[strongSwan] Higher Ping Through IPsec
Hi there,

Is it normal that the ping through IPsec tunnel is higher than without?

If I ping the internal IP through IPsec I get 45ms. If I ping the public IP directly, I get 13ms.

If this is not normal, where should I look?

Thanks,
Chris
Re: [strongSwan] multiple remote_ts with ikev1 file format
> On Feb 22, 2018, at 7:15 AM, Marco Berizzi wrote:
>
> I'm starting strongswan with the old 'ipsec start', and after I
> issue the command: 'swanctl -q' for loading the configuration
> files under /etc/swanctl/conf.d/*
>
> Am I right? Or is there a smarter way to start strongswan without
> the old 'ipsec' script?

Distro-specific, but we're running charon directly from upstart:

-- /etc/init/charon.conf --
description "StrongSwan IKE daemon"
start on runlevel [2345]
stop on runlevel [!2345]
respawn
respawn limit 10 5
exec /usr/lib/ipsec/charon --use-syslog
--

And we leverage the on-start charon option to have it load its config on start:

-- /etc/strongswan.d/charon-startup.conf --
charon {
    start-scripts {
        load-config = swanctl --load-all
    }
}
--

(We also don't install the 'ipsec' command at all, to avoid people confusing old and new approaches; I've found swanctl gives me everything that I'd get out of ipsec other than starting and stopping charon.)

> Is there a way to not write in every section the parameters
> common to all the children sections (rekey_time, esp_proposals...)?

I wasn't able to find a way to set defaults, but I've put my common parameters in /etc/swanctl/swanctl-ipsec.conf and then done "include swanctl-ipsec.conf" in each child config. If someone else knows a better way, though, I'm all ears!

-Rich
[strongSwan] multiple remote_ts with ikev1 file format
Hello everyone,

I would like to finally drop the ipsec.conf and ipsec.secrets configuration files from my strongswan ipsec gateway. I have a couple of questions to ask.

I'm running strongswan 5.6.2 on Slackware Linux (still systemd free). On my test bed, ipsec.conf and ipsec.secrets are those shipped with strongswan: they are both empty.

I'm starting strongswan with the old 'ipsec start', and after I issue the command: 'swanctl -q' for loading the configuration files under /etc/swanctl/conf.d/*

Am I right? Or is there a smarter way to start strongswan without the old 'ipsec' script?

The second question is about the file format when multiple remote_ts need to be defined when ikev1 must be used. Here is my example:

children {
    net-0ab1 {
        local_ts = 10.139.10.0/23
        remote_ts = 10.177.0.0/16
        rekey_time = 8h
        start_action = trap
        esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
    }
    net-0ab4 {
        local_ts = 10.139.10.0/23
        remote_ts = 10.180.0.0/16
        rekey_time = 8h
        start_action = trap
        esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024
    }
}

Is there a way to not write in every section the parameters common to all the children sections (rekey_time, esp_proposals...)?

Thanks in advance
Re: [strongSwan] Migrating to swanctl.conf
Hi Thomas,

--On Thursday, February 22, 2018 10:47:00 AM +0100 Thomas Egerer wrote:

> On 02/22/2018 10:33 AM, Dirk Hartmann wrote:
>> Hi,
>>
>> so the other migration I'm planning is to move to swanctl.conf/VICI-Plugin.
>>
>> As it is possible to run both plugins stroke and VICI at the same time at
>> the same server, is this a good idea?
>
> From my understanding of the code you should be fine running both plugins
> simultaneously.
>
>> It would definitely ease the migration if I could simply migrate our
>> approximately 250 connections from ipsec.conf to swanctl.conf one by one.
>>
>> My question is, is this advisable?
>
> Each plugin has its own config backend and as long as the names of your
> configurations don't clash I don't see a problem. However, Tobias knows
> the code much better and might still object ;)

ah that sounds promising.

> Cheers and good luck for the migration

Thank you!

Dirk
Re: [strongSwan] Migrating to a new ca
Hi Dirk,

> left= in ipsec.conf only accepts one argument (ip,fqdn) while
> connections..local_addrs in swanctl.conf allows multiple that is
> a good reason to start with VICI :)

This is the same for left and right. But migrating to swanctl.conf is still a good idea.

Regards,
Tobias
Re: [strongSwan] Migrating to a new ca
Hi Tobias,

--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner wrote:

>> Is it possible to add a second connection definition that is identical
>> but has
>>
>> conn win2018eapmschap
>>     leftcert=serverCert2018.pem
>>     leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
>>
>> so that eap clients can connect to the server when they are equipped
>> with either the old or the new ca?
>
> You can do that. However, the second config will only be used with clients
> that explicitly send a remote identity that matches leftid. With clients
> that don't send an IDr (e.g. Windows or the strongSwan Android app with its
> default settings) the first config that's loaded and matches the IPs/IDs
> will be used (since the only difference is leftid and no identity can be
> compared to it, both will match equally well, so the first one will be
> used).
>
> Unfortunately, certificate requests are currently not considered when
> selecting configs. So even if leftca is set and a client that doesn't send
> an IDr sends a certificate request for the second CA the first config will
> be used.

Thank you for clarification. As most of the eap-clients are windows that wouldn't work for us this way.

Then I'll probably add an additional IP and hostname to the server and add a conn only for this IP.

left= in ipsec.conf only accepts one argument (ip,fqdn) while connections..local_addrs in swanctl.conf allows multiple that is a good reason to start with VICI :)

So I can work with only one new config for IPv4 and IPv6 instead of two.

Thanks again
Dirk
Re: [strongSwan] Migrating to a new ca
Hi Dirk,

> Is it possible to add a second connection definition that is identical
> but has
>
> conn win2018eapmschap
>     leftcert=serverCert2018.pem
>     leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
>
> so that eap clients can connect to the server when they are equipped
> with either the old or the new ca?

You can do that. However, the second config will only be used with clients that explicitly send a remote identity that matches leftid. With clients that don't send an IDr (e.g. Windows or the strongSwan Android app with its default settings) the first config that's loaded and matches the IPs/IDs will be used (since the only difference is leftid and no identity can be compared to it, both will match equally well, so the first one will be used).

Unfortunately, certificate requests are currently not considered when selecting configs. So even if leftca is set and a client that doesn't send an IDr sends a certificate request for the second CA the first config will be used.

Regards,
Tobias
Re: [strongSwan] Migrating to swanctl.conf
Hi Dirk,

On 02/22/2018 10:33 AM, Dirk Hartmann wrote:
> Hi,
>
> so the other migration I'm planning is to move to swanctl.conf/VICI-Plugin.
>
> As it is possible to run both plugins stroke and VICI at the same time at the
> same server, is this a good idea?

From my understanding of the code you should be fine running both plugins simultaneously.

> It would definitely ease the migration if I could simply migrate our
> approximately 250 connections from ipsec.conf to swanctl.conf one by one.
>
> My question is, is this advisable?

Each plugin has its own config backend and as long as the names of your configurations don't clash I don't see a problem. However, Tobias knows the code much better and might still object ;)

> Best regards
> Dirk

Cheers and good luck for the migration

Thomas
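A pre-flight check for the name clash Thomas warns about, added here as an example that is not part of the thread or of the strongSwan project: it lists the connection names defined by both the stroke backend (ipsec.conf "conn" sections) and the vici backend (swanctl.conf top-level "connections" subsections), so a clash can be found before both plugins load side by side. The sample configs and all function names are constructed for this example; the swanctl.conf reader is a deliberately minimal brace tracker, not strongSwan's parser.

```python
import re
# Constructed sample inputs (not from the thread): "site-a" is defined in both.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev1
conn site-a
    right=198.51.100.1
conn site-b
    right=203.0.113.5
"""
SWANCTL_CONF = """\
connections {
    site-a {
        remote_addrs = 198.51.100.1
        children {
            site-b {
                remote_ts = 10.180.0.0/16
            }
        }
    }
}
"""

def ipsec_conn_names(text):
    """Names from 'conn <name>' lines in ipsec.conf, excluding %default."""
    names = set()
    for line in text.splitlines():
        m = re.match(r'^conn\s+(\S+)', line)
        if m and m.group(1) != '%default':
            names.add(m.group(1))
    return names

def swanctl_connection_names(text):
    """Names directly under the top-level 'connections' section.
    Brace depth is tracked so nested child names (site-b above) are not
    mistaken for connection names. Assumes one brace per line, no includes."""
    names, depth, in_conns = set(), 0, False
    for line in text.splitlines():
        m = re.match(r'^\s*([^\s{}#=]+)\s*\{', line)
        if m:
            if depth == 0:
                in_conns = m.group(1) == 'connections'
            elif depth == 1 and in_conns:
                names.add(m.group(1))
            depth += 1
        elif line.strip().startswith('}'):
            depth -= 1
    return names
def name_clashes(ipsec_text, swanctl_text):
    """Names both backends define; rename one side before loading both."""
    return sorted(ipsec_conn_names(ipsec_text) & swanctl_connection_names(swanctl_text))
```

Running it on the real files (for example with open('/etc/ipsec.conf').read()) during a one-by-one migration flags any connection that would be registered twice.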
[strongSwan] Migrating to swanctl.conf
Hi,

so the other migration I'm planning is to move to swanctl.conf/VICI-Plugin.

As it is possible to run both plugins stroke and VICI at the same time at the same server, is this a good idea?

It would definitely ease the migration if I could simply migrate our approximately 250 connections from ipsec.conf to swanctl.conf one by one.

My question is, is this advisable?

Best regards
Dirk