The following configuration files are used: /etc/strongswan.conf # strongswan.conf - strongSwan configuration file # # Refer to the strongswan.conf(5) manpage for details # # Configuration changes should be made in the included files charon { load_modular = yes plugins { include strongswan.d/charon/*.conf } } include strongswan.d/*.conf /etc/ipsec.conf # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. 
# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ciscoios
        left=93.XXX.XXX.XXX            # strongswan outside address
        leftsubnet=172.31.17.0/28      # network behind strongswan
        leftid=93.XXX.XXX.XXX          # IKEID sent by strongswan
        leftfirewall=no
        right=83.XXX.XXX.XXX           # IOS outside address
        rightsubnet=172.21.148.0/28    # network behind IOS
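The `ipsec up` output above shows charon sending the first Main Mode message ("ID_PROT request 0 [ SA V V V V ]") five times and never receiving anything back, so the diagnosis has to happen on the wire: capture UDP/500 on the Ubuntu box (and, if possible, on the ASA) and look at what actually leaves and arrives. The decoder below is an added example, not strongSwan or Cisco code, written by the editor to show what that 28-byte ISAKMP header and payload chain look like. The sample datagram is constructed inline (a proposal of AES-CBC-128/SHA1/PSK/MODP-1024 and four dummy vendor IDs); the initiator cookie value and vendor ID bytes are made up. Feed `parse_isakmp()` the UDP payload of a captured packet, for instance from `tcpdump -ni any udp port 500 -w ike.pcap`, and it tells you the exchange type, whether the responder cookie is still zero (no reply was ever seen) and which payloads are present.

```python
"""Decode the ISAKMP (IKEv1) header and payload chain of one UDP/500 datagram,
i.e. what charon logs as "ID_PROT request 0 [ SA V V V V ]".
Added example, not strongSwan code; the sample datagram is constructed."""
import struct

ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1: 28 bytes

EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode",
    34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}
# Payload type -> tag, in the style charon prints: [ SA V V V V ]
PAYLOAD_TAGS = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                9: "SIG", 10: "No", 11: "N", 12: "D", 13: "V", 20: "NAT-D"}


def parse_isakmp(datagram):
    """Return header fields and the payload chain; raise ValueError on malformed input."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, message_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram length {len(datagram)}")
    payloads, offset = [], ISAKMP_HEADER.size
    while next_payload != 0:                  # next payload 0 (NONE) ends the chain
        if offset + 4 > length:
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        payloads.append(PAYLOAD_TAGS.get(next_payload, f"type{next_payload}"))
        next_payload, offset = nxt, offset + plen
    if offset != length:
        raise ValueError("trailing bytes after the last payload")
    return {
        "major": version >> 4, "minor": version & 0x0F,
        "exchange": EXCHANGE_TYPES.get(exchange, f"type{exchange}"),
        "encrypted": bool(flags & 0x01),        # IKEv1 E bit
        "responder_cookie_set": rcookie != bytes(8),
        "message_id": message_id, "length": length, "payloads": payloads,
    }


def _payload(next_type, body):
    """Generic payload header (RFC 2408 section 3.2) followed by the body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_main_mode_msg1():
    """Constructed sample: one ISAKMP proposal (AES-CBC-128/SHA1/PSK/MODP-1024,
    86400 s) plus four dummy vendor-ID payloads, the shape of message 1."""
    attrs = b"".join(struct.pack("!HH", t, v) for t, v in (
        (0x8001, 7),     # encryption algorithm = AES-CBC (RFC 2409 App. A, RFC 3602)
        (0x800E, 128),   # key length
        (0x8002, 2),     # hash algorithm = SHA1
        (0x8003, 1),     # authentication method = pre-shared key
        (0x8004, 2),     # group description = MODP-1024
        (0x800B, 1),     # life type = seconds
    )) + struct.pack("!HHI", 0x000C, 4, 86400)   # life duration, TLV form
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs   # KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa_body = struct.pack("!II", 1, 1) + proposal    # DOI = IPsec, SIT_IDENTITY_ONLY
    vendor_ids = [bytes([0xA0 + i]) * 16 for i in range(4)]   # made-up vendor IDs
    body = _payload(13, sa_body)                       # SA, next = Vendor ID
    for i, vid in enumerate(vendor_ids):
        body += _payload(13 if i < len(vendor_ids) - 1 else 0, vid)
    header = ISAKMP_HEADER.pack(b"\x1b" * 8, bytes(8),   # initiator cookie set, responder zero
                                1, 0x10, 2, 0, 0, ISAKMP_HEADER.size + len(body))
    return header + body


if __name__ == "__main__":
    info = parse_isakmp(build_main_mode_msg1())
    print(info["exchange"], "[", " ".join(info["payloads"]), "]")
```

If the capture on the Ubuntu side shows only outgoing packets with a zero responder cookie, the problem is upstream (the ISP box, the ASA's policy or its crypto map); if a reply does arrive but charon still retransmits, the reply is not reaching UDP/500 on the host, which points at the local firewall or at the NAT rule.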
[strongSwan] strongswan 5.6.0 and RPM build errors
Hello there

I've been building RPMs out of the strongswan sources for some time now, since 5.3.0 basically; every version has been ok with the approach below. However the latest release has me stumped. I get these errors at the end of the build:

error: File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/libexec/strongswan/*.swidtag
error: File not found: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan
error: File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan/*.swidtag

RPM build errors:
    File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/libexec/strongswan/*.swidtag
    File not found: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan
    File not found by glob: /root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64/usr/share/regid.2004-03.org.strongswan/*.swidtag

I'm running RHEL6 on GCP, 2.6.32-696.10.1.el6.x86_64.

Steps taken to get this error:

yum groupinstall "development tools"
yum install openldap-devel openssl-devel sqlite-devel trousers-devel libxml2-devel pam-devel json-c-devel libgcrypt-devel systemd-devel libcurl-devel gmp-devel
mkdir /root/rpmbuild /root/rpmbuild/SOURCES /root/rpmbuild/SPECS
git clone http://pkgs.fedoraproject.org/git/strongswan.git /root/rpmbuild/SOURCES
wget -P /root/rpmbuild/SOURCES/ https://download.strongswan.org/strongswan-5.6.0.tar.bz2
mv /root/rpmbuild/SOURCES/strongswan.spec /root/rpmbuild/SPECS/
vi /root/rpmbuild/SPECS/strongswan.spec
rpmbuild -ba /root/rpmbuild/SPECS/strongswan.spec

I edit the spec file and change the version to 5.6.0 and remove the dependency on systemd-devel.

Any suggestions appreciated

cheers
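The three errors are all of one kind: the Fedora spec's %files section lists SWID tag files (`*.swidtag` under /usr/libexec/strongswan and under /usr/share/regid.2004-03.org.strongswan) that the 5.6.0 install step never put into the build root. Bumping Version in a distribution spec to a newer upstream tarball routinely breaks %files this way, and rpmbuild only reports it after the whole build. The script below is an added example by the editor, not part of the Fedora spec or of strongSwan: it expands a %files section against a build root and lists every entry whose glob matches nothing, so the mismatch can be found before `rpmbuild -ba`. The spec fragment and the build-root layout are constructed to mirror the post, and the macro table is an assumption (a real check would take the values from `rpm --eval '%{_libexecdir}'`).

```python
"""List every %files entry of an RPM spec that matches nothing in the build root,
so "File not found by glob" surfaces before rpmbuild runs.  Added example, not
part of the Fedora strongswan spec; spec fragment, build-root layout and the
macro table below are constructed/assumed."""
import glob
import os
import re
import tempfile

# Assumed macro values for an x86_64 host; `rpm --eval '%{_libexecdir}'` gives the real ones.
MACROS = {"_libexecdir": "/usr/libexec", "_datadir": "/usr/share",
          "_bindir": "/usr/bin", "_sysconfdir": "/etc"}

# Section headers that end a %files section (a later %files line starts another one).
SECTION_START = re.compile(
    r"^%(package|description|prep|build|install|check|clean|pre|post|preun|postun|changelog)\b")
# Per-entry directives that carry no path of their own and are stripped off.
ENTRY_PREFIX = re.compile(r"^%(dir|doc|license|config(\([^)]*\))?|attr\([^)]*\))\s+")


def expand_macros(path, macros=MACROS):
    """Replace %{name} with the assumed macro value; unknown macros are left as-is."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), path)


def files_entries(spec_text):
    """Return the expanded paths listed under every %files section of a spec."""
    entries, in_files = [], False
    for raw in spec_text.splitlines():
        line = raw.strip()
        if line.startswith("%files"):
            in_files = True
            continue
        if SECTION_START.match(line):
            in_files = False
            continue
        if not in_files or not line or line.startswith("#") or line.startswith("%defattr"):
            continue
        entries.append(expand_macros(ENTRY_PREFIX.sub("", line)))
    return entries


def unmatched_entries(spec_text, buildroot):
    """Entries whose glob matches no file or directory under buildroot (rpmbuild would fail)."""
    missing = []
    for entry in files_entries(spec_text):
        pattern = os.path.join(buildroot, entry.lstrip("/"))
        if not glob.glob(pattern):
            missing.append(entry)
    return missing


# Constructed fragment mirroring the entries named in the build errors above.
SPEC_FRAGMENT = """\
%files
%defattr(-,root,root,-)
%{_libexecdir}/strongswan/charon
%{_libexecdir}/strongswan/*.swidtag
%dir %{_datadir}/regid.2004-03.org.strongswan
%{_datadir}/regid.2004-03.org.strongswan/*.swidtag

%changelog
* Thu Sep 07 2017 Example <user@example.org> - 5.6.0-3
- constructed entry
"""


def demo():
    """Populate a throw-away build root the way a build without SWID tags leaves it,
    then return the entries rpmbuild would reject."""
    with tempfile.TemporaryDirectory() as buildroot:
        os.makedirs(os.path.join(buildroot, "usr/libexec/strongswan"))
        open(os.path.join(buildroot, "usr/libexec/strongswan/charon"), "w").close()
        return unmatched_entries(SPEC_FRAGMENT, buildroot)


if __name__ == "__main__":
    for entry in demo():
        print("no match in build root:", entry)
```

Run it against the real spec and `/root/rpmbuild/BUILDROOT/strongswan-5.6.0-3.el6.x86_64` after a `rpmbuild -bi` (install stage only); every entry it prints has to be either removed from %files or produced by the build before `-ba` will succeed.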
[strongSwan] multiple server certificates
Hi!

I would like to know if it is possible to have two server certificates with the same subjectDN in the ipsec.d/private directory and contained in the ipsec.secrets configuration file. This scenario becomes interesting when the current server certificate expires and a new certificate should be used. Does the strongSwan implementation support this?

Kind regards,
Mike.
[strongSwan] Multiple Child_SAs - only one loaded at tunnel setup ?
Hi all,

I used "Linux strongSwan U5.5.3/K3.16.0-4-amd64". I have two connection definitions with 2 child SAs each. The first one comes from ipsec.conf, the second is created via VICI:

root@ipsec-gw:/usr/local/src# swanctl --list-conns
default_cert1: IKEv2, reauthentication every 3420s, no rekeying
  local:  %any
  remote: %any
  local public key authentication:
    id: u2agw.u2a.xyz
  remote public key authentication:
  default_cert1: TUNNEL, rekeying every 1020s
    local:  10.11.0.0/16
    remote: dynamic
  default_cert: TUNNEL, rekeying every 1020s
    local:  10.10.0.0/16
    remote: dynamic
defautVici: IKEv2, no reauthentication, no rekeying
  local:  161.106.240.155
  remote: %any
  local public key authentication:
    id: u2agw.u2a.xyz
  remote EAP_RADIUS authentication:
    eap_id: %any
  child1: TUNNEL, rekeying every 100s
    local:  1.1.1.1/32 10.0.0.0/8
    remote: dynamic
  child2: TUNNEL, rekeying every 100s
    local:  2.2.2.5/32
    remote: dynamic

I set up tunnels and I observe that there is only one child SA for each connection: one is missing.
root@ipsec-gw:/usr/local/src# swanctl --list-sas
default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 6s ago, reauth in 3336s
  default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 5s ago, rekeying in 889s, expires in 1195s
    in  c3d7921a,    336 bytes,     4 packets,     0s ago
    out e7757320,    336 bytes,     4 packets,     0s ago
    local  10.11.0.0/16
    remote 10.11.12.162/32
defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 11s ago
  child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 10s ago, rekeying in 80s, expires in 100s
    in  c53f5289,      0 bytes,     0 packets
    out d0249916,      0 bytes,     0 packets
    local  1.1.1.1/32 10.0.0.0/8
    remote 10.11.12.151/32

From the documentation and mail exchanges on the list, I understand that a strongswan GW is supposed to handle multiple child SAs. Do I miss something, or could this be a kind of bug in the last versions?

thanks,
Régis
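Two things are worth keeping apart when reading the output above. In IKEv2 the IKE_AUTH exchange creates exactly one CHILD_SA (RFC 7296, section 1.2); every further CHILD_SA needs its own CREATE_CHILD_SA exchange, and on a gateway whose children are all `remote: dynamic` it is the road-warrior client that decides which, and how many, to request. So "two children configured, one installed" is what a responder sees whenever the peer asked for one. The script below, an added example by the editor and not strongSwan's own tooling, makes that gap visible: it parses the two `swanctl` listings and reports, per IKE_SA, which configured children are INSTALLED and which are absent. The two listings are constructed from the post's output (trimmed to the lines the parser reads), and the indentation rules it relies on (IKE entries at column 0, children indented by two spaces) are an assumption about the `swanctl` 5.5 output format.

```python
"""Reconcile the CHILD_SAs a connection configures (swanctl --list-conns)
with the ones actually installed (swanctl --list-sas).  Added example, not
strongSwan code; the two listings below are constructed from the post and
trimmed, and the indentation rules are an assumption about swanctl's layout."""
import re

LIST_CONNS = """\
default_cert1: IKEv2, reauthentication every 3420s, no rekeying
  local:  %any
  remote: %any
  local public key authentication:
    id: u2agw.u2a.xyz
  default_cert1: TUNNEL, rekeying every 1020s
    local:  10.11.0.0/16
    remote: dynamic
  default_cert: TUNNEL, rekeying every 1020s
    local:  10.10.0.0/16
    remote: dynamic
defautVici: IKEv2, no reauthentication, no rekeying
  local:  161.106.240.155
  remote: %any
  remote EAP_RADIUS authentication:
    eap_id: %any
  child1: TUNNEL, rekeying every 100s
    local:  1.1.1.1/32 10.0.0.0/8
    remote: dynamic
  child2: TUNNEL, rekeying every 100s
    local:  2.2.2.5/32
    remote: dynamic
"""

LIST_SAS = """\
default_cert1: #6, ESTABLISHED, IKEv2, 9ced70a70cbacaea_i 394dc6781ed773a6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  remote 'CN=max.min, OU=u2aUsers, DC=u2a, DC=xyz' @ 161.106.240.156[47841] [10.11.12.162]
  default_cert1: #5, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  10.11.0.0/16
    remote 10.11.12.162/32
defautVici: #4, ESTABLISHED, IKEv2, 927ad63611b5b535_i f7a4b615d62bfcd6_r*
  local  'u2agw.u2a.xyz' @ 161.106.240.155[4500]
  remote 'joe.bar' @ 161.106.240.156[42859] [10.11.12.151]
  child1: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  1.1.1.1/32 10.0.0.0/8
    remote 10.11.12.151/32
"""

CHILD_CONF = re.compile(r"^(\S+): (TUNNEL|TRANSPORT|BEET|PASS|DROP)\b")   # child config line
SA_LINE = re.compile(r"^(\S+): #(\d+),(?: reqid \d+,)? ([A-Z_]+)")        # IKE_SA or CHILD_SA


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def configured_children(list_conns):
    """conn name -> configured child names (indent 2, mode keyword after the name)."""
    conns, current = {}, None
    for line in list_conns.splitlines():
        if _indent(line) == 0 and ":" in line:
            current = line.split(":", 1)[0]
            conns[current] = []
        elif _indent(line) == 2 and current is not None:
            m = CHILD_CONF.match(line.strip())
            if m:
                conns[current].append(m.group(1))
    return conns


def installed_children(list_sas):
    """(conn name, IKE_SA number) -> list of (child name, state)."""
    sas, current = {}, None
    for line in list_sas.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        name, number, state = m.group(1), int(m.group(2)), m.group(3)
        if _indent(line) == 0:
            current = (name, number)
            sas[current] = []
        elif _indent(line) == 2 and current is not None:
            sas[current].append((name, state))
    return sas


def reconcile(list_conns, list_sas):
    """Per IKE_SA: configured children that are INSTALLED, and those that are absent."""
    configured = configured_children(list_conns)
    report = {}
    for (conn, number), children in installed_children(list_sas).items():
        installed = {name for name, state in children if state == "INSTALLED"}
        expected = set(configured.get(conn, []))
        report[(conn, number)] = {"installed": sorted(installed),
                                  "missing": sorted(expected - installed)}
    return report


if __name__ == "__main__":
    for (conn, number), r in reconcile(LIST_CONNS, LIST_SAS).items():
        print(f"{conn} #{number}: installed={r['installed']} missing={r['missing']}")
```

On a live gateway, pipe `swanctl --list-conns` and `swanctl --list-sas` into the two functions instead of the embedded strings. A "missing" child on a responder is only a problem if the peer was expected to request it; whether it did is visible in the charon log as a CREATE_CHILD_SA request for that child, or rather as its absence.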