Re: [strongSwan] Security Comparison

2018-07-19 Thread Dirk Hartmann




--On Thursday, July 19, 2018 09:58:51 AM +0100 Christian Salway 
 wrote:




Thanks, answers inline.



On 19 Jul 2018, at 09:38, Tobias Brunner 
wrote:

Hi Christian,


I am also
limited to the native OSX/Windows VPN clients which currently
support a maximum of aes256-sha256-prfsha256-ecp256-modp2048
(Windows does not support ecp)


It does (at least on Windows 10), you just have to enable it via
PowerShell (see [1]).


Even with the registry key added, the IKE ciphers are as follows:

WINDOWS 10
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048


Have a look here:


Regards,
Dirk
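Added example for this thread (not code from the posts or from strongSwan): it translates the three Windows 10 IKE proposal lines quoted above into strongSwan keywords and checks whether a given ike= line has a proposal in common with them. The algorithm table and alias list are assumptions limited to the algorithms that appear here; AEAD ciphers are not modelled.

```python
"""Translate the IKE proposals a Windows 10 client offers into strongSwan's
keyword vocabulary and check whether a strongSwan ike= line has a proposal
in common with them.  Added example for this page; neither the mapping
table nor the matching logic is strongSwan code."""

# Windows proposal tokens (as in the client's log) -> (transform type, keyword).
# Assumption: only the algorithms seen in this thread plus obvious siblings.
WINDOWS_TO_STRONGSWAN = {
    "AES_CBC_128": ("enc", "aes128"),
    "AES_CBC_192": ("enc", "aes192"),
    "AES_CBC_256": ("enc", "aes256"),
    "3DES_CBC": ("enc", "3des"),
    "HMAC_SHA1_96": ("integ", "sha1"),
    "HMAC_SHA2_256_128": ("integ", "sha256"),
    "HMAC_SHA2_384_192": ("integ", "sha384"),
    "HMAC_SHA2_512_256": ("integ", "sha512"),
    "PRF_HMAC_SHA1": ("prf", "prfsha1"),
    "PRF_HMAC_SHA2_256": ("prf", "prfsha256"),
    "PRF_HMAC_SHA2_384": ("prf", "prfsha384"),
    "PRF_HMAC_SHA2_512": ("prf", "prfsha512"),
    "MODP_1024": ("dh", "modp1024"),
    "MODP_2048": ("dh", "modp2048"),
    "ECP_256": ("dh", "ecp256"),
    "ECP_384": ("dh", "ecp384"),
}

# Alternative spellings strongSwan accepts, folded to one canonical form.
ALIASES = {"sha": "sha1", "sha2_256": "sha256", "sha2_384": "sha384",
           "sha2_512": "sha512"}
# strongSwan derives the PRF from the integrity algorithm when none is given.
INTEG_TO_PRF = {"sha1": "prfsha1", "sha256": "prfsha256",
                "sha384": "prfsha384", "sha512": "prfsha512"}
TYPES = ("enc", "integ", "prf", "dh")

# The three proposals Christian quoted for Windows 10 with the registry key set.
WINDOWS10_LOG = [
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048",
]


def classify(keyword):
    """Map one strongSwan keyword to (transform type, canonical keyword)."""
    keyword = ALIASES.get(keyword, keyword)
    if keyword.startswith("prf"):
        return "prf", keyword
    if keyword.startswith(("modp", "ecp")):
        return "dh", keyword
    if keyword.startswith("sha"):
        return "integ", keyword
    if keyword.startswith(("aes", "3des")):
        return "enc", keyword
    raise ValueError("unsupported keyword: " + keyword)


def parse_windows(lines):
    """One 'IKE:ENC/INTEG/PRF/DH' line -> one proposal: {type: {keyword}}."""
    proposals = []
    for line in lines:
        prop = {}
        for token in line.strip().split(":", 1)[-1].split("/"):
            kind, kw = WINDOWS_TO_STRONGSWAN[token]
            prop.setdefault(kind, set()).add(kw)
        proposals.append(prop)
    return proposals


def parse_strongswan_ike(ike):
    """Parse an ike= value: proposals separated by ',', keywords by '-';
    several algorithms of one type in a proposal are alternatives (e.g.
    'ecp256-modp2048'); a trailing '!' (strict) does not affect matching."""
    proposals = []
    for chunk in ike.strip().rstrip("!").split(","):
        prop = {}
        for kw in chunk.split("-"):
            kind, name = classify(kw)
            prop.setdefault(kind, set()).add(name)
        if "prf" not in prop and "integ" in prop:
            prop["prf"] = {INTEG_TO_PRF[i] for i in prop["integ"]}
        proposals.append(prop)
    return proposals


def first_match(server, client):
    """Return (index of the first server proposal that agrees with any client
    proposal on every transform type, agreed algorithms) or None."""
    for idx, sp in enumerate(server):
        for cp in client:
            common = {t: sp.get(t, set()) & cp.get(t, set()) for t in TYPES}
            if all(common.values()):
                return idx, {t: sorted(v) for t, v in common.items()}
    return None


if __name__ == "__main__":
    win = parse_windows(WINDOWS10_LOG)
    for ike in ("aes256-sha256-prfsha256-ecp256-modp2048",
                "aes256-sha2_512-modp2048,aes256-sha1-modp1024"):
        print(ike, "->", first_match(parse_strongswan_ike(ike), win))
```

The second ike= line is the one from the MODP_1024 thread further down the page; against the Windows 10 list it yields no match because modp1024 is the only DH group on the sha1 proposal.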



Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Dirk Hartmann



--On Friday, May 04, 2018 07:55:11 AM +0100 Christian Salway 
<christian.sal...@naimuri.com> wrote:



not sure if it was a bad copy paste but you need a space after
-PassThru

Set-VPNConnectionIPsecConfiguration -ConnectionName "my-vpn"
-AuthenticationTransformConstants SHA256128 -CipherTransformConstants
AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256
-PfsGroup None -DHGroup Group14 -PassThru -Force


Yup, sorry, copy/paste on a wrap.




On 4 May 2018, at 07:47, Dirk Hartmann <d...@heise.de> wrote:

Set-VPNConnectionIPsecConfiguration -ConnectionName ""
-AuthenticationTransformConstants SHA256128
-CipherTransformConstants AES256 -EncryptionMethod AES256
-IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14
-PassThru-Force







Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Dirk Hartmann



--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino 
 wrote:



Hi,

Just to keep a complete record of this for other people who may
search the list archive for this solution:

The solution was to create a windows registry key:
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Key: NegotiateDH2048_AES256
Type: DWORD 32bit
Value: 1

If you need to roll this out across multiple machines as I did - once
you do the first machine, you can select the new key you just edited
and do: File -> Export  , select type reg.
Then on subsequent machines the user simply double clicks the file
and it gets imported automatically.

Hope this helps other people who find this post.


To add to the tip: I distribute a PowerShell script to road warriors to 
set up the complete VPN connection. Maybe someone would like to use parts of 
it:



echo "activate higher encryption"
reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v 
NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f


echo "import CA"
echo "-BEGIN PKCS7-
MII.
=
-END PKCS7-
" > c:\certtmp.p7b

import-certificate -FilePath c:\certtmp.p7b -CertStoreLocation 
'Cert:\LocalMachine\Root'


del c:\certtmp.p7b

sleep 1

echo "Make VPN"
^M
Add-VpnConnection -Name "" -ServerAddress  
-TunnelType "Ikev2" -AllUserConnection -EncryptionLevel Required


echo "added"

Set-VPNConnection -Name "" -AllUserConnection -SplitTunneling 0

echo "split out"

Set-VPNConnectionIPsecConfiguration -ConnectionName "" 
-AuthenticationTransformConstants SHA256128 -CipherTransformConstants 
AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup 
None -DHGroup Group14 -PassThru-Force


echo "parameter set"

sleep 1

echo "all set"


Cheers
Dirk




Re: [strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Dirk Hartmann

Hi Thomas,

--On Thursday, February 22, 2018 10:47:00 AM +0100 Thomas Egerer 
<hakke_...@gmx.de> wrote:



On 02/22/2018 10:33 AM, Dirk Hartmann wrote:

Hi,

so the other migration I'm planning is to move to
swanctl.conf/VICI-Plugin.

As it is possible to run both plugins stroke and VICI at the same
time at the same server, is this a good idea?

From my understanding of the code you should be fine running
both plugins simultaneously.



It would definitely ease the migration if I could simply migrate our
approximately 250 connections from ipsec.conf to swanctl.conf one by
one.

My question is, is this advisable?

Each plugin has its own config backend and as long as the
names of your configurations don't clash I don't see a
problem. However, Tobias knows the code much better and
might still object ;)


ah that sounds promising.


Cheers and good luck for the migration


Thank you!
Dirk


Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Dirk Hartmann

Hi Tobias,

--On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner 
 wrote:



Is it possible to add a second connection definition that is
identical but has

conn win2018eapmschap
    leftcert=serverCert2018.pem
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"

so that eap clients can connect to the server when they are equipped
with either the old or the new ca?


You can do that.  However, the second config will only be used with
clients that explicitly send a remote identity that matches leftid.
With clients that don't send an IDr (e.g. Windows or the strongSwan
Android app with its default settings) the first config that's loaded
and matches the IPs/IDs will be used (since the only difference is
leftid and no identity can be compared to it, both will match equally
well, so the first one will be used).

Unfortunately, certificate requests are currently not considered when
selecting configs.  So even if leftca is set and a client that doesn't
send an IDr sends a certificate request for the second CA the first
config will be used.


Thank you for the clarification.
As most of the EAP clients are Windows, that wouldn't work for us this 
way.


Then I'll probably add an additional IP and hostname to the server and 
add a conn only for this IP.


left= in ipsec.conf only accepts one argument (IP or FQDN) while 
connections.<conn>.local_addrs in swanctl.conf allows multiple, which is 
a good reason to start with VICI :) So I can work with only one new 
config for IPv4 and IPv6 instead of two.


Thanks again
Dirk




[strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Dirk Hartmann

Hi,

so the other migration I'm planning is to move to 
swanctl.conf/VICI-Plugin.


As it is possible to run both plugins stroke and VICI at the same time 
at the same server, is this a good idea?


It would definitely ease the migration if I could simply migrate our 
approximately 250 connections from ipsec.conf to swanctl.conf one by 
one.


My question is, is this advisable?

Best regards
Dirk


[strongSwan] Migrating to a new ca

2018-02-21 Thread Dirk Hartmann

Hi,

after many years with our old certification authority for strongswan 
I'm planning to migrate to a new one with more modern crypto.


To make it as painless as possible for the end users I plan on adding a 
second ca and a matching second server certificate to our installation.
Over time I would update the old clients with the new ca and new 
certificates.


For the linux and mac clients and some Windows clients we use unique 
connection descriptions so there is no problem to provide a leftid and 
leftcert for the ones that are updated.


But I'm not sure about the config for our eap clients.

The configuration part is

conn win7eapmschap
    left=STRONGSWANSERVERIP
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftsendcert=always
    leftcert=serverCert.pem
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=%eappool,%eappool6
    eap_identity=%any
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER"
    auto=add


Is it possible to add a second connection definition that is identical 
but has

conn win2018eapmschap
    leftcert=serverCert2018.pem
    leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"

so that eap clients can connect to the server when they are equipped 
with either the old or the new ca?


Best regards
Dirk





Re: [strongSwan] strongswan.tar.gz issue

2018-02-01 Thread Dirk Hartmann

Hi,

--On Friday, February 02, 2018 06:35:54 AM + "Kalyani Garigipati 
(kagarigi)"  wrote:



I have downloaded strongswan.tar.gz file from strongswan website, but
when I have extracted it, I found that the Makefile is missing in the
folder. Did anyone encounter this issue ?

Because of this I am unable to compile strongswan


Did you run ./configure, and did it finish without error?

Best Regards,
Dirk




Re: [strongSwan] road worrior IP - can it also be used by services/daemons to listen onto?

2017-11-10 Thread Dirk Hartmann



--On 10. November 2017 at 15:20:40 + lejeczek <pelj...@yahoo.co.uk> 
wrote:





On 10/11/17 14:34, Dirk Hartmann wrote:
> Hi,
>
> --On Friday, November 10, 2017 02:21:09 PM + lejeczek <pelj...@yahoo.co.uk> wrote:
>
>> I've a working roadwarrior which links up to a server(not mine,
>> meaning - no control over it) and I wonder - can that IP my
>> roadwarrior gets other things use?
>>
>> From that other(server) end, the network behind the server sees that
>> IP my roadwarrior gets, can ping it but, how to make, eg. apache etc,
>> use and serve on that IP? If I do nmap from server's net on my
>> roadwarrior IP it says port is closed.
>>
>> Is it something I can do at my end? Which would be great if possible.
>
> without a firewall either on your RW or on the Gateway side there is
> no reason you should not be able to reach any port on your RW.
>
> The question is, does your service bind itself to your RW-IP?
>
> What does netstat report for your apache?
>
> netstat -tulpn | grep apache
>
> Mostly you configure apache in /etc/apache2/ports.conf on which IPs
> it should listen or if it should listen on all IPs.
>
> Some services don't bind to interfaces added after the service
> started, so maybe you have to restart it after the VPN connection is
> up.
>
> Dirk
Apache listens on all port, and I did restart it, same for sshd. Nmap
from behind the gateway says ports are closed, but not filtered.

My RW is on a box which is my local gateway-to-internet, the
interface/connection strongswan creates when connects to VPN gateway I
put(with use of firewalld) into my external zone, so it gets masqueraded
so other nodes on my local LAN can get to VPN via my RW - but I do not
see this affects firewall, etc, ports that are opened in external
zone(nic with public IP and RW) as  nmap says are not filtered.
I nmap my public IP and is "open" I nmap my RW-IP and is "closed".


IIRC closed means either there's no service there or, when using iptables, 
it has a reject rule instead of a drop rule.



It all runs off a fedora26, I have
strongswan-libipsec-5.6.0-1.fc26.x86_64 installed - I understand with it
I get ipsec0 interface autocreation which then I can manage with
"regular" OS utils, eg. firewalld - I thought it was the laziest/quickest
way out.

I did think that RW-NIC-IP would be just operational, manageable as any
other iface in the OS, but it seems some sorcery is needed, or maybe
something trivial?


Did you try to access the apache from the local server via the tunnel IP?

As I said, in a vanilla setup without a firewall there is nothing preventing 
you from reaching open ports on either side of the tunnel via the tunnel.


Dirk


Re: [strongSwan] road worrior IP - can it also be used by services/daemons to listen onto?

2017-11-10 Thread Dirk Hartmann

Hi,

--On Friday, November 10, 2017 02:21:09 PM + lejeczek 
 wrote:



I've a working roadwarrior which links up to a server(not mine,
meaning - no control over it) and I wonder - can that IP my
roadworrior gets other things use?

 From that other(server) end, the network behind the server sees that
IP my roadworrior gets, can ping it but, how to make, eg. apache etc,
use and serve on that IP?
If I do nmap from server's net on my roadwarrior IP it says port is
closed.

Is it something I can do at my end? Which would be great if possible.


without a firewall either on your RW or on the Gateway side there is no 
reason you should not be able to reach any port on your RW.


The question is, does your service bind itself to your RW-IP?

What does netstat report for your apache?

netstat -tulpn | grep apache

Usually you configure in /etc/apache2/ports.conf which IPs apache 
should listen on, or whether it should listen on all IPs.


Some services don't bind to interfaces added after the service started, 
so maybe you have to restart it after the VPN connection is up.



Dirk


Re: [strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

2015-10-28 Thread Dirk Hartmann



--On Wednesday, October 28, 2015 05:18:28 PM +0800 Rayson Zhu 
 wrote:



yes, but only if you don't use high encryption.
so sad.

On Wed, Oct 28, 2015 at 4:56 PM, Roger Skjetlein
 wrote:


I found out that this combination works with of the devices out
there: ike = 3des-sha1-modp1024
esp = aes256-sha1,aes192-sha1,aes128-sha1


ike=aes256-sha2_512-modp2048,aes256-sha1-modp1024
esp=aes256-sha2_512,aes256-sha1,aes128-sha1

should work too but you still would have the dangerous modp1024 for 
Win7 etc.



windows 7 to 10, os x 10.11, ios 8 and 9, android...

On Wed, Oct 28, 2015 at 2:50 AM, Rayson Zhu  wrote:


I met this issue too. I have to change my cipher suite to
aes128-sha-1-modp1024 to connect IOS devices.


On Tuesday, October 27, 2015, Tobias Brunner 
wrote:


Hi Harald,

> If I got you correctly I would have to move back to DH2, just to
> make the iphone users happy.

Correct, or you use a configuration profile with
DiffieHellmanGroup set to one of the other groups Apple claims to
support (I don't know which of them actually work, though): 2
(Default), 5, 14, 15, 16, 17, or 18.

> Do you know of any commitments from Apple to fix this?

No idea.  I wasn't the one adding that information to the wiki.
But you could report the bug to Apple to get a rough idea when it
is fixed.  In this case they will close your bug report and mark
it as duplicate and you won't get any direct status updates etc.
but you can see whether the original ticket is still open or not.


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Dirk Hartmann

Hi Tobias,

--On Wednesday, July 16, 2014 10:48:30 AM +0200 Tobias Brunner 
tob...@strongswan.org wrote:



Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
regard; likely that it is related to the replaced ipsec.conf parser.


It's probably the new parser.
Checking the logs on the gateway running 5.1.3 I discovered that the
rightsendcert = never wasn't honoured for any connection. Windows 7
eap clients received a cert request too. So your suggestion to
remove this option from our config should be no problem.


Intriguing.  Could you send me the complete config file that manifests
this difference in behavior?


Sure.
The normal ipsec.conf includes all *.conf files in the connections 
directory.

The files in this directory are named:
0_all_w7_eapmschap.conf, which I attached as it holds the rightsendcert 
= never.

One file 98_partner1.conf.
The rest are subnet related config files named 172.xx.xx-name.conf; I 
added one too.


Best regards
Dirk


ipsec.conf
Description: Binary data


0_all_w7_eapmschap.conf
Description: Binary data


98_partner1.conf
Description: Binary data


172.25.22-abt1.conf
Description: Binary data

Re: [strongSwan] Small Problems with 5.2

2014-07-15 Thread Dirk Hartmann

Hi Martin,

--On Friday, July 11, 2014 03:04:27 PM +0200 Martin Willi 
mar...@strongswan.org wrote:





ipsec_starter[3318]: notifying watcher failed: Broken pipe



I got: no trusted RSA public key found for NAME


Btw, I don't think these two issues are directly related. While
asynchronous IPC operation is affected, starter actually doesn't use
that.

Probably something else is wrong with that key: trust chain
validation, certificate exchange, or loading trusted certificates.
Your log might have more details.


Was there a change in 5.2 about charon asking for the certificate of 
the peer?
I can establish a connection when I add leftsendcert=yes to the 
configuration of my roadwarrior.

If I don't add it I get a connection with 5.1.3, but on 5.2 I get:
[IKE] no trusted RSA public key found for 'C=DE, O='
in the log of the server.

Best Regards
Dirk



Re: [strongSwan] Small Problems with 5.2

2014-07-15 Thread Dirk Hartmann

Hi Martin,

--On Tuesday, July 15, 2014 01:52:45 PM +0200 Martin Willi 
mar...@strongswan.org wrote:





With this connection active it doesn't matter if I set rightsendcert
to ifasked or yes in the default section or the specific connection
section of my linux roadwarrior. I can't connect because charon
doesn't send a certificate request.

If I remove the conn section for win 7 eap, I can connect.


Certificate requests are sent very early in the IKE negotiation. As a
responder, it is sent in the first IKE_SA_INIT response. At this
stage, charon can not reliably select a configuration, as no peer
identities or authentication methods are known yet.

If no IP address selectors are in place (using left/right), usually
just the first matching configuration is used. This probably is the
win7 connection in your configuration.


ah ok I see


I set rightsendcert = never as mentioned in the wiki page


While this recommendation is fine if you handle Windows clients only,
for mixed setups it can result in these issues. I'll add a note to the
wiki.

If you can't apply IP based selectors to your configuration using
left/right, you should consider removing the rightsendcert option.

Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
regard; likely that it is related to the replaced ipsec.conf parser.


It's probably the new parser.
Checking the logs on the gateway running 5.1.3 I discovered that the 
rightsendcert = never wasn't honoured for any connection. Windows 7 eap 
clients received a cert request too. So your suggestion to remove this 
option from our config should be no problem.


Thanks
Dirk
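A simplified model of the config-selection rule Martin describes here and Tobias describes in the "Migrating to a new ca" thread further up the page, added as an illustration for this page (it is not charon's code): the responder takes the first loaded conn whose local address matches, leftid only narrows the choice when the client actually sends an IDr, certificate requests play no part, and the CERTREQ decision is made at IKE_SA_INIT before any identity is known. The addresses, the conn name linux_rw and the explicit load-order field are assumptions; the leftid values are the ones quoted on the page.

```python
"""Simplified model of charon's config selection as described by Martin
and Tobias on this page.  Added illustration, not strongSwan code."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Conn:
    name: str
    left: str                        # ipsec.conf left= (local address selector)
    leftid: Optional[str] = None     # only compared when the client sends an IDr
    rightsendcert: str = "ifasked"   # decides whether a CERTREQ is sent
    order: int = 0                   # position in which the conn was loaded


def matches_local_addr(conn: Conn, local_addr: str) -> bool:
    """left=%any or %defaultroute match every local address."""
    return conn.left in ("%any", "%defaultroute") or conn.left == local_addr


def select_conn(conns: List[Conn], local_addr: str, idr: Optional[str] = None,
                certreq_ca: Optional[str] = None) -> Optional[Conn]:
    """Return the first loaded conn matching the local address and, if the
    client sent an IDr, its leftid.  certreq_ca is accepted only to make the
    point explicit: a certificate request never influences the choice."""
    for conn in sorted(conns, key=lambda c: c.order):
        if not matches_local_addr(conn, local_addr):
            continue
        if idr is not None and conn.leftid is not None and conn.leftid != idr:
            continue
        return conn
    return None


def certreq_sent(conns: List[Conn], local_addr: str) -> bool:
    """The CERTREQ goes out in the IKE_SA_INIT response, before any identity
    is known, so only the IP selector can narrow the choice at that point."""
    conn = select_conn(conns, local_addr)
    return conn is not None and conn.rightsendcert != "never"


# Thread "Small Problems with 5.2": win7 conn loaded first, rightsendcert=never.
# Constructed sample addresses from the documentation range 203.0.113.0/24.
MIXED_NO_SELECTORS = [
    Conn("win7eapmschap", "%any", rightsendcert="never", order=0),
    Conn("linux_rw", "%any", order=1),
]
MIXED_WITH_SELECTORS = [
    Conn("win7eapmschap", "203.0.113.10", rightsendcert="never", order=0),
    Conn("linux_rw", "203.0.113.11", order=1),
]

# Thread "Migrating to a new ca": two conns differing only in leftcert/leftid.
OLD_ID = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER"
NEW_ID = "C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
SAME_IP = [
    Conn("win7eapmschap", "203.0.113.10", leftid=OLD_ID, order=0),
    Conn("win2018eapmschap", "203.0.113.10", leftid=NEW_ID, order=1),
]
EXTRA_IP = [  # Dirk's plan: bind the new conn to an additional address
    Conn("win7eapmschap", "203.0.113.10", leftid=OLD_ID, order=0),
    Conn("win2018eapmschap", "203.0.113.11", leftid=NEW_ID, order=1),
]


if __name__ == "__main__":
    print("certreq without selectors:", certreq_sent(MIXED_NO_SELECTORS, "203.0.113.10"))
    print("certreq with selectors:   ", certreq_sent(MIXED_WITH_SELECTORS, "203.0.113.11"))
    print("Windows, no IDr, same IP: ", select_conn(SAME_IP, "203.0.113.10").name)
    print("Windows, no IDr, extra IP:", select_conn(EXTRA_IP, "203.0.113.11").name)
```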




Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Dirk Hartmann

Hi Noel,

--On Thursday, July 10, 2014 06:35:40 PM +0200 Noel Kuntze 
n...@familie-kuntze.de wrote:



Can you please provide your strongswan.conf?


sure.

The server, now back on 5.1.3, still uses the simple single 
strongswan.conf:


=
charon {
threads = 16
cisco_unity = yes
send_vendor_id = yes

plugins {

sql {
loglevel = -1
}

attr {
dns = xx.xx.xx.xx, xx.xx.xx.xx
nbns = xx.xx.xx.xx
}
}

libhydra {
plugins {
attr-sql {
database = sqlite:///etc/ipsec.d/database/strongswandb.sqlite
}
}
}

pluto {

}

libstrongswan {
}
=

I think it's a good time to remove pluto from it.


Client still running 5.2 using the split config:

=
charon {

   load_modular = yes

   plugins {

   include strongswan.d/charon/*.conf

   }

}

include strongswan.d/*.conf

aes {

   load = yes

}

attr {

   load = yes

}

blowfish {

   load = yes

}

cmac {

   load = yes

}

constraints {

   load = yes

}

curl {

   load = yes

}

des {

   load = yes

}

dnskey {

   load = yes

}

fips-prf {

   load = yes

}

gmp {

   load = yes

}

hmac {

   load = yes

}

kernel-netlink {

   load = yes

}

md5 {

   load = yes

}

nonce {

   load = yes

}

ntru {

   load = yes

}

openssl {

   load = yes

}

pem {
   load = yes

}

pgp {

   load = yes

}

pkcs12 {

   load = yes

}

pkcs1 {

   load = yes

}

pkcs7 {

   load = yes

}

pkcs8 {

   load = yes

}

pubkey {

   load = yes

}

random {

   load = yes

}

rc2 {

   load = yes

}

resolve {

   file = /etc/resolve.strongswan

   load = yes

   resolvconf {

   }

}

revocation {

   load = yes

}

sha1 {

   load = yes

}

sha2 {

   load = yes

}

socket-default {

   load = yes

}

sshkey {

   load = yes

}

stroke {

   load = yes

}

updown {

   load = yes

}

x509 {
   load = yes

}

xcbc {

   load = yes

}

charon {

   send_vendor_id = yes

   crypto_test {

   }

   host_resolver {

   }

   leak_detective {

   }

   processor {

   priority_threads {

   }

   }

   tls {

   }

   x509 {

   }

}

charon {

   filelog {

   }

   syslog {

   auth {

   default = 1

   enc = 0

   lib = 0

   knl = 0

   job = 0

   }

   }

}

pki {

}

scepclient {

}

starter {

}

openac {

}

pki {

}

scepclient {

}
=

Thanks
Dirk



On 10.07.2014 15:54, Dirk Hartmann wrote:

Hi,

I hit two problems after upgrading to 5.2.
System on both sides is a Debian wheezy 64. Strongswan compiled with:
[client]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish
--enable-curl --enable-openssl --disable-ikev1 --enable-ntru

[gateway]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish
--enable-curl --enable-eap-radius --enable-ha --enable-openssl
--enable-xauth-eap --enable-eap-mschapv2 --enable-eap-identity
--enable-sql --enable-attr-sql --enable-sqlite --enable-xauth-noauth
--enable-ntru

1. I get this error on both systems after upgrade:
ipsec_starter[3318]: notifying watcher failed: Broken pipe

2. I had to roll back to 5.1.3 on the gateway because I couldn't
connect from other linux IKEv2 clients which authenticate via X.509
certificates. I got: no trusted RSA public key found for NAME

On the other side IKEv1 connections from Mac/iOS with certificates
and IKEv2 connections from Windows clients with eap-mschapv2 had no
problems. (No Win7 client with IKEv2 and X.509 certificates tried to
connect at that time.)

As the gateway is in productive use I couldn't debug the problem for
long.

I have a second server with the same configuration that I can use to
dig deeper into the problem. What further information would you
need, what debug levels should I use?

All the while the gateway is back on 5.1.3 while my home client is
still on 5.2 and can connect despite the Broken Pipe error.

Best Regards
Dirk




Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Dirk Hartmann

Hi Martin,

--On Friday, July 11, 2014 09:52:40 AM +0200 Martin Willi 
mar...@strongswan.org wrote:



1. I get this error on both systems after upgrade:
ipsec_starter[3318]: notifying watcher failed: Broken pipe


Hm, interesting, not sure where this broken pipe could come from, nor
do I see this error on my 64bit Wheezy.

Can you provide a little more context to this error message? What gets
logged before/after this error?


Jul 10 10:31:28 media charon: 00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
Jul 10 10:31:28 media charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 10 10:31:28 media charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/dhaKey.pem'
Jul 10 10:31:28 media charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/dhanetKey.pem'
Jul 10 10:31:28 media ipsec_starter[1712]: charon (1713) started after 100 ms
Jul 10 10:31:28 media charon: 03[CFG] received stroke: add connection 'dhanet'
Jul 10 10:31:28 media charon: 03[CFG] left nor right host is our side, assuming left=local
Jul 10 10:31:28 media charon: 03[CFG]   loaded certificate MYCERT from 'dhanetCert.pem'
Jul 10 10:31:28 media charon: 03[CFG] added configuration 'dhanet'
Jul 10 10:31:28 media ipsec_starter[1712]: notifying watcher failed: Broken pipe
Jul 10 10:31:28 media charon: 06[CFG] received stroke: initiate 'dhanet'
Jul 10 10:31:28 media charon: 06[IKE] initiating IKE_SA dhanet[1] to SERVERIP
Jul 10 10:31:28 media charon: 06[NET] sending packet: from LOCALIP[500] to SERVERIP[500] (452 bytes)
Jul 10 10:31:28 media ipsec_starter[1712]: notifying watcher failed: Broken pipe
Jul 10 10:31:28 media charon: 08[NET] received packet: from SERVERIP[500] to LOCALIP[500] (465 bytes)
Jul 10 10:31:28 media charon: 08[IKE] local host is behind NAT, sending keep alives
Jul 10 10:31:28 media charon: 08[IKE] received cert request for CACERT
Jul 10 10:31:28 media charon: 08[IKE] sending cert request for CACERT
Jul 10 10:31:28 media charon: 08[IKE] authentication of 'MYCERT' (myself) with RSA signature successful


Debuglevel was:
charondebug=cfg 2 ike 2, knl 2, net 2


What further information would you need, what debug levels should I
use?


After building strongSwan, can you try to run make check on this
system? Do the watcher/stream tests complete successfully?


yes no problems reported.

 Passed all 4 'watcher' test cases

 Passed all 4 'stream' test cases


the same on both gateways.


If not, the
output of


TESTS_VERBOSITY=2 TESTS_SUITES=watcher, stream make check


could help in debugging this issue.



Thanks
Dirk


Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Dirk Hartmann

Hi Martin,

--On Friday, July 11, 2014 02:55:26 PM +0200 Martin Willi 
mar...@strongswan.org wrote:



Thanks for the update. I could reproduce the issue, it happens when
starter forks() to the background. I haven't seen that, as starter
logs to a different file here.


ah yes I use auth.log for all strongswan related lines.


Due to [1], starter closefrom()s all open file descriptors after the
fork. As we now use libstrongswan to manage IPC sockets, this won't
work. The file descriptor watcher class uses a pipe() to signal FDSET
changes. And the closefrom() just kills our pipe.

Not sure what the best approach is to address this, but the
closefrom() is definitely not that elegant. The attached patch fixes
the issue here.


tested and works.

Thank you!
Dirk


[strongSwan] Small Problems with 5.2

2014-07-10 Thread Dirk Hartmann

Hi,

I hit two problems after upgrading to 5.2.
System on both sides is a Debian wheezy 64. Strongswan compiled with:
[client]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish 
--enable-curl --enable-openssl --disable-ikev1 --enable-ntru


[gateway]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish 
--enable-curl --enable-eap-radius --enable-ha --enable-openssl 
--enable-xauth-eap --enable-eap-mschapv2 --enable-eap-identity 
--enable-sql --enable-attr-sql --enable-sqlite --enable-xauth-noauth 
--enable-ntru


1. I get this error on both systems after upgrade:
ipsec_starter[3318]: notifying watcher failed: Broken pipe

2. I had to roll back to 5.1.3 on the gateway because I couldn't 
connect from other linux IKEv2 clients which authenticate via X.509 
certificates.

I got: no trusted RSA public key found for NAME

On the other side IKEv1 connections from Mac/iOS with certificates and 
IKEv2 connections from Windows clients with eap-mschapv2 had no 
problems.
(No Win7 client with IKEv2 and X.509 certificates tried to connect at 
that time.)


As the gateway is in productive use I couldn't debug the problem for 
long.


I have a second server with the same configuration that I can use to 
dig deeper into the problem. What further information would you need, 
what debug levels should I use?


All the while the gateway is back on 5.1.3 while my home client is 
still on 5.2 and can connect despite the Broken Pipe error.


Best Regards
Dirk




Re: [strongSwan] temporarily disable a road warrior user

2014-02-19 Thread Dirk Hartmann

Hi Karl,

--On Tuesday, February 18, 2014 06:24:46 PM +0100 Karl Hiramoto 
k...@hiramoto.org wrote:



I have multiple road warriors with their own certificates.

How can I temporarily disable the user, without revoking the
certificate,  can I do that?


I assume you don't have a unique entry for every user in your 
ipsec.conf, so that you could simply disable this config?



Do I revoke it, and to re-enable by removing it from the CRL?   Is
there an easier way?


Reenabling a revoked certificate is not a good idea.

You could add a specific config for his connection for example:

conn tempdis
    authby=rsasig
    right=%any
    rightid=@certificatename
    rightauth2=xauth
    auto=add

I think this specific config should win over a catchall.
rightauth2=xauth would require a 2nd auth before establishing the 
tunnel.

So if you put
tempdis : XAUTH noentryhere
in your ipsec.secrets he couldn't log in without knowing the secret and 
the connection would fail.


I'm not 100% sure of this solution; could anyone comment on whether it 
works this way?


Dirk



Re: [strongSwan] wiki article iOS

2013-03-15 Thread Dirk Hartmann
Hi Michael,

--On Friday, March 15, 2013 08:21:55 AM +0100 Michael Monnerie 
lists.michael.monne...@is.it-management.at wrote:

 http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29

 I'm trying to get my iPad work with strongswan 5.0.2, followed that
 article, but I just get this. What's wrong?

 Mar 15 08:16:15 sharepoint1 charon: 05[IKE] no IKE config found for 212.69.162.156...81.217.108.227, sending NO_PROPOSAL_CHOSEN
 Mar 15 08:16:15 sharepoint1 charon: 05[ENC] generating INFORMATIONAL_V1 request 293443323 [ N(NO_PROP) ]

could you include your ipsec.conf?

Do you have set

left=212.69.162.156
and
right=%any

Dirk

-- 
Dirk Hartmann, Heise Zeitschriften Verlag GmbH & Co. KG
IT-Systemmanagement, Karl-Wiechert-Allee 10,  D-30625 Hannover
E-Mail: d...@heise.de - Tel.: +49 511 5352 494 - FAX:  - 479
PGP-Fingerprint 4153 7C95 3259 C39F 49AA  9BAA 6833 A8DC 6D90 050E

Don't blame me for the following spam, blame european government:

Heise Zeitschriften Verlag GmbH & Co. KG
Registry court: Amtsgericht Hannover HRA 26709

Personally liable partner:
Heise Zeitschriften Verlag Geschäftsführung GmbH
Registry court: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder


Re: [strongSwan] Multiple tunnels between two endpoints

2013-01-08 Thread Dirk Hartmann


--On Tuesday, January 08, 2013 11:30:00 AM +0330 Ali Masoudi 
masoudi1...@gmail.com wrote:

 Thank you Dirk for your answer,

 But what about ikev1 connections? I think using multiple subnets in
 one connection is acceptable in ikev2. If I'm wrong, correct me
 please.

no that is correct.
IKEv2 supports multiple subnets separated by commas, IKEv1 only 
interprets the first subnet of such a definition, unless the Cisco 
Unity extension plugin is enabled (available since 5.0.1).
http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

 I use reuse_ikesa = no for a while and I have no problem, but in the
 last week, I started to work with heartbeat service from linux-ha, and
 in the failover occasions, after i bring up the virtual ip address
 related service (I have written) for ipsec, I had a few problems to
 bring up some tunnels. But when I use reuse_ikesa = yes, the
 problems solved.

could it be a timing-problem? I assume that initiating a full IKE_SA 
takes more time than just a CHILD_SA.




Re: [strongSwan] Multiple tunnels between two endpoints

2013-01-07 Thread Dirk Hartmann
Hi Ali,

--On Monday, January 07, 2013 02:39:55 PM +0330 Ali Masoudi 
masoudi1...@gmail.com wrote:

 I have a simple question, and I would be grateful if anyone could
 answer it.

 If we want to establish multiple tunnels between two endpoints, is it
 recommended to use the reuse_ikesa = no option in strongswan.conf?

 I figured out in my tests that it is better to use the default config.
 Am I right? What is the application of the reuse_ikesa option? Thanks a
 lot.

If you set reuse_ikesa = no there will be a new IKE_SA for every 
CHILD_SA.

Normally it is OK to have one IKE_SA with multiple CHILD_SAs.
Handling is a little bit easier if you want to stop/start single 
CHILD_SAs.

Do the different tunnels run to the same net on one side? Then you 
could enable them in a single tunnel.
Example:
rightsubnet=192.168.1.0/25
leftsubnet=10.0.0.0/8,172.16.1.0/24,172.16.2.0/24,172.31.0.0/16

Best Regards
Dirk




Re: [strongSwan] iOS ipad Config

2012-11-19 Thread Dirk Hartmann
Hi,

--On Monday, November 19, 2012 09:59:42 PM -0500 Chris Arnold 
carn...@electrichendrix.com wrote:

 strongSwan 4.4 I believe, and trying to get an iPad with iOS 6 to
 connect to the server. I have this for my ipsec.conf:

 conn iOS
   keyexchange=ikev1
   authby=xauthrsasig
   xauth=server
   left=%defaultroute
   leftsubnet=192.168.1.0/24
   leftcert=serverCert.pem
   right=%any
   rightsourceip=192.168.3.0/24
   #rightcert=
   pfs=no
   auto=add

 and this for ipsec.secrets:

 : RSA serverKey.pem
 username : XAUTH password


 I can't even tell if this config works, as on the iPad "use certs" is
 greyed out and will not let me turn it on. Anyone else out there
 seeing this?

Did you already import the certificate on the iPad, and does it match 
these requirements?
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#Certificate-requirements-for-iOS-interoperability

Dirk



[strongSwan] W7 eap-mschapv2 with defined ip

2012-08-22 Thread Dirk Hartmann
Hi,

I played with a config to connect Win7 clients with EAP-MSCHAPv2 auth:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig


works so far, but has the drawback that you can't assign a static IP 
to a specific user. I tried to simply use two connections with:

conn win7eap
  right=%any
  rightauth=eap-mschapv2
  rightsourceip=10.0.0.3
  rightsendcert=never
  eap_identity=dhaeap

conn win7auth
  right=%any
  rightauth=eap-mschapv2
  rightsourceip=10.10.2.3
  rightsendcert=never
  eap_identity=dhaw7

But strongSwan always picks the first connection for every client 
connecting via eap-mschapv2, so eap_identity doesn't work the way I 
expected it to.

Aug 22 09:37:36 purgatory01 charon: 09[CFG]   candidate win7eap, match: 1/1/5/2 (me/other/ike/version)
Aug 22 09:37:36 purgatory01 charon: 09[CFG]   candidate win7auth, match: 1/1/5/2 (me/other/ike/version)
Aug 22 09:37:36 purgatory01 charon: 09[CFG] selected peer config 'win7eap'

Is there another way to assign static IPs to Win7 clients connecting 
with eap-mschapv2, or is this only possible using client certificates?

The thing is I would like to assign different networks to different 
users depending on their department.

Thanks and Regards

Dirk



Re: [strongSwan] W7 eap-mschapv2 with defined ip

2012-08-22 Thread Dirk Hartmann
Hi Andreas,

works like a charm.
Thank you very much!

Dirk

--On Wednesday, August 22, 2012 10:22:59 AM +0200 Andreas Steffen 
andreas.stef...@strongswan.org wrote:

 Hi Dirk,

 Did you have a look at the ipsec pool tool, which allows you to
 pre-assign static IP addresses to users by storing them in
 a small SQLite database:

 http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool

 Interesting for you is a feature which allows ipsec pool
 to read a file-based list and store the entries in the
 database:

 ipsec pool --add name --addresses file [--timeout timeout]

 Add a list of pool addresses to the database.

 name: Name of the pool, as used in ipsec.conf rightsourceip=%name

 file: File from which newline-separated pool addresses are read

 Optionally each address can be pre-assigned to a roadwarrior identity,
 e.g. 10.231.14.2=al...@strongswan.org.
 If a '-' (hyphen) is given instead of a file name, the addresses are
 read from STDIN.
 Reading addresses stops at the end of file or an empty line.
 Pools created with this command cannot be resized.

 timeout: Lease time in hours, 0 for static leases

 Best regards

 Andreas

 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution! www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)





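The ipsec pool procedure quoted above, as an added example that is not part of the original posts: a POSIX shell script that builds the newline-separated address file for `ipsec pool --add NAME --addresses FILE`, one static lease per user in the address=identity form, validating each entry before the command sees it. The user list is constructed; the identities reuse the eap_identity values from the thread only for illustration, and the `ipsec` binary is assumed to be on PATH for load_pool.

```shell
#!/bin/sh
# Added example, not from the list post: build the address file that
# `ipsec pool --add NAME --addresses FILE` reads, one static lease per user in
# the address=identity form, and validate each line first.

# Constructed input, one "identity address" pair per line (not real users)
USERS='dhaeap 10.0.0.3
dhaw7 10.10.2.3'

# validate_pool_line LINE -> 0 when LINE is "a.b.c.d=identity", 1 otherwise
validate_pool_line() {
    case "$1" in
        *=*) ;;
        *) return 1 ;;
    esac
    v_addr=${1%%=*}
    v_id=${1#*=}
    [ -n "$v_id" ] || return 1
    printf '%s\n' "$v_addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_pool_file OUT -> writes OUT from USERS, failing on the first bad entry.
# ipsec pool stops reading at an empty line, so blank input lines are skipped.
build_pool_file() {
    out=$1
    : > "$out"
    while read -r id addr; do
        [ -n "$id" ] || continue
        line="$addr=$id"
        validate_pool_line "$line" || { echo "bad entry: $line" >&2; return 1; }
        printf '%s\n' "$line" >> "$out"
    done <<EOF
$USERS
EOF
}

# load_pool NAME FILE -> the command from the thread; --timeout 0 makes the
# leases static. Pools created this way cannot be resized, so a changed file
# means recreating the pool. NAME is what rightsourceip=%NAME refers to.
load_pool() {
    ipsec pool --add "$1" --addresses "$2" --timeout 0
}
```

Run `build_pool_file /etc/ipsec.d/w7pool.txt && load_pool w7pool /etc/ipsec.d/w7pool.txt` (paths are placeholders) and point the conn at rightsourceip=%w7pool.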

Re: [strongSwan] CA

2009-03-16 Thread Dirk Hartmann


--On Sunday, March 15, 2009 09:29:16 AM +0100 Daniel Mentz 
danielml+mailinglists.strongs...@sent.com wrote:

 http://sandbox.rulemaker.net/ngps/m2/howto.ca.html

 I did not check it in detail and there might be better sites. But I
 think if you mix the information you get from this site with the
 information from the strongSwan configuration guide then you should
 be able to set up a CA for using it with strongSwan.

And if you prefer a GUI to create and manage your CA, you could try 
tinyca2:
http://tinyca.sm-zone.net/

It is also available as a package in most distributions.



Re: [strongSwan] IPsec SA error

2009-03-13 Thread Dirk Hartmann


--On Friday, March 13, 2009 02:25:32 PM +0100 Daniel Mentz 
danielml+mailinglists.strongs...@sent.com wrote:

 antonio quisillo wrote:
 received netlink error: Protocol not supported (93)
 unable to add SAD entry with SPI c0844b4a
 unable to install IPsec SA (SAD) in kernel

 Here's a quote from strongSwan developer Martin Willi:

 It seems that your kernel does either not support transport/tunnel
 mode or one of the algorithms. Please have a look at our wiki for a
 list of modules required:

 http://trac.strongswan.org/wiki/KernelModules

 END OF QUOTE

 Does this solve your problem?

From my own experience it is probably the missing xfrm6_mode_tunnel module, 
even if you don't use IPv6.
Try: modprobe xfrm6_mode_tunnel

https://lists.strongswan.org/pipermail/users/2008-November/002917.html

Dirk


[strongSwan] Low-Prio Feature Request libstrongswan plugin twofish

2009-03-12 Thread Dirk Hartmann
Hi,

Just as in the subject, I have a low-priority feature request.
At the moment I am trying to migrate as many tunnels as possible to IKEv2. It 
would be nice to be able to use Twofish with charon as an alternative to AES for 
IKEv2.

Thanks
Dirk


Re: [strongSwan] ipsec IKEv2 host-host

2009-03-12 Thread Dirk Hartmann
Hi

--On Friday, March 13, 2009 00:26:21 +0530 abhishek kumar 
abhishekr...@gmail.com wrote:

 no matching config found for '192.168.3.4'...'192.168.3.3'

Just a guess: try switching left and right in ipsec.conf on sun to:
conn host-host
  left=192.168.3.4
  right=192.168.3.3

Dirk