[strongSwan] Strongswan failed to forward decrypted packet to socket

2017-12-18 Thread Quaker
I am using strongSwan 5.6.1 on my OpenVZ servers.
strongSwan 5.6.1 is compiled by myself, with kernel-libipsec enabled by

./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
  --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
  --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
  --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock \
  --enable-unity --enable-certexpire --enable-radattr --enable-tools \
  --enable-openssl --disable-gmp --enable-kernel-libipsec

The strongswan.conf configuration is modified as:

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        kernel-netlink {
            fwmark = !0x4
        }
        socket-default {
            fwmark = 0x4
        }
        kernel-libipsec {
            allow_peer_ts = yes
        }
    }
}

I have created an IPsec tunnel successfully between my OpenVZ servers alpha and
beta, but the socket connection fails.
Investigating the problem with tcpdump, I found the following.

If I ping from alpha to beta, tcpdump shows
esp from alpha->beta
esp from beta->alpha
but the ping times out.

If I ping from beta to alpha, tcpdump shows
esp from beta->alpha
and the ping times out.

If I use TCP, the result is similar:
alpha->beta
alpha SYN_SENT
beta SYN_RECV

beta->alpha
beta SYN_SENT
alpha NULL

I guess there is some problem between ESP and the socket.
Could anyone tell me how to detect the problem, or what further information
I should give?

alpha and beta belong to different OpenVZ suppliers; I don't know the problem.
I have reinstalled alpha a few times, but it doesn't work.

beta:Linux beta 2.6.32-042stab125.5 #1 SMP Tue Oct 17 12:48:22 MSK 2017
x86_64 GNU/Linux

alpha: Linux alpha 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017
x86_64 GNU/Linux

Regards
Quaker


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
kjonca-h7QdYz1kt/q...@public.gmane.org (Kamil Jońca) writes:

> Noel Kuntze
> 
> writes:
>
>> 1. Did you test it?
> Yes.
>> 2. I wrote before that you can not pass the assigned DNS server you
>> get via DHCP.
> Yes, I mixed up two things, and was inaccurate. My fault, sorry.
>
>
>> You can use a pool though to pass it as an
>> attribute. Read the manual for swanctl.conf. The syntax is mentioned
>> there.

Finally I think I found the problem.

Basically I want to have configuration like
https://www.strongswan.org/testing/testresults/swanctl/dhcp
-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
If you didn't get caught, did you really do it?


Re: [strongSwan] Autorisation in vici?

2017-12-18 Thread Andreas Steffen
Hi Michael,

in order to access the charon daemon via a vici UNIX socket you
either must be root or, if capability dropping is enabled and
a vpn group is defined, you must be a member of that vpn group.

The latter case allows mortals to initiate and terminate connections
without having root access to the configuration and secrets in
swanctl.conf.

In principle the VICI interface could be configured as a TCP network
socket via the charon.plugins.vici.socket option in strongswan.conf.
But because no authentication is required and TLS is currently not
available we strongly advise against enabling vici network sockets.

Best regards

Andreas

On 17.12.2017 14:58, Michael Schwartzkopff wrote:
> Hi,
> 
> 
> is there any kind of authentication / authorization in the vici
> interface? Or does everybody that has access to the socket (or tcp
> socket) have full control over charon?
> 
> 
> I did not find anything in the docs.
> 
> 
> Kind regards,
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==



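Added example, not from the thread or the strongSwan project: a small POSIX shell audit of the two conditions Andreas describes, run here over constructed sample input. It assumes the unix socket path /var/run/charon.vici, a daemon group named "vpn", and that the inputs are the text printed by `ss -lntp` and by `stat -c '%F %U %G %a' /var/run/charon.vici`.

```shell
#!/bin/sh
# Added example (assumptions: socket /var/run/charon.vici, group "vpn",
# inputs are `ss -lntp` text and `stat -c '%F %U %G %a'` text).

# Succeeds if a charon process holds a listening TCP socket, i.e.
# charon.plugins.vici.socket points at a tcp:// URI (no authentication, no TLS).
vici_has_tcp_listener() {
    printf '%s\n' "$1" | grep -q 'users:(("charon"'
}

# Succeeds when $1 ("<type> <owner> <group> <mode>") describes a unix socket
# owned by root with group $2 and no permission bits for "other".
vici_unix_socket_ok() {
    _grp="$2"
    set -- $1
    [ "$1" = socket ] && [ "$2" = root ] && [ "$3" = "$_grp" ] || return 1
    case "$4" in *0) return 0 ;; *) return 1 ;; esac
}

# Combined verdict: $1 is ss output, $2 is stat output for the socket path.
audit_vici() {
    if vici_has_tcp_listener "$1"; then
        echo "vici: charon listens on TCP; set charon.plugins.vici.socket to a unix:// URI"
        return 1
    fi
    if ! vici_unix_socket_ok "$2" vpn; then
        echo "vici: unix socket is not limited to root and group vpn"
        return 1
    fi
    echo "vici: only root and members of group vpn can reach charon"
}

# Constructed samples (port 4502 and the pids are placeholders, not thread values).
SS_TCP_EXPOSED='LISTEN 0 128 0.0.0.0:4502 0.0.0.0:* users:(("charon",pid=1234,fd=12))'
SS_CLEAN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'
STAT_OK='socket root vpn 660'
STAT_WORLD='socket root root 666'

audit_vici "$SS_TCP_EXPOSED" "$STAT_OK" || :
audit_vici "$SS_CLEAN" "$STAT_OK"
```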


[strongSwan] routing and firewall policy

2017-12-18 Thread Modster, Anthony
Hello

- How to set up routing and firewall policy when using VICI?

Thanks





Re: [strongSwan] OSCP

2017-12-18 Thread Modster, Anthony
Hello Andreas

If the OCSP URI is included in the authorityInfoAccess extension:

- How does strongSwan obtain the IP address?

- Does it need to have a DNS client installed on the host?

- Can it support secure DNS?

Thanks

-Original Message-
From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Andreas 
Steffen
Sent: Saturday, December 16, 2017 2:23 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OSCP

Hello Anthony,

if the OCSP URI is not included via an authorityInfoAccess extension in
the end entity certificate itself then an authority section defining an
OCSP URI can be added to swanctl.conf as shown in the link below


https://www.strongswan.net/testing/testresults/swanctl/ocsp-signer-cert/carol.swanctl.conf

Regards

Andreas

On 16.12.2017 00:56, Modster, Anthony wrote:
> Hello
> 
> - How do we set up OCSP when using VICI?
> 
> Is there a writeup for this item?
> 
> - What support tools are needed on the host?
> 
> Thanks
> 




Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
Noel Kuntze

writes:

> 1. Did you test it?
Yes.
> 2. I wrote before that you can not pass the assigned DNS server you
> get via DHCP.
Yes, I mixed up two things, and was inaccurate. My fault, sorry.


> You can use a pool though to pass it as an
> attribute. Read the manual for swanctl.conf. The syntax is mentioned
> there.

But how to define such pool?

Below my config:
server:
--8<---cut here---start->8---
secrets {
    [...]
}
connections {
    rw {
        local_addrs = 192.168.200.200
        pools = dhcp,a
        local {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            certs = alfa.kjonca.5.pem
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = x"
        }
        remote {
            auth = pubkey
        }
        children {
            net-alfa-server {
                local_ts = 192.168.200.200/24
                ipcomp = yes
            }
        }
    }
}
authorities {
    [...]
}

pools {
    a {
        addrs = 192.168.200.0/24
        dns = 192.168.200.200
    }
}
--8<---cut here---end--->8---
client:
--8<---cut here---start->8---
connections {
    alfa {
        vips = 0.0.0.0
        remote_addrs = circinus.ddns.net
        local {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            certs = bambus.kjonca.pem
        }
        remote {
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            auth = pubkey
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = "
        }
        children {
            net-alfa-server {
                remote_ts = 0.0.0.0/0
                updown = /home/kjonca/wd/ipsec/test.sh iptables
                ipcomp = yes
            }
        }
    }
}
--8<---cut here---end--->8---

But with this config the remote address is taken from pool "a", not from
dhcp as expected.
Moreover, it looks like the DNS is not passed to the client (I cannot see
PLUTO_DNS4_1 in the script on the client side).

What am I doing wrong?

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
I've been on a diet for two weeks and all I've lost is two weeks.
-- Totie Fields


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Noel Kuntze
1. Did you test it?
2. I wrote before that you can not pass the assigned DNS server you get via 
DHCP. That is not possible at all. You can use a pool though to pass it as an 
attribute. Read the manual for swanctl.conf. The syntax is mentioned there.
Just use two pools. One dhcp, one with the attribute.

Kind regards

Noel

On 18.12.2017 15:53, Kamil Jońca wrote:
> Noel Kuntze
> 
> writes:
>
>> 1. Never did that with swanctl. You have to play around with the pools or 
>> dig around. Maybe it's as simple as "connections..pools = dhcp" or 
>> "connections..pools = %dhcp". Maybe it's not.
> Well, this can be done by simply 
> pools = dhcp
> and alone is not a problem, but ...
>
>> 2. You can't.
> So there is no an equivalent of 
>
> "rightdns=192.168.200.200"
>
> in swanctl, and the only way to send DNS server is to return to old 
> starter-based approach?
>
> Am I wrong?
> KJ
>
>
>> On 18.12.2017 15:21, Kamil Jońca wrote:
>>> Noel Kuntze
>>> 
>>> writes:
>>>
>>>> Use a pool. Look at the UsableExamples[1] page.
>>>> You can't pass dns servers from DHCP at all. It has nothing to do with
>>>> the configuration backend you're using.
>>> I was not too clear probably.
>>>
>>> I want to do with swanctl:
>>> 1. have the client address taken from dhcp
>>> 2. somehow configure dns to pass (how?)
>>>
>>> ie. how to translate from old config:
>>>
>>>
>>> conn xxx
>>> left=192.168.200.200
>>> leftsubnet=192.168.200.0/24
>>> leftid=xxx
>>> leftca=yyy
>>> leftcert=
>>> rightdns=192.168.200.200
>>> right=%any
>>> compress=yes
>>> rightsourceip=%dhcp
>>>
>>>
>>>
>>> KJ
>>>





Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
Noel Kuntze

writes:

> 1. Never did that with swanctl. You have to play around with the pools or dig 
> around. Maybe it's as simple as "connections..pools = dhcp" or 
> "connections..pools = %dhcp". Maybe it's not.

Well, this can be done by simply 
pools = dhcp
and alone is not a problem, but ...

> 2. You can't.

So there is no an equivalent of 

"rightdns=192.168.200.200"

in swanctl, and the only way to send DNS server is to return to old 
starter-based approach?

Am I wrong?
KJ


> On 18.12.2017 15:21, Kamil Jońca wrote:
>> Noel Kuntze
>> 
>> writes:
>>
>>> Use a pool. Look at the UsableExamples[1] page.
>>> You can't pass dns servers from DHCP at all. It has nothing to do with
>>> the configuration backend you're using.
>> I was not too clear probably.
>>
>> I want to do with swanctl:
>> 1. have the client address taken from dhcp
>> 2. somehow configure dns to pass (how?)
>>
>> ie. how to translate from old config:
>>
>>
>> conn xxx
>> left=192.168.200.200
>> leftsubnet=192.168.200.0/24
>> leftid=xxx
>> leftca=yyy
>> leftcert=
>> rightdns=192.168.200.200
>> right=%any
>> compress=yes
>> rightsourceip=%dhcp
>>
>>
>>
>> KJ
>>
>

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Mencken and Nathan's Fifteenth Law of The Average American:
The worst actress in the company is always the manager's wife.


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Noel Kuntze
1. Never did that with swanctl. You have to play around with the pools or dig 
around. Maybe it's as simple as "connections..pools = dhcp" or 
"connections..pools = %dhcp". Maybe it's not.
2. You can't.

On 18.12.2017 15:21, Kamil Jońca wrote:
> Noel Kuntze
> 
> writes:
>
>> Use a pool. Look at the UsableExamples[1] page.
>> You can't pass dns servers from DHCP at all. It has nothing to do with
>> the configuration backend you're using.
> I was not too clear probably.
>
> I want to do with swanctl:
> 1. have the client address taken from dhcp
> 2. somehow configure dns to pass (how?)
>
> ie. how to translate from old config:
>
>
> conn xxx
> left=192.168.200.200
> leftsubnet=192.168.200.0/24
> leftid=xxx
> leftca=yyy
> leftcert=
> rightdns=192.168.200.200
> right=%any
> compress=yes
> rightsourceip=%dhcp
>
>
>
> KJ
>





Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
Noel Kuntze

writes:

> Use a pool. Look at the UsableExamples[1] page.
> You can't pass dns servers from DHCP at all. It has nothing to do with
> the configuration backend you're using.

I was not too clear probably.

I want to do with swanctl:
1. have the client address taken from dhcp
2. somehow configure dns to pass (how?)

i.e. how to translate from the old config:


conn xxx
    left=192.168.200.200
    leftsubnet=192.168.200.0/24
    leftid=xxx
    leftca=yyy
    leftcert=
    rightdns=192.168.200.200
    right=%any
    compress=yes
    rightsourceip=%dhcp



KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
One can never consent to creep when one feels an impulse to soar.
-- Helen Keller


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Noel Kuntze
Use a pool. Look at the UsableExamples[1] page.
You can't pass dns servers from DHCP at all. It has nothing to do with the 
configuration backend you're using.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 17.12.2017 08:47, Kamil Jońca wrote:
> I am testing migration from starter config to swanctl config, and have
> an issue that I cannot resolve.
>
> my config below:
> --8<---cut here---start->8---
> secrets {
>   private {
>   file= 
>   secret= []
>   }
> }
> connections {
>
>rw {
>   local_addrs  = 192.168.200.200
>   pools = dhcp
>   local {
>  auth = pubkey
>  cacerts= [...]
>certs = [...]
>  id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = 
> xx"
>   }
>   remote {
>  auth = pubkey
>   }
>   children {
>  net-alfa-server {
>   local_ts = 192.168.200.200/24   
>   ipcomp=yes
>   
>  }
>   }
>}
> }
> authorities {
>   kaczka{
>   crl_uris = file:///etc/swanctl/x509crl/kaczka.pem
>   cacert = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
>
>   }
> }
> --8<---cut here---end--->8---
>
> 1.How with this config I can pass dns server to client?
> 2. Is it possible to take DNS server from dhcp (and others possible
> options too)?
>
>
> KJ
>





Re: [strongSwan] Autorisation in vici?

2017-12-18 Thread Noel Kuntze
Hi,

There's no authentication in VICI.

Kind regards

Noel

On 17.12.2017 14:58, Michael Schwartzkopff wrote:
> Hi,
>
>
> is there any kind of authentication / authorization in the vici
> interface? Or does everybody that has access to the socket (or tcp
> socket) have full control over charon?
>
>
> I did not find anything in the docs.
>
>
> Kind regards,
>





[strongSwan] iPhone, iOS with TLS+EAP

2017-12-18 Thread Sven Anders
Hello!

I'm trying to get the IPsec connection of the iPhone to work with strongSwan.

Currently it runs with the old racoon (ipsec-tools) and IKEv1. In the old
configuration the password is checked against the AD via the LDAP module.
We want to change to strongSwan and use IKEv2.

I've got the connection running following the instructions on the web site
and many experiments. In my configuration I'm using the 'eap-mschapv2' module
and specified the password in the /etc/ipsec.secrets file.

I have three questions:

1) Is it possible to check the EAP password without using a RADIUS server?
   If so, which module must I use?

2) Can I use an IKEv2 iOS <-> strongSwan connection verified by certificates
   only?

3) I experimented with the parameters and have the feeling that if I use the
   EAP password check, the certificate isn't checked any longer.

   I replaced the CA certificate on the server with a wrong (non-matching) CA,
   but I can still connect to the server.
   Do I have an error in reasoning here?

   I expected the connection to fail, because the server could not match the
   incoming certificate from the iPhone to the server's CA!?


Some details:

Linux strongSwan U5.5.1/K4.1.39

ipsec.conf:

config setup
    uniqueids=no
    charondebug="ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2"

conn rw-base
    fragmentation=yes
    dpdtimeout=90s
    dpddelay=30s
    dpdaction=clear

conn rw-config
    also=rw-base
    keyexchange=ikev2
    reauth=no
    rekey=no

    ike=aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
    esp=aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072

    leftsubnet=0.0.0.0/0,::/0
    leftid="ipsec.domain.net"
    leftcert=server.crt
    leftsendcert=always

    rightdns=10.1.3.10
    #rightca="C=DE, L=Somewhere, O=Firm, OU=IT, DC=local, DC=group, CN=Firm CA"
    rightsourceip=172.16.252.0/24

conn ikev2-pubkey
    also=rw-config
    auto=add

conn ikev2-eap-mschapv2
    also=rw-config
    auto=add
    rightauth=eap-mschapv2
    eap_identity=%identity

ipsec.secrets:

: RSA server.key
user : PSK "test"
user %any% : EAP "test"



Regards
 Sven Anders

-- 
 Sven Anders  () UTF-8 Ribbon Campaign
 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin