[strongSwan] Higher Ping Through IPsec

2018-02-22 Thread Christopher Bachner
Hi there,

Is it normal that the ping through IPsec tunnel is higher than without?

If I ping the internal IP through IPsec I get 45ms. 

If I ping the public IP directly, I get 13ms.

If this is not normal, where should I look?

Thanks,

Chris


Re: [strongSwan] multiple remote_ts with ikev1 file format

2018-02-22 Thread Rich Lafferty

> On Feb 22, 2018, at 7:15 AM, Marco Berizzi wrote:
> 
> I'm starting strongswan with the old 'ipsec start', and after I
> issue the command: 'swanctl -q' for loading the configuration
> files under /etc/swanctl/conf.d/*
> 
> Am I right? Or is there a smarter way to start strongswan without
> the old 'ipsec' script?

Distro-specific, but we’re running charon directly from upstart:

-- /etc/init/charon.conf -- 
description "StrongSwan IKE daemon"

start on runlevel [2345]
stop on runlevel [!2345]

respawn
respawn limit 10 5

exec /usr/lib/ipsec/charon --use-syslog
--  

And we leverage the on-start charon option to have it load its config on start:

-- /etc/strongswan.d/charon-startup.conf -- 
charon {
start-scripts {
   load-config = swanctl --load-all
}
}
-- 

(We also don’t install the ‘ipsec’ command at all, to avoid people confusing 
old and new approaches; I’ve found swanctl gives me everything that I’d get out 
of ipsec other than starting and stopping charon.)

> Is there a way to not write in every section the parameters
> common to all the children sections (rekey_time, esp_proposals…)?

I wasn’t able to find a way to set defaults, but I’ve put my common parameters 
in /etc/swanctl/swanctl-ipsec.conf and then done
"include swanctl-ipsec.conf" in each child config. If someone else knows a 
better way, though, I’m all ears!

  -Rich

[strongSwan] multiple remote_ts with ikev1 file format

2018-02-22 Thread Marco Berizzi
Hello everyone,

I would like to finally drop the ipsec.conf and ipsec.secrets
configuration files from my strongswan ipsec gateway.
I have a couple of questions to ask.

I'm running strongswan 5.6.2 on Slackware linux (still systemd
free).

On my test bed, ipsec.conf and ipsec.secrets are those shipped
with strongswan: they are both empty.

I'm starting strongswan with the old 'ipsec start', and after I
issue the command: 'swanctl -q' for loading the configuration
files under /etc/swanctl/conf.d/*

Am I right? Or is there a smarter way to start strongswan without
the old 'ipsec' script?

The second question is about the file format when multiple remote_ts
need to be defined when ikev1 must be used.
Here is my example:

children {
  net-0ab1 {
    local_ts  = 10.139.10.0/23
    remote_ts = 10.177.0.0/16
    rekey_time = 8h
    start_action = trap
    esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
  }
  net-0ab4 {
    local_ts  = 10.139.10.0/23
    remote_ts = 10.180.0.0/16
    rekey_time = 8h
    start_action = trap
    esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
  }
}

Is there a way to not write in every section the parameters
common to all the children sections (rekey_time, esp_proposals...)?

Thanks in advance
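As an added illustration, not configuration from either poster, here is Marco's pair of children above rewritten with the include approach Rich describes in his reply: the shared parameters live in one file and each child pulls them in. The file names common-child.conf and conf.d/ikev1-gw.conf, the 192.0.2.1/198.51.100.1 gateway addresses and the PSK authentication are assumptions; the relative include path assumes, as the strongswan.conf format documents, that it is resolved against the directory of the file containing the include statement.

```conf
# /etc/swanctl/common-child.conf  (constructed example, name is an assumption)
# Parameters shared by every child section. modp1024 and sha1 are legacy
# choices and appear here only because the original post requires them.
rekey_time = 8h
start_action = trap
esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024

# /etc/swanctl/conf.d/ikev1-gw.conf  (constructed example)
connections {
  ikev1-gw {
    version = 1
    # placeholder addresses from the documentation ranges
    local_addrs  = 192.0.2.1
    remote_addrs = 198.51.100.1
    local {
      auth = psk
    }
    remote {
      auth = psk
    }
    children {
      net-0ab1 {
        local_ts  = 10.139.10.0/23
        remote_ts = 10.177.0.0/16
        # pulled in relative to conf.d/, i.e. /etc/swanctl/common-child.conf
        include ../common-child.conf
      }
      net-0ab4 {
        local_ts  = 10.139.10.0/23
        remote_ts = 10.180.0.0/16
        include ../common-child.conf
      }
    }
  }
}
```

After editing, 'swanctl --load-all' (or the start-scripts hook Rich shows) reloads both children; 'swanctl --list-conns' lets you confirm that every child received the shared rekey_time and esp_proposals.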


Re: [strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Dirk Hartmann

Hi Thomas,

--On Thursday, February 22, 2018 10:47:00 AM +0100 Thomas Egerer wrote:

> On 02/22/2018 10:33 AM, Dirk Hartmann wrote:
>> Hi,
>>
>> so the other migration I'm planning is to move to
>> swanctl.conf/VICI-Plugin.
>>
>> As it is possible to run both plugins stroke and VICI at the same
>> time at the same server, is this a good idea?
> From my understanding of the code you should be fine running
> both plugins simultaneously.
>
>> It would definitely ease the migration if I could simply migrate our
>> approximately 250 connections from ipsec.conf to swanctl.conf one by
>> one.
>>
>> My question is, is this advisable?
> Each plugin has its own config backend and as long as the
> names of your configurations don't clash I don't see a
> problem. However, Tobias knows the code much better and
> might still object ;)

ah that sounds promising.

> Cheers and good luck for the migration

Thank you!
Dirk


Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Tobias Brunner
Hi Dirk,

> left= in ipsec.conf only accepts one argument (ip,fqdn) while 
> connections..local_addrs in swanctl.conf allows multiple that is 
> a good reason to start with VICI :)

This is the same for left and right.  But migrating to swanctl.conf is
still a good idea.

Regards,
Tobias


Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Dirk Hartmann

Hi Tobias,

--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner wrote:

>> Is it possible to add a second connection definition that is
>> identical but has
>> conn win2018eapmschap
>>   leftcert=serverCert2018.pem
>>   leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
>>
>> so that eap clients can connect to the server when they are equipped
>> with either the old or the new ca?
>
> You can do that.  However, the second config will only be used with
> clients that explicitly send a remote identity that matches leftid.
> With clients that don't send an IDr (e.g. Windows or the strongSwan
> Android app with its default settings) the first config that's loaded
> and matches the IPs/IDs will be used (since the only difference is
> leftid and no identity can be compared to it, both will match equally
> well, so the first one will be used).
>
> Unfortunately, certificate requests are currently not considered when
> selecting configs.  So even if leftca is set and a client that doesn't
> send an IDr sends a certificate request for the second CA the first
> config will be used.

Thank you for clarification.
As most of the eap-clients are windows that wouldn't work for us this
way.

Then I'll probably add an additional IP and hostname to the server and
add a conn only for this IP.

left= in ipsec.conf only accepts one argument (ip,fqdn) while
connections..local_addrs in swanctl.conf allows multiple that is
a good reason to start with VICI :) So I can work with only one new
config for IPv4 and IPv6 instead of two.

Thanks again
Dirk
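As an added example, not Dirk's or Tobias's configuration, this is the connection Dirk describes written in swanctl.conf form. Because clients that send no IDr are matched on the address they connect to (per Tobias's explanation above), binding the new-CA connection to its own addresses via local_addrs lets Windows clients select it, and one definition covers IPv4 and IPv6. The addresses 192.0.2.10 and 2001:db8::10, the pool name and range, and the EAP settings are placeholders; the certificate file and DN are taken from the thread.

```conf
# /etc/swanctl/conf.d/win2018.conf  (constructed example)
connections {
  win2018eapmschap {
    # only requests arriving on these (placeholder) addresses match this
    # connection, so the old-CA connection on the other address is untouched
    local_addrs = 192.0.2.10, 2001:db8::10
    pools = rw-pool-2018
    local {
      auth  = pubkey
      certs = serverCert2018.pem
      id    = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
    }
    remote {
      auth   = eap-mschapv2
      eap_id = %any
    }
    children {
      rw {
        local_ts = 0.0.0.0/0, ::/0
      }
    }
  }
}
pools {
  rw-pool-2018 {
    # placeholder virtual IP range for the road warriors
    addrs = 10.3.0.0/24
  }
}
```

Clients pointed at the new hostname must be provisioned with the 2018 CA certificate, and the corresponding server key goes under /etc/swanctl/private/ so 'swanctl --load-all' can pair it with serverCert2018.pem.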




Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Tobias Brunner
Hi Dirk,

> Is it possible to add a second connection definition that is identical 
> but has
> conn win2018eapmschap
>   leftcert=serverCert2018.pem
>   leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
> 
> so that eap clients can connect to the server when they are equipped 
> with either the old or the new ca?

You can do that.  However, the second config will only be used with
clients that explicitly send a remote identity that matches leftid.
With clients that don't send an IDr (e.g. Windows or the strongSwan
Android app with its default settings) the first config that's loaded
and matches the IPs/IDs will be used (since the only difference is
leftid and no identity can be compared to it, both will match equally
well, so the first one will be used).

Unfortunately, certificate requests are currently not considered when
selecting configs.  So even if leftca is set and a client that doesn't
send an IDr sends a certificate request for the second CA the first
config will be used.

Regards,
Tobias


Re: [strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Thomas Egerer
Hi Dirk,


On 02/22/2018 10:33 AM, Dirk Hartmann wrote:
> Hi,
> 
> so the other migration I'm planning is to move to swanctl.conf/VICI-Plugin.
> 
> As it is possible to run both plugins stroke and VICI at the same time at the 
> same server, is this a good idea?
From my understanding of the code you should be fine running
both plugins simultaneously.

> 
> It would definitely ease the migration if I could simply migrate our 
> approximately 250 connections from ipsec.conf to swanctl.conf one by one.
> 
> My question is, is this advisable?
Each plugin has its own config backend and as long as the
names of your configurations don't clash I don't see a
problem. However, Tobias knows the code much better and
might still object ;)
> Best regards
> Dirk

Cheers and good luck for the migration
Thomas


[strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Dirk Hartmann

Hi,

so the other migration I'm planning is to move to 
swanctl.conf/VICI-Plugin.


As it is possible to run both plugins stroke and VICI at the same time 
at the same server, is this a good idea?


It would definitely ease the migration if I could simply migrate our 
approximately 250 connections from ipsec.conf to swanctl.conf one by 
one.


My question is, is this advisable?

Best regards
Dirk