Re: [strongSwan] Strong swan IKE issue.

2018-03-19 Thread Andrii Petrenko
Actually all of them are identified:

12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab7841c04271) 
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds 
LifeDuration=28800)
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab78aa98b745) 
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds 
LifeDuration=28800)
12.10.219.4 Main Mode Handshake returned HDR=(CKY-R=8d51ab78faedcf4f) 
SA=(Enc=3DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds 
LifeDuration=28800)

But strong swan set for all:

12[ENC] parsed INFORMATIONAL_V1 request 76122219 [ HASH N(NO_PROP) ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify


Thank you,
AP



> On Mar 19, 2018, at 15:22, Andrii Petrenko wrote:
> 
> Tobias,
> 
> I’ve tried ike-scan and what I see: 
> 
> ~/ike-scan$ sudo ike-scan --verbose  --trans=7/256,2,1,5  xx.xx.xx.xx
> sudo: unable to resolve host stratus01
> DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=8d51ab7680ad) 
> SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK 
> LifeType=Seconds LifeDuration=28800)
> 
> 
> 
> 
>> On Mar 19, 2018, at 11:01, Andrii Petrenko wrote:
>> 
>> Tobias, thank you for reply.
>> 
>> Remote side is not supporting pfs.
>> 
>> IKE Phase One Parameters:
>> Encryption Algorithm:           AES 256
>> Hash Algorithm:                 SHA
>> Authentication Method:          Pre-shared key
>> Key Exchange:                   Diffie Hellman Group 5
>> IKE SA Lifetime:                86400 (Cisco default)
>> IKE Phase Two Parameters (IPSEC):
>> Authentication:                 ESP with SHA-HMAC
>> Encryption Algorithm:           ESP-AES 256
>> SA Establishment:               ipsec-isakmp (IKE negotiated)
>> IPSEC Mode                      Tunnel (Cisco default)
>> IPSEC SA Lifetime (time)        3600 seconds
>> IPSEC SA Lifetime (volume)      4608000 kilobytes
>> PFS (Perfect Forward Secrecy)   No
>> Optional encryption if requirements differ from above:
>> esp-3des esp-md5-hmac
>> esp-aes 256 esp-sha-hmac
>> esp-aes 128 esp-sha-hmac
>> 
>> This information I have from remote side. 
>> 
>> Is it possible to see what offer remote side?
>> 
>> Thank you,
>> AP
>> 
>> 
>>> On Mar 19, 2018, at 10:52, Tobias Brunner wrote:
>>> 
>>> Hi Andrii,
>>> 
>>>> I see the problem on IKE side, but don’t know how to debug and fix it.
>>> 
>>> The log tells you _exactly_ what the problem is:
>>> 
>>>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>>>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
>>> 
>>> The peer doesn't like the crypto proposal sent by the client.  So fix
>>> the `esp` setting in the config (maybe you have to enable PFS by adding
>>> a DH group, ask the other server admin for the correct algorithms).
>>> 
>>> Regards,
>>> Tobias
>> 
> 



Re: [strongSwan] Strong swan IKE issue.

2018-03-19 Thread Andrii Petrenko
Tobias,

I’ve tried ike-scan and what I see: 

~/ike-scan$ sudo ike-scan --verbose  --trans=7/256,2,1,5  xx.xx.xx.xx
sudo: unable to resolve host stratus01
DEBUG: pkt len=88 bytes, bandwidth=56000 bps, int=16571 us
Starting ike-scan 1.9.4 with 1 hosts 
(http://www.nta-monitor.com/tools/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=8d51ab7680ad) 
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds 
LifeDuration=28800)




> On Mar 19, 2018, at 11:01, Andrii Petrenko wrote:
> 
> Tobias, thank you for reply.
> 
> Remote side is not supporting pfs.
> 
> IKE Phase One Parameters:
> Encryption Algorithm:           AES 256
> Hash Algorithm:                 SHA
> Authentication Method:          Pre-shared key
> Key Exchange:                   Diffie Hellman Group 5
> IKE SA Lifetime:                86400 (Cisco default)
> IKE Phase Two Parameters (IPSEC):
> Authentication:                 ESP with SHA-HMAC
> Encryption Algorithm:           ESP-AES 256
> SA Establishment:               ipsec-isakmp (IKE negotiated)
> IPSEC Mode                      Tunnel (Cisco default)
> IPSEC SA Lifetime (time)        3600 seconds
> IPSEC SA Lifetime (volume)      4608000 kilobytes
> PFS (Perfect Forward Secrecy)   No
> Optional encryption if requirements differ from above:
> esp-3des esp-md5-hmac
> esp-aes 256 esp-sha-hmac
> esp-aes 128 esp-sha-hmac
> 
> This information I have from remote side. 
> 
> Is it possible to see what offer remote side?
> 
> Thank you,
> AP
> 
> 
>> On Mar 19, 2018, at 10:52, Tobias Brunner wrote:
>> 
>> Hi Andrii,
>> 
>>> I see the problem on IKE side, but don’t know how to debug and fix it.
>> 
>> The log tells you _exactly_ what the problem is:
>> 
>>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
>> 
>> The peer doesn't like the crypto proposal sent by the client.  So fix
>> the `esp` setting in the config (maybe you have to enable PFS by adding
>> a DH group, ask the other server admin for the correct algorithms).
>> 
>> Regards,
>> Tobias
> 



Re: [strongSwan] Config Not Loaded

2018-03-19 Thread Info
On 03/19/2018 11:16 AM, Info wrote:
> On 03/19/2018 10:45 AM, Tobias Brunner wrote:
>> Hi,
>>
>>> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, 
>>> because the LAN gateway is known outside as quantum-equities.com and the 
>>> IPSec gateway is known in the LAN as cygnus.darkmatter.org.
>> That syntax is not valid.  Just use --san multiple times for each SAN
>> (as the man page for pki --issue indicates).
> Thanks, I'll redo the certs again.
>
>>> I also tried to set --dn "C=US, O=Quantum, 
>>> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't 
>>> having it so I had to settle for just quantum-equities.com.
>> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
>> proper RDN) and strongSwan's DN string parser does not support
>> multi-value RDNs.
> It sounds like I can't use multiple --dn's.  When my gateway must
> validate with machines inside the LAN (as cygnus.darkmatter.org) and
> outside (as quantum-equities.com), how can it prove that it's the
> right machine if not DNS resolvable by checking CN=? 
>
> And how does the phone prove it is who it is in the Android app when
> its IP changes and is not resolvable?  The responder has to take its
> word for it since it has the private key?  If so, why is --san and
> --dn required?
>
>>> # swanctl -L
>>> # swanctl -l
>>> (no response, for some reason)
>> Yes, and that reason is:  No config has been loaded.  Did you run
>> swanctl --load-conns (-c) or --load-all (-q)?
> I haven't mentioned this, but I'm running CentOS7 which handles this
> in systemd:
> ExecStart=/usr/sbin/charon-systemd
> ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
>
> ... and yet I still have nothing with
> # swanctl -L
> # swanctl -l
>
> Maybe this is the core of my problem with this horrid "/NO_PROPOSAL_CHOSEN/" 
> in swanctl.  That for some reason configs are not getting loaded? 
>
> No idea how to chase this down.

Even with the daemon started with systemd, I loaded manually.

# swanctl --load-all
loaded certificate from '/etc/strongswan/swanctl/x509/mars-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509/sirius-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509/gemini-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509/centauri-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509ca/cygnus-CAcert.pem'
loaded rsa key from '/etc/strongswan/swanctl/private/mars-Key.pem'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded
# swanctl -L
# swanctl -l

Log is attached.  Nothing.  swanctl -L is to "/list loaded
configurations/" but I get nothing.  This would be why the remote phone
cannot connect and finds no matching configs.  There is nothing related
in journalctl, and nothing in charon.log as per the attached.

swanctl has no verbose mode, so I can't get more detail.  It doesn't
seem to be recognizing my CA cert in x509ca as authoritative.  SELinux
is turned off.  Since this IPSec gateway can't load its config it can't
work with any remote device.  Is this a RedHat bug?





charon.log.bz2
Description: application/bzip
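
swanctl only loads connections that sit inside a top-level `connections` section of swanctl.conf, and `no connections found, 0 unloaded` is what it prints when that section is missing or empty. The check below is an added example, not part of the original messages and not strongSwan code: `section_tree` and `audit` are hypothetical helper names, `POSTED` reproduces only the nesting of the swanctl.conf quoted elsewhere on this page, and `WRAPPED` is constructed.

```python
# Top-level sections that swanctl reads from swanctl.conf.
KNOWN_SECTIONS = ("connections", "secrets", "pools", "authorities")


def section_tree(text):
    """Map each top-level section name to the names of its direct subsections."""
    tree, stack = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            name = line[:-1].strip()
            if not stack:
                tree.setdefault(name, [])
            elif len(stack) == 1:
                tree[stack[0]].append(name)
            stack.append(name)
        elif line == "}":
            if not stack:
                raise ValueError(f"line {number}: '}}' without an open section")
            stack.pop()
    if stack:
        raise ValueError(f"section {stack[-1]!r} is never closed")
    return tree


def audit(text):
    """Return (connection names swanctl would find, stray top-level sections)."""
    tree = section_tree(text)
    stray = [name for name in tree if name not in KNOWN_SECTIONS]
    return tree.get("connections", []), stray


# Nesting of the swanctl.conf posted in the thread; only the structure is
# examined, key names and values are not validated.
POSTED = """\
ikev2-pubkey {
    version = 2
    local {
        id = cygnus.darkmatter.org
    }
    children {
        ikev2-pubkey {
            mode = transport
        }
    }
}
"""
# Constructed variant: the same block nested inside a connections section.
WRAPPED = "connections {\n" + POSTED + "}\n"

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("wrapped", WRAPPED)):
        found, stray = audit(text)
        print(f"{label}: connections={found} stray top-level sections={stray}")
```
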


Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Info
On 03/19/2018 10:47 AM, Tobias Brunner wrote:
> Hi,
>
>> I'm looking to VPN every machine in a LAN.  I infer that this would be
>> something like a host-to-host config.
> Did you have a look at the trap-any scenario?
Yes this was one of my many attempts over the past month and a half. 
But I found that this locked out all but members of the VPN, including
printers, Zwave hubs, etc, which can not do IPSec.  With no further info
nor help I gave up.  Anyway, I'm trying to do swanctl.

I didn't want passthrough because the idea was to encrypt all in-transit
traffic possible to defeat malefactors already inside, who may be
mirroring switch ports.





Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Info
On 03/19/2018 10:45 AM, Tobias Brunner wrote:
> Hi,
>
>> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, 
>> because the LAN gateway is known outside as quantum-equities.com and the 
>> IPSec gateway is known in the LAN as cygnus.darkmatter.org.
> That syntax is not valid.  Just use --san multiple times for each SAN
> (as the man page for pki --issue indicates).
Thanks, I'll redo the certs again.

>> I also tried to set --dn "C=US, O=Quantum, 
>> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't 
>> having it so I had to settle for just quantum-equities.com.
> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
> proper RDN) and strongSwan's DN string parser does not support
> multi-value RDNs.
It sounds like I can't use multiple --dn's.  When my gateway must
validate with machines inside the LAN (as cygnus.darkmatter.org) and
outside (as quantum-equities.com), how can it prove that it's the right
machine if not DNS resolvable by checking CN=? 

And how does the phone prove it is who it is in the Android app when its
IP changes and is not resolvable?  The responder has to take its word
for it since it has the private key?  If so, why is --san and --dn required?

>> # swanctl -L
>> # swanctl -l
>> (no response, for some reason)
> Yes, and that reason is:  No config has been loaded.  Did you run
> swanctl --load-conns (-c) or --load-all (-q)?
I haven't mentioned this, but I'm running CentOS7 which handles this in
systemd:
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt

... and yet I still have nothing with

# swanctl -L
# swanctl -l

Maybe this is the core of my problem with this horrid "/NO_PROPOSAL_CHOSEN/" in 
swanctl.  That for some reason configs are not getting loaded? 

No idea how to chase this down.







Re: [strongSwan] Strong swan IKE issue.

2018-03-19 Thread Andrii Petrenko
Tobias, thank you for reply.

Remote side is not supporting pfs.

IKE Phase One Parameters:
Encryption Algorithm:           AES 256
Hash Algorithm:                 SHA
Authentication Method:          Pre-shared key
Key Exchange:                   Diffie Hellman Group 5
IKE SA Lifetime:                86400 (Cisco default)
IKE Phase Two Parameters (IPSEC):
Authentication:                 ESP with SHA-HMAC
Encryption Algorithm:           ESP-AES 256
SA Establishment:               ipsec-isakmp (IKE negotiated)
IPSEC Mode                      Tunnel (Cisco default)
IPSEC SA Lifetime (time)        3600 seconds
IPSEC SA Lifetime (volume)      4608000 kilobytes
PFS (Perfect Forward Secrecy)   No
Optional encryption if requirements differ from above:
esp-3des esp-md5-hmac
esp-aes 256 esp-sha-hmac
esp-aes 128 esp-sha-hmac

This information I have from remote side. 

Is it possible to see what offer remote side?

Thank you,
AP


> On Mar 19, 2018, at 10:52, Tobias Brunner wrote:
> 
> Hi Andrii,
> 
>> I see the problem on IKE side, but don’t know how to debug and fix it.
> 
> The log tells you _exactly_ what the problem is:
> 
>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
> 
> The peer doesn't like the crypto proposal sent by the client.  So fix
> the `esp` setting in the config (maybe you have to enable PFS by adding
> a DH group, ask the other server admin for the correct algorithms).
> 
> Regards,
> Tobias



Re: [strongSwan] Android Ciphers

2018-03-19 Thread Info
On 03/19/2018 10:30 AM, Tobias Brunner wrote:
> Hi,
>
>> I am not able to establish a connection with the Android app yet and so
>> have no proposed ciphers in my log.
> Did you check the server log?
Sure.  Please see "Re: [strongSwan] One to Many VPN (Host-Host)",
18/03/2018 17:08, this listserv.

>> I infer that which ciphers are supported by the app depend on the
>> Android kernel, at least for encryption.
> No, IPsec is handled completely in userland by libipsec on Android.
>
>> How would I find out which
>> ones these are, currently?
> The default ESP proposal can be found in the source [1].  Which other
> algorithms are usable depends on the enabled plugins and the algorithms
> supported by the used version of OpenSSL/BoringSSL (you can check the
> IKE proposals, which include all supported algorithms that are not too
> weak).
You seem to be saying that OpenSSL/BoringSSL is installed in Android? 
How can it then be completely determined in userland by libipsec on
Android?  I'm just trying to find out what is supported so I can choose
what I think are the best algos.  And I'd like to know.


>> PFS must be manually enabled, but which levels are currently supported
>> in the app?
> Don't know what you mean with levels.  But you don't have to enable PFS
> manually (unless you refer to the server config, where you do have to
> configure DH groups), see default proposals above.
I have in my Android notes:  "/The IPsec proposal is limited to AES
encryption with SHA2/SHA1 data integrity or AES-GCM authenticated
encryption.  Optionally, using PFS with one of a number of proposed
ECP/MODP DH groups./"

Apparently PFS must be manually enabled in ESP, but which groups are
currently supported in the app?


>
>> And is any form of ntru supported for encryption or key
>> exchange in the Android app?
> No.
In Android is this a limitation of libipsec or of OpenSSL/BoringSSL (or
of something else)?






Re: [strongSwan] Strong swan IKE issue.

2018-03-19 Thread Tobias Brunner
Hi Andrii,

> I see the problem on IKE side, but don’t know how to debug and fix it.

The log tells you _exactly_ what the problem is:

> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
> 12[IKE] received NO_PROPOSAL_CHOSEN error notify

The peer doesn't like the crypto proposal sent by the client.  So fix
the `esp` setting in the config (maybe you have to enable PFS by adding
a DH group, ask the other server admin for the correct algorithms).

Regards,
Tobias


Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Tobias Brunner
Hi,

> I'm looking to VPN every machine in a LAN.  I infer that this would be
> something like a host-to-host config.

Did you have a look at the trap-any scenario?

Regards,
Tobias

[1] https://www.strongswan.org/testing/testresults/ikev2/trap-any/


Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Tobias Brunner
Hi,

> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, 
> because the LAN gateway is known outside as quantum-equities.com and the 
> IPSec gateway is known in the LAN as cygnus.darkmatter.org.

That syntax is not valid.  Just use --san multiple times for each SAN
(as the man page for pki --issue indicates).

> I also tried to set --dn "C=US, O=Quantum, 
> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't 
> having it so I had to settle for just quantum-equities.com.

That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
proper RDN) and strongSwan's DN string parser does not support
multi-value RDNs.

> # swanctl -L
> # swanctl -l
> (no response, for some reason)

Yes, and that reason is:  No config has been loaded.  Did you run
swanctl --load-conns (-c) or --load-all (-q)?

Regards,
Tobias


Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Info
"/no IKE config found for 192.168.1.16...172.56.42.194, sending
NO_PROPOSAL_CHOSEN/"

This is a difficult error, because no clue to the reason is given no
matter the loglevel.  And it is starting to become a scary one for me as
it seems so easy to get with swanctl.  I have the simplest possible
configuration on the responder and the prescribed setup of the Android
app, and no dice.

And I am virtually alone in trying to use swanctl as there is only one
howto by a user out there (in the Indian Ocean, ostensibly), and it is a
very simple one using PSK, whereas there are many user howtos for
ipsec.conf.

Noel has a difficult and unrewarding task to put up with us and I for
one am grateful for his many efforts.  But is there only one Noel?  Does
no one else know the newer workings of Strongswan?  Why must he do all
the heavy lifting?



On 03/18/2018 05:08 PM, Info wrote:
>
> On the phone in the Android app:
>
> Server: quantum-equities.com
>
> VPN Type: IKE2 certificate
>
> User certificate: mars2
>
> User ID: default (CN=mars.darkmatter.org,O=Quantum,C=US)
>
> CA Cert: Select automatically
>
> Profile name: cygnus
>
> Advanced|Server ID: quantum-equities.com
>
> Block IPV6 traffic not destined for the VPN.
>
> The CA cert is in CA Certs under Imported.
>
> The phone's key and cert are in the VPN definition, and current IP is
> 192.0.0.4 -- Idk why it's showing connecting from 172.56.42.34, that
> must be TMobile jazz.  It also has an IPV6 IP but I have IPV6 turned
> off in the LAN with sysctl.
>
> In the IPSec gateway I don't have anything in the Shorewall firewall
> set for device ipsec0;  I've read that the kernel is definitely no
> longer supposed to generate that...  but I always have it when the
> daemon is running.  Doesn't make sense.
>
>
>
> On 03/18/2018 04:52 PM, Info wrote:
>> This post is formatted as per here.
>>
>> I'm using the bare minimum swanctl.conf and I've regenerated all my
>> keys and certs again.  For the IPSec gateway, which is a virtual
>> machine in the LAN DNATted to by the LAN gateway, I've made its cert
>> with --san quantum-equities.com,cygnus.darkmatter.org, because the
>> LAN gateway is known outside as quantum-equities.com and the IPSec
>> gateway is known in the LAN as cygnus.darkmatter.org.  My assumption
>> is it has to be resolvable in both worlds.
>>
>> I also tried to set --dn "C=US, O=Quantum,
>> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki
>> wasn't having it so I had to settle for just quantum-equities.com.
>>
>> For the phone's key and cert, when it is the initiator, I know of no
>> way it can prove it is mars.darkmatter.org, other than what the cert
>> says.  It could be at any IP so I don't see how it can prove its
>> identity?  The IPSec gateway resolves to quantum-equities.com so it
>> can prove its identity.
>>
>> Also I would like to set the phone and other remotes to 'initiate
>> only' but there doesn't seem to be a way in the Android app.  And for
>> other remote machines there no longer seems to be that option.
>>
>> Log levels are as per instructions and charon.log is attached.
>>
>> strongswan.conf
>> charon {
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>> swanctl.conf
>> ikev2-pubkey {
>>     version = 2
>>     rekey_time = 0s
>>     local {
>>         cert = cygnus-Cert.pem
>>         id = cygnus.darkmatter.org
>>     }
>>     remote {
>>         # defaults are fine.
>>     }
>>     children {
>>         ikev2-pubkey {
>>             local_ts = 192.168.1.0/24
>>             mode = transport
>>         }
>>     }
>> }
>>
>>
>> charon.conf
>> charon {
>>
>> # two defined file loggers
>>     filelog {
>>         /var/log/charon.log {
>>             time_format = %a, %Y-%m-%d %R
>>             ike_name = yes
>>             append = no
>>             default = 2
>>             flush_line = yes
>>         }
>>         stderr {
>>             mgr = 0
>>             net = 1
>>             enc = 1
>>             asn = 1
>>             job = 1
>>             knl = 1
>>         }
>>     }
>> }
>>
>>
>> # swanctl -L
>> # swanctl -l
>> (no response, for some reason)
>>
>> # systemctl status strongswan-swanctl
>> ● strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2 daemon
>> using swanctl
>>    Loaded: loaded
>> (/usr/lib/systemd/system/strongswan-swanctl.service; enabled; vendor
>> preset: disabled)
>>    Active: active (running) since Sun 2018-03-18 12:14:37 PDT; 3h
>> 58min ago
>>   Process: 59439 ExecStartPost=/usr/sbin/swanctl --load-all
>> --noprompt (code=exited, status=0/SUCCESS)
>>  Main PID: 59419 (charon-systemd)
>>    Status: "charon-systemd running, strongSwan 5.5.3, Linux
>> 4.13.0-1.el7.elrepo.x86_64, x86_64"
>>    CGroup:

Re: [strongSwan] Android Ciphers

2018-03-19 Thread Tobias Brunner
Hi,

> I am not able to establish a connection with the Android app yet and so
> have no proposed ciphers in my log.

Did you check the server log?

> I infer that which ciphers are supported by the app depend on the
> Android kernel, at least for encryption.

No, IPsec is handled completely in userland by libipsec on Android.

> How would I find out which
> ones these are, currently?

The default ESP proposal can be found in the source [1].  Which other
algorithms are usable depends on the enabled plugins and the algorithms
supported by the used version of OpenSSL/BoringSSL (you can check the
IKE proposals, which include all supported algorithms that are not too
weak).

> PFS must be manually enabled, but which levels are currently supported
> in the app?

Don't know what you mean with levels.  But you don't have to enable PFS
manually (unless you refer to the server config, where you do have to
configure DH groups), see default proposals above.

> And is any form of ntru supported for encryption or key
> exchange in the Android app?

No.

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c;h=806375c2f7152be6503f3239d3a34edbd8c47f6b;hb=HEAD#l834


[strongSwan] Android Ciphers

2018-03-19 Thread Info
https://lists.strongswan.org/pipermail/users/2015-April/007855.html
https://wiki.strongswan.org/projects/strongswan/wiki/androidvpnclient
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
https://wiki.strongswan.org/projects/strongswan/wiki/NTRU

I am not able to establish a connection with the Android app yet and so
have no proposed ciphers in my log.

I infer that which ciphers are supported by the app depend on the
Android kernel, at least for encryption.  How would I find out which
ones these are, currently?  I can find no way of determining this.

PFS must be manually enabled, but which levels are currently supported
in the app?  And is any form of ntru supported for encryption or key
exchange in the Android app?





Re: [strongSwan] connecting identities get always the same ip from sql-pool

2018-03-19 Thread Tobias Brunner
Hi Mike,

> But after disconnecting, waiting 15 seconds and connecting again in the
> reversed order, each roadwarrior gets the IP it got in the first
> connection order.

Offline leases for the same identity are reused (you see "acquired
existing lease for address ... in pool '...'" in the log).  They are
also listed in `ipsec pool --leases` (first as `valid`, then as
`expired`).  The timeout is used to reassign expired/unassigned leases
if no offline lease is found.

> Is there a way to disable the address to identity binding?

No, currently not.

Regards,
Tobias


[strongSwan] Strong swan IKE issue.

2018-03-19 Thread Andrii Petrenko
Hello All,

I have an issue to set up VPN to Cisco ASA. Problem appeared on IKE side.

Log: 
#
$ docker run -it   --cap-add=NET_ADMIN   --net=host   -v 
$PWD/config/strongswan.conf:/etc/strongswan.conf   -v 
$PWD/config/ipsec.conf:/etc/ipsec.conf   -v 
$PWD/config/ipsec.secrets:/etc/ipsec.secrets   -v 
$PWD/config/ipsec.d:/etc/ipsec.d   --name=strongswan   --rm  strongswan
Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[1]: Starting strongSwan 5.6.2 IPsec [starter]...
# unknown keyword 'ikeylife'
ipsec_starter[1]: # unknown keyword 'ikeylife'
### 1 parsing error (0 fatal) ###
ipsec_starter[1]: ### 1 parsing error (0 fatal) ###
modprobe: can't change directory to '/lib/modules': No such file or directory
no netkey IPsec stack detected
ipsec_starter[1]: no netkey IPsec stack detected
modprobe: can't change directory to '/lib/modules': No such file or directory
no KLIPS IPsec stack detected
ipsec_starter[1]: no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
ipsec_starter[1]: no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, 
x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for xx.xx.xx.xx
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 
dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm 
ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke 
vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls 
xauth-generic dhcp counters
00[JOB] spawning 16 worker threads
charon (12) started after 20 ms
ipsec_starter[1]: charon (12) started after 20 ms
05[CFG] received stroke: add connection 'remote-asa'
05[CFG] added configuration 'remote-asa'
07[CFG] received stroke: initiate 'remote-asa'
07[IKE] initiating Main Mode IKE_SA remote-asa[1] to xx.xx.xx.xx
07[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
07[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (272 bytes)
09[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (108 bytes)
09[ENC] parsed ID_PROT response 0 [ SA V ]
09[IKE] received NAT-T (RFC 3947) vendor ID
09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
09[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (308 bytes)
10[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (368 bytes)
10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
10[IKE] received Cisco Unity vendor ID
10[IKE] received DPD vendor ID
10[ENC] received unknown vendor ID: 
78:96:0c:65:2b:d4:73:8d:af:cd:b5:00:63:a6:38:03
10[IKE] received XAuth vendor ID
10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
10[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (108 bytes)
11[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (76 bytes)
11[ENC] parsed ID_PROT response 0 [ ID HASH ]
11[IKE] IKE_SA remote-asa[1] established between 
45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]
11[IKE] scheduling reauthentication in 86138s
11[IKE] maximum IKE_SA lifetime 86318s
11[ENC] generating QUICK_MODE request 4088404241 [ HASH SA No ID ID ]
11[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (188 bytes)
12[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (92 bytes)
12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify


Status: 
#
~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):
  uptime: 3 seconds, since Mar 19 14:30:08 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 1
  loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random 
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru 
newhope curl files attr kernel-netlink resolve socket-default farp stroke vici 
updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls 
xauth-generic dhcp counters
Listening IP addresses:
  45.55.20.248
  2604:a880:1:20::120:9001
  172.17.0.1
Connections:
remote-asa:  %any...xx.xx.xx.xx  IKEv1
remote-asa:   local:  [trueaccord] uses pre-shared k

[strongSwan] connecting identities get always the same ip from sql-pool

2018-03-19 Thread Mike.Ettrich
Hi!
We are using a sql-pool and set the timeout in the pools table to 5.

We thought that two roadwarriors that connect to the gateway get IPs 
from the pool in the order they connect.
But after disconnecting, waiting 15 seconds and connecting again in the 
reversed order, each roadwarrior gets the IP it got in the first connection 
order.

Did we understand something wrong?
Is there a way to disable the address to identity binding?

Kind regards,
Mike.




Re: [strongSwan] Cipher Suite proposals changed in the course of 5.6.0 to 5.6.2

2018-03-19 Thread Noel Kuntze
Does my address look like a developer's?
1) Sane defaults are more important
2) People with legacy setups (which they are told, that they are)

It should be obvious that there are third party legacy setups - and they are 
the majority, because companies are lazy and uncaring in that regard - that can 
only handle old, insecure ciphers.
It should also be obvious that legacy setups must not be allowed to impact the 
security of other software in regards to negotiable settings.

If people don't configure their setups correctly (meaning specifically for the 
stuff they need, in regards to the proposals), then that's their fault and 
their problem.

There are lists of cipher keywords on the IKEv1CipherSuites and 
IKEv2CipherSuites pages.

Kind regards

Noel


On 19.03.2018 05:36, Dr. Rolf Jansen wrote:
> After some trials I found it:
> 
>    ike = aes256-sha1-modp1024
> 
> Obvious, isn't it?
> 
> Do you know the Robustness Principle of software design? According to this, 
> IMHO, in the responder (server) role strongSwan would be well advised to 
> accept the best cipher of the otherwise too low security ciphers, because the 
> alternative for the client would be no VPN at all, which would be the 
> absolute worst case. In the initiator (client) role it should of course 
> propose the most secure ciphers it knows of -- and perhaps like Postfix does, 
> enforce this by a flag or even not, depending on the user's choice.
> 
> See: https://en.wikipedia.org/wiki/Robustness_principle
> 
> Anyway, never mind, best regards.
> 
> Rolf Jansen
> 
> 
>> On 18.03.2018 at 22:08, Dr. Rolf Jansen wrote:
>>
>> I tried already adding the following line to my ipsec.conf:
>>
>>   ike = AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>
>> But as expected, this did not work because the syntax for specifying the 
>> ciphers is different from the syntax for the actually used proposals. I 
>> searched half the day for sort of a translation table or translation aid 
>> before I gave up and simply patched the sources.
>>
>> That said, what would be the correct ike directive for getting charon simply 
>> to accept the above proposal?
>>
>> Thank you very much
>>
>> Rolf Jansen
>>
>>
>>> On 18.03.2018 at 20:01, Noel Kuntze wrote:
>>>
>>> Hello,
>>>
>>> I know that everything looks like a nail, if you only got a hammer, but you 
>>> only needed to add a corresponding ike and/or esp line in ipsec.conf to 
>>> configure the right ciphers for that particular IKE SA configuration. The 
>>> ciphers were removed because they were insecure and now there's an RFC for 
>>> that. Take a look at the UsableExamples page.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 18.03.2018 23:48, Dr. Rolf Jansen wrote:
>>>> I am still using an iPhone 4 with iOS 7.1.2 which cannot be updated to a 
>>>> more recent iOS.
>>>>
>>>> When I am on travel, I use the builtin L2TP/IPsec client in order to 
>>>> connect to my FreeBSD home server providing the respective VPN service via 
>>>> net/mpd5 + security/strongswan (both of which are installed from the ports 
>>>> collection).
>>>>
>>>> After a recent update from strongSwan 5.6.0 to v5.6.2, my iPhone 4 cannot 
>>>> connect anymore. In the server's log I see:
>>>>
>>>> Mar 18 18:33:05 example charon: 15[CFG] received proposals: 
>>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>>>> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, 
>>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>>>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, 
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>>>> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>>>> Mar 18 18:33:05 example charon: 15[CFG] configured proposals: 
>>>> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072, 
>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>>>>
>>>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>>>> Mar 18 18:33:05 example charon: 15[IKE] no proposal found
>>>>
>>>>
>>>> I dug into the strongSwan sources, and I found, that some ciphers were 
>>>> disabled. As a hot fix I added on my FreeBSD server a patch file to 
>>>> /usr/ports/security/strongswan/files/patch-zz-add-classic-ciphers.local 
>>>> (s. attachment), then I executed make deinstall install clean. For
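
The translation asked about in this thread, as an added example that is not part of any message or of strongSwan itself: it turns the proposal names charon logs into the keyword form used on an `ike =` line and reports which transforms are absent from the configured proposals. The function names and the keyword table (limited to the transforms this client offered) are assumptions of the example.

```python
import re

# charon log name -> ipsec.conf keyword; only the transforms the client offered.
KEYWORD = {
    "AES_CBC_128": "aes128", "AES_CBC_256": "aes256", "3DES_CBC": "3des",
    "HMAC_SHA1_96": "sha1", "HMAC_MD5_96": "md5",
    "PRF_HMAC_SHA1": "prfsha1", "PRF_HMAC_MD5": "prfmd5", "MODP_1024": "modp1024",
}
# PRF that a keyword string implies when only the integrity algorithm is named.
IMPLIED_PRF = {"HMAC_SHA1_96": "PRF_HMAC_SHA1", "HMAC_MD5_96": "PRF_HMAC_MD5"}

# Copied from the log in the thread; the configured list is abridged to its
# first two proposals (the third holds only AEAD ciphers).
RECEIVED = (
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024"
)
CONFIGURED = (
    "IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072, "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/"
    "CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/"
    "HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/"
    "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/"
    "PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/"
    "CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048"
)

def parse_proposals(text):
    """Split a charon proposal list into one list of transform names each."""
    return [p.split("/") for p in re.findall(r"IKE:([A-Z0-9_/]+)", text)]

def to_keyword(transforms):
    """Render one logged proposal as an ike= value, e.g. aes256-sha1-modp1024."""
    implied = {IMPLIED_PRF.get(t) for t in transforms}
    return "-".join(KEYWORD[t] for t in transforms if t not in implied)

def unmatched(proposal, configured):
    """Transforms of `proposal` absent from the closest configured proposal."""
    gaps = [[t for t in proposal if t not in conf] for conf in configured]
    return min(gaps, key=len)

if __name__ == "__main__":
    conf = parse_proposals(CONFIGURED)
    for prop in parse_proposals(RECEIVED):
        print(f"ike = {to_keyword(prop):24} blocked by {unmatched(prop, conf)}")
```

For the first received proposal the only gap is MODP_1024, so the `ike =` line shown in the reply re-enables exactly that group and nothing else.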

Re: [strongSwan] Prevent strongswan Initiator to reauthenticate

2018-03-19 Thread Tobias Brunner
Hi Alex,

> I am in the need to verify that a Strongswan Responder is initiating an
> IKE SA reauthentication in case the Initiator doesn't.

The responder might not be able to initiate a reauthentication (depends
on the config, e.g. whether EAP or virtual IPs are used).

> Therefore, would you see a way to prevent a Strongswan Initiator (I am
> using a Strongswan as the client/initiator too) from reauthenticating
> even if the Responder requested reauthentication (AUTH_LIFETIME in
> IKE_AUTH Responder Response) ?
> 
> Setting reauth=no in Initiator doesn’t do the job …

No, as documented [1], clients will schedule a rekeying if an
AUTH_LIFETIME notify is received even if reauthentication is disabled in
the config.  There is currently no option to change that.  So you'd have
to modify the code to make the client ignore any received AUTH_LIFETIME
notifies.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior


Re: [strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

2018-03-19 Thread Tobias Brunner
Hi Mike,

> Did you find something that could help us?

You gave the answer basically yourself by considering the very old
strongSwan version (which you claimed to be 5.5.3 on both ends in your
original mail btw.).  If you didn't stop there but e.g. checked the
changelog [1] to see since when IKEv2 signature authentication (and thus
the use of stronger signature algorithms) has been supported (it's
5.3.0) you'd have realized that you can't restrict the signature
algorithm to only SHA-256 during authentication (rightauth) if your
peers use such old versions that only support SHA-1.

> The client has the same configuration as the gateway:
> 
>    ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
>    esp=aes256-sha256-modp2048,aes256-sha1-modp2048!

This has absolutely nothing to do with the authentication, where your
problem is.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/roadmap?completed=1&from=5.1.3