Re: [strongSwan] Problems compiling strongswan 4.2.9 on SLES10SP2
Hi Nicole,

you can try the latest release candidate available from

http://download.strongswan.org/strongswan-4.2.10rc5.tar.bz2

which fixes the xfrm.h header inclusion problem. If this doesn't help either, then your rpm builder probably changes your linux kernel header inclusion path. You can still replace the XFRM_MODE_TUNNEL defines by their numerical values.

Regards

Andreas

Nicole Hähnel wrote:
> Hi,
>
> I changed the line and recompiled strongswan by hand. This works, but I have to build a rpm for about 20 servers and that does not work. (spec attached)
>
> starterstroke.c: In function starter_stroke_add_conn:
> starterstroke.c:246: error: XFRM_MODE_TUNNEL undeclared (first use in this function)
> starterstroke.c:246: error: (Each undeclared identifier is reported only once
> starterstroke.c:246: error: for each function it appears in.)
> starterstroke.c:250: error: XFRM_MODE_BEET undeclared (first use in this function)
> starterstroke.c:254: error: XFRM_MODE_TRANSPORT undeclared (first use in this function)
> if gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.9\" -DPACKAGE_STRING=\"strongSwan\ 4.2.9\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.9\" -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"/dev/urandom\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LIBDL=1 -DHAVE_BACKTRACE=1 -DHAVE_DLADDR=1 -I. -I. -I../../src/libfreeswan -I../../src/pluto -I../../src/whack -I../../src/stroke -DIPSEC_DIR=\"/usr/lib64/ipsec\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_PIDDIR=\"/var/run\" -DIPSEC_EAPDIR=\"\" -DDEBUG -O2 -g -fmessage-length=0 -D_FORTIFY_SOURCE=2 -W -Wall -MT confread.o -MD -MP -MF .deps/confread.Tpo -c -o confread.o confread.c; \
> then mv -f .deps/confread.Tpo .deps/confread.Po; else rm -f .deps/confread.Tpo; exit 1; fi
> starterwhack.c: In function pack_str:
> starterwhack.c:43: warning: comparison between signed and unsigned
> starterwhack.c: In function send_whack_msg:
> starterwhack.c:92: warning: comparison between signed and unsigned
> make[2]: *** [starterstroke.o] Error 1
> make[2]: *** Waiting for unfinished jobs
> starterwhack.c: In function starter_whack_add_pubkey:
> starterwhack.c:260: warning: pointer targets in assignment differ in signedness
> invokepluto.c: In function starter_start_pluto:
> invokepluto.c:218: warning: empty body in an if-statement
> invokepluto.c:261: warning: empty body in an if-statement
> confread.c: In function load_setup:
> confread.c:120: warning: comparison of unsigned expression < 0 is always false
> make[2]: Leaving directory `/usr/src/packages/BUILD/strongswan-4.2.9/src/starter'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/src/packages/BUILD/strongswan-4.2.9/src'
> make: *** [all-recursive] Error 1
> error: Bad exit status from /var/tmp/rpm-tmp.62454 (%build)
>
> RPM build errors:
>     Bad exit status from /var/tmp/rpm-tmp.62454 (%build)
>
> Thanks!
> Nicole
>
> Tobias Brunner schrieb:
>> Hi Nicole,
>>
>>> starterstroke.c:246: error: XFRM_MODE_TUNNEL undeclared (first use in this function)
>>
>> The file starterstroke.c now uses these constants defined in xfrm.h instead of the hard-coded numeric values. As you observed, some distributions provide older or different versions of this header file. For this reason we provide suitable copies of all required header files in src/include (which can be changed with the --with-linux-headers option of the configure script). Unfortunately, the makefile of starter was missing the appropriate directive to include that path. This has been fixed in [1] which will be included in the next release. For a temporary solution you can add the missing directive to line 221 of src/starter/Makefile.in (see [1] for how that line should look).
>>
>> Best regards,
>> Tobias
>>
>> [1] http://wiki.strongswan.org/changeset/4675

==
Andreas Steffen [EMAIL PROTECTED]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] updown script failure?
There seems to be a problem with iptables:

> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615

Which kernel and which iptables version are you using? Are you able to insert an IPsec policy iptables rule manually?

  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT

  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
      -s $PLUTO_MY_CLIENT $S_MY_PORT \
      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT

Just replace all script parameters by their actual values.

The VPN_LOGGING information seems to be correct:

> vpn: + [EMAIL PROTECTED] 10.10.0.1/32 == 65.x.x.138 -- 63.x.x.205 == 0.0.0.0/0

generated by

  logger -t $TAG -p $FAC_PRIO \
      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"

Best regards

Andreas

[EMAIL PROTECTED] wrote:
> Hi,
>
> I have a problem with my strongswan set up. It looks like the insertion of a firewall rule by the updown script seems to be failing. The log messaging I am getting is not giving me a lot to go on... (my loglevel is set to 5 for CHD)
>
> I am hoping someone has seen this issue before or could recommend a troubleshooting way forward.
>
> Thanks
> -Dan C.
>
> General FYI
> Kernel=2.6.9-42.0.3
> No issues on startup
> Using EAP SIM Authentication
> Public IP addresses have been 'modified' in log below
> strongswan-4.2.5
>
> Log Message on tunnel initiation
>
> charon: 09[AUD] IKE_SA rw-eapsim-131000123601[1] established between [EMAIL PROTECTED]
> charon: 09[IKE] peer requested virtual IP %any
> charon: 09[IKE] assigning virtual IP 10.10.0.1 to peer
> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
> vpn: + [EMAIL PROTECTED] 10.10.0.1/32 == 65.x.x.138 -- 63.x.x.205 == 0.0.0.0/0
> charon: 09[AUD] CHILD_SA rw-eapsim-abc{1} established with SPIs c2cb37d5_i 33908b00_o and TS 0.0.0.0/0 === 10.10.0.1/32
>
> Log Message on Strongswan shutdown
>
> charon: 01[CHD] running updown script: 21 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='rw-eapsim-abc' PLUTO_INTERFACE='eth0' PLUTO_REQID='2' PLUTO_ME='63.x.x.205' PLUTO_MY_ID='sgw.xxx.com' PLUTO_MY_CLIENT='0.0.0.0/0' PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='65.x.x.138' PLUTO_PEER_ID='[EMAIL PROTECTED]' PLUTO_PEER_CLIENT='10.10.0.1/32' PLUTO_PEER_CLIENT_NET='10.10.0.1' PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' ipsec _updown iptables
> charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?)
> charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?)
> vpn: - [EMAIL PROTECTED] 10.10.0.1/32 == 65.57.245.138 -- 63.80.235.205 == 0.0.0.0/0
Re: [strongSwan] ECDSA keys generation and export
Vit Pelcak wrote:
> Hi.
>
> I'd like to ask you how can I create and export ECDSA certs and keys for this scenario:
>
> http://www.strongswan.org/uml/testresults42/openssl/ecdsa-certs/

I described the generation of EC keys in the following posting:

https://lists.strongswan.org/pipermail/users/2008-October/002789.html

The openssl ecparam -genkey puts a parameter description in front of the actual EC key, a construct which strongSwan's private key parser is not able to handle. Therefore either delete the parameter description manually using an ASCII editor or execute the following cleansing command:

  openssl ec -in ecKey.pem -out ecKey.pem

> I already have CA and RSA certs and keys exported:
>
> # find /etc/ipsec.* | grep pem
> /etc/ipsec.d/private/machine-1.pem
> /etc/ipsec.d/certs/machine-1.pem
> /etc/ipsec.d/cacerts/ipsec-test.pem
> /etc/ipsec.d/crls/ipsec-crl.pem
>
> I can pass test:
>
> http://www.strongswan.org/uml/testresults42/openssl/ike-alg-ecp-high/
>
> Do I need a whole new CA or are just new keys and certs enough?

No, you can use your CA's RSA key to sign an ECDSA certificate.

> Thank you.
>
> Regards
> Vit Pelcak

Regards

Andreas
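The cleansing step above removes the "EC PARAMETERS" block that `openssl ecparam -genkey` writes ahead of the key. As an added example (not strongSwan or OpenSSL code), the following Python does the same thing on a PEM file in a way you can inspect: it splits the file into PEM blocks, validates each base64 body, and keeps only the "EC PRIVATE KEY" block. The sample input is constructed: the parameters block is the real DER encoding of the prime256v1 curve OID, but the key body is placeholder bytes, not a real private key.

```python
"""Strip the "EC PARAMETERS" block that `openssl ecparam -genkey` writes in
front of the private key, leaving only the "EC PRIVATE KEY" block.

Added example, not strongSwan code: it does with plain Python what the
`openssl ec -in ecKey.pem -out ecKey.pem` command in the mail does.
"""
import base64
import binascii
import re

# One PEM block: label, base64 body. The END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in `text`.

    The base64 body is decoded with validation so that a truncated or
    hand-edited block is rejected instead of silently producing garbage.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError("bad base64 in %s block: %s" % (m.group("label"), e))
        blocks.append((m.group("label"), der))
    return blocks


def pem_encode(label, der):
    """Re-emit a block with the 64-column line wrapping PEM readers expect."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def cleanse_ec_key(text):
    """Keep only the EC PRIVATE KEY block(s); drop EC PARAMETERS and anything else.

    Raises if no private key block is present, so a file that contained
    only parameters is not silently turned into an empty file.
    """
    keys = [(lbl, der) for lbl, der in pem_blocks(text) if lbl == "EC PRIVATE KEY"]
    if not keys:
        raise ValueError("no EC PRIVATE KEY block found")
    return "".join(pem_encode(lbl, der) for lbl, der in keys)


# Constructed sample input. The parameters block is the DER encoding of the
# prime256v1 curve OID (06 08 2A 86 48 CE 3D 03 01 07), which is what
# `openssl ecparam -name prime256v1` writes; the key body is placeholder
# bytes, NOT a real private key.
FAKE_KEY_DER = b"constructed placeholder, not a real EC private key"
SAMPLE_PEM = (
    "-----BEGIN EC PARAMETERS-----\n"
    "BggqhkjOPQMBBw==\n"
    "-----END EC PARAMETERS-----\n"
    + pem_encode("EC PRIVATE KEY", FAKE_KEY_DER)
)

if __name__ == "__main__":
    print(cleanse_ec_key(SAMPLE_PEM))
```

Run it on a real `ecKey.pem` by reading the file into `cleanse_ec_key` and writing the result back; for production use, the `openssl ec` command from the mail remains the right tool, this only shows what it changes.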
Re: [strongSwan] SPI question
The IPsec stack does not care about outgoing packets but uses the SPI of incoming packets to look up the context in the SAD. If a packet replay-window is set then restrictions on the ESP packet sequence numbers apply.

Andreas

Jianqing Zhang wrote:
> When I configured SPD and SAD manually, I find that SPIs for the outgoing packets could be same but those for incoming packets must be unique. Why?
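The two points in the answer, SPI lookup for inbound packets only and the anti-replay window, as an added Python model (not strongSwan or Linux XFRM code). It follows RFC 4303: an inbound ESP packet is matched on (SPI, destination address), so two inbound SAs with the same SPI towards the same host cannot be told apart and the add is refused, while outbound SAs are chosen by policy and their SPIs are never looked up. The replay check is the sliding bitmap window of RFC 4303 section 3.4.3.

```python
"""Inbound SAD lookup by SPI plus the ESP anti-replay window (RFC 4303).

Added example to illustrate the answer above; a model, not strongSwan or
Linux XFRM code. Lookup key and window semantics follow RFC 4303.
"""
from dataclasses import dataclass


@dataclass
class InboundSA:
    spi: int
    dst: str
    window_size: int = 64          # 0 disables anti-replay checking
    top: int = 0                   # highest sequence number accepted so far
    bitmap: int = 0                # bit i set => seq (top - i) was received

    def check_replay(self, seq):
        """Return True and record seq if it is acceptable, else False.

        Sequence numbers start at 1 on a fresh SA; 0 is never valid.
        """
        if seq == 0:
            return False
        if self.window_size == 0:
            return True
        if seq > self.top:
            # Advance the window; bits for skipped numbers become 0 (unseen).
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.window_size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window_size:
            return False               # too old: left of the window
        if self.bitmap & (1 << offset):
            return False               # already received: replay
        self.bitmap |= 1 << offset
        return True


class SAD:
    """Security Association Database keyed the way the stack looks it up."""

    def __init__(self):
        self._inbound = {}

    def add_inbound(self, sa):
        key = (sa.spi, sa.dst)
        if key in self._inbound:
            # Same SPI towards the same destination: the second SA could
            # never be selected, so a real kernel refuses the add as well.
            raise KeyError("inbound SA with SPI 0x%08x for %s already exists" % key)
        self._inbound[key] = sa

    def receive(self, spi, dst, seq):
        """Process an inbound ESP header: look up the SA, then check replay."""
        sa = self._inbound.get((spi, dst))
        if sa is None:
            return "no SA"
        return "ok" if sa.check_replay(seq) else "replay/out-of-window"


if __name__ == "__main__":
    sad = SAD()
    sad.add_inbound(InboundSA(spi=0xc2cb37d5, dst="10.0.0.1", window_size=4))
    for seq in (1, 1, 5, 3, 3, 1):
        print(seq, sad.receive(0xc2cb37d5, "10.0.0.1", seq))
```

The small window of 4 in the demo makes the "too old" case visible after only a few packets; real stacks default to 32 or 64 and let you raise it for links that reorder heavily.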
Re: [strongSwan] charon top statistics
Hi Leonid,

the 160M are just virtual memory due to charon's 16 worker threads. Actual resident memory use is only 2M. If virtual memory space is an issue then you could reduce the number of threads to about 10 by setting

  charon {
    threads = 10
  }

in /etc/strongswan.conf.

Best regards

Andreas

Leonid Sigal wrote:
> Hello,
>
> I have some top util results from charon running on my box ... It shows DATA size == 160M, which is way too much for me... Is there any way to reduce that size ... I would be happy with 10M :-)
>
>   PID USER  PR NI VIRT  RES  SHR S %CPU %MEM   TIME+ CODE DATA COMMAND
> 31484 root  20  0 163m 1940 1344 S  0.0  0.1 0:03.22  236 160m charon
>
> Regards,
> Leonid.
Re: [strongSwan] # of thread in strongswan
As I recommended in my previous mail you should not reduce the number of threads below 8..10, since depending on the plugins you have activated, about 5..7 threads are permanently allocated to certain tasks. If you go below the minimum, the charon daemon will just deadlock.

Andreas

Leonid Sigal wrote:
> Configuring that number (# of threads) less than 6 breaks strongSwan, it stops working. Help needed with some explanation.
>
> Thanks,
> Leonid.
Re: [strongSwan] linux minimum stack size
I don't know. You have to find out yourself.

Andreas

Leonid Sigal wrote:
> What minimum Linux stack size (ulimit -a) is acceptable for strongSwan? The Linux default is 10M, I would like to use much less ...
>
> Regards,
> Leonid.
Re: [strongSwan] dpd + nat keepalive
In order to activate DPD you must set

  dpdaction=clear|hold|restart

because the default is dpdaction=none.

Andreas

Peter Müller wrote:
> Hello,
>
> I have set dpddelay=10, but I can only see keep alives being sent in the daemon.log. I think the keep alives are nat keepalives. Why is there no informational sent every 10 seconds? I have no other traffic sent through the tunnel.
>
> Regards
> Peter
Re: [strongSwan] Timestamps in logfile
Hi Nicole,

the timestamps are added by the syslog daemon. Therefore it is not possible for the pluto daemon to add them to a log file. With --debug-none, i.e. if no debug options are added with a plutodebug statement, then pluto generates very little logging information (only whack output).

Best regards

Andreas

Nicole Hähnel wrote:
> Hi,
>
> I added
>
>   plutostderrlog=/var/log/ipsec.log
>
> in ipsec.conf to prevent strongswan from filling /var/log/messages with thousands of lines. But there is one handicap, no timestamps are written to the specified log. Is it possible to add timestamps?
>
> Thanks!
> Nicole
Re: [strongSwan] (no subject)
Hi Keith,

the problem is on the other side because the peer is not responding. Do you have any logs from the peer side?

Andreas

Keith Smith wrote:
> Hey folks,
>
> I'm a complete newbie who has inherited this IPsec solution from my predecessor. I have two working tunnels and one which fails. It failed after my colleague restarted IPsec on the firewall/vpn box on Gentoo.
>
> The error I get from ipsec status is
>
> 000 bir-ams: xx.xx.xx.xx/24===xx.xx.xx.xx.---xx.xx.xx.xx...xx.xx.xx.xx---xx.xx.xx.xx===xx.xx.xx.xx/16; erouted HOLD; eroute owner: #0
> 000 bir-ams: ike_life: 28800s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 33%; keyingtries: 0
> 000 bir-ams: policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,16; interface: eth1;
> 000 bir-ams: newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 bir-ams: IKE algorithms wanted: 5_000-2-5, 5_000-2-2, 5_000-1-5, 5_000-1-2,
> 000 bir-ams: IKE algorithms found: 5_192-2_160-5, 5_192-2_160-2, 5_192-1_128-5, 5_192-1_128-2,
> 000 bir-ams: ESP algorithms wanted: 3_000-1, 3_000-2,
> 000 bir-ams: ESP algorithms loaded: 3_192-1_128, 3_192-2_160,
>
> the line "IKE newest" is missing if I compare with a working tunnel.
>
> My firewall log shows me that
>
>   max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
>
> So I know it's failing at an early stage of negotiation. Please help. Are there any debugging options I can use that will give me more data so I can tell exactly where the failure occurs?
>
> Thanks in advance
Re: [strongSwan] dhcp / ip pool
You must define a connection entry for each user since the IKEv1 pluto daemon does not support address pools:

  conn %default
       right=%any
       auto=add

  conn alice
       rightid=al...@strongswan.org
       rightsourceip=10.3.0.1

  conn bob
       rightid=...@strongswan.org
       rightsourceip=10.3.0.2

  ...

Regards

Andreas

tobias.gru...@uni-ulm.de wrote:
> Hello,
>
> thx for your answer. strongSwan's IKEv1 (Pluto) can give the clients a virtual IP with the mode config, but this is a proprietary protocol.
>
> You explained this:
>
>> but the virtual IP addresses must be defined individually using rightsourceip= in the ipsec.conf file of the VPN gateway. There is no pool functionality available.
>
> How can I define an individual IP in the ipsec.conf in the vpn-gateway? I see only the option to give one IP with rightsourceip=
>
> Regards
> Tobias
>
> Quoting Andreas Steffen andreas.stef...@strongswan.org:
>
>> Hi Tobias,
>>
>> RFC3456 is about DHCP-over-IPsec which doesn't use IKE at all but ESP to exchange virtual IP information. To this purpose a short-lived IPsec SA with traffic selectors outer client IP -- 0.0.0.0/0 restricted to the bootps -- bootpc UDP ports is established first. This scheme didn't find much acceptance. As far as I know only SSH Sentinel and Sonicwall implemented it. A long time ago we contributed a DHCP relay function that could be used with an X.509-enhanced FreeS/WAN gateway to pass on the decapsulated ESP packets to a DHCP server:
>>
>> http://www.strongsec.com/freeswan/dhcprelay/index.htm
>>
>> When IKEv2 was being designed there was an intensive discussion on DHCP-over-IPsec but Cisco et al. opted for the configuration payload instead.
>>
>> Best regards
>>
>> Andreas
>>
>> Tobias Gruber wrote:
>>> Andreas Steffen schrieb:
>>>> Hi Tobias,
>>>>
>>>> with the IKEv1 pluto daemon it is possible to request IP addresses via the proprietary IKEv1 Mode Config protocol extension
>>>>
>>>> http://tools.ietf.org/html/draft-dukes-ike-mode-cfg-02
>>>>
>>>> but the virtual IP addresses must be defined individually using rightsourceip= in the ipsec.conf file of the VPN gateway. There is no pool functionality available.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> Tobias Gruber wrote:
>>>>> Hello,
>>>>>
>>>>> does IKEv1 have a solution to give the client an IP address from an IP pool or via DHCP? Or is this only possible in IKEv2? In the IKEv2 RFC it says:
>>>>>
>>>>>   1) To define the entire IKE protocol in a single document, replacing RFCs 2407, 2408, and 2409 and incorporating subsequent changes to support NAT Traversal, Extensible Authentication, and Remote Address acquisition;
>>>>>
>>>>> It sounds like IKEv1 has a solution for Remote Address acquisition. In which RFC is this specified?
>>>>>
>>>>> Regards
>>>>> Tobias
>>>
>>> Hello,
>>>
>>> I found this RFC http://www.ietf.org/rfc/rfc3456.txt
>>>
>>> There it sounds like IKEv1 can use this non-proprietary protocol to give the client a virtual IP? Or am I wrong?
>>>
>>> Regards
>>> Tobias
Re: [strongSwan] ike rekeying ikev2
Yes, the charon IKEv2 daemon starts the IPsec SA rekeying at least rekeymargin seconds before the expiration of the CHILD_SA. The rekeyfuzz parameter is used to randomize the rekeying times.

Regards

Andreas

tobias.gru...@uni-ulm.de wrote:
> Hello,
>
> is the IKE rekeying also without a break with rekeyfuzz? So does the tunnel, like CHILD_SA rekeying, work without a break?
>
> Regards
> Tobias
Re: [strongSwan] IKEv2 base exchange with strongswan
Hi Antonio,

you'll find general information on strongSwan installation and configuration in our wiki:

http://wiki.strongswan.org/

and a MobIKE scenario under

http://www.strongswan.org/uml/testresults42/ikev2/mobike-virtual-ip/

Best regards

Andreas

antonio quisillo wrote:
> Hi folks,
>
> My name is Antonio and I'm new to IKEv2 and strongSwan. I'm doing my master thesis in telecommunication engineering at Politecnico di Torino and I have to find a solution to the host mobility problem. I mean, I have to find a layer 3 solution that maintains application continuity between a host and a server during the movement of the host through different networks. For example, I start a video streaming with a youtube server when I'm in my office on fixed Ethernet and later I disconnect the laptop from the Ethernet and move to another network (for example a WLAN network), therefore the laptop changes its IP address (it moves from one address to another address). In this scenario I don't want to restart the connection from the youtube server and I want to receive the video stream again. I think that MobIKE is a good solution to my problem.
>
> I have a question: I have downloaded and installed the strongSwan 4.2 branch (IKEv1 IKEv2 for Linux 2.6 kernels) but I don't know how to use the daemon. Which commands should I use? Is there any manual that I can follow?
>
> Best regards.
> Antonio
Re: [strongSwan] Must the source IP in SA (used for outgoing packets) be the sender's IP?
strongSwan is an automatic keying daemon and does not care about manually configured SPs and SAs as long as they do not conflict with its own policies and associations. It seems to me that the strongSwan mailing list is not the right forum for your questions.

Best regards

Andreas

Jianqing Zhang wrote:
> When I configure SP and SA manually for an outgoing packet, must the source IP in the SA be the sender's (local host's) IP? Will strongSwan or the native IPsec module check the consistency?
>
> Thanks
Re: [strongSwan] Nokia E-Series vpn client (JFYI)
Hi Dimitrij,

in the presence of a NAT situation the client switches to UDP port 4500 starting with the IKE_AUTH request. Since this request is never received by the strongSwan gateway, could it be that some firewall is blocking UDP port 4500?

Best regards

Andreas

Dimitrij Hilt wrote:
> Hi Andreas,
>
> ipsec.conf:
>
> gw-ipsec-mobile-eue:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         charonstart=yes
>         plutostart=no
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>
> conn MOBILE
>         left=MY_EXTERNAL_IP
>         leftcert=gw-ipsec-mobile.pem
>         right=%any
>         rightsourceip=10.1.2.2
>         rightsubnet=10.1.2.2/32
>         keyexchange=ikev2
>         auto=add
>
> #include /etc/ipsec.d/examples/no_oe.conf
>
> Logfile:
>
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[DMN] starting charon (strongSwan Version 4.2.4)
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] listening on interfaces:
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]   eth0
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]     10.1.0.14
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]     10.1.2.1
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]     MY_EXTERNAL_IP
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]     fe80::216:3eff:fe01:e
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/ca.pem'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/gw-ipsec-mobile.key'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[JOB] spawning 16 worker threads
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] received stroke: add connection 'MOBILE'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[LIB]   loaded certificate file '/etc/ipsec.d/certs/gw-ipsec-mobile.pem'
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG]   peerid 87.106.225.59 not confirmed by certificate, defaulting to subject DN
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] added configuration 'MOBILE': MY_EXTERNAL_IP[C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=gw-ipsec-mobile.fhe3.net, e=notdie...@fhe3.com]...0.0.0.0[%any]
> Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] adding virtual IP address pool 'MOBILE': 10.1.2.2/32
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet: from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is initiating an IKE_SA
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is behind NAT
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] sending cert request for C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH, OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] sending packet: from MY_EXTERNAL_IP[500] to 93.192.185.142[61076]
> Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open IKE_SA after timeout
>
> Nokia Policy was created by a new Tool as IKEv2. I've tried to create the policy with and without advanced settings, but nothing works for me. How did you create a policy in your tests?
>
> Regards,
> Dimitrij
>
> Andreas Steffen schrieb:
>> Hi Dimitrij,
>>
>> in order to help you we'd need your strongSwan ipsec.conf and a detailed log file.
>>
>> Regards
>>
>> Andreas
>>
>> Dimitrij Hilt wrote:
>>> Hi,
>>>
>>> do you have more information about strongswan and Nokia configuration? I've tried nokia E71 with openswan cert and PSK, then nokia E71 with strongswan, but nothing will work together.
>>>
>>> Dimitrij
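How the gateway arrived at "remote host is behind NAT" from the N(NATD_S_IP) and N(NATD_D_IP) notifies in the logged IKE_SA_INIT request, and why the exchange then moves to UDP 4500, as an added example (Python, not strongSwan code). It implements the NAT detection of RFC 7296 section 2.23 (the same as in the original RFC 4306): each side hashes the SPIs, address and port it sees with SHA-1; the receiver recomputes the hashes over the addresses actually on the wire. The client's private address, the initiator SPI and the gateway address are constructed placeholders; the NATed source 93.192.185.142[61076] is taken from the log above.

```python
"""IKEv2 NAT detection (RFC 7296, section 2.23) for the IKE_SA_INIT exchange
logged above. Added example, not strongSwan code.

Each side sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP
notifies carrying SHA-1(SPIi | SPIr | IP | port) over the addresses it
sees itself. The receiver recomputes the hashes over the addresses it
observes on the wire: a mismatch on the source hash means the peer is
behind a NAT, a mismatch on the destination hash means we are. Once any
NAT is detected both peers continue on UDP 4500 from IKE_AUTH onwards,
which is why that port has to be reachable.
"""
import hashlib
import socket
import struct


def natd_hash(spi_i, spi_r, ip, port):
    """NAT detection payload data: SHA-1 over SPIi, SPIr, address and port.

    In the IKE_SA_INIT request SPIr is not yet known and is sent as zero.
    The address is 4 or 16 bytes in network order, the port 2 bytes.
    """
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    data = struct.pack("!QQ", spi_i, spi_r) + socket.inet_pton(family, ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def initiator_natd_notifies(spi_i, my_ip, my_port, peer_ip, peer_port):
    """Contents of N(NATD_S_IP) and N(NATD_D_IP) in the initiator's IKE_SA_INIT request."""
    return {
        "NATD_S_IP": natd_hash(spi_i, 0, my_ip, my_port),
        "NATD_D_IP": natd_hash(spi_i, 0, peer_ip, peer_port),
    }


def responder_detect_nat(spi_i, notifies, observed_src_ip, observed_src_port, my_ip, my_port):
    """Responder side: compare received hashes with hashes over what it observed.

    Returns (peer_behind_nat, we_are_behind_nat).
    """
    expected_src = natd_hash(spi_i, 0, observed_src_ip, observed_src_port)
    expected_dst = natd_hash(spi_i, 0, my_ip, my_port)
    peer_nat = notifies["NATD_S_IP"] != expected_src
    we_nat = notifies["NATD_D_IP"] != expected_dst
    return peer_nat, we_nat


def ike_port_after_init(peer_nat, we_nat):
    """Port used from IKE_AUTH on: 4500 as soon as any NAT is detected, else 500."""
    return 4500 if (peer_nat or we_nat) else 500


# Constructed scenario. The client sits on a private address (192.168.1.10 is
# an assumption) and its packet reaches the gateway from 93.192.185.142[61076]
# after the NAT rewrote it (values from the log). MY_EXTERNAL_IP is masked in
# the mail; 198.51.100.1 is a documentation-range placeholder.
SPI_I = 0x1122334455667788           # constructed initiator SPI
GATEWAY_IP, GATEWAY_PORT = "198.51.100.1", 500
CLIENT_PRIVATE_IP, CLIENT_PRIVATE_PORT = "192.168.1.10", 500
CLIENT_NATED_IP, CLIENT_NATED_PORT = "93.192.185.142", 61076


def run_scenario():
    """Initiator builds the notifies; responder checks them against the wire addresses."""
    notifies = initiator_natd_notifies(SPI_I, CLIENT_PRIVATE_IP, CLIENT_PRIVATE_PORT,
                                       GATEWAY_IP, GATEWAY_PORT)
    peer_nat, we_nat = responder_detect_nat(SPI_I, notifies, CLIENT_NATED_IP, CLIENT_NATED_PORT,
                                            GATEWAY_IP, GATEWAY_PORT)
    return peer_nat, we_nat, ike_port_after_init(peer_nat, we_nat)


if __name__ == "__main__":
    peer_nat, we_nat, port = run_scenario()
    print("remote host is behind NAT" if peer_nat else "no NAT on remote side")
    print("continuing on UDP port", port)
```

When checking a firewall for this problem, it is the IKE_AUTH request on UDP 4500 that must arrive at the gateway; the IKE_SA_INIT exchange on port 500 succeeding, as in the log, proves nothing about 4500.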
[strongSwan] ANNOUNCE: strongswan-4.2.12 and NetworkManager-strongswan-1.0.0 released
We are happy to announce the release of strongSwan 4.2.12 which improves the IKEv2 interoperability with the Windows 7 Agile VPN Client and the first separate release 1.0.0 of the strongSwan VPN applet for the GNOME NetworkManager.

- Definition of up to two DNS and/or up to two WINS IPv4 or IPv6 nameservers in strongswan.conf. The syntax is

    charon {
      dns1 = 192.168.0.100
      dns2 = 192.168.0.101
      nbns1 = 192.168.0.150
      nbns2 = 192.168.0.151
    }

  This information is sent to the peer via the IKEv2 Configuration Payload. On Linux peers the DNS information is added to /etc/resolv.conf and on Windows 7 peers both DNS and WINS information is assigned together with a virtual IP address to the virtual network adapter.

- Support of the IKEv2 EAP-MSCHAPv2 protocol. This allows EAP interoperability with a Windows 7 client as a strongSwan VPN gateway or with a Windows 2008 Server R2 as a strongSwan VPN client. A strongSwan - strongSwan scenario is shown here:

    http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-mschapv2-rsa/

  The EAP user credentials are stored in ipsec.secrets. The EAP-MSCHAPv2 plugin is activated with the following options

    ./configure --enable-md4 --enable-eap-identity --enable-eap-mschapv2

  A word of warning: The Windows 7 Beta Agile VPN client currently ignores the RSA signature sent by the VPN gateway. Therefore the server is authenticated solely based on the mutual property of the MS-CHAP v2 protocol which might be too weak. Thus for the time being we recommend the use of strong mutual authentication based on X.509 machine certificates as described in our Windows 7 HOWTO:

    http://wiki.strongswan.org/wiki/Windows7

- The strongSwan VPN applet for the GNOME NetworkManager is not part of the strongSwan 4.2.12 tarball any more but is distributed as a separate NetworkManager-strongswan-1.0.0 package available here:

    http://download.strongswan.org/NetworkManager/

  The installation and configuration either as a Ubuntu/Debian package or from the tarball is described in the NetworkManager HOWTO:

    http://wiki.strongswan.org/wiki/NetworkManager

We hope that NetworkManager-strongswan will quickly become an official package in all major Linux distributions.

Best regards

the strongSwan team:

Tobias Brunner, Martin Willi, Andreas Steffen
Re: [strongSwan] Common value for DPD timeout
Hi Youngsang, since IKEv2 uses INFORMATIONAL requests for DPD the regular retransmission scheme for IKEv2 messages with 5 trials applies: See the following sample scenario with dpddelay = 10 seconds: http://www.strongswan.org/uml/testresults42/ikev2/dpd-clear/ Jan 21 01:55:15 moon charon: 11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # DPD message sent after dpddelay = 10s: Jan 21 01:55:25 moon charon: 12[IKE] sending DPD request Jan 21 01:55:25 moon charon: 12[ENC] generating INFORMATIONAL request 0 [ ] Jan 21 01:55:25 moon charon: 12[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # First retransmission after 4 seconds: Jan 21 01:55:29 moon charon: 13[IKE] retransmit 1 of request with message ID 0 Jan 21 01:55:29 moon charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Second retransmission after another 7 seconds: Jan 21 01:55:36 moon charon: 15[IKE] retransmit 2 of request with message ID 0 Jan 21 01:55:36 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Third retransmission after another 13 seconds: Jan 21 01:55:49 moon charon: 03[IKE] retransmit 3 of request with message ID 0 Jan 21 01:55:49 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Fourth retransmission after another 24 seconds: Jan 21 01:56:13 moon charon: 11[IKE] retransmit 4 of request with message ID 0 Jan 21 01:56:13 moon charon: 11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Fifth retransmission after another 42 seconds: Jan 21 01:56:55 moon charon: 16[IKE] retransmit 5 of request with message ID 0 Jan 21 01:56:55 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # No answer - peer is declared dead after 2 minutes and 45 seconds: Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits This behaviour is hard-coded and cannot be changed. 
Best regards

Andreas

Youngsang Shin wrote:
> Hi all,
>
> Which value is usually set for DPD timeout in a real IKEv2 setup? If DPD is not used, any other keepalive timeout value? It seems that strongSwan's default value for DPDtimeout is 120 seconds. Is this value commonly used in a real environment?
>
> Thanks,
> Youngsang
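The timings in the dpd-clear log above fit an exponential back-off. The script below is an added example written for this archive page, not code from the thread or from the strongSwan project: it parses the quoted charon [IKE] lines (embedded as a constructed sample), measures the gaps between the DPD request, its five retransmits and the give-up, and compares them with a model of the form timeout * base^n. The values timeout = 4.0 s and base = 1.8 are an assumption on my part; the reply only gives timestamps and states that the scheme is hard-coded.

```python
import re
from datetime import datetime

# Constructed sample: the charon [IKE] lines quoted in the reply above.
# syslog timestamps carry no year, so only differences between them are used.
SAMPLE_LOG = """\
Jan 21 01:55:25 moon charon: 12[IKE] sending DPD request
Jan 21 01:55:29 moon charon: 13[IKE] retransmit 1 of request with message ID 0
Jan 21 01:55:36 moon charon: 15[IKE] retransmit 2 of request with message ID 0
Jan 21 01:55:49 moon charon: 03[IKE] retransmit 3 of request with message ID 0
Jan 21 01:56:13 moon charon: 11[IKE] retransmit 4 of request with message ID 0
Jan 21 01:56:55 moon charon: 16[IKE] retransmit 5 of request with message ID 0
Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits
"""

# syslog prefix "Mon DD HH:MM:SS host charon: NN[IKE] message"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (.*)$")


def parse_events(log_text):
    """Return [(seconds since the first [IKE] event, message), ...]."""
    events, t0 = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if t0 is None:
            t0 = ts
        events.append(((ts - t0).total_seconds(), m.group(2)))
    return events


def observed_intervals(events):
    """Gaps in whole seconds between consecutive send/retransmit/give-up events."""
    return [round(b[0] - a[0]) for a, b in zip(events, events[1:])]


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Assumed model: retransmit n (1..tries) is sent timeout * base**(n-1)
    seconds after the previous attempt, and the peer is declared dead
    timeout * base**tries seconds after the last retransmit.  Returns the
    tries+1 gaps in seconds."""
    return [timeout * base ** n for n in range(tries + 1)]


def dead_peer_delay(dpddelay, timeout=4.0, base=1.8, tries=5):
    """Seconds from the last inbound traffic until the peer is declared dead:
    the idle period that triggers the DPD request plus the whole back-off."""
    return dpddelay + sum(retransmit_schedule(timeout, base, tries))


def schedule_matches_log(log_text, tolerance=1.0, **model):
    """True when every observed gap lies within `tolerance` seconds of the
    modelled gap (the log has one-second resolution, so off-by-one is noise)."""
    observed = observed_intervals(parse_events(log_text))
    expected = retransmit_schedule(**model)
    return len(observed) == len(expected) and all(
        abs(o - e) <= tolerance for o, e in zip(observed, expected))


if __name__ == "__main__":
    print("observed gaps:", observed_intervals(parse_events(SAMPLE_LOG)))
    print("modelled gaps:", [round(g, 1) for g in retransmit_schedule()])
    print("model fits log:", schedule_matches_log(SAMPLE_LOG))
    print("dead after %.0f s with dpddelay=10" % dead_peer_delay(10))
```

The practical reading for Youngsang's question: with IKEv2 the effective dead-peer time is dpddelay plus roughly 165 seconds of retransmission, so an IKEv2 peer behind a failed link is cleared about three minutes after its last packet; the ipsec.conf dpdtimeout value applies to IKEv1 only. Later strongSwan releases expose the three model parameters in strongswan.conf as charon.retransmit_timeout, charon.retransmit_base and charon.retransmit_tries, which is worth knowing when reading this thread today.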
Re: [strongSwan] Tunnel dosn't build by itself
If you want to trigger the tunnel setup by payload packets then you must define

    auto=route

Regards

Andreas

Svend Høst wrote:
> Hi
>
> I've made a router out of an epia sn board, and it really performs well (80 mbit iperf over vpn). But it seems to me that the tunnel doesn't start automatically? But if I @work do an ipsec up net-net-svende then the tunnel builds fine, but I can't ping from my lan pc and trigger the tunnel. Can it be something with my iptables?
>
> with kind regards
> Svend
>
> @home :
>
>     # /etc/ipsec.conf - strongSwan IPsec configuration file
>     config setup
>         plutostart=no
>
>     conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
>     conn net-net-pallas
>         left=%defaultroute
>         leftsubnet=left_lan_subnet 172.17.14.0/24
>         leftid=left_wan_ip
>         leftfirewall=yes
>         leftsourceip=left_lan_gateway
>         right=right_wan_ip
>         rightsubnet=right_lan_subnet/24
>         rightid=right_wan_ip
>         auto=add
>         type=tunnel
>
>     include /var/lib/strongswan/ipsec.conf.inc
>
> @work :
>
>     # /etc/ipsec.conf - strongSwan IPsec configuration file
>     config setup
>         plutostart=no
>         interfaces=ipsec0=eth0
>
>     conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
>     conn net-net-svende
>         left=%defaultroute
>         leftsubnet=left_lan_subnet/24 193.163.101.0/24
>         leftid=left_wan_ip
>         leftfirewall=yes
>         leftsourceip=left_lan_gateway
>         right=right_wan_ip
>         rightsubnet=172.17.14.0/24 right_lan_subnet
>         rightid=right_wan_ip
>         auto=add
>         type=tunnel
Re: [strongSwan] ipsec up host-host
Hi,

it seems as if you messed up your public key infrastructure: your end entity certificate is

    'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'

but no matching private key is found, either because the private key file defined in /etc/ipsec.secrets:

    RSA myKey.pem "optional passphrase"

is not found in /etc/ipsec.d/private/ or because the passphrase is wrong if the key file is encrypted. Execute

    ipsec rereadsecrets

and check for error messages in the log! Everything is ok if

    ipsec listcerts

shows "..., has private key" in the listing of the end entity certificate.

There is also something wrong with your CA certificates. The peer requests an end entity certificate from you issued by the unknown CA with the public key hash

    01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70

whereas you have a CA certificate

    'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com'

In principle it is possible to work with mixed CAs but this is probably not what you had in mind. Usually both myCert.pem and peerCert.pem are issued by the same CA. This common CA certificate must be stored in /etc/ipsec.d/cacerts/. I doubt that 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com' is signed by the CA 'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com'.

Best regards

Andreas

abhishek kumar wrote:
> hello .. i am new in using strongswan. plz help me setting host-host case.. I am getting problem in executing command ipsec up host-host
>
> RESULT IS:
>
>     [r...@sun etc]# ipsec start
>     Starting strongSwan 4.2.11 IPsec [starter]...
>     [r...@moon etc]# ipsec restart
>     Starting strongSwan 4.2.11 IPsec [starter]...
>     [r...@moon etc]# sleep 1
>     [r...@ishan etc]# ipsec up host-host
>     initiating IKE_SA host-host[4] to 192.168.3.4
>     generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>     sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
>     received packet: from 192.168.3.4[500] to 192.168.3.3[500]
>     parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>     received cert request for unknown ca with keyid 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
>     sending cert request for C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan, e=is...@gmail.com
>     no private key found for 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'
>     generating authentication data failed
>
> plz let me know where the mistake might be.. thanx in advance..
>
> with regard
> Abhishek Kumar
Re: [strongSwan] Error exporting PKCS12 file...
Hi Richard,

"unable to load private key" means that rw.key is not found. Is the key file really located in the current directory or rather in the demoCA/private/ directory?

Andreas

Richard Whittaker wrote:
> Greetings:
>
> I realize this might not be the perfect list for my problem, but figure there are enough experts here to have an idea why I'm having this problem...
>
> I'm going through the instructions for setting up Strongswan with Windows at Nate Carlson's page, and I'm trying to export machine certificates in PKCS12 format, and I have hit the following roadblock:
>
>     ad...@host:/var/sslca# openssl pkcs12 -export -in rw.pem -inkey rw.key -certfile demoCA/cacert.pem -out rw.p12
>     unable to load private key
>
> demoCA/cacert.pem most certainly exists, and trying to google my way out of this hole hasn't been successful. I'm looking for any thoughts or suggestions on how to further troubleshoot and get around this issue...
>
> Thanks,
> Richard.
Re: [strongSwan] help debugging pluto segfault
Hi Gerd,

thanks for the patch. I fixed the problem a little more transparently by moving the conditional delete_connection() function call out of delete_states_by_connection():

  http://wiki.strongswan.org/changeset/4924

I'm also going to use the uml scenario provided by you for future regression testing:

  http://wiki.strongswan.org/changeset/4926

These changesets have been integrated into the latest release candidate

  http://download.strongswan.org/strongswan-4.2.13rc4.tar.bz2

Best regards

Andreas

Gerd v. Egidy wrote:
> Hi,
>
> thanks for looking into this.
>
>> A simple workaround in order to avoid segfaults would be to not call unroute_connection(c) if c->kind == CK_INSTANCE and to cache c->name.
>
> How about the attached patch?
>
>> Unfortunately DPD_ACTION_RESTART would not succeed by using the connection template designated by c->name if right=%any or if the IP address of the peer has changed in the meantime in the case of rightallowany=yes.
>
> Hmm. I don't know if restarting a connection in this case would make sense: If you use right=%any or rightallowany=yes, the remote end is usually using a dialup with dynamic ip. On a dead peer condition the remote side has changed ips most of the time so reconnecting to the old one does not make sense. If you want such a connection to be up all the time it would make much more sense to use DPD on the client and not on the server. If both sides are on dynamic ips you have to wait for dyndns to update anyway.
>
>> Thus the proper way would be to avoid deleting the connection instance in the DPD timeout case so that the latest IP address would still be available.
>
> So I think the added complexity of this approach is not necessary. Or can you think of a scenario where such a configuration would make sense?
>
> Kind regards,
>
> Gerd
Re: [strongSwan] checkpoint with username and password
Hi Michael,

strongSwan offers the following support for username/password:

- IKEv1 Main Mode with mutual RSA authentication + XAUTH client authentication with username/password

    http://www.strongswan.org/uml/testresults42/ikev1/xauth-rsa/

- IKEv2 server side RSA authentication + client side EAP authentication:

    EAP-GTC       http://tools.ietf.org/html/draft-sheffer-ikev2-gtc-00
    EAP-MD5       http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-md5-rsa/
    EAP-MSCHAPv2  http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-mschapv2-rsa/

I don't know if Checkpoint has already rolled out IKEv2, though.

Best regards

Andreas

Michael Mengershausen wrote:
> Hello Strongswan-team,
>
> is there a setup with strongswan for username and password (one time password, otp) authentication with a checkpoint vpn-server?
>
> Best regards
> Michael
Re: [strongSwan] key length
RFC 3947: peer is NATed
    Mar 17 05:40:11 sb pluto[11077]: rw[3] xxx.xxx.xxx.xxx #25: max number of retransmissions (2) reached STATE_MAIN_R2
    Mar 17 05:40:11 sb pluto[11077]: rw[3] xxx.xxx.xxx.xxx: deleting connection rw-internet-mx instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}

The other side's pluto seems unable to identify the incoming connection and it runs into the general one rw instead of the dedicated connection probcon which is provided with the parameter rightid with the correct id, let's say,

    rightid=C=us, ST=sp, L=sp, O=corp, OU=us, CN=sa, e...@google.com

so there's no connection.

Interestingly, the connection worked with the 2048 bit key when the sa's host cert was shared and was enabled with the parameter rightcert on the other side sb. When I recreated the key (the host cert) with 1024 bit, i.e. without the option -newkey rsa:2048, ipsec simply started to work:

    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [strongSwan 2.8.8]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [XAUTH]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [Dead Peer Detection]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Mar 18 01:29:39 sb pluto[23671]: rw[1] xxx.xxx.xxx.xxx #22: responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
    Mar 18 01:29:39 sb pluto[23671]: rw[1] xxx.xxx.xxx.xxx #22: NAT-Traversal: Result using RFC 3947: peer is NATed
    Mar 18 01:29:39 sb pluto[23671]: rw[1] xxx.xxx.xxx.xxx #22: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=sp, L=sp, O=corp, OU=us, CN=sa, e...@google.com'
    Mar 18 01:29:39 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx #22: deleting connection rw instance with peer xxx.xxx.xxx.xxx {isakmp=#0/ipsec=#0}
    Mar 18 01:29:39 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx #22: we have a cert and are sending it
    Mar 18 01:29:39 sb pluto[23671]: | NAT-T: new mapping xxx.xxx.xxx.xxx:500/4500)
    Mar 18 01:29:39 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx:4500 #22: sent MR3, ISAKMP SA established
    Mar 18 01:29:40 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx:4500 #23: responding to Quick Mode
    Mar 18 01:29:41 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx:4500 #23: IPsec SA established {ESP=0x3cf5470f 0xe61e98cd IPCOMP=0x37d4 0xc76d NATOA=0.0.0.0}

I think it is not made clear in the doc that a key/a host cert is *required* to be 1024 bit, though it is mentioned in the doc:

---
http://strongswan.org/docs/readme2.htm#section_3.2

3.2 Generating a host or user certificate

The OpenSSL statement

    openssl req -newkey rsa:1024 -keyout hostKey.pem -out hostReq.pem

generates a 1024 bit RSA private key hostKey.pem and a certificate request hostReq.pem which has to be signed by the CA.
---

Btw: The parameter

    plutoopts=--ikeport 4500

doesn't work:

    Mar 18 07:54:08 sa ipsec_starter[22899]: /etc/ipsec.conf:15: unknown keyword 'plutoopts' [--ikeport 4500]
    Mar 18 07:54:08 sa ipsec_starter[22899]: unable to start strongSwan -- fatal errors in config

The parameter leftsourceip still lacks its description in man ipsec.conf.

Best regards,
Michael.
Re: [strongSwan] key length
Hi Michael,

overridemtu only helps with IPsec ESP payload packets and the KLIPS IPsec stack from the FreeS/WAN project. It does not help with IKE because the messages MI3 and MR3 cannot be logically split into two UDP datagrams (some VPN vendors have a proprietary FRAGMENTATION option, though, which strongSwan does not support).

I'm not sure if strongSwan 2.8.8 already supports the leftsendcert= option which would allow a third workaround: On both sides install the peer certificate locally and disable the sending of certificate requests and certificates:

    config setup
        nocrsend=yes

    conn myconn
        leftcert=myCert.pem
        leftsendcert=never
        rightcert=peerCert.pem

Regards

Andreas

Michael Roy wrote:
>> The IKE protocol is transported in UDP datagrams. If you are transmitting certificates with 2048 bit RSA keys the IKE message becomes larger than the MTU of 1500 bytes and the datagram gets fragmented. Most firewalls and many routers discard IP fragments by default so the IKE message never reaches its destination.
>
> but with the 2048 bit key it is 1480/1500 And, ummm... :) Well, yes, they are lost, of course. Though they are sent they do not reach their destination. Interestingly, there's still no trace of fragmentation nor any information from the net, they are simply lost. This is my case.
>
> Btw, what do you think about the parameter overridemtu? Shall it help?
>
> Best regards,
> Michael.
Re: [strongSwan] [PATCH] timeout for graceful shutdown of pluto too short
Hi Gerd,

I applied invokecharon's start and stop timing scheme to invokepluto:

  http://wiki.strongswan.org/changeset/5050

The starter waits for 8 seconds for the pluto daemon to clean up and then becomes more aggressive during the next 2 seconds.

Best regards

Andreas

Gerd v. Egidy wrote:
> Hi,
>
> one of our customers reported problems when changing a global config option of pluto. After updating pluto, some connections could not be established again. In the log you can see what happens:
>
>     Mar 26 11:32:16 intravpn1 ipsec_starter[7694]: Pluto has changed
>     Mar 26 11:32:16 intravpn1 pluto[7695]: |
>     Mar 26 11:32:16 intravpn1 pluto[7695]: | *received whack message
>     Mar 26 11:32:17 intravpn1 pluto[7695]: shutting down
>     Mar 26 11:32:17 intravpn1 pluto[7695]: forgetting secrets
>     Mar 26 11:32:17 intravpn1 pluto[7695]: C6: deleting connection
>     [...]
>     Mar 26 11:32:17 intravpn1 pluto[7695]: C4: deleting connection
>     Mar 26 11:32:17 intravpn1 pluto[7831]: Starting Pluto (strongSwan Version 2.8.8 VENDORID KEYRR)
>
> Not all connections are shut down cleanly and nevertheless a new pluto process is started. Shortly after we run into problems:
>
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | route owner of C2 unrouted: NULL; eroute owner: NULL
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | add inbound eroute 192.168.2.0/24:0 - 192.168.10.0/24:0 = tun.10...@172.16.6.1:0
>     Mar 26 11:32:22 intravpn1 pluto[7831]: C2 #2: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10...@172.16.6.1 included errno 17: File exists
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | sr for #2: unrouted
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | route owner of C2 unrouted: NULL; eroute owner: NULL
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | eroute_connection add eroute 192.168.10.0/24:0 - 192.168.2.0/24:0 = tu...@172.16.6.2:0
>     Mar 26 11:32:22 intravpn1 pluto[7831]: C2 #2: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tu...@172.16.6.2 included errno 17: File exists
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | route_and_eroute: firewall_notified: false
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | delete inbound eroute 192.168.2.0/24:0 - 192.168.10.0/24:0 = unk255.10...@172.16.6.1:0
>     Mar 26 11:32:22 intravpn1 pluto[7831]: | state transition function for STATE_QUICK_I1 had internal error
>
> I debugged this and found out that starter gives a pluto process only 400,000 microseconds / 0.4 sec for a graceful shutdown. Afterwards the old pluto process gets killed with SIGTERM and later SIGKILL (see starter/invokepluto.c: starter_stop_pluto()). This time does not seem to be enough for shutting down 20 connections on a regular AMD dualcore.
>
> Attached you'll find a patch which extends this period to 10 seconds and adds a log message when pluto is killed and not shut down gracefully. This will help debugging should someone else face this problem again.
>
> It would be nice if this or a similar patch could be included in the next (non-security) strongswan release.
>
> Thank you very much.
>
> Kind regards,
>
> Gerd
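The failure mode in this thread is a supervisor that kills a daemon before it has finished tearing down kernel state, so the replacement process collides with policies the old one never removed. The script below is an added example for this archive page, not the starter's own code and not Gerd's patch: it sketches the escalating stop sequence the reply describes (a grace period for the daemon's own clean-up, then SIGTERM with a second deadline, then SIGKILL) and logs whenever it has to force the kill, which is the diagnostic Gerd asked for. The phase lengths default to the 8 s and 2 s the reply quotes; the spawn_daemon helper is a constructed stand-in for pluto so the sequence can be exercised offline.

```python
import os
import signal
import time


def spawn_daemon(ignore_sigterm, lifetime_s):
    """Constructed stand-in for a daemon (not pluto): a forked child that keeps
    running for lifetime_s seconds, which plays the role of its shutdown clean-up.
    With ignore_sigterm=True it behaves like a daemon stuck in shutdown that
    only SIGKILL can remove.  Returns the child's pid."""
    pid = os.fork()
    if pid == 0:  # child
        if ignore_sigterm:
            signal.signal(signal.SIGTERM, signal.SIG_IGN)
        deadline = time.monotonic() + lifetime_s
        while time.monotonic() < deadline:
            time.sleep(0.01)
        os._exit(0)
    return pid


def _wait_exit(pid, timeout_s, poll_s=0.02):
    """Poll with a non-blocking waitpid until the child has been reaped or
    timeout_s has elapsed.  Returns True when the process is gone."""
    deadline = time.monotonic() + timeout_s
    while True:
        wpid, _status = os.waitpid(pid, os.WNOHANG)
        if wpid == pid:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_s)


def stop_daemon(pid, grace_s=8.0, hard_s=2.0, log=print):
    """Escalating stop: the daemon gets grace_s seconds to finish its own
    shutdown (it has already been asked to stop, e.g. via its control socket),
    then SIGTERM with hard_s more seconds, then SIGKILL.  Returns the stage
    that ended the process: 'graceful', 'sigterm' or 'sigkill'.  Forced kills
    are logged so that the situation Gerd describes is visible afterwards."""
    if _wait_exit(pid, grace_s):
        return "graceful"
    log(f"pid {pid} still running after {grace_s:.1f}s, sending SIGTERM")
    os.kill(pid, signal.SIGTERM)
    if _wait_exit(pid, hard_s):
        return "sigterm"
    log(f"pid {pid} ignored SIGTERM for {hard_s:.1f}s, sending SIGKILL")
    os.kill(pid, signal.SIGKILL)
    _wait_exit(pid, hard_s)  # SIGKILL cannot be ignored; this only reaps the child
    return "sigkill"


if __name__ == "__main__":
    # A daemon that cleans up within the grace period is never signalled.
    print(stop_daemon(spawn_daemon(False, 0.5), grace_s=2.0, hard_s=1.0))
    # A stuck daemon is escalated to SIGKILL (short deadlines for the demo).
    print(stop_daemon(spawn_daemon(True, 60.0), grace_s=0.3, hard_s=0.3))
```

The point of the ordering is that a forced kill is the exception, not the normal path: in the log Gerd quotes, the new pluto starts within a second of the old one beginning its shutdown, which is exactly what a 0.4 s grace period produces on a box with twenty connections.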
Re: [strongSwan] INVALID_KEY_INFORMATION when connecting to Checkpoint VPN
If you are using the checkpoint certificate then it must contain the CheckPoint's IP address as a subjectAltName.

Regards

Andreas

Eugene Kotlyarov wrote:
> Hi
>
> Could someone tell me what's wrong with my setup? I have the following error
>
>     002 checkpoint-openswan #4: initiating Main Mode
>     104 checkpoint-openswan #4: STATE_MAIN_I1: initiate
>     106 checkpoint-openswan #4: STATE_MAIN_I2: sent MI2, expecting MR2
>     002 checkpoint-openswan #4: we have a cert and are sending it upon request
>     108 checkpoint-openswan #4: STATE_MAIN_I3: sent MI3, expecting MR3
>     003 checkpoint-openswan #4: discarding duplicate packet; already STATE_MAIN_I3
>     002 checkpoint-openswan #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
>     002 checkpoint-openswan #4: crl not found
>     002 checkpoint-openswan #4: certificate status unknown
>     003 checkpoint-openswan #4: no RSA public key known for 'x.x.119.254'
>     217 checkpoint-openswan #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
>     002 checkpoint-openswan #4: sending encrypted notification INVALID_KEY_INFORMATION to x.x.119.254:500
>
> My configuration is
>
>     conn checkpoint-openswan
>         type=tunnel
>         # Left side is Check Point
>         left=x.x.119.254
>         leftcert=checkpoint_ca_cert.pem
>         #tried setting this options also
>         #leftid=O=c..
>         #leftrsasigkey=%cert
>         #extracted with fswcert tool
>         leftrsasigkey=0x0103...
>         leftsubnet=10.45.0.111/32
>         leftsendcert=no
>         # Right side is OpenSwan
>         right=77.50.36.0
>         # As an alternative, the file itself can be specified
>         rightcert=checkpoint_cl_cert.pem
>         rightrsasigkey=%cert
>         authby=rsasig
>         auto=start
>         # Optional specify encryption/hash methods for phase 1 2
>         ike=3des-md5-modp1024
>         esp=aes-sha1
>         # Disable Perfect Forward Secrecy, if not working proper
>         pfs=no
>         # Optional enable compression (if working)
>         #compress=yes
[strongSwan] ANNOUNCE: strongswan-4.3.0 released
Hi,

we proudly present the first release of the new strongSwan 4.3 branch which offers the following two major features:

- IKEv2 Multiple Authentication Exchanges (RFC 4739)

  Initiators and responders can use several authentication rounds (e.g. RSA followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and leftauth2/rightauth2 parameters define their own authentication rounds and setup constraints for the remote peer. See the ipsec.conf man page for more details. A typical sample scenario using mutual RSA authentication in the first round and EAP-SIM client authentication in the second round can be found under the link

    http://www.strongswan.org/uml/testresults43/ikev2/mult-auth-rsa-eap-sim-id/

- Use of libstrongswan in the IKEv1 pluto code

  We refactored the pluto and scepclient code to share basic functions (memory allocation, leak detective, chunk handling, printf_hooks, strongswan.conf attributes, ASN.1 parser, etc.) with the libstrongswan library. As a first benefit, up to two DNS and WINS servers to be sent via the IKEv1 ModeConfig protocol can be configured in the pluto section of /etc/strongswan.conf:

    pluto {
        dns1 =
        dns2 =
        nbns1 =
        nbns2 =
    }

  A configuration example can be found under the link

    http://www.strongswan.org/uml/testresults43/ikev1/mode-config/

And here some more features:

- If glibc printf hooks (register_printf_function) are not available, strongSwan can use the vstr string library to run on non-glibc systems.

- The IKEv2 charon daemon now supports the ESP CAMELLIA-CBC cipher (esp=camellia128|192|256). A sample scenario can be found under the link

    http://www.strongswan.org/uml/testresults43/ikev2/esp-alg-camellia/

Due to the heavy refactoring of large parts of both the IKEv1 and IKEv2 source code we strongly advise *against* using 4.3.0 in mission critical applications. Please use the stable strongSwan 4.2.14 version on production systems instead, at least until the release of 4.3.1.

Best regards

Martin Willi                  Andreas Steffen
IKEv2 Software Architect      strongSwan Project Leader
Re: [strongSwan] request help
Hi,

according to the 5th paragraph in section 3.3. Security Association Payload of the IKEv2 RFC 4306:

  http://tools.ietf.org/html/rfc4306#section-3.3

    Each Proposal/Protocol structure is followed by one or more transform structures. The number of different transforms is generally determined by the Protocol. AH generally has a single transform: an integrity check algorithm. *ESP generally has two: an encryption algorithm and an integrity check algorithm.* IKE generally has four transforms: a Diffie-Hellman group, an integrity check algorithm, a prf algorithm, and an encryption algorithm. If an algorithm that combines encryption and integrity protection is proposed, it MUST be proposed as an encryption algorithm and an integrity protection algorithm MUST NOT be proposed. For each Protocol, the set of permissible transforms is assigned transform ID numbers, which appear in the header of each transform.

This means that an ESP SA requires only the definition of an encryption algorithm and an integrity check algorithm. According to section 2.17. Generating Keying Material for CHILD_SAs the ESP keys are derived as

    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr )

and section 2.13. Generating Keying Material says

    In the context of the IKE_SA, four cryptographic algorithms are negotiated: an encryption algorithm, an integrity protection algorithm, a Diffie-Hellman group, and a pseudo-random function (prf). The pseudo-random function is used for the construction of keying material for all of the cryptographic algorithms used in both the IKE_SA and the CHILD_SAs.

So the pseudo-random function negotiated for the IKE_SA is used to generate the keying material for the ESP SA. Thus there is no need to negotiate an additional PRF for ESP in the CREATE_CHILD_SA message.

Best regards

Andreas

Jun Yin wrote:
> I'm testing strongswan ikev2 against our firewall product and found the below problem:
>
>     Apr 30 11:54:01 lin-1-7 charon: 14[NET] received packet: from 192.168.2.100[500] to 192.168.2.207[500]
>     Apr 30 11:54:01 lin-1-7 charon: 14[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
>     Apr 30 11:54:01 lin-1-7 charon: 14[CFG] received proposals: ESP:3DES/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536_BIT/NO_EXT_SEQ
>     Apr 30 11:54:01 lin-1-7 charon: 14[CFG] configured proposals: ESP:3DES/HMAC_MD5_96/MODP_1536_BIT/NO_EXT_SEQ
>     Apr 30 11:54:01 lin-1-7 charon: 14[IKE] no acceptable proposal found
>     Apr 30 11:54:01 lin-1-7 charon: 14[ENC] generating CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
>
> Our developer said PRF_HMAC_MD5 is a mandatory field therefore strongswan should have it configured by default. Anyway, is there a way I can configure it in strongswan manually?
>
> Thanks.
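To make the two RFC citations above concrete, here is an added example (written for this archive page; it is neither charon's code nor the firewall vendor's): prf+ from RFC 4306 section 2.13, the CHILD_SA key derivation of section 2.17 with the key material split into the four ESP keys in the order the RFC prescribes, and a check that flags a PRF transform inside an ESP proposal written in charon's log notation. The prf is whatever the IKE_SA negotiated, here HMAC-MD5 as in the log; SK_d, the nonces and the g^ir value are constructed sample bytes, not values from the thread.

```python
import hmac
import hashlib


def hmac_md5(key, data):
    """PRF_HMAC_MD5, the IKE_SA prf in Jun Yin's log."""
    return hmac.new(key, data, hashlib.md5).digest()


def hmac_sha1(key, data):
    """PRF_HMAC_SHA1, included to show that prf+ is generic over the prf."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(prf, key, seed, length):
    """prf+ (RFC 4306 section 2.13):
        T1 = prf(K, S | 0x01),  Tn = prf(K, Tn-1 | S | n),  output = T1 | T2 | ...
    truncated to `length` bytes.  The counter is one octet, so at most 255 blocks."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def derive_child_sa_keys(prf, sk_d, ni, nr, enc_key_len, integ_key_len, g_ir=b""):
    """KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) per RFC 4306 section 2.17.
    g^ir is only present when the CREATE_CHILD_SA exchange carried KE payloads
    (as in the quoted log); otherwise pass g_ir=b"".  KEYMAT is consumed in the
    fixed order initiator-encryption, initiator-integrity, responder-encryption,
    responder-integrity.  `prf` is the IKE_SA's prf: ESP negotiates none."""
    order = (("ei", enc_key_len), ("ai", integ_key_len),
             ("er", enc_key_len), ("ar", integ_key_len))
    keymat = prf_plus(prf, sk_d, g_ir + ni + nr, sum(n for _, n in order))
    keys, pos = {}, 0
    for name, ln in order:
        keys[name] = keymat[pos:pos + ln]
        pos += ln
    return keys


def esp_proposal_problems(proposal):
    """Return the transforms that do not belong in an ESP proposal.  RFC 4306
    section 3.3: ESP carries an encryption and an integrity transform (plus
    optionally a DH group and ESN); a prf is never part of it.  Input uses
    charon's log notation, e.g. 'ESP:3DES/HMAC_MD5_96/PRF_HMAC_MD5/...'."""
    proto, _, transforms = proposal.partition(":")
    if proto != "ESP":
        raise ValueError("not an ESP proposal: %r" % proposal)
    return [t for t in transforms.split("/") if t.startswith("PRF_")]


# Constructed sample values (not from the thread).  Real values come from the
# IKE_SA (SK_d), the nonce payloads and the new DH exchange of the rekey.
SAMPLE_SK_D = hashlib.md5(b"constructed SK_d").digest()          # 16 bytes for an MD5 prf
SAMPLE_NI = hashlib.sha256(b"constructed Ni").digest()
SAMPLE_NR = hashlib.sha256(b"constructed Nr").digest()
SAMPLE_G_IR = hashlib.sha512(b"constructed g^ir").digest()       # stands in for the MODP shared secret

if __name__ == "__main__":
    # 3DES needs a 24-byte key, HMAC-MD5-96 a 16-byte key: 80 bytes of KEYMAT.
    keys = derive_child_sa_keys(hmac_md5, SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 24, 16, SAMPLE_G_IR)
    for name, k in keys.items():
        print(name, len(k), k.hex())
    received = "ESP:3DES/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536_BIT/NO_EXT_SEQ"
    print("offending transforms:", esp_proposal_problems(received))
```

Running this shows the derivation never consults anything ESP-specific beyond key lengths: the only prf in play is the IKE_SA's, which is why the received proposal with PRF_HMAC_MD5 is rejected and the configured one without it is the compliant form.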
Re: [strongSwan] help? charon too long to start
Hi,

it is impossible to see from your log why charon takes so long to start. Could you disable the starting of the IKEv1 pluto daemon in /etc/ipsec.conf:

    config setup
        plutostart=no

and start the charon daemon without forking:

    ipsec start --nofork

and report what is happening.

Best regards

Andreas

Jun Yin wrote:
> Hi,
>
> I got error "charon too long to start". Can somebody help me to figure it out? I'm using Ubuntu 8.04, and StrongSwan 4.2.14. Thanks a lot.
>
> The log information:
>
>     Apr 30 10:03:23 lin_1_2 ipsec_starter[23849]: Starting strongSwan 4.2.14 IPsec [starter]...
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Starting Pluto (strongSwan Version 4.2.14 THREADS VENDORID)
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: including NAT-Traversal patch (Version 0.6c) [disabled]
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Testing registered IKE encryption algorithms:
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_BLOWFISH_CBC self-test not available
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_3DES_CBC self-test not available
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_AES_CBC self-test not available
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SERPENT_CBC self-test not available
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_TWOFISH_CBC self-test not available
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_TWOFISH_CBC_SSH self-test not available
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Testing registered IKE hash algorithms:
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_MD5 hash self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_MD5 hmac self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA hash self-test passed
>     Apr 30 10:03:23 lin_1_2 ipsec_starter[23874]: pluto (23875) started after 20 ms
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA hmac self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA2_256 hash self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA2_256 hmac self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA2_384 hash self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA2_384 hmac self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA2_512 hash self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: OAKLEY_SHA2_512 hmac self-test passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: All crypto self-tests passed
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Using Linux 2.6 IPsec interface code
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory '/etc/ipsec.d/cacerts'
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory '/etc/ipsec.d/aacerts'
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory '/etc/ipsec.d/ocspcerts'
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory '/etc/ipsec.d/crls'
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory '/etc/ipsec.d/acerts'
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: listening for IKE messages
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface eth1/eth1 192.168.5.221:500
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface eth0/eth0 172.18.7.162:500
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface lo/lo 127.0.0.1:500
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface lo/lo ::1:500
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: loading secrets from /etc/ipsec.secrets
>     Apr 30 10:03:23 lin_1_2 pluto[23875]: loaded shared key for 192.168.2.100 192.168.5.221
>     Apr 30 10:03:33 lin_1_2 ipsec_starter[23874]: charon too long to start... - kill kill
>     Apr 30 10:03:34 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
>     Apr 30 10:03:34 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
>     Apr 30 10:03:34 lin_1_2 pluto[23875]: added connection description to_dut1
>     Apr 30 10:03:39 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
>     Apr 30 10:03:39 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
>     Apr 30 10:03:39 lin_1_2 pluto[23875]: attempt to redefine connection to_dut1
Re: [strongSwan] need some help : ipsec + xl2tpd
    conn rw
        authby=rsasig
        leftrsasigkey=%cert
        leftcert=vpn.olympecti.fr.pem
        #left=217.128.239.224
        left=%defaultroute
        #left=192.168.1.116
        #leftnexthop=192.168.1.1
        #leftnexthop=%defaultroute
        leftsubnet=192.168.1.0/24
        leftprotoport=17/%any
        right=%any
        rightrsasigkey=%cert
        rightprotoport=17/%any
        rightca=%same
        keyingtries=3
        pfs=no
        type=transport
        auto=add

    conn block
        auto=ignore

    conn clear
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear-or-private
        auto=ignore

    conn packetdefault
        auto=ignore

xl2tpd.conf :

    [global]
    listen-addr = 192.168.1.116
    debug tunnel = yes

    [lns default]
    ip range = 192.168.1.99-192.168.1.101
    local ip = 192.168.1.99
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = LinuxVPNserver
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

thanks in advance for your help.

---
Reza ISSANY
System Engineer
ZA Les Playes - Jean Monnet Sud
Avenue de Lisbonne
83500 La Seyne sur Mer
E-mail : cont...@olympecti.fr
Re: [strongSwan] need some help : ipsec + xl2tpd
what is the output of

  ipsec statusall ?

the connection definition shown by ipsec statusall must *exactly* match the peer's connection proposal.

Andreas

Reza ISSANY wrote:
Thanks for your help.
I've changed the line leftsubnet=192.168.1.0/24 by leftsubnet=217.128.239.224/32
But I have the same error :

May 1 20:18:04 integration pluto[24455]: added connection description rw
May 1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0004]
May 1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500: ignoring Vendor ID payload [FRAGMENTATION]
May 1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 1 20:18:23 integration pluto[24455]: rw[1] 82.229.55.165 #1: responding to Main Mode from unknown peer 82.229.55.165
May 1 20:18:24 integration pluto[24455]: rw[1] 82.229.55.165 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 1 20:18:24 integration pluto[24455]: rw[1] 82.229.55.165 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY, e=issa...@olympecti.fr'
May 1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165 #1: deleting connection rw instance with peer 82.229.55.165 {isakmp=#0/ipsec=#0}
May 1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165 #1: we have a cert and are sending it upon request
May 1 20:18:24 integration pluto[24455]: | NAT-T: new mapping 82.229.55.165:500/4500)
May 1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: sent MR3, ISAKMP SA established
May 1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: cannot respond to IPsec SA request because no connection is known for 217.128.239.224/32===192.168.1.116:4500[C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=vpn.olympecti.fr, e=cont...@olympecti.fr]:17/%any...82.229.55.165:4500[C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY, e=issa...@olympecti.fr]:17/%any
May 1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 82.229.55.165:4500
May 1 20:18:25 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe1a7bc62 (perhaps this is a duplicated packet)
May 1 20:18:25 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
May 1 20:18:27 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe1a7bc62 (perhaps this is a duplicated packet)
May 1 20:18:27 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
May 1 20:18:31 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe1a7bc62 (perhaps this is a duplicated packet)
May 1 20:18:31 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
May 1 20:18:37 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1: received Delete SA payload: deleting ISAKMP State #1
May 1 20:18:37 integration pluto[24455]: rw[2] 82.229.55.165:4500: deleting connection rw instance with peer 82.229.55.165 {isakmp=#0/ipsec=#0}

I can't understand why the ISAKMP SA is established if no connection is known ?
---
Reza ISSANY

- Original Mail -
From: Andreas Steffen andreas.stef...@strongswan.org
To: Reza ISSANY issa...@olympecti.fr
Cc: users users@lists.strongswan.org
Sent: Friday 1 May 2009 18:36:15 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: [strongSwan] need some help : ipsec + xl2tpd

Hi Reza,

the problem is the following:

  cannot respond to IPsec SA request because no connection is known for
  217.128.239.224/32===192.168.1.116:4500 [C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=vpn.olympecti.fr, e=cont...@olympecti.fr] :17/%any
  ...
  82.229.55.165:4500 [C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY, e=issa...@olympecti.fr] :17/%any

Because you have NAT in between

  NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed

217.128.239.224 gets translated to 192.168.1.166 due to a Destination NAT rule. Therefore you must define left=%defaultroute (will take
Re: [strongSwan] Multiple tunnels between same peer
Hi Arun,

either define multiple connections:

conn %default
    type=tunnel
    authby=secret
    left=10.1.1.2
    leftid=sswan
    rightid=chamundi
    right=10.1.1.5
    esp=3des-md5-9
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
    auto=add

conn tunnel1
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.10.0/24

conn tunnel2
    leftsubnet=192.168.14.0/24
    rightsubnet=172.16.12.0/24

or define multiple traffic selectors:

conn tunnel
    type=tunnel
    authby=secret
    left=10.1.1.2
    leftid=sswan
    rightid=chamundi
    right=10.1.1.5
    leftsubnet=192.168.10.0/24,192.168.14.0/24
    rightsubnet=172.16.10.0/24,172.16.12.0/24
    esp=3des-md5-9
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
    auto=add

In the first example 192.168.10/24 is connected to 172.16.10.0/24 as part of the IKE_AUTH exchange and 192.168.14.0/24 to 172.16.12.0/24 with an additional CREATE_CHILD_SA exchange, whereas in the second example the multiple traffic selectors are set up by the IKE_AUTH exchange but with the additional side effect that 192.168.10.0/24 will be coupled with 172.16.12.0/24 and 192.168.14.0/24 with 172.16.10.0/24.

BTW - esp=3des-md5-9 has an invalid syntax. What does -9 mean? A Diffie-Hellman group???

Best regards

Andreas

Arun Raj wrote:
Hi Andraw,
I am trying to bring up multiple tunnels using PSK between the same peers. Is this option available in strongswan? The config file I used was as below.
Could you please let me know how we can modify the below file to set up multiple tunnels between the same peers? I searched the net and I am unable to find this option.

# basic configuration
config setup
    strictcrlpolicy=no
    plutostart=no
    charonstart=yes
    charondebug=all
    klipsdebug=all

conn tunnel
    type=tunnel
    authby=secret
    left=10.1.1.2
    leftid=sswan
    rightid=chamundi
    right=10.1.1.5
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.10.0/24
    esp=3des-md5-9
    keyexchange=ikev2
    pfs=no
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
    auto=add

Thanks
Arun
Re: [strongSwan] configure: error: Vstr string library not found
Hi,

since OpenBSD 4.4 doesn't seem to support printf hooks (%N, %H, etc.) the vstr string library can be used instead. But apparently this library hasn't been installed yet on your system.

Anyway, we are still busy porting strongSwan to *BSD. The current svn version should work with FreeBSD but we still have some problems to solve with OpenBSD.

Best regards

Andreas

Fortunato wrote:
Hello again,
I'm seeing a recurring theme here - I'm gonna have to learn more about make. :(
But in the meantime, I'm getting:

  checking for main in -lvstr... no
  configure: error: Vstr string library not found

This one appears to be more cryptic. There's no /usr/include/vstr.h file other than the standard string.h and strings.h files. Any ideas? This is for an OpenBSD 4.4 host.
Thanks,
Re: [strongSwan] no CREATE_CHILD_SA in Strongswan
Hi Tilak,

without any log and configuration information we cannot possibly help you.

Regards

Andreas

Tilak Adhya wrote:
Hi,
I am new to this list and have been using Strongswan for the last 2 months... I am facing a problem regarding the CREATE_CHILD_SA for IKEv2 with Strongswan. I have connected two Strongswan instances back to back but am not able to send CREATE_CHILD_SAs. Also, I sent a CREATE_CHILD_SA but Strongswan is not responding properly. It replies with No Proposal Chosen; but the proposals configured in Strongswan should match. Not getting the reason. If you need the log files I can post them. Your help is highly appreciated.
Thanks
Tilak
Re: [strongSwan] no CREATE_CHILD_SA in Strongswan
= 65535
IKEV2: IPV4 Start Address = 10.1.1.20
IKEV2: IPV4 End Address = 10.1.1.20
IKEV2: - IKEV2 Traffic Selector Data
IKEV2: TS Type = 7 ( IPV4 Addr Range)
IKEV2: IP Protocol ID= 0
IKEV2: Selector Length = 16
IKEV2: Start Port= 0
IKEV2: End Port = 65535
IKEV2: IPV4 Start Address = 10.1.1.42
IKEV2: IPV4 End Address = 10.1.1.42

This translates to

  left=10.1.1.42
  right=10.1.1.20

so that traffic selector narrowing takes place.

CREATE_CHILD_SA request:

IP: Source Address = 10.1.1.20
IP: Destination Address= 10.1.1.42

In this CREATE_CHILD_SA message you don't request any additional traffic selectors. Therefore don't be surprised to receive a NO_PROPOSAL_CHOSEN as a response!

If you want us to help you, please provide consistent debugging information and, as Daniel Mentz correctly mentioned, add a log from the strongSwan side!!!

Regards

Andreas

Tilak Adhya wrote:
Hi Andreas,
!.5.txt is the log file we are sending to the Strongswan. Strongswan has the ip 10.1.1.42. And the corresponding configuration file is also attached with this mail.
Waiting for valuable comments.
Thanks in advance...
Tilak

On Mon, 18 May 2009 11:50:29 +0530 wrote
Hi Tilak,
without any log and configuration information we cannot possibly help you.
Regards
Andreas

Tilak Adhya wrote:
Hi,
I am new to this list and have been using Strongswan for the last 2 months... I am facing a problem regarding the CREATE_CHILD_SA for IKEv2 with Strongswan. I have connected two Strongswan instances back to back but am not able to send CREATE_CHILD_SAs. Also, I sent a CREATE_CHILD_SA but Strongswan is not responding properly. It replies with No Proposal Chosen; but the proposals configured in Strongswan should match. Not getting the reason. If you need the log files I can post them. Your help is highly appreciated.
Thanks
Tilak
Re: [strongSwan] Multiple L2TP clients behind NAT using the same IP - status?
As a workaround I recommend using IPsec tunnel mode with NAT-T. Windows XP's L2TP client can be configured to use tunnel mode instead of the default transport mode.

Regards

Andreas

Jaime Vargas wrote:
Hello, everybody;
As far as I know, there's a well-known issue with NAT-T that makes it impossible to connect simultaneously to a VPN using L2TP over IPSec from two Windows clients which reside behind the same NAT box. Problem is, I need to offer a solution, or at least a convincing argument, for this exact case (other than configuring a site-to-site VPN, which is not deemed suitable for only two users).
My questions regarding this issue are:
a) Is the cause of this issue established?
b) Is there any solution or workaround (involving Windows XP as the clients and strongSwan + l2tpns + NETKEY at the server)?
c) If not, is a solution for this in the works, or being considered?
Thanks in advance,
Jaime
Re: [strongSwan] strongswan ipsec restart problem
Hi Arnab,

instead of restarting the charon daemon I propose to terminate the current connection only:

  ipsec down jay2

if the connection has already been established then charon will try to send a delete notification which will take a long time if the peer is already disconnected. Therefore to abort the retransmissions execute again

  ipsec down jay2

which will shut down the connection immediately. Now you can change the configuration in ipsec.conf and execute

  ipsec update

which will update charon's configuration. If auto=start is set then the connection will be automatically initiated.

Best regards

Andreas

Arnab Bakshi wrote:
Hi Andreas,
PFA the messages attached with cfg 2, chd 2. We are restarting charon frequently as part of some automation testing requirement which clears sessions in strongswan and our implementation... Is there a better way I can gracefully terminate it (e.g. sending delete or any other ipsec * commands)?
Thanks and Regards
Arnab

On Wed, Jun 3, 2009 at 6:37 PM, Andreas Steffen andreas.stef...@strongswan.org wrote:
I just checked how the misconfiguration is treated by charon:

  Jun 3 14:59:38 moon charon: 03[CFG] skipped invalid proposal string: 3des-md5-96
  03[CFG] skipped invalid proposal string: 3des-md5-96-modp1536

As a consequence the following default proposal is sent to the peer:

  Jun 3 14:59:44 sun charon: 13[CFG] received proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ

Therefore this cannot be the reason for any malfunction.

Regards

Andreas

Andreas Steffen wrote:
Hi Arnab,

What is the sense in restarting charon every 20 seconds before it has completed the establishment of an IKE_SA or CHILD_SA?
Jun 2 15:37:03 localhost charon: 08[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
08[IKE] 10.4.3.42 is initiating an IKE_SA
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No ]
08[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
01[DMN] signal of type SIGINT received. Shutting down
01[IKE] destroying IKE_SA in state CONNECTING without notification
01[DMN] starting charon (strongSwan Version 4.2.12)

Jun 2 15:37:23 localhost charon: 05[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
05[IKE] 10.4.3.42 is initiating an IKE_SA
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No ]
05[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
01[DMN] signal of type SIGINT received. Shutting down
01[IKE] destroying IKE_SA in state CONNECTING without notification
01[DMN] starting charon (strongSwan Version 4.2.12)

Jun 2 15:37:44 localhost charon: 05[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
05[IKE] 10.4.3.42 is initiating an IKE_SA
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No ]
05[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
01[DMN] signal of type SIGINT received. Shutting down
01[IKE] destroying IKE_SA in state CONNECTING without notification
01[DMN] starting charon (strongSwan Version 4.2.12)

In the first three calls no communication with the kernel takes place.
Jun 2 15:38:07 localhost charon: 06[IKE] initiating IKE_SA jay2[1] to 10.4.3.42
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
06[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
07[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
07[IKE] authentication of '10.4.3.10' (myself) with pre-shared key
07[IKE] establishing CHILD_SA jay2
07[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr ]
07[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
01[DMN] signal of type SIGINT received. Shutting down
01[IKE] destroying IKE_SA in state CONNECTING without notification
01[KNL] received netlink error: No such process (3)
01[KNL] unable to delete SAD entry with SPI cc7817cf
14[KNL] creating delete job for ESP CHILD_SA with SPI cc7817cf and reqid {1}

Here charon is stopped before it receives the IKE_AUTH response from the peer. What happened after that? Did charon crash or even the Linux operating system???

Looking at your ipsec.conf I see the following anomalies:

conn jay2
    type=transport
    left=10.4.3.42
    leftid=10.4.3.42
    right=10.4.3.10
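Both the "esp=3des-md5-9" remark in the multiple-tunnels thread above and the "skipped invalid proposal string: 3des-md5-96" log in this thread come down to the same failure mode: one unknown token makes charon drop the whole proposal and silently send its default one. The following linter, an added example that is not strongSwan code, catches such tokens in an ipsec.conf-style file before deployment; its keyword tables are a constructed subset of strongSwan's and its parser handles only conn sections (both assumptions).

```python
"""Lint the esp=/ike= proposal strings in an ipsec.conf-style file.

Added example, not strongSwan code.  charon looks every '-'-separated
token of a proposal up in a keyword table and, on the first unknown one,
logs "skipped invalid proposal string" and falls back to its default
proposal.  This linter reports such tokens before deployment.  The keyword
tables are a small constructed subset of strongSwan's, and the parser is
the minimum needed for conn sections (both assumptions).
"""
import re
from typing import Dict, List, Tuple

# Constructed subset of strongSwan proposal keywords (not the full list).
ENCRYPTION = {"3des", "aes128", "aes192", "aes256", "blowfish256", "null"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
DH_GROUP = re.compile(r"^(modp(768|1024|1536|2048|3072|4096)|ecp(256|384|521))$")


def check_proposal(proposal: str) -> List[str]:
    """Return the problems with one proposal such as 'aes128-sha1-modp1024'.

    An empty list means every token is a known keyword.  Several algorithms
    of one kind in a single proposal are allowed, as in strongSwan."""
    problems: List[str] = []
    has_encryption = False
    for token in proposal.split("-"):
        if token in ENCRYPTION:
            has_encryption = True
        elif token in INTEGRITY or DH_GROUP.match(token):
            pass
        else:
            problems.append(
                f"'{proposal}': unknown token '{token}' "
                "(the whole proposal would be skipped; md5/sha1 already "
                "imply the 96-bit truncation, so '-96' is not a keyword)")
    if not problems and not has_encryption:
        problems.append(f"'{proposal}': no encryption algorithm")
    return problems


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf parser: an unindented 'conn <name>' line starts a
    section and indented key=value lines belong to it.  'config setup' is
    ignored; 'conn %default' is kept as an ordinary section."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (conn name, problem) pairs for every proposal charon would skip.

    %default values are merged into each conn, as ipsec.conf does; a trailing
    '!' (strict flag) and comma-separated alternatives are handled."""
    conns = parse_conns(text)
    default = conns.pop("%default", {})
    findings: List[Tuple[str, str]] = []
    for name, opts in conns.items():
        merged = {**default, **opts}
        for key in ("esp", "ike"):
            if key not in merged:
                continue
            for proposal in merged[key].rstrip("!").split(","):
                for problem in check_proposal(proposal.strip()):
                    findings.append((name, f"{key}={problem}"))
    return findings


# Constructed sample modelled on the configurations in this thread.
SAMPLE = """\
config setup
    charonstart=yes

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024

conn tunnel1
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.10.0/24
    esp=3des-md5-96

conn tunnel2
    leftsubnet=192.168.14.0/24
    rightsubnet=172.16.12.0/24
    esp=aes128-sha1
"""

if __name__ == "__main__":
    for conn, problem in lint(SAMPLE):
        print(f"conn {conn}: {problem}")
```

Running it on the sample reports only tunnel1, whose "3des-md5-96" would be skipped in favour of the default ESP proposal shown in the log above.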
[strongSwan] Free eTickets for LinuxTag 2009 in Berlin
Hi,

as every year the strongSwan team will be present with a project booth at LinuxTag which takes place from June 24-27 2009 in Berlin.

http://www.linuxtag.org/2009/en/program/freies-vortragsprogramm.html

We received a couple of eTickets for the four day event which we can give away for free to the strongSwan community. So if you are interested in visiting LinuxTag, just drop me an email and I'm going to send you an invitation for an eTicket which you must fetch within 48 hours by clicking on the link and downloading the eTicket.

See you in Berlin!

Andreas Steffen, Tobias Brunner, Martin Willi
Re: [strongSwan] Notification message 40501 connecting to Cisco router
Hi Rod,

no, strongSwan hasn't been tested with Cisco load balancing and does not recognize the 40501 notification. Probably Cisco wants to redirect the IPsec SA to an alternative VPN gateway.

Best regards

Andreas

rriver...@verizon.net wrote:
Hi,
This is my first post to this forum. I would like to thank everyone that has worked on this project. I have been using strongSwan in a road warrior configuration to connect to Cisco routers. I have been able to do this with several customers but recently when I tried to connect to a new customer I received a 40501 Notification message. After doing some research on the Internet I found the following email indicating that this notification relates to Cisco load balancing:

http://sourceforge.net/mailarchive/forum.php?thread_name=alpine.lfd.2.00.0901271415230.2...@oynqr.eqh.erqung.pbzforum_name=ipsec-tools-devel

Has strongSwan been tested with Cisco load balancing? Has anyone else run into this problem? I found a work around to the problem by connecting to the last server in the load balancing cluster, which does not return the 40501 notification, and the connection works fine. This will do for my initial testing but without support for load balancing I will not be able to use strongSwan.

The output from the failed connection follows:

# ipsec up test
002 test #1: initiating Main Mode
104 test #1: STATE_MAIN_I1: initiate
003 test #1: ignoring Vendor ID payload [FRAGMENTATION c000]
106 test #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 test #1: ignoring Vendor ID payload [Cisco-Unity]
003 test #1: received Vendor ID payload [XAUTH]
003 test #1: ignoring Vendor ID payload [79d4400d1135dfa224392efd403473aa]
003 test #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
108 test #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 test #1: received Vendor ID payload [Dead Peer Detection]
002 test #1: Peer ID is ID_FQDN: '@test.localdomain'
002 test #1: ISAKMP SA established
004 test #1: STATE_MAIN_I4: ISAKMP SA established
003 test #1: Notify Message Type of ISAKMP Notification Payload has an unknown value: 40501
003 test #1: malformed payload in packet

Thanks,
Rod
Re: [strongSwan] Strongswan: Disabling repeated authentication for ikev2.
You can disable re-authentication and replace it by IKE_SA rekeying by adding the line

  reauth=no

to your connection definition in ipsec.conf

Regards

Andreas

Balaji J wrote:
Hi ppl,
Is there any way to configure strongswan for disabling the repeated authentication notify payload (rfc4478) it sends with the IKE_AUTH reply? Basically, i want to disable the repeated authentication in strongswan. Is it possible?
Thanks in advance.
Regards,
...Balaji.J
Re: [strongSwan] Can we connect Pluto with Windows Vista using RSASIG?
Hi,

I cannot help you without any strongSwan log files and preferably also a log from MS Vista.

Andreas

gu...@mail.goo.ne.jp wrote:
Hi List,
I tried many things so that I could connect Pluto with Windows Vista using RSASIG, and then ISAKMP packets requesting RSASIG authentication were sent from Vista to Pluto, but it failed after some Main mode messages. It was an error in the calculation of the Hash value. Does someone know how to complete this?
Best regards,
Shen Wu
Re: [strongSwan] Missing something on the first step
Here some follow-up infos:

- It seems that libraries in /usr/local/lib/ are not found by Ubuntu the first time they get installed there. Executing the command ldconfig might fix this.

- The more reliable way is to install the libraries in /usr/lib/. With the corrected sysconfdir option, type:

  ./configure --prefix=/usr --sysconfdir=/etc ...other options

Best regards

Andreas Steffen

Andreas Steffen wrote:
Hello Paul,

it looks as if libstrongswan was either not built or the path to the library was not found. By default libstrongswan gets installed in the /usr/local/lib/ directory. Could you check that?

I'm also running strongSwan on Ubuntu systems but I usually install everything under /usr [instead of /usr/local] and the configuration files under /etc [instead of /usr/local/etc] by specifying

  ./configure --prefix=/usr --sysconfig=/etc ...

Best regards

Andreas Steffen

Paul Hoffman wrote:
Greetings. I installed 4.3.1 on a Ubuntu 8.04 system without a hitch. However:

  # ipsec start
  /usr/local/libexec/ipsec/starter: error while loading shared libraries: libstrongswan.so.0: cannot open shared object file: No such file or directory

Any clues would be appreciated.
--Paul Hoffman, Director
--VPN Consortium
Re: [strongSwan] Configuring with --enable-http seems broken
Yes, the current option is --enable-curl. For a list of all available options, see

http://wiki.strongswan.org/wiki/strongswan/Autoconf

Best regards

Andreas Steffen

Paul Hoffman wrote:
  # ./configure --enable-http
  configure: WARNING: unrecognized options: --enable-http
  checking for a BSD-compatible install... /usr/bin/install -c
  . . .

Yet --enable-http is what the INSTALL file says is needed for fetching CRLs over HTTP. Has this been replaced by --enable-curl?
--Paul Hoffman, Director
--VPN Consortium
Re: [strongSwan] Finding those libs
Hello Paul,

with the --enable-curl option the following ubuntu packages are required:

  libcurl3, libcurl3-gnutls, and libcurl3-gnutls-dev

With --enable-openssl (required only if you want to use ECP DH groups or ECDSA signatures), the following packages are required:

  libssl0.9.8, libssl-dev

Probably in both cases the *-dev packages are missing, since usually the curl and openssl applications are activated by default in Ubuntu.

Best regards

Andreas

Paul Hoffman wrote:
On a related note, 'configure' can't find the curl or openssl libs on Ubuntu 9.04:

  . . .
  checking for main in -lcrypto... no
  configure: error: OpenSSL crypto library not found

Any help would be appreciated.
--Paul Hoffman, Director
--VPN Consortium
Re: [strongSwan] Support of Encryption/Integrity algorithms in Version
Hello Sajal,

yes the IKEv2 charon supports these crypto algorithms. By default the options --enable-des, --enable-aes, --enable-sha1, and --enable-hmac are set so that the corresponding plugins are compiled and automatically loaded during runtime. After starting strongSwan the command

  ipsec listalgs

shows all supported crypto algorithms.

Best regards

Andreas

Sajal Malhotra wrote:
Hi,
I am evaluating version 4.2.8 of the strongswan package for IKEv2/charon. I have a small query: Does this version of the package also contain the following encryption and integrity algorithms:
- 3DES-192 CBC
- AES-128-CBC
- HMAC-SHA1-96
Would appreciate your help in this regard. Thanks.
Best Regards
Sajal
Re: [strongSwan] Converting x509 Certificates to SQL entries
Hi,

first convert the base64 encoded PEM certificate file into binary DER format:

  openssl x509 -in strongswanCert.pem -outform der -out strongswanCert.der

and then use the script bin2sql:

http://wiki.strongswan.org/repositories/entry/strongswan/scripts/bin2sql.c

to convert the contents of the binary file into a HEX string:

  cat strongSwanCert.der | scripts/bin2sql

Best regards

Andreas

J. Tang wrote:
I am trying to decipher strongSwan's SQL interface. In test sql/net2net-cert, moon's ipsec.sql has the statement

  INSERT INTO certificates ( type, keytype, data ) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ 1, 1, X'308203b53082029da0' );

I realize that the data blob originates from moon/etc/ipsec.d/cacerts/strongswanCert.pem. My question is how does one convert a certificate (CA or host) to a SQL data blob?
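The two-step conversion described above (PEM to DER, DER to hex blob), as an added Python example that is not the project's bin2sql script. The certificate it processes is a constructed placeholder DER SEQUENCE rather than a real X.509 certificate, so the example runs offline; the column meanings (type=1, keytype=1) are taken from the quoted ipsec.sql line.

```python
"""Convert a PEM certificate into the X'...' blob used by strongSwan's SQL
backend.  Added example, not the project's bin2sql script: it does in
Python what 'openssl x509 -outform der' piped into scripts/bin2sql does.
The certificate used below is a constructed placeholder DER SEQUENCE, not
a real X.509 certificate, so the example runs offline (assumption)."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body, i.e. the first
    step of the thread ('openssl x509 -in ... -outform der')."""
    match = PEM_BLOCK.search(pem)
    if match is None or match.group(1) != "CERTIFICATE":
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(2).split()), validate=True)


def der_to_sql_blob(der: bytes) -> str:
    """Hex-encode the DER bytes as an SQL binary literal, X'3082...'
    (the second step, what bin2sql prints)."""
    if not der or der[0] != 0x30:
        raise ValueError("DER certificate must start with a SEQUENCE tag (0x30)")
    return "X'" + der.hex() + "'"


def certificate_insert(pem: str, comment: str,
                       cert_type: int = 1, key_type: int = 1) -> str:
    """Build an INSERT in the shape of the thread's ipsec.sql line
    (type=1, keytype=1 as in the quoted example).  The hex literal contains
    only [0-9a-f], so it needs no escaping; the comment is the only free
    text and gets its comment terminator defused."""
    safe_comment = comment.replace("*/", "* /")
    blob = der_to_sql_blob(pem_to_der(pem))
    return ("INSERT INTO certificates ( type, keytype, data ) VALUES "
            f"( /* {safe_comment} */ {cert_type}, {key_type}, {blob} );")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armour with 64-column lines (used to build the
    constructed sample; inverse of pem_to_der)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed placeholder: SEQUENCE { INTEGER 1, NULL }, not a real certificate.
SAMPLE_DER = bytes.fromhex("30050201010500")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(certificate_insert(SAMPLE_PEM,
                             "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"))
```

With a real certificate file, replace SAMPLE_PEM by the contents of strongswanCert.pem; the output then matches what the openssl/bin2sql pipeline produces.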
Re: [strongSwan] strongSwan + iPhone
The iPhone client does not like the XAUTH request:

  12:11:05 pluto[23959]: | starting XAUTH server
  12:11:05 pluto[23959]: iphone[3] CLIENT-IP:11044 #3: sending XAUTH request

because instead of the XAUTH reply it sends an INFORMATIONAL message:

  12:11:06 pluto[23959]: | *received 76 bytes from CLIENT-IP:11044 on eth5
  12:11:06 pluto[23959]: | ICOOKIE: 31 ed 8b 9a d8 bf 78 9d
  12:11:06 pluto[23959]: | RCOOKIE: 2d 5e 3f c8 6f 7d 42 2e
  12:11:06 pluto[23959]: | peer: 50 bb 65 81
  12:11:06 pluto[23959]: | state hash entry 0
  12:11:06 pluto[23959]: | state object not found
  12:11:06 pluto[23959]: packet from CLIENT-IP:11044: Informational Exchange is for an unknown (expired?) SA

There are two things that you can do:

1) Have you compiled strongSwan with the --enable-cisco-quirks option? It might be that, similarly to the Cisco VPN client, the iPhone client expects the VPN gateway to send a Cisco-Unity ID and will otherwise abort the IKE negotiation.

2) Increasing the debug level by setting

  plutodebug=control controlmore parsing

in ipsec.conf might show the content of the INFORMATIONAL message, shedding some light on the error cause.

Best regards

Andreas

Wolfram Schlich wrote:
* Andreas Steffen andreas.stef...@strongswan.org [2009-07-10 18:44]:
Hi Wolfram,

Hey Andreas!

have you enabled NAT-Traversal in ipsec.conf with the statement

  config setup
      nat_traversal=yes

since the source port of the IKE message is 29643 and not 500?

Ah!
I overlooked that :) Ok, added nat_traversal=yes and now this happens: --8-- 12:11:00 pluto[23959]: | 12:11:00 pluto[23959]: | *received 644 bytes from CLIENT-IP:27514 on eth5 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: received Vendor ID payload [RFC 3947] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: received Vendor ID payload [XAUTH] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID payload [Cisco-Unity] 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: received Vendor ID payload [Dead Peer Detection] 12:11:00 pluto[23959]: | preparse_isakmp_policy: peer requests XAUTHRSASIG+XAUTHSERVER authentication 12:11:00 pluto[23959]: | instantiated iphone for CLIENT-IP 12:11:00 pluto[23959]: | creating state object #3 at 0x17b82030 12:11:00 pluto[23959]: | ICOOKIE: 31 ed 8b 9a d8 bf 78 9d 12:11:00 pluto[23959]: | RCOOKIE: 2d 5e 3f c8 6f 7d 42 2e 12:11:00 pluto[23959]: | peer: 50 bb 65 81 12:11:00 pluto[23959]: | state hash entry 0 
12:11:00 pluto[23959]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
12:11:00 pluto[23959]: iphone[3] CLIENT-IP:27514 #3: responding to Main Mode from unknown peer CLIENT-IP:27514
12:11:00 pluto[23959]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
12:11:00 pluto[23959]: | next event EVENT_RETRANSMIT in 10 seconds for #3
12:11:02 pluto[23959]: |
12:11:02 pluto[23959]: | *received 292 bytes from CLIENT-IP:27514 on eth5
12:11:02 pluto[23959]: | ICOOKIE: 31 ed 8b 9a d8 bf 78 9d
12:11:02 pluto[23959]: | RCOOKIE: 2d 5e 3f c8 6f 7d 42 2e
12:11:02 pluto[23959]: | peer: 50 bb 65 81
12:11:02 pluto[23959]: | state hash entry 0
12:11:02 pluto[23959]: | state object #3 found, in STATE_MAIN_R1
12:11:02 pluto[23959]: iphone[3] CLIENT-IP:27514 #3: NAT-Traversal: Result using RFC 3947: peer is NATed
12:11:02 pluto[23959]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
12:11:02 pluto[23959]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
12:11:02 pluto[23959]: | next event EVENT_RETRANSMIT in 10 seconds for #3
12:11:05 pluto[23959]: |
12:11:05 pluto[23959]: | *received 1836 bytes from CLIENT-IP:11044 on eth5
12:11:05 pluto[23959]: | ICOOKIE: 31 ed 8b 9a d8 bf 78 9d
12:11:05 pluto[23959]: | RCOOKIE: 2d 5e 3f c8 6f 7d 42 2e
12:11:05 pluto[23959]: | peer: 50 bb 65 81
12:11:05 pluto[23959
Re: [strongSwan] strongSwan + iPhone
Wolfram Schlich wrote:
Hi Andreas!
* Andreas Steffen andreas.stef...@strongswan.org [2009-07-13 13:08]:

The iPhone client does not like the XAUTH request:

12:11:05 pluto[23959]: | starting XAUTH server
12:11:05 pluto[23959]: iphone[3] CLIENT-IP:11044 #3: sending XAUTH request

because instead of the XAUTH reply it sends an INFORMATIONAL message:

12:11:06 pluto[23959]: | *received 76 bytes from CLIENT-IP:11044 on eth5
12:11:06 pluto[23959]: | ICOOKIE: 31 ed 8b 9a d8 bf 78 9d
12:11:06 pluto[23959]: | RCOOKIE: 2d 5e 3f c8 6f 7d 42 2e
12:11:06 pluto[23959]: | peer: 50 bb 65 81
12:11:06 pluto[23959]: | state hash entry 0
12:11:06 pluto[23959]: | state object not found
12:11:06 pluto[23959]: packet from CLIENT-IP:11044: Informational Exchange is for an unknown (expired?) SA

There are two things that you can do:

1) Have you compiled strongSwan with the --enable-cisco-quirks option?

Yes.

It might be that, similarly to the Cisco VPN client, the iPhone client expects the VPN gateway to send a Cisco-Unity ID and will otherwise abort the IKE negotiation.

So shouldn't --enable-cisco-quirks have done that already?!

Yes, --enable-cisco-quirks does that.

2) Increasing the debug level by setting plutodebug="control controlmore parsing" in ipsec.conf might show the content of the INFORMATIONAL message, shedding some light on the error cause.

Done.
Here you go:

--8<--
pluto[32003]: | NAT-T: new mapping CLIENT-IP:30983/42181)
pluto[32003]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1
pluto[32003]: iphone[2] CLIENT-IP:42181 #1: sent MR3, ISAKMP SA established
pluto[32003]: | starting XAUTH server
pluto[32003]: iphone[2] CLIENT-IP:42181 #1: sending XAUTH request
pluto[32003]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
pluto[32003]: | next event EVENT_RETRANSMIT in 10 seconds for #1
pluto[32003]: |
pluto[32003]: | *received 76 bytes from CLIENT-IP:42181 on eth5
pluto[32003]: | **parse ISAKMP Message:
pluto[32003]: |   initiator cookie:
pluto[32003]: |   0d 59 13 eb af df ce b2
pluto[32003]: |   responder cookie:
pluto[32003]: |   5c 40 db 2a 75 f5 d1 91
pluto[32003]: |   next payload type: ISAKMP_NEXT_HASH
pluto[32003]: |   ISAKMP version: ISAKMP Version 1.0
pluto[32003]: |   exchange type: ISAKMP_XCHG_INFO
pluto[32003]: |   flags: ISAKMP_FLAG_ENCRYPTION
pluto[32003]: |   message ID: e6 94 48 f6
pluto[32003]: |   length: 76
pluto[32003]: | ICOOKIE: 0d 59 13 eb af df ce b2
pluto[32003]: | RCOOKIE: 5c 40 db 2a 75 f5 d1 91
pluto[32003]: | peer: 50 bb 64 81
pluto[32003]: | state hash entry 19
pluto[32003]: | state object not found
pluto[32003]: packet from CLIENT-IP:42181: Informational Exchange is for an unknown (expired?) SA
pluto[32003]: | next event EVENT_RETRANSMIT in 10 seconds for #1

The INFORMATIONAL message is encrypted and seems to belong to an earlier IKE exchange, so that the keys are not available anymore. Can you check in your log in which exchange the cookies

pluto[32003]: | ICOOKIE: 0d 59 13 eb af df ce b2
pluto[32003]: | RCOOKIE: 5c 40 db 2a 75 f5 d1 91

were used. I think any further analysis of the strongSwan log does not give additional information. Upon the reception of the XAUTH request, the iPhone client should return its username/password. Is there any prompt on the client or are there any error messages available?
Andreas == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== smime.p7s Description: S/MIME Cryptographic Signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Authentication Failed problem
Sushil Chaudhari wrote:
Hi, I am new to strongswan. Whenever I am trying to make the data transfer between the two hosts, the log file says:

unable to locate my private key for RSA Signature
sending encrypted notification authentication Failed

Can anybody tell me what might be the problem??

This means that either your private key defined in ipsec.secrets could not be loaded, could not be decrypted if protected by a passphrase, or the loaded private key does not match the public key contained in your certificate.

Don't self-signed certificates work in strongSwan?? If not, is there any way to get the certificate from a CA??

Self-signed certificates work with strongSwan if you import the self-signed certificate of the peer locally. A sample scenario is available under the link
http://www.strongswan.org/uml/testresults43/ikev2/default-keys/

Also, does strongSwan provide header encryption as well?

I don't understand this question. With IPsec transport mode you cannot encrypt the IP header because it won't be possible to route the IP packet. With IPsec tunnel mode the encapsulated IP packet is encrypted including its IP header; the outer IP header contains the IP addresses of the VPN gateways.

Thank you

Best regards
Andreas
Re: [strongSwan] FW: strongSwan installs SPs?
Hello Stephen,

installpolicy=no just means that the IKEv2 charon daemon does not use the add_policy() and del_policy() methods of the kernel interface to actively manage the IPsec policies but delegates these tasks to another process on the same host. charon still uses the query_policy() method to get the use_time status information for liveliness checks.

Concerning your question why we don't query the SA's use_time instead, you are not the only one wondering about this. The problem with the Linux kernel's NETLINK IPsec implementation is that the SA's use_time stores the time of *first* use but unfortunately not the *latest* use, whereas only the associated IPsec policy keeps track of the desired information. The attached status output of ip xfrm state and ip xfrm policy shows that both the SA and policy were added at 2009-07-22 06:45:45 and the SA was first used five minutes later at 2009-07-22 06:50:06. Shortly before generating this output I sent data over the IPsec tunnel, so the policies show 07:31:30 and 07:33:09 for the outbound and inbound direction, respectively. Strangely enough, if you want to gather information about the number of bytes / packets sent over a tunnel you can retrieve this data from the SAs only.

Best regards
Andreas

Stephen Pisano wrote:
A follow-up to Mugur's question... It appears that the SA activity portion of the peer liveness algorithm uses a GETPOLICY operation to retrieve the policy use_time. So, I figure with installpolicy=no, this would essentially disable the SA activity portion of the liveness check. Is that correct? If so, this makes me wonder why policy use_time is used rather than SA use_time?
Thanks,
Stephen

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Monday, 20 July 2009 19:57
To: ABULIUS MUGUR
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] strongSwan installs SPs?

Hi Mugur,

by default strongSwan installs IPsec security policies in the kernel.
With auto=route the policies are installed at the very beginning, so that matching plaintext packets trigger an XFRM_ACQUIRE message. With auto=add or auto=start, the policies are installed only after both inbound and outbound IPsec SAs have been created.

For the IKEv2 daemon there is an *installpolicy=no* option, though, which I originally created for Mobile IPv6 connections where the mip6d daemon installs the IPsec policies and then alerts the IKEv2 daemon via an XFRM_MSG_MIGRATE message. See my Mobile IPv6 HOWTO:
http://wiki.strongswan.org/wiki/strongswan/MobileIPv6

So if you have another process which manages the policies you can just set installpolicy=no for that connection in ipsec.conf.

Best regards
Andreas

ABULIUS MUGUR wrote:
The strongSwan doc says that 'auto=route' installs kernel traps. Can somebody confirm that strongSwan installs an SP (Security Policy) for this connection? Are there any other circumstances for which strongSwan handles (get/set) SPs in the kernel's SPD? We want to avoid any kernel SPD set/get for our specific IPsec implementation.
Thanks
Mugur

[r...@strongswan stats]# ip -s xfrm state
src 84.74.95.23 dst 152.96.52.150
    proto esp spi 0xc7f7a5ed(3354895853) reqid 7(0x0007) mode tunnel
    lifetime current:
      36575(bytes), 418(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06
src 152.96.52.150 dst 84.74.95.23
    proto esp spi 0xc31c720e(3273421326) reqid 7(0x0007) mode tunnel
    lifetime current:
      229360(bytes), 368(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06

[r...@strongswan stats]# ip -s xfrm policy
src 10.10.0.0/23 dst 152.96.52.150/32 uid 0
    dir in action allow index 1256 priority 1770 share any flag 0x
    lifetime current: 0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:33:09
    tmpl src 84.74.95.23 dst 152.96.52.150
        proto esp spi 0x(0) reqid 7(0x0007) mode tunnel
src 152.96.52.150/32 dst 10.10.0.0/23 uid 0
    dir out action allow index 1249 priority 1680 share any flag 0x
    lifetime current: 0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:31:30
    tmpl src 152.96.52.150 dst 84.74.95.23
        proto esp spi 0x(0) reqid 7(0x0007) mode tunnel
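As an added example (written for this page, not strongSwan's own code), the following Python script parses the ip -s xfrm state / ip -s xfrm policy output attached above and derives per-reqid activity the way the thread describes it: byte and packet counters and the first-use time come from the SAs, the latest-use time from the policies. The sample input is the output Andreas posted, embedded as a constant; the indentation and the zero padding of the flag and spi fields, which the list archive stripped, are restored as an assumption about the tool's layout, and the parser depends on neither.

```python
# Added example, not strongSwan's code: parse `ip -s xfrm state` and
# `ip -s xfrm policy` output and report tunnel activity per reqid.  The
# SA's "use" time is the *first* use and only the SA carries counters; the
# policy's "use" time is the *latest* use, which is what liveness needs.
import re
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Sample input: the output posted in this thread.  Indentation and the zero
# padding of the flag/spi fields are restored here as an assumption.
XFRM_STATE = """\
src 84.74.95.23 dst 152.96.52.150
    proto esp spi 0xc7f7a5ed(3354895853) reqid 7(0x00000007) mode tunnel
    lifetime current:
      36575(bytes), 418(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06
src 152.96.52.150 dst 84.74.95.23
    proto esp spi 0xc31c720e(3273421326) reqid 7(0x00000007) mode tunnel
    lifetime current:
      229360(bytes), 368(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06
"""
XFRM_POLICY = """\
src 10.10.0.0/23 dst 152.96.52.150/32 uid 0
    dir in action allow index 1256 priority 1770 share any flag 0x00000000
    lifetime current: 0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:33:09
    tmpl src 84.74.95.23 dst 152.96.52.150
        proto esp spi 0x00000000(0) reqid 7(0x00000007) mode tunnel
src 152.96.52.150/32 dst 10.10.0.0/23 uid 0
    dir out action allow index 1249 priority 1680 share any flag 0x00000000
    lifetime current: 0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:31:30
    tmpl src 152.96.52.150 dst 84.74.95.23
        proto esp spi 0x00000000(0) reqid 7(0x00000007) mode tunnel
"""

def split_records(text):
    """One record per unindented 'src ...' line (tmpl lines are indented)."""
    records = []
    for line in text.splitlines():
        if line.startswith("src "):
            records.append([line])
        elif records:
            records[-1].append(line)
    return ["\n".join(r) for r in records]

def _common(rec):
    """reqid and add/use times, present in SA and policy records alike."""
    m = re.search(r"add (\S+ \S+) use (-|\S+ \S+)", rec)
    stamp = lambda s: None if s in (None, "-") else datetime.strptime(s, TIME_FMT)
    return {"reqid": int(re.search(r"reqid (\d+)", rec).group(1)),
            "add": stamp(m and m.group(1)), "use": stamp(m and m.group(2))}

def parse_states(text):
    """SAs: spi, reqid, add/use times and the byte/packet counters."""
    sas = []
    for rec in split_records(text):
        cnt = re.search(r"(\d+)\(bytes\), (\d+)\(packets\)", rec)
        sa = _common(rec)
        sa.update(spi=int(re.search(r"spi 0x([0-9a-fA-F]+)", rec).group(1), 16),
                  bytes=int(cnt.group(1)), packets=int(cnt.group(2)))
        sas.append(sa)
    return sas

def parse_policies(text):
    """Policies: direction plus reqid and add/use times."""
    pols = []
    for rec in split_records(text):
        pol = _common(rec)
        pol["dir"] = re.search(r"\bdir (in|out|fwd)\b", rec).group(1)
        pols.append(pol)
    return pols

def tunnel_activity(state_text, policy_text):
    """Per reqid: counters and first use from the SAs, last use from the
    policies (the reason charon queries the policy for liveness)."""
    out = {}
    blank = lambda: {"bytes": 0, "packets": 0, "first_use": None, "last_use": None}
    for sa in parse_states(state_text):
        e = out.setdefault(sa["reqid"], blank())
        e["bytes"] += sa["bytes"]
        e["packets"] += sa["packets"]
        if sa["use"] and (e["first_use"] is None or sa["use"] < e["first_use"]):
            e["first_use"] = sa["use"]
    for pol in parse_policies(policy_text):
        e = out.setdefault(pol["reqid"], blank())
        if pol["use"] and (e["last_use"] is None or pol["use"] > e["last_use"]):
            e["last_use"] = pol["use"]
    return out

def is_idle(entry, now, threshold_seconds):
    """True if no packet matched the policies for longer than the threshold;
    now is a datetime or a string in the ip(8) time format."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    last = entry["last_use"]
    return last is None or (now - last).total_seconds() > threshold_seconds
```

On the posted data the script reports 265935 bytes / 786 packets for reqid 7, a first use at 06:50:06 (from the SAs) and a last use at 07:33:09 (from the policies); a liveness check that only looked at the SA would consider the tunnel idle since 06:50 although traffic flowed forty minutes later.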
Re: [strongSwan] How to trigger IKE automatically?
Hello Jianqing,

yes, this is possible using the auto=route configuration option. Have a look at the corresponding IKEv1 and IKEv2 scenarios:
http://www.strongswan.org/uml/testresults43/ikev1/net2net-route/
http://www.strongswan.org/uml/testresults43/ikev2/net2net-route/
where a ping [or any IP packet] triggers the setup of the IPsec connection.

Best regards
Andreas

Jianqing Zhang wrote:
I want to configure strongSwan in such a way that, once a communication session, say ping, is initialized by host A to host B, IKE would be triggered automatically and an IPsec tunnel would be set up between A and B on demand, given that everything else, such as certificates, keys, etc., is already there and ipsec has been started. Somebody tells me I can create a corresponding SP on each side first, then IKE or SA negotiation will be triggered if the traffic matches the SP selector. Can I make it by configuring ipsec.conf?
Thanks
Jianqing
Re: [strongSwan] [PATCH] Improve DPD error message
Hello Thomas,

checked into HEAD:
http://wiki.strongswan.org/repositories/revision/1/acb34739e4423f243ae4d5c7d3a3f807f99bac61

Thanks
Andreas

Thomas Jarosch wrote:
Hello, attached is a small patch to improve one DPD error message which occurred when we debugged an obscure setup: multiple tunnels to the same fixed IP address endpoint using a different X.509 key for phase 1; DPD went crazy sometimes. Now all tunnels to the same fixed IP address share one X.509 key. Hope this helps someone in the future when/if we see this message again.
Cheers,
Thomas
[strongSwan] ANNOUNCE: strongswan-4.3.3 released
Hi,

strongswan-4.3.3 is out and offers two new features:

Optional Integrity Checksum Tests
---------------------------------

The configuration option --enable-integrity-test plus the strongswan.conf option libstrongswan.integrity_test=yes activate integrity tests of the IKE daemons charon and pluto, libstrongswan and all loaded plugins. Thus dynamic library misconfigurations and non-malicious file manipulations can be reliably detected. More details can be found under the following wiki link:
http://wiki.strongswan.org/wiki/strongswan/IntegrityTest

All our rw-cert UML test scenarios are run with enabled integrity and crypto tests, e.g.
http://www.strongswan.org/uml/testresults43/ikev1/rw-cert/moon.auth.log
http://www.strongswan.org/uml/testresults43/ikev2/rw-cert/moon.daemon.log

IKEv1 Suite B Interoperability with MS Windows
----------------------------------------------

The new default setting libstrongswan.ecp_x_coordinate_only=yes allows IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20. Additionally the IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP authenticated encryption algorithms. Together with ECDSA signatures the strongSwan IKEv1 functionality is now compliant with Suite B as defined by RFC 4869.
http://tools.ietf.org/html/rfc4869

Still missing is AES-GMAC support by the Linux kernel (the crypto code is there somewhere but the XFRM interface isn't [yet]). Anyway, using ECP DH groups, ECDSA certificates and AES-GCM ESP authenticated encryption we did a couple of successful interoperability tests with the IPsec functionality of the Windows 7/Vista/Server 2008 Advanced Firewall:
http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB

Security Update
---------------

The RDN parser vulnerability discovered by the Orange Labs research team two months ago was not completely fixed by version 4.3.2. Some more modifications had to be applied to the asn1_length() function to make it robust.
Patches for older versions are available under the link
http://download.strongswan.org/patches/07_asn1_length_patch/

Best regards

Andreas Steffen, strongSwan Project Leader
Martin Willi, IKEv2 Software Architect
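The announcement does not say what was changed in asn1_length(). As an added illustration, written for this page and not strongSwan's code, here is a small defensive DER length decoder in Python together with the kind of SEQUENCE walk an RDN parser performs over a Name: every length is validated (short form, minimal long form of at most four bytes, no indefinite form, never more bytes than actually remain) before it is used to slice the buffer. The sample encodings are constructed: one well-formed SEQUENCE and four malformed length fields of the kinds such a function has to reject.

```python
# Added example, not strongSwan's code: a defensive DER length decoder and
# a SEQUENCE walker of the shape an RDN parser uses over a Name.


class DERError(ValueError):
    """Raised for anything that is not a well-formed DER length or TLV."""


def der_length(buf, offset=0):
    """Decode the length at buf[offset:]; return (length, bytes_consumed)."""
    if offset >= len(buf):
        raise DERError("missing length byte")
    first = buf[offset]
    if first < 0x80:                      # short form: one byte, 0..127
        length, consumed = first, 1
    elif first == 0x80:                   # BER indefinite form, never in DER
        raise DERError("indefinite length not allowed in DER")
    else:                                 # long form: 0x8n followed by n bytes
        n = first & 0x7F
        if n > 4:
            raise DERError("length field of %d bytes too large" % n)
        if offset + 1 + n > len(buf):
            raise DERError("truncated length field")
        body = buf[offset + 1:offset + 1 + n]
        if body[0] == 0:
            raise DERError("non-minimal length (leading zero byte)")
        length = int.from_bytes(body, "big")
        if length < 0x80:
            raise DERError("non-minimal length (short form required)")
        consumed = 1 + n
    remaining = len(buf) - offset - consumed
    if length > remaining:                # the check every caller relies on
        raise DERError("length %d exceeds remaining %d bytes" % (length, remaining))
    return length, consumed


def der_tlv(buf, offset=0):
    """Parse one TLV; return (tag, value, offset_after_value)."""
    if offset >= len(buf):
        raise DERError("missing tag byte")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not supported")
    length, consumed = der_length(buf, offset + 1)
    start = offset + 1 + consumed
    return tag, buf[start:start + length], start + length


def der_sequence_items(buf):
    """Return the direct children (tag, value) of a top-level SEQUENCE."""
    tag, body, end = der_tlv(buf, 0)
    if tag != 0x30:
        raise DERError("expected SEQUENCE, got tag 0x%02x" % tag)
    if end != len(buf):
        raise DERError("%d trailing bytes after SEQUENCE" % (len(buf) - end))
    items, off = [], 0
    while off < len(body):                # each child's length is bounded by body
        t, v, off = der_tlv(body, off)
        items.append((t, v))
    return items


def validate(buf):
    """None if buf is a well-formed SEQUENCE, otherwise the error message."""
    try:
        der_sequence_items(buf)
    except DERError as err:
        return str(err)
    return None


# Constructed samples: SEQUENCE { INTEGER 5, UTF8String "test" } and four
# malformed variants of its length fields.
GOOD = bytes.fromhex("3009" "020105" "0c0474657374")
BAD = {
    "overlong":    bytes.fromhex("300a" "020105"),               # 10 > 3 remaining
    "indefinite":  bytes.fromhex("3080" "020105" "0000"),        # 0x80 length byte
    "non_minimal": bytes.fromhex("308103" "020105"),             # 3 needs short form
    "huge_field":  bytes.fromhex("3085" "0000000003" "020105"),  # 5 length bytes
}
```

The order of the checks matters: the bounds test against the remaining bytes runs after the long-form decoding, so a crafted length can never turn into a slice beyond the buffer, and the SEQUENCE walk reuses the same decoder on the already-bounded body, so a bad inner length fails in the same place.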
Re: [strongSwan] support for tunnel configuration
Hi Vivek,

vivek bairathi wrote:
Hi all, I have a requirement for creating tunnel SAs. After reading strongswan documentation and code I arrived at the following conclusion:

1. left|right source IP in the conn section of ipsec.conf is used to specify the internal IP in the tunnel (virtual IP). The external tunnel IP will be filled in the left|right parameters. Is this assumption correct?

This is not correct. Let us assume that left is local and right is remote. Then leftsourceip=<virtual IP address> or leftsourceip=%config define a virtual IP address to be used as source address within the IPsec tunnel. This is equivalent to setting the source traffic selector to leftsubnet=<virtual IP address>/32 but does not change in any way the left= setting, which is used as the source address of the ESP packet.

2. How does the stack distinguish whether the IP address that is being added is the external IP or the internal IP in the tunnel?

See point 1 above.

3. How is the addition/deletion of the external tunnel IP address and the internal IP handled differently by charon?

Available external IP addresses are automatically detected by strongSwan using RT_NETLINK. E.g. defining left=%any will select the outer source address based on the actual route to right. This can be very helpful in multi-homing environments.

Virtual IP addresses are installed by strongSwan via RT_NETLINK by adding a new virtual IP address as an alias of the physical interface used.
ip addr list dev eth0
will show the virtual IPs associated with eth0. By installing a source route in table 220, which is shown by the command
ip route list table 220
all plaintext packets with destination rightsubnet will assume the virtual IP as their source address before being encapsulated by ESP.
Thanks
Regards,
Vivek

Regards
Andreas
Re: [strongSwan] support for tunnel configuration
Hi Vivek,

you can change any connection parameter by
1) redefining it in ipsec.conf
2) taking down the active connection by executing
   ipsec down <connection name>
3) executing ipsec update, which transfers the new connection definition to the charon daemon
4) executing ipsec up <connection name> if auto=add. With auto=start the connection will be restarted by ipsec update.

Best regards
Andreas

Hi, thanks for your detailed response.
1. We had a requirement to change the internal/virtual IP at runtime after charon is spawned. Is it possible to change the internal/virtual IP in a tunnel once the stack is spawned? We went through the code and found that deletion of the outer/tunnel IP and the inner/virtual IP is detected and handled by charon. However, addition of an IP address is detected only for the outer/tunnel IP? How can I change the internal IP associated with the tunnel IP after charon is spawned?
Can the following parameters be changed at runtime after charon is spawned:
1. The authentication parameter be changed from PSK to CERT / CERT to PSK?
2. Re-keying time of the IKE/IPsec SA: can the new re-keying value be assigned to new SAs created henceforth?
3. Encryption algorithm can be changed for an IKE SA?
It would be a great help if you could answer the above queries.
Thanks
Regards,
Vivek

On 7/27/09, Andreas Steffen andreas.stef...@strongswan.org wrote:
Hi Vivek,

vivek bairathi wrote:
Hi all, I have a requirement for creating tunnel SAs. After reading strongswan documentation and code I arrived at the following conclusion:

1. left|right source IP in the conn section of ipsec.conf is used to specify the internal IP in the tunnel (virtual IP). The external tunnel IP will be filled in the left|right parameters. Is this assumption correct?

This is not correct. Let us assume that left is local and right is remote. Then leftsourceip=<virtual IP address> or leftsourceip=%config define a virtual IP address to be used as source address within the IPsec tunnel.
This is equivalent to setting the source traffic selector to leftsubnet=<virtual IP address>/32 but does not change in any way the left= setting, which is used as the source address of the ESP packet.

2. How does the stack distinguish whether the IP address that is being added is the external IP or the internal IP in the tunnel?

See point 1 above.

3. How is the addition/deletion of the external tunnel IP address and the internal IP handled differently by charon?

Available external IP addresses are automatically detected by strongSwan using RT_NETLINK. E.g. defining left=%any will select the outer source address based on the actual route to right. This can be very helpful in multi-homing environments.

Virtual IP addresses are installed by strongSwan via RT_NETLINK by adding a new virtual IP address as an alias of the physical interface used.
ip addr list dev eth0
will show the virtual IPs associated with eth0. By installing a source route in table 220, which is shown by the command
ip route list table 220
all plaintext packets with destination rightsubnet will assume the virtual IP as their source address before being encapsulated by ESP.

Thanks
Regards,
Vivek

Regards
Andreas
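To make the leftsourceip semantics in the exchange above concrete, here is an added example configuration (written for this page, not taken from strongSwan's distribution or its test scenarios; the addresses, certificate names, connection names and the virtual IP pool are assumptions). The outer address stays in left=/right=; the virtual IP is only ever requested with leftsourceip on the client and assigned from rightsourceip on the gateway:

```conf
# /etc/ipsec.conf on the client (left = local) -- assumed names/addresses
conn home
    left=%any                  # outer ESP source, chosen from the route to right
    leftsourceip=%config       # request a virtual IP; implies leftsubnet=<virtual IP>/32
    leftcert=clientCert.pem
    leftid="C=CH, O=Example, CN=client"
    right=192.0.2.1            # gateway's outer address (assumed)
    rightid="C=CH, O=Example, CN=gateway"
    rightsubnet=10.1.0.0/16    # plaintext to this net leaves with the virtual IP as source
    keyexchange=ikev2
    auto=start

# /etc/ipsec.conf on the gateway (left = local)
conn rw
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftcert=gatewayCert.pem
    leftid="C=CH, O=Example, CN=gateway"
    right=%any
    rightsourceip=10.3.0.0/16  # pool from which virtual IPs are handed out to clients
    keyexchange=ikev2
    auto=add
```

After ipsec up home on the client, ip addr list dev eth0 shows the assigned 10.3.0.0/16 address as an alias on the interface and ip route list table 220 shows the source route for 10.1.0.0/16; the outer ESP packets still carry the interface's own address. Changing the virtual IP later follows the procedure Andreas gives above: edit the conn, ipsec down home, ipsec update, ipsec up home.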
Re: [strongSwan] FW: strongSwan installs SPs?
Hi Stephen,

strongSwan can assign a preliminary IPsec SA and a corresponding reqid using auto=route without installing an SPD in the kernel (installpolicy=no). This is used in our Mobile IPv6 scenario:
http://wiki.strongswan.org/wiki/strongswan/MobileNodeSetup

The current disadvantage is that the XFRM_ACQUIRE message which will trigger the actual IKE negotiation must use the correct reqid. This is not a problem if only one tunnel is managed but might be tricky with multiple tunnel definitions pre-started with auto=route. As an alternative we could create the SA definition on demand applying a closest match on the traffic selectors that are received via the XFRM_ACQUIRE message.

Best regards
Andreas

Stephen Pisano wrote:
Hi Andreas,
That is just the kind of solution I had in mind. Are you aware of any other SPD dependencies? I think I found one, which I wanted to get your view on. The area of functionality is SA establishment via a kernel ACQUIRE. In ike_sa.c:acquire(), there is the following snippet:

    /* find CHILD_SA */
    iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
    while (iterator->iterate(iterator, (void**)&current))
    {
        if (current->get_reqid(current) == reqid)
        {
            child_sa = current;
            break;
        }
    }
    iterator->destroy(iterator);
    if (!child_sa)
    {
        DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: CHILD_SA not found", reqid);
        return FAILED;
    }

I interpret this to mean that you can only initiate an SA establishment via a kernel ACQUIRE if there is an existing SA (which was generated with a policy in the SPD, having a certain reqid). Is this a correct interpretation?
Thanks,
Stephen

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Wednesday, July 22, 2009 7:20 AM
To: Stephen Pisano
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] FW: strongSwan installs SPs?

Hi Stephen,

we could introduce e.g.
a new charon.no_spd_available configuration option in /etc/strongswan.conf that would redefine the child_sa_t.get_usetime() method:
http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/sa/child_sa.c#L357

Instead of using the kernel_interface->query_policy() method, a new kernel_interface->query_sa() method, which we wanted to implement anyway in one of the next releases, would retrieve the current number of packets/bytes and compare it with the previously retrieved value cached in the child_sa_t object. I think I even implemented such an approach in pluto's KLIPS kernel interface many years ago.

Best regards
Andreas

Stephen Pisano wrote:
Thanks Andreas, please see my comment below.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Wednesday, July 22, 2009 2:12 AM
To: Stephen Pisano
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] FW: strongSwan installs SPs?

Hello Stephen,

installpolicy=no just means that the IKEv2 charon daemon does not use the add_policy() and del_policy() methods of the kernel interface to actively manage the IPsec policies but delegates these tasks to another process on the same host. charon still uses the query_policy() method to get the use_time status information for liveliness checks.

[pisano] Ah, yes, I understand what you're saying, but consider an application where the SPD is not used and the IKE daemon is to be used for SA management alone. With the current behavior, this places a dependency between the IKE daemon and the presence of a policy in the SPD.

Concerning your question why we don't query the SA's use_time instead, you are not the only one wondering about this. The problem with the Linux kernel's NETLINK IPsec implementation is that the SA's use_time stores the time of *first* use but unfortunately not the *latest* use, whereas only the associated IPsec policy keeps track of the desired information.

[pisano] Yes, I see the issue with using SA use_time.
The attached status output of ip xfrm state and ip xfrm policy shows that both the SA and policy were added at 2009-07-22 06:45:45 and the SA was first used five minutes later at 2009-07-22 06:50:06. Shortly before generating this output I sent data over the IPsec tunnel, so the policies show 07:31:30 and 07:33:09 for the outbound and inbound direction, respectively. Strangely enough, if you want to gather information about the number of bytes / packets sent over a tunnel you can retrieve this data from the SAs only.

[pisano] Perhaps the use of the SA's byte or packet counts would be a better choice to indicate activity liveness?

Best regards
Andreas

Stephen Pisano wrote:
A follow-up to Mugur's question... It appears that the SA activity portion
Re: [strongSwan] ipsec update kills current connection without config change
Hi Michael,

due to the additional keywords introduced for the Multiple Authentication Exchanges with the strongSwan 4.3 branch, the KW_END_FIRST..KW_END_LAST range did not map to the KW_LEFT and KW_RIGHT ranges any more. This bug has been fixed with the following patch:
http://wiki.strongswan.org/repositories/diff/strongswan?rev=ecff28c5c5721008954be93adf2ce51a35edcb4c

Could you test the 4.3.4rc1 release candidate?
http://download.strongswan.org/strongswan-4.3.4rc1.tar.bz2

Regards
Andreas

Michael Niehren wrote:
Hi again,
I've debugged the problem a lot more (it's still in V4.3.3). The cause seems to come from the definition of the starter_end struct (confread.h). The function starter_cmp_end always returns FALSE because the function
cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
always returns FALSE. The only difference between V4.2.16 (where the problem does not occur) and V4.3.3 is the definition of the starter_end struct that is compared in the line
cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
Could someone of the developers take an eye on that?
kind regards,
Michael

On Thursday, 4 June 2009 15:00, Michael Niehren wrote:
Hi together,
Subject says it all. I have configured 1 connection in the ipsec.conf and the connection comes up after start. But if I call ipsec update the connection will be deleted and is started again. And I could not find a reason for that, the config is the same. Is it not possible to add a connection without deleting other running connections?
hope someone could help me
Michael

I am using strongSwan V4.3.1 and here is my ipsec.conf
---
config setup
    nat_traversal=yes

conn %default
    authby=rsasig
    keyingtries=1
    keylife=20m
    ikelifetime=240m
    left=%defaultroute
    leftcert=public_tuxvpnrobo.tuxgreen.de.pem
    leftupdown=/etc/ipsec.d/scripts/updown.tux
    esp=aes256,aes192,aes128,3des
    ike=aes256,aes192,aes128,3des
    auto=start
    dpdaction=clear

conn robovpntest
    leftsubnet=192.168.23.0/24
    right=217.11.60.3
    rightsubnet=10.89.0.0/24
    rightcert=public_okawango.tuxgreen.de.pem
Re: [strongSwan] Does strongswan support DSCP mark feature
Hi Iris,

strongSwan is able to set up multiple concurrent IPsec SAs between two hosts, and the Linux netfilter kernel module is able to filter traffic according to DSCP marking, but the Linux kernel currently unfortunately is not able to assign plaintext traffic to individual IPsec SAs according to its DSCP marking. This would require some non-trivial changes in the Linux IPsec stack. Although this is not primarily a strongSwan issue we would be interested in implementing this QoS feature in the kernel if someone would be willing to sponsor this endeavour.

Best regards
Andreas

Iris Su wrote:
Hi, does anyone know if strongswan supports DSCP Marking? If the answer is Yes, can we configure it? (enable or disable DSCP)
BR,
Iris
Re: [strongSwan] Help - received AUTHENTICATION_FAILED notify error
    -genkey -text \
    -out dave-key-unprotected.pem
# to password protect the pvt key, run this next line
openssl ec -in dave-key-unprotected.pem -out dave-key.pem \
    -aes128 -passout pass:pswd
#---
# generate a user CSR (unsigned)
openssl req -new -x509 -days 730 -sha256 -key dave-key.pem \
    -out tmp.pem -passin pass:pswd < ../promptsClient.txt
# sign it
openssl x509 -x509toreq -sha256 -in tmp.pem -signkey dave-key.pem \
    -passin pass:pswd -out dave-req.pem
#---
#---
# CA accepts CSR and signs a cert
# ***
# *** cert signed with ecdsa-with-SHA1 in ***
# *** spite of request to use SHA-256 or ***
# *** value of default_md in openssl.cnf ***
# ***
openssl ca -policy policy_anything -days 720 -md sha256 \
    -out dave-cert.pem -infiles dave-req.pem < ../promptsYY.txt
# let's see it
openssl x509 -text -in dave-cert.pem
#---
# put user's private key, cert, and CA cert in a keystore
openssl pkcs12 -export -out dave.p12 -password pass:pswd \
    -in dave-cert.pem -inkey dave-key.pem \
    -passin pass:pswd -name thunderbug-key \
    -certfile demoCA/cacert.pem -caname myCA

Now the result of ipsec listall is:

MOON
***
moon:/etc/ipsec.d/CA# ipsec listall

List of X.509 End Entity Certificates:

  subject:  C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=moon
  issuer:   C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
  serial:   01
  validity: not before Jul 29 23:15:52 2009, ok
            not after  Jul 19 23:15:52 2011, ok
  pubkey:   ECDSA 256 bits
  keyid:    15:29:7f:82:a3:4a:b6:6e:0b:73:bb:3c:40:67:d4:63:18:30:c3:f2
  subjkey:  5d:74:0b:30:eb:62:aa:22:15:ec:14:34:6f:fc:da:6f:43:5d:ce:a9
  authkey:  a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2

List of X.509 CA Certificates:

  subject:  C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
  issuer:   C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
  serial:   00:92:d3:29:9d:9f:0b:be:5c
  validity: not before Jul 28 22:27:34 2009, ok
            not after  Jul 28 22:27:34 2019, ok
  pubkey:   ECDSA 256 bits
  keyid:    1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc
  subjkey:
5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68 authkey: 5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68 moon:/etc/ipsec.d/CA# DAVE ** dave:/etc/ipsec.d# ipsec listall List of X.509 End Entity Certificates: subject: C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave issuer: C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon serial:02 validity: not before Jul 29 23:15:53 2009, ok not after Jul 19 23:15:53 2011, ok pubkey:ECDSA 256 bits, has private key keyid: 66:19:f8:1d:bb:ad:df:7b:94:88:8d:78:fc:89:d8:68:37:a9:bd:96 subjkey: a1:72:33:c8:d6:dc:e9:a2:50:c8:bb:25:93:33:0d:d4:4e:e0:5e:8a authkey: a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2 dave:/etc/ipsec.d# the content of /var/log/auth.log: MOON Jul 29 23:54:31 moon ipsec_starter[3035]: Starting strongSwan 4.2.4 IPsec [starter]... Jul 29 23:54:45 moon charon: 09[AUD] 192.168.0.238 is initiating an IKE_SA Jul 29 23:54:46 moon charon: 10[AUD] authentication of 'C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave' with ECDSA-256 signature failed DAVE Jul 29 23:54:46 dave charon: 09[AUD] initiating IKE_SA 'home' to 192.168.0.216 Jul 29 23:54:48 dave charon: 10[AUD] establishing CHILD_SA Jul 29 23:54:48 dave charon: 11[AUD] received AUTHENTICATION_FAILED notify error Jul 29 23:54:48 dave charon: 11[AUD] establishing CHILD_SA failed the content of /etc/ipsec.secret is: MOON ** : ECDSA /etc/ipsec.d/private/moon-key.pem pswd DAVE ** : ECDSA /etc/ipsec.d/private/dave-key.pem pswd I did: 1) copy the cacert created on moon to dave /etc/ipsec.d/cacerts 2) copy the private key davekey.pem (created on moon) to dave /etc/ipsec.d/private 3) copy the certificate dave-cert.pem (created on moon) to dave /etc/ipsec.d/certs what is wrong? Thanks for yours support. Adam == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution
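Before chasing the signature algorithm, the first thing to check in the listings above is whether the end-entity certificates chain to the CA certificate charon has actually loaded: in both `ipsec listall` outputs the end-entity certs carry authkey a7:db:14:..., while the only CA certificate listed has subjkey 5a:a3:95:.... The script below is an added example, not code from the thread or from strongSwan. It parses the text format of `ipsec listall` (the sample is constructed from the output above, abbreviated) and reports every end-entity certificate whose authkey matches no loaded CA certificate's subjkey.

```python
"""Check that every end-entity certificate listed by `ipsec listall` chains
to a CA certificate that is actually loaded (authkey == some CA subjkey)."""
import re

# Constructed sample, abbreviated from the two listings in the thread.
SAMPLE_LISTALL = """\
List of X.509 End Entity Certificates:

  subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave"
  issuer:   "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
  serial:    02
  pubkey:    ECDSA 256 bits, has private key
  keyid:     66:19:f8:1d:bb:ad:df:7b:94:88:8d:78:fc:89:d8:68:37:a9:bd:96
  subjkey:   a1:72:33:c8:d6:dc:e9:a2:50:c8:bb:25:93:33:0d:d4:4e:e0:5e:8a
  authkey:   a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2

List of X.509 CA Certificates:

  subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
  issuer:   "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
  serial:    00:92:d3:29:9d:9f:0b:be:5c
  pubkey:    ECDSA 256 bits
  keyid:     1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc
  subjkey:   5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
  authkey:   5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
"""

SECTION_RE = re.compile(r"^List of X\.509 (.+?) Certificates:")
FIELD_RE = re.compile(r"^\s+(subject|issuer|subjkey|authkey):\s+(.*)$")


def parse_listall(text):
    """Return {"End Entity": [cert, ...], "CA": [cert, ...]}.

    Each cert is a dict of the fields we care about. A new "subject:" line
    starts a new certificate; other fields are attached to the current one.
    """
    sections, section, cert = {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            cert = None
            continue
        m = FIELD_RE.match(line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key == "subject":
            cert = {}
            sections[section].append(cert)
        if cert is not None:
            cert[key] = value
    return sections


def unchained_certs(text):
    """Subjects of end-entity certs whose authkey matches no CA subjkey."""
    sections = parse_listall(text)
    ca_subjkeys = {c["subjkey"] for c in sections.get("CA", []) if "subjkey" in c}
    return [c["subject"] for c in sections.get("End Entity", [])
            if c.get("authkey") not in ca_subjkeys]


if __name__ == "__main__":
    for subject in unchained_certs(SAMPLE_LISTALL):
        print("no loaded CA certificate matches the authkey of:", subject)
```

Run it against the real output (`ipsec listall | python3 check_chain.py` after replacing the sample with `sys.stdin.read()`); an empty result means every end-entity certificate was issued by a CA in /etc/ipsec.d/cacerts, and the search can move on to the signature hash and the peer's trust settings.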
Re: [strongSwan] cross-compilation
Hi,

does

  CFLAGS=-I./build/INSTALL_STAGE/gmp-4.2.1/usr/include ./configure ...

help?

Regards
Andreas

Yong Choo wrote:
I've updated gmp to 4.2.1 on the cross-compilation build (under WindRiver Linux Distribution for the mpc arch). The gmp.h file is put into ./build/INSTALL_STAGE/gmp-4.2.1/usr/include/gmp.h (by looking at the build log).

When I tried to do package installation/compilation (under WindRiver) for strongswan 4.3.2, I get the following error:

  checking gmp.h version >= 4.1.4... no
  configure: error: No usable gmp.h found!

Any suggestion on what I can give as an option to recognize the proper location/version of 'gmp.h'? (or not possible)

The ./configure options that are used are:

  + ./configure --host=powerpc-wrs-linux-gnu --build=i686-crosscompile-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=wrs_config_cache

Thanks Much!
-Yong Choo
Re: [strongSwan] ipsec update kills current connection without config change
Hi Michael,

I found and fixed another bug introduced by the redefinition of the bool standard type some time ago. bool now maps to a char, not an int, under Linux, so boolean arguments must be handled separately by cmp_args():

  http://wiki.strongswan.org/repositories/diff/strongswan?rev=10c13ed26474d11427fb82b7941be88bc9a04961

Apply this patch or use the new release candidate

  http://download.strongswan.org/strongswan-4.3.4rc2.tar.bz2

I successfully tested the fix with your ipsec.conf: ipsec update does not cause a reload of the config any more :-)

Kind regards
Andreas

Michael Niehren wrote:
Hi Andreas,

thanks for your help, but the problem still exists in V4.3.4rc1. I am currently using kernel V2.6.27.28. I will try out the V4.3.3 with the patch ...

kind regards,
Michael

On Tuesday, 28 July 2009 16:00, Andreas Steffen wrote:
Hi Michael,

due to the additional keywords introduced for the Multiple Authentication Exchanges with the strongSwan 4.3 branch, the KW_END_FIRST..KW_END_LAST range did not map to the KW_LEFT and KW_RIGHT ranges any more. This bug has been fixed with the following patch:

  http://wiki.strongswan.org/repositories/diff/strongswan?rev=ecff28c5c5721008954be93adf2ce51a35edcb4c

Could you test the 4.3.4rc1 release candidate?

  http://download.strongswan.org/strongswan-4.3.4rc1.tar.bz2

Regards
Andreas

Michael Niehren wrote:
Hi again,

I've debugged the problem a lot more (it's still in V4.3.3). The cause seems to come from the definition of the starter_end struct (confread.h). The function starter_cmp_end always returns FALSE because the function

  cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);

always returns FALSE. The only difference between V4.2.16 (where the problem does not occur) and V4.3.3 is the definition of the starter_end struct that is compared in the line

  cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);

Could someone of the developers take an eye on that?

kind regards,
Michael

On Thursday, 4 June 2009 15:00, Michael Niehren wrote:
Hi together,

Subject says it all. I have configured 1 connection in the ipsec.conf and the connection comes up after start. But if I call ipsec update the connection will be deleted and is started again. And I could not find a reason for that, config is the same. Is it not possible to add a connection without deleting other running connections?

hope someone could help me
Michael

I am using strongSwan V4.3.1 and here is my ipsec.conf
---
config setup
        nat_traversal=yes

conn %default
        authby=rsasig
        keyingtries=1
        keylife=20m
        ikelifetime=240m
        left=%defaultroute
        leftcert=public_tuxvpnrobo.tuxgreen.de.pem
        leftupdown=/etc/ipsec.d/scripts/updown.tux
        esp=aes256,aes192,aes128,3des
        ike=aes256,aes192,aes128,3des
        auto=start
        dpdaction=clear

conn robovpntest
        leftsubnet=192.168.23.0/24
        right=217.11.60.3
        rightsubnet=10.89.0.0/24
        rightcert=public_okawango.tuxgreen.de.pem
Re: [strongSwan] strongSwan installation error !!!
Hi Gowsalai,

does this mean that the header file gmp.h is located in the directory /usr/local/strongSwan/gmp/include/?

Regards
Andreas

Hi,

Getting the following error

  configure: error: GNU Multi Precision library gmp not found

when I tried to do the following step.

  ./configure --prefix=/usr/local/strongSwan --sysconfdir=/usr/local/strongSwan/etc --enable-sqlite --enable-sql

Please note sqlite and gmp are installed already.

  # ls -l /usr/local/strongSwan/sqlite/
  total 12
  drwxr-xr-x 2 root root 4096 Aug 10 15:27 bin
  drwxr-xr-x 2 root root 4096 Aug 10 15:27 include
  drwxr-xr-x 3 root root 4096 Aug 10 15:27 lib

  # ls -l /usr/local/strongSwan/gmp/
  total 12
  drwxr-xr-x 2 root root 4096 Aug 10 15:43 include
  drwxr-xr-x 2 root root 4096 Aug 10 15:43 info
  drwxr-xr-x 2 root root 4096 Aug 10 15:43 lib

The environment to compile the strongSwan is set

  # echo $LDFLAGS
  -L/usr/local/strongSwan/gmp/lib/ -L/usr/local/strongSwan/sqlite/lib/
  # echo $CFLAGS
  -I/usr/local/strongSwan/sqlite/include/ -I/usr/local/strongSwan/gmp/include/

Please help me to get the installation through.

Regards,
Gowsalai
Re: [strongSwan] Fetching attribute certificates from LDAP?
Hi Juha,

you are the first person ever to ask about attribute certificates :-) If you are interested in using them in an application then we might implement attribute certificate fetching from LDAP and also complete the support in IKEv2.

Best regards
Andreas

Mustonen, Juha wrote:
Any guesses when we might see this feature in Strongswan?

Regards,
Juha
Re: [strongSwan] pluto: crl not found
Aha, since the pluto daemon is not fully multi-threaded, the second thread used for asynchronous crl fetching must be activated by setting crlcheckinterval > 0 seconds, as in

  config setup
        crlcheckinterval=600

which would check for a fresh crl every ten minutes. This parameter is ignored by the IKEv2 daemon since charon fetches CRLs synchronously within the current thread.

Best regards
Andreas

Mustonen, Juha wrote:
I have tested a setup where the CRL is fetched from an LDAP server. With IKEv2 the setup works, with IKEv1 it does not. The only difference between these is the value of the keyexchange parameter in ipsec.conf. Strongswan version is 4.3.3. Any idea what could be the reason for this?

Regards,
Juha
Re: [strongSwan] Multicast IPSec
Hi Juha,

two of my Bachelor students have just completed a Multicast Security Concept for IPsec which requires only minor extensions of the IKEv2 protocol in order for a Multicast Group Controller and Key Server (GCKS) to distribute group keys via GROUP_SAs to its authenticated and authorized subscribers. Unfortunately the thesis is available in German only:

  http://security.hsr.ch/theses/BA_2009_MulticastSecurity-using-IPsec.pdf

but we are thinking about writing an Internet Draft based on it.

Best regards
Andreas

Mustonen, Juha wrote:
Hello,

I would have liked to use multicast communication in the application for which I have been studying IPSec (and Strongswan). However, as I was not able to find any real-life implementations (well, Cisco apparently has DGOI support, whatever that means), I was forced to replace multicast with a bunch of unicast connections and let the server application send the data N times. As in this particular application N is likely to be 1 most of the time and never a very large number this is not too bad, but it bothers me in principle.

Do you, Andreas/Martin/other members, know what is the status of RFCs for multicast + IPSec? The IETF MSEC working group does not seem to have done anything in years. Why? Is the specification/design work done somewhere else now?

Regards,
Juha
Re: [strongSwan] list of kernel configuration required available?
Here is a list of required menuconfig options:

  http://wiki.strongswan.org/wiki/strongswan/KernelModules

Regards
Andreas

Yong Choo wrote:
Does anyone know the full list of kernel configuration to be turned on in order to have strongswan working? This is a cross-compilation env for Windriver Linux 2.0:

For instance, looking at the kernel config file (which is generated automatically for now) knl-base.cfg, I see

  # CONFIG_NET_KEY is not set
  CONFIG_XFRM=y
  # CONFIG_XFRM_USER is not set
  etc

Thanks Much Again!
Re: [strongSwan] Simple Q on plugins
Most of the default plugins are required. Using

  ./configure --enable-<option> --disable-<option>

you can enable additional plugins or disable default plugins. E.g. if you decide to use the OpenSSL library (--enable-openssl) then you can disable the following default plugins:

  --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 --disable-gmp

The following link explains the use of the various plugins:

  http://wiki.strongswan.org/wiki/strongswan/Autoconf

Regards
Andreas

Yong Choo wrote:
I am trying to port the 4.3.3 to our powerpc target by cross-compiling. Finally got the compilation/link successful. There's one more step that I need to do, i.e. identifying the minimum set of files that are needed for our target (under WindRiver's Linux 2.0 release). Looking at the output, I see that there are many files under the libexec/ipsec/plugins dir.

1. What are these for?
2. For charon and other binary executables, are these needed? (I assume not but just wanted to make sure)

Thank You!
-Yong Choo
Re: [strongSwan] BUG: DN with email
Yes, this is actually the real fix, which was a corruption of the OID tree.

Regards
Andreas

Dimitrios Siganos wrote:
Yes, it does fix it. Thank you. I noticed that you committed some more changes related to email OIDs. Are they important? Should I get those too? I am referring to

  http://wiki.strongswan.org/repositories/revision/strongswan/fc0ed07c1f44d56ac9a5353c23e4cd79ee2594dd

Regards,
Dimitrios Siganos

Andreas Steffen wrote:
Hi Dimitrios,

yes, you are right. A recent refactoring of the RDN synthesis function introduced a wrong emailAddress OID (there are at least three of them but in most cases the PKCS#9 definition is still used). The following patch should fix your problem:

  http://wiki.strongswan.org/repositories/revision/1/c8b543a6fc28bc335212ec69d39cc57f5b0e4095

Best regards
Andreas

Dimitrios Siganos wrote:
Hi,

I believe I have found a bug with the latest strongswan. I used strongswan-4.3.3 and also the latest git code (commit 333b461aa689c29197dadb2a15abc3ccade0c89a). They both exhibit the same or similar problem.

The problem appears when I add an email address to a certificate DN and then try to use DN matching in strongswan.

This type of DN works:        C=UK, CN=host1
This type of DN doesn't work: C=UK, CN=host2, e=ho...@somewhere.com

To demonstrate the problem I created a very simple configuration with 2 self-signed certificates. One with an email in the DN and the other without. Then I try to set the leftid to be the same as the DN of the certificate and start the ipsec. It only works if I don't have an email set in the DN.

The following was tested using the git commit 333b461aa689c29197dadb2a15abc3ccade0c89a.
ipsec.conf: config setup strictcrlpolicy=no plutostart=no conn host1 right=%defaultroute leftcert=host1.cert leftid=C=UK, CN=host1 auto=add conn host2 right=%defaultroute leftcert=host2.cert leftid=C=UK, CN=host2, e=ho...@somewhere.com auto=add # ipsec.secrets: : RSA host1.key : RSA host2.key # openssl x509 -in host1.cert -text -noout: Certificate: Data: Version: 3 (0x2) Serial Number: a7:59:91:8d:a2:d8:e7:25 Signature Algorithm: sha1WithRSAEncryption Issuer: C=UK, CN=host1 Validity Not Before: Aug 18 14:17:23 2009 GMT Not After : Aug 18 14:17:23 2010 GMT Subject: C=UK, CN=host1 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bd:67:68:2a:65:05:cb:0e:41:82:b7:39:4d:f2: f3:85:77:17:2f:40:f0:83:d1:dc:34:eb:26:cf:7a: be:b3:a0:3e:24:4a:c1:4e:e4:11:1a:d4:c3:18:23: b7:86:db:e7:26:5a:c4:b8:dd:42:eb:5d:12:eb:a5: 70:9a:5b:40:2a:ba:74:49:7b:84:d6:37:ea:c5:a1: 30:28:dc:ce:34:c7:68:47:6a:80:3d:b9:bd:67:ee: 31:70:4d:8a:fb:64:5f:c6:68:fa:8c:56:b0:1a:47: 0a:94:b5:f6:28:de:0a:6d:4e:07:55:ab:e0:e0:7b: 92:51:ff:69:8f:c4:fc:15:c5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75 X509v3 Authority Key Identifier: keyid:48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75 DirName:/C=UK/CN=host1 serial:A7:59:91:8D:A2:D8:E7:25 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 0e:60:05:22:ca:42:59:95:c3:c8:d8:1d:c4:09:c8:03:1a:05: 2c:30:c3:ec:5d:47:8e:98:6b:60:c6:43:2e:d9:55:d2:01:83: b7:4a:c9:e7:28:8c:e8:e4:3e:76:84:48:f8:69:c7:e0:05:0b: 3d:5a:46:71:a6:ef:47:7b:c6:42:86:f6:eb:66:86:12:e3:1c: 57:40:54:4e:96:20:b6:b2:3e:b6:67:75:a0:f3:4d:ba:d9:ea: eb:bb:ee:80:7a:af:9d:43:0c:ca:8c:d2:56:7a:49:8a:8c:a1: 17:d0:fc:ba:88:b3:9e:6b:9d:41:a5:68:69:46:f7:c0:41:a4: 23:da # openssl x509 -in host2.cert -text -noout: Certificate: Data: Version: 3 (0x2) Serial Number: 8f:00:01:8a:0d:5d:0f:42 Signature Algorithm: 
sha1WithRSAEncryption Issuer: C=UK, CN=host2/emailaddress=ho...@somewhere.com Validity Not Before: Aug 18 14:17:02 2009 GMT Not After : Aug 18 14:17:02 2010 GMT Subject: C=UK, CN=host2/emailaddress=ho...@somewhere.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:c9:dd:90:db:c3:25:61:e6:f2:06:be:7c:9c:ba: 94:87:ec:c8:98:17:c8:bf:18:07:96:a4:32:00:4d
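The bug Andreas describes sits in how a DN string such as the leftid above is turned into attribute OIDs before it is compared with the certificate's subject: the same RDN can be written `E=`, `Email=` or `emailAddress=` (OpenSSL's -text output even separates it with a slash, as in the dump above), but what is compared is the OID, and the one in common use is PKCS#9 emailAddress, 1.2.840.113549.1.9.1. The script below is an added example, not strongSwan code. It parses a DN string into (OID, value) pairs and compares two DNs that way, and then shows how a single wrong OID in the lookup table (the `BROKEN_OIDS` table and its `1.2.3.4` value are made up for the demonstration) makes a leftid that prints identically to the certificate subject fail to match. The e-mail address used is constructed; the one in the thread is redacted.

```python
"""Compare X.509 distinguished names by attribute-type OID, not by the
attribute's printed name."""
import re

# Attribute-type names mapped to OIDs: X.520 types plus PKCS#9 emailAddress.
# Lookup is case-insensitive; all three e-mail spellings map to one OID.
ATTRIBUTE_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3",
    "E": "1.2.840.113549.1.9.1", "EMAIL": "1.2.840.113549.1.9.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
}

# Hypothetical table that models the bug in the thread: the short alias "E"
# is synthesised with a wrong OID (1.2.3.4 is invented for this example).
BROKEN_OIDS = dict(ATTRIBUTE_OIDS, E="1.2.3.4")

# RDNs are separated by "," (strongSwan/ipsec.conf style) or "/" (OpenSSL's
# -text output puts emailAddress after a slash). Values containing either
# character are not handled by this string-level parser; real code works on DER.
_RDN_SPLIT = re.compile(r"\s*[,/]\s*")


def parse_dn(dn, table=ATTRIBUTE_OIDS):
    """Turn 'C=UK, CN=host2, E=x@y' into [(oid, value), ...] in order."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn.strip()):
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        oid = table.get(name.strip().upper())
        if oid is None:
            raise ValueError("unknown attribute type: %r" % name)
        rdns.append((oid, value.strip()))
    return rdns


def dn_equal(a, b, table=ATTRIBUTE_OIDS):
    """Two DNs match when every RDN has the same OID and value, in order."""
    return parse_dn(a, table) == parse_dn(b, table)


# Constructed inputs in the shape of the thread: the leftid as written in
# ipsec.conf and the subject as OpenSSL prints it for the same certificate.
LEFTID = "C=UK, CN=host2, E=host2@somewhere.com"
CERT_SUBJECT = "C=UK, CN=host2/emailAddress=host2@somewhere.com"

if __name__ == "__main__":
    print("correct OID table :", dn_equal(LEFTID, CERT_SUBJECT))
    print("broken OID table  :", dn_equal(LEFTID, CERT_SUBJECT, BROKEN_OIDS))
```

With the correct table the two spellings compare equal; with the broken one the comparison fails although both DNs print the same, which is exactly the symptom reported: host1 (no e-mail RDN) matches, host2 does not.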
Re: [strongSwan] anti-replay window size?
Hello,

currently the kernel interface method add_sa() of the IKEv2 daemon sets the replay window size to a constant value of 32:

  http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c#L965

whereas in the kernel interface method netlink_add_sa() of the IKEv1 daemon the size is configurable:

  http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/kernel_netlink.c#L606

but in kernel.c where netlink_add_sa() is called, the value is set invariably to 32, too.

Best regards
Andreas

Yong Choo wrote:
Is there a way of controlling the anti-replay window size, although I understand that strongswan supports it? I reviewed the man page of ipsec.conf but there is no mention of it.
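What that constant of 32 buys and costs is easiest to see by running the window algorithm itself. The class below is an added example, not strongSwan or kernel code: a user-space model of the sliding anti-replay window for 32-bit ESP sequence numbers, following the bitmap scheme described in RFC 4303 section 3.4.3 (extended sequence numbers are not modelled). The sequence of packets fed to it is constructed to show the three outcomes: accepted, rejected as a replay, and rejected as too old for the window even though never seen.

```python
"""Sliding anti-replay window for an inbound ESP SA (32-bit sequence numbers)."""


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the `size`
    numbers below it. Bit i of the bitmap is set when (last - i) was received."""

    def __init__(self, size=32):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.mask = (1 << size) - 1
        self.last = 0          # highest sequence number accepted so far
        self.bitmap = 0        # bit 0 corresponds to `last` itself
        self.replays = 0       # packets rejected because already seen
        self.too_old = 0       # packets rejected because left of the window

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and inside the window;
        otherwise return False and leave the window unchanged."""
        if seq == 0:
            return False       # ESP sequence numbers start at 1
        if seq > self.last:
            # Right of the window: slide it so that `seq` becomes the right edge.
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1    # jumped past the whole window; history is gone
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            self.too_old += 1      # arrived later than the window can remember
            return False
        if self.bitmap & (1 << diff):
            self.replays += 1      # duplicate of a packet already accepted
            return False
        self.bitmap |= 1 << diff   # late but within the window: accept once
        return True


def simulate(seqs, size=32):
    """Feed a sequence-number stream through one window; return the verdicts."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs], window


if __name__ == "__main__":
    # Constructed stream: in order, a gap, a late arrival, two replays,
    # a big jump, a packet 32 behind (dropped), and one 31 behind (kept).
    stream = (1, 5, 3, 3, 5, 100, 68, 69)
    verdicts, w = simulate(stream)
    for seq, ok in zip(stream, verdicts):
        print("seq %3d -> %s" % (seq, "accept" if ok else "reject"))
    print("replays=%d too_old=%d last=%d" % (w.replays, w.too_old, w.last))
```

The `68` case is the one a fixed 32-packet window hurts on: a packet delayed by 32 or more positions behind the newest one is dropped even though it was never seen before, so on links that reorder heavily or carry many parallel flows over one SA the operator wants a larger window, which is exactly the knob the thread says is not exposed.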
Re: [strongSwan] no trusted RSA public key found
:5b:f8:1f: 66:34:ce:69:6f:75:80:8d:e4:35:4b:45:74:6c:38: de:59:a3:2b:f0:fc:3f:26:1b:60:a8:b2:f4:0f:43: 09:54:5a:93:61:f1:d6:3f:71:5c:8a:a2:e8:f4:d5: 1d:57:87:88:a9:25:a2:19:bb:e1:72:ad:7b:be:70: 9c:1c:7b:30:89:4e:7f:f1:fc:c6:e8:cf:37:33:82: a4:c1:50:5c:01:44:e0:bc:6a:36:f8:b8:44:23:be: 48:96:7e:e6:9f:15:3d:b7:eb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: C4:1E:CC:CF:2D:51:16:7B:A1:3C:CE:1A:FD:35:23:CA:D9:1B:1D:BE X509v3 Authority Key Identifier: keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92:BD:97:A6:61:C2:23:E6:23 Signature Algorithm: sha1WithRSAEncryption 7b:98:6d:20:1b:87:33:56:9d:a3:4f:a8:9c:ae:b3:ad:b6:58: 31:41:5f:d4:38:1b:8c:51:ac:25:3f:cb:fc:99:0b:4b:19:9c: 77:92:ec:bf:67:1a:be:49:03:76:46:36:a8:88:8f:c3:ae:f0: f6:b5:b2:62:4d:77:ae:16:0f:76:e3:7d:9e:33:0e:7f:fd:47: 7a:69:89:9c:cb:ac:3d:8a:a4:14:ae:a2:7f:96:57:66:bb:58: c4:87:a2:86:c8:0d:52:f4:36:46:29:a4:1b:ac:bb:e8:2b:23: 3c:87:c7:07:2b:81:2d:19:f5:49:1f:9b:2f:93:3f:ba:76:40: a7:2b:d4:ac:df:ac:7e:21:fc:fd:d5:5d:57:2d:94:78:d8:eb: 91:df:e2:00:2c:80:35:87:68:c1:3e:74:79:14:c4:3e:ab:d4: 64:16:83:38:20:4f:be:f5:b7:36:6f:59:f2:d6:bd:34:fb:06: ec:a8:ef:05:90:ba:83:74:0b:a4:77:33:a2:93:67:5c:a4:c7: c3:de:83:56:dd:ad:0c:d7:56:30:c3:bf:82:71:c6:b9:23:98: 45:80:93:4c:f0:8b:97:58:c2:78:eb:37:73:ea:84:f4:4f:27: e4:17:f5:c0:d4:b0:7b:5e:01:7b:ee:42:46:0e:f2:d3:62:b1: f3:9b:13:7b The moonCert.pem [r...@localhost certs]# openssl x509 -in moonCert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang/emailaddress=zha...@alcatel-lucent.com Validity Not Before: Aug 26 03:35:21 2009 GMT Not After : Aug 26 03:35:21 2011 GMT Subject: C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA 
Public Key: (1024 bit) Modulus (1024 bit): 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77: eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5: 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73: 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1: c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e: 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01: c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e: 63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61: 18:7d:94:3b:22:f1:1c:25:51 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 00:A5:D7:C3:CF:B7:F0:C3:FA:E4:70:0F:F3:96:CE:99:CC:58:1A:BE X509v3 Authority Key Identifier: keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92:BD:97:A6:61:C2:23:E6:23 Signature Algorithm: sha1WithRSAEncryption 97:c0:5b:45:11:7b:34:d3:09:c7:ae:83:77:e1:d8:e6:5d:aa: 0b:17:3d:23:d6:4f:74:71:18:33:7d:99:dd:4c:3d:c9:61:ca: 0c:08:f9:40:07:37:1b:9b:06:dc:f8:12:8b:34:ff:b3:06:12: 9a:ec:08:07:68:52:58:15:4f:6d:f6:90:40:0d:8b:b0:a0:94: c9:d1:79:72:9f:c0:a6:ff:53:b1:ce:ac:7b:c3:3c:9a:dd:6b: da:8a:70:df:a1:c6:a9:80:2c:9a:71:ed:d9:ff:e8:b8:61:06: 50:a9:a7:3c:3f:d3:89:4e:b4:d5:c0:3c:28:bd:1a:61:17:51: 7d:de:3e:ab:bc:85:61:d5:d2:25:18:a4:54:94:b9:c4:67:56: 3d:73:60:0b:14:14:0a:71:ca:ef:c1:bb:05:74:71:fd:db:3d: aa:ba:eb:17:5a:10:9c:15:51:4b:2f:25:c3:e4:94:5f:b0:1a: e0:8d:63:31:53:ac:2d:7e:6c:d3:bd:59:45:a9:75:15:b1:eb: 0b:c7:58:d6:3a:2f:8d:7b:0d:80:b6:5d:d5:3e:cd:c7:ee:73: 1f:2a:d3:6d:c0:53:fa:1d:ae:38:4a:f4:91:71:97:2f:6b:57: 9d:63:2d:90:7f:71:3e:66:f8:72:c5:2b:c4:b6:c2:ac:c6:b9: 9d:47:30:11 Roger == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland
Re: [strongSwan] Pluto has died ??
Hi,

in order to help you I need the complete log plus your ipsec.conf file.

Regards
Andreas

Nguyễn Hoàng Anh wrote:
Hi all!

Today, I tried to install strongswan 4.3.4 and run some tests in the testing/tests/openssl-ikev1/ecdsa-certs directory. When I start ipsec and then view the log in /var/log/secure, I get this:

  ...
  ipsec_starter[10388]: pluto has died -- restart scheduled (5sec)

I tried restarting ipsec many times but still no result for good. What is this problem? How can I solve it?

My linux kernel version: 2.6.18 (downloaded at kernel.org and recompiled)

Thanks in advance!
Re: [strongSwan] get inner virtual IP
Hi Roger,

the assigned virtual IP address is available in the environment variable $PLUTO_MY_SOURCEIP in the /usr/libexec/ipsec/_updown script which is called by the charon daemon after the IPsec SA has been established successfully. You could adapt the _updown script so that it communicates the virtual IP address to your application. Alternatively your application could call the system command

  ip addr list dev eth0

and extract the virtual IP assigned to the physical interface.

Regards
Andreas

Zhang, Long (Roger) wrote:
Hi,

I have tried the IKEv2 config-payload example at

  http://www.strongswan.org/uml/testresults43/ikev2/config-payload/

successfully. I want to get the inner virtual IP address that is assigned by config-payload for later use in my application by SHELL command or TCL. Is there an easy way to get it? Currently I can only see it by ipsec status home and checking the last line. This is easy manually, but not easy for code to get accurately. So I want to ask if there is an easy and accurate way to get it?

  [r...@localhost etc]# ipsec statusall home
  Status of IKEv2 charon daemon (strongSwan 4.3.4):
    uptime: 28 minutes, since Aug 28 14:57:39 2009
    worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
    loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf
  Listening IP addresses:
    135.252.131.87
  Connections:
          home:  135.252.131.87...135.252.130.87
          home:   local:  [moon.strongswan.org] uses public key authentication
          home:    cert:  "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
          home:   remote: [sun.strongswan.org] uses any authentication
          home:   child:  dynamic === 10.1.0.0/16
  Security Associations:
          home[1]: ESTABLISHED 27 minutes ago, 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
          home[1]: IKE SPIs: 69208f149b5fab33_i* ca28924955c169b3_r, public key reauthentication in 23 minutes
          home[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
          home{1}:  INSTALLED, TUNNEL, ESP SPIs: caf62dcc_i ccae8f3e_o
          home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
          home{1}:   10.3.0.1/32 === 10.1.0.0/16

Thanks,
Roger
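Both routes Andreas mentions can be made robust without relying on "the last line". The script below is an added example, not part of the thread or of strongSwan. It parses the `ipsec statusall` text (the sample is constructed from Roger's output above), selects the INSTALLED CHILD_SA of the named connection and returns its local traffic selector when that selector is a single host, which is what a virtual IP from a config payload looks like (a /24 there would mean a leftsubnet, not an assigned address). A second function reads the push-style source, the PLUTO_MY_SOURCEIP variable that Andreas says is set for the _updown script; that it holds the assigned address is taken from his message, and the function is meant to run inside such a script.

```python
"""Find the virtual IP assigned through an IKEv2 config payload, either from
`ipsec statusall` output or from the _updown script environment."""
import ipaddress
import os
import re

# Constructed sample, abbreviated from the statusall output in the thread.
SAMPLE_STATUSALL = """\
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 28 minutes, since Aug 28 14:57:39 2009
Connections:
        home:  135.252.131.87...135.252.130.87
        home:   child:  dynamic === 10.1.0.0/16
Security Associations:
        home[1]: ESTABLISHED 27 minutes ago, 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
        home[1]: IKE SPIs: 69208f149b5fab33_i* ca28924955c169b3_r, public key reauthentication in 23 minutes
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: caf62dcc_i ccae8f3e_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
        home{1}:   10.3.0.1/32 === 10.1.0.0/16
"""

# "name{id}:  STATE, ..." lines carry the CHILD_SA state; "name{id}:  L === R"
# lines carry the traffic selectors. IKE_SA lines use [id] and are ignored.
CHILD_STATE_RE = re.compile(r"^\s*(?P<conn>[^\s{\[]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+),")
CHILD_TS_RE = re.compile(r"^\s*(?P<conn>[^\s{\[]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$")


def child_sas(status_text):
    """Map (conn, child id) -> {'state': str, 'local': [ts...], 'remote': [ts...]}."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_STATE_RE.match(line)
        if m:
            sas[(m["conn"], int(m["id"]))] = {"state": m["state"], "local": [], "remote": []}
            continue
        m = CHILD_TS_RE.match(line)
        if m:
            entry = sas.setdefault((m["conn"], int(m["id"])), {"state": None, "local": [], "remote": []})
            entry["local"] += m["local"].split()
            entry["remote"] += m["remote"].split()
    return sas


def virtual_ip(status_text, conn):
    """Return the virtual IP of the installed CHILD_SA of `conn`, or None.

    Only host-sized local selectors (/32, /128) count: anything wider is a
    configured leftsubnet, not an address assigned by the peer.
    """
    for (name, _cid), sa in sorted(child_sas(status_text).items()):
        if name != conn or sa["state"] != "INSTALLED":
            continue
        for ts in sa["local"]:
            net = ipaddress.ip_network(ts, strict=False)
            if net.prefixlen == net.max_prefixlen:
                return str(net.network_address)
    return None


def virtual_ip_from_updown_env(environ=os.environ):
    """Inside an updown script: read the address charon exports as
    PLUTO_MY_SOURCEIP (assumed, per the reply above, to be the virtual IP)."""
    value = environ.get("PLUTO_MY_SOURCEIP")
    return str(ipaddress.ip_address(value)) if value else None


if __name__ == "__main__":
    print("from statusall:", virtual_ip(SAMPLE_STATUSALL, "home"))
    print("from environment:", virtual_ip_from_updown_env())
```

In practice the caller feeds it `subprocess.run(["ipsec", "statusall", "home"], capture_output=True, text=True).stdout`; a None result means either no CHILD_SA is installed yet or the local side is using a subnet rather than an assigned address, and the caller should not guess.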
Re: [strongSwan] unable to initiate to %any
Hi David,

with right=%any you cannot actively initiate a connection as an initiator since the peer's IP address is not known. You can only act as a passive responder waiting for the other side to initiate.

Regards
Andreas

weiping deng wrote:
Hi Martin, Hi all,

When I try to find out the mechanism of virtual IP and initiate the strongswan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.

Configuration of two peers:

[moon]
config setup
        strictcrlpolicy=no
        plutostart=no
        keep_alive=40m

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=172.19.2.13
        leftfirewall=yes
        leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
        leftsubnet=192.168.253.0/24
        right=%any
        rightsourcip=%config
        auto=add

[sun]
config setup
        strictcrlpolicy=no
        plutostart=no
        keep_alive=40m

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn home
        left=172.19.2.88
        leftsourceip=192.168.253.88
        leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
        leftfirewall=yes
        right=172.19.2.13
        rightsubnet=192.168.253.0/24
        auto=add

BTW, I still have the following two questions:
1) What's the mechanism of virtual ip?
2) Can I simulate one gateway by setting the secondary ip address of a linux pc? If it is feasible, then how?

Best Regards,
David
Re: [strongSwan] strongswan + LDAP
Hi Sreenivas,

what do you mean by LDAP integration?

Andreas

sreenivas murthy wrote:
Hi there,

I have installed strongswan on an ubuntu 8.04 server but I would like to integrate it with an LDAP server. Can anyone please help me to do this.

Thanks in Advance.
-Sreenivas.
Re: [strongSwan] AUTHENTICATION_FAILED notify error
.chaudh...@gmail.com"
  serial:    02
  validity:  not before Aug 27 10:48:40 2009, ok
             not after  Aug 27 10:48:40 2011, ok
  pubkey:    RSA 1024 bits, has private key
  keyid:     16:d5:7a:50:ee:c8:db:e5:a2:02:b4:54:5e:19:29:24:d4:23:7a:a9
  subjkey:   07:1f:03:c2:e4:c7:34:3c:2c:86:19:90:02:ea:d8:f2:40:24:12:c3
  authkey:   83:1f:bb:b7:c2:21:13:9c:8b:c2:6d:b6:4c:e6:98:cd:bb:9a:3b:2a

Thank you.
Re: [strongSwan] Problems with Charon
Hi,

are you running strongSwan on CentOS or RedHat? There is an issue with these Linux kernels where IPsec policies get deleted when they are queried, e.g. by ipsec statusall or DPD. I think this kernel bug was fixed recently by RedHat.

Best regards
Andreas

ServerAlex wrote:
I've got a host-to-host connection that should be kept alive 24/7.

machine 1:

config setup
        plutostart=no   # IKEv1
        charonstart=yes # IKEv2
        nat_traversal=no

# Add connections here.

# Sample VPN connections

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        dpdaction=hold
        mobike=no

conn server1
        left=XX.X.XX.XX
        leftcert=server1-cert.pem
        left...@server1.xxx.com
        right=YY.YY.YY.YY
        right...@server2.xxx.com
        auto=start

server2:

config setup
        plutostart=no   # IKEv1
        charonstart=yes # IKEv2
        nat_traversal=no

# Add connections here.

# Sample VPN connections

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        dpdaction=clear
        mobike=no

conn server12
        left=YY.YY.YY.YY
        leftcert=server2-cert.pem
        left...@server2.xxx.com
        right=XX.XX.XX.XX
        right...@server1.xxx.com
        auto=add

when I start ipsec on both sides it works for a few minutes, then it just doesn't any longer, although the SAs are still alive.

  server2[2]: ESTABLISHED 11 minutes ago, XX.XX.XX.XX[server1.XXX.com]...YY.YY.YY.YY[server2.XXX.com]
  server2{2}:  INSTALLED, TUNNEL, ESP SPIs: cb043689_i c4ecff51_o
  server2{2}:   XX.XX.XX.XX/32 === YY.YY.YY.YY/32

But no traffic flow can be established. The logs give me errors like these:

  Sep 2 02:44:30 server1 charon: 11[KNL] querying policy failed: No such file or directory (2)

I have to restart the whole daemon on server1 to get the traffic flowing again.. for a few minutes. Any ideas?
Re: [strongSwan] Some problems with charon
    strongSwan, CN=strongSwan Root CA
    Sep 3 15:57:37 samar charon: 12[IKE] sending cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA
    Sep 3 15:57:37 samar charon: 12[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
    Sep 3 15:57:37 samar charon: 12[IKE] sending end entity cert C=CH, O=Linux strongSwan, CN=moon.strongswan.org
    Sep 3 15:57:37 samar charon: 12[IKE] establishing CHILD_SA host-host
    Sep 3 15:57:37 samar charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
    Sep 3 15:57:37 samar charon: 12[NET] sending packet: from 192.168.95.203[4500] to 192.168.95.131[4500]
    Sep 3 15:57:37 samar charon: 13[NET] received packet: from 192.168.95.131[4500] to 192.168.95.203[4500]
    Sep 3 15:57:37 samar charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
    Sep 3 15:57:37 samar charon: 13[IKE] received end entity cert C=CH, O=Linux strongSwan, CN=sun.strongswan.org
    Sep 3 15:57:37 samar charon: 13[CFG] using certificate C=CH, O=Linux strongSwan, CN=sun.strongswan.org
    Sep 3 15:57:37 samar charon: 13[CFG] using trusted ca certificate C=CH, O=Linux strongSwan, CN=strongSwan Root CA
    Sep 3 15:57:37 samar charon: 13[CFG] checking certificate status of C=CH, O=Linux strongSwan, CN=sun.strongswan.org
    Sep 3 15:57:37 samar charon: 13[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
    Sep 3 15:57:37 samar charon: 13[LIB] unable to fetch from http://crl.strongswan.org/strongswan.crl, no capable fetcher found
    Sep 3 15:57:37 samar charon: 13[CFG] crl fetching failed
    Sep 3 15:57:37 samar charon: 13[CFG] certificate status is not available
    Sep 3 15:57:37 samar charon: 13[IKE] authentication of 'sun.strongswan.org' with RSA signature successful
    Sep 3 15:57:37 samar charon: 13[IKE] scheduling reauthentication in 3323s
    Sep 3 15:57:37 samar charon: 13[IKE] maximum IKE_SA lifetime 3503s
    Sep 3 15:57:37 samar charon: 13[IKE] IKE_SA host-host[1] established between 192.168.95.203[moon.strongswan.org]...192.168.95.131[sun.strongswan.org]
    Sep 3 15:57:37 samar charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    Sep 3 15:57:37 samar charon: 13[KNL] received netlink error: Invalid argument (22)
    Sep 3 15:57:37 samar charon: 13[KNL] unable to delete SAD entry with SPI c5be246b
    Sep 3 15:57:37 samar charon: 13[IKE] received AUTH_LIFETIME of 3335s, scheduling reauthentication in 3155s
    Sep 3 15:57:37 samar charon: 13[IKE] peer supports MOBIKE

Please show me what's wrong. Why doesn't charon see my cipher? What do I need to do to fix the mistakes?

Best regards,
Alex
Re: [strongSwan] Signature verification failed
Hi Vivek,

could you send a log file generated with the options

    charondebug="chd 2, knl 2"

on the Linux machine so the reason for the delete becomes apparent.

Regards
Andreas

vivek bairathi wrote:

Hi,

I just got the solution to my problem. It's actually a problem of endianness, as the endianness is not getting set in sha1_hasher.c and the code on QNX is compiled using armbe, which is big endian. So I just set BIG_ENDIAN in sha1_hasher.c and finally the authentication is successful.

But now I am getting a new error: as soon as the CHILD_SA is created, the Linux machine sends a delete request for the CHILD_SA to the QNX machine. I don't know why this is happening. My ikelifetime, keylife and rekeymargin are all in hours, so how could this happen? Can you tell me or give a possible condition because of which this is happening and, of course, if possible a solution also?

Thanks

Regards,
Vivek
Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !
Hi Alok,

besides some unexpected packets everything seems ok. Both XAUTH and ModeConfig are established successfully, but somehow the negotiation does not go on to IKE Quick Mode. Could you remove the modeconfig=push line, since strange effects might occur if Mode Config push is used in conjunction with XAUTH.

Regards
Andreas

Alok Thaker wrote:

Hi Friends,

I am a fan of strongSwan and I have made L2TP with IPsec run successfully with iPhone and strongSwan. The only problem I am facing is to make IPsec-only with XAUTH+PSK run with iPhone. I have also enabled --enable-cisco-quirks=yes, as the iPhone works as a Cisco VPN client as I read in the strongSwan answers, but I have had no luck with the establishment. I get the following errors while connecting strongSwan IPsec (XAUTH+PSK) with iPhone IPsec:

    packet from 82.132.139.25:44759: ignoring Vendor ID payload [Cisco-Unity]
    Sep 6 14:48:43 uk_server3 pluto[24769]: packet from 82.132.139.25:44759: received Vendor ID payload [Dead Peer Detection]
    Sep 6 14:48:43 uk_server3 pluto[24769]: "win"[1] 82.132.139.25:44759 #1: responding to Main Mode from unknown peer 82.132.139.25:44759
    Sep 6 14:48:45 uk_server3 pluto[24769]: "win"[1] 82.132.139.25:44759 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[1] 82.132.139.25:44759 #1: Peer ID is ID_IPV4_ADDR: '10.38.42.53'
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44759 #1: deleting connection "win" instance with peer 82.132.139.25 {isakmp=#0/ipsec=#0}
    Sep 6 14:48:46 uk_server3 pluto[24769]: | NAT-T: new mapping 82.132.139.25:44759/44760)
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: sent MR3, ISAKMP SA established
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: sending XAUTH request
    Sep 6 14:48:46 uk_server3 pluto[24769]: packet from 82.132.139.25:44760: Informational Exchange is for an unknown (expired?) SA
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: parsing XAUTH reply
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: extended authentication was successful
    Sep 6 14:48:46 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: sending XAUTH status:
    Sep 6 14:48:47 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: parsing XAUTH ack
    Sep 6 14:48:47 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: received XAUTH ack, established
    Sep 6 14:48:47 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: sending ModeCfg set
    Sep 6 14:48:47 uk_server3 pluto[24769]: packet from 82.132.139.25:44760: ModeCfg message is for a non-existent (expired?) ISAKMP SA
    Sep 6 14:48:48 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: parsing ModeCfg ack
    Sep 6 14:48:48 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: received ModeCfg ack, established
    Sep 6 14:48:48 uk_server3 pluto[24769]: "win"[2] 82.132.139.25:44760 #1: unsupported ModeCfg attribute 28683?? received.

My ipsec.conf for PSK + XAUTH has this entry:

    config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes

    conn win
        authby=xauthpsk
        xauth=server
        left=94.76.194.32
        leftnexthop=%direct
        rightsourceip=%modeconfig
        modeconfig=push
        auto=start

My ipsec.secrets has:

    94.76.194.32 %any : PSK alok
    : XAUTH alok alok

Please, it is urgent for me. Can someone help me out? It would be a great achievement to get strongSwan IPsec (XAUTH+PSK) running with the iPhone.

Thanks,
Alok
Re: [strongSwan] Able to connect, but packages does not get through.
Hello Bjarke,

there are not even any hits for incoming encrypted ESP packets:

    Chain INPUT (policy DROP 16 packets, 5520 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            83.89.2.202

Are you sure that the strongSwan box is receiving any ESP packets from the Win7 box? What does wireshark say?

Regards
Andreas

Bjarke Istrup Pedersen wrote:

Hey,

I'm having a little problem here. I'm trying to create a roadwarrior setup with Windows 7 machines connecting into my internal network. They can connect, the route is created, and the iptables rules are added. The problem is that no packets seem to hit the firewall rules, and no traffic can get through. Also, I don't know how to get strongSwan to tell the clients to access my internal network through the tunnel.

My network is constructed the following way:

    192.168.20.1/32 == 79.138.252.53 -- 83.89.2.202 == 192.168.1.0/24

(where 192.168.1.0/24 is my internal network, and 192.168.20.0/24 is the pool of virtual addresses the clients get assigned).

Here are some logs and configs:

    http://dl.getdropbox.com/u/254699/strongswan/ipsec%20startup.txt (log of when ipsec starts up)
    http://dl.getdropbox.com/u/254699/strongswan/ipsec%20connection.txt (log of when a client connects)
    http://dl.getdropbox.com/u/254699/strongswan/ipsec%20disconnection.txt (log of when a client disconnects)
    http://dl.getdropbox.com/u/254699/strongswan/ipsec.conf.txt (ipsec.conf file)
    http://dl.getdropbox.com/u/254699/strongswan/strongswan.conf.txt (strongswan.conf file)
    http://dl.getdropbox.com/u/254699/strongswan/iptables.txt (output of iptables -L -v -n)
    http://dl.getdropbox.com/u/254699/strongswan/route.txt (output of ip route list table 220)

What might be wrong?

Best regards,
Bjarke I. Pedersen
Re: [strongSwan] Able to connect, but packages does not get through.
Hi Bjarke,

what is the output of

    ip -s xfrm state

and

    ip -s xfrm policy

when the connection is up? Does the in or fwd IPsec policy show any time in the use field:

    dir in action allow index 18808 priority 1680 ptype main
        add 2009-08-18 15:50:33 use -
    dir fwd action allow index 18818 priority 1680 ptype main
        add 2009-08-18 15:50:33 use 2009-08-18 15:50:36

And what is the byte count in the inbound IPsec state:

    lifetime current:
      84(bytes), 1(packets)
      add 2009-08-18 15:50:33 use 2009-08-18 15:50:36

and do any errors show up:

    stats:
      replay-window 0 replay 0 failed 0

Regards
Andreas

Bjarke Istrup Pedersen wrote:

Hey Andreas,

That is not an option at the moment, it seems. The client I'm testing with is using a dialup connection (UMTS modem), and wireshark does not want to capture anything but ethernet adapters. Is there anything that looks suspicious that might be causing this? The rule in the INPUT chain should be fine from what I know, since nothing can be blocking it before it reaches it.

Best regards,
Bjarke Istrup Pedersen
Re: [strongSwan] MODP_2048?
Hi,

the error message

    configured DH group MODP_2048 not supported

means that neither the gmp nor the openssl plugin, which implement the big number arithmetic required for the Diffie-Hellman groups, could be loaded successfully. The command

    ipsec statusall

should list either gmp and|or openssl in the line "loaded plugins:", and the command

    ipsec listalgs

should list all Diffie-Hellman groups:

    dh-group: MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768

with the gmp plugin, plus ECP_192 ECP_224 ECP_256 ECP_384 ECP_521 with the openssl plugin.

By default strongSwan compiles and loads the gmp plugin, which in turn requires the GNU Multiprecision library (libgmp3) including the header file /usr/include/gmp.h. Alternatively you can activate the openssl plugin (./configure --enable-openssl), which requires the libcrypto-0.9.8 library plus the /usr/include/openssl/ header files.

Best regards
Andreas

Yong Choo wrote:

Hi all,

I'm trying to 'execute' the following (on a cross-compiled PowerPC Linux for a telecommunication board):

    ipsec up net-enb40

(where I have the connectivity set up in the ipsec.config). I'm getting the following error:

    configured DH group MODP_2048 not supported

I think I'm missing a kernel option? We are using Wind River Linux PNE2.0 version. Does anyone know how to turn this 'MODP_2048' on?

Thanks Much!
Re: [strongSwan] ARM and I386 ?
It looks like a problem in the IKE session key derivation. The encryption keys derived from the Diffie-Hellman secrets don't seem to be the same on both sides, so that the payloads encrypted by the sender cannot be decrypted by the receiver. In order to diagnose this problem I recommend ramping up the debugging level by setting

    plutodebug=control crypt

in the config setup section of the /etc/ipsec.conf files on both sides, so that you will get a debug output of the form

    http://www.strongswan.org/uml/testresults43/ikev1/alg-blowfish/moon.auth.log

showing the Diffie-Hellman secrets and the derived session keys.

Best regards
Andreas

Nguyễn Hoàng Anh wrote:

Hi Andreas and all members!

Today, after finishing make and make install of strongSwan 4.3.4 on an ARM architecture, I tried to set it up with a host-to-host tunnel to an i386, but I get this error in the pluto log file on the i386:

    ..
    "client2" #2: we have a cert and are sending it upon request
    "server" #3: NAT-Traversal: Result using RFC 3947: no NAT detected
    "server" #3: we have a cert and are sending it upon request
    "client1" #1: next payload type of ISAKMP Hash Payload has an unknown value: 55
    "client1" #1: malformed payload in packet
    "client2" #2: next payload type of ISAKMP Hash Payload has an unknown value: 181
    "client2" #2: malformed payload in packet
    "server" #3: next payload type of ISAKMP Hash Payload has an unknown value: 164
    "server" #3: malformed payload in packet
    ..

What is this error and how can I solve it?

Many thanks!
Re: [strongSwan] esp=null-sha1-modp1024,null-null
Hi Dimitrios,

yes, this means that esp=null-sha1-modp1024 is added to the default list defined by

    http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/config/proposal.c#L865

esp=null-null is not a valid configuration, since we do not accept a null integrity algorithm. If you want to send a single proposal without the default list then you can use the '!' strict character:

    esp=null-sha1-modp1024!

Kind regards
Andreas

Dimitrios Siganos wrote:

Hi,

Is the following esp line a valid configuration?

    conn west-east
        esp=null-sha1-modp1024,null-null

Does it mean: add null-sha1-modp1024 and null-null to the default list of proposals to be negotiated? How do I know what the default proposal list is?

Regards,
Dimitrios Siganos
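The three rules Andreas states above (comma-separated proposals, a null integrity algorithm is never accepted, a trailing '!' suppresses the default list) are enough to pre-check an esp= line before reloading the daemon. The following Python script is an added example, not strongSwan's own proposal parser; the algorithm names it knows and its DEFAULT_ESP list are a constructed, deliberately small stand-in (an assumption), not the table from proposal.c.

```python
"""Check an esp= proposal list the way the thread describes it.

Added example, not strongSwan's parser. Rules implemented: proposals are
comma separated and written as encr-integ[-dhgroup]; a null integrity
algorithm is never accepted; a trailing '!' suppresses the default list.
The algorithm sets and DEFAULT_ESP below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

ENCR = {"null", "aes128", "aes256", "3des"}
INTEG = {"sha1", "sha256", "md5"}
DH = {"modp1024", "modp1536", "modp2048"}

# Constructed stand-in for the daemon's built-in default proposal list.
DEFAULT_ESP = ["aes128-sha1", "3des-sha1"]


class ProposalError(ValueError):
    """Raised for a proposal the daemon would refuse to load."""


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: Optional[str] = None

    def __str__(self) -> str:
        return "-".join(p for p in (self.encr, self.integ, self.dh) if p)


def parse_proposal(text: str) -> Proposal:
    parts = text.split("-")
    if len(parts) not in (2, 3):
        raise ProposalError(f"{text!r}: expected encr-integ[-dhgroup]")
    encr, integ = parts[0], parts[1]
    dh = parts[2] if len(parts) == 3 else None
    if encr not in ENCR:
        raise ProposalError(f"{text!r}: unknown encryption algorithm {encr!r}")
    if integ == "null":
        # The point of the thread: null encryption is allowed, null integrity is not.
        raise ProposalError(f"{text!r}: null integrity algorithm is not accepted")
    if integ not in INTEG:
        raise ProposalError(f"{text!r}: unknown integrity algorithm {integ!r}")
    if dh is not None and dh not in DH:
        raise ProposalError(f"{text!r}: unknown DH group {dh!r}")
    return Proposal(encr, integ, dh)


def expand_esp(line: str) -> List[Proposal]:
    """Return every proposal that would be offered for one esp= line."""
    line = line.strip()
    strict = line.endswith("!")
    if strict:
        line = line[:-1]
    items = [p.strip() for p in line.split(",") if p.strip()]
    if not items:
        raise ProposalError("empty proposal list")
    proposals = [parse_proposal(p) for p in items]
    if not strict:
        # Without '!' the configured proposals are combined with the default list.
        proposals += [parse_proposal(p) for p in DEFAULT_ESP]
    return proposals


def is_valid(line: str) -> bool:
    """True if the whole esp= line would load, False if any proposal is rejected."""
    try:
        expand_esp(line)
    except ProposalError:
        return False
    return True


if __name__ == "__main__":
    for cfg in ("null-sha1-modp1024,null-null", "null-sha1-modp1024", "null-sha1-modp1024!"):
        try:
            print(cfg, "->", ", ".join(map(str, expand_esp(cfg))))
        except ProposalError as err:
            print(cfg, "-> rejected:", err)
```

Run as a script it prints the expansion of the three lines from the thread: the first is rejected because of null-null, the second gets the default list appended, and the strict third yields exactly one proposal.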
Re: [strongSwan] _updown is not called
Hello Roger,

the IKEv2 charon daemon configures virtual IPs directly using the RT_NETLINK kernel interface, whereas the IKEv1 pluto daemon does in fact use the _updown script to install virtual IP addresses. With IKEv2 you can use either the standard

    leftfirewall=yes

which calls the _updown script, which in turn installs a set of iptables firewall rules, or in your case you can define

    leftupdown=<path to my script>

which will call a script where you can execute any actions that you like.

Best regards
Andreas

Zhang, Long (Roger) wrote:

Hi,

I am using a preshared key instead of a certificate to set up an IPsec tunnel. After the tunnel is set up successfully, I found the _updown script is not called. Using the test case

    http://www.strongswan.org/uml/testresults43/ikev2/virtual-ip-override/

the _updown can be called. Since I want to get the inner virtual IP to write to a tmp file so that my application can read it, I am curious why it is not called. Is it related to the preshared key?

Thanks,
Roger
Re: [strongSwan] Does strongSwan support RFC4754
Hi Kunal,

yes, both our IKEv1 and IKEv2 daemons support RFC 4754. In the IKEv1 code the hash for the ECDSA signature is constructed in pluto/ipsec_doi.c:main_mode_hash()

    http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/ipsec_doi.c#L1355

which is then signed in pluto/ipsec_doi.c:sign_hash()

    http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/ipsec_doi.c#L1419

The actual signature is done by private->sign(private, scheme, hash, sig), which maps to libstrongswan/plugins/openssl/openssl_ec_private_key.c:sign()

    http://wiki.strongswan.org/repositories/entry/strongswan/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c#L133

In the IKEv2 code private->sign() is called in charon/sa/authenticators/pubkey_authenticator.c:build()

    http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/sa/authenticators/pubkey_authenticator.c#L61

Regards
Andreas

kunal patel wrote:

Hi,

Can someone please let me know whether strongSwan supports RFC 4754? If yes, then can someone please point me to the file location which implements the AUTH payload construction for ECDSA authentication?

Thanks,
Kunal
Re: [strongSwan] Vendor id string for nat draft's
Hi Sunil,

as far as I know there were no special Vendor IDs for NAT-T-6 and NAT-T-7. Only the following VIDs were in use:

    MD5(draft-ietf-ipsec-nat-t-ike-00)
    MD5(draft-ietf-ipsec-nat-t-ike-02)
    MD5(draft-ietf-ipsec-nat-t-ike-02\n)
    MD5(draft-ietf-ipsec-nat-t-ike-03)
    MD5(RFC 3947)

Best regards
Andreas

sunil kumar wrote:

Hi,

I am looking for the Vendor ID string for NAT-T-6 and NAT-T-7. It will be helpful if I get all vendor ID strings used in ISAKMP.

Thanks in advance.

Regards,
Sunilkumar
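Since each NAT-T Vendor ID is just the MD5 hash of the draft or RFC name listed above, the table can be regenerated and used in reverse to tell which NAT-T variant a peer announces in a log or packet capture. The script below is an added example, not strongSwan code; the only inputs are the five names from Andreas's list (the trailing "\n" on the second -02 entry is part of the hashed string), and the sample payload looked up at the end is constructed from the table itself.

```python
"""Identify IKEv1 NAT-T Vendor ID payloads.

Added example, not strongSwan code. Rule from the thread: each NAT-T
Vendor ID is the MD5 hash of the draft/RFC name, and only the five
names below were ever used (none for -06 or -07).
"""
import hashlib
from typing import Dict, Optional

# Exact strings that were hashed. The trailing newline on the second -02
# entry is deliberate: some implementations hashed the name with it.
NAT_T_VID_SOURCES = (
    "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-03",
    "RFC 3947",
)


def vendor_id(source: str) -> bytes:
    """Vendor ID payload body for a draft/RFC name: MD5 of the ASCII name."""
    return hashlib.md5(source.encode("ascii")).digest()


def build_vid_table() -> Dict[bytes, str]:
    """Map every known NAT-T Vendor ID body back to the name it was hashed from."""
    return {vendor_id(s): s for s in NAT_T_VID_SOURCES}


_TABLE = build_vid_table()


def identify_vid(payload: bytes) -> Optional[str]:
    """Return the announced draft/RFC name for a Vendor ID body, or None.

    Anything that is not a 16-byte MD5 digest present in the table yields
    None rather than a guess, so unknown vendor payloads are not misread.
    """
    if len(payload) != 16:
        return None
    return _TABLE.get(payload)


def identify_vid_hex(hexstr: str) -> Optional[str]:
    """Same lookup for the hex form that log and capture tools print."""
    try:
        return identify_vid(bytes.fromhex(hexstr.replace(" ", "")))
    except ValueError:
        return None


if __name__ == "__main__":
    for name in NAT_T_VID_SOURCES:
        print(f"{vendor_id(name).hex()}  MD5({name!r})")
    # Constructed observation: a payload taken from the table above.
    print(identify_vid_hex("4a131c81070358455c5728f20e95452f"))
```

Running it prints the five hex Vendor IDs next to the names they come from; feeding an unknown or truncated payload into identify_vid returns None instead of a match.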
Re: [strongSwan] About finding whether the VPN tunnel is working or not
Yeah, this should work.

Andreas

bhanushali_bhav...@emc.com wrote:

Hello All,

The following is the situation:

1] I am writing code to check whether VPN tunnels are working or not in my system.
2] So I do ipsec status and it shows me some output. I am thinking of grepping for ESTABLISHED and INSTALLED, and if I find these words I am concluding that the VPN tunnels are working fine.
3] If ipsec status doesn't show any output and the output length is 0, I am concluding that the tunnels are not working and the VPN between the two machines is down.

Is this the correct approach?

Thanks,
Bhavesh Bhanushali
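Grepping ipsec status for ESTABLISHED and INSTALLED covers the normal case, but the CentOS/RedHat thread earlier on this page shows SAs that stay ESTABLISHED and INSTALLED while no traffic flows, and Andreas's checklist for Bjarke (the use field, the byte and packet counters and the failed counter of ip -s xfrm state) is what exposes that. The following Python script is an added example, not strongSwan code and not from anyone in these threads: it parses both outputs, ties the inbound SPI from ipsec status to the kernel SA, and only reports a tunnel as up when that SA has actually carried packets without failures. Both sample outputs are constructed (RFC 5737 addresses) in the layout of the real commands.

```python
"""Tunnel health check that looks past "ipsec status" (added example, not
strongSwan code). Sample command outputs below are constructed, RFC 5737
addresses, in the layout of real "ipsec status" / "ip -s xfrm state" output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IPSEC_STATUS = """\
server2[2]: ESTABLISHED 11 minutes ago, 192.0.2.1[server1.example.org]...198.51.100.2[server2.example.org]
server2{2}:  INSTALLED, TUNNEL, ESP SPIs: cb043689_i c4ecff51_o
server2{2}:   192.0.2.1/32 === 198.51.100.2/32
"""

# Inbound SA (our SPI cb043689) was never used; the outbound one carries traffic.
XFRM_STATE = """\
src 198.51.100.2 dst 192.0.2.1
    proto esp spi 0xcb043689 reqid 2 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
      add 2009-08-18 15:50:33 use -
    stats:
      replay-window 0 replay 0 failed 0
src 192.0.2.1 dst 198.51.100.2
    proto esp spi 0xc4ecff51 reqid 2 mode tunnel
    lifetime current:
      840(bytes), 10(packets)
      add 2009-08-18 15:50:33 use 2009-08-18 15:50:36
    stats:
      replay-window 0 replay 0 failed 0
"""

IKE_RE = re.compile(r"^(\S+)\[\d+\]:\s+ESTABLISHED\b")
CHILD_RE = re.compile(r"^(\S+)\{\d+\}:\s+INSTALLED\b.*\bESP SPIs:\s+([0-9a-f]+)_i\s+([0-9a-f]+)_o")


@dataclass
class Conn:
    name: str
    ike_established: bool = False
    child_installed: bool = False
    spi_in: Optional[str] = None  # inbound SPI as printed by "ipsec status"


@dataclass
class XfrmSa:
    src: str
    dst: str
    spi: str = ""
    nbytes: int = 0
    packets: int = 0
    used: bool = False   # "use" timestamp present (not "-")
    failed: int = 0      # kernel-side integrity/replay failures


def parse_ipsec_status(text: str) -> Dict[str, Conn]:
    conns: Dict[str, Conn] = {}
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            conns.setdefault(m.group(1), Conn(m.group(1))).ike_established = True
        elif m := CHILD_RE.match(line):
            c = conns.setdefault(m.group(1), Conn(m.group(1)))
            c.child_installed, c.spi_in = True, m.group(2)
    return conns


def parse_xfrm_state(text: str) -> List[XfrmSa]:
    sas: List[XfrmSa] = []
    cur: Optional[XfrmSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):          # every SA block opens with "src X dst Y"
            f = line.split()
            cur = XfrmSa(src=f[1], dst=f[3])
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("proto ") and (m := re.search(r"\bspi 0x([0-9a-fA-F]+)", line)):
            cur.spi = m.group(1).lower()
        elif m := re.search(r"(\d+)\(bytes\),\s*(\d+)\(packets\)", line):
            cur.nbytes, cur.packets = int(m.group(1)), int(m.group(2))
        elif m := re.search(r"^add .*\buse (\S+)", line):
            cur.used = m.group(1) != "-"
        elif m := re.search(r"^replay-window .*\bfailed (\d+)", line):
            cur.failed = int(m.group(1))
    return sas


def check_tunnels(status_text: str, xfrm_text: str) -> Dict[str, str]:
    """Verdict per connection; "up" requires the inbound SA to have carried packets."""
    sas = {sa.spi: sa for sa in parse_xfrm_state(xfrm_text)}
    out: Dict[str, str] = {}
    for name, c in parse_ipsec_status(status_text).items():
        sa = sas.get(c.spi_in or "")
        if not (c.ike_established and c.child_installed):
            out[name] = "down: IKE_SA or CHILD_SA missing"
        elif sa is None:
            out[name] = "broken: inbound SA missing from kernel SAD"
        elif sa.failed:
            out[name] = f"degraded: {sa.failed} failed inbound packets"
        elif not sa.used or sa.packets == 0:
            out[name] = "stalled: SAs installed but no inbound traffic"
        else:
            out[name] = "up"
    return out


if __name__ == "__main__":
    print(check_tunnels(IPSEC_STATUS, XFRM_STATE))
```

On the constructed sample the verdict for server2 is "stalled", which is exactly the situation a plain grep for ESTABLISHED/INSTALLED would have reported as healthy. In a real deployment the two strings would come from running the commands; the empty-output case Bhavesh describes simply yields an empty dict.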
Re: [strongSwan] Some Question About NAT-T and DPD
weiping deng wrote:

Hi Both,

I have the following questions that need your answer. Please help me, thanks.

Q1: About NAT-T: does strongSwan support "Detecting and Honouring the NAT device changing its public address"?

In principle such a situation can be detected by observing a change in the value of the NAT Detection payload contained in DPD messages, and the IPsec SA can then be updated using the MOBIKE (RFC 4555) protocol. I'm not sure whether our MOBIKE implementation supports this, but Martin will know.

Q2: About DPD in IKEv2, what is the default value of the DPD timeout (dpdtimeout)?

IKEv2 doesn't use IKEv1's dpdtimeout configuration parameter. It just applies the regular retransmission scheme for IKE packets (5 exponentially staggered retransmissions) and, if no answer is received, declares the peer dead after about 2 minutes.

Looking forward to your answer, thanks.

David

Regards
Andreas
Re: [strongSwan] Some Question about the configuration payload
weiping deng wrote:

Hi Both,

Excuse me. I have the following questions about the configuration payload:

Q1: In the current version of strongSwan, can the internal DNS be assigned by the server when the peer requests it in the same configuration payload as the virtual IP request? If an internal DNS can be assigned, where can I get this information? And if I want to obtain this information for further handling, how can I do that?

Yes, internal DNS servers can be assigned to a strongSwan client via the configuration payload. A sample scenario is shown here:

    http://www.strongswan.org/uml/testresults43/ikev2/config-payload/console.log

By default the DNS servers are added to /etc/resolv.conf by the resolv-conf plugin. The destination file can be changed via the --with-resolv-conf=file configuration option. strongSwan as a server can read DNS and WINS server information from /etc/strongswan.conf using the attr plugin:

    http://www.strongswan.org/uml/testresults43/ikev2/config-payload/moon.strongswan.conf

Both the attr and resolv-conf (renamed to resolve starting with release 4.3.5) plugins are enabled by default.

Q2: I have always had a question: according to RFC 4306 (IKEv2), the server can assign the internal subnet and corresponding netmask to the peer. Why do we need to configure rightsubnet in the peer's ipsec.conf? Can this item be removed from ipsec.conf? Or maybe this item is not used to configure the internal subnet and can be set to a random value? (In fact, it does not work when I set a random value for right/leftsubnet.)

On the client side you can define right|leftsubnet=0.0.0.0/0 and the server will narrow the range down to its own definition. Narrowing is an IKEv2 feature.

Looking forward to your answer, thanks.

David

Regards
Andreas
Re: [strongSwan] Re: Some Question about the configuration payload
The server needs the attr plugin (ipsec statusall should list it), and up to two DNS and WINS servers can be defined in strongswan.conf:

    # /etc/strongswan.conf - strongSwan configuration file

    charon {
        dns1 = 62.2.17.60
        dns2 = 62.2.24.162
        nbns1 = 10.10.1.1
        nbns2 = 10.10.0.1
    }

On the client just the resolv-conf plugin is required (ipsec statusall should list it). The DNS servers are appended to /etc/resolv.conf or the file you specified with the compile option --with-resolv-conf=. When the tunnel goes down, the DNS information is removed.

Regards
Andreas

weiping deng wrote:

Hi Andreas,

Thanks for your quick response and important information about the configuration payload. I want to confirm the following item with you further: do I need to configure nothing in ipsec.conf or strongswan.conf, and only need to start the resolv and attr plugins on the server side and peer side?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 24 September 2009 15:03
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: Some Question about the configuration payload
Re: [strongSwan] EAP_MSCHAPv2 and RADIUS
Hi Peter,

although the FreeRADIUS server computes the MSK value in the MSCHAPv2 case, the MSK is discarded and not included in the EAP response. Therefore FreeRADIUS cannot be used with IKEv2 EAP_MSCHAPv2. During LinuxTag 2009 we talked with a FreeRADIUS developer and he told us that the MSK could easily be included in the EAP response (but someone would have to do that hack). Martin has successfully tested IKEv2 EAP-MSCHAPv2 with a Microsoft RADIUS server, though, which in turn accesses the Windows Active Directory for the user credentials.

Best regards
Andreas

Peter Winterer wrote:

Hello all,

Currently on the strongSwan wiki there is an example configuration for EAP_MSCHAPv2 authentication with EAP identity (username and password in ipsec.secrets). My question is, can EAP_MSCHAPv2 authentication with EAP work in conjunction with a RADIUS server (username and password taken from the RADIUS server)?

Thanks,
Peter
Re: [strongSwan] about LRNG !
Hello,

well, /dev/random and /dev/urandom *are* the APIs for the Linux Random Number Generator! This means that the default libstrongswan random plugin uses the LRNG. We define three strengths of random material:

    type        use                        random plugin
    RNG_WEAK    nonces, IVs                /dev/urandom
    RNG_STRONG  DH session keys, cookies   /dev/urandom
    RNG_TRUE    RSA/ECDSA keys             /dev/random

In place of the default random plugin you could use a plugin of your own directly interfacing to a HW true random generator.

Best regards
Andreas

Nguyễn Hoàng Anh wrote:

Hello Andreas and all members!

I have a question about the LRNG (Linux Random Number Generator) in strongSwan. I wonder how strongSwan uses it? I looked into strongSwan's source code and see that strongSwan uses /dev/random and /dev/urandom to generate random numbers. I think that strongSwan uses the LRNG to generate encryption keys, cookies, ... Is it true? Can you give me more details about it?

Many thanks!
Re: [strongSwan] issue about the route
Hi David,

- have you enabled IP forwarding on gateway moon?

    echo 1 > /proc/sys/net/ipv4/ip_forward

Regards
Andreas

weiping deng wrote:

Hi Martin and Andreas, Hi all,

The test scenario is as follows:

    Alice (IP: 172.19.2.190, Secondary IP: 192.168.253.68) --- moon (as gateway, IP: 172.19.2.118, Secondary IP: 192.168.253.98) --- carol (IP: 172.19.2.86, Virtual IP: 192.168.253.89)

As above, I have established the IPsec tunnel between moon and carol. Now I can ping moon from carol with ping 192.168.253.98, and I also can ping Alice from moon with ping 192.168.253.68. But I can not ping Alice from carol with ping 192.168.253.68. Please tell me what problem occurred, thanks.

The following is the configuration of moon and carol:

++Moon:

    config setup
        strictcrlpolicy=no
        plutostart=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2

    conn rw-eapaka
        left=172.19.2.118
        leftsubnet=192.168.253.0/24
        leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, E= @moon.strongswan.org"
        leftcert=/etc/ipsec.d/certs/moonCert.pem
        leftauth=pubkey
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, e=ca...@strongswan.org"
        rightsendcert=never
        rightsourceip=192.168.253.89
        rightauth=eap-aka
        auto=start

++carol:

    config setup
        strictcrlpolicy=no
        plutostart=no
        keep_alive=20m

    conn %default
        ike=aes-sha1-modp1024!
        esp=aes-sha1!
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        dpdaction=clear
        dpdtimeout=5m
        dpddelay=10

    conn FAP1000
        left=172.19.2.86
        leftsourceip=%config
        leftcert=/etc/ipsec.d/certs/carolCert.pem
        leftauth=eap
        right=172.19.2.118
        rightsubnet=0.0.0.0/0
        rightcert=/etc/ipsec.d/certs/moonCert.pem
        rightauth=pubkey
        leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, e=ca...@strongswan.org"
        rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e...@moon.strongswan.org"
        auto=add

Best Regards,
David
Re: [strongSwan] Reply: [SPAM] Re: issue about the route
Hello David,

the problem is that carol uses a virtual IP belonging to the same subnet as alice. Therefore alice tries to send the ICMP response directly via ARP resolution. You could try to add a route on alice, directing traffic for carol to moon:

  ip route add 192.168.253.89/32 via 192.168.253.1

The better solution is to assign virtual IP addresses for roadwarriors from another subnet, e.g. 192.168.252.0/24, and add moon as default gateway on alice:

  ip route add default via 192.168.253.1

Andreas

weiping deng wrote:

Hi Andreas,

Thank you. I enabled IP forwarding on gateway moon using the method you provided below. Now the ICMP request can be forwarded to Alice, but I cannot find the ICMP response in the tcpdump log. It seems that there is still some work to be done :-). Can you give me a further hint? Thanks.

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 28 September 2009 14:53
To: weiping deng
Cc: mar...@strongswan.org; users@lists.strongswan.org
Subject: [SPAM] Re: issue about the route
Re: [strongSwan] strongSwan implementation on Ubuntu
Hi Stevie,

you might also try the free Shrew Soft VPN Client for Windows XP: http://www.shrew.net/

Under MS Vista and Windows 7 the configuration of the built-in Microsoft IKEv1 client has become much more user friendly and can be run without the tiresome L2TP overhead. Our strongSwan wiki shows the use with preshared keys: http://wiki.strongswan.org/wiki/strongswan/WindowsVista or with efficient elliptic curve certificates: http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB

And of course you *must* try the new IKEv2 Agile VPN Client available with Windows 7: http://wiki.strongswan.org/wiki/strongswan/Windows7

Regards
Andreas

Daniel Mentz wrote:

Hi Stevie,

strongSwan meets most if not all of your requirements.

Stevie K wrote:

° Key exchanges using Internet PKIs

Please explain what you mean by that. Here's a quote from strongSwan's feature list that might be related to this requirement.

- Authentication based on X.509 certificates or preshared keys
- Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
- Full support of the Online Certificate Status Protocol (OCSP, RFC 2560)
- CA management (OCSP and CRL URIs, default LDAP server)
- Powerful IPsec policies based on wildcards or intermediate CAs
- Group policies based on X.509 attribute certificates (RFC 3281)

Is this possible with strongSwan and are there any HOWTOs?

Please check http://wiki.strongswan.org/projects/show/strongswan and http://www.strongswan.org/docs.htm

The latter might be a little bit out-dated but still contains a very good tutorial.

What VPN client software is available for Windows XP that can be used with strongSwan?

I successfully used NCP Secure Entry Client (Win32/64) which is unfortunately pretty expensive (142.80 EUR per license). There might be other clients for WinXP as well. You might even use the native L2TP/IPsec client of Windows XP although the setup is a bit nasty in my opinion. It also has some (security) problems.

You might also be able to use Cisco's VPN client although there are license/legal issues. Check http://wiki.strongswan.org/wiki/strongswan/Autoconf for --enable-cisco-quirks

-Daniel
Re: [strongSwan] ip xfrm state / ip xfrm policy
Hi Jessie,

in the past there were some embedded platforms which did not implement the ip xfrm command. Does e.g. "ip route list" work? If not then the whole iproute2 package is missing and you must install it first.

Regards
Andreas

Jessie Liu wrote:

Hi all,

I'm trying to use the "ip xfrm state" and "ip xfrm policy" commands. But I couldn't use those commands to show information. There is no such command! What else should I add in the kernel config? I already have xfrm4_tunnel.ko and xfrm_user.ko, but still cannot use that command.

Thanks a lot. ^___^
Re: [strongSwan] ip xfrm state / ip xfrm policy
Yeah, it looks as if your BusyBox does not support the xfrm subcommand. Either try to update to a more recent BusyBox or install setkey from the ipsec-tools package instead:

  setkey -D   is similar to  ip xfrm state
  setkey -DP  is similar to  ip xfrm policy

Regards
Andreas

Jessie Liu wrote:

Hi Andreas,

"ip route list" works fine on my target board, but "ip xfrm state" did not work. When I type "ip xfrm state", it shows the following messages:

  BusyBox v1.10.1 (2009-09-28 15:09:16 CST) multi-call binary

  Usage: ip [OPTIONS] {address | route | link | tunnel | rule} {COMMAND}

---
On 9/30/09 (Wed), Andreas Steffen <andreas.stef...@strongswan.org> wrote:

From: Andreas Steffen andreas.stef...@strongswan.org
Subject: Re: [strongSwan] ip xfrm state / ip xfrm policy
To: Jessie Liu iamnotjes...@yahoo.com.tw
Cc: users@lists.strongswan.org
Date: 30 September 2009, Wed, 12:32 PM
Re: [strongSwan] strongswan 4.3.4 /usr/libexec/ipsec/stroke
Hi Jessie,

strongswan-4.3.4/src/stroke is just a wrapper script. The actual executable is found in strongswan-4.3.4/src/.libs/stroke

This is generally the case with all built executables and libraries. Always copy them from the corresponding .libs subdirectory.

Best regards
Andreas

Jessie Liu wrote:

Hi all,

I'm trying to make strongswan 4.3.4 work on my target board. I've successfully made this with strongswan 4.3.2. With strongswan 4.3.4, I've successfully started the two processes starter and charon, and tried to set up a connection by "ipsec up connection-name". But some errors occurred. The error message looks like this (I forgot to save the error message):

  /usr/libexec/ipsec/stroke: /root/product/src/apps/strongswan-4.3.4/src/stroke: No such file or directory.

It seems the path on the host computer is included in the script /usr/libexec/ipsec/stroke. How to avoid this? And I found that /usr/libexec/ipsec/stroke in 4.3.2 is an executable file and in 4.3.4 it is a script??

Thanks ^___^
Re: [strongSwan] setkey equivalent tool available?
strongSwan is an automatic keying daemon and therefore does not need any manual IPsec SA configuration tool. For monitoring purposes either the command "ip -s xfrm state|policy" or "ipsec statusall" can be used.

Andreas

Yong Choo wrote:

Is there a tool in strongSwan which performs the functions as in 'setkey' in racoon?

Thanks,
-Yong Cho