Re: [strongSwan] Problems compiling strongswan 4.2.9 on SLES10SP2

2008-12-01 Thread Andreas Steffen
Hi Nicole,

you can try the latest release candidate available from

  http://download.strongswan.org/strongswan-4.2.10rc5.tar.bz2

which fixes the xfrm.h header inclusion problem. If this doesn't
help either, then your rpm builder probably changes your linux
kernel header inclusion path. You can still replace the
XFRM_MODE_TUNNEL defines by their numerical values.

Regards

Andreas

Nicole Hähnel wrote:
 Hi,
 
 I changed the line and recompiled strongswan by hand.
 This works, but I have to build a rpm for about 20 servers and that does
 not work.
 (spec attached)
 
 starterstroke.c: In function starter_stroke_add_conn:
 starterstroke.c:246: error: XFRM_MODE_TUNNEL undeclared (first use in
 this function)
 starterstroke.c:246: error: (Each undeclared identifier is reported only
 once
 starterstroke.c:246: error: for each function it appears in.)
 starterstroke.c:250: error: XFRM_MODE_BEET undeclared (first use in
 this function)
 starterstroke.c:254: error: XFRM_MODE_TRANSPORT undeclared (first use
 in this function)
 if gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\"
 -DPACKAGE_VERSION=\"4.2.9\" -DPACKAGE_STRING=\"strongSwan\ 4.2.9\"
 -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.9\"
 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"
 -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"/dev/urandom\"
 -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220
 -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1
 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1
 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1
 -DYYTEXT_POINTER=1 -DHAVE_LIBDL=1 -DHAVE_BACKTRACE=1 -DHAVE_DLADDR=1
 -I. -I. -I../../src/libfreeswan -I../../src/pluto -I../../src/whack
 -I../../src/stroke   -DIPSEC_DIR=\"/usr/lib64/ipsec\"
 -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_PIDDIR=\"/var/run\" -DIPSEC_EAPDIR=\"\"
 -DDEBUG -O2 -g -fmessage-length=0 -D_FORTIFY_SOURCE=2 -W -Wall -MT
 confread.o -MD -MP -MF .deps/confread.Tpo -c -o
 confread.o confread.c; \
 then mv -f .deps/confread.Tpo .deps/confread.Po; else rm -f
 .deps/confread.Tpo; exit 1; fi
 starterwhack.c: In function pack_str:
 starterwhack.c:43: warning: comparison between signed and unsigned
 starterwhack.c: In function send_whack_msg:
 starterwhack.c:92: warning: comparison between signed and unsigned
 make[2]: *** [starterstroke.o] Error 1
 make[2]: *** Waiting for unfinished jobs
 starterwhack.c: In function starter_whack_add_pubkey:
 starterwhack.c:260: warning: pointer targets in assignment differ in
 signedness
 invokepluto.c: In function starter_start_pluto:
 invokepluto.c:218: warning: empty body in an if-statement
 invokepluto.c:261: warning: empty body in an if-statement
 confread.c: In function load_setup:
 confread.c:120: warning: comparison of unsigned expression < 0 is always
 false
 make[2]: Leaving directory
 `/usr/src/packages/BUILD/strongswan-4.2.9/src/starter'
 make[1]: *** [all-recursive] Error 1
 make[1]: Leaving directory `/usr/src/packages/BUILD/strongswan-4.2.9/src'
 make: *** [all-recursive] Error 1
 error: Bad exit status from /var/tmp/rpm-tmp.62454 (%build)
 
 
 RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.62454 (%build)
 
 Thanks!
 Nicole
 
 Tobias Brunner schrieb:
 Hi Nicole,

   starterstroke.c:246: error: XFRM_MODE_TUNNEL undeclared (first use in
   this function)

 The file starterstroke.c now uses these constants defined in xfrm.h
 instead of the hard-coded numeric values.  As you observed, some
 distributions provide older or different versions of this header file.
 For this reason we provide suitable copies of all required header files
 in src/include (which can be changed with the --with-linux-headers
 option of the configure script).  Unfortunately, the makefile of starter
 was missing the appropriate directive to include that path.  This has
 been fixed in [1] which will be included in the next release.  For a
 temporary solution you can add the missing directive to line 221 of
 src/starter/Makefile.in (see [1] for how that line should look).

 Best regards,
 Tobias

 [1] http://wiki.strongswan.org/changeset/4675
 

==
Andreas Steffen [EMAIL PROTECTED]
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] updown script failure?

2008-12-02 Thread Andreas Steffen
There seems to be a problem with iptables:

 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615

Which kernel and which iptables version are you using? Are you able
to insert an IPsec policy iptables rule manually?

iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT

iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  -s $PLUTO_MY_CLIENT $S_MY_PORT \
  -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT

Just replace all script parameters by their actual values.

The VPN_LOGGING information seems to be correct:

 vpn: + [EMAIL PROTECTED]
   10.10.0.1/32 == 65.x.x.138 -- 63.x.x.205 == 0.0.0.0/0

generated by

logger -t $TAG -p $FAC_PRIO \
  "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"

Best regards

Andreas

[EMAIL PROTECTED] wrote:
 Hi,
 
 I have a problem with my strongSwan setup. It looks like the insertion
 of a firewall rule by the updown script is failing. The log
 messages I am getting are not giving me a lot to go on... (my loglevel
 is set to 5 for CHD). I am hoping someone has seen this issue before
 or could recommend a troubleshooting way forward.
 
 Thanks
 -Dan C.
 
 General FYI
 Kernel=2.6.9-42.0.3
 No issues on startup
 Using EAP SIM Authentication
 Public IP addresses have been 'modified' in log below
 strongswan-4.2.5
 
 Log Message on tunnel initiation
 charon: 09[AUD] IKE_SA rw-eapsim-131000123601[1] established
 between [EMAIL PROTECTED]
 charon: 09[IKE] peer requested virtual IP %any
 charon: 09[IKE] assigning virtual IP 10.10.0.1 to peer
 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
 charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
 vpn: + [EMAIL PROTECTED] 10.10.0.1/32 == 65.x.x.138 --
 63.x.x.205 == 0.0.0.0/0
 charon: 09[AUD] CHILD_SA rw-eapsim-abc{1} established with SPIs
 c2cb37d5_i 33908b00_o and TS 0.0.0.0/0 === 10.10.0.1/32
 
 
 Log Message on Strongswan shutdown
  charon: 01[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1'
 PLUTO_VERB='down-client' PLUTO_CONNECTION='rw-eapsim-abc'
 PLUTO_INTERFACE='eth0' PLUTO_REQID='2' PLUTO_ME='63.x.x.205'
 PLUTO_MY_ID='sgw.xxx.com' PLUTO_MY_CLIENT='0.0.0.0/0'
 PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0'
 PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='65.x.x.138'
 PLUTO_PEER_ID='[EMAIL PROTECTED]'
 PLUTO_PEER_CLIENT='10.10.0.1/32' PLUTO_PEER_CLIENT_NET='10.10.0.1'
 PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0'
 PLUTO_PEER_PROTOCOL='0' ipsec _updown iptables
 charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist
 in that chain?)
 charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist
 in that chain?)
 vpn: - [EMAIL PROTECTED] 10.10.0.1/32 ==
 65.57.245.138 -- 63.80.235.205 == 0.0.0.0/0




Re: [strongSwan] ECDSA keys generation and export

2008-12-07 Thread Andreas Steffen
Vit Pelcak wrote:
 Hi.
 
 I'd like to ask you how can I create and export ECDSA certs and keys for
 this scenario:
 http://www.strongswan.org/uml/testresults42/openssl/ecdsa-certs/

I described the generation of EC keys in the following posting:

https://lists.strongswan.org/pipermail/users/2008-October/002789.html

The openssl ecparam -genkey puts a parameter description in front
of the actual EC key, a construct which strongSwan's private key parser
is not able to handle. Therefore either delete the parameter description
manually using an ASCII editor or execute the following cleansing command:

  openssl ec -in ecKey.pem -out ecKey.pem

 I already have CA and RSA certs and keys exported:
 
 # find /etc/ipsec.* | grep pem
 /etc/ipsec.d/private/machine-1.pem
 /etc/ipsec.d/certs/machine-1.pem
 /etc/ipsec.d/cacerts/ipsec-test.pem
 /etc/ipsec.d/crls/ipsec-crl.pem
 
 I can pass test:
 http://www.strongswan.org/uml/testresults42/openssl/ike-alg-ecp-high/
 
 Do I need whole new CA or just new keys and certs are enough?
 
No, you can use your CA's RSA key to sign an ECDSA certificate.

 Thank you.
 
 Regards
 Vit Pelcak

Regards

Andreas

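As an added illustration of the cleansing step above (not code from the posting or from strongSwan), the following Python filter shows what `openssl ecparam -genkey` leaves in front of the key and drops it. The sample PEM is constructed: its EC PARAMETERS block is the genuine DER encoding of the prime256v1 curve OID, while the EC PRIVATE KEY body is a placeholder that is never decoded.

```python
import base64
import re

# Constructed sample, not a real key: the layout "openssl ecparam -genkey"
# writes, i.e. an EC PARAMETERS block followed by the EC PRIVATE KEY block.
# Only the parameters block is real (named-curve OID of prime256v1); the key
# body is placeholder base64, so only its PEM framing matters here.
GENKEY_OUTPUT = """\
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIENPTlNUUlVDVEVELVBMQUNFSE9MREVSLU5PVC1BLVJFQUwtS0VZ
oAoGCCqGSM49AwEHoUQDQgAEUExBQ0VIT0xERVIAAAAAAAAAAAAAAAAAAAAA
-----END EC PRIVATE KEY-----
"""

# One PEM block: BEGIN/END labels must match; body is the base64 in between.
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----\n?",
    re.S,
)

def pem_blocks(text):
    """List of (label, base64 body) for every PEM block in the text."""
    return [(m.group("label"), m.group("body")) for m in BLOCK_RE.finditer(text)]

def starts_with_ec_parameters(text):
    """The situation the mail describes: a parameter description sitting in
    front of the actual key, which the strongSwan key parser rejects."""
    blocks = pem_blocks(text)
    return bool(blocks) and blocks[0][0] == "EC PARAMETERS"

def strip_ec_parameters(text):
    """Drop every EC PARAMETERS block and keep the other blocks verbatim.
    Same effect as the 'openssl ec -in ecKey.pem -out ecKey.pem' command
    from the mail, which rewrites only the EC PRIVATE KEY block."""
    return "".join(m.group(0) for m in BLOCK_RE.finditer(text)
                   if m.group("label") != "EC PARAMETERS")

def named_curve_oid(text):
    """Decode the curve OID from the EC PARAMETERS block. ecparam's default
    parameter encoding (named_curve) writes nothing but this OID, which is
    why the block is redundant: the key block already names the curve."""
    params = [body for label, body in pem_blocks(text) if label == "EC PARAMETERS"]
    if not params:
        return None
    der = base64.b64decode(params[0])
    if der[0] != 0x06:  # DER tag for OBJECT IDENTIFIER
        raise ValueError("EC PARAMETERS block is not a named-curve OID")
    body = der[2:2 + der[1]]
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs the first two arcs
    value = 0
    for b in body[1:]:  # remaining arcs are base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)
```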


Re: [strongSwan] SPI question

2009-01-16 Thread Andreas Steffen
The IPsec stack does not care about outgoing packets but uses the
SPI of incoming packets to look up the context in the SAD.
If a packet replay-window is set then restrictions on the ESP
packet sequence numbers apply.

Andreas

Jianqing Zhang wrote:
 When I configured SPD and SAD manually, I find that SPIs for the
 outgoing packets could be same but those for incoming packets must be
 unique. Why?



Re: [strongSwan] charon top statistics

2009-01-16 Thread Andreas Steffen
Hi Leonid,

the 160M are just virtual memory due to charon's 16 worker threads.
Actual resident memory use is only 2M. If virtual memory space is
an issue then you could reduce the number of threads to about 10 by
setting

charon {
  threads = 10
}

in /etc/strongswan.conf.

Best regards

Andreas

Leonid Sigal wrote:
 Hello, I have some top util results from charon running on my box ...
 It shows DATA size == 160M,
 which is way too much for me...
 Is there any way to reduce that size ...
 I would be happy with 10M :-)
 
 
 
   PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  CODE DATA COMMAND
 31484 root  20   0  163m 1940 1344 S  0.0  0.1  0:03.22  236 160m charon
 
 
 Regards,
 Leonid.



Re: [strongSwan] # of thread in strongswan

2009-01-20 Thread Andreas Steffen
As I recommended in my previous mail you should not reduce the number
of threads below 8..10, since depending on the plugins you have
activated, about 5..7 threads are permanently allocated to certain
tasks. If you go below the minimum, the charon daemon will just
deadlock.

Andreas

Leonid Sigal wrote:
 Configuring that number (# of threads) to less than 6 breaks strongSwan; it stops 
 working.
 Help needed with some explanation.
 
 Thanks,
 Leonid.



Re: [strongSwan] linux minimum stack size

2009-01-20 Thread Andreas Steffen
I don't know. You have to find out yourself.

Andreas

Leonid Sigal wrote:
 What minimum Linux stack size (ulimit -a) is acceptable for strongSwan?
 The Linux default is 10M, I would like to use much less ...
 
 Regards,
 Leonid.



Re: [strongSwan] dpd + nat keepalive

2009-01-21 Thread Andreas Steffen
In order to activate DPD you must set

  dpdaction=clear|hold|restart

because the default is dpdaction=none.

Andreas

Peter Müller wrote:
 Hello,
 
 I have set dpddelay=10, but I can only see that keepalives are sent in the 
 daemon.log. 
 I think the keepalives are NAT keepalives.
 Why is there no INFORMATIONAL sent every 10 seconds? I have no other traffic 
 sent through the tunnel.
 
 Regards
 Peter



Re: [strongSwan] Timestamps in logfile

2009-01-25 Thread Andreas Steffen
Hi Nicole,

the timestamps are added by the syslog daemon. Therefore it is not
possible for the pluto daemon to add them to a log file.

With --debug-none, i.e. if no debug options are added with a
plutodebug statement, then pluto generates very little logging
information (only whack output).

Best regards

Andreas

Nicole Hähnel wrote:
 Hi,
 
 I added plutostderrlog=/var/log/ipsec.log in ipsec.conf to prevent 
 strongswan from filling /var/log/messages with thousands of lines.
 But there is one handicap, no timestamps are written to the specified log.
 Is it possible to add timestamps?
 
 Thanks!
 Nicole



Re: [strongSwan] (no subject)

2009-01-26 Thread Andreas Steffen
Hi Keith,

the problem is on the other side because the peer is not
responding. Do you have any logs from the peer side?

Andreas

Keith Smith wrote:
 Hey folks,
  
 I'm a complete newbie who has inherited this IpSec solution from my
 predecessor.
 I have two working tunnels and one which fails.
 It failed after my colleague restarted ISECP on the firewall/vpn box on
 Gentoo.
  
 The error I get from ipsec status is
 
 000 bir-ams:
 xx.xx.xx.xx/24===xx.xx.xx.xx.---xx.xx.xx.xx...xx.xx.xx.xx---xx.xx.xx.xx===
 xx.xx.xx.xx/16; erouted HOLD; eroute owner: #0
 000 bir-ams:   ike_life: 28800s; ipsec_life: 1800s; rekey_margin: 180s;
 rekey_fuzz: 33%; keyingtries: 0
 000 bir-ams:   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,16; interface:
 eth1;
 000 bir-ams:   newest ISAKMP SA: #0; newest IPsec SA: #0;
 000 bir-ams:   IKE algorithms wanted: 5_000-2-5, 5_000-2-2, 5_000-1-5,
 5_000-1-2,
 000 bir-ams:   IKE algorithms found:  5_192-2_160-5, 5_192-2_160-2,
 5_192-1_128-5, 5_192-1_128-2,
 000 bir-ams:   ESP algorithms wanted: 3_000-1, 3_000-2,
 000 bir-ams:   ESP algorithms loaded: 3_192-1_128, 3_192-2_160,
  
 the line IKE newest is missing if I compare with a working tunnel
  
 My firewall log shows me that 
  max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or
 no acceptable response) to our first IKE message
  
 So I know it's failing at an early stage of negotiation.
 Please help.
 Are there any debugging options I can use that will give me more data so I
 can tell exactly where the failure occurs?
  
 Thanks in advance



Re: [strongSwan] dhcp / ip pool

2009-02-02 Thread Andreas Steffen
You must define a connection entry for each user since the
IKEv1 pluto daemon does not support address pools:

conn %default
 right=%any
 
 auto=add

conn alice
 rightid=al...@strongswan.org
 rightsourceip=10.3.0.1

conn bob
 rightid=...@strongswan.org
 rightsourceip=10.3.0.2

...

Regards

Andreas

tobias.gru...@uni-ulm.de wrote:
 Hello,
 
 thx for your answer.
 strongSwan's IKEv1 (Pluto) can give the clients a virtual IP with
 mode config, but this is a proprietary protocol.
 You explained this:
 but the virtual IP addresses must be defined individually using
 rightsourceip= in the ipsec.conf file of the VPN gateway. There
 is no pool functionality available.
 
 How can I define an individual IP in the ipsec.conf in the vpn-gateway.
 I see only the option to give one IP with rightsourceip=
 
 Regards
 Tobias
 
 Quoting Andreas Steffen andreas.stef...@strongswan.org:
 
 Hi Tobias,

 RFC3456 is about DHCP-over-IPsec which doesn't use IKE at all
 but ESP to exchange virtual IP information. To this purpose
 a short-lived IPsec SA with traffic selectors

outer client IP -- 0.0.0.0/0

 restricted to the bootps -- bootpc UDP ports is established
 first. This scheme didn't find much acceptance. As far as I know
 only SSH Sentinel and Sonicwall implemented it. A long time ago
 we contributed a DHCP relay function that could be used with
 an X.509-enhanced FreeS/WAN gateway to pass on the decapsulated
 ESP packets to a DHCP server:

   http://www.strongsec.com/freeswan/dhcprelay/index.htm

 When IKEv2 was being designed there was an intensive discussion
 on DHCP-over-IPsec but Cisco et al. opted for the configuration
 payload instead.

 Best regards

 Andreas

 Tobias Gruber wrote:
 Andreas Steffen schrieb:
 Hi Tobias,

 with the IKEv1 pluto daemon it is possible to request IP addresses
 via the proprietary IKEv1 Mode Config protocol extension

   http://tools.ietf.org/html/draft-dukes-ike-mode-cfg-02

 but the virtual IP addresses must be defined individually using
 rightsourceip= in the ipsec.conf file of the VPN gateway. There
 is no pool functionality available.

 Regards

 Andreas

 Tobias Gruber wrote:

 Hello,

 does IKEv1 have a solution to give the client an IP address from an
 IP pool or via DHCP?
 Or is this only possible in IKEv2?

 In the IKEv2 RFC stands:

  1) To define the entire IKE protocol in a single document, replacing
     RFCs 2407, 2408, and 2409 and incorporating subsequent changes to
     support NAT Traversal, Extensible Authentication, and Remote Address
     acquisition;

 It sounds like IKEv1 has a solution for Remote Address acquisition. In
 which RFC is this specified?

 Regards
 Tobias


 Hello,

 I found this RFC http://www.ietf.org/rfc/rfc3456.txt
 There it sounds like IKEv1 can use this non-proprietary protocol to
 give the client a virtual IP?

 Or am I wrong?

 Regards
 Tobias



Re: [strongSwan] ike rekeying ikev2

2009-02-02 Thread Andreas Steffen
Yes, the charon IKEv2 daemon starts the IPsec SA rekeying
at least rekeymargin seconds before the expiration of the CHILD_SA.
The rekeyfuzz parameter is used to randomize the rekeying times.

Regards

Andreas
tobias.gru...@uni-ulm.de wrote:
 Hello,
 
 Is the IKE rekeying also without a break with rekeyfuzz?
 So does the tunnel behave like with CHILD_SA rekeying, without a break?
 
 Regards
 Tobias



Re: [strongSwan] IKEv2 base exchange with strongswan

2009-02-02 Thread Andreas Steffen
Hi Antonio,

you'll find general information on strongSwan installation and
configuration in our wiki:

  http://wiki.strongswan.org/

and a MobIKE scenario under

  http://www.strongswan.org/uml/testresults42/ikev2/mobike-virtual-ip/

Best regards

Andreas

antonio quisillo wrote:
 Hi folks,
 My name is Antonio and I'm new to IKEv2 and strongSwan. I'm doing my master
 thesis in telecommunication engineering at Politecnico di Torino and I have
 to find a solution to the host mobility problem. I mean, I have to find a
 layer 3 solution that maintains application continuity between a host and
 a server during the movement of the host through different networks.
 For example, I start a video stream from the youtube server when I'm in my
 office on fixed Ethernet and later I disconnect the laptop from the
 Ethernet and move to another network (for example a WLAN network),
 therefore the laptop changes its IP address (it moves from one address to
 another address). In this scenario I don't want to reboot the connection to
 the youtube server and I want to receive the video stream again.
 I think that MobIKE is a good solution to my problem.
 I have a question: I have downloaded and installed the strongSwan 4.2 branch
 (IKEv1 & IKEv2 for Linux 2.6 kernels) but I don't know how to use the
 daemon. Which commands should I use? Is there any manual that I can follow?
 
 Best regards.
 
 Antonio



Re: [strongSwan] Must the source IP in SA (used for outgoing packets) be the sender's IP?

2009-02-18 Thread Andreas Steffen
strongSwan is an automatic keying daemon and does not care about
manually configured SPs and SAs as long as they do not conflict
with its own policies and associations. It seems to me that the
strongSwan mailing list is not the right forum for your questions.

Best regards

Andreas

Jianqing Zhang wrote:
 When I configure SP and SA manually for an outgoing packet, must the
 source IP in the SA be the sender's (local host's) IP? Will strongSwan or the
 native IPsec module check the consistency?
 
 Thanks



Re: [strongSwan] Nokia E-Series vpn client (JFYI)

2009-02-23 Thread Andreas Steffen
Hi Dimitrij,

in the presence of a NAT situation the client switches
to UDP port 4500 starting with the IKE_AUTH request.
Since this request is never received by the strongSwan
gateway, could it be that some firewall is blocking
UDP port 4500?

Best regards

Andreas

Dimitrij Hilt wrote:
 Hi Andreas,
 
 ipsec.conf:
 gw-ipsec-mobile-eue:~# cat /etc/ipsec.conf
 # ipsec.conf - strongSwan IPsec configuration file
 
 # basic configuration
 
 config setup
 crlcheckinterval=180
 strictcrlpolicy=no
 charonstart=yes
 plutostart=no
 
 # Add connections here.
 
 # Sample VPN connections
 conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=1
 
 
 
 conn MOBILE
   left=MY_EXTERNAL_IP
   leftcert=gw-ipsec-mobile.pem
   right=%any
   rightsourceip=10.1.2.2
   rightsubnet=10.1.2.2/32
   keyexchange=ikev2
   auto=add
 
 #include /etc/ipsec.d/examples/no_oe.conf
 
 Logfile:
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[DMN] starting charon
 (strongSwan Version 4.2.4)
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] listening on interfaces:
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]   eth0
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.0.14
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] 10.1.2.1
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL] MY_EXTERNAL_IP
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[KNL]
 fe80::216:3eff:fe01:e
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ca
 certificates from '/etc/ipsec.d/cacerts'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[LIB]   loaded certificate
 file '/etc/ipsec.d/cacerts/ca.pem'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading aa
 certificates from '/etc/ipsec.d/aacerts'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading ocsp signer
 certificates from '/etc/ipsec.d/ocspcerts'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading attribute
 certificates from '/etc/ipsec.d/acerts'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading crls from
 '/etc/ipsec.d/crls'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG] loading secrets from
 '/etc/ipsec.secrets'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[CFG]   loaded private key
 file '/etc/ipsec.d/private/gw-ipsec-mobile.key'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 01[JOB] spawning 16 worker
 threads
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] received stroke: add
 connection 'MOBILE'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[LIB]   loaded certificate
 file '/etc/ipsec.d/certs/gw-ipsec-mobile.pem'
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG]   peerid
 87.106.225.59 not confirmed by certificate, defaulting to subject DN
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] added configuration
 'MOBILE': MY_EXTERNAL_IP[C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe,
 O=FHE3 GmbH, OU=Systemadministration, CN=gw-ipsec-mobile.fhe3.net,
 e=notdie...@fhe3.com]...0.0.0.0[%any]
 Feb 22 18:58:58 gw-ipsec-mobile-eue charon: 04[CFG] adding virtual IP
 address pool 'MOBILE': 10.1.2.2/32
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] received packet:
 from 93.192.185.142[61076] to MY_EXTERNAL_IP[500]
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] parsed IKE_SA_INIT
 request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[AUD] 93.192.185.142 is
 initiating an IKE_SA
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] IKE_SA '(unnamed)'
 state change: CREATED => CONNECTING
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] remote host is
 behind NAT
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[IKE] sending cert request
 for C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=FHE3 GmbH,
 OU=Systemadministration, CN=FHE3 GmbH CA, e...@fhe3.com
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[ENC] generating
 IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
 Feb 22 18:59:10 gw-ipsec-mobile-eue charon: 09[NET] sending packet: from
 MY_EXTERNAL_IP[500] to 93.192.185.142[61076]
 Feb 22 18:59:40 gw-ipsec-mobile-eue charon: 10[JOB] deleting half open
 IKE_SA after timeout
 
 
 The Nokia policy was created by a new tool as IKEv2. I've tried to create the
 policy with and without advanced settings, but nothing works for me.
 
 How did you create a policy in your tests?
 
 Regards,
 
 Dimitrij
 
 Andreas Steffen schrieb:
 Hi Dimitrij,

 in order to help you we'd need your strongSwan ipsec.conf and a
 detailed log file.

 Regards

 Andreas

 Dimitrij Hilt wrote:
 Hi,

 do you have more information about strongSwan and Nokia configuration?
 I've tried a Nokia E71 with openswan cert and PSK, then a Nokia E71 with
 strongSwan, but nothing will work together.

 Dimitrij



[strongSwan] ANNOUNCE: strongswan-4.2.12 and NetworkManager-strongswan-1.0.0 released

2009-02-24 Thread Andreas Steffen
We are happy to announce the release of strongSwan 4.2.12 which
improves the IKEv2 interoperability with the Windows 7 Agile VPN Client
and the first separate release 1.0.0 of the strongSwan VPN applet
for the GNOME NetworkManager.

- Definition of up to two DNS and/or up to two WINS IPv4 or IPv6
  nameservers in strongswan.conf. The syntax is

  charon {
dns1 = 192.168.0.100
dns2 = 192.168.0.101
nbns1 = 192.168.0.150
nbns2 = 192.168.0.151
  }

  This information is sent to the peer via the IKEv2 Configuration
  Payload. On Linux peers the DNS information is added to
  /etc/resolv.conf and on Windows 7 peers both DNS and WINS
  information is assigned together with a virtual IP address to
  the virtual network adapter.

- Support of the IKEv2 EAP-MSCHAPv2 protocol.
  This allows EAP interoperability with a Windows 7 client as a
  strongSwan VPN gateway or with a Windows 2008 Server R2 as a
  strongSwan VPN client. A strongSwan - strongSwan scenario is
  shown here:

  http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-mschapv2-rsa/

  The EAP user credentials are stored in ipsec.secrets.
  The EAP-MSCHAPv2 plugin is activated with the following options

  ./configure --enable-md4 --enable-eap-identity --enable-eap-mschapv2

  A word of warning: The Windows 7 Beta Agile VPN client currently
  ignores the RSA signature sent by the VPN gateway. Therefore the
  server is authenticated solely based on the mutual property of
  the MS-CHAP v2 protocol which might be too weak. Thus for the
  time being we recommend the use of strong mutual authentication
  based on X.509 machine certificates as described in our Windows 7
  HOWTO:

  http://wiki.strongswan.org/wiki/Windows7

- The strongSwan VPN applet for the GNOME NetworkManager is not part
  of the strongSwan 4.2.12 tarball any more but is distributed as a
  separate NetworkManager-strongswan-1.0.0 package available here:

  http://download.strongswan.org/NetworkManager/

  The installation and configuration either as a Ubuntu/Debian package
  or from the tarball is described in the NetworkManager HOWTO:

  http://wiki.strongswan.org/wiki/NetworkManager

  We hope that NetworkManager-strongswan will quickly become an
  official package in all major Linux distributions.

  Best regards

  the strongSwan team: Tobias Brunner, Martin Willi, Andreas Steffen



Re: [strongSwan] Common value for DPD timeout

2009-02-26 Thread Andreas Steffen
Hi Youngsang,

since IKEv2 uses INFORMATIONAL requests for DPD the regular
retransmission scheme for IKEv2 messages with 5 trials applies:

See the following sample scenario with dpddelay = 10 seconds:

http://www.strongswan.org/uml/testresults42/ikev2/dpd-clear/

Jan 21 01:55:15 moon charon:
   11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# DPD message sent after dpddelay = 10s:
Jan 21 01:55:25 moon charon:
   12[IKE] sending DPD request
Jan 21 01:55:25 moon charon:
   12[ENC] generating INFORMATIONAL request 0 [ ]
Jan 21 01:55:25 moon charon:
   12[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# First retransmission after 4 seconds:
Jan 21 01:55:29 moon charon:
   13[IKE] retransmit 1 of request with message ID 0
Jan 21 01:55:29 moon charon:
   13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Second retransmission after another 7 seconds:
Jan 21 01:55:36 moon charon:
   15[IKE] retransmit 2 of request with message ID 0
Jan 21 01:55:36 moon charon:
   15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Third retransmission after another 13 seconds:
Jan 21 01:55:49 moon charon:
   03[IKE] retransmit 3 of request with message ID 0
Jan 21 01:55:49 moon charon:
   03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Fourth retransmission after another 24 seconds:
Jan 21 01:56:13 moon charon:
   11[IKE] retransmit 4 of request with message ID 0
Jan 21 01:56:13 moon charon:
   11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Fifth retransmission after another 42 seconds:
Jan 21 01:56:55 moon charon:
   16[IKE] retransmit 5 of request with message ID 0
Jan 21 01:56:55 moon charon:
   16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# No answer - peer is declared dead after 2 minutes and 45 seconds:
Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits

This behaviour is hard-coded and cannot be changed.

Best regards

Andreas

Youngsang Shin wrote:
 Hi all,
 
 Which value is usually set for DPD timeout in a real IKEv2 setup? If  
 DPD is not used, any other keepalive timeout value?
 
 It seems that strongSwan's default value for DPDtimeout is 120
 seconds. Is this value commonly used in a real environment?
 
 
 Thanks,
 Youngsang
 

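The retransmission schedule Andreas walks through above, as an added example that is not part of the thread or of strongSwan's code: the gaps follow timeout * base^n, with the constants 4 s, 1.8 and 5 tries assumed here because they reproduce the log, and the IKE lines of that log are re-checked against the computed schedule.

```python
import re
from datetime import datetime

# Retransmission scheme charon applies to the INFORMATIONAL (DPD) request:
# retransmit n is sent timeout * base**n seconds after the previous send, and
# after `tries` retransmits the peer is declared dead.  In the 4.2 series
# discussed in the thread these values are hard-coded; the constants below are
# assumed (they reproduce the log).  Later releases expose them in
# strongswan.conf as charon.retransmit_tries/retransmit_timeout/retransmit_base.
RETRANSMIT_TRIES = 5
RETRANSMIT_TIMEOUT = 4.0
RETRANSMIT_BASE = 1.8


def retransmit_intervals(tries=RETRANSMIT_TRIES, timeout=RETRANSMIT_TIMEOUT,
                         base=RETRANSMIT_BASE):
    """Seconds between consecutive sends, ending with the gap before 'giving up'."""
    return [timeout * base ** n for n in range(tries + 1)]


def dpd_detection_time(dpddelay, **kwargs):
    """Seconds from the last IKE traffic until the peer is declared dead:
    dpddelay until the DPD request, then the whole retransmit schedule."""
    return dpddelay + sum(retransmit_intervals(**kwargs))


# The [IKE] lines of the dpd-clear log quoted in the thread, re-joined onto
# single lines (the archive wrapped each one after "charon:").
LOG = """\
Jan 21 01:55:25 moon charon: 12[IKE] sending DPD request
Jan 21 01:55:29 moon charon: 13[IKE] retransmit 1 of request with message ID 0
Jan 21 01:55:36 moon charon: 15[IKE] retransmit 2 of request with message ID 0
Jan 21 01:55:49 moon charon: 03[IKE] retransmit 3 of request with message ID 0
Jan 21 01:56:13 moon charon: 11[IKE] retransmit 4 of request with message ID 0
Jan 21 01:56:55 moon charon: 16[IKE] retransmit 5 of request with message ID 0
Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: +\d+\[IKE\] "
    r"(?P<event>sending DPD request|retransmit \d+ of request|giving up)"
)


def dpd_send_times(log):
    """Timestamps of the DPD send, each retransmit and the give-up line."""
    times = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return times


def observed_gaps(log):
    """Seconds between consecutive DPD events in the log."""
    times = dpd_send_times(log)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def schedule_matches(log, tolerance=1.0, **kwargs):
    """True if every gap in the log is within `tolerance` seconds of the
    computed schedule (syslog timestamps only have one-second resolution)."""
    expected = retransmit_intervals(**kwargs)
    gaps = observed_gaps(log)
    return len(gaps) == len(expected) and all(
        abs(g - e) <= tolerance for g, e in zip(gaps, expected))


if __name__ == "__main__":
    labels = [f"retransmit {n}" for n in range(1, RETRANSMIT_TRIES + 1)]
    labels.append("giving up")
    for label, secs in zip(labels, retransmit_intervals()):
        print(f"{secs:5.1f} s before {label}")
    print(f"with dpddelay=10 the peer is declared dead after "
          f"{dpd_detection_time(10):.0f} s")
    print("log matches schedule:", schedule_matches(LOG))
```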


Re: [strongSwan] Tunnel dosn't build by itself

2009-02-26 Thread Andreas Steffen

If you want to trigger the tunnel setup by payload packets then you
must define

  auto=route

Regards

Andreas

Svend Høst wrote:

Hi

I've made a router out of an EPIA SN board, and it really performs well (80
Mbit iperf over VPN).

But it seems to me that the tunnel doesn't start automatically?

But if I do an ipsec up net-net-svende @work, then the tunnel builds fine, but
I can't ping from my LAN PC and trigger the tunnel.

Can it be something with my iptables?

with kind regards
Svend


@home :

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
plutostart=no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no

conn net-net-pallas
left=%defaultroute
leftsubnet=left_lan_subnet (172.17.14.0/24)
leftid=left_wan_ip
leftfirewall=yes
leftsourceip=left_lan_gateway
right=right_wan_ip
rightsubnet=right_lan_subnet/24
rightid=right_wan_ip
auto=add
type=tunnel

include /var/lib/strongswan/ipsec.conf.inc


@work :

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
plutostart=no
interfaces=ipsec0=eth0

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no

conn net-net-svende
left=%defaultroute
leftsubnet=left_lan_subnet/24 (193.163.101.0/24)
leftid=left_wan_ip
leftfirewall=yes
leftsourceip=left_lan_gateway
right=right_wan_ip
rightsubnet=right_lan_subnet (172.17.14.0/24)
rightid=right_wan_ip
auto=add
type=tunnel




Re: [strongSwan] ipsec up host-host

2009-03-09 Thread Andreas Steffen
Hi,

it seems as if you messed up your public key infrastructure:

your end entity certificate is

'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'

but no matching private key is found, either because the private key
file defined in /etc/ipsec.secrets

 : RSA myKey.pem optional passphrase

is not found in /etc/ipsec.d/private/ or because the passphrase is wrong
if the key file is encrypted. Execute

  ipsec rereadsecrets

and check for error messages in the log! Everything is ok if

  ipsec listcerts

shows

 .., has private key

in the listing of the end entity certificate. There is also something
wrong with your CA certificates. The peer requests an end entity
certificate from you issued by the unknown CA with the public key hash

01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70

whereas you have a CA certificate

'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,CN=ishan,
 e=is...@gmail.com'

In principle it is possible to work with mixed CAs but this is probably
not what you had in mind. Usually both myCert.pem and peerCert.pem
are issued by the same CA. This common CA certificate must be stored
in /etc/ipsec.d/cacerts/. I doubt that

'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce, CN=ishan, e=is...@gmail.com'

is signed by the CA

'C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise, CN=ishan,
 e=is...@gmail.com'

Best regards

Andreas

abhishek kumar wrote:
 hello ..
 i am new to using strongswan. please help me set up the host-host case.. I am
 getting a problem executing the command ipsec up host-host
 
 RESULT IS:
 
 [r...@sun etc]# ipsec start
 Starting strongSwan 4.2.11 IPsec [starter]...
 
 [r...@moon etc]# ipsec restart
 Starting strongSwan 4.2.11 IPsec [starter]...
 
 [r...@moon etc]# sleep 1
 
 [r...@ishan etc]# ipsec up host-host
 initiating IKE_SA host-host[4] to 192.168.3.4
 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 sending packet: from 192.168.3.3[500] to 192.168.3.4[500]
 received packet: from 192.168.3.4[500] to 192.168.3.3[500]
 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
 received cert request for unknown ca with keyid
 01:fb:b7:53:45:4f:73:0a:5b:d0:d7:08:29:2c:8e:2a:3d:f0:90:70
 sending cert request for C=GB, ST=Berkshire, L=Newbury, O=rvce, OU=ise,
 CN=ishan, e=is...@gmail.com
 no private key found for 'C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=rvce,
 CN=ishan, e=is...@gmail.com'
 generating authentication data failed
 
 please let me know where the mistake might be..
 
 thanks in advance..
 
 with regards
 
 Abhishek Kumar



Re: [strongSwan] Error exporting PKCS12 file...

2009-03-10 Thread Andreas Steffen
Hi Richard,

"unable to load private key" means that rw.key is not found. Is the key
file really located in the current directory or rather in the
demoCA/private/ directory?

Andreas

Richard Whittaker wrote:
 Greetings:
 
 I realize this might not be the perfect list for my problem, but figure
 there are enough experts here to have an idea why I'm having this
 problem...
 
 I'm going through the instructions for setting up Strongswan with Windows
 at Nate Carlson's page, and I'm trying to export machine certificates in
 PKCS12 format, and I have hit the following roadblock:
 
 ad...@host:/var/sslca# openssl pkcs12 -export -in rw.pem -inkey rw.key
 -certfile demoCA/cacert.pem -out rw.p12
 unable to load private key
 
 demoCA/cacert.pem most certainly exists, and trying to google my way out
 of this hole hasn't been successful. I'm looking for any thoughts or
 suggestions on how to further troubleshoot and get around this issue...
 
 Thanks,
 Richard.



Re: [strongSwan] help debugging pluto segfault

2009-03-10 Thread Andreas Steffen
Hi Gerd,

thanks for the patch. I fixed the problem a little more transparently
by moving the conditional delete_connection() function call out of
delete_states_by_connection():

  http://wiki.strongswan.org/changeset/4924

I'm also going to use the uml scenario provided by you for future
regression testing:

  http://wiki.strongswan.org/changeset/4926

These changesets have been integrated into the latest release candidate

 http://download.strongswan.org/strongswan-4.2.13rc4.tar.bz2

Best regards

Andreas

Gerd v. Egidy wrote:
 Hi,
 
 thanks for looking into this.
 
 A simple workaround in order to avoid segfaults would be to not call
 unroute_connection(c) if c-kind == CK_INSTANCE and to cache c-name.
 
 How about the attached patch?
 
 Unfortunately DPD_ACTION_RESTART would not succeed by using the
 connection template designated by c-name if right=%any or if the
 IP address of the peer has changed in the meantime in the case of
 rightallowany=yes.
 
 Hmm. I don't know if restarting a connection in this case would make sense:
 
 If you use right=%any or rightallowany=yes, the remote end is usually using a 
 dialup with dynamic ip. On a dead peer condition the remote side has changed 
 ips most of the time so reconnecting to the old one does not make sense. If 
 you want such a connection to be up all the time it would make much more 
 sense 
 to use DPD on the client and not on the server. If both sides are on dynamic 
 ips you have to wait for dyndns to update anyway.
 
 Thus the proper way would be to avoid deleting the connection instance
 in the DPD timeout case so that the latest IP address would still be
 available.
 
 So I think the added complexity of this approach is not necessary. Or can 
 you 
 think of a scenario where such a configuration would make sense?
 
 Kind regards,
 
 Gerd



Re: [strongSwan] checkpoint with username and password

2009-03-18 Thread Andreas Steffen
Hi Michael,

strongSwan offers the following support for username password:

- IKEv1 Main Mode with Mutual RSA authentication +
  XAUTH client authentication with username/password
  http://www.strongswan.org/uml/testresults42/ikev1/xauth-rsa/

- IKEv2 Server Side RSA authentication + client side EAP authentication:

  EAP-GTC
  http://tools.ietf.org/html/draft-sheffer-ikev2-gtc-00

  EAP-MD5
  http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-md5-rsa/

  EAP-MSCHAPv2
  http://www.strongswan.org/uml/testresults42/ikev2/rw-eap-mschapv2-rsa/

I don't know if Checkpoint has already rolled out IKEv2, though.

Best regards

Andreas

Michael Mengershausen wrote:
 Hello Strongswan-team,
 
 is there a setup with strongswan for username and password (one time 
 password, otp) authentication with a checkpoint vpn-server ?
 
 Best regards
   Michael



Re: [strongSwan] key length

2009-03-18 Thread Andreas Steffen
 RFC 3947: peer is NATed
 Mar 17 05:40:11 sb pluto[11077]: rw[3] xxx.xxx.xxx.xxx #25: max
 number of retransmissions (2) reached STATE_MAIN_R2
 Mar 17 05:40:11 sb pluto[11077]: rw[3] xxx.xxx.xxx.xxx: deleting
 connection rw-internet-mx instance with peer xxx.xxx.xxx.xxx
 {isakmp=#0/ipsec=#0}
 
 The other side's pluto seems unable to identify the incoming
 connection and it runs into the general one rw instead of the
 dedicated connection probcon which is provided with the parameter
 rightid with the correct id, let's say, rightid=C=us, ST=sp, L=sp,
 O=corp, OU=us, CN=sa, e...@google.com, so there's no connection.
 Interestingly, the connection worked with the 2048 bit key when the
 sa's host cert was shared and was enabled with the parameter
 rightcert on the other side sb.
 
 When I recreated the key (the host cert) with 1024 bit, i.e. without
 the option -newkey rsa:2048, ipsec simply started to work:
 
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 ignoring Vendor ID payload [strongSwan 2.8.8]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 received Vendor ID payload [XAUTH]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 received Vendor ID payload [Dead Peer Detection]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 received Vendor ID payload [RFC 3947]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
 Mar 18 01:29:39 sb pluto[23671]: packet from xxx.xxx.xxx.xxx:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
 Mar 18 01:29:39 sb pluto[23671]: rw[1] xxx.xxx.xxx.xxx #22:
 responding to Main Mode from unknown peer xxx.xxx.xxx.xxx
 Mar 18 01:29:39 sb pluto[23671]: rw[1] xxx.xxx.xxx.xxx #22:
 NAT-Traversal: Result using RFC 3947: peer is NATed
 Mar 18 01:29:39 sb pluto[23671]: rw[1] xxx.xxx.xxx.xxx #22: Peer ID
 is ID_DER_ASN1_DN: 'C=us, ST=sp, L=sp, O=corp, OU=us, CN=sa,
 e...@google.com'
 Mar 18 01:29:39 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx #22:
 deleting connection rw instance with peer xxx.xxx.xxx.xxx
 {isakmp=#0/ipsec=#0}
 Mar 18 01:29:39 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx #22: we
 have a cert and are sending it
 Mar 18 01:29:39 sb pluto[23671]: | NAT-T: new mapping 
 xxx.xxx.xxx.xxx:500/4500)
 Mar 18 01:29:39 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx:4500
 #22: sent MR3, ISAKMP SA established
 Mar 18 01:29:40 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx:4500
 #23: responding to Quick Mode
 Mar 18 01:29:41 sb pluto[23671]: probcon[1] xxx.xxx.xxx.xxx:4500
 #23: IPsec SA established {ESP=0x3cf5470f 0xe61e98cd
 IPCOMP=0x37d4 0xc76d NATOA=0.0.0.0}
 
 I think it is not made clear in the doc that a key/a host cert is
 *required* to be 1024 bit though it is mentioned in the doc:
 ---
 http://strongswan.org/docs/readme2.htm#section_3.2
 3.2 Generating a host or user certificate
 The OpenSSL statement
 
 openssl req -newkey rsa:1024 -keyout hostKey.pem -out hostReq.pem
 
 generates a 1024 bit RSA private key hostKey.pem and a certificate
 request hostReq.pem which has to be signed by the CA.
 ---
 
 
 Btw:
 
 The parameter plutoopts=--ikeport 4500 doesn't work:
 Mar 18 07:54:08 sa ipsec_starter[22899]: /etc/ipsec.conf:15: unknown
 keyword 'plutoopts' [--ikeport 4500]
 Mar 18 07:54:08 sa ipsec_starter[22899]: unable to start strongSwan --
 fatal errors in config
 
 The parameter leftsourceip still lacks its description in man ipsec.conf.
 
 Best regards,
 Michael.



Re: [strongSwan] key length

2009-03-18 Thread Andreas Steffen
Hi Michael,

overridemtu only helps with IPsec ESP payload packets and the
KLIPS IPsec stack from the FreeS/WAN project. It does not help
with IKE because the messages MI3 and MR3 cannot be logically
split into two UDP datagrams (some VPN vendors have a proprietary
FRAGMENTATION option, though, which strongSwan does not support).

I'm not sure if strongSwan 2.8.8 already supports the leftsendcert=
option which would allow a third workaround:

On both sides install the peer certificate locally and disable
the sending of certificate requests and certificates:

config setup
 nocrsend=yes

conn myconn
 leftcert=myCert.pem
 leftsendcert=never
 rightcert=peerCert.pem

Regards

Andreas

Michael Roy wrote:
 The IKE protocol is transported in UDP datagrams. If you are
 transmitting certificates with 2048 bit RSA keys the IKE message
 becomes larger than the MTU of 1500 bytes and the datagram gets
 fragmented. Most firewalls and many routers discard IP fragments
 by default so the IKE message never reaches its destination.
 
 but with the 2048 bit key it is 1480/1500
 
 And, ummm... :)
 Well, yes, they are lost, of course.
 Though they are sent they do not reach their destination.
 Interestingly, there's still no trace of fragmentation nor any
 information from the net, they are simply lost.
 This is my case.
 
 Btw, what do you think about the parameter overridemtu? Shall it help?
 
 Best regards,
 Michael.



Re: [strongSwan] [PATCH] timeout for graceful shutdown of pluto too short

2009-03-27 Thread Andreas Steffen
Hi Gerd,

I applied invokecharon's start and stop timing scheme to invokepluto:

  http://wiki.strongswan.org/changeset/5050

the starter waits during 8 seconds for the pluto daemon to clean up
and then becomes more aggressive during the next 2 seconds.

Best regards

Andreas

Gerd v. Egidy wrote:
 Hi,
 
 one of our customers reported problems when changing a global config
 option of pluto. After updating pluto, some connections could not be 
 established again. In the log you can see what happens:
 
 Mar 26 11:32:16 intravpn1 ipsec_starter[7694]: Pluto has changed
 Mar 26 11:32:16 intravpn1 pluto[7695]: |  
 Mar 26 11:32:16 intravpn1 pluto[7695]: | *received whack message
 Mar 26 11:32:17 intravpn1 pluto[7695]: shutting down
 Mar 26 11:32:17 intravpn1 pluto[7695]: forgetting secrets
 Mar 26 11:32:17 intravpn1 pluto[7695]: C6: deleting connection
 [...]
 Mar 26 11:32:17 intravpn1 pluto[7695]: C4: deleting connection
 Mar 26 11:32:17 intravpn1 pluto[7831]: Starting Pluto (strongSwan Version 
 2.8.8 VENDORID KEYRR)
 
 Not all connections are shut down cleanly and nevertheless a new pluto 
 process is started. Shortly after we run into problems:
 
 Mar 26 11:32:22 intravpn1 pluto[7831]: | route owner of C2 unrouted: NULL; 
 eroute owner: NULL
 Mar 26 11:32:22 intravpn1 pluto[7831]: | add inbound eroute 192.168.2.0/24:0 
 - 192.168.10.0/24:0 = tun.10...@172.16.6.1:0
 Mar 26 11:32:22 intravpn1 pluto[7831]: C2 #2: ERROR: netlink 
 XFRM_MSG_NEWPOLICY response for flow tun.10...@172.16.6.1 included errno 17: 
 File exists
 Mar 26 11:32:22 intravpn1 pluto[7831]: | sr for #2: unrouted
 Mar 26 11:32:22 intravpn1 pluto[7831]: | route owner of C2 unrouted: NULL; 
 eroute owner: NULL
 Mar 26 11:32:22 intravpn1 pluto[7831]: | eroute_connection add eroute 
 192.168.10.0/24:0 - 192.168.2.0/24:0 = tu...@172.16.6.2:0
 Mar 26 11:32:22 intravpn1 pluto[7831]: C2 #2: ERROR: netlink 
 XFRM_MSG_NEWPOLICY response for flow tu...@172.16.6.2 included errno 17: File 
 exists
 Mar 26 11:32:22 intravpn1 pluto[7831]: | route_and_eroute: firewall_notified: 
 false
 Mar 26 11:32:22 intravpn1 pluto[7831]: | delete inbound eroute 
 192.168.2.0/24:0 - 192.168.10.0/24:0 = unk255.10...@172.16.6.1:0
 Mar 26 11:32:22 intravpn1 pluto[7831]: | state transition function for 
 STATE_QUICK_I1 had internal error
 
 I debugged this and found out that starter gives a pluto process only
 400.000 microseconds / 0.4 sec for a graceful shutdown. Afterwards the
 old pluto process gets killed with SIGTERM and later SIGKILL (see 
 starter/invokepluto.c: starter_stop_pluto()). This time does not seem to 
 be enough for shutting down 20 connections on a regular AMD dualcore.
 
 Attached you'll find a patch which extends this period to 10 seconds and 
 adds a log message when pluto is killed and not shut down gracefully.  
 This will help debugging should someone else face this problem again. 
 
 It would be nice if this or a similar patch could be included in the next
 (non-security) strongswan release. Thank you very much.
 
 Kind regards,
 
 Gerd



Re: [strongSwan] INVALID_KEY_INFORMATION when connecting to Checkpoint VPN

2009-04-06 Thread Andreas Steffen
If you are using the checkpoint certificate then it must contain
the CheckPoint's IP address as a subjectAltName.

Regards

Andreas

Eugene Kotlyarov wrote:
 Hi
 
 Could someone tell me whats wrong with my setup?
 I have following error
 
 002 checkpoint-openswan #4: initiating Main Mode
 104 checkpoint-openswan #4: STATE_MAIN_I1: initiate
 106 checkpoint-openswan #4: STATE_MAIN_I2: sent MI2, expecting MR2
 002 checkpoint-openswan #4: we have a cert and are sending it upon request
 108 checkpoint-openswan #4: STATE_MAIN_I3: sent MI3, expecting MR3
 003 checkpoint-openswan #4: discarding duplicate packet; already 
 STATE_MAIN_I3
 002 checkpoint-openswan #4: Peer ID is ID_IPV4_ADDR: 'x.x.119.254'
 002 checkpoint-openswan #4: crl not found
 002 checkpoint-openswan #4: certificate status unknown
 003 checkpoint-openswan #4: no RSA public key known for 'x.x.119.254'
 217 checkpoint-openswan #4: STATE_MAIN_I3: INVALID_KEY_INFORMATION
 002 checkpoint-openswan #4: sending encrypted notification 
 INVALID_KEY_INFORMATION to x.x.119.254:500
 
 My configuration is
 
 conn checkpoint-openswan
  type=tunnel
  # Left side is Check Point
  left=x.x.119.254
  leftcert=checkpoint_ca_cert.pem
  #tried setting this options also
  #leftid=O=c..
  #leftrsasigkey=%cert
  #extracted with fswcert tool
  leftrsasigkey=0x0103...
  leftsubnet=10.45.0.111/32
  leftsendcert=no
  # Right side is OpenSwan
  right=77.50.36.0
  # As an alternative, the file itself can be specified
  rightcert=checkpoint_cl_cert.pem
  rightrsasigkey=%cert
  authby=rsasig
  auto=start
  # Optional specify encryption/hash methods for phase 1  2
  ike=3des-md5-modp1024
  esp=aes-sha1
  # Disable Perfect Forward Secrecy, if not working proper
  pfs=no
  # Optional enable compression (if working)
  #compress=yes



[strongSwan] ANNOUNCE: strongswan-4.3.0 released

2009-04-24 Thread Andreas Steffen
Hi,

we proudly present the first release of the new strongSwan 4.3 branch
which offers the following two major features:

- IKEv2 Multiple Authentication Exchanges (RFC 4739)

  Initiators and responders can use several authentication rounds
  (e.g. RSA followed by EAP) to authenticate. The new ipsec.conf
  leftauth/rightauth and leftauth2/rightauth2 parameters define
  their own authentication rounds and setup constraints for the
  remote peer. See the ipsec.conf man page for more details.

  A typical sample scenario using mutual RSA authentication in
  the first round and EAP-SIM client authentication in the second
  round can be found under the link

http://www.strongswan.org/uml/testresults43/ikev2/mult-auth-rsa-eap-sim-id/

- Use of libstrongswan in the IKEv1 pluto code
  

  We refactored the pluto and scepclient code to share basic functions
  (memory allocation, leak detective, chunk handling, printf_hooks,
  strongswan.conf attributes, ASN.1 parser, etc.) with the libstrongswan
  library.

  As a first benefit, up to two DNS and WINS servers to be sent via
  the IKEv1 ModeConfig protocol can be configured in the pluto section
  of /etc/strongswan.conf:

  pluto {
  dns1 =
  dns2 =
  nbns1 =
  nbns2 =
  }

  A configuration example can be found under the link

  http://www.strongswan.org/uml/testresults43/ikev1/mode-config/

And here some more features:

- If glibc printf hooks (register_printf_function) are not available,
  strongSwan can use the vstr string library to run on non-glibc
  systems.

- The IKEv2 charon daemon now supports the ESP CAMELLIA-CBC cipher
  (esp=camellia128|192|256).

  A sample scenario can be found under the link

  http://www.strongswan.org/uml/testresults43/ikev2/esp-alg-camellia/

Due to the heavy refactoring of large parts of both the IKEv1 and IKEv2
source code we strongly advise *against* using 4.3.0 in mission critical
applications. Please use the stable strongSwan 4.2.14 version on
production systems instead, at least until the release of 4.3.1.

Best regards

Martin Willi, IKEv2 Software Architect
Andreas Steffen, strongSwan Project Leader



Re: [strongSwan] request help

2009-05-01 Thread Andreas Steffen
Hi,

according to the 5th paragraph in section 3.3. Security Association
Payload of the IKEv2 RFC 4306:

   http://tools.ietf.org/html/rfc4306#section-3.3

   Each Proposal/Protocol structure is followed by one or more transform
   structures.  The number of different transforms is generally
   determined by the Protocol.  AH generally has a single transform: an
   integrity check algorithm.  *ESP generally has two: an encryption
   algorithm and an integrity check algorithm.*  IKE generally has four
   transforms: a Diffie-Hellman group, an integrity check algorithm, a
   prf algorithm, and an encryption algorithm.  If an algorithm that
   combines encryption and integrity protection is proposed, it MUST be
   proposed as an encryption algorithm and an integrity protection
   algorithm MUST NOT be proposed.  For each Protocol, the set of
   permissible transforms is assigned transform ID numbers, which appear
   in the header of each transform.

This means that an ESP SA requires only the definition of an encryption
algorithm and an integrity check algorithm. According to section 2.17.
Generating Keying Material for CHILD_SAs the ESP keys are derived as

 KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr )

and section 2.13. Generating Keying Material says

   In the context of the IKE_SA, four cryptographic algorithms are
   negotiated: an encryption algorithm, an integrity protection
   algorithm, a Diffie-Hellman group, and a pseudo-random function
   (prf).  The pseudo-random function is used for the construction of
   keying material for all of the cryptographic algorithms used in both
   the IKE_SA and the CHILD_SAs.

So the pseudo-random function negotiated for the IKE_SA is used to
generate the keying material for the ESP SA. Thus there is no need
to negotiate an additional PRF for ESP in the CREATE_CHILD_SA message.

Best regards

Andreas

Jun Yin wrote:
 I'm testing strongswan ikev2 against our firewall product and found
 the problem below:
 
 
 Apr 30 11:54:01 lin-1-7 charon: 14[NET] received packet: from
 192.168.2.100[500] to 192.168.2.207[500]
 Apr 30 11:54:01 lin-1-7 charon: 14[ENC] parsed CREATE_CHILD_SA request
 0 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
 Apr 30 11:54:01 lin-1-7 charon: 14[CFG] received proposals:
 ESP:3DES/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536_BIT/NO_EXT_SEQ
 Apr 30 11:54:01 lin-1-7 charon: 14[CFG] configured proposals:
 ESP:3DES/HMAC_MD5_96/MODP_1536_BIT/NO_EXT_SEQ
 Apr 30 11:54:01 lin-1-7 charon: 14[IKE] no acceptable proposal found
 Apr 30 11:54:01 lin-1-7 charon: 14[ENC] generating CREATE_CHILD_SA
 response 0 [ N(NO_PROP) ]
 
 Our developer said PRF_HMAC_MD5 is a mandatory field, therefore
 strongswan should have it configured by default. Anyway, is there a
 way I can configure it in strongswan manually?
 
 Thanks.

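Andreas's two points above (an ESP proposal carries no PRF transform, and the IKE_SA's prf already derives the CHILD_SA keys through prf+), as an added example that is neither from the thread nor from charon's code: the two proposals from the quoted log go through a simplified transform-type matcher, and prf+ from RFC 4306 section 2.13 is carried through for the 3DES/HMAC-MD5-96 CHILD_SA. The transform naming heuristic and the sample secrets are constructed for this example.

```python
import hashlib
import hmac

# Transform types an ESP proposal may carry (RFC 4306, section 3.3.2).
# A PRF transform (type 2) only belongs in IKE proposals.
ESP_TRANSFORM_TYPES = {"ENCR", "INTEG", "DH", "ESN"}


def transform_type(name):
    """Classify a transform by the naming charon uses in its proposal log
    lines (a prefix heuristic for this example, not charon's parser)."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("HMAC_", "AUTH_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if name.startswith(("MODP_", "ECP_")):
        return "DH"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    return "ENCR"


def parse_proposal(text):
    """'ESP:3DES/HMAC_MD5_96/...' -> ('ESP', {'ENCR': ['3DES'], ...})."""
    proto, _, body = text.partition(":")
    by_type = {}
    for name in body.split("/"):
        by_type.setdefault(transform_type(name), []).append(name)
    return proto, by_type


def select_proposal(received, configured):
    """Pick one transform per type that both sides offer, or None when the
    sets of transform types differ (simplified model of the selection rule:
    a transform type the other side never configured has no counterpart)."""
    rproto, rx = parse_proposal(received)
    cproto, cx = parse_proposal(configured)
    if rproto != cproto or set(rx) != set(cx):
        return None          # the peer's stray PRF_HMAC_MD5 ends up here
    if rproto == "ESP" and not set(rx) <= ESP_TRANSFORM_TYPES:
        return None          # PRF is not a valid ESP transform type at all
    chosen = {}
    for ttype, names in cx.items():
        common = [n for n in names if n in rx[ttype]]
        if not common:
            return None
        chosen[ttype] = common[0]
    return chosen


def hmac_md5(key, data):
    """PRF_HMAC_MD5, the prf negotiated for the IKE_SA in the quoted log."""
    return hmac.new(key, data, hashlib.md5).digest()


def prf_plus(prf, key, seed, length):
    """prf+ from RFC 4306, section 2.13: T1 = prf(K, S|0x01),
    Tn = prf(K, Tn-1|S|n); output = T1|T2|... truncated to `length`."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def esp_keymat(prf, sk_d, ni, nr, encr_len, integ_len, g_ir=b""):
    """Derive the four ESP keys from the IKE_SA's prf and SK_d (section 2.17):
    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr); initiator->responder keys
    first, and in each direction the encryption key before the integrity
    key.  g_ir is empty when the CREATE_CHILD_SA carried no KE payload."""
    keymat = prf_plus(prf, sk_d, g_ir + ni + nr, 2 * (encr_len + integ_len))
    names = ("SK_ei", "SK_ai", "SK_er", "SK_ar")
    sizes = (encr_len, integ_len, encr_len, integ_len)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


# The two proposals from the charon log quoted in the thread.
RECEIVED = "ESP:3DES/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536_BIT/NO_EXT_SEQ"
CONFIGURED = "ESP:3DES/HMAC_MD5_96/MODP_1536_BIT/NO_EXT_SEQ"

if __name__ == "__main__":
    print("peer's proposal selected:", select_proposal(RECEIVED, CONFIGURED))
    print("same proposal without PRF:", select_proposal(CONFIGURED, CONFIGURED))
    # Constructed sample secrets, not real key material.
    keys = esp_keymat(hmac_md5, sk_d=b"S" * 16, ni=b"N" * 16, nr=b"R" * 16,
                      encr_len=24, integ_len=16)   # 3DES key + HMAC-MD5 key
    for name, key in keys.items():
        print(name, key.hex())
```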


Re: [strongSwan] help? charon too long to start

2009-05-01 Thread Andreas Steffen
Hi,

it is impossible to see from your log why charon takes so long
to start. Could you disable the starting of the IKEv1 pluto daemon
in /etc/ipsec.conf:

  config setup
 plutostart=no

and start the charon daemon without forking:

  ipsec start --nofork

and report what is happening.

Best regards

Andreas

Jun Yin wrote:
 Hi,
 I got the error "charon too long to start". Can somebody help me figure it 
 out?
 I'm using Ubuntu 8.04 and strongSwan 4.2.14.
 Thanks a lot.
 
 The log information:
 Apr 30 10:03:23 lin_1_2 ipsec_starter[23849]: Starting strongSwan
 4.2.14 IPsec [starter]...
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Starting Pluto (strongSwan
 Version 4.2.14 THREADS VENDORID)
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   including NAT-Traversal patch
 (Version 0.6c) [disabled]
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_AES_CBC encryption: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_BLOWFISH_CBC encryption: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_SERPENT_CBC encryption: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_SHA2_256 hash: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_SHA2_384 hash: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_SHA2_512 hash: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_TWOFISH_CBC encryption: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: ike_alg: Activating
 OAKLEY_TWOFISH_CBC_SSH encryption: Ok
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Testing registered IKE
 encryption algorithms:
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_BLOWFISH_CBC self-test
 not available
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_3DES_CBC self-test not 
 available
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_AES_CBC self-test not available
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SERPENT_CBC self-test
 not available
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_TWOFISH_CBC self-test
 not available
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_TWOFISH_CBC_SSH
 self-test not available
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Testing registered IKE hash algorithms:
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_MD5 hash self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_MD5 hmac self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA hash self-test passed
 Apr 30 10:03:23 lin_1_2 ipsec_starter[23874]: pluto (23875) started after 20 
 ms
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA hmac self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA2_256 hash self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA2_256 hmac self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA2_384 hash self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA2_384 hmac self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA2_512 hash self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   OAKLEY_SHA2_512 hmac self-test passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]: All crypto self-tests passed
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Using Linux 2.6 IPsec interface code
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory
 '/etc/ipsec.d/cacerts'
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory
 '/etc/ipsec.d/aacerts'
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory
 '/etc/ipsec.d/ocspcerts'
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory 
 '/etc/ipsec.d/crls'
 Apr 30 10:03:23 lin_1_2 pluto[23875]: Changing to directory
 '/etc/ipsec.d/acerts'
 Apr 30 10:03:23 lin_1_2 pluto[23875]: listening for IKE messages
 Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface eth1/eth1
 192.168.5.221:500
 Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface eth0/eth0
 172.18.7.162:500
 Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface lo/lo 127.0.0.1:500
 Apr 30 10:03:23 lin_1_2 pluto[23875]: adding interface lo/lo ::1:500
 Apr 30 10:03:23 lin_1_2 pluto[23875]: loading secrets from 
 /etc/ipsec.secrets
 Apr 30 10:03:23 lin_1_2 pluto[23875]:   loaded shared key for
 192.168.2.100 192.168.5.221
 Apr 30 10:03:33 lin_1_2 ipsec_starter[23874]: charon too long to
 start... - kill kill
 Apr 30 10:03:34 lin_1_2 ipsec_starter[23874]: connect(charon_ctl)
 failed: No such file or directory
 Apr 30 10:03:34 lin_1_2 ipsec_starter[23874]: connect(charon_ctl)
 failed: No such file or directory
 Apr 30 10:03:34 lin_1_2 pluto[23875]: added connection description to_dut1
 Apr 30 10:03:39 lin_1_2 ipsec_starter[23874]: connect(charon_ctl)
 failed: No such file or directory
 Apr 30 10:03:39 lin_1_2 ipsec_starter[23874]: connect(charon_ctl)
 failed: No such file or directory
 Apr 30 10:03:39 lin_1_2 pluto[23875]: attempt to redefine connection to_dut1

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN
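An added example (not part of the thread and not strongSwan code): a small Python script that reads a starter/pluto syslog excerpt like the one quoted above and separates what the starter observed (pluto up, charon killed at the start timeout, connect(charon_ctl) failing) from what charon itself logged, which here is nothing. The sample lines are constructed after the quoted ones; the year, host name and PIDs are assumptions with no further meaning.

```python
"""Triage a strongSwan 4.x starter log for a charon that never comes up.

Added example; it is not code from the thread or from strongSwan. The sample
lines are constructed after the syslog excerpt quoted above (host name and
PIDs are taken from it and carry no further meaning).
"""
import re
from datetime import datetime

# "Apr 30 10:03:23 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[A-Za-z_]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_syslog(line, year=2009):
    """Split one syslog line into fields; syslog has no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    ev["pid"] = int(ev["pid"])
    return ev


def triage_starter(lines):
    """Summarise the starter's view of the daemons from a syslog excerpt."""
    report = {"started_at": None, "pluto_started": False, "charon_started": False,
              "charon_killed": False, "charon_killed_after": None,
              "charon_ctl_failures": 0, "charon_lines": 0}
    for ev in filter(None, map(parse_syslog, lines)):
        msg = ev["msg"]
        if ev["prog"] == "charon":
            report["charon_lines"] += 1          # anything charon managed to log
        elif ev["prog"] != "ipsec_starter":
            continue                              # pluto and others are not needed here
        elif msg.startswith("Starting strongSwan"):
            report["started_at"] = ev["ts"]
        elif re.match(r"pluto \(\d+\) started", msg):
            report["pluto_started"] = True
        elif re.match(r"charon \(\d+\) started", msg):
            report["charon_started"] = True
        elif msg.startswith("charon too long to start"):
            report["charon_killed"] = True
            if report["started_at"] is not None:
                delta = ev["ts"] - report["started_at"]
                report["charon_killed_after"] = int(delta.total_seconds())
        elif msg.startswith("connect(charon_ctl) failed"):
            report["charon_ctl_failures"] += 1
    return report


def diagnose(report):
    """Turn the summary into the next debugging steps suggested in the thread."""
    hints = []
    if report["charon_killed"] and not report["charon_started"]:
        when = ("" if report["charon_killed_after"] is None
                else " after %d s" % report["charon_killed_after"])
        hints.append("starter killed charon%s because it never signalled readiness" % when)
        if report["charon_lines"] == 0:
            hints.append("charon logged nothing to syslog: set plutostart=no and run "
                         "'ipsec start --nofork' to see its output on the terminal")
    if report["charon_ctl_failures"]:
        hints.append("%d failed connects to the charon control socket: the starter could "
                     "not push connections because charon is not running"
                     % report["charon_ctl_failures"])
    return hints


# constructed after the thread's excerpt
SAMPLE_LOG = """\
Apr 30 10:03:23 lin_1_2 ipsec_starter[23849]: Starting strongSwan 4.2.14 IPsec [starter]...
Apr 30 10:03:23 lin_1_2 pluto[23875]: Starting Pluto (strongSwan Version 4.2.14 THREADS VENDORID)
Apr 30 10:03:23 lin_1_2 ipsec_starter[23874]: pluto (23875) started after 20 ms
Apr 30 10:03:23 lin_1_2 pluto[23875]: listening for IKE messages
Apr 30 10:03:33 lin_1_2 ipsec_starter[23874]: charon too long to start... - kill kill
Apr 30 10:03:34 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
Apr 30 10:03:34 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
Apr 30 10:03:39 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
Apr 30 10:03:39 lin_1_2 ipsec_starter[23874]: connect(charon_ctl) failed: No such file or directory
""".splitlines()

if __name__ == "__main__":
    summary = triage_starter(SAMPLE_LOG)
    print(summary)
    for hint in diagnose(summary):
        print("-", hint)
```

The point of keeping charon's own lines separate is that a starter timeout by itself says only that charon did not come up within the starter's limit; whether charon crashed, blocked or never got as far as opening syslog is only visible from charon's side, which is why the reply above asks for a run with --nofork.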

Re: [strongSwan] need some help : ipsec + xl2tpd

2009-05-01 Thread Andreas Steffen
 
 
 conn rw
     authby=rsasig
     leftrsasigkey=%cert
     leftcert=vpn.olympecti.fr.pem
     #left=217.128.239.224
     left=%defaultroute
     #left=192.168.1.116
     #leftnexthop=192.168.1.1
     #leftnexthop=%defaultroute
     leftsubnet=192.168.1.0/24
     leftprotoport=17/%any
     right=%any
     rightrsasigkey=%cert
     rightprotoport=17/%any
     rightca=%same
     keyingtries=3
     pfs=no
     type=transport
     auto=add

 conn block
     auto=ignore

 conn clear
     auto=ignore

 conn private
     auto=ignore

 conn private-or-clear
     auto=ignore

 conn clear-or-private
     auto=ignore

 conn packetdefault
     auto=ignore
 
 xl2tpd.conf : 
 
 [global] 
 listen-addr = 192.168.1.116 
 debug tunnel = yes 
 
 [lns default] 
 ip range = 192.168.1.99-192.168.1.101 
 local ip = 192.168.1.99 
 require chap = yes 
 refuse pap = yes 
 require authentication = yes 
 name = LinuxVPNserver 
 ppp debug = yes 
 pppoptfile = /etc/ppp/options.xl2tpd 
 length bit = yes 
 
 thanks in advance for your help.
 
 
 --- 
 Reza ISSANY 
 System Engineer
 ZA Les Playes - Jean Monnet Sud 
 Avenue de Lisbonne 
 83500 La Seyne sur Mer 
 E-mail : cont...@olympecti.fr 

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] need some help : ipsec + xl2tpd

2009-05-01 Thread Andreas Steffen
What is the output of ipsec statusall?

The connection definition shown by ipsec statusall must
*exactly* match the peer's connection proposal.

Andreas

Reza ISSANY wrote:
 Thanks for your help.
 
 I've changed the line
 leftsubnet=192.168.1.0/24
 
 by
 
 leftsubnet=217.128.239.224/32
 
 But I have the same error :
 
 May  1 20:18:04 integration pluto[24455]: added connection description rw
 May  1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500:
 ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 0004]
 May  1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500:
 ignoring Vendor ID payload [FRAGMENTATION]
 May  1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500:
 received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
 May  1 20:18:23 integration pluto[24455]: packet from 82.229.55.165:500:
 ignoring Vendor ID payload [Vid-Initial-Contact]
 May  1 20:18:23 integration pluto[24455]: rw[1] 82.229.55.165 #1:
 responding to Main Mode from unknown peer 82.229.55.165
 May  1 20:18:24 integration pluto[24455]: rw[1] 82.229.55.165 #1:
 NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
 May  1 20:18:24 integration pluto[24455]: rw[1] 82.229.55.165 #1: Peer
 ID is ID_DER_ASN1_DN: 'C=FR, ST=France, O=Olympe CTI, OU=Ingenierie
 informatique, CN=Reza ISSANY, e=issa...@olympecti.fr'
 May  1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165 #1:
 deleting connection rw instance with peer 82.229.55.165
 {isakmp=#0/ipsec=#0}
 May  1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165 #1: we
 have a cert and are sending it upon request
 May  1 20:18:24 integration pluto[24455]: | NAT-T: new mapping
 82.229.55.165:500/4500)
 May  1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 sent MR3, ISAKMP SA established
 May  1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 cannot respond to IPsec SA request because no connection is known for
 217.128.239.224/32===192.168.1.116:4500[C=FR, ST=France, O=Olympe CTI,
 OU=Ingenierie informatique, CN=vpn.olympecti.fr,
 e=cont...@olympecti.fr]:17/%any...82.229.55.165:4500[C=FR, ST=France,
 O=Olympe CTI, OU=Ingenierie informatique, CN=Reza ISSANY,
 e=issa...@olympecti.fr]:17/%any
 May  1 20:18:24 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 sending encrypted notification INVALID_ID_INFORMATION to 82.229.55.165:4500
 May  1 20:18:25 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 Quick Mode I1 message is unacceptable because it uses a previously used
 Message ID 0xe1a7bc62 (perhaps this is a duplicated packet)
 May  1 20:18:25 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
 May  1 20:18:27 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 Quick Mode I1 message is unacceptable because it uses a previously used
 Message ID 0xe1a7bc62 (perhaps this is a duplicated packet)
 May  1 20:18:27 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
 May  1 20:18:31 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 Quick Mode I1 message is unacceptable because it uses a previously used
 Message ID 0xe1a7bc62 (perhaps this is a duplicated packet)
 May  1 20:18:31 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 sending encrypted notification INVALID_MESSAGE_ID to 82.229.55.165:4500
 May  1 20:18:37 integration pluto[24455]: rw[2] 82.229.55.165:4500 #1:
 received Delete SA payload: deleting ISAKMP State #1
 May  1 20:18:37 integration pluto[24455]: rw[2] 82.229.55.165:4500:
 deleting connection rw instance with peer 82.229.55.165
 {isakmp=#0/ipsec=#0}
 
 I can't understand why the ISAKMP SA is established if no connection is
 known ?
 
 ---
 Reza ISSANY
 System Engineer
 ZA Les Playes - Jean Monnet Sud
 Avenue de Lisbonne
 83500 La Seyne sur Mer
 E-mail : cont...@olympecti.fr
 
 
 - Original Message -
 From: Andreas Steffen andreas.stef...@strongswan.org
 To: Reza ISSANY issa...@olympecti.fr
 Cc: users users@lists.strongswan.org
 Sent: Friday 1 May 2009 18:36:15 GMT +01:00 Amsterdam / Berlin /
 Bern / Rome / Stockholm / Vienna
 Subject: Re: [strongSwan] need some help : ipsec + xl2tpd
 
 Hi Reza,
 
 the problem is the following:
 
 cannot respond to IPsec SA request because no connection is known for
 217.128.239.224/32===192.168.1.116:4500
   [C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique,
CN=vpn.olympecti.fr, e=cont...@olympecti.fr]
 :17/%any
 ...
 82.229.55.165:4500
   [C=FR, ST=France, O=Olympe CTI, OU=Ingenierie informatique,
CN=Reza ISSANY, e=issa...@olympecti.fr]
 :17/%any
 
 Because you have NAT in between
 
 NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
both are NATed
 
 217.128.239.224 gets translated to 192.168.1.166 due to a Destination
 NAT rule.
 
 Therefore you must define
 
 left=%defaultroute (will take

Re: [strongSwan] Multiple tunnels between same peer

2009-05-04 Thread Andreas Steffen
Hi Arun,

either define multiple connections:

conn %default
    type=tunnel
    authby=secret
    left=10.1.1.2
    leftid=sswan
    rightid=chamundi
    right=10.1.1.5
    esp=3des-md5-9
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
    auto=add

conn tunnel1
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.10.0/24

conn tunnel2
    leftsubnet=192.168.14.0/24
    rightsubnet=172.16.12.0/24

or define multiple traffic selectors:

conn tunnel
    type=tunnel
    authby=secret
    left=10.1.1.2
    leftid=sswan
    rightid=chamundi
    right=10.1.1.5
    leftsubnet=192.168.10.0/24,192.168.14.0/24
    rightsubnet=172.16.10.0/24,172.16.12.0/24
    esp=3des-md5-9
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
    auto=add

In the first example 192.168.10/24 is connected to 172.16.10.0/24
as part of the IKE_AUTH exchange and 192.168.14.0/24 to 172.16.12.0/24
with an additional CREATE_CHILD_SA exchange whereas in the second
example the multiple traffic selectors are set up by the IKE_AUTH
exchange but with the additional side effect that 192.168.10.0/24 will
be coupled with 172.16.12.0/24 and 192.168.14.0/24 with 172.16.10.0/24.

BTW - esp=3des-md5-9 has an invalid syntax. What does -9 mean? A
Diffie-Hellman group???

Best regards

Andreas

Arun Raj wrote:
 Hi Andreas,

 I am trying to bring up multiple tunnels using PSK between the same peers.
 Is this option available in strongswan?

 The config files I used were as below.
 Could you please let me know how we can modify the below file to set up
 multiple tunnels between the same peers.

 I searched the net and I am unable to find this option.

 # basic configuration

 config setup
     strictcrlpolicy=no
     plutostart=no
     charonstart=yes
     charondebug=all
     klipsdebug=all

 conn tunnel
     type=tunnel
     authby=secret
     left=10.1.1.2
     leftid=sswan
     rightid=chamundi
     right=10.1.1.5
     leftsubnet=192.168.10.0/24
     rightsubnet=172.16.10.0/24
     esp=3des-md5-9
     keyexchange=ikev2
     pfs=no
     ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
     auto=add

 Thanks
 Arun


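As an added illustration of the difference between the two alternatives (example code, not from the thread and not strongSwan's own): a Python parser for this subset of ipsec.conf that merges conn %default into each conn, lists the CHILD_SA each alternative produces, and expands comma-separated subnets into the selector pairs a single CHILD_SA allows. It assumes conns to one peer are initiated in file order, and its sample configs use esp=3des-md5 in place of the invalid 3des-md5-9.

```python
"""Enumerate CHILD_SAs and traffic-selector pairs from ipsec.conf definitions.

Added example; it is not code from the thread or from strongSwan, and the
parser covers only the subset of ipsec.conf syntax used there (conn sections,
%default inheritance, comma-separated subnet lists, '#' comments). The esp=
line uses 3des-md5 because the thread notes that 3des-md5-9 is not valid.
"""
import ipaddress
from itertools import product


def parse_ipsec_conf(text):
    """Return {conn_name: {param: value}} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            # unindented line: section header such as 'conn tunnel1' or 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop(("conn", "%default"), {})
    return {name: {**defaults, **params}
            for (kind, name), params in sections.items() if kind == "conn"}


def child_sas(conns):
    """Map each conn with subnets to the (left, right) pairs its single CHILD_SA allows.

    IKEv2 carries TSi and TSr as lists; any selector on one side may talk to any
    selector on the other, so comma-separated leftsubnet/rightsubnet values give
    the cross product, not a one-to-one pairing.
    """
    result = {}
    for name, p in conns.items():
        if "leftsubnet" not in p or "rightsubnet" not in p:
            continue
        lefts = [ipaddress.ip_network(s.strip()) for s in p["leftsubnet"].split(",")]
        rights = [ipaddress.ip_network(s.strip()) for s in p["rightsubnet"].split(",")]
        result[name] = [(str(l), str(r)) for l, r in product(lefts, rights)]
    return result


def exchange_plan(conns):
    """Which IKEv2 exchange sets up each conn's CHILD_SA, assuming conns to the
    same peer are initiated in file order: the first rides on IKE_AUTH, every
    further one needs its own CREATE_CHILD_SA."""
    plan, seen = {}, set()
    for name, p in conns.items():
        peer = (p.get("left"), p.get("right"))
        plan[name] = "CREATE_CHILD_SA" if peer in seen else "IKE_AUTH"
        seen.add(peer)
    return plan


COMMON = """\
conn %default
    type=tunnel
    authby=secret
    left=10.1.1.2
    leftid=sswan
    rightid=chamundi
    right=10.1.1.5
    esp=3des-md5
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
    auto=add
"""

# first alternative: one conn per subnet pair
MULTI_CONN = COMMON + """
conn tunnel1
    leftsubnet=192.168.10.0/24
    rightsubnet=172.16.10.0/24

conn tunnel2
    leftsubnet=192.168.14.0/24
    rightsubnet=172.16.12.0/24
"""

# second alternative: one conn with multiple traffic selectors
MULTI_TS = COMMON + """
conn tunnel
    leftsubnet=192.168.10.0/24,192.168.14.0/24
    rightsubnet=172.16.10.0/24,172.16.12.0/24
"""

if __name__ == "__main__":
    for label, text in (("multiple conns", MULTI_CONN), ("multiple selectors", MULTI_TS)):
        conns = parse_ipsec_conf(text)
        print(label, exchange_plan(conns), child_sas(conns))
```

Running it shows the side effect named above as data: the single-conn variant yields one CHILD_SA with four selector pairs, among them 192.168.10.0/24 to 172.16.12.0/24, whereas tunnel1 and tunnel2 yield one pair each.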


Re: [strongSwan] configure: error: Vstr string library not found

2009-05-04 Thread Andreas Steffen
Hi,

since OpenBSD 4.4 doesn't seem to support printf hooks (%N, %H, etc.)
the vstr string library can be used instead. But apparently this
library hasn't been installed yet on your system.

Anyway, we are still busy porting strongSwan to *BSD. The current svn
version should work with FreeBSD but we still have some problems to
solve with OpenBSD.

Best regards

Andreas

Fortunato wrote:
 Hello again,
 
 I'm seeing a recurring theme here - I'm gonna have to learn more
 about make. :( But in the meantime, I'm getting:
 
 checking for main in -lvstr... no configure: error: Vstr string
 library not found
 
 This one appears to be more cryptic. There's no /usr/include/vstr.h
 file other than the standard string.h and strings.h files.
 
 Any ideas? This is for an OpenBSD 4.4 host.
 
 Thanks,



Re: [strongSwan] no CREATE_CHILD_SA in Strongswan

2009-05-18 Thread Andreas Steffen
Hi Tilak,

without any log and configuration information we cannot possibly
help you.

Regards

Andreas

Tilak Adhya wrote:
 Hi,
 
 I am new to this list and using Strongswan for the last 2 months... I 
 am facing a problem regarding the CREATE_CHILD_SA for IKEV2 with 
 Strongswan. I have connected two Strongswan back to back but not able 
 to send CREATE_CHILD_SAs. Also, I sent CREATE_CHILD_SA but Strongswan 
 is not responding properly. It replies with No Proposal Chosen; but 
 proposals configured in the Strongswan should match. Not getting the 
 reason. If you need the log files I can post it.
 Your help is highly appreciated.
 
 Thanks
 Tilak
 
 *--
 tilak



Re: [strongSwan] no CREATE_CHILD_SA in Strongswan

2009-05-18 Thread Andreas Steffen
  = 65535
IKEV2: IPV4 Start Address   = 10.1.1.20
IKEV2: IPV4 End Address = 10.1.1.20

IKEV2: - IKEV2 Traffic Selector Data 
IKEV2: TS Type   =  7 ( IPV4 Addr Range)
IKEV2: IP Protocol ID=  0
IKEV2: Selector Length   =  16
IKEV2: Start Port= 0
IKEV2: End Port  = 65535
IKEV2: IPV4 Start Address   = 10.1.1.42
IKEV2: IPV4 End Address = 10.1.1.42

This translates to

left=10.1.1.42
right=10.1.1.20

so that traffic selector narrowing takes place.

CREATE_CHILD_SA request:
IP: Source Address = 10.1.1.20
IP: Destination Address= 10.1.1.42

In this CREATE_CHILD_SA message you don't request any
additional traffic selectors. Therefore don't be surprised
to receive a NO_PROPOSAL_CHOSEN as a response!

If you want us to help you, please provide consistent debugging
information and as Daniel Mentz correctly mentioned, add a
log from the strongSwan side!!!

Regards

Andreas

Tilak Adhya wrote:
 Hi Andreas,

 !.5.txt is the log file we are sending to the Strongswan. Strongswan
 has the ip 10.1.1.42.
 And the corresponding configuration file is also attached with this
 mail.
 Waiting for valuable comments.

 Thanks in advance...
 Tilak


 On Mon, 18 May 2009 11:50:29 +0530 wrote
Hi Tilak,

without any log and configuration information we cannot possibly
help you.

Regards

Andreas

Tilak Adhya wrote:
 Hi,

 I am new to this list and using Strongswan for the last 2 months... I
 am facing a problem regarding the CREATE_CHILD_SA for IKEV2 with
 Strongswan. I have connected two Strongswan back to back but not able
 to send CREATE_CHILD_SAs. Also, I sent CREATE_CHILD_SA but Strongswan
 is not responding properly. It replies with No Proposal Chosen; but
 proposals configured in the Strongswan should match. Not getting the
 reason. If you need the log files I can post it.
 Your help is highly appreciated.

 Thanks
 Tilak

 *--
 tilak


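An added example, not from the thread and not strongSwan code: the two checks an IKEv2 responder performs on a CREATE_CHILD_SA request, proposal selection and traffic selector narrowing as specified in RFC 4306, with the selectors from the dump above (10.1.1.20 and 10.1.1.42). The ESP proposal names, the responder's policy and the two failing variants are constructed to show which failure yields NO_PROPOSAL_CHOSEN and which yields TS_UNACCEPTABLE.

```python
"""Responder-side checks for an IKEv2 CREATE_CHILD_SA request.

Added example; it is not code from the thread or from strongSwan. It models
the two decisions a responder makes per RFC 4306 (sections 2.7 and 2.9):
choose one of the initiator's ESP proposals, then narrow the proposed traffic
selectors to its own policy. Which step fails decides whether the reply is
NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE. The addresses and selectors are those
from the dump above (left=10.1.1.42, right=10.1.1.20); the ESP proposal
names and the failing variants are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    proto: int          # 0 = any IP protocol, as in the dump's "IP Protocol ID = 0"
    start_port: int
    end_port: int
    start_addr: ipaddress.IPv4Address
    end_addr: ipaddress.IPv4Address


def ts_from_network(cidr, proto=0, start_port=0, end_port=65535):
    net = ipaddress.ip_network(cidr)
    return TrafficSelector(proto, start_port, end_port, net[0], net[-1])


def ts_from_range(first, last, proto=0, start_port=0, end_port=65535):
    return TrafficSelector(proto, start_port, end_port,
                           ipaddress.ip_address(first), ipaddress.ip_address(last))


def intersect(a, b):
    """Overlap of two selectors, or None if protocol, ports or addresses do not overlap."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    sp, ep = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    sa, ea = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    if sp > ep or sa > ea:
        return None
    return TrafficSelector(a.proto or b.proto, sp, ep, sa, ea)


def narrow(proposed, configured):
    """Narrow the initiator's selector list to the responder's policy (RFC 4306 2.9)."""
    out = []
    for p in proposed:
        for c in configured:
            r = intersect(p, c)
            if r is not None and r not in out:
                out.append(r)
    return out


def select_proposal(offered, accepted):
    """First initiator proposal that the responder's esp= policy also allows."""
    return next((prop for prop in offered if prop in accepted), None)


def respond_create_child_sa(request, policy):
    """Return ('OK', chosen, tsi, tsr) or (notify_name, reason)."""
    chosen = select_proposal(request["proposals"], policy["esp"])
    if chosen is None:
        return ("NO_PROPOSAL_CHOSEN",
                "no offered ESP proposal is in esp=" + ",".join(policy["esp"]))
    # TSi describes the initiator (our 'right'), TSr the responder (our 'left')
    tsi = narrow(request["tsi"], policy["remote_ts"])
    tsr = narrow(request["tsr"], policy["local_ts"])
    if not tsi or not tsr:
        return ("TS_UNACCEPTABLE",
                "proposed selectors do not overlap the configured left/right subnets")
    return ("OK", chosen, tsi, tsr)


# responder policy: no leftsubnet/rightsubnet, so the host addresses themselves
POLICY = {
    "esp": ["aes128-sha1", "3des-sha1"],              # constructed
    "local_ts": [ts_from_network("10.1.1.42/32")],    # left=10.1.1.42
    "remote_ts": [ts_from_network("10.1.1.20/32")],   # right=10.1.1.20
}

# the request from the dump: single-host selectors, any protocol, ports 0-65535
GOOD_REQUEST = {
    "proposals": ["aes128-sha1"],
    "tsi": [ts_from_range("10.1.1.20", "10.1.1.20")],
    "tsr": [ts_from_range("10.1.1.42", "10.1.1.42")],
}
# constructed variants: a proposal the policy does not allow, and a foreign selector
BAD_PROPOSAL = dict(GOOD_REQUEST, proposals=["3des-md5"])
BAD_TS = dict(GOOD_REQUEST, tsi=[ts_from_range("10.1.1.30", "10.1.1.30")])

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_PROPOSAL, BAD_TS):
        print(respond_create_child_sa(req, POLICY))
```

The practical use when reading a NO_PROPOSAL_CHOSEN is the order of the checks: the responder rejects the SA payload before it looks at the traffic selectors at all, so a matching selector set proves nothing about the esp= proposals, and a log from the responder side is what shows which of the two steps failed.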


Re: [strongSwan] Multiple L2TP clients behind NAT using the same IP - status?

2009-06-03 Thread Andreas Steffen
As a workaround I recommend to use IPsec tunnel mode with NAT-T.
Windows XP's L2TP client can be configured to use tunnel mode
instead of the default transport mode.

Regards

Andreas

Jaime Vargas wrote:
 Hello, everybody;
 
 As far as I know, there's a well-known issue with NAT-T that makes it
 impossible to connect simultaneously to a VPN using L2TP over IPSec
 from two Windows clients which reside behind the same NAT box. Problem
 is, I need to offer a solution, or at least a convincing argument, for
 this exact case (other than configuring a site-to-site VPN, which is
 not deemed suitable for only two users).
 
 My questions regarding this issue are:
 
 a) Is the cause of this issue established?
 b) Is there any solution or workaround (involving Windows XP as the
 clients and strongSwan + l2tpns + NETKEY at the server)?
 c) If not, is a solution for this in the works, or being considered?
 
 Thanks in advance,
 Jaime



Re: [strongSwan] strongswan ipsec restart problem

2009-06-04 Thread Andreas Steffen
Hi Arnab,

instead of restarting the charon daemon I propose to terminate the
current connection only:

ipsec down jay2

if the connection has already been established then charon will try
to send a delete notification which will take a long time if the
peer is already disconnected. Therefore to abort the retransmissions
execute again

ipsec down jay2

which will shut down the connection immediately. Now you can change
the configuration in ipsec.conf and execute

ipsec update

which will update charon's configuration. If auto=start is set then
the connection will be automatically initiated.

Best regards

Andreas

Arnab Bakshi wrote:
 Hi Andreas,
 
 PFA the messages attached with cfg 2, chd 2.
 
 We are restarting the charon frequently as part of some automation
 testing requirement which clears sessions in strongswan and our
 implementation...
 
 Is there a better way I can gracefully terminate it (e.g. sending a
 delete or any other ipsec * commands)?
 
 Thanks and Regards
 Arnab
 
 On Wed, Jun 3, 2009 at 6:37 PM, Andreas Steffen
 andreas.stef...@strongswan.org wrote:
 
 I just checked how the misconfiguration is treated by charon:
 
 Jun  3 14:59:38 moon charon:
 03[CFG] skipped invalid proposal string: 3des-md5-96
 03[CFG] skipped invalid proposal string: 3des-md5-96-modp1536
 
 As a consequence the following default proposal is sent to the peer:
 
 Jun  3 14:59:44 sun charon:
 13[CFG] received proposals:
 ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/
 HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
 
 Therefore this cannot be the reason for any malfunction.
 
 Regards
 
 Andreas
 
 Andreas Steffen wrote:
  Hi Arnab,
 
  What is the sense in restarting charon every 20 seconds before
  it has completed the establishment of an IKE_SA or CHILD_SA?
 
  Jun  2 15:37:03 localhost charon:
  08[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
  08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
  08[IKE] 10.4.3.42 is initiating an IKE_SA
  08[ENC] generating IKE_SA_INIT response 0 [ SA KE No ]
  08[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
  01[DMN] signal of type SIGINT received. Shutting down
  01[IKE] destroying IKE_SA in state CONNECTING without notification
  01[DMN] starting charon (strongSwan Version 4.2.12)
 
  Jun  2 15:37:23 localhost charon:
  05[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
  05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
  05[IKE] 10.4.3.42 is initiating an IKE_SA
  05[ENC] generating IKE_SA_INIT response 0 [ SA KE No ]
  05[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
  01[DMN] signal of type SIGINT received. Shutting down
  01[IKE] destroying IKE_SA in state CONNECTING without notification
  01[DMN] starting charon (strongSwan Version 4.2.12)
 
  Jun  2 15:37:44 localhost charon:
  05[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
  05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]
  05[IKE] 10.4.3.42 is initiating an IKE_SA
  05[ENC] generating IKE_SA_INIT response 0 [ SA KE No ]
  05[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
  01[DMN] signal of type SIGINT received. Shutting down
  01[IKE] destroying IKE_SA in state CONNECTING without notification
  01[DMN] starting charon (strongSwan Version 4.2.12)
 
  In the first three calls no communication with the kernel takes
  place.
 
  Jun  2 15:38:07 localhost charon:
  06[IKE] initiating IKE_SA jay2[1] to 10.4.3.42
  06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
  N(NATD_D_IP) ]
  06[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
  07[NET] received packet: from 10.4.3.42[500] to 10.4.3.10[500]
  07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
  07[IKE] authentication of '10.4.3.10' (myself) with pre-shared key
  07[IKE] establishing CHILD_SA jay2
  07[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA
  TSi TSr ]
  07[NET] sending packet: from 10.4.3.10[500] to 10.4.3.42[500]
  01[DMN] signal of type SIGINT received. Shutting down
  01[IKE] destroying IKE_SA in state CONNECTING without notification
  01[KNL] received netlink error: No such process (3)
  01[KNL] unable to delete SAD entry with SPI cc7817cf
  14[KNL] creating delete job for ESP CHILD_SA with SPI cc7817cf and
 reqid {1}
 
  Here charon is stopped before it receives the IKE_AUTH response from
  the peer. What happened after that? Did charon crash or even the
  Linux operating system???
 
  Looking at your ipsec.conf I see the following anomalies:
 
  conn jay2
type=transport
left=10.4.3.42
leftid=10.4.3.42
right=10.4.3.10

[strongSwan] Free eTickets for LinuxTag 2009 in Berlin

2009-06-07 Thread Andreas Steffen
Hi,

as every year the strongSwan team will be present with a project
booth at LinuxTag which takes places from June 24-27 2009 in Berlin.

http://www.linuxtag.org/2009/en/program/freies-vortragsprogramm.html

We received a couple of eTickets for the four day event which we
can give away for free to the strongSwan community. So if you are
interested in visiting LinuxTag, just drop me an email and I'm going
to send you an invitation for an eTicket which you must fetch within
48 hours by clicking on the link and downloading the eTicket.

See you in Berlin!

Andreas Steffen, Tobias Brunner & Martin Willi



Re: [strongSwan] Notification message 40501 connecting to Cisco router

2009-06-09 Thread Andreas Steffen
Hi Rod,

no, strongSwan hasn't been tested with Cisco load balancing and
does not recognize the 40501 notification. Probably Cisco wants
to redirect the IPsec SA to an alternative VPN gateway.

Best regards

Andreas

 rriver...@verizon.net wrote:
 Hi,
  
 This is my first post to this forum.  I would like to thank everyone that has 
 worked on this project.  I have been using strongSwan in a road warrior 
 configuration to connect to Cisco routers.  I have been able to do this with 
 several customers but recently when I tried to connect to a new customer I 
 received a 40501 Notification message.  After doing some research on the 
 Internet I found the following email indicating that this notification 
 relates to Cisco load balancing:
 http://sourceforge.net/mailarchive/forum.php?thread_name=alpine.lfd.2.00.0901271415230.2...@oynqr.eqh.erqung.pbzforum_name=ipsec-tools-devel
  
 Has strongSwan been tested with Cisco load balancing?  Has anyone else run 
 into this problem?
  
 I found a work around to the problem by connecting to the last server in the 
 load balancing cluster, which does not return the 40501 notification, and the 
 connection works fine.   This will do for my initial testing but without 
 support for load balancing I will not be able to use strongSwan.  The output 
 from the failed connection follows:
  
 # ipsec up test
 002 test #1: initiating Main Mode
 104 test #1: STATE_MAIN_I1: initiate
 003 test #1: ignoring Vendor ID payload [FRAGMENTATION c000]
 106 test #1: STATE_MAIN_I2: sent MI2, expecting MR2
 003 test #1: ignoring Vendor ID payload [Cisco-Unity]
 003 test #1: received Vendor ID payload [XAUTH]
 003 test #1: ignoring Vendor ID payload [79d4400d1135dfa224392efd403473aa]
 003 test #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
 108 test #1: STATE_MAIN_I3: sent MI3, expecting MR3
 003 test #1: received Vendor ID payload [Dead Peer Detection]
 002 test #1: Peer ID is ID_FQDN: '@test.localdomain'
 002 test #1: ISAKMP SA established
 004 test #1: STATE_MAIN_I4: ISAKMP SA established
 003 test #1: Notify Message Type of ISAKMP Notification Payload has an 
 unknown value: 40501
 003 test #1: malformed payload in packet
 
  
 Thanks,
  
 Rod



Re: [strongSwan] Strongswan: Disabling repeated authentication for ikev2.

2009-06-10 Thread Andreas Steffen
You can disable re-authentication and replace it by IKE_SA rekeying
by adding the line

  reauth=no

to your connection definition in ipsec.conf

Regards

Andreas

Balaji J wrote:
 Hi ppl,
 
 Is there any way to configure strongswan for disabling the repeated
 authentication notify payload(rfc4478) it sends with IKE_AUTH reply?
 Basically, I want to disable the repeated authentication in strongswan. Is
 it possible?
 
 Thanks in advance.
 
 Regards,
 ...Balaji.J



Re: [strongSwan] Can we connect Pluto with Windows Vista using RSASIG?

2009-06-13 Thread Andreas Steffen
Hi,

I cannot help you without any strongSwan log files and
preferably also a log from MS Vista.

Andreas

gu...@mail.goo.ne.jp wrote:
 Hi List,
 
 I tried many things so that I could connect Pluto with Windows Vista using
 RSASIG, and then ISAKMP packets requesting RSASIG authentication were sent
 from Vista to Pluto, but it failed after some Main Mode messages.
 It was an error in the hash value calculation.
 
 Does someone know how to complete this?
 
 Best regards,
 Shen Wu



Re: [strongSwan] Missing something on the first step

2009-06-18 Thread Andreas Steffen
Here is some follow-up info:

- It seems that libraries in /usr/local/lib/ are not found by
  Ubuntu the first time they get installed there. Executing the
  command ldconfig might fix this.

- The more reliable way is to install the libraries in /usr/lib/.
  With the corrected sysconfdir option, type:

   ./configure --prefix=/usr --sysconfdir=/etc ...other options

Best regards

Andreas Steffen

Andreas Steffen wrote:
 Hello Paul,
 
 it looks as if libstrongswan was either not built or the path to
 the library was not found. By default libstrongswan gets installed
 in the /usr/local/lib/ directory. Could you check that?
 
 I'm also running strongSwan on Ubuntu systems but I usually install
 everything under /usr [instead of /usr/local] and the configuration
 files under /etc [instead of /usr/local/etc] by specifying
 
   ./configure --prefix=/usr --sysconfig=/etc ...
 
 Best regards
 
 Andreas Steffen
 
 Paul Hoffman wrote:
 Greetings. I installed 4.3.1 on an Ubuntu 8.04 system without a hitch.
 However:

 # ipsec start
 /usr/local/libexec/ipsec/starter: error while loading shared libraries:
 libstrongswan.so.0: cannot open shared object file: No such file or directory

 Any clues would be appreciated.

 --Paul Hoffman, Director --VPN Consortium 



Re: [strongSwan] Configuring with --enable-http seems broken

2009-06-19 Thread Andreas Steffen
Yes, the current option is --enable-curl. For a list of all available
options, see

http://wiki.strongswan.org/wiki/strongswan/Autoconf

Best regards

Andreas Steffen

Paul Hoffman wrote:
 # ./configure --enable-http
 configure: WARNING: unrecognized options: --enable-http
 checking for a BSD-compatible install... /usr/bin/install -c
 . . .
 
 Yet --enable-http is what the INSTALL file says is needed for fetching CRLs 
 over HTTP.
 
 Has this been replaced by --enable-curl?
 
 --Paul Hoffman, Director
 --VPN Consortium



Re: [strongSwan] Finding those libs

2009-06-19 Thread Andreas Steffen
Hello Paul,

with the --enable-curl option the following ubuntu packages are
required:

  libcurl3, libcurl3-gnutls, and libcurl3-gnutls-dev

With --enable-openssl (required only if you want to use ECP DH groups
or ECDSA signatures), the following packages are required:

  libssl0.9.8, libssl-dev

Probably in both cases the *-dev packages are missing, since usually
the curl and openssl applications are activated by default in Ubuntu.

Best regards

Andreas

Paul Hoffman wrote:
 On a related note, 'configure' can't find the curl or openssl libs on Ubuntu 
 9.04:
 . . .
 checking for main in -lcrypto... no
 configure: error: OpenSSL crypto library not found
 
 Any help would be appreciated.
 
 --Paul Hoffman, Director
 --VPN Consortium



Re: [strongSwan] Support of Encryption/Integrity algorithms in Version

2009-06-30 Thread Andreas Steffen
Hello Sajal,

yes, the IKEv2 charon supports these crypto algorithms. By default
the options --enable-des, --enable-aes, --enable-sha1, and
--enable-hmac are set so that the corresponding plugins are compiled
and automatically loaded during runtime. After starting strongSwan
the command

  ipsec listalgs

shows all supported crypto algorithms.

Best regards

Andreas

Sajal Malhotra wrote:
 Hi,
 
 I am evaluating version 4.2.8 of strongswan package for IKEv2/charon. I have 
 a small query:
 
 Does this version of package also contain following encryption and integrity 
 algorithms:
 -  3DES-192 CBC
 -  AES-128-CBC
 -  HMAC-SHA1-96
 
 Would appreciate your help in this regard.
 
 Thanks.
 
 Best Regards
 Sajal
 



Re: [strongSwan] Converting x509 Certificates to SQL entries

2009-07-02 Thread Andreas Steffen
Hi,

first convert the base64 encoded PEM certificate file into binary DER
format:

openssl x509 -in strongswanCert.pem -outform der -out strongswanCert.der

and then use the script bin2sql:

http://wiki.strongswan.org/repositories/entry/strongswan/scripts/bin2sql.c

to convert the contents of the binary file into a HEX string:

cat strongswanCert.der | scripts/bin2sql

Best regards

Andreas

J. Tang wrote:
 I am trying to decipher strongSwan's SQL interface.  In test
 sql/net2net-cert, moon's ipsec.sql has the statement
 
   INSERT INTO certificates (
  type, keytype, data
   ) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
 1, 1, X'308203b53082029da0'
   );
 
 I realize that the data blob originates from
 moon/etc/ipsec.d/cacerts/strongswanCert.pem.  My question is how does
 one convert a certificate (CA or host) to a SQL data blob?

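The two-step conversion in the reply above (PEM to DER, then DER to the X'...' hex blob used in ipsec.sql), carried out in pure Python as an added example; it is not strongSwan's bin2sql and not code from this thread. The PEM body it embeds is a constructed five-byte DER SEQUENCE standing in for a real certificate, so the result is short enough to check by hand:

```python
"""PEM certificate -> DER -> X'...' SQL blob, as the strongSwan SQL backend expects.

Added example (not strongSwan's bin2sql).  The PEM block below is a constructed
minimal DER SEQUENCE (30 03 02 01 05), not a real certificate; a real one is
handled the same way, it is just longer (its blob starts with 30 82 ...).
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)

# Constructed sample: SEQUENCE { INTEGER 5 } base64-encoded, wrapped like a PEM file.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str, expected_label: str = "CERTIFICATE") -> bytes:
    """Decode the first PEM block; the equivalent of `openssl x509 -outform der`."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    if m.group("label") != expected_label:
        raise ValueError(f"unexpected PEM label {m.group('label')!r}")
    # Join the base64 lines first; validate=True then rejects any character
    # outside the base64 alphabet instead of silently dropping it.
    return base64.b64decode("".join(m.group("body").split()), validate=True)


def der_to_sql_hex(der: bytes) -> str:
    """Render DER bytes as the SQL blob literal X'...' (what bin2sql prints)."""
    return "X'" + der.hex() + "'"


def certificate_insert(der: bytes, cert_type: int = 1, key_type: int = 1) -> str:
    """Build the INSERT in the shape used by the sql/net2net-cert scenario."""
    return (
        "INSERT INTO certificates (type, keytype, data) VALUES ("
        f"{cert_type}, {key_type}, {der_to_sql_hex(der)});"
    )


def check_der_is_sequence(der: bytes) -> bool:
    """Sanity check before inserting: an X.509 certificate is a DER SEQUENCE
    (tag 0x30) whose encoded length covers exactly the rest of the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    assert check_der_is_sequence(der), "blob is not a well-formed DER SEQUENCE"
    print(certificate_insert(der))
```

For a real certificate, pass the contents of the .pem file to pem_to_der(); check_der_is_sequence() confirms that the outer length field agrees with the decoded size, which catches a truncated or mis-pasted base64 body before the blob reaches the database.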


Re: [strongSwan] strongSwan + iPhone

2009-07-13 Thread Andreas Steffen
The iPhone client does not like the XAUTH request:

 12:11:05 pluto[23959]: | starting XAUTH server
 12:11:05 pluto[23959]: iphone[3] CLIENT-IP:11044 #3:
  sending XAUTH request

because instead of the XAUTH reply it sends an INFORMATIONAL message:

12:11:06 pluto[23959]: | *received 76 bytes from CLIENT-IP:11044 on eth5
12:11:06 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
12:11:06 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
12:11:06 pluto[23959]: | peer:  50 bb 65 81
12:11:06 pluto[23959]: | state hash entry 0
12:11:06 pluto[23959]: | state object not found
12:11:06 pluto[23959]: packet from CLIENT-IP:11044:
 Informational Exchange is for an unknown (expired?) SA

There are two things that you can do:

1) Have you compiled strongSwan with the --enable-cisco-quirks option?
   It might be that, similarly to the Cisco VPN client, the iPhone
   client expects the VPN gateway to send a Cisco-Unity ID
   and will otherwise abort the IKE negotiation.

2) Increasing the debug level by setting

   plutodebug=control controlmore parsing

  in ipsec.conf might show the content of the INFORMATIONAL message
  shedding some light on the error cause.

Best regards

Andreas

Wolfram Schlich wrote:
 * Andreas Steffen andreas.stef...@strongswan.org [2009-07-10 18:44]:
 Hi Wolfram,
 
 Hey Andreas!
 
 have you enabled NAT-Traversal in ipsec.conf with the statement

 config setup
nat_traversal=yes

 since the source port of the IKE message is 29643 and not 500?
 
 Ah! I overlooked that :)
 
 Ok, added nat_traversal=yes and now this happens:
 
 --8--
 12:11:00 pluto[23959]: | 
 12:11:00 pluto[23959]: | *received 644 bytes from CLIENT-IP:27514 on eth5
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: received Vendor ID 
 payload [RFC 3947]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [4df37928e9fc4fd1b3262170d515c662]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [8f8d83826d246b6fc7a8a6a428c11de8]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [439b59f8ba676c4c7737ae22eab8f582]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [4d1e0e136deafa34c4f3ea9f02ec7285]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [80d0bb3def54565ee84645d4c85ce3ee]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [9909b64eed937c6573de52ace952fa6b]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [draft-ietf-ipsec-nat-t-ike-03]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [draft-ietf-ipsec-nat-t-ike-02]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [draft-ietf-ipsec-nat-t-ike-02_n]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: received Vendor ID 
 payload [XAUTH]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: ignoring Vendor ID 
 payload [Cisco-Unity]
 12:11:00 pluto[23959]: packet from CLIENT-IP:27514: received Vendor ID 
 payload [Dead Peer Detection]
 12:11:00 pluto[23959]: | preparse_isakmp_policy: peer requests 
 XAUTHRSASIG+XAUTHSERVER authentication
 12:11:00 pluto[23959]: | instantiated iphone for CLIENT-IP
 12:11:00 pluto[23959]: | creating state object #3 at 0x17b82030
 12:11:00 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
 12:11:00 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
 12:11:00 pluto[23959]: | peer:  50 bb 65 81
 12:11:00 pluto[23959]: | state hash entry 0
 12:11:00 pluto[23959]: | inserting event EVENT_SO_DISCARD, timeout in 0 
 seconds for #3
 12:11:00 pluto[23959]: iphone[3] CLIENT-IP:27514 #3: responding to Main 
 Mode from unknown peer CLIENT-IP:27514
 12:11:00 pluto[23959]: | inserting event EVENT_RETRANSMIT, timeout in 10 
 seconds for #3
 12:11:00 pluto[23959]: | next event EVENT_RETRANSMIT in 10 seconds for #3
 
 12:11:02 pluto[23959]: | 
 12:11:02 pluto[23959]: | *received 292 bytes from CLIENT-IP:27514 on eth5
 12:11:02 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
 12:11:02 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
 12:11:02 pluto[23959]: | peer:  50 bb 65 81
 12:11:02 pluto[23959]: | state hash entry 0
 12:11:02 pluto[23959]: | state object #3 found, in STATE_MAIN_R1
 12:11:02 pluto[23959]: iphone[3] CLIENT-IP:27514 #3: NAT-Traversal: Result 
 using RFC 3947: peer is NATed
 12:11:02 pluto[23959]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 
 seconds
 12:11:02 pluto[23959]: | inserting event EVENT_RETRANSMIT, timeout in 10 
 seconds for #3
 12:11:02 pluto[23959]: | next event EVENT_RETRANSMIT in 10 seconds for #3
 
 12:11:05 pluto[23959]: | 
 12:11:05 pluto[23959]: | *received 1836 bytes from CLIENT-IP:11044 on eth5
 12:11:05 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
 12:11:05 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
 12:11:05 pluto[23959]: | peer:  50 bb 65 81
 12:11:05 pluto[23959

Re: [strongSwan] strongSwan + iPhone

2009-07-13 Thread Andreas Steffen
Wolfram Schlich wrote:
 Hi Andreas!
 
 * Andreas Steffen andreas.stef...@strongswan.org [2009-07-13 13:08]:
 The iPhone client does not like the XAUTH request:

 12:11:05 pluto[23959]: | starting XAUTH server
 12:11:05 pluto[23959]: iphone[3] CLIENT-IP:11044 #3:
sending XAUTH request

 because instead of the XAUTH reply it sends an INFORMATIONAL message:

 12:11:06 pluto[23959]: | *received 76 bytes from CLIENT-IP:11044 on eth5
 12:11:06 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
 12:11:06 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
 12:11:06 pluto[23959]: | peer:  50 bb 65 81
 12:11:06 pluto[23959]: | state hash entry 0
 12:11:06 pluto[23959]: | state object not found
 12:11:06 pluto[23959]: packet from CLIENT-IP:11044:
   Informational Exchange is for an unknown (expired?) SA

 There are two things that you can do:

 1) Have you compiled strongSwan with the --enable-cisco-quirks option?
 
 Yes.
 
It might be that similarly to the Cisco VPN client, the iPhone
clients expects the VPN gateway to send a Cisco-Unity ID
and will otherwise abort the IKE negotiation.
 
 So shouldn't --enable-cisco-quirks have done that already?!

Yes, --enable-cisco-quirks does that.
 
 2) Increasing the debug level by setting

plutodebug=control controlmore parsing

   in ipsec.conf might show the content of the INFORMATIONAL message
   shedding some light on the error cause.
 
 Done. Here you go:
 
 --8--
 pluto[32003]: | NAT-T: new mapping CLIENT-IP:30983/42181)
 pluto[32003]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for 
 #1
 pluto[32003]: iphone[2] CLIENT-IP:42181 #1: sent MR3, ISAKMP SA established
 pluto[32003]: | starting XAUTH server
 pluto[32003]: iphone[2] CLIENT-IP:42181 #1: sending XAUTH request
 pluto[32003]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
 pluto[32003]: | next event EVENT_RETRANSMIT in 10 seconds for #1
 
 pluto[32003]: |
 pluto[32003]: | *received 76 bytes from CLIENT-IP:42181 on eth5
 pluto[32003]: | **parse ISAKMP Message:
 pluto[32003]: |initiator cookie:
 pluto[32003]: |   0d 59 13 eb  af df ce b2
 pluto[32003]: |responder cookie:
 pluto[32003]: |   5c 40 db 2a  75 f5 d1 91
 pluto[32003]: |next payload type: ISAKMP_NEXT_HASH
 pluto[32003]: |ISAKMP version: ISAKMP Version 1.0
 pluto[32003]: |exchange type: ISAKMP_XCHG_INFO
 pluto[32003]: |flags: ISAKMP_FLAG_ENCRYPTION
 pluto[32003]: |message ID:  e6 94 48 f6
 pluto[32003]: |length: 76
 pluto[32003]: | ICOOKIE:  0d 59 13 eb  af df ce b2
 pluto[32003]: | RCOOKIE:  5c 40 db 2a  75 f5 d1 91
 pluto[32003]: | peer:  50 bb 64 81
 pluto[32003]: | state hash entry 19
 pluto[32003]: | state object not found
 pluto[32003]: packet from CLIENT-IP:42181: Informational Exchange is for an 
 unknown (expired?) SA
 pluto[32003]: | next event EVENT_RETRANSMIT in 10 seconds for #1

The INFORMATIONAL message is encrypted and seems to belong to an
earlier IKE exchange so that the keys are not available anymore.
Can you check in your log in which exchange the cookies

 pluto[32003]: | ICOOKIE:  0d 59 13 eb  af df ce b2
 pluto[32003]: | RCOOKIE:  5c 40 db 2a  75 f5 d1 91

were used.

I think any further analysis of the strongSwan log does not give
additional information. Upon the reception of the XAUTH request,
the iPhone client should return its username/password. Is there any
prompt on the client or are there any error messages available?

Andreas

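A way to answer the question in the reply above (in which exchange the cookies of the rejected INFORMATIONAL message were used) from a plutodebug log, as an added example that is not strongSwan code and not part of the thread. The log lines it embeds are constructed after the excerpts in both messages of this thread (same cookies, ports and state #3) and are not a verbatim capture; the lookup result for the 1836-byte packet is an assumption, since the first message's log is cut off there:

```python
"""Correlate pluto's "Informational Exchange is for an unknown (expired?) SA"
with the exchange that used the same ICOOKIE/RCOOKIE pair.

Added example, not strongSwan code.  The log below is constructed after the
excerpts in this thread; it is not a verbatim capture.
"""
import re

CONSTRUCTED_LOG = """\
12:11:00 pluto[23959]: | *received 644 bytes from CLIENT-IP:27514 on eth5
12:11:00 pluto[23959]: | creating state object #3 at 0x17b82030
12:11:00 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
12:11:00 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
12:11:00 pluto[23959]: | peer:  50 bb 65 81
12:11:00 pluto[23959]: | state hash entry 0
12:11:00 pluto[23959]: iphone[3] CLIENT-IP:27514 #3: responding to Main Mode from unknown peer CLIENT-IP:27514
12:11:02 pluto[23959]: | *received 292 bytes from CLIENT-IP:27514 on eth5
12:11:02 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
12:11:02 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
12:11:02 pluto[23959]: | state object #3 found, in STATE_MAIN_R1
12:11:05 pluto[23959]: | *received 1836 bytes from CLIENT-IP:11044 on eth5
12:11:05 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
12:11:05 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
12:11:05 pluto[23959]: | state object #3 found, in STATE_MAIN_R2
12:11:05 pluto[23959]: | starting XAUTH server
12:11:05 pluto[23959]: iphone[3] CLIENT-IP:11044 #3: sending XAUTH request
12:11:06 pluto[23959]: | *received 76 bytes from CLIENT-IP:11044 on eth5
12:11:06 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
12:11:06 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
12:11:06 pluto[23959]: | state object not found
12:11:06 pluto[23959]: packet from CLIENT-IP:11044: Informational Exchange is for an unknown (expired?) SA
"""

RE_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) pluto\[\d+\]: (?P<msg>.*)$")
RE_CREATE = re.compile(r"creating state object #(\d+)")
RE_RECV = re.compile(r"\*received (\d+) bytes from (\S+) on \S+")
RE_COOKIE = re.compile(r"\| (ICOOKIE|RCOOKIE):\s+([0-9a-f ]+)")
RE_FOUND = re.compile(r"state object #(\d+) found(?:, in (\S+))?")


def parse_pluto_log(text):
    """Return (states, events).  states maps a cookie pair to the state object
    created with it; events lists each received packet with its cookie pair and
    the outcome of pluto's state lookup ('found', 'not found' or None)."""
    states, events = {}, []
    ctx, cookies = None, {}      # ctx: what the next ICOOKIE/RCOOKIE lines belong to
    for line in text.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if c := RE_CREATE.search(msg):
            ctx, cookies = {"kind": "create", "ts": ts, "state": int(c.group(1))}, {}
        elif r := RE_RECV.search(msg):
            ctx = {"kind": "recv", "ts": ts, "bytes": int(r.group(1)),
                   "peer": r.group(2), "pair": None, "outcome": None,
                   "state": None, "phase": None}
            events.append(ctx)
            cookies = {}
        elif (k := RE_COOKIE.search(msg)) and ctx is not None:
            cookies[k.group(1)] = "".join(k.group(2).split())
            if len(cookies) == 2:
                pair = (cookies["ICOOKIE"], cookies["RCOOKIE"])
                if ctx["kind"] == "create":
                    states[pair] = {"state": ctx["state"], "created": ctx["ts"]}
                else:
                    ctx["pair"] = pair
        elif (f := RE_FOUND.search(msg)) and ctx and ctx["kind"] == "recv":
            ctx["outcome"], ctx["state"], ctx["phase"] = "found", int(f.group(1)), f.group(2)
        elif "state object not found" in msg and ctx and ctx["kind"] == "recv":
            ctx["outcome"] = "not found"
    return states, events


def explain_unknown_sa(states, events):
    """For each packet whose cookies matched no state object, report the state
    created with that pair and the last packet for which the lookup succeeded."""
    report = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "not found":
            continue
        pair = ev["pair"] or ("?", "?")
        earlier = [e for e in events[:i] if e["pair"] == pair and e["outcome"] == "found"]
        report.append({"ts": ev["ts"], "peer": ev["peer"], "bytes": ev["bytes"],
                       "icookie": pair[0], "rcookie": pair[1],
                       "created": states.get(pair),          # None: never created in this log
                       "last_found": earlier[-1] if earlier else None})
    return report


def format_report(report):
    lines = []
    for r in report:
        c, last = r["created"], r["last_found"]
        lines.append(
            f'{r["ts"]} {r["bytes"]}-byte packet from {r["peer"]}: cookies '
            f'{r["icookie"]}/{r["rcookie"]} matched no state; '
            + (f'they belong to state #{c["state"]} created {c["created"]}, ' if c
               else "never seen at state creation in this log, ")
            + (f'last matched at {last["ts"]} from {last["peer"]} in {last["phase"]}' if last
               else "never matched before"))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(explain_unknown_sa(*parse_pluto_log(CONSTRUCTED_LOG)))))
```

Run against a full plutodebug log, the report shows for each rejected INFORMATIONAL message which state object owned its cookies, when that state was created, and the last packet (peer address and port included) that still resolved to it, which is the information the reply asks for.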


Re: [strongSwan] Authentication Failed problem

2009-07-21 Thread Andreas Steffen
Sushil Chaudhari wrote:
 Hi,
 
 I am new to strongSwan. Whenever I am trying to make the data transfer 
 between the two hosts, the log file says that:
 
 unable to locate my private key for RSA Signature and sending encrypted 
 notification authentication Failed
 can anybody tell me what might be the problem??
 
this means that either your private key defined in ipsec.secrets could
not be loaded, could not be decrypted if protected by a passphrase,
or the loaded private key does not match the public key contained in
your certificate.

 Do self-signed certificates not work in strongSwan?? If not,
 is there any way to get the certificate from a CA??
 
Self-signed certificates work with strongSwan if you import the
self-signed certificate of the peer locally. A sample scenario is
available under the link

http://www.strongswan.org/uml/testresults43/ikev2/default-keys/

 Also, does strongSwan provide header encryption as well? 
 
I don't understand this question. With IPsec transport mode you
cannot encrypt the IP header because it won't be possible to route the
IP packet. With IPsec tunnel mode the encapsulated IP packet is
encrypted including its IP header; the outer IP header contains
the IP addresses of the VPN gateways.

 Thank you

Best regards

Andreas



Re: [strongSwan] FW: strongSwan installs SPs?

2009-07-22 Thread Andreas Steffen
Hello Stephen,

installpolicy=no just means that the IKEv2 charon daemon does not
use the add_policy() and del_policy() methods of the kernel interface
to actively manage the IPsec policies but delegates these tasks to
another process on the same host. charon still uses the query_policy()
method to get the use_time status information for liveliness checks.

Concerning your question why we don't query the SA's use_time instead,
you are not the only one wondering about this. The problem with the Linux
kernel's NETLINK IPsec implementation is that the SA's use_time stores
the time of *first* use but unfortunately not the *latest* use, whereas
only the associated IPsec policy keeps track of the desired information.

The attached status output of ip xfrm state and ip xfrm policy shows
that both the SA and policy were added at 2009-07-22 06:45:45 and
the SA was first used five minutes later at 2009-07-22 06:50:06.
Shortly before generating this output I sent data over the IPsec
tunnel, so the policies show 07:31:30 and 07:33:09 for the outbound and
inbound direction, respectively. Strangely enough, if you want to gather
information about the number of bytes / packets sent over a tunnel you
can retrieve this data from the SAs only.

Best regards

Andreas

Stephen Pisano wrote:
 A follow-up to Mugur's question...
 
 It appears that the SA activity portion of the peer liveness algorithm
 uses a GETPOLICY operation to retrieve the policy use_time.  So, I figure
 with installpolicy=no, this would essentially disable the SA activity
 portion of the liveness check.  Is that correct?  If so, this makes me
 wonder why policy use_time is used rather than SA use_time?
 
 Thanks,
 Stephen
 
 -Original Message-
 From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] 
 Sent: lundi 20 juillet 2009 19:57
 To: ABULIUS MUGUR
 Cc: users@lists.strongswan.org
 Subject: Re: [strongSwan] strongSwan installs SPs?
 
 Hi Mugur,
 
 by default strongSwan installs IPsec security policies in the kernel.
 With auto=route the policies are installed at the very beginning, so
 that matching plaintext packets trigger an XFRM_ACQUIRE message.
 With auto=add or auto=start, the policies are installed only after both
 inbound and outbound IPsec SAs have been created.
 
 For the IKEv2 daemon there is an *installpolicy=no* option, though,
 which I originally created for Mobile IPv6 connections where the mip6d
 daemon installs the IPsec policies and then alerts the IKEv2 daemon via
 an XFRM_MSG_MIGRATE message. See my Mobile IPv6 HOWTO:
 
   http://wiki.strongswan.org/wiki/strongswan/MobileIPv6
 
 So if you have another process which manages the policies you can just
 set installpolicy=no for that connection in ipsec.conf.
 
 Best regards
 
 Andreas
 
 ABULIUS MUGUR wrote:
 StrongSwan doc says that 'auto=route' installs kernel traps. Can 
 somebody confirm that strongSwan installs a SP (Security Policy) for 
 this connection? There are any other circumstances for which 
 strongSwan handles (get/set) SP in kernel's SPD? We want to avoid any 
 kernel's SPD set/get for our specific IPsec implementation.

 Thanks
 Mugur

[r...@strongswan stats]# ip -s xfrm state

src 84.74.95.23 dst 152.96.52.150
    proto esp spi 0xc7f7a5ed(3354895853) reqid 7(0x0007) mode tunnel
    lifetime current:
      36575(bytes), 418(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06

src 152.96.52.150 dst 84.74.95.23
    proto esp spi 0xc31c720e(3273421326) reqid 7(0x0007) mode tunnel
    lifetime current:
      229360(bytes), 368(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06

[r...@strongswan stats]# ip -s xfrm policy

src 10.10.0.0/23 dst 152.96.52.150/32 uid 0
    dir in action allow index 1256 priority 1770 share any flag 0x
    lifetime current:
      0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:33:09
    tmpl src 84.74.95.23 dst 152.96.52.150
        proto esp spi 0x(0) reqid 7(0x0007) mode tunnel

src 152.96.52.150/32 dst 10.10.0.0/23 uid 0
    dir out action allow index 1249 priority 1680 share any flag 0x
    lifetime current:
      0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:31:30
    tmpl src 152.96.52.150 dst 84.74.95.23
        proto esp spi 0x(0) reqid 7(0x0007) mode tunnel
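The attachment above read by a script, as an added example that is not strongSwan code: it parses the ip -s xfrm state and ip -s xfrm policy output (the sample text reproduces the attachment, blank spi/flag fields included) and applies the same idle test once to the SA's use_time and once to the policy's use_time, which makes the point of the reply visible. The reference time 07:35:00 and the ten-minute window are assumptions chosen to sit just after the output was taken:

```python
"""Why charon reads use_time from the IPsec policy and not from the SA.

Added example, not strongSwan code.  The SA's use_time is the time of *first*
use, the policy's use_time is the *latest* use, so only the policy-based idle
check notices that traffic went through the tunnel shortly before the snapshot.
Sample text: the attachment from the thread, indentation restored.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

XFRM_STATE = """\
src 84.74.95.23 dst 152.96.52.150
    proto esp spi 0xc7f7a5ed(3354895853) reqid 7(0x0007) mode tunnel
    lifetime current:
      36575(bytes), 418(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06

src 152.96.52.150 dst 84.74.95.23
    proto esp spi 0xc31c720e(3273421326) reqid 7(0x0007) mode tunnel
    lifetime current:
      229360(bytes), 368(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06
"""

XFRM_POLICY = """\
src 10.10.0.0/23 dst 152.96.52.150/32 uid 0
    dir in action allow index 1256 priority 1770 share any flag 0x
    lifetime current:
      0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:33:09
    tmpl src 84.74.95.23 dst 152.96.52.150
        proto esp spi 0x(0) reqid 7(0x0007) mode tunnel

src 152.96.52.150/32 dst 10.10.0.0/23 uid 0
    dir out action allow index 1249 priority 1680 share any flag 0x
    lifetime current:
      0(bytes), 0(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 07:31:30
    tmpl src 152.96.52.150 dst 84.74.95.23
        proto esp spi 0x(0) reqid 7(0x0007) mode tunnel
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class XfrmEntry:
    kind: str                     # "sa" (from xfrm state) or "policy"
    src: str
    dst: str
    reqid: int
    direction: Optional[str]      # "in"/"out" for policies, None for SAs
    packets: int
    use_time: Optional[datetime]  # None when the entry was never used


def parse_xfrm(text: str, kind: str) -> list:
    """Split `ip -s xfrm ...` output into entries (they are blank-line separated)."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", chunk)
        reqid = re.search(r"reqid (\d+)", chunk)
        pkts = re.search(r"(\d+)\(packets\)", chunk)
        use = re.search(r"\buse (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", chunk)
        direction = re.search(r"\bdir (in|out)\b", chunk)
        if not (head and reqid and pkts):
            raise ValueError("unrecognised xfrm entry:\n" + chunk)
        entries.append(XfrmEntry(
            kind, head.group(1), head.group(2), int(reqid.group(1)),
            direction.group(1) if direction else None, int(pkts.group(1)),
            datetime.strptime(use.group(1), TS_FORMAT) if use else None))
    return entries


def latest_use(entries, reqid, source):
    """Most recent use_time that `source` ("sa" or "policy") records for a reqid."""
    times = [e.use_time for e in entries
             if e.kind == source and e.reqid == reqid and e.use_time]
    return max(times) if times else None


def packet_count(entries, reqid, source):
    """Packets counted by `source`; as the reply notes, only the SAs carry counters."""
    return sum(e.packets for e in entries if e.kind == source and e.reqid == reqid)


def looks_idle(entries, reqid, now, window, source):
    """True if `source` shows no use within `window` before `now`.  With "sa" this
    is the flawed variant discussed in the thread; "policy" is what the liveness
    check has to rely on."""
    last = latest_use(entries, reqid, source)
    return last is None or now - last > window


ENTRIES = parse_xfrm(XFRM_STATE, "sa") + parse_xfrm(XFRM_POLICY, "policy")
NOW = datetime(2009, 7, 22, 7, 35, 0)   # assumed: shortly after the snapshot
WINDOW = timedelta(minutes=10)          # assumed idle threshold

if __name__ == "__main__":
    for source in ("sa", "policy"):
        print(f"{source:6s} last use {latest_use(ENTRIES, 7, source)}  "
              f"packets {packet_count(ENTRIES, 7, source):4d}  "
              f"idle? {looks_idle(ENTRIES, 7, NOW, WINDOW, source)}")
```

With the reference time set to 07:35:00, the SA-based test declares reqid 7 idle (last use 06:50:06, 45 minutes earlier) although 786 packets went through it, while the policy-based test sees the 07:33:09 use and reports the tunnel alive; the policies' zero packet counters show why byte and packet statistics must still come from the SAs.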



Re: [strongSwan] How to trigger IKE automatically?

2009-07-22 Thread Andreas Steffen
Hello Jianqing,

yes, this is possible using the auto=route configuration option.
Have a look at the corresponding IKEv1 and IKEv2 scenarios:

http://www.strongswan.org/uml/testresults43/ikev1/net2net-route/

http://www.strongswan.org/uml/testresults43/ikev2/net2net-route/

where a ping [or any IP packet] triggers the setup of the IPsec
connection.

Best regards

Andreas

Jianqing Zhang wrote:
 I want to configure strongSwan in such a way that, once a
 communication session, say ping, is initialized by host A to host B,
 IKE would be triggered automatically and an IPsec tunnel would be set
 up between A and B on demand, given that everything else, such as
 certificates, keys, etc, are already there and ipsec has been started.
 Somebody tells me I can create corresponding SP on each side first,
 then IKE or SA negotiation will be triggered if the traffic matches
 the SP selector. Can I make it by configuring ipsec.conf?
 
 Thanks
 Jianqing



Re: [strongSwan] [PATCH] Improve DPD error message

2009-07-22 Thread Andreas Steffen
Hello Thomas,

checked into HEAD:

http://wiki.strongswan.org/repositories/revision/1/acb34739e4423f243ae4d5c7d3a3f807f99bac61

Thanks

Andreas

Thomas Jarosch wrote:
 Hello,
 
 attached is a small patch to improve one DPD error message
 which occurred when we debugged an obscure setup:
 
 Multiple tunnels to the same fixed IP address endpoint using
 a different x.509 key for phase 1, DPD went crazy sometimes.
 Now all tunnels to the same fixed IP address share one x.509 key.
 
 Hope this helps someone in the future when/if we see this message again.
 
 Cheers,
 Thomas



[strongSwan] ANNOUNCE: strongswan-4.3.3 released

2009-07-23 Thread Andreas Steffen
Hi,

strongswan-4.3.3 is out and offers two new features:

Optional Integrity Checksum Tests
---------------------------------

The configuration option --enable-integrity-test plus the
strongswan.conf option libstrongswan.integrity_test=yes activate
integrity tests of the IKE daemons charon and pluto, libstrongswan
and all loaded plugins. Thus dynamic library misconfigurations and
non-malicious file manipulations can be reliably detected.  More
details can be found under the following wiki link:

 http://wiki.strongswan.org/wiki/strongswan/IntegrityTest

All our rw-cert UML test scenarios are run with enabled integrity
and crypto tests, e.g.

http://www.strongswan.org/uml/testresults43/ikev1/rw-cert/moon.auth.log

http://www.strongswan.org/uml/testresults43/ikev2/rw-cert/moon.daemon.log


IKEv1 Suite B Interoperability with MS Windows
----------------------------------------------

The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
IKEv1 interoperability with MS Windows using the ECP DH groups 19 and
20. Additionally the IKEv1 pluto daemon now supports the AES-CCM and
AES-GCM ESP authenticated encryption algorithms. Together with ECDSA
signatures the strongSwan IKEv1 functionality is now compliant with
Suite B defined by RFC 4869.

  http://tools.ietf.org/html/rfc4869

Still missing is AES-GMAC support by the Linux kernel (the crypto code
is there somewhere but the XFRM interface isn't [yet]). Anyway, using
ECP DH groups, ECDSA certificates and AES-GCM ESP authenticated
encryption we did a couple of successful interoperability tests with
the IPsec functionality of the Windows 7/Vista/Server 2008 Advanced
Firewall:

 http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB


Security Update
---------------

The RDN parser vulnerability discovered by Orange Labs research team
two months ago was not completely fixed by version 4.3.2. Some more
modifications had to be applied to the asn1_length() function to make
it robust. Patches for older versions are available under the link

  http://download.strongswan.org/patches/07_asn1_length_patch/

Best regards

Andreas Steffen                Martin Willi
strongSwan Project Leader      IKEv2 Software Architect



Re: [strongSwan] support for tunnel configuration

2009-07-27 Thread Andreas Steffen
Hi Vivek,

vivek bairathi wrote:
 Hi all,

 I have a requirement for creating tunnel SAs.  After reading
 strongswan documentation and code I arrived at the following
 conclusion:-

 1. left|rightsourceip in the conn section of ipsec.conf is used to
 specify the internal IP in the tunnel (virtual IP). The external
 tunnel IP will be filled in the left|right parameters. Is this assumption
 correct?

This is not correct. Let us assume that left is local and right is
remote. Then

  leftsourceip=virtual IP address

or

  leftsourceip=%config

define a virtual IP address to be used as source address within
the IPsec tunnel. This is equivalent to setting the source
traffic selector to

  leftsubnet=virtual IP address/32

but does not change in any way left= which is used as the source
address of the ESP packet.

 2. How does the stack distinguish whether the IP address that is being
 added is the external IP or the internal IP in the tunnel?

See point 1 above.

 3. How is the addition/deletion of the external tunnel IP address and
 the internal IP handled differently by charon?

Available external IP addresses are automatically detected by
strongSwan using RT_NETLINK. E.g. defining

  left=%any

will select the outer source address based on the actual route to
right. This can be very helpful in multi-homing environments.

Virtual IP addresses are installed by strongSwan via RT_NETLINK
by adding the new virtual IP address as an alias of the physical
interface used.

  ip addr list dev eth0

will show the virtual IPs associated with eth0. A source route in
table 220, which is shown by the command

  ip route list table 220

makes all plaintext packets with destination rightsubnet assume the
virtual IP as their source address before being encapsulated by ESP.


 Thanks & Regards,
 Vivek

Regards

Andreas



Re: [strongSwan] support for tunnel configuration

2009-07-27 Thread Andreas Steffen
Hi Vivek,

you can change any connection parameter by

1) redefining it in ipsec.conf

2) taking down the active connection executing

   ipsec down connection name

3) execute

   ipsec update

   which transfers the new connection definition to the charon daemon.

4) execute

   ipsec up connection name

   if auto=add. With auto=start the connection will be restarted by
   ipsec update.

Best regards

Andreas

 Hi,
 
 Thanks for your detailed response.
 
 1. We had a requirement to change the internal/virtual IP at runtime
 after charon is spawned. Is it possible to change the internal/virtual
 IP in a tunnel once the stack is spawned? We went through the code and
 found that deletion of the outer/tunnel IP and inner/virtual IP is
 detected and handled by charon. However, addition of an IP address is
 detected only for the outer/tunnel IP? How can I change the internal IP
 associated with the tunnel IP after charon is spawned?
 
 Can the following parameters be changed at runtime after charon is spawned :-
    1. Can the authentication parameter be changed from PSK to CERT / CERT to PSK?
    2. Re-keying time of IKE/IPsec SA: can the new re-keying value be
 assigned to new SAs created henceforth?
    3. Can the encryption algorithm be changed for an IKE SA?
 
 It would be great help if you could answer the above queries.
 
 Thanks & Regards,
 Vivek
 
 
 



Re: [strongSwan] FW: strongSwan installs SPs?

2009-07-27 Thread Andreas Steffen
Hi Stephen,

strongSwan can assign a preliminary IPsec SA and a corresponding
reqid using auto=route without installing an SPD in the kernel
(installpolicy=no). This is used in our Mobile IPv6 scenario:

http://wiki.strongswan.org/wiki/strongswan/MobileNodeSetup

The current disadvantage is that the XFRM_ACQUIRE message which
will trigger the actual IKE negotiation must use the correct reqid.
This is not a problem if only one tunnel is managed but might be tricky
with multiple tunnel definitions pre-started with auto=route. As an
alternative we could create the SA definition on demand applying a
closest match on the traffic selectors that are received via the
XFRM_ACQUIRE message.

Best regards

Andreas

Stephen Pisano wrote:
 Hi Andreas, 
 
 That is just the kind of solution I had in mind.
 
 Are you aware of any other SPD dependencies?
 
 I think I found one, which I wanted to get your view on.
 
 The area of functionality is SA establishment via a kernel ACQUIRE.
 
 In ike_sa.c:acquire(), there is the following snippet:
 
 /* find CHILD_SA */
 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
 while (iterator->iterate(iterator, (void**)&current))
 {
     if (current->get_reqid(current) == reqid)
     {
         child_sa = current;
         break;
     }
 }
 iterator->destroy(iterator);
 if (!child_sa)
 {
     DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
                   "CHILD_SA not found", reqid);
     return FAILED;
 }
 
 I interpret this to mean that you can only initiate an SA establishment via
 a kernel ACQUIRE if there is an existing SA (which was generated with a
 policy in the SPD, having a certain reqid).
 
 Is this a correct interpretation?  
 
 Thanks,
 Stephen
 
 
 
 -Original Message-
 From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
 Sent: Wednesday, July 22, 2009 7:20 AM
 To: Stephen Pisano
 Cc: users@lists.strongswan.org
 Subject: Re: [strongSwan] FW: strongSwan installs SPs?

 Hi Stephen,

 we could introduce e.g. a new charon.no_spd_available configuration
 option in /etc/strongswan.conf that would redefine the
 child_sa_t.get_usetime() method:

 http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/sa/child_sa.c#L357

 Instead of using the kernel_interface->query_policy() method
 a new kernel_interface->query_sa() method that we wanted to
 implement anyway in one of the next releases, would retrieve
 the current number of packets/bytes and compare it with the
 previously retrieved value cached in the child_sa_t object.
 I think I even implemented such an approach in pluto's KLIPS
 kernel interface many years ago.

 Best regards

 Andreas

 Stephen Pisano wrote:
 Thanks Andreas, please see my comment below.


 -Original Message-
 From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
 Sent: Wednesday, July 22, 2009 2:12 AM
 To: Stephen Pisano
 Cc: users@lists.strongswan.org
 Subject: Re: [strongSwan] FW: strongSwan installs SPs?

 Hello Stephen,

 installpolicy=no just means that the IKEv2 charon daemon does not
 use the add_policy() and del_policy() methods of the kernel interface
 to actively manage the IPsec policies but delegates these tasks to
 another process on the same host. charon still uses the query_policy()
 method to get the use_time status information for liveliness checks.
 [pisano] Ah, yes, I understand what you're saying, but consider an
 application where the SPD is not used and the IKE daemon is to be used
 for
 SA management alone.  With the current behavior, this places a dependency
 between the IKE daemon and the presence of a policy in the SPD.

 Concerning your question why we don't query the SA's use_time instead,
 you are not the only one wondering about this. The problem with the Linux
 kernel's NETLINK IPsec implementation is that the SA's use_time stores
 the time of *first* use but unfortunately not the *latest* use whereas
 only the associated IPsec policy keeps track of the desired information.
 [pisano] Yes, I see the issue with using SA use_time.

 The attached status output of ip xfrm state and ip xfrm policy shows
 that both the SA and policy were added at 2009-07-22 06:45:45 and
 the SA was first used five minutes later at 2009-07-22 06:50:06.
 Shortly before generating this output I sent data over the IPsec
 tunnel, so the policies show 07:31:30 and 07:33:09 for the outbound and
 inbound direction, respectively. Strangely enough, if you want to gather
 information about the number of bytes / packets sent over a tunnel you
 can retrieve this data from the SA's only.
 [pisano] Perhaps the use of the SA's byte or packets counts would be a
 better choice to indicate activity liveness?

 Best regards

 Andreas

 Stephen Pisano wrote:
 A follow-up to Mugur's question...

 It appears that the SA activity portion
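The counter-based liveness check that Andreas sketches above (compare the SA's current byte/packet counters with the value cached from the previous poll, instead of looking at the SA's use_time, which only records the first use), as an added example written for this page and not strongSwan's own query_sa() implementation. The `ip xfrm state` snapshots are constructed and abbreviated sample data, not captured from a host; the field layout they follow is an assumption of this example.

```python
"""Counter-based liveness check for IPsec SAs parsed from 'ip xfrm state'.

Added example, not strongSwan code.  The 'use' timestamp on a Linux SA
records the FIRST use only, so polling it cannot tell an idle tunnel from
a busy one; the SA's byte/packet counters do keep moving.  This mirrors
the query_sa() idea from the thread: cache the counters per SA and treat
any growth between two polls as activity.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed (abbreviated) 'ip xfrm state' output for one CHILD_SA with
# reqid 1, i.e. one outbound and one inbound ESP SA.  Not captured from a host.
SAMPLE_T0 = """\
src 192.168.0.1 dst 192.168.0.2
    proto esp spi 0xc0000001 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    lifetime current:
      1200(bytes), 10(packets)
      add 2009-07-22 06:45:45 use 2009-07-22 06:50:06
src 192.168.0.2 dst 192.168.0.1
    proto esp spi 0xc0000002 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    lifetime current:
      800(bytes), 8(packets)
      add 2009-07-22 06:45:45 use -
"""
# A later poll (also constructed): the outbound SA carried more traffic, but
# its 'use' field is unchanged because it only ever records the first use.
SAMPLE_T1 = SAMPLE_T0.replace("1200(bytes), 10(packets)", "4800(bytes), 40(packets)")

SaKey = Tuple[int, str]  # (reqid, spi)


@dataclass
class XfrmSa:
    src: str
    dst: str
    spi: str = ""
    reqid: int = 0
    bytes: int = 0
    packets: int = 0
    first_use: Optional[str] = None  # None while the SA has never been used


_SRC_RE = re.compile(r"^src (\S+) dst (\S+)$")
_HDR_RE = re.compile(r"^proto \w+ spi (0x[0-9a-fA-F]+) reqid (\d+) mode \w+")
_CUR_RE = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)$")
_USE_RE = re.compile(r"^add \S+ \S+ use (.+)$")


def parse_xfrm_state(text: str) -> List[XfrmSa]:
    """Extract the fields a liveness check needs from 'ip xfrm state' output."""
    sas: List[XfrmSa] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SRC_RE.match(line)
        if m:
            sas.append(XfrmSa(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue  # skip anything before the first SA block
        sa = sas[-1]
        if m := _HDR_RE.match(line):
            sa.spi, sa.reqid = m.group(1), int(m.group(2))
        elif m := _CUR_RE.match(line):
            sa.bytes, sa.packets = int(m.group(1)), int(m.group(2))
        elif m := _USE_RE.match(line):
            sa.first_use = None if m.group(1) == "-" else m.group(1)
    return sas


def use_time_advanced(before: List[XfrmSa], after: List[XfrmSa]) -> bool:
    """The naive check: did any SA's 'use' timestamp change between polls?
    Once an SA has been used once this stays False forever, which is why
    the thread rejects it for liveness detection."""
    prev = {(sa.reqid, sa.spi): sa.first_use for sa in before}
    return any(prev.get((sa.reqid, sa.spi)) != sa.first_use for sa in after)


class CounterLiveness:
    """Remember the last seen byte/packet counters per SA; growth means activity."""

    def __init__(self) -> None:
        self._last: Dict[SaKey, Tuple[int, int]] = {}

    def update(self, sas: List[XfrmSa]) -> Set[SaKey]:
        """Record a poll and return the keys of SAs whose counters grew."""
        active: Set[SaKey] = set()
        for sa in sas:
            key = (sa.reqid, sa.spi)
            prev = self._last.get(key)
            if prev is not None and (sa.bytes, sa.packets) > prev:
                active.add(key)
            self._last[key] = (sa.bytes, sa.packets)
        return active

    def reqid_active(self, sas: List[XfrmSa], reqid: int) -> bool:
        """True if either SA of the CHILD_SA with this reqid moved traffic."""
        return any(r == reqid for r, _ in self.update(sas))


if __name__ == "__main__":
    t0, t1 = parse_xfrm_state(SAMPLE_T0), parse_xfrm_state(SAMPLE_T1)
    lv = CounterLiveness()
    lv.update(t0)  # the first poll only seeds the cache
    print("use-time check sees activity:", use_time_advanced(t0, t1))
    print("counter check sees activity on:", sorted(lv.update(t1)))
```

The first poll only seeds the cache, so a daemon using this approach must tolerate one interval of "unknown" before it can declare a CHILD_SA idle; the comparison is done on the (bytes, packets) pair so that a burst of empty-payload packets still counts as activity.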

Re: [strongSwan] ipsec update kills current connection without config change

2009-07-28 Thread Andreas Steffen
Hi Michael,

due to the additional keywords introduced for the Multiple
Authentication Exchanges with the strongSwan 4.3 branch,
the KW_END_FIRST..KW_END_LAST range did not map to the KW_LEFT
and KW_RIGHT ranges any more. This bug has been fixed with the
following patch:

http://wiki.strongswan.org/repositories/diff/strongswan?rev=ecff28c5c5721008954be93adf2ce51a35edcb4c

Could you test the 4.3.4rc1 release candidate?

http://download.strongswan.org/strongswan-4.3.4rc1.tar.bz2

Regards

Andreas

Michael Niehren wrote:
 Hi again,
 
 I've debugged the problem a lot more (it's still in V4.3.3). The cause seems
 to come from the definition of the starter_end struct (confread.h).
 
 The function starter_cmp_end always returns FALSE because the function
   cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
 always returns FALSE.
 
 The only difference between V4.2.16 (where the problem does not occur) and V4.3.3
 is the definition of the starter_end struct that is compared in the line
   cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
 
 Could someone of the developers take an eye on that ?
 
 kind regards,
   Michael
 
 
 Am Donnerstag, 4. Juni 2009 15:00 schrieb Michael Niehren:
 Hi together,

 Subject says it all. I have configured 1 connection in the ipsec.conf and
 the connection comes up after start. But if I call
   ipsec update
 the connection will be deleted and is started again. And I could not find a
 reason for that, the config is the same. Is it not possible to add a connection
 without deleting other running connections?

 hope someone could help me
   Michael


 I am using StrongSWan V4.3.1 and here is my ipsec.conf

 ---
 config setup
   nat_traversal=yes

 conn %default
   authby=rsasig
   keyingtries=1
   keylife=20m
   ikelifetime=240m
   left=%defaultroute
   leftcert=public_tuxvpnrobo.tuxgreen.de.pem
   leftupdown=/etc/ipsec.d/scripts/updown.tux
   esp=aes256,aes192,aes128,3des
   ike=aes256,aes192,aes128,3des
   auto=start
   dpdaction=clear

 conn robovpntest
   leftsubnet=192.168.23.0/24
   right=217.11.60.3
   rightsubnet=10.89.0.0/24
   rightcert=public_okawango.tuxgreen.de.pem

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Does strongswan support DSCP mark feature

2009-07-29 Thread Andreas Steffen
Hi Iris,

strongSwan is able to set up multiple concurrent IPsec SAs between
two hosts, the Linux netfilter kernel module is able to filter traffic
according to DSCP marking but the Linux kernel currently unfortunately
is not able to assign plaintext traffic according to their DSCP marking
to individual IPsec SAs. This would require some non-trivial changes in
the Linux IPsec stack. Although this is not primarily a strongSwan issue
we would be interested in implementing this QoS feature in the kernel if
someone would be willing to sponsor this endeavour.

Best regards

Andreas

Iris Su wrote:
 Hi,
 
 Does anyone know if strongswan supports DSCP Marking?
 If the answer is Yes, can we configure it? (enable or disable DSCP)
 
 BR,
 Iris



Re: [strongSwan] Help - received AUTHENTICATION_FAILED notify error

2009-07-30 Thread Andreas Steffen
 -genkey -text  \
 -out dave-key-unprotected.pem
 # to password protect the pvt key, run this next line
 openssl ec -in dave-key-unprotected.pem -out dave-key.pem  \
-aes128 -passout pass:pswd
 
 #---
 # generate a user CSR (unsigned)
 openssl req  -new -x509 -days 730 -sha256 -key dave-key.pem\
  -out tmp.pem -passin pass:pswd < ../promptsClient.txt
 # sign it
 openssl x509 -x509toreq -sha256 -in tmp.pem -signkey dave-key.pem  \
  -passin pass:pswd -out dave-req.pem
 
 #---
 #---
 # CA accepts CSR and signs a cert
 #   ***
 #   *** cert signed with ecdsa-with-SHA1 in ***
 #   *** spite of request to use SHA-256 or  ***
 #   *** value of default_md in openssl.cnf  ***
 #   ***
 openssl ca -policy policy_anything -days 720 -md sha256  \
-out dave-cert.pem -infiles dave-req.pem < ../promptsYY.txt
 # let's see it
 openssl x509 -text -in dave-cert.pem
 
 #---
 # put user's private key, cert, and CA cert in a keystore
 openssl pkcs12 -export -out dave.p12 -password pass:pswd  \
-in dave-cert.pem -inkey dave-key.pem  \
-passin pass:pswd -name thunderbug-key \
-certfile demoCA/cacert.pem -caname myCA
 
 
 Now the result of ipsec listall is:
 
 MOON:
 ***
 moon:/etc/ipsec.d/CA# ipsec listall
 
 List of X.509 End Entity Certificates:
 
   subject:  C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=moon
   issuer:   C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
   serial:01
   validity:  not before Jul 29 23:15:52 2009, ok
  not after  Jul 19 23:15:52 2011, ok
   pubkey:ECDSA 256 bits
   keyid: 15:29:7f:82:a3:4a:b6:6e:0b:73:bb:3c:40:67:d4:63:18:30:c3:f2
   subjkey:   5d:74:0b:30:eb:62:aa:22:15:ec:14:34:6f:fc:da:6f:43:5d:ce:a9
   authkey:   a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2
 
 List of X.509 CA Certificates:
 
   subject:  C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
   issuer:   C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
   serial:00:92:d3:29:9d:9f:0b:be:5c
   validity:  not before Jul 28 22:27:34 2009, ok
  not after  Jul 28 22:27:34 2019, ok
   pubkey:ECDSA 256 bits
   keyid: 1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc
   subjkey:   5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
   authkey:   5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
 moon:/etc/ipsec.d/CA#
 
 DAVE
 **
 dave:/etc/ipsec.d# ipsec listall
 
 List of X.509 End Entity Certificates:
 
   subject:  C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave
   issuer:   C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon
   serial:02
   validity:  not before Jul 29 23:15:53 2009, ok
  not after  Jul 19 23:15:53 2011, ok
   pubkey:ECDSA 256 bits, has private key
   keyid: 66:19:f8:1d:bb:ad:df:7b:94:88:8d:78:fc:89:d8:68:37:a9:bd:96
   subjkey:   a1:72:33:c8:d6:dc:e9:a2:50:c8:bb:25:93:33:0d:d4:4e:e0:5e:8a
   authkey:   a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2
 dave:/etc/ipsec.d#
 
 
 the content of /var/log/auth.log:
 
 MOON
 
 Jul 29 23:54:31 moon ipsec_starter[3035]: Starting strongSwan 4.2.4 IPsec
 [starter]...
 Jul 29 23:54:45 moon charon: 09[AUD] 192.168.0.238 is initiating an IKE_SA
 Jul 29 23:54:46 moon charon: 10[AUD] authentication of 'C=CH, ST=TI,
 L=Stabio, O=Gerosa Server Services, CN=dave' with ECDSA-256 signature failed
 
 DAVE
 
 Jul 29 23:54:46 dave charon: 09[AUD] initiating IKE_SA 'home' to
 192.168.0.216
 Jul 29 23:54:48 dave charon: 10[AUD] establishing CHILD_SA
 Jul 29 23:54:48 dave charon: 11[AUD] received AUTHENTICATION_FAILED notify
 error
 Jul 29 23:54:48 dave charon: 11[AUD] establishing CHILD_SA failed
 
 the content of /etc/ipsec.secret is:
 
 MOON
 **
 : ECDSA /etc/ipsec.d/private/moon-key.pem pswd
 
 DAVE
 **
 : ECDSA /etc/ipsec.d/private/dave-key.pem pswd
 
 I did:
 1) copy the cacert created on moon to dave /etc/ipsec.d/cacerts
 2) copy the private key davekey.pem (created on moon) to dave
 /etc/ipsec.d/private
 3) copy the certificate dave-cert.pem (created on moon) to dave
 /etc/ipsec.d/certs
 
 what is wrong?
 
 Thanks for yours support.
 
 Adam


Re: [strongSwan] cross-compilation

2009-08-01 Thread Andreas Steffen
Hi,

does

CFLAGS=-I./build/INSTALL_STAGE/gmp-4.2.1/usr/include   ./configure ...

help?

Regards

Andreas

Yong Choo wrote:
 I've updated gmp to 4.2.1 on the cross-compilation build (under 
 WindRiver Linux Distribution for the mpc arch). The gmp.h file is put
 into ./build/INSTALL_STAGE/gmp-4.2.1/usr/include/gmp.h (by looking at
 the build log)
 
 When I tried to do package installation/compilation (under WindRiver)
  for strongswan 4.3.2, I get the following error:
 
 checking gmp.h version >= 4.1.4... no configure: error: No usable
 gmp.h found!
 
 
 Any suggestion on what I can give as an option to recognize the
 proper location/version of 'gmp.h'? (or not possible)
 
 The .configure options that are used are:
 
 + ./configure --host=powerpc-wrs-linux-gnu
 --build=i686-crosscompile-linux-gnu --program-prefix= --prefix=/usr
 --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
 --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
 --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var
 --sharedstatedir=/usr/com --mandir=/usr/share/man
 --infodir=/usr/share/info --cache-file=wrs_config_cache
 
 
 Thanks Much! -Yong Choo



Re: [strongSwan] ipsec update kills current connection without config change

2009-08-02 Thread Andreas Steffen
Hi Michael,

I found and fixed another bug introduced by the redefinition of the bool
standard type some time ago. bool now maps to a char not an int under
Linux, so boolean arguments must be handled separately by cmp_args():

http://wiki.strongswan.org/repositories/diff/strongswan?rev=10c13ed26474d11427fb82b7941be88bc9a04961

Apply this patch or use the new release candidate

http://download.strongswan.org/strongswan-4.3.4rc2.tar.bz2

I successfully tested the fix with your ipsec.conf:
ipsec update does not cause a reload of the config any more :-)

Kind regards

Andreas

Michael Niehren wrote:
 Hi Andreas,
 
 thanks for your help, but the problem still exists in V4.3.4rc1. I am
 currently using kernel V2.6.27.28.
 
 i will try out the V4.3.3 with the patch ...
 
 kind regards,
   Michael
 
 Am Dienstag, 28. Juli 2009 16:00 schrieb Andreas Steffen:
 Hi Michael,

 due to the additional keywords introduced for the Multiple
 Authentication Exchanges with the strongSwan 4.3 branch,
 the KW_END_FIRST..KW_END_LAST range did not map to the KW_LEFT
 and KW_RIGHT ranges any more. This bug has been fixed with the
 following patch:

 http://wiki.strongswan.org/repositories/diff/strongswan?rev=ecff28c5c5721008954be93adf2ce51a35edcb4c

 Could you test the 4.3.4rc1 release candidate?

 http://download.strongswan.org/strongswan-4.3.4rc1.tar.bz2

 Regards

 Andreas

 Michael Niehren wrote:
 Hi again,

 I've debugged the problem a lot more (it's still in V4.3.3). The cause
 seems to come from the definition of the starter_end struct (confread.h).

 The function starter_cmp_end always returns FALSE because the function
   cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);
 always returns FALSE.

 The only difference between V4.2.16 (where the problem does not occur) and
 V4.3.3 is the definition of the starter_end struct that is compared in the line
   cmp_args(KW_END_FIRST, KW_END_LAST, (char *)c1, (char *)c2);

 Could someone of the developers take an eye on that ?

 kind regards,
   Michael


 Am Donnerstag, 4. Juni 2009 15:00 schrieb Michael Niehren:
 Hi together,

 Subject says it all. I have configured 1 connection in the ipsec.conf and
 the connection comes up after start. But if I call
   ipsec update
 the connection will be deleted and is started again. And I could not find
 a reason for that, the config is the same. Is it not possible to add a
 connection without deleting other running connections?

 hope someone could help me
   Michael


 I am using StrongSWan V4.3.1 and here is my ipsec.conf

 ---
 config setup
   nat_traversal=yes

 conn %default
   authby=rsasig
   keyingtries=1
   keylife=20m
   ikelifetime=240m
   left=%defaultroute
   leftcert=public_tuxvpnrobo.tuxgreen.de.pem
   leftupdown=/etc/ipsec.d/scripts/updown.tux
   esp=aes256,aes192,aes128,3des
   ike=aes256,aes192,aes128,3des
   auto=start
   dpdaction=clear

 conn robovpntest
   leftsubnet=192.168.23.0/24
   right=217.11.60.3
   rightsubnet=10.89.0.0/24
   rightcert=public_okawango.tuxgreen.de.pem



Re: [strongSwan] strongSwan installation error !!!

2009-08-10 Thread Andreas Steffen
Hi Gowsalai,

does this mean that the header file gmp.h is located in
the directory /usr/local/strongSwan/gmp/include/ ?

Regards

Andreas

 Hi,
 
 Getting the following error "configure: error: GNU Multi Precision
 library gmp not found" when I tried to do the following step.
 
 ./configure --prefix=/usr/local/strongSwan
 --sysconfdir=/usr/local/strongSwan/etc --enable-sqlite --enable-sql
 
 Please note sqlite and gmp are installed already.
 
 # ls -l /usr/local/strongSwan/sqlite/
 total 12
 drwxr-xr-x 2 root root 4096 Aug 10 15:27 bin
 drwxr-xr-x 2 root root 4096 Aug 10 15:27 include
 drwxr-xr-x 3 root root 4096 Aug 10 15:27 lib
 
 # ls -l /usr/local/strongSwan/gmp/
 total 12
 drwxr-xr-x 2 root root 4096 Aug 10 15:43 include
 drwxr-xr-x 2 root root 4096 Aug 10 15:43 info
 drwxr-xr-x 2 root root 4096 Aug 10 15:43 lib
 
 The environment to compile the strongSwan is set
 
 # echo $LDFLAGS
 -L/usr/local/strongSwan/gmp/lib/ -L/usr/local/strongSwan/sqlite/lib/
 
 # echo $CFLAGS
 -I/usr/local/strongSwan/sqlite/include/
 -I/usr/local/strongSwan/gmp/include/
 
 Please help me to get the installation through.
 
 Regards,
 Gowsalai



Re: [strongSwan] Fetching attribute certificates from LDAP?

2009-08-11 Thread Andreas Steffen
Hi Juha,

you are the first person ever to ask about attribute certificates :-)
If you are interested in using them in an application then we
might implement attribute certificate fetching from LDAP and also
complete the support in IKEv2.

Best regards

Andreas

Mustonen, Juha wrote:
 Any guesses when we might see this feature in Strongswan?
 
 Regards,
 
 Juha 



Re: [strongSwan] pluto: crl not found

2009-08-11 Thread Andreas Steffen
Aha, since the pluto daemon is not fully multi-threaded, the second
thread used for asynchronous crl fetching must be activated by setting
crlcheckinterval > 0 seconds as in

config setup
crlcheckinterval=600

which would check for a fresh crl every ten minutes. This parameter
is ignored by the IKEv2 daemon since charon fetches CRLs synchronously
within the current thread.

Best regards

Andreas

Mustonen, Juha wrote:
 I have tested a setup where the CRL is fetched from an LDAP server. With IKEv2
 the setup works, with IKEv1 it does not. Only difference between these
 is the value of keyexchange parameter in ipsec.conf. Strongswan version
 is 4.3.3. Any idea what could be the reason for this?
 
 Regards,
 
 Juha



Re: [strongSwan] Multicast IPSec

2009-08-11 Thread Andreas Steffen
Hi Juha,

two of my Bachelor students have just completed a Multicast Security
Concept for IPsec which requires only minor extensions of the IKEv2
protocol in order for a Multicast Group Controller and Key Server
(GCKS) to distribute group keys via GROUP_SAs to its authenticated
and authorized subscribers. Unfortunately the thesis is available
in German only:

http://security.hsr.ch/theses/BA_2009_MulticastSecurity-using-IPsec.pdf

but we are thinking about writing an Internet Draft based on it.

Best regards

Andreas

Mustonen, Juha wrote:
 Hello,
 
 I would have liked to use multicast communication in the application for
 which I have been studying IPSec (and Strongswan). However, as I was not
 able to find any real-life implementations (well, Cisco apparently has
 DGOI support, whatever that means), I was forced to replace multicast
 with a bunch of unicast connections and let the server application send the
 data N times. As in this particular application N is likely to be 1 most
 of the time and never a very large number, this is not too bad, but
 bothers me in principle. Do you, Andreas/Martin/other members, know what
 is the status of RFCs for multicast + IPSec? The IETF MSEC working group
 does not seem to have done anything in years. Why? Is the
 specification/design work done somewhere else now?
 
 Regards,
 
 Juha



Re: [strongSwan] list of kernel configuration required available?

2009-08-14 Thread Andreas Steffen
Here is a list of required menuconfig options:

http://wiki.strongswan.org/wiki/strongswan/KernelModules

Regards

Andreas

Yong Choo wrote:
 Does anyone know the full list of kernel configuration to be turned on 
 in order to have strongswan working?
 This is a cross-compilation env for Windriver Linux 2.0:
 
 For instance, looking at the kernel config file (which is generated 
 automatically for now) knl-base.cfg, I see
 #CONFIG_NET_KEY is not set
 CONFIG_XFRM=y
 #CONFIG_XFRM_USER is not set
 etc
 
 Thanks Much Again!



Re: [strongSwan] Simple Q on plugins

2009-08-14 Thread Andreas Steffen
Most of the default plugins are required. Using

  ./configure --enable-option --disable-option

you can enable additional plugins or disable default plugins.
E.g. if you decide to use the OpenSSL library (--enable-openssl)
then you can disable the following default plugins:

  --disable-aes  --disable-des --disable-md5 --disable-sha1
  --disable-sha2 --disable-gmp

The following link explains the use of the various plugins:

  http://wiki.strongswan.org/wiki/strongswan/Autoconf

Regards

Andreas

Yong Choo wrote:
 I am trying to port the 4.3.3 to our powerpc target by cross-compiling.
 Finally got the compilation/link successful. There's one more step that 
 I need to do, i.e. identifying the minimum set of files that are needed 
 for our target (under WindRiver's Linux 2.0 release).
 
 Looking at the output, I see that there are many files under
 libexec/ipsec/plugins dir.
 
 1. What are these for?
 2. For charon and other binary executables, are these needed? (I assume 
 not but just wanted to make sure)
 
 Thank You!
 -Yong Choo



Re: [strongSwan] BUG: DN with email

2009-08-18 Thread Andreas Steffen
Yes, this is actually the real fix which was a corruption of
the OID tree.

Regards

Andreas

Dimitrios Siganos wrote:
 Yes, it does fix it. Thank you.
 
 I noticed that you committed some more changes related to email OIDs. Are 
 they important? Should I get those too?
 I am referring to 
 http://wiki.strongswan.org/repositories/revision/strongswan/fc0ed07c1f44d56ac9a5353c23e4cd79ee2594dd.
 
 Regards,
 Dimitrios Siganos
 
 Andreas Steffen wrote:
 Hi Dimitrios,

 yes, you are right. A recent refactoring of the RDN synthesis function
 introduced a wrong emailAddress OID (there are at least three of them
 but in most cases the PKCS#9 definition is still used).

 The following patch should fix your problem:

 http://wiki.strongswan.org/repositories/revision/1/c8b543a6fc28bc335212ec69d39cc57f5b0e4095

 Best regards

 Andreas

 Dimitrios Siganos wrote:
   
 Hi,

 I believe I have found a bug with the latest strongswan. I used 
 strongswan-4.3.3 and also the latest git code (commit 
 333b461aa689c29197dadb2a15abc3ccade0c89a). They both exhibit the same or 
 similar problem.

 The problem appears when I add an email address to a certificate DN and 
 then try to use DN matching in strongswan.

 This type of DN, works:
 C=UK, CN=host1

 This type of DN, doesn't work:
 C=UK, CN=host2, e=ho...@somewhere.com

 To demonstrate the problem I created a very simple configuration with 2 
 self-signed certificates. One with an email in the DN and the other 
 without. Then I try to set the leftid to be same as the DN of the 
 certificate and start the ipsec. It only works if I don't have an email 
 set in the DN.

 The following was tested using the git commit 
 333b461aa689c29197dadb2a15abc3ccade0c89a.

 
 ipsec.conf:

 config setup
 strictcrlpolicy=no
 plutostart=no

 conn host1
 right=%defaultroute
 leftcert=host1.cert
 leftid=C=UK, CN=host1
 auto=add

 conn host2
 right=%defaultroute
 leftcert=host2.cert
 leftid=C=UK, CN=host2, e=ho...@somewhere.com
 auto=add

 #
 ipsec.secrets:

 : RSA host1.key
 : RSA host2.key

 #
 openssl x509 -in host1.cert -text -noout:
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 a7:59:91:8d:a2:d8:e7:25
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=UK, CN=host1
 Validity
 Not Before: Aug 18 14:17:23 2009 GMT
 Not After : Aug 18 14:17:23 2010 GMT
 Subject: C=UK, CN=host1
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:bd:67:68:2a:65:05:cb:0e:41:82:b7:39:4d:f2:
 f3:85:77:17:2f:40:f0:83:d1:dc:34:eb:26:cf:7a:
 be:b3:a0:3e:24:4a:c1:4e:e4:11:1a:d4:c3:18:23:
 b7:86:db:e7:26:5a:c4:b8:dd:42:eb:5d:12:eb:a5:
 70:9a:5b:40:2a:ba:74:49:7b:84:d6:37:ea:c5:a1:
 30:28:dc:ce:34:c7:68:47:6a:80:3d:b9:bd:67:ee:
 31:70:4d:8a:fb:64:5f:c6:68:fa:8c:56:b0:1a:47:
 0a:94:b5:f6:28:de:0a:6d:4e:07:55:ab:e0:e0:7b:
 92:51:ff:69:8f:c4:fc:15:c5
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75
 X509v3 Authority Key Identifier:
 
 keyid:48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75
 DirName:/C=UK/CN=host1
 serial:A7:59:91:8D:A2:D8:E7:25

 X509v3 Basic Constraints:
 CA:TRUE
 Signature Algorithm: sha1WithRSAEncryption
 0e:60:05:22:ca:42:59:95:c3:c8:d8:1d:c4:09:c8:03:1a:05:
 2c:30:c3:ec:5d:47:8e:98:6b:60:c6:43:2e:d9:55:d2:01:83:
 b7:4a:c9:e7:28:8c:e8:e4:3e:76:84:48:f8:69:c7:e0:05:0b:
 3d:5a:46:71:a6:ef:47:7b:c6:42:86:f6:eb:66:86:12:e3:1c:
 57:40:54:4e:96:20:b6:b2:3e:b6:67:75:a0:f3:4d:ba:d9:ea:
 eb:bb:ee:80:7a:af:9d:43:0c:ca:8c:d2:56:7a:49:8a:8c:a1:
 17:d0:fc:ba:88:b3:9e:6b:9d:41:a5:68:69:46:f7:c0:41:a4:
 23:da

 #
 openssl x509 -in host2.cert -text -noout:
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 8f:00:01:8a:0d:5d:0f:42
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=UK, CN=host2/emailaddress=ho...@somewhere.com
 Validity
 Not Before: Aug 18 14:17:02 2009 GMT
 Not After : Aug 18 14:17:02 2010 GMT
 Subject: C=UK, CN=host2/emailaddress=ho...@somewhere.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:c9:dd:90:db:c3:25:61:e6:f2:06:be:7c:9c:ba:
 94:87:ec:c8:98:17:c8:bf:18:07:96:a4:32:00:4d
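The DN matching this thread is about, as an added example written for this page (not strongSwan's RDN code): parse a distinguished name into (attribute OID, value) pairs and compare two names by OID, so that the e-mail attribute written as E=, Email= or emailAddress= in ipsec.conf matches the emailAddress the certificate carries. The PKCS#9 emailAddress OID 1.2.840.113549.1.9.1 is the definition the reply above says is normally used; accepting OpenSSL's "/C=UK/CN=..." form and the mixed "CN=host2/emailaddress=..." form seen in the -text dump, and the case-insensitive value comparison, are assumptions of this example, and the addresses are constructed.

```python
"""Compare X.500 distinguished names by attribute OID, not by spelling.

Added example, not strongSwan code.  A wrong OID for emailAddress (the bug
in this thread) makes "C=UK, CN=host2, E=..." in ipsec.conf fail to match
the certificate subject even though both are the same name; matching on
OIDs is the check that exposes such a mismatch.
"""
import re
from typing import List, Tuple

# Attribute type -> OID.  PKCS#9 emailAddress is 1.2.840.113549.1.9.1; the
# E= and Email= spellings are aliases ipsec.conf and OpenSSL users write.
ATTR_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
    "EMAIL": "1.2.840.113549.1.9.1",
    "E": "1.2.840.113549.1.9.1",
}
# Canonical short name per OID, used when a parsed DN is printed again.
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress",
}

RDN = Tuple[str, str]  # (attribute OID, value)


def parse_dn(text: str) -> List[RDN]:
    """Parse 'C=UK, CN=host2, E=a@b' or OpenSSL's '/C=UK/CN=host2/emailAddress=a@b'.

    Assumption of this example: in the comma form a '/' also separates
    components, which covers the mixed 'CN=host2/emailaddress=...' output
    of older 'openssl x509 -text' shown in the thread.
    """
    text = text.strip()
    if text.startswith("/"):
        parts = [p for p in text[1:].split("/") if p]
    else:
        parts = [p for p in re.split(r"\s*[,/]\s*", text) if p]
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        oid = ATTR_OIDS.get(attr.strip().upper())
        if oid is None:
            raise ValueError(f"unknown attribute type: {attr.strip()!r}")
        rdns.append((oid, value.strip()))
    return rdns


def is_valid_dn(text: str) -> bool:
    """True if every attribute type in the DN is one this parser knows."""
    try:
        parse_dn(text)
        return True
    except ValueError:
        return False


def _norm(value: str) -> str:
    # Assumption: compare values case-insensitively with whitespace collapsed.
    return " ".join(value.split()).lower()


def dn_equal(a: str, b: str) -> bool:
    """Order-sensitive comparison on (OID, normalised value) pairs."""
    ra, rb = parse_dn(a), parse_dn(b)
    return len(ra) == len(rb) and all(
        oa == ob and _norm(va) == _norm(vb) for (oa, va), (ob, vb) in zip(ra, rb)
    )


def canonical_dn(text: str) -> str:
    """Re-render a DN with one spelling per attribute type."""
    return ", ".join(f"{OID_NAMES[oid]}={value}" for oid, value in parse_dn(text))


if __name__ == "__main__":
    # Constructed names; the address is a placeholder, not one from the thread.
    leftid = "C=UK, CN=host2, E=host2@example.com"
    subject = "C=UK, CN=host2/emailaddress=host2@example.com"
    print(canonical_dn(leftid), "==", canonical_dn(subject), "->", dn_equal(leftid, subject))
```

Because comparison happens on the OID, an implementation that maps one spelling of the e-mail attribute to a different OID than the other would show up as `dn_equal` returning False for two names that print identically, which is the symptom reported in this thread.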

Re: [strongSwan] anti-replay window size?

2009-08-20 Thread Andreas Steffen
Hello,

currently the kernel interface method add_sa() of the IKEv2 daemon
sets the replay window size to a constant value of 32:

http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c#L965

whereas in the kernel interface method netlink_add_sa() of the IKEv1
daemon the size is configurable:

http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/kernel_netlink.c#L606

but in kernel.c where netlink_add_sa() is called, the value is set
invariably to 32, too:

Best regards

Andreas

Yong Choo wrote:
 Is there a way of controlling anti-replay window size although I 
 understand that strongswan supports it.
 I reviewed the man page of ipsec.conf but there is no mention of it.



Re: [strongSwan] no trusted RSA public key found

2009-08-26 Thread Andreas Steffen
:5b:f8:1f:
 66:34:ce:69:6f:75:80:8d:e4:35:4b:45:74:6c:38:
 de:59:a3:2b:f0:fc:3f:26:1b:60:a8:b2:f4:0f:43:
 09:54:5a:93:61:f1:d6:3f:71:5c:8a:a2:e8:f4:d5:
 1d:57:87:88:a9:25:a2:19:bb:e1:72:ad:7b:be:70:
 9c:1c:7b:30:89:4e:7f:f1:fc:c6:e8:cf:37:33:82:
 a4:c1:50:5c:01:44:e0:bc:6a:36:f8:b8:44:23:be:
 48:96:7e:e6:9f:15:3d:b7:eb
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 C4:1E:CC:CF:2D:51:16:7B:A1:3C:CE:1A:FD:35:23:CA:D9:1B:1D:BE
 X509v3 Authority Key Identifier:
 
 keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92:BD:97:A6:61:C2:23:E6:23
 
 Signature Algorithm: sha1WithRSAEncryption
 7b:98:6d:20:1b:87:33:56:9d:a3:4f:a8:9c:ae:b3:ad:b6:58:
 31:41:5f:d4:38:1b:8c:51:ac:25:3f:cb:fc:99:0b:4b:19:9c:
 77:92:ec:bf:67:1a:be:49:03:76:46:36:a8:88:8f:c3:ae:f0:
 f6:b5:b2:62:4d:77:ae:16:0f:76:e3:7d:9e:33:0e:7f:fd:47:
 7a:69:89:9c:cb:ac:3d:8a:a4:14:ae:a2:7f:96:57:66:bb:58:
 c4:87:a2:86:c8:0d:52:f4:36:46:29:a4:1b:ac:bb:e8:2b:23:
 3c:87:c7:07:2b:81:2d:19:f5:49:1f:9b:2f:93:3f:ba:76:40:
 a7:2b:d4:ac:df:ac:7e:21:fc:fd:d5:5d:57:2d:94:78:d8:eb:
 91:df:e2:00:2c:80:35:87:68:c1:3e:74:79:14:c4:3e:ab:d4:
 64:16:83:38:20:4f:be:f5:b7:36:6f:59:f2:d6:bd:34:fb:06:
 ec:a8:ef:05:90:ba:83:74:0b:a4:77:33:a2:93:67:5c:a4:c7:
 c3:de:83:56:dd:ad:0c:d7:56:30:c3:bf:82:71:c6:b9:23:98:
 45:80:93:4c:f0:8b:97:58:c2:78:eb:37:73:ea:84:f4:4f:27:
 e4:17:f5:c0:d4:b0:7b:5e:01:7b:ee:42:46:0e:f2:d3:62:b1:
 f3:9b:13:7b
 
 
 
 The moonCert.pem
 
 [r...@localhost certs]# openssl x509 -in moonCert.pem  -noout -text
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 2 (0x2)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
 Zhang/emailaddress=zha...@alcatel-lucent.com
 Validity
 Not Before: Aug 26 03:35:21 2009 GMT
 Not After : Aug 26 03:35:21 2011 GMT
 Subject: C=CN, ST=Shandong, O=ALU, OU=RD, 
 CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
 eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
 c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
 c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
 63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
 18:7d:94:3b:22:f1:1c:25:51
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 00:A5:D7:C3:CF:B7:F0:C3:FA:E4:70:0F:F3:96:CE:99:CC:58:1A:BE
 X509v3 Authority Key Identifier:
 
 keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92:BD:97:A6:61:C2:23:E6:23
 
 Signature Algorithm: sha1WithRSAEncryption
 97:c0:5b:45:11:7b:34:d3:09:c7:ae:83:77:e1:d8:e6:5d:aa:
 0b:17:3d:23:d6:4f:74:71:18:33:7d:99:dd:4c:3d:c9:61:ca:
 0c:08:f9:40:07:37:1b:9b:06:dc:f8:12:8b:34:ff:b3:06:12:
 9a:ec:08:07:68:52:58:15:4f:6d:f6:90:40:0d:8b:b0:a0:94:
 c9:d1:79:72:9f:c0:a6:ff:53:b1:ce:ac:7b:c3:3c:9a:dd:6b:
 da:8a:70:df:a1:c6:a9:80:2c:9a:71:ed:d9:ff:e8:b8:61:06:
 50:a9:a7:3c:3f:d3:89:4e:b4:d5:c0:3c:28:bd:1a:61:17:51:
 7d:de:3e:ab:bc:85:61:d5:d2:25:18:a4:54:94:b9:c4:67:56:
 3d:73:60:0b:14:14:0a:71:ca:ef:c1:bb:05:74:71:fd:db:3d:
 aa:ba:eb:17:5a:10:9c:15:51:4b:2f:25:c3:e4:94:5f:b0:1a:
 e0:8d:63:31:53:ac:2d:7e:6c:d3:bd:59:45:a9:75:15:b1:eb:
 0b:c7:58:d6:3a:2f:8d:7b:0d:80:b6:5d:d5:3e:cd:c7:ee:73:
 1f:2a:d3:6d:c0:53:fa:1d:ae:38:4a:f4:91:71:97:2f:6b:57:
 9d:63:2d:90:7f:71:3e:66:f8:72:c5:2b:c4:b6:c2:ac:c6:b9:
 9d:47:30:11
 
 Roger

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

Re: [strongSwan] Pluto has died ??

2009-08-27 Thread Andreas Steffen
Hi,

in order to help you I need the complete log plus your
ipsec.conf file.

Regards

Andreas

Nguyễn Hoàng Anh wrote:
 Hi all!
 
 Today I tried to install strongswan 4.3.4 and ran some tests in the
 testing/tests/openssl-ikev1/ecdsa-certs directory.
 When I start ipsec and then view the log in /var/log/secure, I get this:
 ...
 ipsec_starter [ 10388] : pluto has died --restart scheduled (5sec)
 
 
 I tried restarting ipsec many times but still got no good result.
 
 What is this problem? How can I solve it?
 My linux kernel version: 2.6.18 (download at kernel.org and recompiled)
 
 Thanks in advance!
 ___
 Users mailing list
 Users@lists.strongswan.org
 https://lists.strongswan.org/mailman/listinfo/users




Re: [strongSwan] get inner virtual IP

2009-08-27 Thread Andreas Steffen
Hi Roger,

the assigned virtual IP Address is available in the environmental
variable $PLUTO_MY_SOURCEIP in the /usr/libexec/ipsec/_updown script
which is called by the charon daemon after the IPsec SA has been
established successfully. You could adapt the _updown script so that
it communicates the virtual IP address to your application.

Alternatively your application could call the system command

ip addr list dev eth0

and extract the virtual IP assigned to the physical interface.

Regards

Andreas

Zhang, Long (Roger) wrote:
 Hi,
 
 I have tried the IKEV2 config-payload example as  
 http://www.strongswan.org/uml/testresults43/ikev2/config-payload/ 
 successfully.
 
 I want to get the inner virtual IP address that are assigned by 
 config-payload for later use in my application by SHELL command or TCL. Is 
 there an easy way to get it? Currently I can only see it by ipsec status 
 home and check the last line. This is easy for manual, but not easy for code 
 to get it accurate. So I want to ask if there is an easy and accurate way to 
 get it?
 
 [r...@localhost etc]# ipsec statusall home
 Status of IKEv2 charon daemon (strongSwan 4.3.4):
   uptime: 28 minutes, since Aug 28 14:57:39 2009
   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
   loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc 
 stroke kernel-netlink updown resolv-conf
 Listening IP addresses:
   135.252.131.87
 Connections:
 home:  135.252.131.87...135.252.130.87
 home:   local:  [moon.strongswan.org] uses public key authentication
 home:cert:  C=CN, ST=Shandong, O=ALU, OU=RD, 
 CN=moon.strongswan.org, e=m...@alcatel-lucent.com
 home:   remote: [sun.strongswan.org] uses any authentication
 home:   child:  dynamic === 10.1.0.0/16
 Security Associations:
 home[1]: ESTABLISHED 27 minutes ago, 
 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
 home[1]: IKE SPIs: 69208f149b5fab33_i* ca28924955c169b3_r, public key 
 reauthentication in 23 minutes
 home[1]: IKE proposal: 
 AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 home{1}:  INSTALLED, TUNNEL, ESP SPIs: caf62dcc_i ccae8f3e_o
 home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 
 3 minutes
 home{1}:   10.3.0.1/32 === 10.1.0.0/16
 
 Thanks,
 Roger



Re: [strongSwan] unable to initiate to %any

2009-08-27 Thread Andreas Steffen
Hi David,

with right=%any you cannot actively initiate a connection as
an initiator since the peer's IP address is not known. You can
only act as a passive responder waiting for the other side to
initiate.

Regards

Andreas

weiping deng wrote:
 Hi Martin, Hi all,
 
 When I try to find out the mechanism of virtual IP and initiate
 strongswan with the following configuration, I always get the error
 indication: unable to initiate to %any.
 
 Please give me a clue to trace down this problem , thanks.
 
  
 
 Configuration of two peers:
 
  [moon]-
 
 config setup
 
 strictcrlpolicy=no
 
 plutostart=no
 
 keep_alive=40m
 
 conn %default
 
 ikelifetime=60m
 
 keylife=20m
 
 rekeymargin=3m
 
 keyingtries=1
 
 keyexchange=ikev2
 
 conn host-host
 
 left=172.19.2.13
 
 leftfirewall=yes
 
 leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
 
 leftsubnet=192.168.253.0/24
 
 right=%any
 
 rightsourcip=%config
 
 auto=add
 
 --[sun]---
 
 config setup
 
 strictcrlpolicy=no
 
 plutostart=no
 
keep_alive=40m
 
 conn %default
 
 ikelifetime=60m
 
 keylife=20m
 
 rekeymargin=3m
 
 keyingtries=1
 
 keyexchange=ikev2
 
 conn home
 
 left=172.19.2.88
 
 leftsourceip=192.168.253.88
 
 leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
 
 leftfirewall=yes
 
 right=172.19.2.13
 
 rightsubnet=192.168.253.0/24
 
 auto=add
 
 -
 
 BTW, I still have the following two questions:
 
 1)  What's the mechanism of virtual ip?
 
 2)  Can I simulate one gateway by setting a secondary IP address on a
 Linux PC? If it is feasible, then how?
 
  
 
 Best Regards,
 
 David 


Re: [strongSwan] strongswan + LDAP

2009-08-28 Thread Andreas Steffen
Hi Sreenivas,

what do you mean by LDAP integration?

Andreas

sreenivas murthy wrote:
 Hi thr,
 
 I have installed strongswan on Ubuntu 8.04 server but I would like to
 integrate it with an LDAP server. Can anyone please help me to do this.
 
 Thanks in Advance.
 
 -Sreenivas.



Re: [strongSwan] AUTHENTICATION_FAILED notify error

2009-08-31 Thread Andreas Steffen
.chaudh...@gmail.com
   serial:02
   validity:  not before Aug 27 10:48:40 2009, ok
  not after  Aug 27 10:48:40 2011, ok
   pubkey:RSA 1024 bits, has private key
   keyid: 16:d5:7a:50:ee:c8:db:e5:a2:02:b4:54:5e:19:29:24:d4:23:7a:a9
   subjkey:   07:1f:03:c2:e4:c7:34:3c:2c:86:19:90:02:ea:d8:f2:40:24:12:c3
   authkey:   83:1f:bb:b7:c2:21:13:9c:8b:c2:6d:b6:4c:e6:98:cd:bb:9a:3b:2a
 
 Thank you.



Re: [strongSwan] Problems with Charon

2009-09-01 Thread Andreas Steffen
Hi,

are you running strongSwan on CentOS or RedHat? There is an issue with
these Linux kernels where IPsec policies get deleted when they are
queried e.g. by ipsec statusall or DPD. I think this kernel bug was
fixed recently by RedHat.

Best regards

Andreas

ServerAlex wrote:
 I've got a host-to-host connection that should be kept alive 24/7.
 
 machine 1:
 config setup
 plutostart=no   # IKEv1
 charonstart=yes # IKEv2
 nat_traversal=no
 
 # Add connections here.
 
 # Sample VPN connections
 conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=%forever
 keyexchange=ikev2
 dpdaction=hold
 mobike=no
 
 conn server1
 left=XX.X.XX.XX
 leftcert=server1-cert.pem
 left...@server1.xxx.com
 right=YY.YY.YY.YY
 right...@server2.xxx.com
 auto=start
 
 server2:
 config setup
 plutostart=no   # IKEv1
 charonstart=yes # IKEv2
 nat_traversal=no
 
 # Add connections here.
 
 # Sample VPN connections
 conn %default
 ikelifetime=60m
 keylife=20m
 rekeymargin=3m
 keyingtries=%forever
 keyexchange=ikev2
 dpdaction=clear
 mobike=no
 
 conn server12
 left=YY.YY.YY.YY
 leftcert=server2-cert.pem
 left...@server2.xxx.com
 right=XX.XX.XX.XX
 right...@server1.xxx.com
 auto=add
 
 
 When I start ipsec on both sides it works for a few minutes, then it
 just doesn't any longer, although the SAs are still alive.
 server2[2]: ESTABLISHED 11 minutes ago,
 XX.XX.XX.XX[server1.XXX.com]...YY.YY.YY.YY[server2.XXX.com]
 server2{2}:  INSTALLED, TUNNEL, ESP SPIs: cb043689_i c4ecff51_o
 server2{2}:   XX.XX.XX.XX/32 === YY.YY.YY.YY/32
 
 But no traffic flow can be established. The logs give me errors like these:
 Sep  2 02:44:30 server1 charon: 11[KNL] querying policy failed: No
 such file or directory (2)
 
 I have to restart the whole daemon on server1 to get the traffic
 flowing again.. for a few minutes.
 
 Any ideas?



Re: [strongSwan] Some problems with charon

2009-09-03 Thread Andreas Steffen
 strongSwan, CN=strongSwan Root CA
 Sep  3 15:57:37 samar charon: 12[IKE] sending cert request for C=CH, 
 O=Linux strongSwan, CN=strongSwan Root CA
 Sep  3 15:57:37 samar charon: 12[IKE] authentication of 
 'moon.strongswan.org' (myself) with RSA signature successful
 Sep  3 15:57:37 samar charon: 12[IKE] sending end entity cert C=CH, O=Linux 
 strongSwan, CN=moon.strongswan.org
 Sep  3 15:57:37 samar charon: 12[IKE] establishing CHILD_SA host-host
 Sep  3 15:57:37 samar charon: 12[ENC] generating IKE_AUTH request 1 [ IDi 
 CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) 
 N(MULT_AUTH) ]
 Sep  3 15:57:37 samar charon: 12[NET] sending packet: from 
 192.168.95.203[4500] to 192.168.95.131[4500]
 Sep  3 15:57:37 samar charon: 13[NET] received packet: from 
 192.168.95.131[4500] to 192.168.95.203[4500]
 Sep  3 15:57:37 samar charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT 
 AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
 Sep  3 15:57:37 samar charon: 13[IKE] received end entity cert C=CH, 
 O=Linux strongSwan, CN=sun.strongswan.org
 Sep  3 15:57:37 samar charon: 13[CFG]   using certificate C=CH, O=Linux 
 strongSwan, CN=sun.strongswan.org
 Sep  3 15:57:37 samar charon: 13[CFG]   using trusted ca certificate C=CH, 
 O=Linux strongSwan, CN=strongSwan Root CA
 Sep  3 15:57:37 samar charon: 13[CFG] checking certificate status of C=CH, 
 O=Linux strongSwan, CN=sun.strongswan.org
 Sep  3 15:57:37 samar charon: 13[CFG]   fetching crl from 
 'http://crl.strongswan.org/strongswan.crl' ...
 Sep  3 15:57:37 samar charon: 13[LIB] unable to fetch from 
 http://crl.strongswan.org/strongswan.crl, no capable fetcher found
 Sep  3 15:57:37 samar charon: 13[CFG] crl fetching failed
 Sep  3 15:57:37 samar charon: 13[CFG] certificate status is not available
 Sep  3 15:57:37 samar charon: 13[IKE] authentication of 'sun.strongswan.org' 
 with RSA signature successful
 Sep  3 15:57:37 samar charon: 13[IKE] scheduling reauthentication in 3323s
 Sep  3 15:57:37 samar charon: 13[IKE] maximum IKE_SA lifetime 3503s
 Sep  3 15:57:37 samar charon: 13[IKE] IKE_SA host-host[1] established 
 between 
 192.168.95.203[moon.strongswan.org]...192.168.95.131[sun.strongswan.org]
 
 Sep  3 15:57:37 samar charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no 
 CHILD_SA built
 Sep  3 15:57:37 samar charon: 13[KNL] received netlink error: Invalid 
 argument (22)
 
 Sep  3 15:57:37 samar charon: 13[KNL] unable to delete SAD entry with SPI 
 c5be246b
 Sep  3 15:57:37 samar charon: 13[IKE] received AUTH_LIFETIME of 3335s, 
 scheduling reauthentication in 3155s
 Sep  3 15:57:37 samar charon: 13[IKE] peer supports MOBIKE
 
 Please show me what's wrong. Why doesn't charon see my cipher? What do I need
 to do to fix the mistakes?
 
 Best regards, Alex
  
 ---
 Weather forecast HERE - http://pogoda.tut.by



Re: [strongSwan] Signature verification failed

2009-09-03 Thread Andreas Steffen
Hi Vivek,

could you send a log file generated with the options

charondebug=chd 2, knl 2

on the linux machine so the reason for the delete becomes
apparent.

Regards

Andreas

vivek bairathi wrote:
 Hi,
 
 I just got the solution to my problem. It's actually a problem of
 endianness as the endianness is not getting set in the sha1_hasher.c
 and also the code on qnx is compiled using armbe which is big endian.
 So I just set the BIG_ENDIAN in the sha1_hasher.c and finally the
 authentication is successful.
 
 But now I am getting a new error, as soon as the CHILD_SA is created
 the linux machine sends a delete request for the CHILD_SA to the qnx
 machine. I don't know why this is happening. My ikelifetime, keylife
 and rekeymargin are all in hours, so how could this happen?
 
 Can you tell me or give a possible condition because of which this is
 happening and, of course, if possible a solution also?
 
 Thanks & Regards,
 Vivek



Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !

2009-09-06 Thread Andreas Steffen
Hi Alok,

besides some unexpected packets everything seems ok. Both XAUTH
and ModeConfig are established successfully but somehow
the negotiation does not go on the IKE Quick Mode.
Could you remove the modeconfig=push line since strange effects
might occur if Mode Config is used in conjunction with XAUTH.

Regards

Andreas

Alok Thaker wrote:
 Hi Friends,
 
  I am a fan of strongswan and I have made L2TP with IPsec run
 successfully with iPhone and strongswan. The only problem I am facing is to
 make IPsec only with XAUTH+PSK run with iPhone.
 
 I have also enabled --enable-cisco-quirks=yes as iPhone works as a Cisco VPN
 client, as I read in the strongswan answers, but I have had no luck in
 establishment.
 I get the following errors while connecting strongswan ipsec (XAUTH+PSK)
 with iPhone ipsec.
 
  packet from 82.132.139.25:44759: ignoring Vendor ID payload [Cisco-Unity]
 Sep  6 14:48:43 uk_server3 pluto[24769]: packet from 82.132.139.25:44759:
 received Vendor ID payload [Dead Peer Detection]
 Sep  6 14:48:43 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1:
 responding to Main Mode from unknown peer 82.132.139.25:44759
 Sep  6 14:48:45 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1:
 NAT-Traversal: Result using RFC 3947: peer is NATed
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[1] 82.132.139.25:44759 #1:
 Peer ID is ID_IPV4_ADDR: '10.38.42.53'
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44759 #1:
 deleting connection win instance with peer 82.132.139.25
 {isakmp=#0/ipsec=#0}
 Sep  6 14:48:46 uk_server3 pluto[24769]: | NAT-T: new mapping
 82.132.139.25:44759/44760)
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sent MR3, ISAKMP SA established
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sending XAUTH request
 Sep  6 14:48:46 uk_server3 pluto[24769]: packet from 82.132.139.25:44760:
 Informational Exchange is for an unknown (expired?) SA
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 parsing XAUTH reply
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 extended authentication was successful
 Sep  6 14:48:46 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sending XAUTH status:
 Sep  6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 parsing XAUTH ack
 Sep  6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 received XAUTH ack, established
 Sep  6 14:48:47 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 sending ModeCfg set
 Sep  6 14:48:47 uk_server3 pluto[24769]: packet from 82.132.139.25:44760:
 ModeCfg message is for a non-existent (expired?) ISAKMP SA
 Sep  6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 parsing ModeCfg ack
 Sep  6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 received ModeCfg ack, established
 Sep  6 14:48:48 uk_server3 pluto[24769]: win[2] 82.132.139.25:44760 #1:
 unsupported ModeCfg attribute 28683?? received.
 
 My ipsec.conf for for psk + xauth has this entry
 
 config setup
 # crlcheckinterval=600
 # strictcrlpolicy=yes
 # cachecrls=yesA
 nat_traversal=yes
 conn win
 authby=xauthpsk
 xauth=server
 left=94.76.194.32
 leftnexthop=%direct
 rightsourceip=%modeconfig
 modeconfig=push
 auto=start
 
 My ipsec.secrets has
 94.76.194.32 %any : PSK alok
 : XAUTH alok alok
 
 Please, it is urgent for me. Can someone help me out? It would be a great
 achievement making strongswan ipsec (XAUTH+PSK) run with iPhone.
 
 Thanks,
 Alok



Re: [strongSwan] Able to connect, but packages does not get through.

2009-09-08 Thread Andreas Steffen
Hello Bjarke,

there are even no hits for incoming encrypted ESP packets:

Chain INPUT (policy DROP 16 packets, 5520 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            83.89.2.202

Are you sure that the strongSwan box is receiving any ESP packets
from the Win7 box? What does wireshark say?

Regards

Andreas

Bjarke Istrup Pedersen wrote:
 Hey,
 
 I'm having a little problem here.
 
 I'm trying to create a roadwarrior setup with Windows 7 machines connecting
 into my internal network.
 
 They can connect, the route is created, and the iptables rules are added.
 
 The problem is that no packages hit the firewall rules, it seems, and no
 traffic can get through.
 
 Also, I don't know how to get strongswan to tell the clients to access my
 internal network through the tunnel.
 
 My network is constructed the following way: 192.168.20.1/32 ==
 79.138.252.53 -- 83.89.2.202 == 192.168.1.0/24 (Where 192.168.1.0/24 is my
 internal network, and 192.168.20.0/24 is the pool of virtual address the
 clients get assigned).
 
 Here is some logs and configs:
 
 http://dl.getdropbox.com/u/254699/strongswan/ipsec%20startup.txt (log of
 when ipsec starts up)
 http://dl.getdropbox.com/u/254699/strongswan/ipsec%20connection.txt (log of
 when a client connects)
 http://dl.getdropbox.com/u/254699/strongswan/ipsec%20disconnection.txt (log
 of when a client disconnects)
 
 http://dl.getdropbox.com/u/254699/strongswan/ipsec.conf.txt (ipsec.conf
 file)
 http://dl.getdropbox.com/u/254699/strongswan/strongswan.conf.txt(strongswan.conf
 file)
 
 http://dl.getdropbox.com/u/254699/strongswan/iptables.txt (output of
 iptables -L -v -n)
 http://dl.getdropbox.com/u/254699/strongswan/route.txt (output of ip route
 list table 220)
 
 What might be wrong?
 
 Best regards,
 Bjarke I. Pedersen



Re: [strongSwan] Able to connect, but packages does not get through.

2009-09-08 Thread Andreas Steffen
Hi Bjarke,

what is the output of

  ip -s xfrm state

and

  ip -s xfrm policy

when the connection is up?

Does the in or fwd IPsec policy show any time in the use field:

dir in action allow index 18808 priority 1680 ptype main
  add 2009-08-18 15:50:33 use -

dir fwd action allow index 18818 priority 1680 ptype main
  add 2009-08-18 15:50:33 use 2009-08-18 15:50:36

And what is the byte count in the inbound IPsec state:

lifetime current:
  84(bytes), 1(packets)
  add 2009-08-18 15:50:33 use 2009-08-18 15:50:36

and do any errors show up:

stats:
  replay-window 0 replay 0 failed 0

Regards

Andreas

Bjarke Istrup Pedersen wrote:
 Hey Andreas,
 
 That is not an option at the moment it seems.
 The client I'm testing with is using a dialup connection (UMTS modem), and
 wireshark does not want to capture anything but ethernet adapters.
 
 Is there anything that looks suspicious, that might be causing this?
 
 The rule in the INPUT chain should be fine from what I know, since nothing
 can be blocking it before it reaches it.
 
 Best regards,
 Bjarke Istrup Pedersen


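The checks Andreas asks for (the `use` timestamp, the byte and packet counters of the inbound state, and the `failed` counter under `stats:`) can be scripted so they do not have to be read off by eye. The following is an added example, not code from the thread or from strongSwan: it reads `ip -s xfrm state` output on stdin and prints, for the SA whose SPI is given, the packet count, byte count, `failed` and `replay` counters and whether the SA has ever been used. The listing produced by `sample_xfrm_state` is constructed for the example (the addresses follow Bjarke's description; SPIs and counters are made up), not captured from a host.

```shell
#!/bin/sh
# Added example: summarise one IPsec SA from "ip -s xfrm state" output.
# Usage: ip -s xfrm state | xfrm_sa_stats 0x<spi>
# Prints "<packets> <bytes> <failed> <replay> <used>", used being yes/no
# according to the "use" timestamp; exit status 1 if the SPI is not listed.

xfrm_sa_stats() {
    awk -v want="$1" '
        /^src /        { cur = "" }                        # a new SA block starts
        $1 == "proto"  { for (i = 1; i < NF; i++) if ($i == "spi") cur = $(i + 1)
                         if (cur == want) found = 1 }
        cur != want    { next }                            # lines of other SAs
        # "84(bytes), 1(packets)" under "lifetime current:"
        /\(bytes\), .*\(packets\)/ {
            bytes = $1; packets = $2
            sub(/\(bytes\),/, "", bytes); sub(/\(packets\)/, "", packets)
        }
        # "add <date> <time> use <date> <time>" or "use -" if never used
        $1 == "add" && $4 == "use" { used = ($5 == "-") ? "no" : "yes" }
        # "replay-window 0 replay 0 failed 0" under "stats:"
        $5 == "failed" { replay = $4; failed = $6 }
        END {
            if (!found) { print "no SA with SPI " want > "/dev/stderr"; exit 1 }
            print packets, bytes, failed, replay, used
        }
    '
}

# Constructed sample in the layout of "ip -s xfrm state" (not a real capture):
# the inbound SA has seen one packet, the outbound one nothing, and the
# outbound one carries three failures.
sample_xfrm_state() {
    cat <<'EOF'
src 79.138.252.53 dst 83.89.2.202
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
    enc cbc(aes) 0x00000000000000000000000000000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      84(bytes), 1(packets)
      add 2009-08-18 15:50:33 use 2009-08-18 15:50:36
    stats:
      replay-window 0 replay 0 failed 0
src 83.89.2.202 dst 79.138.252.53
    proto esp spi 0x4e5f6a7b reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    lifetime current:
      0(bytes), 0(packets)
      add 2009-08-18 15:50:33 use -
    stats:
      replay-window 0 replay 0 failed 3
EOF
}

# Stand-alone run: report both sample SAs.
sample_xfrm_state | xfrm_sa_stats 0x0a1b2c3d
sample_xfrm_state | xfrm_sa_stats 0x4e5f6a7b
```

An inbound SA that still shows `use -` with zero packets while the peer believes it is sending means no ESP packet for that SPI ever reached the kernel, which is what the question to Bjarke is trying to establish; a non-zero `failed` count with packets arriving points instead at integrity failures on packets that did arrive.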

Re: [strongSwan] MODP_2048?

2009-09-10 Thread Andreas Steffen
Hi,
the error message:

 *configured DH group MODP_2048 not supported*

means that neither the gmp nor the openssl plugin could be
loaded successfully which implement the big number arithmetic
required for the Diffie-Hellman groups.

The command ipsec statusall should list either gmp and/or openssl in
the line

  loaded plugins: 

and the command ipsec listalgs should list all Diffie Hellman groups:

  dh-group:   MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144
  MODP_8192 MODP_1024 MODP_768

with the gmp plugin plus

 ECP_192 ECP_224 ECP_256 ECP_384 ECP_521

with the openssl plugin.

By default strongSwan compiles and loads the gmp plugin which in turn
requires the GNU Multiprecision library (libgmp3) including the header
file /usr/include/gmp.h.

Alternatively you can activate the openssl plugin (./configure
--enable-openssl) which requires the libcrypto-0.9.8 library plus the
/usr/include/openssl/ header files.

Best regards

Andreas

Yong Choo wrote:
 Hi all,
 
 I'm trying to 'execute' the following (on a cross-compiled PowerPC 
 Linux  for a telecommunication board):
 ipsec up net-enb40 (where I have the connectivity setup in the ipsec.config)
 
 I'm getting the following error:
 *configured DH group MODP_2048 not supported*
 
 I think I'm missing a kernel option? We are using Wind River Linux 
 PNE2.0 version.
 Does anyone know how to turn this 'MODP_2048' on?
 
 Thanks Much!



Re: [strongSwan] ARM and I386 ?

2009-09-14 Thread Andreas Steffen
It looks like a problem in the IKE session key derivation.
The encryption keys derived from the Diffie-Hellman secrets
don't seem to be the same on both sides, so that the
payloads encrypted by the sender cannot be decrypted by the
receiver. In order to diagnose this problem I recommend ramping
up the debugging level by setting

  plutodebug=control crypt

in the config setup section of /etc/ipsec.conf files on both
sides so that you will get a debug output of the form:

http://www.strongswan.org/uml/testresults43/ikev1/alg-blowfish/moon.auth.log

showing the Diffie-Hellman secrets and the derived session
keys.

Best regards

Andreas

Nguyễn Hoàng Anh wrote:
 Hi Andreas and all members!
 
 Today, after finishing make and make install of strongswan 4.3.4 on an ARM
 architecture, I tried to set up a host-to-host tunnel to an I386, but I
 get this error in the pluto log file on the I386:
 
 
 ..
 client2 #2: we have a cert and are sending it upon request
 server #3: NAT-Traversal: Result using RFC 3947: no NAT detected
 server #3: we have a cert and are sending it upon request
 client1 #1: next payload type of ISAKMP Hash Payload has an unknown value:
 55
 client1 #1: malformed payload in packet
 client2 #2: next payload type of ISAKMP Hash Payload has an unknown value:
 181
 client2 #2: malformed payload in packet
 server #3: next payload type of ISAKMP Hash Payload has an unknown value:
 164
 server #3: malformed payload in packet
 ..
 
 What is this error and how can I solve it?
 
 Many thanks!



Re: [strongSwan] esp=null-sha1-modp1024,null-null

2009-09-15 Thread Andreas Steffen
Hi Dimitrios,

yes, this means that esp=null-sha1-modp1024 is added to the default
list defined by

http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/config/proposal.c#L865

esp=null-null is not a valid configuration, since we do not accept a
null integrity algorithm. If you want to send a single proposal without
the default list then you can use the '!' strict character:

  esp=null-sha1-modp1024!

Kind regards

Andreas

Dimitrios Siganos wrote:
 Hi,
 
 Is the following esp line, valid configuration?
 
 conn west-east
 esp=null-sha1-modp1024,null-null
 
 Does it mean: add null-sha1-modp1024 and null-null to the default list 
 of proposals to be negotiated?
 
 How do I know what the default list proposal list is?
 
 Regards,
 Dimitrios Siganos



Re: [strongSwan] _updown is not called

2009-09-17 Thread Andreas Steffen
Hello Roger,

the IKEv2 charon daemon configures virtual IPs directly using
the RT_NETLINK kernel interface whereas the IKEv1 pluto daemon
does in fact use the _updown script to install virtual IP
addresses.

With the IKEv2 you can use either the standard

leftfirewall=yes

which calls the _updown script which in turn installs a set
of iptables firewall rules, or in your case you can define

leftupdown=path to my script

which will call a script where you can execute any actions
that you like.

Best regards

Andreas

Zhang, Long (Roger) wrote:
 Hi,
 
 I am using preshared key instead of certificate to setup an IPSec
 tunnel. After the tunnel is setup successfully, I found the _updown
 script is not called.  Using the test case
 http://www.strongswan.org/uml/testresults43/ikev2/virtual-ip-override/,
 the _updown can be called. Since I want to get the inner virtual IP
 to write to a tmp file so that my application can read it. Curious
 why it is not called. Is it related with preshared key?
 
 Thanks, Roger


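Putting this reply together with the earlier "get inner virtual IP" thread (the address arrives in PLUTO_MY_SOURCEIP, and leftupdown= points charon at a script of your own), here is an added example of such a script. It is not strongSwan's _updown and not from either thread. Besides PLUTO_MY_SOURCEIP it reads PLUTO_VERB and PLUTO_CONNECTION, two further variables the stock _updown script receives; the state directory (/var/run/ipsec-vip, overridable through STATE_DIR) is an assumption of the example. The address is validated before it is written, so the file the application later trusts can only ever hold a plain IPv4 address.

```shell
#!/bin/sh
# Added example (not strongSwan's own _updown): a minimal leftupdown= script
# that records the virtual IP charon passes in PLUTO_MY_SOURCEIP so that an
# application can read it from a file.  PLUTO_VERB and PLUTO_CONNECTION are
# the other variables the stock _updown script reads; STATE_DIR is assumed.
STATE_DIR="${STATE_DIR:-/var/run/ipsec-vip}"

# is_ipv4 ADDR: true if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in ''|.*|*.|*..*) return 1 ;; esac   # empty, leading/trailing/double dot
    old_ifs=$IFS
    IFS=.
    set -f                                          # no pathname expansion of "$1"
    set -- $1
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;                # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# record_virtual_ip VERB CONN VIP
# up-* verbs write VIP to STATE_DIR/CONN.vip, down-* verbs remove the file.
# A connection name that could escape the directory, or a VIP that is not a
# plain IPv4 address, is refused rather than written.
record_virtual_ip() {
    verb=$1; conn=$2; vip=$3
    case "$conn" in
        ''|*/*|.*) echo "refusing connection name '$conn'" >&2; return 1 ;;
    esac
    umask 022
    mkdir -p "$STATE_DIR" || return 1
    case "$verb" in
        up-client|up-host)
            if ! is_ipv4 "$vip"; then
                echo "refusing non-IPv4 PLUTO_MY_SOURCEIP '$vip'" >&2
                return 1
            fi
            printf '%s\n' "$vip" > "$STATE_DIR/$conn.vip"
            ;;
        down-client|down-host)
            rm -f "$STATE_DIR/$conn.vip"
            ;;
        *)  return 0 ;;                             # other verbs: nothing to record
    esac
}

# read_virtual_ip CONN: prints the recorded address, nothing if the tunnel is down.
read_virtual_ip() {
    cat "$STATE_DIR/$1.vip" 2>/dev/null || true
}

# When charon invokes the script, dispatch on the variables it exports.
if [ -n "$PLUTO_VERB" ]; then
    record_virtual_ip "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_MY_SOURCEIP"
fi
```

Install it with `leftupdown=/path/to/this/script` in the conn; if you still want the firewall rules that leftfirewall=yes installs, keep those in the stock script and call this one from it, since only one updown script is run per connection.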

Re: [strongSwan] Does strongSwan support RFC4754

2009-09-18 Thread Andreas Steffen
Hi Kunal,

yes, both our IKEv1 and IKEv2 daemons support RFC4754.

In the IKEv1 code the hash for the ECDSA signature is constructed in
pluto/ipsec_doi.c:main_mode_hash()

http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/ipsec_doi.c#L1355

which is then signed in pluto/ipsec_doi.c:sign_hash()

http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/ipsec_doi.c#L1419

The actual signature is done in by

   private-sign(private, scheme, hash, sig)

which maps to

libstrongswan/plugins/openssl/openssl_ec_private_key.c:sign()

http://wiki.strongswan.org/repositories/entry/strongswan/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c#L133

In the IKEv2 code private-sign() is called in

charon/sa/authenticators/pubkey_authenticator.c:build()

http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/sa/authenticators/pubkey_authenticator.c#L61

Regards

Andreas

kunal patel wrote:
 Hi,
 
 Can someone please let me know whether strongSwan supports RFC 4754. If yes,
 then can someone please point me to the file location which implements auth
 payload construction for ECDSA authentication?
 
 Thanks,
 Kunal



Re: [strongSwan] Vendor id string for nat draft's

2009-09-22 Thread Andreas Steffen
Hi Sunil,

As far as I know there were no special Vendor IDs
for NAT-T-6 and NAT-T-7. Only the following VIDs
were in use:

MD5(draft-ietf-ipsec-nat-t-ike-00)
MD5(draft-ietf-ipsec-nat-t-ike-02)
MD5(draft-ietf-ipsec-nat-t-ike-02\n)
MD5(draft-ietf-ipsec-nat-t-ike-03)
MD5(RFC 3947)

Best regards

Andreas

sunil kumar wrote:
 Hi,
 
 I am looking for Vendor ID string for NAT-T-6 and NAT-T-7.
 It will be helpful if I get all vendor ID strings used in ISAKMP.
 
 Thanks in advance.
 
 Regards,
 Sunilkumar


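The vendor IDs Andreas lists are just the MD5 digests of the strings shown, so a received VID can be matched without a lookup table. The following is an added example, not code from the thread or from strongSwan: it derives the five VIDs from their defining strings (including the draft-02 variant with a trailing newline) and maps a 16-byte VID from a log line back to the draft or RFC it announces. It assumes either `md5sum` or `openssl` is installed.

```shell
#!/bin/sh
# Added example: derive the ISAKMP NAT-T vendor IDs from their defining
# strings and identify a received VID.  Only the five entries Andreas lists
# are covered; anything else is reported as unknown.

# md5hex STRING [nl]: lowercase hex MD5 of STRING, with a trailing newline
# appended to the input when the second argument is "nl".
md5hex() {
    if [ "$2" = nl ]; then fmt='%s\n'; else fmt='%s'; fi
    if command -v md5sum >/dev/null 2>&1; then
        printf "$fmt" "$1" | md5sum | cut -d' ' -f1
    else
        printf "$fmt" "$1" | openssl dgst -md5 | sed 's/.*= //'
    fi
}

# natt_vid_name HEX: prints which NAT-T draft or RFC the vendor ID stands
# for; exit status 1 if it matches none of the known strings.
natt_vid_name() {
    vid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for name in draft-ietf-ipsec-nat-t-ike-00 draft-ietf-ipsec-nat-t-ike-02 \
                draft-ietf-ipsec-nat-t-ike-03 'RFC 3947'; do
        if [ "$(md5hex "$name")" = "$vid" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    # draft-02 was also announced by some implementations with a trailing
    # newline in the hashed string, which yields a different VID.
    if [ "$(md5hex draft-ietf-ipsec-nat-t-ike-02 nl)" = "$vid" ]; then
        printf '%s\n' 'draft-ietf-ipsec-nat-t-ike-02\n'
        return 0
    fi
    echo "unknown vendor ID $vid" >&2
    return 1
}

# Stand-alone run: print the whole table, then resolve one VID.
for name in draft-ietf-ipsec-nat-t-ike-00 draft-ietf-ipsec-nat-t-ike-02 \
            draft-ietf-ipsec-nat-t-ike-03 'RFC 3947'; do
    printf '%-34s %s\n' "$name" "$(md5hex "$name")"
done
printf '%-34s %s\n' 'draft-ietf-ipsec-nat-t-ike-02\n' "$(md5hex draft-ietf-ipsec-nat-t-ike-02 nl)"
natt_vid_name "$(md5hex 'RFC 3947')"
```

When comparing against a VID copied from a pluto log, strip any colons or spaces first; the function expects the bare 32 hex digits.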

Re: [strongSwan] About finding whether the VPN tunnel is working or not

2009-09-24 Thread Andreas Steffen
Yeah, this should work.

Andreas

bhanushali_bhav...@emc.com wrote:
 Hello All , 
   The following is the situation :   
 
 1] I am writing code to check whether VPN tunnels are working or not in
 my system 
 
 2] So I do ipsec status and it shows me some output . I am thinking of
 grepping for ESTABLISHED and INSTALLED and If I find these words I
 am concluding that VPN tunnels are working fine .
 
 3] If ipsec status doesn't show any output and the output length is
 0 I am concluding that the tunnels are not working and VPN between the
 two machines is down.
 
 Is this the correct approach ?
 
 Thanks,
 Bhavesh Bhanushali

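The check Bhavesh describes (grepping ipsec status for ESTABLISHED and INSTALLED) can be made a little more robust by evaluating both words per connection name and by treating empty output as its own condition, since an empty result also occurs when the daemon is not running or the command is missing, which is not the same as "tunnel down". The Python below is an added example, not code from the thread or from strongSwan; the sample status text is constructed to resemble the ipsec status listing, and live_state() assumes an ipsec binary on PATH.

```python
import re
import subprocess
from typing import Dict, Optional

# Constructed sample of "ipsec status" output (not captured from a real
# system, but shaped like strongSwan's listing): connection net-net has an
# ESTABLISHED IKE_SA and an INSTALLED CHILD_SA, connection rw only got as
# far as the IKE_SA.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
   net-net[1]: ESTABLISHED 12 minutes ago, 10.0.0.1[moon.example]...10.0.0.2[sun.example]
   net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c1234567_i c7654321_o
   net-net{1}:   10.1.0.0/16 === 10.2.0.0/16
   rw[2]: ESTABLISHED 3 seconds ago, 10.0.0.1[moon.example]...10.0.0.9[carol.example]
"""

# IKE_SAs are listed as "name[id]: STATE ...", CHILD_SAs as "name{id}: STATE ...".
IKE_SA_RE = re.compile(r"^\s*(?P<conn>[^\[\s]+)\[\d+\]:\s+(?P<state>[A-Z_]+)")
CHILD_SA_RE = re.compile(r"^\s*(?P<conn>[^{\s]+)\{\d+\}:\s+(?P<state>[A-Z_]+)")


def parse_status(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Collect the IKE_SA and CHILD_SA state word for every connection name."""
    conns: Dict[str, Dict[str, Optional[str]]] = {}
    for line in output.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {"ike": None, "child": None})["ike"] = m["state"]
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {"ike": None, "child": None})["child"] = m["state"]
    return conns


def tunnel_state(output: str, conn: str) -> str:
    """Classify one connection from status output.

    "up"        IKE_SA ESTABLISHED and CHILD_SA INSTALLED: traffic can flow
    "ike-only"  IKE_SA up but no CHILD_SA installed yet
    "down"      connection not listed, or in another state
    "no-output" nothing to evaluate (daemon not running, command missing)
    """
    if not output.strip():
        return "no-output"
    sa = parse_status(output).get(conn)
    if sa is None:
        return "down"
    if sa["ike"] == "ESTABLISHED" and sa["child"] == "INSTALLED":
        return "up"
    if sa["ike"] == "ESTABLISHED":
        return "ike-only"
    return "down"


def live_state(conn: str) -> str:
    """Run the real command (assumes 'ipsec' is on PATH) and classify it."""
    try:
        proc = subprocess.run(["ipsec", "status"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "no-output"
    return tunnel_state(proc.stdout, conn)


if __name__ == "__main__":
    for name in ("net-net", "rw", "absent"):
        print(f"{name}: {tunnel_state(SAMPLE_STATUS, name)}")
```

Keying the result on the connection name rather than on the mere presence of the two words avoids a false "up" when a different connection on the same gateway is healthy and the one being monitored is not.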


Re: [strongSwan] Some Question About NAT-T and DPD

2009-09-24 Thread Andreas Steffen
weiping deng wrote:
 Hi Both,
 
 I have the following questions that need your answer. Please help me, thanks.
 
 Q1:
 About the NAT-T, whether strongswan supports: “Detecting and Honouring
 the NAT device changing its public address”?

In principle such a situation can be detected by observing a change
in the value of the NAT Detection payload contained in DPD messages
and the IPsec SA can then be updated using the MOBIKE (RFC 4555)
protocol. I'm not sure whether our MOBIKE implementation supports this
but Martin will know.

 Q2:
 About the DPD, in IKEv2, the default value of DPD timeout (dpdtimeout) = ?  

IKEv2 doesn't use IKEv1's dpdtimeout configuration parameter. It
just applies the regular retransmission scheme for IKE packets
(5 exponentially staggered retransmissions) and if no answer is received
declares the peer dead after about 2 minutes.

 Look forward for your answer, thanks.
 
 David

Regards

Andreas



Re: [strongSwan] Some Question about the configuration payload

2009-09-24 Thread Andreas Steffen
weiping deng wrote:
 Hi Both,
 
 Excuse me. I have the following questions about the configuration payload:
 
 Q1:
 
 In the current version of strongSwan, can an internal DNS server be
 assigned by the server when the peer requests it in the same
 configuration payload as the virtual IP request?
 
 If an internal DNS server can be assigned, where can I get this information? And
 if I want to obtain this information for further handling, how can I do that?

Yes, internal DNS servers can be assigned to a strongSwan client via
the configuration payload. A sample scenario is shown here:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/console.log

By default the DNS servers are added to /etc/resolv.conf by the
resolv-conf plugin. The destination file can be changed via the

  --with-resolv-conf=file

configuration option. strongSwan as a server can read DNS and WINS
server information from /etc/strongswan.conf using the attr plugin:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/moon.strongswan.conf

Both the attr and resolv-conf (renamed to resolve starting with
release 4.3.5) plugins are enabled by default.

 
 Q2:
 
 I have always had a question: as described in RFC 4306 (IKEv2), the
 server can assign the internal subnet and corresponding netmask to the
 peer. Why do we need to configure rightsubnet in the peer's ipsec.conf?
 
 Can this item be removed from ipsec.conf? Or maybe this item is not
 used to configure the internal subnet and can be set to a random value
 (in fact, it does not work when I set a random value for
 right/leftsubnet).

On the client side you can define right|leftsubnet=0.0.0.0/0
and the server will narrow the range down to its own definition.
Narrowing is an IKEv2 feature.

  
 
 Look forward to your answer, thanks.
 
 David

Regards

Andreas



Re: [strongSwan] Re: Some Question about the configuration payload

2009-09-24 Thread Andreas Steffen
The server needs the attr plugin (ipsec statusall should list it)
and up to two DNS and WINS servers can be defined in strongswan.conf:

# /etc/strongswan.conf - strongSwan configuration file

charon {
  dns1 = 62.2.17.60
  dns2 = 62.2.24.162
  nbns1 = 10.10.1.1
  nbns2 = 10.10.0.1
}

On the client just the resolv-conf plugin is required (ipsec
statusall should list it). The DNS servers are appended to
/etc/resolv.conf or the file you specified with the compile
option --with-resolv-conf=. When the tunnel goes down,
the DNS information is removed.

Regards

Andreas

weiping deng wrote:
 Hi Andreas,
 
 Thanks for your quick response and important information about the
 configuration payload. 
 I want to confirm the following item with you further:
 Do I need to configure nothing in ipsec.conf or strongswan.conf and
 only need to start the resolv and attr plugins on the server side and peer
 side?
 
 Best Regards,
 David
 -Original Message-
 From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
 Sent: 2009-09-24 15:03
 To: weiping deng
 Cc: 'Martin Willi'; users@lists.strongswan.org
 Subject: Re: Some Question about the configuration payload
 




Re: [strongSwan] EAP_MSCHAPv2 and RADIUS

2009-09-25 Thread Andreas Steffen
Hi Peter,

although the FreeRADIUS server computes the MSK value in the MSCHAPv2
case, the MSK is discarded and not included in the EAP response.
Therefore FreeRADIUS cannot be used with IKEv2 EAP_MSCHAPv2. During
LinuxTag 2009 we talked with a FreeRADIUS developer and he told us
that the MSK could easily be included in the EAP response (but
someone would have to do that hack).

Martin has successfully tested IKEv2 EAP MSCHAPv2 with a Microsoft
RADIUS server, though, which in turn accesses the Windows Active
Directory for the user credentials.

Best regards

Andreas

The Peter Winterer wrote:
 Hello all,
 
 Currently on the strongswan wiki there is an example configuration for:
 EAP_MSCHAPv2 authentication with EAP identity (username and password in 
 ipsec.secrets).
 
 My question is, can EAP_MSCHAPv2 authentication with EAP work in 
 conjunction with a radius server (username and password is taken from 
 the radius server)?
 
 Thanks,
 Peter



Re: [strongSwan] about LRNG !

2009-09-28 Thread Andreas Steffen
Hello,

well /dev/random and /dev/urandom *are* the APIs for the
Linux Random Number Generator! This means that the default
libstrongswan random plugin uses the LRNG. We define three
strengths of random material:

type         use                         random plugin
RNG_WEAK:    nonces, IVs                 /dev/urandom
RNG_STRONG:  DH session keys, cookies    /dev/urandom
RNG_TRUE:    RSA/ECDSA keys              /dev/random

In place of the default random plugin you could use a plugin
of your own directly interfacing to a HW true random generator.

Best regards

Andreas

Nguyễn Hoàng Anh wrote:
 Hello Andreas and all members!
 
 I have a question about the LRNG (Linux Random Number Generator) in strongSwan.
 I wonder how strongSwan uses it?
 I looked into strongSwan's source code and saw that strongSwan uses
 /dev/random and /dev/urandom to generate random numbers.
 I think that strongSwan uses the LRNG to generate encryption keys, cookies, ... Is
 that true?
 Can you give me more details about it?
 
 Many thanks!
 



Re: [strongSwan] issue about the route

2009-09-28 Thread Andreas Steffen
Hi David,

- have you enabled IP forwarding on gateway moon?

  echo 1 > /proc/sys/net/ipv4/ip_forward

Regards

Andreas

weiping deng wrote:
 Hi Martin and Andreas, Hi all,
 
  
 
 The test scenario is listed as follows:
 
 Alice (IP: 172.19.2.190, Secondary IP: 192.168.253.68)
   --- moon (as gateway, IP: 172.19.2.118, Secondary IP: 192.168.253.98)
   --- carol (IP: 172.19.2.86, Virtual IP: 192.168.253.89)
 
 As above, I have established the IPsec tunnel between moon and carol. Now I
 can ping moon from carol with ping 192.168.253.98 and I also can ping
 Alice from moon with ping 192.168.253.68.
 
 But I cannot ping Alice from carol with ping 192.168.253.68. Please
 tell me what problem occurred, thanks.
 
 The following is the configuration of moon and carol:
 
 ++Moon:
 
 config setup
     strictcrlpolicy=no
     plutostart=no
 
 conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=%forever
     keyexchange=ikev2
 
 conn rw-eapaka
     left=172.19.2.118
     leftsubnet=192.168.253.0/24
     leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, E= @moon.strongswan.org"
     leftcert=/etc/ipsec.d/certs/moonCert.pem
     leftauth=pubkey
     leftfirewall=yes
     lefthostaccess=yes
     right=%any
     rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, e=ca...@strongswan.org"
     rightsendcert=never
     rightsourceip=192.168.253.89
     rightauth=eap-aka
     auto=start
 
 ++carol:
 
 config setup
     strictcrlpolicy=no
     plutostart=no
     keep_alive=20m
 
 conn %default
     ike=aes-sha1-modp1024!
     esp=aes-sha1!
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=%forever
     keyexchange=ikev2
     dpdaction=clear
     dpdtimeout=5m
     dpddelay=10
 
 conn FAP1000
     left=172.19.2.86
     leftsourceip=%config
     leftcert=/etc/ipsec.d/certs/carolCert.pem
     leftauth=eap
     right=172.19.2.118
     rightsubnet=0.0.0.0/0
     rightcert=/etc/ipsec.d/certs/moonCert.pem
     rightauth=pubkey
     leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, e=ca...@strongswan.org"
     rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e...@moon.strongswan.org"
     auto=add
 
 Best Regards,
 
 David



Re: [strongSwan] Re: [SPAM] Re: issue about the route

2009-09-28 Thread Andreas Steffen
Hello David,

the problem is that carol uses a virtual IP belonging to
the same subnet as alice. Therefore alice tries to send
the ICMP response directly via ARP resolution. You could
try to add a route on alice, directing traffic for carol
to moon:

ip route add 192.168.253.89/32 via 192.168.253.1

The better solution is to assign virtual IP addresses
for roadwarriors from another subnet, e.g. 192.168.252.0/24
and add moon as default gateway on alice:

ip route add default via 192.168.253.1

Andreas

weiping deng wrote:
 Hi Andreas,
 Thank you. I enabled IP forwarding on gateway moon using the method you
 provided below. Now the ICMP request can be forwarded to Alice, but I
 cannot find the ICMP response in the tcpdump log. It seems that there
 is still some work to be done :-). Can you give me a further hint?
 Thanks.
 Best Regards,
 David
 
 -Original Message-
 From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
 Sent: 2009-09-28 14:53
 To: weiping deng
 Cc: mar...@strongswan.org; users@lists.strongswan.org
 Subject: [SPAM] Re: issue about the route
 


Re: [strongSwan] strongSwan implementation on Ubuntu

2009-09-28 Thread Andreas Steffen
Hi Stevie,

you might also try the free Shrew Soft VPN Client for Windows XP:

  http://www.shrew.net/

Under MS Vista and Windows 7 the configuration of the built-in
Microsoft IKEv1 client has become much more user friendly and
can be run without the tiresome L2TP overhead. Our strongSwan wiki
shows the use with preshared-keys:

  http://wiki.strongswan.org/wiki/strongswan/WindowsVista

or with efficient elliptic curve certificates

  http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB

And of course you *must* try the new IKEv2 Agile VPN Client
available with Windows 7:

  http://wiki.strongswan.org/wiki/strongswan/Windows7

Regards

Andreas

Daniel Mentz wrote:
 Hi Stevie,
 
 strongSwan meets most if not all of your requirements.
 
 Stevie K wrote:
 ° Key exchanges using Internet PKIs
 
 Please explain what you mean by that. Here's a quote from strongSwan's 
 feature list that might be related to this requirement.
 
 - Authentication based on X.509 certificates or preshared keys
 - Retrieval and local caching of Certificate Revocation Lists via HTTP 
 or LDAP
 - Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
 - CA management (OCSP and CRL URIs, default LDAP server)
 - Powerful IPsec policies based on wildcards or intermediate CAs
 - Group policies based on X.509 attribute certificates (RFC 3281)
 
 Is this possible with strongSwan and are there any HOWTOs?
 
 Please check
 http://wiki.strongswan.org/projects/show/strongswan
 
 and
 
 http://www.strongswan.org/docs.htm
 
 The latter might be a little bit out-dated but still contains a very 
 good tutorial.
 
 What VPN client software is available for Windows XP that can be used with
 strongSwan?
 
 I successfully used
 NCP Secure Entry Client  (Win32/64)
 which is unfortunately pretty expensive (142.80 EUR per license).
 There might be other clients for WinXP as well.
 
 You might even use the native L2TP/IPsec client of Windows XP although 
 the setup is a bit nasty in my opinion. It also has some (security) 
 problems.
 
 You might also be able to use Cisco's VPN client although there are 
 license/legal issues. Check
 http://wiki.strongswan.org/wiki/strongswan/Autoconf
 for
 --enable-cisco-quirks
 
 -Daniel



Re: [strongSwan] ip xfrm state / ip xfrm policy

2009-09-29 Thread Andreas Steffen
Hi Jessie,

in the past there were some embedded platforms which did not implement
the ip xfrm command. Does e.g. ip route list work? If not then the
whole iproute2 package is missing and you must install it first.

Regards

Andreas

Jessie Liu wrote:
 Hi all, 
  I'm trying to use the ip xfrm state and ip xfrm policy commands.
 But I couldn't use that command to show information. There is no such command!
 What else should I add in kernel config?
 I already have xfrm4_tunnel.ko and xfrm_user.ko, but still cannot use that 
 command.
  
 Thanks a lot. ^___^



Re: [strongSwan] ip xfrm state / ip xfrm policy

2009-09-30 Thread Andreas Steffen
Yeah, it looks as if your BusyBox does not support the xfrm subcommand.
Either try to update to a more recent BusyBox or install setkey
from the ipsec-tools package instead:

  setkey -D is similar to ip xfrm state

and

  setkey -DP similar to ip xfrm policy

Regards

Andreas

Jessie Liu wrote:
 Hi Andreas,
  
 ip route list works fine on my target board, but ip xfrm state did
 not work.
  
 When I type ip xfrm state,
 it shows the following messages:
  
 BusyBox v1.10.1 (2009-09-28 15:09:16 CST) multi-call binary
  
 Usage ip [OPTIONS] {address | route | link | tunnel | rule} {COMMAND}
  
 
 
 --- On 09/9/30 (Wed), Andreas Steffen andreas.stef...@strongswan.org
 wrote:
 
 
 From: Andreas Steffen andreas.stef...@strongswan.org
 Subject: Re: [strongSwan] ip xfrm state / ip xfrm policy
 To: Jessie Liu iamnotjes...@yahoo.com.tw
 Cc: users@lists.strongswan.org
 Date: 2009-09-30 (Wed), 12:32 PM
 



Re: [strongSwan] strongswan 4.3.4 /usr/libexec/ipsec/stroke

2009-10-01 Thread Andreas Steffen
Hi Jessie,

strongswan-4.3.4/src/stroke is just a wrapper script. The actual
executable is found in

  strongswan-4.3.4/src/.libs/stroke

This is generally the case with all built executables and libraries.
Always copy them from the corresponding .libs subdirectory.

Best regards

Andreas

Jessie Liu wrote:
 Hi all,
 I'm trying to make strongswan 4.3.4 work on my target board.
 I've successfully done this with strongswan 4.3.2.
  
 With strongswan 4.3.4, I've successfully started the two processes starter and
 charon, and tried to set up a connection with ipsec up connection-name.
  
 But some errors occurred.
  
 The error message looks like this: (I forgot to save the error message)
 /usr/libexec/ipsec/stroke: 
 /root/product/src/apps/strongswan-4.3.4/src/stroke:  No such file or 
 directory.
  
 It seems the path on the host computer is included in the script 
 /usr/libexec/ipsec/stroke.
 How can I avoid this?
 And I found that /usr/libexec/ipsec/stroke in 4.3.2 is an executable file and 
 in 4.3.4 it is a script ??
  
 Thanks ^___^



Re: [strongSwan] setkey equivalent tool available?

2009-10-08 Thread Andreas Steffen
strongSwan is an automatic keying daemon and therefore does not
need any manual IPsec SA configuration tool. For monitoring purposes
either the command

  ip -s xfrm state|policy

or ipsec statusall can be used.

Andreas

Yong Choo wrote:
 Is there a tool in strongSwan which performs the functions as in 
 'setkey' in racoon?
 
 Thanks,
 -Yong Cho


