[strongSwan] understanding libhydra kernel interface
Hi all,

I am having trouble interpreting the plugins of libhydra, specifically understanding the interfaces which communicate with the kernel.

Scenario:
* using SS client for IKEv2.
* The web link below indicates that by default 'kernel-netlink' of libhydra will be loaded for communicating with the kernel NETKEY IPsec stack.
  http://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist

Which means, as per my understanding of the code base, the following would be the flow:

i)  ipsec start -- starts the starter in starter.c. There is a call libhydra_init(starter) -- initialize kernel interfaces specific to 'starter' for the kernel.
ii) Starter starts the charon daemon in line 714 of starter.c.
iii) Inside charon.c:
  a) again libhydra_init(charon), line 472 -- initialize the kernel interfaces (including the netlink interface) specific to 'charon' for the kernel.
  b) line 572: initialize the charon daemon with 'charon.load', which reads libhydra plugins from strongswan.conf pertaining to charon.

In step b) above, there is a plugin called 'kernel-netlink' which initializes the netlink kernel interfaces for NETKEY IPsec and the netlink kernel interfaces for the network (lines 46, 48 of kernel_netlink_plugin.c).

My question is, why should we initialize the kernel interface, e.g. 'kernel-netlink', again when step a) already initializes the 'kernel-netlink' interfaces in libhydra_init? Why should the charon daemon specifically initialize its kernel interfaces as in step b), when libhydra for charon already does it in step a)?

I am not sure if my understanding or reasoning is correct and I would deeply appreciate any help to clarify my doubt.

Regards,
RV

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] support for simultaneous connections to multiple gateways from my linux laptop
Hello All,

I was trying to use strongswan to set up multiple IKEv2 tunnels simultaneously. Can Strongswan 5.x software handle simultaneous IKEv2 connections to different end points or gateways, i.e. UE1 connecting to Gateway1 and UE1 connecting to GW2? Can both requests be processed by 5.x software simultaneously, setting up 2 parallel connections and operating each tunnel independently?

-- 
Regards,
Venkata
[strongSwan] strongswan android plugin support for simultaneous connections
Dear All,

I have one query. Does the strongswan android plugin at location 'strongswan/src/libcharon/plugins/android' support simultaneous handling of connection requests, i.e. Application A writes to the control socket on which the android plugin listens, and Application B writes to the same control socket on which the android plugin listens too? In the source code of the android plugin, for this scenario, kindly confirm if this setup is feasible. Is this a limitation of the android plugin, not being able to handle simultaneous requests? Does the underlying charon daemon support handling of simultaneous requests for IKE control path setup with the tunnel?

-- 
Regards,
Ravikanth
[strongSwan] including IPv6 address and IPv6 DNS entry in the conf payload of IKE_AUTH message
Dear all,

I have a query. Is the charon daemon, used as a client, capable of including just an IPv6 address/IPv6 DNS in the conf payload of the IKE_AUTH message sent to the ePDG? E.g. in the CP payload I want to include IPv6: fec3::/120. What is the configuration parameter to be set for the charon daemon to send this IPv6 address in the conf payload?

Also, which IKEv2 RFC is currently supported by Strongswan, RFC 5996 or RFC 7296? The link below says it is compliant to RFC 7296:
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards
The Strongswan.org website on the first page says it is RFC 5996 compliant.

-- 
Regards,
RaviKanth VN Vanapalli
[strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server
Dear All,

I am trying to do IKEv2 EAP username/password authentication between:

Client: Strongswan Android Google Play apk
Server: Strongswan server running on my linux machine

The connection is failing with:

charon: 11[IKE] no shared key found for '10.0.0.35' - 'user1'

Please find below the snapshot of my configuration files. Please let me know if I missed something.

ipsec.conf
---
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    plutostart=yes

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn ssandroid
    left=10.0.0.35
    leftfirewall=no
    right=%any
    rightsourceip = 10.0.0.2
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=start

ipsec.secrets
---
include /var/lib/strongswan/ipsec.secrets.inc
user1:EAP topsecretpassword

Daemon log for this failure, i.e. tail -f /var/log/syslog:

Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[NET] received packet: from 10.0.0.29[59701] to 10.0.0.35[500]
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] 10.0.0.29 is initiating an IKE_SA
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] remote host is behind NAT
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[NET] sending packet: from 10.0.0.35[500] to 10.0.0.29[59701]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[NET] received packet: from 10.0.0.29[49704] to 10.0.0.35[4500]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] received cert request for C=CH, O=strongSwan, CN=strongSwan Root CA
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] looking for peer configs matching 10.0.0.35[%any]...10.0.0.29[user1]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] selected peer config 'ssandroid'
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] initiating EAP-Identity request
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] peer supports MOBIKE
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] authentication of '10.0.0.35' (myself) with pre-shared key
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] no shared key found for '10.0.0.35' - 'user1'
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[NET] sending packet: from 10.0.0.35[4500] to 10.0.0.29[49704]

Please help me resolve this issue.

-- 
Regards,
RaviKanth
Re: [strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server
Dear Noel,

I was able to make some progress after setting leftauth to pubkey. I generated the certificates using the procedure outlined in the link. Now I am running into the issue where the gateway sends the last IKE_AUTH message with the IP address. Then the UE sends back AUTH failed. On looking into charon.log, there was an error like:

Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185' required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable: constraint checking failed

Here is the print of the daemon log (/var/log/syslog) on the strongswan server side:
---
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] received packet: from 192.168.43.94[54252] to 192.168.43.185[500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] 192.168.43.94 is initiating an IKE_SA
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] remote host is behind NAT
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] sending packet: from 192.168.43.185[500] to 192.168.43.94[54252]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received cert request for C=CH, O=strongSwan, CN=strongSwan Root CA
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] looking for peer configs matching 192.168.43.185[%any]...192.168.43.94[user1]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] selected peer config 'ssandroid'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] initiating EAP-Identity request
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] peer supports MOBIKE
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] authentication of 'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with RSA signature successful
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] sending end entity cert C=CH, O=strongSwan, CN=strongSwan Root CA
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] received EAP identity 'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] initiating EAP_MSCHAPV2 method (id 0x87)
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of 'user1' with EAP successful
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of 'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with EAP
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] IKE_SA
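The two server-side logs quoted in this thread show the two outcomes an operator has to tell apart quickly: the first attempt ends in "no shared key found ... N(AUTH_FAILED)" because the responder tried to authenticate itself with a PSK, while the second gets as far as "authentication of 'user1' with EAP successful"; the client-side charon.log additionally reports a "constraint check failed: identity ... required" line in a shorter format without the host and "charon:" prefix. The following Python is an added example, not code from the thread or from strongSwan: a small triage script that parses both line formats, flags the failure signatures seen above, and summarizes how far one negotiation got. The sample inputs are subsets of the log lines quoted in the thread; the failure descriptions are my own wording.

```python
import re
from dataclasses import dataclass

# Syslog lines look like "Dec 22 11:44:59 host charon: 11[IKE] msg"; lines from
# charon.log on the client lack the "host charon: " part, so that group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) charon: )?"
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)

# Failure signatures from the thread and a short operator-facing reading of each.
FAILURE_PATTERNS = [
    (re.compile(r"no shared key found for '(?P<me>[^']+)' - '(?P<peer>[^']+)'"),
     "psk-missing",
     "no PSK configured for local '{me}' with remote '{peer}'"),
    (re.compile(r"constraint check failed: identity '(?P<id>[^']+)' required"),
     "identity-constraint",
     "peer did not present the required identity '{id}'"),
    (re.compile(r"generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]"),
     "auth-failed",
     "responder rejected IKE_AUTH with AUTH_FAILED"),
]

@dataclass
class Finding:
    ts: str
    thread: str
    kind: str
    detail: str

def parse_line(line):
    """Split one charon log line into its fields; None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return a Finding for every line that matches a known failure signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pat, kind, template in FAILURE_PATTERNS:
            m = pat.search(rec["msg"])
            if m:
                findings.append(Finding(rec["ts"], rec["thread"], kind,
                                        template.format(**m.groupdict())))
                break
    return findings

def handshake_summary(lines):
    """Follow one responder-side negotiation and report how far it got."""
    out = {"initiator": None, "eap_identity": None, "outcome": "incomplete"}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = re.match(r"(\S+) is initiating an IKE_SA", msg)
        if m:
            out["initiator"] = m.group(1)
            continue
        m = re.match(r"received EAP identity '([^']+)'", msg)
        if m:
            out["eap_identity"] = m.group(1)
            continue
        if re.match(r"authentication of '[^']+' with EAP successful", msg):
            out["outcome"] = "eap-authenticated"
        elif "N(AUTH_FAILED)" in msg:
            out["outcome"] = "auth-failed"
    return out

# Sample input: subsets of the log lines quoted in this thread.
SAMPLE_PSK_FAIL = """\
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] 10.0.0.29 is initiating an IKE_SA
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] selected peer config 'ssandroid'
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] authentication of '10.0.0.35' (myself) with pre-shared key
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] no shared key found for '10.0.0.35' - 'user1'
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
""".splitlines()

SAMPLE_EAP_OK = """\
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] 192.168.43.94 is initiating an IKE_SA
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] received EAP identity 'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of 'user1' with EAP successful
""".splitlines()

SAMPLE_CLIENT_CONSTRAINT = """\
Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185' required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
""".splitlines()

if __name__ == "__main__":
    for name, sample in [("psk-fail", SAMPLE_PSK_FAIL), ("eap-ok", SAMPLE_EAP_OK),
                         ("client", SAMPLE_CLIENT_CONSTRAINT)]:
        print(name, handshake_summary(sample))
        for f in triage(sample):
            print("   ", f.ts, f.thread, f.kind, f.detail)
```

The thread number in brackets identifies the worker that processed a packet, not the IKE_SA, so the summary follows the lines in order rather than grouping by thread; feed it one negotiation at a time (for example the lines between two "is initiating an IKE_SA" markers).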
Re: [strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server
Dear Noel,

I have made progress with this issue. The issue was the Assigned Name in the certificate. I have set it to the gateway IP, generated the certificates and re-installed the certificates on the UE and server side. I referred to the following link to solve this issue:
http://marc.info/?t=13483749014r=1w=2
Now my strongswan Android App is connected to my gateway.

Thanks much for your quick support.

Regards,
Ravikanth

On Mon, Dec 22, 2014 at 2:12 PM, Ravi Kanth Vanapalli vvnrk.vanapa...@gmail.com wrote:
> Dear Noel,
>
> I was able to make some progress after setting leftauth to pubkey. I generated the certificates using the procedure outlined in the link. Now I am running into the issue where the gateway sends the last IKE_AUTH message with the IP address. Then the UE sends back AUTH failed. On looking into charon.log, there was an error like:
>
> Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185' required
> Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
>
> Here is the print of the daemon log (/var/log/syslog) on the strongswan server side:
> ---
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] received packet: from 192.168.43.94[54252] to 192.168.43.185[500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] 192.168.43.94 is initiating an IKE_SA
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] remote host is behind NAT
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] sending packet: from 192.168.43.185[500] to 192.168.43.94[54252]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received cert request for C=CH, O=strongSwan, CN=strongSwan Root CA
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] looking for peer configs matching 192.168.43.185[%any]...192.168.43.94[user1]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] selected peer config 'ssandroid'
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] initiating EAP-Identity request
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] peer supports MOBIKE
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] authentication of 'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with RSA signature successful
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] sending end entity cert C=CH, O=strongSwan, CN=strongSwan Root CA
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] received EAP identity 'user1'
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] initiating EAP_MSCHAPV2 method (id 0x87)
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] sending packet: from 192.168.43.185[4500] to 192.168.43.94[46301]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] received packet: from 192.168.43.94[46301] to 192.168.43.185[4500]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
> Dec 22 14:02
[strongSwan] does the Strongswan Android Play Store app use the socket_dynamic or socket_default plugin
Dear All,

Please let us know which of the following plugins the Strongswan Android play store app uses for socket writing: socket_default_plugin or socket_dynamic_plugin. I was trying to understand the data path and ran into this issue where there were two plugins to write information out. Kindly help me understand the advantages of using socket_dynamic_plugin over socket_default_plugin. Which one is used when?

-- 
Regards,
RaviKanth VN Vanapalli
[strongSwan] role of libhydra in strongswan android app source code
Dear all,

I have a query regarding libhydra in the android apk source code. As I understand, strongswan uses the libipsec library for SA management, encryption and decryption. What is the need to include libhydra in the Android.mk file as below?

LOCAL_SHARED_LIBRARIES := libstrongswan libhydra libipsec libcharon

-- 
Regards,
RaviKanth VN Vanapalli
[strongSwan] experimenting on adding a new plugin to strongswan: android ndk compilation failing to pick up the source in the new plugin
Dear All,

I have already compiled the Android sources:
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientBuild

I am trying to write a new plugin for strongswan libcharon. I added the code to libcharon/plugins/newplugincode. When I do an ndk-build, for some reason, it is not picking up my code added in the new plugin. I have already made changes to the Android.mk file in the libcharon folder to include the plugin. Should I also modify the Makefile.am in the new plugin folder? Also, should I modify the configure.sh in the strongswan root folder and recompile all the code?

Any instructions on how to add a new plugin to the strongswan android sources and compile it with ndk would be highly appreciated.

-- 
Regards,
Ravikanth
[strongSwan] including the opensource plugin eap_aka_3gpp2 in ndk build fails
Dear all,

I am trying to include the plugin eap_aka_3gpp2 into the strongswan ndk build and I am facing the following error.

Error:
/home/ravikanth/work/Perforce/1716/strongswan-open2/strongswan/src/frontends/android/jni/strongswan/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h:24:28: fatal error: simaka_manager.h: No such file or directory
 #include <simaka_manager.h>
                            ^
compilation terminated.
make: *** [/home/ravikanth/work/Perforce/1716/strongswan-open2/strongswan/src/frontends/android/obj/local/armeabi/objs/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.o] Error 1

Android.mk change, in location root@ravikanth-ubuntu:/home/ravikanth/work/Perforce/1716/strongswan-open2/strongswan/src/frontends/android/jni:

strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
    pkcs1 pkcs8 pem xcbc hmac socket-default kernel-netlink \
    eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls eap-aka-3gpp2

Please let me know if I missed something, or whether I am following the right procedure to include the plugin for the ndk build.

-- 
Regards,
RaviKanth VN Vanapalli
[strongSwan] role of High Availability plugin in installing ipsec SA keys when there is only one node in Android Client
Dear all,

I have a question regarding the role of using the HA plugin when installing the IKE_SA keys. As I observe from the code, once the IKE_SA_INIT negotiation completes, process_r and 'build_r' in turn call 'derive_keys'; derive_keys calls 'charon->bus->ike_keys' on the charon bus. The listener for ike_keys has been added by the High Availability plugin.

Query:
1) There is only one node, i.e. the android client. Why would there be a need to use an HA plugin here?
2) In line 140 of ha_ike.c there is a call like below:
   this->socket->push(this->socket, m);
   To which socket is this information being written? Which module will be listening on this socket for keying information?
3) How is this keying information stored back in the IKE_SA managed by the IKE SA manager?

-- 
Regards,
RaviKanth VN Vanapalli
[strongSwan] using linux xfrm package instead of libipsec in strongswan android apk
Dear All,

Is there any option in the strongswan android apk sources which we can set to use linux ip xfrm instead of libipsec for encryption and decryption? The reason I ask this question is that I want to run the strongswan android apk as a system app in my build system, and the app would have privileged access to the linux kernel.

Thank you in advance!

-- 
Regards,
RaviKanth VN Vanapalli
Re: [strongSwan] role of High Availability plugin in installing ipsec SA keys when there is only one node in Android Client
Dear Martin Willi,

Thank you for clarifying this. The reason I asked this is that I see some code in the derive_keys() function in file ike_init.c:

if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
                                   nonce_i, nonce_r, id, prf_alg, skd))
{
    return FALSE;
}
charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
                      nonce_i, nonce_r, this->old_sa, NULL);

My query here was how the keys which are computed in the derive_ike_keys function get stored in the IKE_SA. As I see, this function updates the keys in 'this->keymat'. Here 'this' refers to ike_sa_init_t, which is the IKE SA init task created for performing the IKE_SA_INIT exchange. How is the change of keymat in the IKE_SA_INIT task affecting the IKE_SA? I was thinking the call to 'charon->bus->ike_keys' updates the keys in the IKE_SA. This function ike_keys has been added by the HA plugin. Now that you confirmed that the HA plugin is not activated in android, I am back to square one. Could you help me point to the potential code which updates the IKE_SA keys computed after the IKE_SA_INIT exchange into the IKE_SA?

Your input is highly appreciated.

Thanks,
Ravikanth

On Thu, Jan 8, 2015 at 5:42 AM, Martin Willi mar...@strongswan.org wrote:
> Hi,
>
> > 1) There is only one node.. i.e the android client. Why would be the need to use a HA plugin here.
>
> There really is none. The HA plugin synchronizes SA state between nodes in a gateway cluster. It really makes no sense to enable the plugin on your Android client device.
>
> Regards
> Martin
[strongSwan] does strongswan android client support sending NON_FIRST_FRAGMENTS_ALSO in notify payload
Dear All,

Does the Strongswan Android market app support sending NON_FIRST_FRAGMENTS_ALSO in the first IKE_AUTH message to the gateway?

Also I have a query regarding this attribute NON_FIRST_FRAGMENTS_ALSO. RFC 5996 reads as below:

  The NON_FIRST_FRAGMENTS_ALSO notification is used for fragmentation control. Both parties need to agree to sending non-first fragments before either party does so. It is enabled only if NON_FIRST_FRAGMENTS_ALSO notification is included in both the request proposing an SA and the response accepting it. If the responder does not want to send or receive non-first fragments, it only omits NON_FIRST_FRAGMENTS_ALSO notification from its response, but does not reject the whole Child SA creation.

Questions:
1) Does this mean that to support IKE layer fragmentation the UE needs to send NON_FIRST_FRAGMENTS_ALSO in the first IKE_AUTH message?
2) Does the statement mean that only once initiator and responder agree on IKE layer fragmentation with the use of this notification payload do fragmented IKE layer exchanges take place?

Kindly help clarify this query.

-- 
Regards,
RaviKanth VN Vanapalli
Re: [strongSwan] [strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c
Dear Martin,

In the case of the Strongswan Android Market App, the IP address assignment and MTU setting for the ipsec0 interface are handled by the Android framework VPN JNI module. This happens after the IKE_SA and Child_SA are set up. Could you please give more details on how the configuration setup in the Strongswan Android market app is different?

Regards,
Ravikanth

On Thu, Mar 5, 2015 at 8:54 AM, Martin Willi mar...@strongswan.org wrote:
> > My understanding was ip address assignment to interface can happen later after child SA is negotiated with tunnel end point using the virtual ip stored in the Strongswan internal data structures.
>
> No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and policies to the kernel, along with a source route to actually make use of these policies. If the virtual IP is not installed to the kernel, installing the source route is not possible.
>
> Not sure what you want to achieve by deferring virtual IP installation, but that won't work with the way strongSwan handles CHILD_SA setup.
>
> Regards
> Martin
[strongSwan] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c
Dear Dev Group,

What is the need for activating TASK_IKE_CONFIG before TASK_CHILD_CREATE? As I see from the code, TASK_IKE_CONFIG assigns the IP addresses to the virtual interface. Could we activate this task after TASK_CHILD_CREATE is complete? What would be the side effects if we activate the IKE config task later? My understanding is that the complete control path for IKE completes only after TASK_CHILD_CREATE is complete. Logically, IP address assignment should succeed TASK_CHILD_CREATE.

Please help further clarify.

-- 
Regards,
RaviKanth VN Vanapalli
[strongSwan] Support for Routing rule modification via IKE informational requests after IKE tunnel is setup with gateway
Hi,

I wanted to know if Strongswan supports routing rule modification by means of IKE Informational requests after the IKE tunnel has been set up. An example scenario is:
i)   UE completed the IKE_SA_INIT exchange with the gateway.
ii)  UE completed the IKE_AUTH exchange with the gateway.
iii) IKE tunnel is set up with some traffic selector range TSi and TSr.
iv)  UE wants to modify TSi and TSr.
v)   UE sends an IKE Informational exchange with updated TSi and TSr to the gateway.

Does Strongswan support sending the exchange in (v) listed above? In other words, is routing rule modification via IKE informational exchange supported in Strongswan?

-- 
Regards,
RaviKanth
[strongSwan] need for openssl plugin use case
Hi,

I have one query regarding the use of the openssl plugin. I want to write an android plugin which makes use of the strongswan openssl plugin; more specifically I was looking to use 'openssl_rsa_private_key_load' in openssl.

From the link below:
https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist
openssl: Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG

But in the strongswan-master code repo, I see no reference to the openssl plugin, e.g. the openssl_crypter_create function in openssl_crypter.c. I am expecting this crypter to be created in some other module which needs to encrypt. I see no references to any code calling openssl_crypter_create.

Kindly provide me code references on how to use the APIs provided by the openssl plugin. Any sample example would be highly appreciated.

-- 
Regards,
RaviKanth
Re: [strongSwan] file content is not binary ASN.1
I am using the latest strongswan version 5.5.0

On Wed, Oct 5, 2016 at 4:07 PM, Ravi Kanth Vanapalli <vvnrk.vanapa...@gmail.com> wrote:
> Hi all,
> I am trying to use TLS to set up a connection to a gateway programmatically.
>
> Used the code below.
>
> private_key_t *key;
> char path[512] = "/system/etc/user1_private.pem";
> key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
>                          BUILD_FROM_FILE, path, BUILD_END);
> if (!key) {
>     DBG1(DBG_DMN, "Parsing private key failed");
> }
>
> --
> On running, I do not see "Parsing private key failed". But I see the print as below:
>
> 10-05 15:31:37.266  4630  4650 D        : 08[ASN]   file content is not binary ASN.1
> 10-05 15:31:37.266  4630  4650 D        : 08[ASN] -----BEGIN RSA PRIVATE KEY-----
> 10-05 15:31:37.266  4630  4650 D        : 08[ASN] -----END RSA PRIVATE KEY-----
>
> My private key file is below. Can you help me find the issue?
>
> -----BEGIN RSA PRIVATE KEY-----
> MIIEpAIBAAKCAQEAsVqa9nZctF/gxA26RTN3oSs6MbNiJYFP6jKpVJRAjflB17rC
> 7Pg6bf5NBr4SdgR0YyklI17wvzwEWxCDjJZHAw/CxeN/icSCsN6VehHoJ6ROhPOo
> jdRs2MsyYyut8OZiSoG/jHVmLQWVgJIZvSOxxCGDj+xYqEbd6YhO8ejPrrh4v3/r
> NJW6glu6PbbrgNfwtozMeNOQrXnETmSLBNJ5RlM+sntzivq6t8QJzDcjmf2OV3Xk
> GwvNaLeOvoq55dbPf1wpuVyaU3npZphQe4EDsrX3p05DhYEW6rwUXc9iyF98D/HR
> JTEnCN+Ri/pwXWyuUlEN/1Bq09nU/L6KfAQ8HwIDAQABAoIBADnNvhP2H+DqHufH
> UZ6cV7E/1Ye9X4+5xcIfIPFgIGolg0A8rqttfB29dH1uFbZBXW20S1Zr6yto9EJ5
> 72Yy1JI64NB+hWLxmWbsJOvUSkYhVzYd9CHFynQeRh3sbpTFgeOmxjeRS+wAlemB
> tMHgkF/MTITsEzlFX65trs1Jg+b9zc7wJs5ZeebBqw9m+Kn687MBDhOmx4uij59S
> xP0ok2FnDlXNIEX1yLJpzSVPtEhhrFhcrFCq7LESUitZULoWD0v9VLaUVNe3n9yH
> KPDRqu4lH5Y3bloI+Bx/hiZmxBCTV+kTF+4+PZJq1WzB6PCqmxNhN9zn+O7DDTzB
> TSI/QoECgYEA34MnKE93DCNj4qL85NMCyCqo2ynsicqPBOtt1pZGXquYMbffefGx
> kBl7BIpDfnn6077hWbTJzTeTO2gEXKcncQPWnDWCwIiCBbmgiec3k6WG+/Fki4mq
> J+E1kO9eLn5Qw3uUzMNaey9P4kIore2zg7Ds42xHoNi7c3537evi6KsCgYEAyyHo
> gz+gmIHr7mk6aKg6b4WydJuMYcB4g+sVt+JmUhhmfNAXx4MpKJo6c7jhgStAzXXD
> d0FaYs4DfuU/ptcNmkmDPkVrpLj8NYHt7i2RZhULiObrY8iNRaW39LDUBvIkeuAr
> JbuCJ7gYH8K7cnEF6/LvDsqllDUUEt+1I4UNIl0CgYEAkFyseOvCb3OYOzScdMsZ
> W+G5yDxuy5yp/Tp2aggLkW/xUAN78s45qmHaw9btuw3cBNGfyYnsYYDItrD7SECq
> R+N7xM8HEYXZvQrk9s0BZ3qdEbMbBsk2vqVGLMN+KDdrwKbcN9jhYvju9qtWjOgf
> bypiBo3UQb5abEE+Asy9dRsCgYEAvDiBMAxnDKlmKhWLL6qh6vBheTcgjvs/ME1G
> ZIr98Jf3bzOKtS3Nl3fBLbVkDsI7W6YBJqGB1Qe7qXtWzYt7aTkwySSeJ5XY7OOl
> ygqjLYnWlFYUSvNsI9r4Z1zqOj1onArXMDFc2tz0TYmtEs+zgvwpkvUnE/tSzGJJ
> f84ra2kCgYAY/qErTWgqRkc95A1qCyqsl/oU1swLMDmqe6F4rceFvdXuHkIyWGzL
> Op8l/Nj1YzDRiGcQEyEooaGrgS1rvas2Q+nzxHMFBypVQsZE4y6F1qJ5dyr0xRGE
> XeWrqWY/8UjLZzgDktjghg7DCoQEjI+c0rUs8ld6fFv4iK9ecI0Gng==
> -----END RSA PRIVATE KEY-----
>
> --
> Regards,
> RaviKanth VN Vanapalli

-- 
Regards,
RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: vvnrk.vanapa...@gmail.com
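The debug lines in the quoted post are the credential loader reporting that the file is not DER ("binary ASN.1") and that it found PEM armor instead; the "Parsing private key failed" branch is not taken, so the key load itself completes. That the message is debug output on the DER-or-PEM detection path of strongSwan's pem plugin is my reading of the plugin source, not something stated in the thread. The following Python is an added example, not strongSwan code, that reproduces the same detection order on raw bytes: accept the input if it is exactly one DER SEQUENCE, otherwise strip the PEM armor, base64-decode the body, and check that the result is a DER SEQUENCE. It checks structure only and does not parse the key. The sample blob is a constructed two-integer SEQUENCE, not a real key; the PEM label is the PKCS#1 label seen in the post.

```python
import base64
import re

# PEM armor: a labelled BEGIN/END pair around base64 text (label must match).
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----",
)

def der_header(data):
    """Decode the tag and length of the first DER TLV in data.
    Returns (tag, length, header_len) or None when the header is malformed;
    the indefinite form (0x80) is not DER and length fields wider than
    4 bytes are rejected as implausible for a key file."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: one length byte
        return tag, first, 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n

def is_der_sequence(data):
    """True when data is exactly one DER SEQUENCE (tag 0x30) whose declared
    length covers the rest of the buffer, as a DER-encoded key is."""
    hdr = der_header(data)
    return hdr is not None and hdr[0] == 0x30 and hdr[1] + hdr[2] == len(data)

def pem_to_der(data):
    """Strip PEM armor and base64-decode the body; returns (label, der_bytes)."""
    m = PEM_RE.search(data)
    if m is None:
        raise ValueError("no PEM armor found")
    body = b"".join(m.group("body").split())        # drop line breaks
    der = base64.b64decode(body, validate=True)
    if not is_der_sequence(der):
        raise ValueError("PEM body does not decode to a single DER SEQUENCE")
    return m.group("label").decode("ascii"), der

def load_key_bytes(data):
    """Mirror the loader order seen in the post: accept DER as-is, otherwise
    treat the file as PEM. Returns (encoding, der_bytes)."""
    if is_der_sequence(data):
        return "der", data
    _label, der = pem_to_der(data)
    return "pem", der

def classify(data):
    """'der', 'pem' or 'unknown' for the raw bytes of a key file."""
    if is_der_sequence(data):
        return "der"
    if PEM_RE.search(data):
        return "pem"
    return "unknown"

# Constructed sample: SEQUENCE { INTEGER 0, INTEGER 5 }, not a real key.
SAMPLE_DER = bytes.fromhex("30 06 02 01 00 02 01 05")
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for blob in (SAMPLE_DER, SAMPLE_PEM, b"not a key"):
        kind = classify(blob)
        print(kind, load_key_bytes(blob) if kind != "unknown" else None)
```

Pointing the script at a real key file (open it in binary mode) tells you which branch the loader takes; a "pem" result with a valid SEQUENCE means the armor and base64 are fine and any later failure is in the key contents, not in the file format.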
[strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message
Hi all,

I have a situation wherein I need to alter the IDi slightly before the EAP-TLS authentication proceeds. I.e. the IDi in the first IKE_AUTH message should be different from the IDi to be used for user private key lookup in the EAP-TLS user authentication.

I see that the API 'eap_tls_create_peer' is being used to initialize the peer identity in the TLS plugin. This is being registered with plugin eap_tls_plugin.c. I am finding it difficult to know which module calls this API eap_tls_create_peer to initialize the EAP TLS peer identity.

Kindly provide any inputs regarding my issue. Thank you very much.

--
Regards,
RaviKanth
[strongSwan] can strongswan monitor multiple interfaces for sending IKE packets out
I am having multiple interfaces on my device. All with active internet connection. We have the possibility of using source routing to route the packets over any interface. Default route is also present.

In this context I have two questions.
1) When routing packets towards the ipsec gateway, how does strongswan determine which interface to use as outgoing interface?
2) Is there an option to specify that strongswan use a particular interface for sending out the IKE packets?
3) Is there an option for strongswan to monitor multiple interfaces and use a preferred interface for routing IKE packets out?

Thank you for your input.

--
Regards,
RaviKanth VN Vanapalli
Re: [strongSwan] can strongswan monitor multiple interfaces for sending IKE packets out
In this current scenario, we are using libipsec module and not kernel libipsec. Also MOBIKE is enabled.

Thanks,
Ravikanth

On Thu, Nov 10, 2016 at 8:00 AM, Ravi Kanth Vanapalli <vvnrk.vanapa...@gmail.com> wrote:
> I am having multiple interfaces on my device. All with active internet connection. We have the possibility of using source routing to route the packets over any interface. Default route is also present.
>
> In this context I have two questions.
> 1) When routing packets towards the ipsec gateway, how does strongswan determine which interface to use as outgoing interface?
> 2) Is there an option to specify that strongswan use a particular interface for sending out the IKE packets?
> 3) Is there an option for strongswan to monitor multiple interfaces and use a preferred interface for routing IKE packets out.
>
> Thank you for your input.
> --
> Regards,
> RaviKanth VN Vanapalli
[strongSwan] using lib->creds->create for private key creation vs android_private_key_create
Hi,

I am using EAP-TLS authentication. Tried to load the private key using the function below:

    METHOD(charonservice_t, get_user_key, private_key_t*,
        private_charonservice_t *this, public_key_t *pubkey)
    {
        private_key_t *key;
        char path[512] = "/system/etc/user1_private.der";

        key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
                                 BUILD_FROM_FILE, path, BUILD_END);
        if (!key) {
            DBG1(DBG_DMN, "Parsing private key failed");
        }
        return key;
    }

Is the call to this API equivalent to the call to the API android_private_key_create() in file android_private_key.c? I understand that the second function gets the certificate via the JNI and the first function reads directly from the file. The return type seems to be the same, i.e. private_key_t. Can we treat these functions as functionally equivalent?

I am currently working in android and would like direct access to the private key file instead of reading from the JNI.

--
Regards,
RaviKanth VN Vanapalli
Re: [strongSwan] using lib->creds->create for private key creation vs android_private_key_create
Also, what is the role of the pubkey in the API below?

    android_private_key_create(jobject key, public_key_t *pubkey)

How does the call to the API

    lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, BUILD_FROM_FILE, path, BUILD_END);

offset the role of the pubkey as described in the android_private_key_create API?

Thank you very much for your help.

Regards,
Ravikanth
[strongSwan] does EAP-TLS work with self signed certificates
Hi,

Server has issued a self signed certificate for the UE. UE is supposed to share this cert via EAP-TLS authentication when server requests a certificate. Server has shared the private key to the UE via secure means. This signature is used for signature verification in EAP-TLS.

Does this kind of setup work for EAP-TLS authentication in strongswan? I mean, when UE is trying to find a private key using the API find_private_key() in file tls_peer.c, it returns null. User certificate and private key are properly loaded into the UE.

Please let me know if more information is required to answer this query.

--
Regards,
RaviKanth VN Vanapalli
Email: vvnrk.vanapa...@gmail.com
Re: [strongSwan] triggering MOBIKE in strongswan
Thank you Andreas for the clarification. One additional query.

There is a flag named roam_events in kernel_netlink_net.c. My understanding of this flag is: when the UE IP address changes, if this flag is set to true, then UE triggers MOBIKE, else UE doesn't trigger MOBIKE even though UE's source IP address changes. Kindly confirm if my understanding of this flag is true.

On Wed, Nov 16, 2016 at 4:42 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Ravi,
>
> yes, your understanding is correct. Our MOBIKE example scenario
>
> https://www.strongswan.org/testing/testresults/ikev2/mobike/index.html
>
> shows the interface change:
>
> 13[IKE] peer supports MOBIKE
> 07[KNL] 192.168.0.50 disappeared from eth1
> 15[KNL] interface eth1 deactivated
> 16[KNL] fec0::5 disappeared from eth1
> 07[KNL] fe80::5054:ff:fe3b:cd7 disappeared from eth1
> 12[IKE] old path is not available anymore, try to find another
> 12[IKE] looking for a route to 192.168.0.2 ...
> 12[IKE] requesting address change using MOBIKE
> 12[ENC] generating INFORMATIONAL request 2 [ ]
> 12[IKE] checking path 10.1.0.10[4500] - 192.168.0.2[4500]
> 12[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (80 bytes)
> 12[IKE] checking path 10.1.0.10[4500] - 10.2.0.1[4500]
> 12[NET] sending packet: from 10.1.0.10[4500] to 10.2.0.1[4500] (80 bytes)
> 15[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (80 bytes)
> 15[ENC] parsed INFORMATIONAL response 2 [ ]
> 15[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) N(ADD_6_ADDR) ]
> 15[NET] sending packet: from 10.1.0.10[4500] to 192.168.0.2[4500] (192 bytes)
> 13[NET] received packet: from 192.168.0.2[4500] to 10.1.0.10[4500] (160 bytes)
> 13[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
>
> Regards
>
> Andreas
>
> On 16.11.2016 15:54, Ravi Kanth Vanapalli wrote:
> > Hi,
> >
> > I wanted to know how is MOBIKE triggered in Strongswan.
> > I have setup an IKEv2 connection to the gateway with MOBIKE enabled. I confirmed it from the logs.
> > My understanding of MOBIKE is, if the default route to the gateway is changed i.e. lets say from IP1 to IP2. IP1 is on interface 1, IP2 is on interface 2, UE triggers MOBIKE based IKE SA update to update the source IP. strongswan doesn't bind to any specific interface for sending the packets out to the ipsec gateway.
> > Could you please confirm if this understanding is correct.
> >
> > --
> > Regards,
> >
> > RaviKanth VN Vanapalli
> > Email: vvnrk.vanapa...@gmail.com
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==

--
Regards,
RaviKanth VN Vanapalli
Email: vvnrk.vanapa...@gmail.com