Re: [strongSwan] Parameters to connect to a Cisco 3000 series

2011-12-14 Thread vivek bairathi
Hi Hugo,

Your ipsec.conf and ipsec.secrets files should look like the following:

ipsec.conf:

config setup
charonstart=yes
plutostart=no
uniqueids=no

conn Cisco
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=1h
mobike=no
reauth=no
rekeymargin=5m
ike=3des-sha1-modp1024!
esp=3des-sha1-modp1024!
left=y.y.y.y
right=x.x.x.x
authby=psk
auto=start

ipsec.secrets:
%any x.x.x.x : PSK password


On Tue, Dec 13, 2011 at 9:22 PM, Hugo Mora hum...@gmail.com wrote:

 Hi!

 I'm not an expert on VPNs (java programmer), but I need to connect my company
 with a client via VPN using StrongSwan. They have sent me these parameters
 (see below)... Could someone pleeease translate these parameters to an
 ipsec.conf connection?

 I know that the remote site is a CISCO VPN 3000 Series.

 Really, thank you so much! I can't buy a CISCO


 *IKE Parameters*
 Authentication: Preshared keys
 Authentication Algorithm: SHA/HMAC-160
 Encryption Algorithm: 3DES
 Diffie-Hellman Group: 2 (1024 bits)
 Lifetime Measurement: Time (86400) sec
 IKE peer: x.x.x.x
 Negotiation mode: main

 *IPSEC Parameters*
 Authentication Algorithm: ESP/SHA-HMAC-160
 Encryption Algorithm: 3DES
 Mode: Tunnel
 Lifetime Measurement: Time (3600) sec.
 PFS: Group 2 (1024 bits)

 Bye,
 --Hugo


 ___
 Users mailing list
 Users@lists.strongswan.org
 https://lists.strongswan.org/mailman/listinfo/users




-- 
Regards,
Vivek Bairathi
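As an added example (not code from this thread or from the strongSwan project), here is a small Python translator that turns the parameter listing Hugo posted into the settings of an ipsec.conf conn section. The Cisco-to-strongSwan token tables are an assumption that covers the posted values plus a few neighbours, left=%defaultroute is a placeholder, and the translator reads Cisco's "Negotiation mode: main" as the IKEv1 phase-1 setting it is, so it emits keyexchange=ikev1 where the reply above chose ikev2; which of the two the peer accepts has to be confirmed with the remote administrator.

```python
import re

# Assumed mapping from the Cisco VPN 3000 names in the post to strongSwan
# proposal tokens; it covers the posted values plus a few common neighbours.
ENC = {"DES": "des", "3DES": "3des", "AES-128": "aes128",
       "AES-192": "aes192", "AES-256": "aes256"}
INTEG = {"SHA/HMAC-160": "sha1", "ESP/SHA-HMAC-160": "sha1",
         "MD5/HMAC-128": "md5", "ESP/MD5-HMAC-128": "md5"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

# The listing exactly as Hugo posted it (constructed test input for this example)
CISCO_PARAMETERS = """\
*IKE Parameters*
Authentication: Preshared keys
Authentication Algorithm: SHA/HMAC-160
Encryption Algorithm: 3DES
Diffie-Hellman Group: 2 (1024 bits)
Lifetime Measurement: Time (86400) sec
IKE peer: x.x.x.x
Negotiation mode: main

*IPSEC Parameters*
Authentication Algorithm: ESP/SHA-HMAC-160
Encryption Algorithm: 3DES
Mode: Tunnel
Lifetime Measurement: Time (3600) sec.
PFS: Group 2 (1024 bits)
"""


def seconds_to_ipsec_time(seconds):
    """Render a lifetime in seconds in the largest exact ipsec.conf unit."""
    seconds = int(seconds)
    for divisor, unit in ((3600, "h"), (60, "m")):
        if seconds % divisor == 0:
            return f"{seconds // divisor}{unit}"
    return f"{seconds}s"


def parse_cisco_parameters(text):
    """Split an '*IKE Parameters*' / '*IPSEC Parameters*' listing into sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()
        if not line:
            continue
        if line.upper().endswith(" PARAMETERS"):
            current = line[:-len(" Parameters")].upper()
            sections[current] = {}
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def first_number(text):
    """First integer in a value such as 'Time (86400) sec' or 'Group 2 (1024 bits)'."""
    match = re.search(r"\d+", text)
    return match.group() if match else None


def cisco_to_strongswan(text, left="%defaultroute"):
    """Translate the listing into the settings of an ipsec.conf conn section."""
    sections = parse_cisco_parameters(text)
    ike, ipsec = sections["IKE"], sections["IPSEC"]
    ike_proposal = "-".join((ENC[ike["Encryption Algorithm"]],
                             INTEG[ike["Authentication Algorithm"]],
                             DH_GROUP[first_number(ike["Diffie-Hellman Group"])]))
    esp_parts = [ENC[ipsec["Encryption Algorithm"]],
                 INTEG[ipsec["Authentication Algorithm"]]]
    pfs_group = first_number(ipsec.get("PFS", ""))
    if pfs_group:  # a DH group in the ESP proposal is how strongSwan requests PFS
        esp_parts.append(DH_GROUP[pfs_group])
    return {
        # Cisco's "Negotiation mode" (main/aggressive) is an IKEv1 phase-1 setting
        "keyexchange": "ikev1" if "Negotiation mode" in ike else "ikev2",
        "ike": ike_proposal + "!",  # trailing '!' restricts charon to this proposal
        "esp": "-".join(esp_parts) + "!",
        "ikelifetime": seconds_to_ipsec_time(first_number(ike["Lifetime Measurement"])),
        "keylife": seconds_to_ipsec_time(first_number(ipsec["Lifetime Measurement"])),
        "type": ipsec.get("Mode", "Tunnel").lower(),
        "authby": "psk" if "preshared" in ike["Authentication"].lower() else "rsasig",
        "left": left,
        "right": ike["IKE peer"],
        "auto": "start",
    }


def render_conn(name, settings):
    """Render the settings as an ipsec.conf conn block."""
    return "\n".join([f"conn {name}"] + [f"    {k}={v}" for k, v in settings.items()])


if __name__ == "__main__":
    print(render_conn("Cisco", cisco_to_strongswan(CISCO_PARAMETERS)))
```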

Re: [strongSwan] Query regarding route based security

2010-11-02 Thread vivek bairathi
On Tue, Nov 2, 2010 at 12:35 PM, vivek bairathi bairathi.vi...@gmail.com wrote:

 Hi Andreas,

 Thanks for your quick reply.

 I have some more queries regarding kernel_netlink interface:

 If I use auto=route in the ipsec.conf file for a connection:
 Q1. After reading the ipsec.conf file for this connection, does the stack
 install SPD and route entries into the kernel? If yes, then are the SPI and
 reqid written in the SPD the ones that the kernel sends to the IKEv2 stack in
 the XFRM ACQUIRE message?

 If I do not use auto=route in the ipsec.conf file for a connection:
 Q2. If I send an XFRM ACQUIRE message to the IKEv2 stack from my application,
 will the IKEv2 stack be able to trigger an IKE/IPSEC SA? I think in this case
 there will be no kernel traps installed by the IKEv2 stack. So will it be able
 to trigger an SA for that connection?

 Thanks & Regards,
 Vivek

 On Mon, Nov 1, 2010 at 6:45 PM, Andreas Steffen andreas.stef...@strongswan.org wrote:

 Hello Vivek,

 this event is signalled by an XFRM ACQUIRE message via the netlink
 kernel interface:


 http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a16b2146b73742ac;hb=HEAD#l514

 The netlink socket is registered to receive this kind of events:


 http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=8cc9a6283014a9b237f8a16b2146b73742ac;hb=HEAD#l2199

 Best regards

 Andreas

 On 11/01/2010 01:34 PM, vivek bairathi wrote:
  Hi All,
 
  I want to know the following. If I set auto=route in ipsec.conf for a connection,
  
  the IKEv2 stack will install kernel traps for that connection and will
  initiate an SA only when it gets a packet between the leftsubnet and the
  rightsubnet.
  
  For this the IKEv2 stack needs a trigger from the kernel, so which interface
  will be used to tell the IKEv2 stack that a packet has hit its kernel traps
  and now it has to init an IKE_SA?
  
  Thanks & Regards
  Vivek

 ======================================================================
 Andreas Steffen                         andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!                www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===========================================================[ITA-HSR]==




[strongSwan] Query regarding route based security

2010-11-01 Thread vivek bairathi
Hi All,

I want to know the following. If I set auto=route in ipsec.conf for a connection,

the IKEv2 stack will install kernel traps for that connection and will
initiate an SA only when it gets a packet between the leftsubnet and the
rightsubnet.

For this the IKEv2 stack needs a trigger from the kernel, so which interface
will be used to tell the IKEv2 stack that a packet has hit its kernel traps
and now it has to init an IKE_SA?

Thanks & Regards
Vivek

Re: [strongSwan] IKE SA's are getting deleted

2010-08-03 Thread vivek bairathi
Hi All,

I got one issue resolved from my problem mentioned in the mail below.
Actually only one IKE SA is getting created successfully and the other is
not. So, the SGW is sending IKE DELETE for both the IKE SAs.

But now a problem is coming that when I receive the delete for both the IKE
SAs, the IKE SA which was created successfully is not going down
completely, as the SPD installed for it is not deleted and only the SAD
entries are deleted.

Q. Can you tell me if this is a bug in the Strongswan IKEv2 stack? If yes, then
how to resolve it? Any clue will also help.

Best Regards,
Vivek
On Tue, Aug 3, 2010 at 11:33 AM, vivek bairathi bairathi.vi...@gmail.com wrote:

 Hi All,

 I am facing a problem. The problem is as follows:

 When I initiate an IKE SA from my Computer towards the Security
 Gateway (SGW), at the same time the SGW is also initiating an IKE SA for the
 same configuration. Both IKE SAs are created successfully, but as soon
 as both SAs are created, two IKE delete messages come from the SGW and
 both my SAs get deleted.

 Q. Can you tell me what can be the reason behind this?
 Q. Is this correct according to the IKEv2 Protocol?

 Regards,
 Vivek




[strongSwan] Closure of IKE SA or IPSEC SA on change in configuration in ipsec.conf

2010-07-21 Thread vivek bairathi
Hi All,

Can anyone tell me whether the strongswan IKEv2 stack automatically closes
an IKE SA or IPSEC SA or not on a change of its configuration in ipsec.conf?

Regards,
Vivek

Re: [strongSwan] Closure of IKE SA or IPSEC SA on change in configuration in ipsec.conf

2010-07-21 Thread vivek bairathi
Hi Ashutosh,

I am not asking for dynamic update of configuration.
I am asking whether, if the configuration for a connection changes in
ipsec.conf and I fire ipsec update, there is any possibility that the
IKEv2 Stack will automatically bring down the SA first, update to the new
configuration, and then bring the SA up.

Regards,
Vivek

On Wed, Jul 21, 2010 at 2:29 PM, Ashutosh Datta ashutoshda...@gmail.com wrote:

 No, there is no dynamic update of configuration in strongswan. If one wants
 to update the config he has to issue:

 ipsec update

 regds
 ashutosh

 On Wed, Jul 21, 2010 at 1:58 PM, vivek bairathi bairathi.vi...@gmail.com wrote:

 Hi All,

 Can anyone tell me whether the strongswan IKEv2 stack automatically closes
 an IKE SA or IPSEC SA or not on a change of its configuration in ipsec.conf?

 Regards,
 Vivek





Re: [strongSwan] Query regarding a particular scenario

2010-07-20 Thread vivek bairathi
Hi Andreas/Martin/Tobias,

Request you to please provide your comments for the mail below.

Regards,
Vivek

On Wed, Jul 14, 2010 at 11:55 AM, vivek bairathi bairathi.vi...@gmail.com wrote:

 Hi All,

 I have a query regarding a scenario. *The scenario is as follows*:

 *My implementation:* On a change of a parameter in ipsec.conf I first
 bring down the SA, update the configuration and then bring it up again.

 *Scenario:* When I connect to a Security Gateway (SGW), I make an SA and
 start the traffic flow. But if in between the configuration changes on my
 side, I bring down the SA. Now, as the traffic is still flowing through the
 Security Gateway (SGW), it will again create an SA before the update of the
 new configuration in the strongswan ikev2 stack, which is wrong, as now the
 SA has been created with the wrong configuration.

 *Q.* Do we have any parameter in the IKEv2 stack which says that no more
 connections are taken after a particular number of connections?
 If yes, then what's the parameter name? If no, then can you tell me how to
 resolve this problem?

 Thanks for your help in advance.

 Regards,
 Vivek





[strongSwan] Query regarding a particular scenario

2010-07-14 Thread vivek bairathi
Hi All,

I have a query regarding a scenario. The scenario is as follows:

My implementation: On a change of a parameter in ipsec.conf I first bring
down the SA, update the configuration and then bring it up again.

So, when I connect to a Security Gateway (SGW), I make an SA and start the
traffic flow. But if in between the configuration changes on my side, I bring
down the SA. Now, as the traffic is still flowing through the Security
Gateway (SGW), it will again create an SA before the update of the new
configuration in the strongswan ikev2 stack, which is wrong, as now the SA
has been created with the wrong configuration.

Q. Do we have any parameter in the IKEv2 stack which says that no more
connections are taken after a particular number of connections?
If yes, then what's the parameter name? If no, then can you tell me how to
resolve this problem?

Thanks for your help in advance.

Regards,
Vivek

[strongSwan] Doubt regarding Certificate updation in IKEv2 Stack

2010-05-27 Thread vivek bairathi
Hi,

Some doubts regarding certificate update in the IKEv2 Stack. Consider
the following scenario:

CACERT1 (old with new) & CACERT2 (new with new) are both from the same CA.
CERT1: signed with CACERT1
CERT2: signed with CACERT2

PC1                                   PC2
1. certificates on pc1:               1. certificates on pc2:
   CACERT1 CACERT2                       CACERT1 CACERT2
   CERT2 (signed with cacert2)           CERT1 (signed with cacert1)
   IKE and IPSEC SA PC1-PC2 creation is successful.

2. certificates on pc1:               2. certificates on pc2:
   CACERT2                               CACERT1 CACERT2
   CERT2 (signed with cacert2)           CERT1 (signed with cacert1)
   IKE and IPSEC SA PC1-PC2 creation is successful.

In the second step, the IKEv2 stack on PC1 is given only CACERT2 and
CERT2 through the ipsec.conf file by firing the ipsec update command.

Q. Now, if I try to create another IKE SA between PC1 and PC2, will it
be successful, as PC1 will not be able to decrypt PC2's certificate
(CERT1) because of the non-availability of CACERT1 on PC1?

Thanks in advance.

Regards,
Vivek



[strongSwan] Processor not able to process jobs

2010-05-14 Thread vivek bairathi
Hi,

My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file
attached.

Now when I change the esp encryption algorithm for IpSecMPlane, I fire
the following commands in the order given below:
1. ipsec down IpSecMPlane
2. Write the new esp encryption algorithm for IpSecMPlane in ipsec.conf.
3. ipsec update
4. ipsec up IpSecMPlane

When I executed the above steps more than three times, after the third time
the stack was not able to bring down the IpSecMPlane SA.
After debugging the problem I found the following things:
1. The control comes to the listen_ function of bus.c, where it queues the job
into the processor and waits on the wait command.
2. I think the processor is not able to process this queued job.

What could be the reason for this?

Here's the ipsec.conf file I was using:-
config setup
 cachecrls=no
 charonstart=yes
 plutostart=no
 strictcrlpolicy=no
 uniqueids=no

ca AllPlanes
 cacert=/tmp/RootCert3801_7349bbdb.pem
 auto=add

conn IpSecMPlane
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=3des-sha1-modp1024,aes128-sha1-modp1024!
 authby=rsasig
 left=20.20.20.21
 leftsubnet=15.15.15.2/32
 right=10.10.10.2
 rightsubnet=14.14.14.2/32
 leftprotoport=sctp/9901
 rightprotoport=sctp/9901
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

conn IpSecSSEPlane
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=aes128-sha1-modp1024,3des-sha1-modp1024!
 authby=rsasig
 left=22.22.22.23
 leftsubnet=15.15.15.5/32
 right=12.12.12.2
 rightsubnet=0.0.0.0/32
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

conn IpSecCPlane
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=null-sha1-modp1024!
 authby=rsasig
 left=21.21.21.22
 leftsubnet=16.16.16.2/32
 right=11.11.11.2
 rightsubnet=16.16.16.3/32,16.16.16.4/32
 leftprotoport=sctp
 rightprotoport=sctp
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

conn IpSecUPSPlane
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=null-sha1-modp1024!
 authby=rsasig
 left=21.21.21.22
 leftsubnet=16.16.16.2/32
 right=11.11.11.2
 rightsubnet=17.17.17.3/32
 leftprotoport=udp/49156
 rightprotoport=udp/49156
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

conn IpSecUCSPlane
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=aes128-sha1-modp1024,3des-sha1-modp1024!
 authby=rsasig
 left=21.21.21.22
 leftsubnet=16.16.16.2/32
 right=11.11.11.2
 rightsubnet=17.17.17.3/32
 leftprotoport=udp/49154
 rightprotoport=udp/49154
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add

conn IpSecToPPlane
 ikelifetime=24h
 keyexchange=ikev2
 keyingtries=%forever
 keylife=90m
 reauth=no
 rekey=yes
 mobike=no
 dpddelay=0
 rekeymargin=4m
 ike=aes128-sha1-modp1024,3des-sha1-modp1024!
 esp=null-sha1-modp1024!
 authby=rsasig
 left=21.21.21.22
 leftsubnet=16.16.16.2/32
 right=11.11.11.2
 rightsubnet=17.17.17.5/32
 leftprotoport=udp
 rightprotoport=udp
 leftcert=/tmp/BTScert.pem
 rightid=%any
 auto=add


Thanks in advance.

Regards,
Vivek

Re: [strongSwan] Problem in stack when crl updation is done

2010-03-30 Thread vivek bairathi
Hi Andreas,

Did you find anything?

Regards,
Vivek

On Fri, Mar 26, 2010 at 6:28 PM, Andreas Steffen andreas.stef...@strongswan.org wrote:

 Hi Vivek,

 can you send me both the old and new CRL and the issuing CA certificate?

 Best regards

 Andreas


 On 26.03.2010 13:44, vivek bairathi wrote:

 Hi All,
 I am getting a problem with strongswan-4.2.8: whenever I revoke a
 peer certificate and
 update the latest crl at my end and then try to make an SA, it gets
 created, which it should not.
 When I debug the stack I found that in credential_manager.c there is a
 function
 get_better_crl, in which there are two problems that I saw:
 1. The crl list that is passed has both the crls - the older one
 and the latest one. (As I had provided only two crls, one at the
 start of the stack and the other after revoking the cert.) But I
 think as the new crl is added the older one should be deleted?
 2. The comparison done between the certificate serial number and the
 serial numbers present in the crl is done with only the old crl and not
 the new crl in which the certificate is revoked. I think there is some
 problem in the parsing of the crl list, as the crl list is not completely
 parsed?
 Thanks for your help in advance.
 Regards,
 Vivek


 ======================================================================
 Andreas Steffen                         andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!                www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===========================================================[ITA-HSR]==


[strongSwan] Problem in stack when crl updation is done

2010-03-26 Thread vivek bairathi
Hi All,

I am getting a problem with strongswan-4.2.8: whenever I revoke a peer
certificate and
update the latest crl at my end and then try to make an SA, it gets created,
which it should not.
When I debug the stack I found that in credential_manager.c there is a
function
get_better_crl, in which there are two problems that I saw:

1. The crl list that is passed has both the crls - the older one and
the latest one. (As I had provided only two crls, one at the start of the
stack and the other after revoking the cert.) But I think as the new crl is
added the older one should be deleted?
2. The comparison done between the certificate serial number and the serial
numbers present in the crl is done with only the old crl and not the new crl
in which the certificate is revoked. I think there is some problem in the
parsing of the crl list, as the crl list is not completely parsed?

Thanks for your help in advance.

Regards,
Vivek

[strongSwan] Loading CRLs from file

2010-02-19 Thread vivek bairathi
Hi All,

I have a CRL in pem format with me. The CRL file is loaded at startup.

1. If the CRL file is updated in the directory, how can strongswan be
indicated to update it? Does the crlCheckInterval timer work with
strongswan IKEv2?

2. Is there an option to load the CRL present in the Cert directory at every
IKE Authentication?

3. Also, if I try to specify a specific fileuri, I get the following error:-

Error:-
Feb 20 00:58:17 vivek-desktop charon: 09[CFG]   fetching crl from
'/home/vivek/vivek/linux_pc_90_1/crl.pem' ...
Feb 20 00:58:17 vivek-desktop charon: 09[LIB] unable to fetch from
/home/vivek/vivek/linux_pc_90_1/crl.pem, no capable fetcher found
Feb 20 00:58:17 vivek-desktop charon: 09[CFG] crl fetching failed

ipsec.conf:-
config setup
cachecrls=no
charonstart=yes
plutostart=no
strictcrlpolicy=yes
uniqueids=no

ca AllPlanes
cacert=/tmp/RootCert3801_7349bbdb.pem
crluri=file:///home/vivek/vivek/linux_pc_90_1/crl.pem
auto=add

conn IpSecSSEPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=4m
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=3des-sha1-modp1024,aes128-sha1-modp1024!
authby=rsasig
left=21.21.21.20
leftsubnet=14.14.14.10/32
right=21.21.21.21
leftcert=/home/vivek/vivek/linux_pc_90_1/cert.pem
rightid=%any
auto=add


Thanks for your inputs in advance.

Regards,
Vivek



[strongSwan] dead peer detection

2010-01-21 Thread vivek bairathi
Hi All,

I have some query regarding dpd's:

1. If I give a dpddelay value of zero in ipsec.conf, will the IKEv2 Stack send
dpd's or not?
2. Is last_use_time used only in the case of dpd's?

Thanks in advance.

Regards,
Vivek


[strongSwan] Dead Peer Detection

2010-01-11 Thread vivek bairathi
Hi All,

I have a query regarding dpd's:-

1. When does ikev2 stack start sending dpd's?

2. When does it know that it's time to close the IPSEC SA or IKE SA?

3. Can you tell me where is the handling for closing the IPSEC SA or
IKE SA in case of no response to the dpd's?

Thanks in advance.

Regards,
Vivek


Re: [strongSwan] Regarding CN as left/rightid

2010-01-04 Thread vivek bairathi
Hi,

Actually I am encountering a problem in creating an IKE SA using the
certificate.

Host1 configuration:-
I have not filled in the left and right id in ipsec.conf, so for host1 it is
showing the CN as the id and for host2 it is showing the ip address of host2 as
its id when I fire the command ipsec statusall. The following configuration is
shown by this command:-

10.118.209.90[Serial#L123456].10.118.209.204[10.118.209.204]

Host2 Configuration:-
I have not filled in the left and right id in ipsec.conf, so for host2 it is
showing the CN as the id and for host1 it is showing the ip address of host1 as
its id when I fire the command ipsec statusall. The following configuration is
shown by this command:-

10.118.209.204[Serial#L654234].10.118.209.90[10.118.209.90]

After this, when I fire the command ipsec up connection name from host1,
an authentication failure message is received on host1.
I checked the logs at host2; there I saw that the authentication is
successful, but because of the configuration mismatch it sends the AUTH
FAILURE message to host1.

Can you please tell me what is wrong or whether I am making some mistake?

Thanks in advance.

Regards,
Vivek

On Mon, Jan 4, 2010 at 11:48 PM, Daniel Mentz danielml+mailinglists.strongs...@sent.com wrote:

 vivek bairathi wrote:

 Some doubts regarding CERT mode:-
 1. Is it necessary to know the CN of peer before establishing an IKE SA?


 Generally speaking, no. It depends on your individual configuration. You
 can set up strongSwan in a way that it accepts an arbitrary DN. Wildcard
 matching is also provided.

 This is probably true if strongSwan is responding to a request to set up an
 IKE SA. I'm not sure what the rules are when strongSwan initiates a
 connection.


 2. Is the left/rightid always equal to the CN from the certificate?


 If leftid/rightid is a DN it must be equal to the DN in the certificate. If
 it is a FQDN, then this FQDN must be contained in the certificate as a
 subjectAlternativeName. Not sure about e-mail addresses and IP addresses,
 though.

 -Daniel




[strongSwan] Regarding CN as left/rightid

2010-01-03 Thread vivek bairathi
Hi All,

Some doubts regarding CERT mode:-
1. Is it necessary to know the CN of the peer before establishing an IKE SA?
2. Is the left/rightid always equal to the CN from the certificate?


Thanks in advance.

Regards,
Vivek


[strongSwan] Dead Peer Detection

2009-12-23 Thread vivek bairathi
Hi All,

I have a query regarding dpd's.

1. When does ikev2 stack start sending dpd's?

2. When does it know that it's time to close the IPSEC SA or IKE SA?

3. Can you tell me where is the handling for closing the IPSEC SA or
IKE SA in case of no response to the dpd's?

Thanks in advance.

Regards,
Vivek


[strongSwan] Problem with ipsec.conf

2009-12-23 Thread vivek bairathi
Hi All,

I am using the strongswan-4.2.8 stack. And I am getting a strange problem
with this stack:-

The steps that I have taken:-
1. I created an IKE SA for IpSecCPlane and two CHILD SAs under it -
IpSecCPlane & IpSecUCSPlane.
2. After that I brought down the IpSecUCSPlane CHILD SA by using the command
ipsec down {reqid}.
3. After that I changed the configuration for IpSecUCSPlane in the
ipsec.conf and then fired the command ipsec update, and after this
everything hangs. Even the command ipsec status is not working. The
only option left for me is to restart the Computer.

In syslogs only delete connection is sent to the stroke plugin and not
the add connection for the IpSecUCSPlane.

Following is the conf file I am using:-
Before changing the configuration:-
config setup
cachecrls=no
charonstart=yes
plutostart=no
strictcrlpolicy=no
uniqueids=no
charondebug=ike 4,knl 4,cfg 4,chd 4

conn IpSecMPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=3des-sha1-modp1024,aes128-sha1-modp1024!
authby=psk
right=10.118.209.204
rightsubnet=192.168.150.25/24
left=10.118.209.90
leftsubnet=192.168.150.24/32
leftprotoport=sctp/49152
rightprotoport=sctp/49152
auto=add

conn IpSecCPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=null-sha1-modp1024!
authby=psk
right=10.118.209.254
rightsubnet=10.10.10.10/24
left=10.118.209.90
leftsubnet=10.10.10.11/32
leftprotoport=sctp
rightprotoport=sctp
auto=add

conn IpSecUPSPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=null-sha1-modp1024!
authby=psk
right=10.118.209.254
rightsubnet=10.10.10.10/24
left=10.118.209.90
leftsubnet=10.10.10.13/32
leftprotoport=udp/49156
rightprotoport=udp/49156
auto=add

conn IpSecUCSPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
authby=psk
right=10.118.209.254
rightsubnet=10.10.10.10/24
left=10.118.209.90
leftsubnet=10.10.10.12/32
leftprotoport=udp/49154
rightprotoport=udp/49154
auto=add

After changing the configuration:-
config setup
cachecrls=no
charonstart=yes
plutostart=no
strictcrlpolicy=no
uniqueids=no
charondebug=ike 4,knl 4,cfg 4,chd 4

conn IpSecMPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=3des-sha1-modp1024,aes128-sha1-modp1024!
authby=psk
right=10.118.209.204
rightsubnet=192.168.150.25/24
left=10.118.209.90
leftsubnet=192.168.150.24/32
leftprotoport=sctp/49152
rightprotoport=sctp/49152
auto=add

conn IpSecCPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=null-sha1-modp1024!
authby=psk
right=10.118.209.254
rightsubnet=10.10.10.10/24
left=10.118.209.90
leftsubnet=10.10.10.11/32
leftprotoport=sctp
rightprotoport=sctp
auto=add

conn IpSecUPSPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=null-sha1-modp1024!
authby=psk
right=10.118.209.254
rightsubnet=10.10.10.10/24
left=10.118.209.90
leftsubnet=10.10.10.13/32
leftprotoport=udp/49156
rightprotoport=udp/49156
auto=add

conn IpSecUCSPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
reauth=no
rekey=yes
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp1024!
esp=3des-sha1-modp1024,aes128-sha1-modp1024!
authby=psk
right=10.118.209.254
rightsubnet=10.10.10.10/24

Re: [strongSwan] Working with Different SAs with same src-dst IP but different Port

2009-09-17 Thread vivek bairathi
Hi,

We are in a very critical state of our project. Please find time to
respond to the issue below. It would be of great help to us.

Thanks in advance,
Ritu

On 9/16/09, vivek bairathi bairathi.vi...@gmail.com wrote:
 Hi,

 We have the requirement that traffic between the same source-destination IPs
 but different source-destination ports is channeled through different
 security associations:

 Connection  Tunnel IP  Src IP   Dst IP   Src Port  Dst Port  SA Ptr
 1           a.a.a.a    1.1.1.1  2.2.2.2  100       100       1
 2           b.b.b.b    1.1.1.1  2.2.2.2  200       200       2

 With the above configuration, if we bring up Connection 1 a new policy is
 created with tunnel IP a.a.a.a

 On bringing up connection 2, the ref count of the previous policy is
 incremented in the stack and the policy in the kernel is updated,
 the tunnel ip now being b.b.b.b

 The increasing reference count indicates that only a single SPD is used
 for both SAs. If our understanding is correct, then what is the use of
 creating 2 separate SAs?
 As per our understanding 2 different policies should be created, so
 that the traffic coming from different ports can be protected using
 the two different SAs that have been created.

 Can our requirement of channelising traffic between the same IPs but
 different ports into two separate SAs be achieved somehow using
 charon?

 Please find attached the ipsec.conf files and the log files for your
 reference.



[strongSwan] support of IP addresses and ports as traffic selectors

2009-09-15 Thread vivek bairathi
Hi,

I had a doubt regarding the support of IP addresses and ports as
traffic selectors.

For example:-
I have the following SPD entries. All the entries are using the same security association:

S.No.  Source IP  Destination IP  Src Port  Dst Port  SA Ptr
1      1.1.1.1    2.2.2.2         100       100       1
2      1.1.1.1    2.2.2.2         200       200       1
3      1.1.1.1    3.3.3.3         300       300       1
4      1.1.1.1    3.3.3.3         400       400       1
Please Note: Entries 1 & 2 and 3 & 4 have the same Src/Dst IP pair.

So, is it possible to have a SINGLE Security Association for
protecting the traffic of all 4 policies above? If yes, then how do I specify
the same in ipsec.conf?

Also, does it hold true for both IKEv1 (pluto) and IKEv2 (charon)?

Thanks and Regards,
Vivek


[strongSwan] Signature verification failed

2009-09-03 Thread vivek bairathi
Hi,

Thanks for your reply.

I am trying to establish an SA between two machines, of which one is a QNX
machine and the other is a Linux machine. I am able to transmit the
IKE_SA_INIT request and response messages from one machine to the other,
but when the IKE_AUTH request is received by either machine it says
that the signature verification failed.

Here are the logs of the IKE_AUTH request message sent from the QNX machine to
the Linux machine:-

IKE_AUTH request message sent by the QNX machine:-




signature sent from QNX machine to the linux machine in the IKE_AUTH message:-






Here's the log on the Linux machine of the IKE_AUTH request received
from QNX machine:-


Sep  3 00:00:21 ggn-pg-001 charon: 07[NET] received IPv4 packet = 252
bytes @ 0xb5553e04


Sep  3 00:00:23 ggn-pg-001 charon: 07[NET] received packet: from
10.118.209.186[4500] to 10.118.209.204[4500]

Sep  3 00:00:23 ggn-pg-001 charon: 07[NET] waiting for data on raw sockets

Re: [strongSwan] Signature verification failed

2009-09-03 Thread vivek bairathi
Hi,

I just found the solution to my problem. It's actually a problem of
endianness, as the endianness is not getting set in sha1_hasher.c
and the code on QNX is compiled for armbe, which is big endian.
So I just set BIG_ENDIAN in sha1_hasher.c and finally the
authentication is successful.

But now I am getting a new error: as soon as the CHILD_SA is created
the Linux machine sends a delete request for the CHILD_SA to the QNX
machine. I don't know why this is happening. My ikelifetime, keylife
and rekeymargin are all in hours, so how could this happen?

Can you tell me or give a possible condition because of which this is
happening and, of course, if possible a solution also?

Thanks & Regards,
Vivek

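Why a wrong endianness setting in a SHA-1 implementation produces exactly the symptom above, as an added example (not strongSwan's sha1_hasher.c): SHA-1 reads each 64-byte block as sixteen big-endian 32-bit words, and an implementation that loads those words straight from memory (the no-swap path a build selects when it believes it is big-endian) only produces correct digests on a big-endian host. The 12-byte "signature" dumped above sits at the very end of the message, where the IKEv2 Encrypted payload carries its integrity checksum (12 bytes for HMAC-SHA1-96), so a wrong SHA-1 on either side fails verification; the known-answer test below is the startup check that would have caught it. Function names and the LOAD_* modes are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

/* How the sixteen message words of a block are loaded. LOAD_RAW_WORDS is
 * the no-swap path a build that believes it is big-endian would take;
 * LOAD_PORTABLE assembles each word from bytes and is correct everywhere. */
enum load_mode { LOAD_PORTABLE, LOAD_RAW_WORDS };

static void sha1_block(uint32_t h[5], const uint8_t blk[64], enum load_mode mode)
{
    uint32_t w[80], a, b, c, d, e, f, k, t;
    int i;

    for (i = 0; i < 16; i++) {
        if (mode == LOAD_RAW_WORDS) {
            memcpy(&w[i], blk + 4 * i, 4);     /* host byte order, unswapped */
        } else {
            w[i] = ((uint32_t)blk[4 * i] << 24) | ((uint32_t)blk[4 * i + 1] << 16)
                 | ((uint32_t)blk[4 * i + 2] << 8) | (uint32_t)blk[4 * i + 3];
        }
    }
    for (i = 16; i < 80; i++)
        w[i] = ROL(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);

    a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4];
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = ROL(a, 5) + f + e + k + w[i];
        e = d; d = c; c = ROL(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* SHA-1 of a message shorter than 56 bytes (fits one padded block), which
 * is all the known-answer test needs. The digest is written out big-endian
 * as FIPS 180 requires, independent of the load mode under test. */
void sha1_short(const uint8_t *msg, size_t len, uint8_t out[20], enum load_mode mode)
{
    uint8_t blk[64] = {0};
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint64_t bits = (uint64_t)len * 8;
    int i;

    memcpy(blk, msg, len);
    blk[len] = 0x80;                                /* padding: a 1 bit, then zeros */
    for (i = 0; i < 8; i++)
        blk[63 - i] = (uint8_t)(bits >> (8 * i));   /* 64-bit bit length, big-endian */
    sha1_block(h, blk, mode);
    for (i = 0; i < 5; i++) {
        out[4 * i]     = (uint8_t)(h[i] >> 24);
        out[4 * i + 1] = (uint8_t)(h[i] >> 16);
        out[4 * i + 2] = (uint8_t)(h[i] >> 8);
        out[4 * i + 3] = (uint8_t)h[i];
    }
}

/* 1 on a big-endian host, 0 on a little-endian one (runtime probe). */
int host_is_big_endian(void)
{
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

/* FIPS 180 known-answer test, SHA1("abc"). Returns 1 if the digest computed
 * with the given load mode is correct. Running this once at daemon start
 * catches a mis-set endianness switch before any IKE exchange depends on it. */
int sha1_kat_passes(enum load_mode mode)
{
    static const uint8_t expect[20] = {
        0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
        0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d };
    uint8_t out[20];
    sha1_short((const uint8_t *)"abc", 3, out, mode);
    return memcmp(out, expect, 20) == 0;
}

int main(void)
{
    printf("portable word load: %s\n", sha1_kat_passes(LOAD_PORTABLE) ? "ok" : "FAIL");
    printf("raw word load:      %s on a %s-endian host\n",
           sha1_kat_passes(LOAD_RAW_WORDS) ? "ok" : "FAIL",
           host_is_big_endian() ? "big" : "little");
    return 0;
}
```

On a little-endian build host the raw-word load fails the test, which is the mirror image of what happened on the big-endian ARM target when its build fell back to the swapping path.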

[strongSwan] Handling of outgoing packets when CHILD_SA is rekeyed

2009-09-01 Thread vivek bairathi
Hi,

When a CHILD_SA is rekeyed, there is a time when the SAD will have two SA
entries corresponding to the CHILD_SA that is rekeyed. In other words,
this is the time when the stack has received a correct response to the
CREATE_CHILD_SA request and hence has installed the new SA in the SAD,
but has not yet deleted the old SA entry from the SAD.

During this time, if a packet is to be sent out using the CHILD_SA, how
do we know which SA entry is to be used out of the two entries?

Thanks for your reply in advance.

Regards
Vivek
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[strongSwan] Issue regarding rekeying and updation of an IKE SA

2009-08-06 Thread vivek bairathi
Hi,

Thanks for your reply.

With your help now I am able to create the IKE SA and CHILD SA, but there
is a problem with updating & rekeying of the IKE SA:-

1. I am trying to change a parameter/all parameters (e.g. rekeytime,
encryption algo, integrity algo, DH group parameter) in ipsec.conf so
that when I do ipsec update the established IKE SA should apply the new
parameters at the time of rekeying, but what I am seeing is that this is
not happening: the IKE SA is still using the old config parameters
even after rekeying.

2. Also, the IKE SA is not getting rekeyed; only its CHILD SA is getting
rekeyed. The status for the IKE SA says that rekey is disabled for it. So,
how do I enable rekey of the IKE SA, and also how do I apply any change
in a parameter of ipsec.conf to the IKE SA without bringing the IKE SA
down?

Here's my ipsec.conf files for the two peers:
Peer_1:-
# ipsec.conf - strongSwan IPsec configuration file

config setup
plutostart=no
strictcrlpolicy=no
conn %default
ikelifetime=3m
keyexchange=ikev2
keyingtries=1
keylife=2m
reauth=no
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp2048!
esp=aes256-sha1-modp2048!

conn carol
authby=psk
left=10.118.209.204
right=10.3.5.218
leftid=10.0.3.1
rightid=10.0.3.3
auto=add

Peer_2:-
# ipsec.conf - strongSwan IPsec configuration file

config setup
plutostart=no
strictcrlpolicy=no

conn %default
ikelifetime=3m
keyexchange=ikev2
keyingtries=1
keylife=3m
reauth=no
mobike=no
rekeymargin=2m
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!


conn carol
authby=psk
left=10.3.5.218
right=10.118.209.204
rightid=10.0.3.1
leftid=10.0.3.3
auto=add



Please help me.

Thanks for your help in advance.

Regards,
Vivek
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
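One thing worth checking in the Peer_1 configuration above, as an added check that is not strongSwan code: ipsec.conf(5) defines rekeying as starting rekeymargin before expiry, with rekeyfuzz (default 100%) randomly increasing that margin by up to the given percentage, so with keylife=2m and rekeymargin=2m the latest possible CHILD_SA rekey attempt falls at 0 seconds after setup, and with ikelifetime=3m the IKE_SA window reaches into negative time. The code below applies that arithmetic to a constructed copy of the Peer_1 conn using the ipsec.conf(5) defaults (ikelifetime=3h, keylife=1h, rekeymargin=9m, rekeyfuzz=100%); the minimal parser and all function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed from Peer_1 above; ike=/esp= lines omitted as irrelevant here. */
static const char *PEER1_CONF =
    "config setup\n"
    "plutostart=no\n"
    "conn %default\n"
    "ikelifetime=3m\n"
    "keyexchange=ikev2\n"
    "keylife=2m\n"
    "rekeymargin=2m\n"
    "conn carol\n"
    "authby=psk\n"
    "auto=add\n";

/* Constructed: a conn that relies entirely on the ipsec.conf(5) defaults. */
static const char *DEFAULTS_CONF = "conn plain\nauto=add\n";

/* "3m" -> 180, "1h" -> 3600, "2d" -> 172800, "45" -> 45, "100%" -> 100 */
long parse_time(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    switch (*end) {
    case 'm': return v * 60;
    case 'h': return v * 3600;
    case 'd': return v * 86400;
    default:  return v;
    }
}

/* Minimal ipsec.conf lookup: value of key in "conn <name>", else in
 * "conn %default", else def. Assumes unindented key=value lines. */
const char *conf_get(const char *conf, const char *name, const char *key,
                     const char *def, char *out, size_t outlen)
{
    const char *sections[2] = { name, "%default" };
    size_t klen = strlen(key);
    int s;
    for (s = 0; s < 2; s++) {
        char header[64];
        const char *p;
        snprintf(header, sizeof header, "conn %s\n", sections[s]);
        p = strstr(conf, header);
        if (!p)
            continue;
        p += strlen(header);
        /* walk the section until the next "conn"/"config" header or EOF */
        while (*p && strncmp(p, "conn ", 5) != 0 && strncmp(p, "config ", 7) != 0) {
            const char *eol = strchr(p, '\n');
            size_t len = eol ? (size_t)(eol - p) : strlen(p);
            if (len > klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == '=') {
                size_t vlen = len - klen - 1;
                if (vlen >= outlen)
                    vlen = outlen - 1;
                memcpy(out, p + klen + 1, vlen);
                out[vlen] = '\0';
                return out;
            }
            if (!eol)
                break;
            p = eol + 1;
        }
    }
    snprintf(out, outlen, "%s", def);
    return out;
}

struct rekey_window { long earliest, latest; };

/* ipsec.conf(5): rekeying starts rekeymargin before expiry; rekeyfuzz
 * randomly increases that margin by up to fuzz_percent. A latest value
 * <= 0 means no rekey attempt can precede the SA's expiry. */
struct rekey_window rekey_window(long lifetime, long margin, long fuzz_percent)
{
    struct rekey_window w;
    w.latest = lifetime - margin;
    w.earliest = lifetime - margin * (100 + fuzz_percent) / 100;
    return w;
}

/* Fill the IKE_SA and CHILD_SA windows for conn name (either pointer may be
 * NULL) and return 1 if both SAs can rekey before expiry, else 0. */
int conn_can_rekey(const char *conf, const char *name,
                   struct rekey_window *ike, struct rekey_window *child)
{
    struct rekey_window i, c;
    char buf[64];
    long margin  = parse_time(conf_get(conf, name, "rekeymargin", "9m",   buf, sizeof buf));
    long fuzz    = parse_time(conf_get(conf, name, "rekeyfuzz",   "100%", buf, sizeof buf));
    long ikelife = parse_time(conf_get(conf, name, "ikelifetime", "3h",   buf, sizeof buf));
    long keylife = parse_time(conf_get(conf, name, "keylife",     "1h",   buf, sizeof buf));
    if (!ike)   ike = &i;
    if (!child) child = &c;
    *ike = rekey_window(ikelife, margin, fuzz);
    *child = rekey_window(keylife, margin, fuzz);
    return ike->latest > 0 && child->latest > 0;
}

int main(void)
{
    struct rekey_window ike, child;
    int ok = conn_can_rekey(PEER1_CONF, "carol", &ike, &child);
    printf("carol IKE_SA rekey window:   %ld .. %ld s after setup\n", ike.earliest, ike.latest);
    printf("carol CHILD_SA rekey window: %ld .. %ld s after setup\n", child.earliest, child.latest);
    printf("%s\n", ok ? "rekeying can happen" : "rekeying cannot happen before expiry");
    return 0;
}
```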


[strongSwan] Tunnel configuration issue

2009-07-30 Thread vivek bairathi
Hi,

I have some queries:-

1. In case I need to create a tunnel with multiple child SAs, would
there be a different connection for each tunnel IP - virtual IP pair, or
is there a single connection containing all the virtual IPs
corresponding to each Child SA?

2. In case there is a single connection for the IKE SA and the child SAs
inside it, would I need to shut down the complete tunnel to change the IP
address corresponding to one CHILD_SA?

3. There is a parameter in strongswan.conf, charon_process_route. If
we set this parameter to No, and I always specify the IP address in
ipsec.conf, then the charon stack would not require the routing table
for any of its functionality. Is this assumption correct?
Actually, for our implementation we wanted to remove the netlink
interface interfacing the routing table and adding/removing IP
addresses. We can comment out the code that installs the virtual IP into the
kernel.

We were thinking of always providing the complete IP addresses in
ipsec.conf and setting charon_process_route = no. Will this be
sufficient?

Thanks in advance for all your support

Vivek
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] support for tunnel configuration

2009-07-28 Thread vivek bairathi
Hi,

Thanks for your help.

Some more queries:-

1. Did you mean that if I change any parameter in ipsec.conf then I
have to delete the IKE SA and all the corresponding CHILD SAs and
then apply the new configuration?

2. Is it possible not to delete an SA and apply the new settings on
the CHILD SAs that will be created in future?

3. Suppose an IKE SA has been created for a connection and I want
to create a CHILD SA for it; how do I tell the stack to do that? Is
it through ipsec.conf, or what?

4. If I provide all the IP addresses to the stack in the ipsec.conf
and disable the kernel-netlink-net interface, will there be any problem
with the working of the stack?

Thanks & Regards,
Vivek


On 7/27/09, Andreas Steffen andreas.stef...@strongswan.org wrote:
 Hi Vivek,

 you can change any connection parameter by

 1) redefining it in ipsec.conf

 2) taking down the active connection executing

ipsec down <connection name>

 3) execute

ipsec update

which transfers the new connection definition to the charon daemon.

 4) execute

ipsec up <connection name>

if auto=add. With auto=start the connection will be restarted by
ipsec update.

 Best regards

 Andreas

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[strongSwan] support for tunnel configuration

2009-07-27 Thread vivek bairathi
Hi all,

I have a requirement for creating tunnel SAs. After reading the
strongSwan documentation and code I arrived at the following
conclusion:-

1. left|right source IP in the conn section of ipsec.conf is used to
specify the internal IP in the tunnel (virtual IP). The external
tunnel IP will be filled in the left|right parameters. Is this assumption
correct?


2. How does the stack distinguish whether the IP address that is being
added is the external IP or the internal IP in the tunnel?

3. How is the addition/deletion of the external tunnel IP address and
the internal IP handled differently by charon?

Thanks & Regards,
Vivek
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] support for tunnel configuration

2009-07-27 Thread vivek bairathi
Hi,

Thanks for your detailed response.

1. We had a requirement to change the internal/virtual IP at runtime
after charon is spawned. Is it possible to change the internal/virtual
IP in a tunnel once the stack is spawned? We went through the code and
found that deletion of the outer/tunnel IP and inner/virtual IP is
detected and handled by charon. However, addition of an IP address is
detected only for the outer/tunnel IP? How can I change the internal IP
associated with the tunnel IP after charon is spawned?

Can the following parameters be changed at runtime after charon is spawned:-
   1. Can the authentication parameter be changed from PSK to CERT / CERT to PSK?
   2. Re-keying time of the IKE/IPsec SA: can the new re-keying value be
assigned to new SAs created henceforth?
   3. Can the encryption algorithm be changed for an IKE SA?

It would be a great help if you could answer the above queries.

Thanks & Regards,
Vivek



On 7/27/09, Andreas Steffen andreas.stef...@strongswan.org wrote:
 Hi Vivek,

 vivek bairathi wrote:
 Hi all,

 I have a requirement for creating tunnel SAs.  After reading
 strongswan documentation and code I arrived at the following
 conclusion:-

 1. left|right source IP in the conn section of ipsec.conf is used to
 specify the internal IP in the tunnel (virtual IP). The external
 tunnel IP will be filled in the left|right parameters. Is this assumption
 correct?

 This is not correct. Let us assume that left is local and right is
 remote. Then

   leftsourceip=<virtual IP address>

 or

   leftsourceip=%config

 define a virtual IP address to be used as source address within
 the IPsec tunnel. This is equivalent to setting the source
 traffic selector to

   leftsubnet=<virtual IP address>/32

 but does not change in any way left= which is used as the source
 address of the ESP packet.

 2. How does the stack distinguish whether the IP address that is being
 added is the external IP or the internal IP in the tunnel?

 See point 1 above.

 3. How is the addition/deletion of the external tunnel IP address and
 the internal IP handled differently by charon?

 Available external IP addresses are automatically detected by
 strongSwan using RT_NETLINK. E.g. defining

   left=%any

 will select the outer source address based on the actual route to
 right. This can be very helpful in multi-homing environments.

 Virtual IP addresses are installed by strongSwan via RT_NETLINK
 by adding a new virtual IP address as an alias of the physical
 interface used.

   ip addr list dev eth0

 will show the virtual IPs associated with eth0. By installing a source
 route in table 220, which is shown by the command

   ip route list table 220

 all plaintext packets with destination rightsubnet will assume the
 virtual IP as their source address before being encapsulated by ESP.


 Thanks & Regards,
 Vivek

 Regards

 Andreas

 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Kernel-netlink issue

2009-07-07 Thread vivek bairathi
Hi Martin ,

I went through the strongSwan code to understand the IKE_SA and
CHILD_SA creation.

While going through the code I came across the acquire function. The
comments for the function indicate that it processes the trigger from
the kernel for creation of CHILD_SAs.

1. Is it the only mechanism through which the CHILD_SAs can be created
(i.e. through the acquire function, with the trigger coming from the kernel
based on policies installed)?

2. The function also mentions that the IKE_SA creation can also be
triggered through the acquire function sometimes. What are the
scenarios under which the IKE_SA creation can be triggered from the
kernel?


I would highly appreciate your help on these issues.

Looking forward to a reply.

Thanks,
Vivek

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Kernel-netlink issue

2009-07-06 Thread vivek bairathi
Hi,

Thanks for your help.

I still have a doubt about who initiates the IKE SA and CHILD SA.
1. Is it the kernel that initiates both?
2. Or does the kernel just initiate the CHILD SA (through the acquire() function
as per the SPD) and the IKE SA is initiated/triggered by reading the
ipsec.conf file, from which it knows the local and remote IP addresses?
3. If I have asked the wrong question or have wrongly understood your
stack code, then please do explain to me how an IKE SA and CHILD SA is
initiated or triggered in your stack.


Thank you.

Regards,
Vivek


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Kernel-netlink issue

2009-07-02 Thread vivek bairathi
Hi Martin,

Thanks for your help. The problem is that we have a proprietary
implementation of the IP stack in a micro engine whose development is in
assembly language.

As per what you have suggested, I think it would make sense that we
let the kernel interface remain as is (just change the address family of
the sockets to compatible ones) and let another process sniff these
messages and provide an adapter interface to the network
processor/micro engine. This adapter would then provide all required
interfaces to strongSwan.

What are your thoughts on the same ?

Regards,

Vivek.




On 7/2/09, Martin Willi mar...@strongswan.org wrote:
 Hi,

 1. Could you please throw some light on how the updated IP list is
 given to the stack?

 The roam job just indicates the network configuration has changed. While
 processing the job, a route lookup is done to find a new (or keep the
 existing) path to reach the peer.

 2. We saw that the XFRM_Expire message is received from the kernel.
 Is it then the correct assumption that strongSwan does not maintain
 the re-keying timer for the child SAs?

 Yes, IKE_SA lifetimes are handled in the daemon, while CHILD_SA
 lifetimes are handled in the kernel. The reason for this is that there
 are (theoretically) other ways to expire an SA, only known to the kernel
 (e.g. number of bytes/packets processed).

 3. Could you let us know the best approach for plugging out the kernel
 interface and using our own?

 Removing the kernel interface is probably the most complex option, you
 would need to work around a lot of functionality in the core daemon.

 The right way to do it is to implement a kernel interface for IPsec and
 networking for the QNX system.

 QNX uses a PF_KEY interface [1], so you could try to use our existing
 PF_KEY plugin. As NetBSD uses a policy handling concept similar to KLIPS
 (flows), you probably need to borrow some bits from the KLIPS plugin.

 For the networking part, QNX uses the PF_ROUTE protocol [2] from BSD.
 You could try to use our PF_ROUTE plugin. It should work, but might not
 be feature complete.


 If you are willing to sponsor the development, you could hand over your
 QNX porting efforts to us. The strongSwan team has some experience in
 porting to BSD based systems...

 Regards
 Martin

 [1]http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/lib_ref/i/ipsec_proto.html
 [2]http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/lib_ref/r/route_proto.html


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Kernel-netlink issue

2009-07-01 Thread vivek bairathi
Hi Martin,

Thanks for your help.

For our implementation we need to port the strongSwan stack to QNX.
QNX does not have a kernel, but only a microkernel. Thus we need to
remove any interface with the kernel in the strongSwan stack and
replace it with our own interface.

Since the kernel net interface is designed as a plugin, we were wondering
whether it is feasible to plug out this interface with minimal effort
and make strongSwan use our own plugin.

In an attempt to figure out the interface of the kernel-netlink plugin
with the stack, we found that it is using the fire_roam_job function
to update IKE SAs with respect to changes in IP addresses. I am sure we
are missing something, but fire_roam_job does not seem to use the
updated address list in the private_kernel_netlink_net_t structure.
Hence, we are unable to find the interface of kernel-netlink with the
stack for IP address updates.

1. Could you please throw some light on how the updated IP list is
given to the stack?

2. We saw that the XFRM_Expire message is received from the kernel.
Is it then the correct assumption that strongSwan does not maintain
the re-keying timer for the child SAs?

3. Could you let us know the best approach for plugging out the kernel
interface and using our own?

Many thanks for your help in advance

Regards,
Vivek.





On 6/30/09, Martin Willi mar...@strongswan.org wrote:
 Hi,

 1. How does the stack know of the change in the IP address?

 The IKEv2 daemon listens to netlink notification messages sent by the
 Linux kernel.

 2. Does the stack listen to such events from the kernel? If yes, could
 you point us to the location in the stack that listens to kernel for
 such events?

 Charon listens for notifications from the kernel in the receive_events()
 function found in kernel_netlink_net.c. There it handles
 link/address/route changes. If something changes, it finally calls
 fire_roam_job() to update existing IKE_SAs.

 Regards
 Martin


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users