[strongSwan] What is the correct subnet for rightsourceip?

2021-12-17 Thread Houman
Hello,

I have seen many examples using subnet /24. However, that's only 254 IP
addresses, meaning only 254 could connect to the VPN at a time.

rightsourceip=10.10.10.0/24, fdf3:5237:bf63::/64

Is there any harm if I choose subnet /22 to increase it to 1022 IPs?

rightsourceip=10.10.10.0/22, fdf3:5237:bf63::/64

Many thanks,
Houman


Re: [strongSwan] How to get StrongSwan work with IPv6?

2021-11-21 Thread Houman
Hello Noel,

Good call. I have tried it with *tcpdump icmp6*

12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:33.015768 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:33.015853 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:37.230773 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:37.230832 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:37.231091 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:37.231276 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:37.244840 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63401, length 179
12:51:41.217794 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:41.399465 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:41.399497 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:41.399515 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:41.399526 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:41.399536 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:41.399555 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:42.267324 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:48.624243 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:48.624270 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60718, length 153

This is strange because the firewall should be ok:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [4571:533993]
:OUTPUT ACCEPT [3620:1295287]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT

IPv6 doesn't need NAT. So what is here unreachable?

Thanks,
Houman


On Sun, 14 Nov 2021 at 23:26, Noel Kuntze wrote:

> Hello Houman,
>
> Looks like it's time for tcpdump, wireshark, ... .
> Collect traffic dumps as shown on the wiki[1] to figure out what replies
> the peer gets and what is forwarded.
>
> Also, verify your testing method and client configuration, specifically
> iptables/ip6tables if it's Linux.
>
> Kind regards
> Noel
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
>
> Am 12.11.21 um 08:26 schrieb Houman:
> > Good morning,
> >
> > I have disabled forceencaps and enabled IPv6.  I can establish a VPN
> connection via IPv6. But no traffic goes through. IPv4 connection is
> working.
> > I'm sharing my config below. I would really appreciate it if
> somebody could h

[strongSwan] How to get StrongSwan work with IPv6?

2021-11-11 Thread Houman
gswan-starter*
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
   Main PID: 905 (starter)
      Tasks: 18 (limit: 2276)
     Memory: 11.3M
        CPU: 685ms
     CGroup: /system.slice/strongswan-starter.service
             ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
             └─918 /usr/libexec/ipsec/charon

Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms

*ip6tables-save*
*filter
:INPUT DROP [0:0]
:FORWARD DROP [176:15578]
:OUTPUT ACCEPT [2539:673098]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT
# Completed on Fri Nov 12 07:18:59 2021
# Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
*nat
:PREROUTING ACCEPT [848:78316]
:INPUT ACCEPT [12:2456]
:OUTPUT ACCEPT [17:1616]
:POSTROUTING ACCEPT [677:61898]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
COMMIT

*ip route show table all*
default via 172.31.1.1 dev eth0
172.31.1.1 dev eth0 scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
::1 dev lo proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:::/80 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 onlink pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d::: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium

*ip address*
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
altname enp0s3
altname ens3
inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
   valid_lft 82750sec preferred_lft 82750sec
inet6 2a01:4f8:c17:1f2d:::/80 scope global
   valid_lft forever preferred_lft forever
inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
   valid_lft forever preferred_lft forever
inet6 2a01:4f8:c17:1f2d::1/128 scope global
   valid_lft forever preferred_lft forever
inet6 fe80::9400:ff:fef1:6bcb/64 scope link
   valid_lft forever preferred_lft forever

Please let me know if you need anything else. Much appreciated.
Thank you,
Houman


[strongSwan] Latest Android doesn't compile

2020-11-19 Thread Houman
Hello Tobias,

The latest Android Frontend is no longer compiling after your latest
changes.
I'm using BoringSSL instead of OpenSSL as recommended.

[arm64-v8a] StaticLibrary  : libcrypto_static.a
[arm64-v8a] SharedLibrary  : libstrongswan.so
fcntl(): Bad file descriptor
ld: error: relocation R_AARCH64_PREL64 cannot be used against symbol OPENSSL_armcap_P; recompile with -fPIC
>>> defined in /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a(sha1-armv8.o)
>>> referenced by sha1-armv8.o:(.text+0x1240) in archive /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a

ld: error: relocation R_AARCH64_PREL64 cannot be used against symbol OPENSSL_armcap_P; recompile with -fPIC
>>> defined in /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a(sha1-armv8.o)
>>> referenced by sha256-armv8.o:(.text+0xF48) in archive /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a

ld: error: relocation R_AARCH64_PREL64 cannot be used against symbol OPENSSL_armcap_P; recompile with -fPIC
>>> defined in /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a(sha1-armv8.o)
>>> referenced by sha512-armv8.o:(.text+0x10C8) in archive /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [/Users/houmie/Library/Android/sdk/ndk/22.0.6917172/build/core/build-binary.mk:728: /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libstrongswan.so] Error 1
make: *** Waiting for unfinished jobs
[x86] SharedLibrary  : libstrongswan.so
fcntl(): Bad file descriptor
[armeabi-v7a] SharedLibrary  : libstrongswan.so
fcntl(): Bad file descriptor
fcntl(): Bad file descriptor
[x86_64] Compile: crypto_static <= p256-64.c

> Task :app:buildNative FAILED

Any suggestions, please?
Many Thanks,
Houman


Re: [strongSwan] StrongSwan for Android

2020-10-29 Thread Houman
Hi Tobias,

Thank you so much. I got it working.

I needed only this last step:

git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static openssl

to execute from src/frontends/android/app/src/main/jni/

Superb!

Kind Regards,
Houman


On Thu, 29 Oct 2020 at 07:39, Tobias Brunner  wrote:

> Hi Houman,
>
> Please follow the instructions on [1].
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientBuild
>


[strongSwan] StrongSwan for Android

2020-10-28 Thread Houman
Hi Tobias,

I really hope you can help me with this. I'm trying to build the Android
Client
https://github.com/strongswan/strongswan/tree/master/src/frontends/android

I have successfully compiled StrongSwan on my Mac as requested
in README.ndk (first paragraph).

I have also successfully installed the NDK in Android Studio, but it fails when
I try to run it in the Android simulator with the following error message:

Execution failed for task ':app:buildNative'.
> Process 'command '/Users/houmie/Library/Android/sdk/ndk/21.3.6528147/ndk-build'' finished with non-zero exit value 2

Is this because I need to copy BoringSSL sources in
app/src/main/jni/openssl as explained in the second paragraph in
the README.ndk?  But where is this path? I don't see it in the StrongSwan
directory hierarchy.

Many Thanks,
Houman


Re: [strongSwan] DH group ECP_256 unacceptable, requesting ECP_256

2020-10-16 Thread Houman
Hi Tobias,

I came across the same issue that someone else had raised with you 10
months ago. Unfortunately it seems he was right about the bug.
https://wiki.strongswan.org/issues/3290

This is what I'm getting:
Oct 16 07:36:48 de-fsn-x charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.0, Linux 5.4.0-1028-aws, x86_64)
Oct 16 07:36:48 de-fsn-x charon: 00[KNL] unable to create IPv4 routing table rule
Oct 16 07:36:48 de-fsn-x charon: 00[KNL] unable to create IPv6 routing table rule
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/ipsec.d/cacerts/chain.pem'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 16 07:36:48 de-fsn-x ipsec[1855]: /usr/libexec/ipsec/charon: symbol lookup error: /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: undefined symbol: mp_read_unsigned_bin
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 16 07:36:48 de-fsn-x ipsec[506]: charon has died -- restart scheduled (5sec)
Oct 16 07:36:48 de-fsn-x ipsec[506]: charon refused to be started
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'

This is how I compiled everything:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl/
./autogen.sh
./configure --disable-crypttests --disable-examples --enable-keygen \
  --enable-rsapss --enable-aesccm --enable-aesctr --enable-des3 \
  --enable-camellia --enable-curve25519 --enable-ed25519 --enable-curve448 \
  --enable-ed448 --enable-sha3 --enable-shake256
make
make check
make install
mv /usr/local/lib/libwolfssl.* /usr/lib/
cd ..
wget https://download.strongswan.org/strongswan-5.9.0.tar.bz2
tar xjvf strongswan-5.9.0.tar.bz2
cd strongswan-5.9.0
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-radius \
  --enable-eap-identity --enable-systemd --enable-swanctl --enable-gcm \
  --enable-aesni --enable-wolfssl
make install


Thank you,
Houman


On Thu, 15 Oct 2020 at 19:31, Houman  wrote:

> Hello Tobias,
>
> Thank you for your reply.  Excellent, now I understand.
>
> If I compile WolfSSL into /usr/local/lib and then compile StrongSwan
> with --enable-wolfssl. Will StrongSwan automatically pick up the latest
> WolfSSL lib like that?
> Or do I need to set a path as well?
>
> Many Thanks,
> Houman
>
> On Thu, 15 Oct 2020 at 16:53, Tobias Brunner wrote:
>
>> Hi,
>>
>> > Is that another plugin that I need to compile?
>>
>> Yes, you need one of the third-party crypto plugins (openssl, wolfssl,
>> botan).  See [1] for the list of all algorithms and the plugins that
>> provide them.
>>
>> Regards,
>> Tobias
>>
>> [1]
>> https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
>>
>


Re: [strongSwan] DH group ECP_256 unacceptable, requesting ECP_256

2020-10-15 Thread Houman
Hello Tobias,

Thank you for your reply.  Excellent, now I understand.

If I compile WolfSSL into /usr/local/lib and then compile StrongSwan
with --enable-wolfssl. Will StrongSwan automatically pick up the latest
WolfSSL lib like that?
Or do I need to set a path as well?

Many Thanks,
Houman

On Thu, 15 Oct 2020 at 16:53, Tobias Brunner  wrote:

> Hi,
>
> > Is that another plugin that I need to compile?
>
> Yes, you need one of the third-party crypto plugins (openssl, wolfssl,
> botan).  See [1] for the list of all algorithms and the plugins that
> provide them.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
>


[strongSwan] DH group ECP_256 unacceptable, requesting ECP_256

2020-10-15 Thread Houman
Hey guys,

I figured out my issue this morning. I needed to compile StrongSwan
with --enable-gcm. Now I can use AES256GCM. Pretty sweet.

When I try to use diffieHellmanGroup = group19 on iOS though I get the
following error message on the server.

Oct 15 15:17:03 de-fsn-x charon: 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 15 15:17:03 de-fsn-x charon: 15[IKE] DH group ECP_256 unacceptable, requesting ECP_256

Is that another plugin that I need to compile? Why is that DH group
unacceptable?


Many Thanks,
Houman


[strongSwan] How to allow AES256GCM and diffieHellmanGroup 19

2020-10-15 Thread Houman
Hello,

(Sorry about the previous message without a subject line)

I would like to change the encryption to support the following on iOS:

ikev2.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
ikev2.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.childSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.childSecurityAssociationParameters.diffieHellmanGroup = .group19

This is how the server is setup:
config setup
  strictcrlpolicy=yes
  uniqueids=never
conn ${SERVERNAME}
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  dpdtimeout=3600s
  rekey=no
  left=%any
  leftid=@${VPNHOST}
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0, ::/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=${DNS1},${DNS2}
  rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
  leftfirewall=no

But I can't connect, what do I have to change to make this possible,
please?
Thanks
Houman
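To check a client suite against ike=/esp= strings like the ones in this post before touching the server, here is an added example (not strongSwan's own code). It parses the ipsec.conf proposal syntax shown above (comma-separated proposals, dash-separated keywords, a trailing '!' meaning strict) and tests whether a combination such as AES-256-GCM with PRF-SHA-256 and ECP-256 (group 19) is covered; the keyword classes it recognises are an assumption limited to the algorithms used in this config.

```python
import re

# Keyword classes for the algorithm names used in the server config on the
# page. Assumption of this example: a subset of strongSwan's keyword list;
# anything unknown raises instead of being guessed.
_CLASSES = (
    ("prf", re.compile(r"^prf")),
    ("dh", re.compile(r"^(modp|ecp|curve|x25519|x448)")),
    ("integ", re.compile(r"^(aesxcbc|aescmac|sha|md5)")),
    ("enc", re.compile(r"^(aes|3des|des|camellia|chacha20poly1305|null)")),
)


def classify(alg: str) -> str:
    """Map one dash-separated keyword to enc / integ / prf / dh."""
    for kind, pattern in _CLASSES:
        if pattern.match(alg):
            return kind
    raise ValueError(f"unknown proposal keyword: {alg!r}")


def parse_proposals(value: str):
    """Parse an ike= or esp= value into a list of proposals.

    Each proposal becomes a dict of sets keyed by algorithm class.
    Returns (proposals, strict); strict is True when the value ends in
    '!', in which case strongSwan sends no default proposals."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = []
    for chunk in value.split(","):
        chunk = chunk.strip()  # tolerate ", " as written in the post
        if not chunk:
            continue
        algs = {"enc": set(), "integ": set(), "prf": set(), "dh": set()}
        for alg in chunk.split("-"):
            algs[classify(alg)].add(alg)
        proposals.append(algs)
    return proposals, strict


def ike_accepts(ike_value: str, enc: str, prf: str, dh: str) -> bool:
    """True if some IKE proposal contains enc, prf and dh together.

    Without an explicit prf keyword strongSwan derives the PRF from the
    integrity keyword (aes256-sha256 implies prfsha256), so integrity
    names are also accepted as PRFs here."""
    proposals, _ = parse_proposals(ike_value)
    for p in proposals:
        prfs = p["prf"] | {"prf" + i for i in p["integ"]}
        if enc in p["enc"] and prf in prfs and dh in p["dh"]:
            return True
    return False


def esp_accepts(esp_value: str, enc: str, integ=None, dh=None) -> bool:
    """True if some ESP proposal contains enc, plus integ / dh when given.

    integ is None for an AEAD cipher such as aes256gcm16; dh, when given,
    is the PFS group the peer offers when rekeying via CREATE_CHILD_SA."""
    proposals, _ = parse_proposals(esp_value)
    for p in proposals:
        if enc not in p["enc"]:
            continue
        if integ is not None and integ not in p["integ"]:
            continue
        if dh is not None and dh not in p["dh"]:
            continue
        return True
    return False


def keywords_present(value: str, needle: str) -> bool:
    """Whether any proposal mentions a keyword fragment (e.g. 'sha384')."""
    return any(needle in alg for p in parse_proposals(value)[0]
               for algs in p.values() for alg in algs)


# The server's proposal strings exactly as posted above.
SERVER_IKE = ("aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-"
              "modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!")
SERVER_ESP = ("aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-"
              "modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, "
              "aes256-sha256-sha1!")

if __name__ == "__main__":
    # AES-256-GCM with PRF-SHA-256 and ECP-256 (group 19) is covered ...
    print(ike_accepts(SERVER_IKE, "aes256gcm16", "prfsha256", "ecp256"))
    # ... while no proposal in the posted config mentions SHA-384 in any role.
    print(keywords_present(SERVER_IKE, "sha384"))
```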


[strongSwan] (no subject)

2020-10-15 Thread Houman


[strongSwan] What compilation flag is needed for systemctl?

2020-08-28 Thread Houman
Hello,

Today I have compiled the latest StrongSwan 5.9 with the following flags:

./configure --prefix=/usr --sysconfdir=/etc --enable-eap-radius

Everything goes smoothly, but it seems I don't have any services installed.

systemctl restart ipsec
ends up with
Unit ipsec.service could not be found.

Did I have to use the flag --enable-systemd when compiling? And
everything would be in the right place?

I'm on Ubuntu 20.04. Any other advice along the way is much appreciated,

Thank you,
Houman


[strongSwan] Can I obfuscate StrongSwan (IKEv2)?

2020-08-04 Thread Houman
Hello,

Our VPN was recently blocked in UAE by one of their major ISP providers.
The connection is established but no traffic goes through.  I'm unsure how
they have achieved this, but potentially they run a DPI on their network
and block our packets.

I was hoping to see if there is something I could do to obfuscate it to
remain anonymous?

For example there is the XOR patch for OpenVPN
https://github.com/clayface/openvpn_xorpatch.
Although not perfect, it helps a bit.

Is there something like that for StrongSwan where I could patch StrongSwan
from source and compile it (and cross my fingers)? :-)

Many Thanks,
Houman


Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

2020-07-07 Thread Houman
Hi Tobias,

Thanks again for your help.

I have changed *forceencaps* to *no* in /etc/ipsec.conf, saved and
rebooted.
I still get the same errors. Although the "faking NAT situation to enforce
UDP encapsulation" is not showing anymore. Is this now something else?

Jul  7 00:28:58 de-fsn-6 charon: 12[ENC] generating INFORMATIONAL response 24 [ ]
Jul  7 00:28:58 de-fsn-6 charon: 12[NET] sending packet: from 144.76.11x.xxx[4500] to 2.50.157.xxx[4500] (80 bytes)
Jul  7 00:28:59 de-fsn-6 charon: 11[NET] received packet: from 2001:8f8:xxx:xxx:504c:4f39:258e:8191[4500] to 2a01:4f8:192:::2[4500] (144 bytes)
Jul  7 00:28:59 de-fsn-6 charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT, sending keep alives
Jul  7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul  7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI cf20af06
Jul  7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul  7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI 0b13a954
Jul  7 00:28:59 de-fsn-6 charon: 11[ENC] generating INFORMATIONAL response 11 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul  7 00:28:59 de-fsn-6 charon: 11[NET] sending packet: from 2a01:4f8:xxx:732c::2[4500] to 2001:8f8:xxx:53d3:504c:4f39:xxx:8191[4500] (128 bytes)
Jul  7 00:28:59 de-fsn-6 charon: 01[KNL] creating acquire job for policy 128.116.xxx.3/32[tcp/https] === 10.10.18.xxx/32[tcp/56633] with reqid {2595}
Jul  7 00:28:59 de-fsn-6 charon: 01[CFG] trap not found, unable to acquire reqid 2595
Jul  7 00:29:00 de-fsn-6 charon: 06[NET] received packet: from 2001:8f8:1163::504c:4f39:258e:8191[4500] to 2a01:4f8:xxx:::2[4500] (144 bytes)
Jul  7 00:29:00 de-fsn-6 charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  7 00:29:00 de-fsn-6 charon: 06[IKE] received retransmit of request with ID 11, retransmitting response
Jul  7 00:29:00 de-fsn-6 charon: 06[NET] sending packet: from 2a01:4f8:192:::2[4500] to 2001:8f8:1163:53d3:504c::258e:8191[4500] (128 bytes)
Jul  7 00:29:01 de-fsn-6 charon: 15[IKE] retransmit 5 of request with message ID 0


It is very strange that the same configuration works with StrongSwan 5.7.2
but 5.8.2 throws these errors. Something must have changed that I'm
missing, I think.
If you see no other possibility, I suppose I have no other choice than
disabling IPv6 by setting *use_ipv6 = no* in
*/etc/strongswan.d/charon/socket-default.conf*

I was hoping not to do it, as some ISP might only support IPv6 and by doing
that I might cause new problems. What do you think?  Maybe I should live
with that error. After all, it happens only 5 times a day. What is the most
sensible thing to do?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 11:12, Tobias Brunner  wrote:

> Hi Houman,
>
> > I could disable *forceencaps=no* but having it enabled helps overcoming
> > restrictive firewalls.  So maybe it's better for my users if I
> > disabled IPv6 instead. Do you agree?
> > Or is forcing it not such a big deal after all?
>
> Depends on the clients.  Many will be behind a NAT anyway, others (e.g.
> our Android client) will also force UDP encapsulation.  Only for
> unnatted clients behind restrictive firewalls that can't force it
> themselves, will forcing it on the server make a difference.
>
> > What is strange is that I thought I had disabled ipv6, like this:
> > ...
> > net.ipv6.conf.all.disable_ipv6 = 1
> > net.ipv6.conf.default.disable_ipv6 = 1
>
> I don't think that affects interfaces that are already up, so you might
> have to explicitly set it for the specific interface too.
>
> > Where do I disable it then?
>
> You may disable charon.plugins.socket-default.use_ipv6 so the plugin
> won't open an IPv6 socket.
>
> Regards,
> Tobias
>


Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

2020-07-06 Thread Houman
Hi Tobias,

Thank you so much for the detailed explanation. You brought up some
interesting points.

I could disable *forceencaps=no* but having it enabled helps overcoming
restrictive firewalls.  So maybe it's better for my users if I
disabled IPv6 instead. Do you agree?
Or is forcing it not such a big deal after all?

What is strange is that I thought I had disabled ipv6, like this:

*/etc/sysctl.conf*
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Where do I disable it then?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 10:08, Tobias Brunner  wrote:

> Hi Houman,
>
> > We have two types of servers. Same users are doing ok on servers with
> > StrongSwan 5.7.2 on kernel  5.3.0-53-generic.
> >
> > But on the servers with StrongSwan 5.8.2 with kernel* 5.4.0-39-generic,
> > *the issue arises. (Not for all users, but quite a few)
>
> I had a closer look at the log and now saw what the problem is.  It has
> nothing to do with the strongSwan or kernel version.
>
> The problem is that the client moves from an IPv4 address to an IPv6
> address and you apparently have UDP-encapsulation forced (see the
> "faking NAT situation to enforce UDP encapsulation").  However, the
> Linux kernel currently does not support UDP encapsulation for IPv6 (the
> upcoming 5.8 kernel will be the first one with support for it), so you
> get that error when the daemon tries to replace the IPv4 SA with an IPv6
> SA that has UDP encapsulation enabled.  Try without forcing UDP
> encapsulation (or disable IPv6 in the socket-default plugin if you don't
> want clients to use it).
>
> Regards,
> Tobias
>
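As an added example (not strongSwan's code), the following correlates charon log lines per worker thread to confirm the pattern Tobias describes above: SAD updates failing only after a MOBIKE address update from an IPv6 peer, while forceencaps=yes is set, the socket-default plugin still opens its IPv6 socket, and the kernel predates 5.8. The log lines are constructed to mirror the redacted ones in this thread, using documentation-prefix addresses; the config snippets are likewise constructed.

```python
import re
from dataclasses import dataclass

# charon log line shape seen in the thread: '<tid>[<subsystem>] <message>'
# after either 'charon:' or 'ipsec[<pid>]:'.
LOG_RE = re.compile(r"(?:charon|ipsec\[\d+\]): (\d+)\[(\w+)\] (.*)$")
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
SAD_RE = re.compile(r"unable to update SAD entry with SPI ([0-9a-f]+)")


@dataclass
class SadFailure:
    thread: str
    peer: str           # source address of the exchange that triggered it
    spi: str
    after_mobike: bool  # an N(UPD_SA_ADDR) notify preceded it on this thread

    @property
    def peer_is_ipv6(self) -> bool:
        return ":" in self.peer


def find_sad_failures(lines):
    """Per worker thread, remember the last 'received packet' source and
    whether a MOBIKE address update was parsed; attribute SAD failures."""
    last_peer, saw_mobike, failures = {}, {}, []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tid, _subsys, msg = m.groups()
        r = RECV_RE.search(msg)
        if r:
            last_peer[tid], saw_mobike[tid] = r.group(1), False
        elif "N(UPD_SA_ADDR)" in msg:
            saw_mobike[tid] = True
        else:
            s = SAD_RE.search(msg)
            if s and tid in last_peer:
                failures.append(SadFailure(tid, last_peer[tid], s.group(1),
                                           saw_mobike.get(tid, False)))
    return failures


def kernel_tuple(release: str):
    """'5.4.0-39-generic' -> (5, 4)."""
    major, minor = release.split(".")[:2]
    return int(major), int(minor)


def conf_value(text: str, key: str, default=None):
    """Minimal key = value lookup for ipsec.conf / strongswan.conf text;
    commented-out lines (as shipped in socket-default.conf) are ignored."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*([^#\n]+)", text, re.M)
    return m.group(1).strip() if m else default


def diagnose(lines, ipsec_conf, socket_default_conf, kernel_release):
    """Match Tobias's explanation: SAD updates fail only for IPv6 peers
    while UDP encapsulation is forced and the kernel is older than 5.8."""
    failures = find_sad_failures(lines)
    ipv6_only = bool(failures) and all(f.peer_is_ipv6 for f in failures)
    forced = conf_value(ipsec_conf, "forceencaps", "no") == "yes"
    use_ipv6 = conf_value(socket_default_conf, "use_ipv6", "yes") == "yes"
    old_kernel = kernel_tuple(kernel_release) < (5, 8)
    if ipv6_only and forced and use_ipv6 and old_kernel:
        return ("forced UDP encapsulation on an IPv6 SA; kernels before 5.8 "
                "lack IPv6 UDP-encap: set forceencaps=no or "
                "charon.plugins.socket-default.use_ipv6 = no")
    return "no match for the IPv6 UDP-encapsulation pattern"


# Constructed sample mirroring the thread's redacted lines, with
# documentation-prefix addresses (TEST-NET and 2001:db8::/32).
SAMPLE_LOG = """\
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] received packet: from 198.51.100.7[4500] to 192.0.2.1[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] parsed INFORMATIONAL request 409 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] generating INFORMATIONAL response 409 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] received packet: from 2001:db8:1::7[4500] to 2001:db8::2[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] remote host is not behind NAT anymore
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] faking NAT situation to enforce UDP encapsulation
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI c8a1394b
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI 0b956c9a
""".splitlines()

SAMPLE_IPSEC_CONF = "conn Falkenstein-6\n  keyexchange=ikev2\n  forceencaps=yes\n"
# The stock socket-default.conf keeps use_ipv6 commented out, so the
# plugin default (yes) applies.
SAMPLE_SOCKET_DEFAULT = "socket-default {\n    # use_ipv6 = yes\n}\n"

if __name__ == "__main__":
    for failure in find_sad_failures(SAMPLE_LOG):
        print(failure)
    print(diagnose(SAMPLE_LOG, SAMPLE_IPSEC_CONF, SAMPLE_SOCKET_DEFAULT,
                   "5.4.0-39-generic"))
```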


Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

2020-07-06 Thread Houman
Hi Tobias,

We have two types of servers. Same users are doing ok on servers with
StrongSwan 5.7.2 on kernel  5.3.0-53-generic.

But on the servers with StrongSwan 5.8.2 with kernel *5.4.0-39-generic*, the
issue arises. (Not for all users, but quite a few)

> increase the log level for knl to 2 to see which operation failed

Could you please elaborate a bit more on how to change the log level for knl? In
which config do I do that?

Many Thanks,
Houman


On Mon, 6 Jul 2020 at 09:20, Tobias Brunner  wrote:

> Hi,
>
> > I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic
> > (Ubuntu 20.04).
> > I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
> > 19.10).
>
> In the same situation (i.e. if a client's IP address changes)?  Or just
> in general?  Can you replicate this error?
>
> > received netlink error: Invalid argument (22)
>
> As the error indicates, this is returned by the kernel if it doesn't
> like the provided data.  Either when querying the existing SA or when
> replacing it with updated IP addresses (increase the log level for knl
> to 2 to see which operation failed).  Also, what kernel version are you
> using?
>
> Regards,
> Tobias
>


[strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

2020-07-04 Thread Houman
Hello,

I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic (Ubuntu
20.04).
I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
19.10).

received netlink error: Invalid argument (22)

Jul  4 04:54:22 de-fsn-6 charon: 05[IKE] authentication of 'de-fsn-6.VPN.net' (myself) with RSA signature successful
Jul  4 04:54:22 de-fsn-6 charon: 05[IKE] sending end entity cert "CN=de-fsn-6.VPN.net"
Jul  4 04:54:22 de-fsn-6 charon: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] splitting IKE message (2928 bytes) into 3 fragments
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Jul  4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul  4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul  4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (612 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] received packet: from 39.33.54.xxx[4500] to 144.76.113.xxx[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] parsed INFORMATIONAL request 409 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] generating INFORMATIONAL response 409 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] sending packet: from 144.76.113.xxx[4500] to 39.33.54.xxx[4500] (128 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] received packet: from :8f8:112d:ed31:2474:a82d:88cc:544[4500] to :4f7:192:732c::2[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] remote host is not behind NAT anymore
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] faking NAT situation to enforce UDP encapsulation
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI c8a1394b
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI 0b956c9a
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] generating INFORMATIONAL response 12 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] sending packet: from :4f7:192:732c::2[4500] to :8f8:112d:ed31:2474:a82d:88cc:544[4500] (128 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 13[KNL] creating acquire job for policy xxx.111.251.62/32[tcp/https] === 10.10.34.25/32[tcp/51510] with reqid {31606}
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 13[CFG] trap not found, unable to acquire reqid 31606
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 09[NET] received packet: from :8f8:112d:ed31:2474:a82d:88cc:544[4500] to :4f7:192:732c::2[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 09[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 09[IKE] received retransmit of request with ID 12, retransmitting response

*/etc/ipsec.conf*


config setup
  strictcrlpolicy=yes
  uniqueids=never

conn Falkenstein-6
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  dpdtimeout=3600s
  rekey=no
  left=%any
  leftid=@de-fsn-6.VPN.net
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0, ::/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
  leftfirewall=no



Any idea what this could be?


Many Thanks,

Houman


Re: [strongSwan] Is there an official docker image for StrongSwan?

2020-06-28 Thread Houman
Hi Andreas,

Thank you, that's very helpful.

On Sun, 28 Jun 2020 at 17:29, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Houman,
>
> I created a strongSwan 5.8.4 image a couple of months ago for a
> a tutorial so it builds only a limited number of plugins:
>
>   https://hub.docker.com/repository/docker/strongx509/strongswan
>
> I hope this helps
>
> Andreas
>
> On 28.06.20 17:58, Houman wrote:
> > Hello,
> >
> > I'm new to Docker and was wondering where I could find the official
> > StrongSwan docker image?
> > There isn't any official version on docker hub and most of the
> > community stuff is fairly outdated.  If there isn't any, what is the
> > best way to make my own?
> >
> > Thank you for advice,
> > Houman
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>


[strongSwan] Is there an official docker image for StrongSwan?

2020-06-28 Thread Houman
Hello,

I'm new to Docker and was wondering where I could find the official
StrongSwan docker image?
There isn't any official version on docker hub and most of the
community stuff is fairly outdated.  If there isn't any, what is the best
way to make my own?

Thank you for advice,
Houman


[strongSwan] Strongswan systemctl missing in 5.8.2?

2020-06-20 Thread Houman
Hello,

This worked fine in StrongSwan 5.7.2 on Ubuntu 19.10.

But Strongswan 5.8.2 on Ubuntu 20.04 seems to be missing it

systemctl status strongswan
Unit strongswan.service could not be found.

What am I missing please?

Thanks,
Houman


[strongSwan] Seeking a consultant to help me blocking netscan use via StrongSwan

2020-05-13 Thread Houman
Hello,

One of my StrongSwan users is using my VPN to scan the network ports via
netscan. I have deployed StrongSwan with a server provider called Hetzner
and they don't like it at all. So I need to find a way to block port
scanning, unless there is a better solution to do it via StrongSwan,
iptables may be the only choice.

Please get in touch with me, if you have the experience and can help out,
Many Thanks,
Houman


[strongSwan] Where are the logs on StrongSwan Ubuntu 19.10?

2019-12-18 Thread Houman
Hello,

I have tested the latest StrongSwan on Ubuntu 19.10. I don't seem to be
able to connect, but neither can I see any entries in /var/log/syslog.
Could it be that the default log output has moved to somewhere else?

In my deployment script, I have set this:

mkdir /etc/systemd/system/strongswan.service.d
echo "[Service]
StandardOutput=null
" > /etc/systemd/system/strongswan.service.d/override.conf

Many Thanks,
Houman


[strongSwan] Is there a sources.list for latest StrongSwan?

2019-11-23 Thread Houman
Hello,

I'm using StrongSwan on Ubuntu 18.04 LTS.  The packaged StrongSwan version
is still 5.6.2 and has now fallen quite behind.

FreeRADIUS offers a seamless way to install the latest version on Ubuntu:

echo 'deb http://packages.networkradius.com/releases/ubuntu-bionic
bionic main' >> /etc/apt/sources.list
apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
apt update
apt full-upgrade -y

Is there something similar for StrongSwan, where I could seamlessly upgrade
it to the latest version? Or is the only way to download and compile the
binary?

Many Thanks,
Houman


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-10-15 Thread Houman
Hi Tobias,

That's great news.  You are right, I can see those entries in sys logs. But
there is still a strange issue. At 12:09:27 despite the initial disconnect
request and acknowledgement, StrongSwan doesn't disconnect the user.

Oct 15 12:09:27 stag-1 charon: 05[CFG] reassigning offline lease to 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP :54c4::1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] CHILD_SA stag-1{26} established with SPIs c8a04ba5_i 041b28de_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32 xxx:54c4:4c90:1::301/128
Oct 15 12:09:27 stag-1 charon: 05[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:27 stag-1 charon: 05[NET] sending packet: from 172.31.X.X[4500] to 5.78.X.X[4500] (352 bytes)


10 seconds later (because of the Acct-Interim-Interval) a second disconnect
request is sent.


post-auth {
    update reply {
        Acct-Interim-Interval = 10
    }
}


Oct 15 12:09:37 stag-1 charon: 16[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 07[IKE] deleting IKE_SA stag-1[35] between 172.31.xx.xx[stag-1.xxx.com]…5.78.xxx.xx[stag-1.xxx.com]
Oct 15 12:09:37 stag-1 charon: 07[IKE] sending DELETE for IKE_SA stag-1[35]
Oct 15 12:09:37 stag-1 charon: 07[ENC] generating INFORMATIONAL request 0 [ D ]
Oct 15 12:09:37 stag-1 charon: 07[NET] sending packet: from 172.31.xx.xx[4500] to 5.78.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 16[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[NET] received packet: from 5.78.xx.xx[4500] to 172.31.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 06[ENC] parsed INFORMATIONAL response 0 [ ]
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 06[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:37 stag-1 charon: 06[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease fdd2:54c4:4c90:1::301 by 'houman' went offline
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease 10.10.10.1 by 'houman' went offline

Only this time it actually works and the user is disconnected.  Why isn't
it working the first time around?

Many Thanks,
Houman

On Tue, 15 Oct 2019 at 15:34, Tobias Brunner  wrote:

> Hi Houman,
>
> > What attributes *should* be in the Disconnect-Request beside User-Name?
>
> None, that's fine.  If you receive a NAK that means no IKE_SA was found
> with a matching remote identity.  You should see something like this in
> the strongSwan log:
>
> > received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
> > no IKE_SA matches houman, sending Disconnect-NAK
>
> Regards,
> Tobias
>


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-10-15 Thread Houman
Hello Tobias,

Thank you for your help on this. I have managed to utilise the eap-radius
plugin to listen to disconnect messages from FreeRADIUS.

I get strange reporting in the logs. It seems that StrongSwan rejects the
initial disconnect message with a NAK.

(4) Sent Disconnect-Request Id 11 from 0.0.0.0:42481 to 127.0.0.1:3799
length 28
(4)   User-Name = "houman"
(4) Sent Accounting-Response Id 178 from 127.0.0.1:1813 to 127.0.0.1:51530
length 0
(4) Finished request
(4) Cleaning up request packet ID 178 with timestamp +6
Waking up in 2.1 seconds.
(4) Clearing existing : attributes
(4) Received Disconnect-NAK Id 11 from 127.0.0.1:3799 to 127.0.0.1:42481
length 20

What attributes *should* be in the Disconnect-Request beside User-Name?  Is
there anything else I need to avoid getting a NAK from StrongSwan?

Many Thanks,
Houman


On Tue, 10 Sep 2019 at 12:02, Tobias Brunner  wrote:

> Hi Houman,
>
> > Do you think that is possible to do via FreeRadius?
>
> See [1].
>
> > Just to be
> > clear there is always a 1:1 relationship between IKE_SA and a user at a
> > time, correct?
>
> Probably, that is, if you don't allow multiple IKE_SAs per user identity.
>
> > If I end an IKE_SA, I won't be kicking several users by
> > mistake?
>
> Not if you do so by unique ID (by name wouldn't be a good idea because
> all IKE_SAs by roadwarriors will share the name of the connection).
>
> > So in other words what
> > I'm trying to achieve is possible with Vici right?
>
> Yes.
>
> Regards,
> Tobias
>
> [1]
>
> https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension
>
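The radclient exchange quoted above (a Disconnect-Request of 28 bytes carrying only User-Name, answered by a 20-byte Disconnect-NAK on port 3799) as an added example that is not code from strongSwan, FreeRADIUS or the poster: it builds and validates the RFC 5176 Dynamic Authorization packets on both sides, so an operator can see exactly what a disconnect client puts on the wire and why the Response Authenticator check matters before acting on an ACK or NAK. The shared secret `testing123` and the identifier 11 are constructed placeholders; the server side here simply emits whichever code it is told to and does not model charon's IKE_SA lookup, which the log shows deciding between ACK and NAK.

```python
import hashlib
import struct

# RADIUS packet codes for the Dynamic Authorization Extension (RFC 5176).
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
ATTR_USER_NAME = 1      # RFC 2865 User-Name attribute type
HEADER_LEN = 20         # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value(n); Length covers all three."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def build_disconnect_request(identifier: int, username: str, secret: bytes) -> bytes:
    """Client side (what radclient sent): a Disconnect-Request carrying only User-Name.

    RFC 5176 section 2.3: Request Authenticator = MD5(Code + Identifier + Length
    + 16 zero octets + attributes + shared secret). With User-Name "houman" the
    packet is 20 + 8 = 28 bytes, the length radclient reported in the post.
    """
    attrs = encode_attribute(ATTR_USER_NAME, username.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier & 0xFF, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_dae_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ACK or NAK for a given request. An attribute-less NAK is 20 bytes.

    Response Authenticator = MD5(Code + Identifier + Length + Request Authenticator
    + attributes + shared secret), the same construction RFC 2865 uses for replies.
    """
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def response_authenticator_valid(packet: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the reply was produced for this request with this shared secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[HEADER_LEN:] + secret).digest()
    return expected == packet[4:HEADER_LEN]


def parse_dae_response(packet: bytes, request: bytes, secret: bytes) -> dict:
    """Check authenticator and identifier, then decode the response code and attributes."""
    if not response_authenticator_valid(packet, request, secret):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    if packet[1] != request[1]:
        raise ValueError("response Identifier does not match the request")
    names = {DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK"}
    return {"code": names.get(packet[0], packet[0]),
            "attributes": parse_attributes(packet[HEADER_LEN:])}


def example_exchange(secret: bytes = b"testing123") -> dict:
    """Replay the quoted exchange: request for 'houman', NAK back (no IKE_SA matched)."""
    req = build_disconnect_request(11, "houman", secret)      # Id 11, as in the radclient output
    nak = build_dae_response(DISCONNECT_NAK, req, secret)
    return {"request_len": len(req), "nak_len": len(nak),
            "nak": parse_dae_response(nak, req, secret),
            # a reply built with a different secret must not be accepted
            "forged_ok": response_authenticator_valid(nak, req, b"not-the-secret")}


if __name__ == "__main__":
    print(example_exchange())
```

A NAK with no Error-Cause attribute, as in the log, tells the client only that nothing matched; the example therefore keeps the attribute parser generic so an Error-Cause (type 101) would surface in the returned list if a server chose to send one.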


Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-10-14 Thread Houman
Hello Noel,

I just tried the suggested solution below and sadly it blocks the entire
VPN.

iptables -I FORWARD 2 -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD 2 -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD 2 -d 10.0.0.0/8 -j REJECT

Unless I have inserted the rules at the wrong spot, it doesn't look good.
See below, please:

# Generated by iptables-save v1.6.1 on Mon Oct 14 18:33:31 2019
*mangle
:PREROUTING ACCEPT [54716:20906174]
:INPUT ACCEPT [26852:4628015]
:FORWARD ACCEPT [27829:16271441]
:OUTPUT ACCEPT [25477:18649644]
:POSTROUTING ACCEPT [52098:34734180]
-A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec
-m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT
# Completed on Mon Oct 14 18:33:31 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:33:31 2019
*nat
:PREROUTING ACCEPT [1575:110530]
:INPUT ACCEPT [28:8296]
:OUTPUT ACCEPT [429:29655]
:POSTROUTING ACCEPT [429:29655]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 18:33:31 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:33:31 2019
*filter
:INPUT DROP [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [102:15526]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -j DROP
-A FORWARD -d 10.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 172.16.0.0/12 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT

If this doesn't work I have to fallback to your initial solution:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
--hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
--hashlimit-upto 5/s -j ACCEPT

With the following outcome:

# Generated by iptables-save v1.6.1 on Mon Oct 14 18:40:26 2019
*filter
:INPUT DROP [192413:18329342]
:FORWARD DROP [340475:90672719]
:OUTPUT ACCEPT [425183776:485173348374]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
-A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec
--hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN -j
ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Mon Oct 14 18:40:26 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:40:26 2019
*nat
:PREROUTING ACCEPT [133256521:12349660945]
:INPUT ACCEPT [805996:248685578]
:OUTPUT ACCEPT [151185:15397949]
:POSTROUTING ACCEPT [151185:15397949]
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 18:40:26 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:40:26 2019
*mangle
:PREROUTING ACCEPT [47285409804:29854894928171]
:INPUT ACCEPT [16114043471:4661974048771]
:FORWARD ACCEPT [31166444886:25192112917092]
:OUTPUT ACCEPT [20092152323:23622919704514]
:POSTROUTING ACCEPT [51247881050:48812187889401]
-A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec
-m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT
# Completed on Mon Oct 14 18:40:26 2019

The latter doesn't stop the VPN, but I won't know whether it really prevents
someone from running netscan until someone tries a new attempt again. :)

What do you think?

Many Thanks,
Houman


On Mon, 14 Oct 2019 at 17:05, Noel Kuntze wrote:

> Hello Houman,
>
> Depends on what exactly you're doing on your server. It's not possible to
> give you a generalized answer.
> You shouldn't script with iptables though. Use iptables-save and -restore
> (save prints out a serialised form of your loaded iptables rules, restore
> loads data in said form).
>
> Kind regards
>
> Noel
>
> Am 14.10.19 um 14:30 schrieb Houman:
> > Hello Noel,
> >
> > It's a bare-metal server that I'm renting (it's not a virtual server) so
> I assume that it should be in its own private subnet. I have tried to
> follow up with them, but their support doesn't communicate very well in
> English. All I could gather is the following:
> >
> > 1) Based on the ROOT SERVER SERVICE AGREEMENT, the scanning of foreign
> networks or foreign IP addresses 

Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-10-14 Thread Houman
Hello Noel,

It's a bare-metal server that I'm renting (it's not a virtual server) so I
assume that it should be in its own private subnet. I have tried to follow
up with them, but their support doesn't communicate very well in English.
All I could gather is the following:

1) Based on the ROOT SERVER SERVICE AGREEMENT, the scanning of foreign
networks or foreign IP addresses is not permitted.
2) These RFC1918 networks are not reachable via my external interface (Then
why is it a problem? I don't understand them)

I did some further research. It seems it is better to do the REJECT rule
only on the interface that is connected to the Internet. Otherwise, I could
be blocking LAN or vpn peer-to-peer communications.

export INET_IFACE=$(ip route get 8.8.8.8 | awk -- '{printf $5}')

iptables -A FORWARD -o $INET_IFACE -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT

Do you agree with this? Or is it rather unnecessary for a StrongSwan server?

Thanks,
Houman




On Mon, 14 Oct 2019 at 14:00, Noel Kuntze wrote:

> Hello Houman,
>
> You can do that. I wonder though why that is a problem. Are they providing
> a private subnet on the link of your server?
>
> Kind regards
>
> Noel
>
> Am 14.10.19 um 12:03 schrieb Houman:
> > Hi Noel,
> >
> > That makes sense, thank you.
> >
> > I received a followup email from our server provider (about a new
> netscan attempt from one of our users today).
> >
> > """
> > We would recommend that you set up a local firewall and block outgoing
> traffic to the following prefixes
> > https://tools.ietf.org/html/rfc1918
> > > 10.0.0.0/8
> > > 172.16.0.0/12
> > > 192.168.0.0/16
> > Please block this range of RFC1918 on your server.
> > We would like to avoid further network abuse from your end.
> > """
> >
> > Is this as simple as
> >
> > iptables -A FORWARD -d 10.0.0.0/8 -j REJECT
> > iptables -A FORWARD -d 172.16.0.0/12 -j REJECT
> > iptables -A FORWARD -d 192.168.0.0/16 -j REJECT
> >
> > Or am I oversimplifying this?
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Mon, 14 Oct 2019 at 13:02, Noel Kuntze wrote:
> >
> > Hello Houman,
> >
> > Depends on if you have a whitelist or blacklist rule set.
> >
> > With the ruleset you have provided in this email, you need to accept
> the stuff you want. So up to 5 new connections per second.
> >
> > Kind regards
> >
> > Noel
> >
> > Am 14.10.19 um 10:40 schrieb Houman:
> > > Hi Noel,
> > >
> > > Actually based on my firewall config, I think I have to DROP it
> instead of ACCEPT if it's over the 5/sec limit?  Don't you agree?
> > >
> > > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
> --hashlimit-above 5/s -j DROP
> > >
> > > So I replace *hashlimit-upto* with *hashlimit-above* following
> with a DROP.
> > >
> > > This is my current firewall settings based on your previous
> suggestion. If Iptables is clever enough to DROP the connection
> if hashlimit-upto is exceeded, it should work as well.
> > >
> > > # iptables-save
> > > *filter
> > > :INPUT DROP [6374:460035]
> > > :FORWARD DROP [7119:2071794]
> > > :OUTPUT ACCEPT [19665335:23255290771]
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > > -A FORWARD -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip
> --hashlimit-name NETSCAN -j ACCEPT
> > > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > COMMIT
> > > # Completed on Mon Oct 14 08:30:14 2019
> > > # Genera

Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-10-14 Thread Houman
Hi Noel,

That makes sense, thank you.

I received a followup email from our server provider (about a new
netscan attempt
from one of our users today).

"""
We would recommend that you set up a local firewall and block outgoing
traffic to the following prefixes
https://tools.ietf.org/html/rfc1918
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
Please block this range of RFC1918 on your server.
We would like to avoid further network abuse from your end.
"""

Is this as simple as

iptables -A FORWARD -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -d 192.168.0.0/16 -j REJECT

Or am I oversimplifying this?

Many Thanks,
Houman


On Mon, 14 Oct 2019 at 13:02, Noel Kuntze wrote:

> Hello Houman,
>
> Depends on if you have a whitelist or blacklist rule set.
>
> With the ruleset you have provided in this email, you need to accept the
> stuff you want. So up to 5 new connections per second.
>
> Kind regards
>
> Noel
>
> Am 14.10.19 um 10:40 schrieb Houman:
> > Hi Noel,
> >
> > Actually based on my firewall config, I think I have to DROP it instead
> of ACCEPT if it's over the 5/sec limit?  Don't you agree?
> >
> > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
> --hashlimit-above 5/s -j DROP
> >
> > So I replace *hashlimit-upto* with *hashlimit-above* following with a
> DROP.
> >
> > This is my current firewall settings based on your previous suggestion.
> If Iptables is clever enough to DROP the connection if hashlimit-upto is
> exceeded, it should work as well.
> >
> > # iptables-save
> > *filter
> > :INPUT DROP [6374:460035]
> > :FORWARD DROP [7119:2071794]
> > :OUTPUT ACCEPT [19665335:23255290771]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto
> 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN
> -j ACCEPT
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Mon Oct 14 08:30:14 2019
> > # Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
> > *nat
> > :PREROUTING ACCEPT [222978690:20761159044]
> > :INPUT ACCEPT [1143238:398065963]
> > :OUTPUT ACCEPT [245876:24207759]
> > :POSTROUTING ACCEPT [245876:24207759]
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> > COMMIT
> > # Completed on Mon Oct 14 08:30:14 2019
> > # Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
> > *mangle
> > :PREROUTING ACCEPT [76920955633:50815277695359]
> > :INPUT ACCEPT [27612054762:8305407205459]
> > :FORWARD ACCEPT [49298861266:42508240159831]
> > :OUTPUT ACCEPT [34323442858:39692165780388]
> > :POSTROUTING ACCEPT [83603096494:82195502934979]
> > -A FORWARD -s 10.10.0.0/17 <http://10.10.0.0/17> -o enp2s0 -p tcp -m
> policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss
> 1361:1536 -j TCPMSS --set-mss 1360
> > COMMIT
> >
> > On Mon, 14 Oct 2019 at 11:14, Houman <hou...@gmail.com> wrote:
> >
> > Hello Noel,
> >
> > Thanks for your solution, I just tried it:
> >
> > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
> >
> > But I got this error message:
> >
> > iptables v1.6.1: hashlimit: option "--hashlimit-name" must be
> specified
> >
> > I googled and added the missing name like this:
> >
> > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
> --hashlimit-upto 5/s -j ACCEPT
> >
> > Do you agree with this approach to prevent VPN users from
> running Netscans?
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Wed, 31 Jul 2019 at 14:51, Noel Kuntze wrote:
> >
> >   

Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-10-14 Thread Houman
Hi Noel,

Actually based on my firewall config, I think I have to DROP it instead of
ACCEPT if it's over the 5/sec limit?  Don't you agree?

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
--hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
--hashlimit-above 5/s -j DROP

So I replace *hashlimit-upto* with *hashlimit-above* following with a DROP.

These are my current firewall settings based on your previous suggestion. If
iptables is clever enough to DROP the connection if hashlimit-upto is
exceeded, it should work as well.

# iptables-save
*filter
:INPUT DROP [6374:460035]
:FORWARD DROP [7119:2071794]
:OUTPUT ACCEPT [19665335:23255290771]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
-A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec
--hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN -j
ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Mon Oct 14 08:30:14 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
*nat
:PREROUTING ACCEPT [222978690:20761159044]
:INPUT ACCEPT [1143238:398065963]
:OUTPUT ACCEPT [245876:24207759]
:POSTROUTING ACCEPT [245876:24207759]
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 08:30:14 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
*mangle
:PREROUTING ACCEPT [76920955633:50815277695359]
:INPUT ACCEPT [27612054762:8305407205459]
:FORWARD ACCEPT [49298861266:42508240159831]
:OUTPUT ACCEPT [34323442858:39692165780388]
:POSTROUTING ACCEPT [83603096494:82195502934979]
-A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec
-m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT

On Mon, 14 Oct 2019 at 11:14, Houman  wrote:

> Hello Noel,
>
> Thanks for your solution, I just tried it:
>
> iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>
> But I got this error message:
>
> iptables v1.6.1: hashlimit: option "--hashlimit-name" must be specified
>
> I googled and added the missing name like this:
>
> iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
> --hashlimit-upto 5/s -j ACCEPT
>
> Do you agree with this approach to prevent VPN users from running Netscans?
>
> Many Thanks,
> Houman
>
>
> On Wed, 31 Jul 2019 at 14:51, Noel Kuntze wrote:
>
>> Hello Houman,
>>
>> A "netscan" attack isn't actually anything worthy of an abuse email.
>> It's not part of a benign usage pattern of a VPN service, but it itself
>> isn't illegal or anything.
>> You can only slow down such scans by rate limiting the number of new
>> connections using the hashlimit match module, for example.
>>
>> E.g. -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode
>> srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>>
>> Kind regards
>>
>> Noel
>>
>> Am 30.07.19 um 16:39 schrieb Houman:
>> > Sorry I mistyped. I meant  Netscan.
>> >
>> > The abuse message was saying: *NetscanOutLevel: Netscan detected from
>> xx.xx.xx.xx*
>> >
>> > This is possible though, that VPN users run a netscan and scan the
>> ports. Am I correct?
>> >
>> > Thanks,
>> >
>> > On Tue, 30 Jul 2019 at 15:30, Thor Simon <thor.si...@twosigma.com> wrote:
>> >
>> > I don't think netstat does what you think it does.  It is a _local_
>> tool.  Perhaps the "abuse notification" you received is a phishing attack?
>> >
>> > Have a look at the manual page:
>> >
>> > http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>> >
>> > 
>> > From: Houman <hou...@gmail.com>
>> > Sent: Jul 30, 2019 10:18 AM
>> > To: users@lists.strongswan.org
>> > Subject: [strongSwan] How to block Netstat attacks from VPN users?
>> >
>> > Hello,
>> >
>> > I had an interesting abuse notification that someone has run a
>> netstat through our VPN.
>

Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-10-14 Thread Houman
Hello Noel,

Thanks for your solution, I just tried it:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
--hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

But I got this error message:

iptables v1.6.1: hashlimit: option "--hashlimit-name" must be specified

I googled and added the missing name like this:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
--hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32
--hashlimit-upto 5/s -j ACCEPT

Do you agree with this approach to prevent VPN users from running Netscans?

Many Thanks,
Houman


On Wed, 31 Jul 2019 at 14:51, Noel Kuntze wrote:

> Hello Houman,
>
> A "netscan" attack isn't actually anything worthy of an abuse email.
> It's not part of a benign usage pattern of a VPN service, but it itself
> isn't illegal or anything.
> You can only slow down such scans by rate limiting the number of new
> connections using the hashlimit match module, for example.
>
> E.g. -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode
> srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>
> Kind regards
>
> Noel
>
> Am 30.07.19 um 16:39 schrieb Houman:
> > Sorry I mistyped. I meant  Netscan.
> >
> > The abuse message was saying: *NetscanOutLevel: Netscan detected from
> xx.xx.xx.xx*
> >
> > This is possible though, that VPN users run a netscan and scan the
> ports. Am I correct?
> >
> > Thanks,
> >
> > On Tue, 30 Jul 2019 at 15:30, Thor Simon <thor.si...@twosigma.com> wrote:
> >
> > I don't think netstat does what you think it does.  It is a _local_
> tool.  Perhaps the "abuse notification" you received is a phishing attack?
> >
> > Have a look at the manual page:
> >
> > http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
> >
> > 
> > From: Houman <hou...@gmail.com>
> > Sent: Jul 30, 2019 10:18 AM
> > To: users@lists.strongswan.org
> > Subject: [strongSwan] How to block Netstat attacks from VPN users?
> >
> > Hello,
> >
> > I had an interesting abuse notification that someone has run a
> netstat through our VPN.
> >
> > > time protocol src_ip src_port dest_ip dest_port
> > > ---
> > > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> > > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346
> >
> > I was wondering if there is a good way to block all VPN users from
> running hacker tools such as netstat (port scanning) altogether.  Is there
> a reliable way to do that with iptables?
> >
> > I came across this snippet that should block port scans, but I'm not
> sure if that would block a VPN user after all since the VPN traffic is
> masqueraded.
> >
> > iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m
> limit --limit 1/s -j RETURN
> > iptables -A port-scan -j DROP --log-level 6
> > iptables -A specific-rule-set -p tcp --syn -j syn-flood
> > iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST
> -j port-scan
> >
> > Any suggestions, please?
> > Many Thanks,
> > Houman
> >
> >
> >
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
>


Re: [strongSwan] How to block torrent traffic in StrongSwan?

2019-10-01 Thread Houman
Hello Volodymyr,

Thank you for your email.  I think DPI goes a step too far for privacy
reasons. But I'm happy to go down the route of blocking well-known trackers.
Is there a way to obtain the list from somewhere?

Many Thanks,
Houman

On Sun, 29 Sep 2019 at 16:35, Volodymyr Litovka  wrote:

> Hello, Houman,
>
> to be able to find and block torrent traffic, you need to implement DPI
> (Deep Packet Inspection) on your gateway and even this does not
> guarantee success, because modern torrent clients like uTorrent
> implement very sophisticated mimicry mechanisms and, from my experience,
> are very successful in passing DPIs, firewalls etc.
>
> Using iptables you can try to block well-known trackers, but this
> approach will require constant updating.
>
> On 29.09.2019 12:17, Houman wrote:
> > Hello,
> >
> > I would like to block VPN users from using torrents. I'm not sure if
> > this is something that can be done in StrongSwan settings, maybe there
> > is a way through IPTables to achieve this?
> >
> > Any advice would be appreciated,
> >
> > Many Thanks,
> > Houman
>
> --
> Volodymyr Litovka
>"Vision without Execution is Hallucination." -- Thomas Edison
>
>


[strongSwan] How to block torrent traffic in StrongSwan?

2019-09-29 Thread Houman
Hello,

I would like to block VPN users from using torrents. I'm not sure if this
is something that can be done in StrongSwan settings, maybe there is a way
through IPTables to achieve this?

Any advice would be appreciated,

Many Thanks,
Houman


[strongSwan] How to check the health of a StrongSwan server?

2019-09-21 Thread Houman
Hello,


How can I check if the VPN server is healthy and can accept new connections?


I found this Ruby script
https://github.com/sensu-plugins/sensu-plugins-strongswan/blob/master/bin/check-strongswan.rb
which utilises ‘ipsec status’ to check for health.

My Ruby isn't good enough to make full sense of it.  When I run ‘ipsec
status’ from the command line, all I get is the listing of each active
connection.  But a server can be without any active connection and still be
healthy. So I can't follow the thought process.


Do you guys know of a way to check the health status of a strongswan
server?


Many Thanks,

Houman


Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-10 Thread Houman
Hello Tobias,

Thank you for your reply.

> Not directly (at least not via vici, it might be possible via RADIUS,
> depending on the RADIUS server).
>

This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe
I should explain the use case I'm trying to achieve.

I have setup a limit by monthly-usage in FreeRadius. Each user can use 10
GB and after that, any attempt to connect to the VPN server fails.

echo 'ATTRIBUTE   Monthly-Usage   3001   integer64' >> /etc/freeradius/3.0/dictionary

sed -i '/authorize {/a\
    update request {\
        Monthly-Usage = "%{sql:SELECT COALESCE((SUM(`acctoutputoctets`)), 0) FROM radacct WHERE `username`='"'"'%{User-Name}'"'"' AND Month(acctupdatetime)=(Month(NOW())) AND Year(acctupdatetime)=Year(NOW())}"\
    }\
' /etc/freeradius/3.0/sites-enabled/default

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Monthly-Usage','<',100);

This works; however, once the limit has been reached, the user remains
connected, and nothing forces him out. Only if he disconnects and tries
to connect again would he be prevented.  I was thinking of checking every 5
minutes whether someone has reached the monthly usage and is still
connected, and kicking him out.

Do you think that is possible to do via FreeRadius?

> What do you mean?  [1] provides an overview and has a link to the
> README.md file that describes the available commands and even contains
> simple code examples.  The Python bindings are basically a wrapper that
> provides a convenient interface for these commands.
>

Ah my bad. I was looking at https://pypi.org/project/vici/ but I found more
documentation at the github project.

> That returns the configured connections, so that's not really useful to
> you.  More interesting will be the list of established IKE_SAs
> (s.list_sas).
>
> There is no option to filter by remote/user ID, so you have
> to enumerate the established SAs (list-sa documents the returned
> information) and check remote-(eap-)id yourself.
>
Perfect. I think the username in Radcheck is the same as the
remote-(eap-)id you mentioned. So I have to find a way to filter that
within the IKE_SA and then to terminate the IKE_SA itself.  Just to be
clear there is always a 1:1 relationship between IKE_SA and a user at a
time, correct?  If I end an IKE_SA, I won't be kicking several users by
mistake? It will be only the one user using that? So in other words what
I'm trying to achieve is possible with Vici right?

Many Thanks,
Houman


[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

2019-09-09 Thread Houman
Hello,

Is there is a way to disconnect a specific strongswan user from the command
line?

I have found the Vici plugin, but there is no documentation whatsoever. It
says check the comments in the code and it's still not clear to me.

All I could do so far was this

import vici
s = vici.Session()
>>> s.list_conns()


I have one connection on this test server, But I need somehow to filter for
a specific user, if I had more connections.

Looking at the code there is a "filters" as an argument to pass in:

    def list_conns(self, filters=None):
        """Retrieve loaded connections.

        :param filters: retrieve only matching configuration names (optional)
        :type filters: dict
        :return: generator for loaded connections as dict
        :rtype: generator
        """
        return self.streamed_request("list-conns", "list-conn", filters)

But I'm stuck as I don't know how to set that. There must be some kind of
documentation for this right?

I suppose once I have the actual SA, I could pass it to terminate().

Many Thanks,
Houman


Re: [strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?

2019-08-21 Thread Houman
Hello Michael,

You brought up some very good points.

I'm currently only using the authentication in RADIUS by utilising the
username/password in the Radcheck table. I also make use of Radacct table
to see for how long a user was connected, from which location the
connection was made and to which VPN server the user is connected. Other
than that all VPN servers are the same and don't differ.

> If your VPN servers do not differ I would set up two RADIUS server (for
> redundancy) that use the one database (master / slave setup for
> redundancy).


I have found this blog post
<https://thenetworkcable.wordpress.com/2014/11/28/creating-redundant-freeradius-servers-with-mysql-replication/>
that explains how to run two freeradius and two mysql servers in
replication.
So it seems that two databases are needed after all.  But you advised to
just use one database with two FreeRadius servers in replication. Do I have
to do anything specifically in the configs to make them work in replication
with a single database? Or is it as simple as creating an AWS Load Balancer
that points to both freeradius servers round-robin, with all VPN servers
pointing to the same load balancer endpoint? I suppose nothing stops me
from having two databases in replication in this scenario to make it more
resilient, does it?

Many Thanks,
Houman


On Wed, 21 Aug 2019 at 08:52, Michael Schwartzkopff  wrote:

> On 21.08.19 at 08:20, Houman wrote:
> > Hello,
> >
> > I have multiple StrongSwan VPN servers setup and each of them has its own
> > FreeRadius server. Each of the freeradius servers then points to the
> > central database in a separate location. This works without any problem.
> > But I wonder if this is the right approach after all.
> >
> > Maybe I should have only one FreeRadius server installed next to the
> > database, and have each VPN server connect to the central freeradius
> server
> > instead?
> >
> > As in setting *accounting = yes* and *address= [remote IP of freeradius
> > server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.
> >
> > What is the most optimal way?
> >
> > Many Thanks,
> > Houman
> >
>
> As always, it depends ...
>
> First of all you need to write down, what you want to achieve.
>
> Then you have to find the best solution for you. The "best" might be the
> most simple, the easiest to maintain, the one with the least effort in
> setting up, the one that has least components, the one with the least
> complexity or a combination of everything.
>
> What do you want to achieve? Authentication / Authorization of VPN
> client through a central backend database? Do you need accounting?
>
> If your VPN servers do not differ I would set up two RADIUS server (for
> redundancy) that use the one database (master / slave setup for
> redundancy).
>
> If your VPN servers differ and the outcome of your Authorization depends
> on the VPN server, I would set up different virtual RADIUS servers.
>
> But everything depends on your setup. Be sure you know what you want.
>
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
>
>
>


[strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?

2019-08-21 Thread Houman
Hello,

I have multiple StrongSwan VPN servers setup and each of them has its own
FreeRadius server. Each of the freeradius servers then points to the
central database in a separate location. This works without any problem.
But I wonder if this is the right approach after all.

Maybe I should have only one FreeRadius server installed next to the
database, and have each VPN server connect to the central freeradius server
instead?

As in setting *accounting = yes* and *address= [remote IP of freeradius
server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.

What is the most optimal way?

Many Thanks,
Houman


Re: [strongSwan] How to determine how many connections are currently active?

2019-07-31 Thread Houman
Hi Andreas,

Thank you very much.  That worked nicely, much easier than I thought it
would be.

The difference between INSTALLED (519) and ESTABLISHED (520) was nearly the
same in my case.   What is the main difference between them in this context?

Many Thanks,
Houman

On Wed, 31 Jul 2019 at 11:14, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Houman,
>
> you can get the number of active IKE SAs via
>
>   swanctl --list-sas | grep ESTABLISHED | wc -l
>
> if you are using the vici interface or
>
>   ipsec statusall | grep ESTABLISHED | wc -l
>
> if you are using the legacy whack interface.
>
> For the total number of active CHILD SAs replace ESTABLISHED
> by INSTALLED in the grep query.
>
> Best regards
>
> Andreas
>
> On 31.07.19 10:05, Houman wrote:
> > Good morning,
> >
> >
> > What is the best way to determine how many connections are currently
> > active on the StrongSwan server?
> >
> >
> > Maybe there is a simpler way but I thought of one way. I’m using
> > FreeRadius with Mysql DB as storage.
> >
> >
> > There are three fields that capture the start (acctstarttime), ongoing
> > (acctupdatetime) and the end (acctstoptime) of a connection.
> >
> >
> > I could theoretically filter for all acctupdatetime that start from
> > today and have a acctstoptime that is null.  The count of these records
> > would be the approximate number of active connections to the server.
> >
> >
> > Is there a better way to achieve this or do you agree to this approach?
> >
> >
> >
> > Many Thanks,
> >
> > Houman
> >
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>

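The procedure Tobias outlines in the vici thread further up (enumerate the established IKE_SAs with list_sas, check remote-(eap-)id, terminate the matching IKE_SA, which is also what the monthly-quota kick needs) and the ESTABLISHED/INSTALLED counts from Andreas's reply above, as one added Python example that is not code from strongSwan or from the list posters. The SA listing and the over-quota user set are constructed; on a real server FakeSession is replaced by vici.Session().

```python
"""Count, find and terminate strongSwan IKE_SAs over the vici interface.
Added example, not strongSwan project code. SAMPLE_SAS is constructed to
mirror Session.list_sas() output: {ike_name: ike_sa} dicts with bytes scalars
and CHILD_SAs under "child-sas"; names and ids echo the thread's syslog.
"""
from typing import Iterable, List, Tuple

SAMPLE_SAS: List[dict] = [
    {"Falkenstein-2": {
        "uniqueid": b"549905", "state": b"ESTABLISHED",
        "remote-id": b"VPN", "remote-eap-id": b"houman",
        "child-sas": {"Falkenstein-2-455771": {"state": b"INSTALLED"}},
    }},
    # uniqueids=never lets one user hold several IKE_SAs at the same time
    {"Falkenstein-2": {
        "uniqueid": b"549906", "state": b"ESTABLISHED",
        "remote-id": b"VPN", "remote-eap-id": b"alice",
        "child-sas": {"Falkenstein-2-455772": {"state": b"INSTALLED"}},
    }},
    {"Falkenstein-2": {
        "uniqueid": b"549910", "state": b"ESTABLISHED",
        "remote-id": b"VPN", "remote-eap-id": b"alice",
        "child-sas": {"Falkenstein-2-455780": {"state": b"REKEYING"}},
    }},
    # still in IKE_AUTH: no EAP identity and no CHILD_SA yet
    {"Falkenstein-2": {"uniqueid": b"549911", "state": b"CONNECTING",
                       "remote-id": b"VPN", "child-sas": {}}},
]


def _text(value: object) -> str:
    """vici hands back bytes for every scalar; normalise to str."""
    return value.decode() if isinstance(value, bytes) else str(value)


def count_sas(sas: Iterable[dict]) -> Tuple[int, int]:
    """Return (IKE_SAs in state ESTABLISHED, CHILD_SAs in state INSTALLED).
    ESTABLISHED is an IKE_SA state and INSTALLED a CHILD_SA state, so the two
    greps in the thread count different objects; a road-warrior IKE_SA usually
    carries exactly one CHILD_SA, which is why the numbers come out close."""
    established = installed = 0
    for entry in sas:
        for ike in entry.values():
            if _text(ike.get("state")) == "ESTABLISHED":
                established += 1
            for child in ike.get("child-sas", {}).values():
                if _text(child.get("state")) == "INSTALLED":
                    installed += 1
    return established, installed


def find_user_sas(sas: Iterable[dict], username: str) -> List[Tuple[str, int]]:
    """Return (conn name, IKE_SA uniqueid) for each IKE_SA whose remote-eap-id,
    the identity RADIUS authenticated, equals username. remote-id is the IKE
    identity, which in the thread's setup is the shared value 'VPN'."""
    hits: List[Tuple[str, int]] = []
    for entry in sas:
        for name, ike in entry.items():
            if "remote-eap-id" in ike and _text(ike["remote-eap-id"]) == username:
                hits.append((name, int(_text(ike["uniqueid"]))))
    return hits


def terminate_users(session, usernames: Iterable[str]) -> List[int]:
    """Terminate every IKE_SA of the given users; return the uniqueids used.
    Selecting by ike-id (the IKE_SA uniqueid) tears down that one tunnel only,
    so other users sharing the same conn definition are untouched."""
    sas = list(session.list_sas())  # materialise: the generator is one-shot
    done: List[int] = []
    for user in usernames:
        for _conn, uid in find_user_sas(sas, user):
            # terminate streams control-log messages; they must be consumed
            for _log in session.terminate({"ike-id": str(uid), "timeout": "5000"}):
                pass
            done.append(uid)
    return done


class FakeSession:
    """Offline stand-in for vici.Session that records terminate calls."""
    def __init__(self, sas):
        self._sas, self.terminated = sas, []

    def list_sas(self):
        return iter(self._sas)

    def terminate(self, params):
        self.terminated.append(params)
        yield {"msg": b"terminated"}


if __name__ == "__main__":
    # live use: import vici; session = vici.Session()  (charon's vici socket)
    session = FakeSession(SAMPLE_SAS)
    print("ESTABLISHED/INSTALLED:", count_sas(SAMPLE_SAS))
    over_quota = {"alice"}  # constructed; in practice from the radacct query
    print("terminated ike-ids:", terminate_users(session, over_quota))
```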

[strongSwan] How to determine how many connections are currently active?

2019-07-31 Thread Houman
Good morning,


What is the best way to determine how many connections are currently active
on the StrongSwan server?


Maybe there is a simpler way but I thought of one way. I’m using FreeRadius
with Mysql DB as storage.


There are three fields that capture the start (acctstarttime), ongoing
(acctupdatetime) and the end (acctstoptime) of a connection.


I could theoretically filter for all acctupdatetime that start from today
and have a acctstoptime that is null.  The count of these records would be
the approximate number of active connections to the server.


Is there a better way to achieve this or do you agree to this approach?



Many Thanks,

Houman


Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-07-30 Thread Houman
Sorry I mistyped. I meant  Netscan.

The abuse message was saying: *NetscanOutLevel: Netscan detected from
xx.xx.xx.xx*

This is possible though, that VPN users run a netscan and scan the ports.
Am I correct?

Thanks,

On Tue, 30 Jul 2019 at 15:30, Thor Simon  wrote:

> I don't think netstat does what you think it does.  It is a _local_ tool.
> Perhaps the "abuse notification" you received is a phishing attack?
>
> Have a look at the manual page:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>
> ________
> From: Houman 
> Sent: Jul 30, 2019 10:18 AM
> To: users@lists.strongswan.org
> Subject: [strongSwan] How to block Netstat attacks from VPN users?
>
> Hello,
>
> I had an interesting abuse notification that someone has run a netstat
> through our VPN.
>
> > time protocol src_ip src_port dest_ip dest_port
> > ---
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346
>
> I was wondering if there is a good way to block all VPN users from running
> hacker tools such as netstat (port scanning) altogether.  Is there a
> reliable way to do that with iptables?
>
> I came across this snippet that should block port scans, but I'm not sure
> if that would block a VPN user after all since the VPN traffic is
> masqueraded.
>
> iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
> --limit 1/s -j RETURN
> iptables -A port-scan -j DROP --log-level 6
> iptables -A specific-rule-set -p tcp --syn -j syn-flood
> iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j
> port-scan
>
> Any suggestions, please?
> Many Thanks,
> Houman
>
>
>
>


[strongSwan] How to block Netstat attacks from VPN users?

2019-07-30 Thread Houman
Hello,

I had an interesting abuse notification that someone has run a
netstat through our VPN.

> time protocol src_ip src_port dest_ip dest_port
> ---
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346

I was wondering if there is a good way to block all VPN users from running
hacker tools such as netstat (port scanning) altogether.  Is there a
reliable way to do that with iptables?

I came across this snippet that should block port scans, but I'm not sure
if that would block a VPN user after all since the VPN traffic is
masqueraded.

iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
--limit 1/s -j RETURN
iptables -A port-scan -j DROP --log-level 6
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j
port-scan

Any suggestions, please?
Many Thanks,
Houman


Re: [strongSwan] received netlink error: Network is unreachable

2019-07-19 Thread Houman
Hello Noel,

It works! I tested it for 24 hours and not a single issue anymore. Thank
you very much for your help.

For the record, this is the file I have edited.

/etc/strongswan.d/charon.conf

I uncommented the line *install_routes = yes* and changed it to
*install_routes = no*

Thanks,
Houman

On Thu, 18 Jul 2019 at 12:35, Noel Kuntze 
wrote:

> Hello Houman,
>
> I took a look at it and it seems the problem is that your default route is
>
> default via fe80::1 dev enp2s0 proto static metric 1024 pref medium
>
> fe80::1 is a link-local address, so I assume the problem is that the
> kernel doesn't have a clue which interface it exactly can be reached over.
>
> but that doesn't matter, because you can disable route installation
> anyway, because you don't need it in your use case.
> So just set charon.install_routes=no and you're fine. It will improve
> performance on your setup, too.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 13:24, Houman wrote:
> > Hi Noel,
> >
> > I just tried to send it to the group but the message body was larger
> than 100kb and it was held back.
> >
> > I hope it's ok that I'm attaching them here directly. I hope this is
> what you were looking for.
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Thu, 18 Jul 2019 at 10:04, Noel Kuntze 
> wrote:
> >
> > Hello Houman,
> >
> > Those are still not all the IPv4 *and IPv6* routing tables.
> > Use `ip route show table all` for IPv4 and `ip -6 route show table
> all` for IPv6.
> >
> > Kind regards
> >
> > Noel
> >
> > On 18.07.19 at 10:29, Houman wrote:
> > > Hello Noel.
> > >
> > > Sorry, it's still too early in the morning for me.
> > >
> > > *> netstat -rn*
> > >
> > > Kernel IP routing table
> > > Destination  Gateway          Genmask  Flags  MSS  Window  irtt  Iface
> > > 0.0.0.0      136.243.104.xxx  0.0.0.0  UG     0    0       0     enp2s0
> > >
> > > *> route -n*
> > > Kernel IP routing table
> > > Destination  Gateway          Genmask  Flags  Metric  Ref  Use  Iface
> > > 0.0.0.0      136.243.104.xxx  0.0.0.0  UG     0       0    0    enp2s0
> > >
> > > *> ip route*
> > > default via 136.243.104.xxx dev enp2s0 proto static onlink
> > >
> > > If I have missed anything please let me know,
> > >
> > > Many Thanks,
> > > Houman
> > >
> > >
> > > On Thu, 18 Jul 2019 at 08:07, Noel Kuntze
>  wrote:
> > >
> > > Hello Houman,
> > >
> > > Those are not *routing* tables. Those are your *iptables*
> rules.
> > >
> > > Kind regards
> > >
> > > Noel
> > >
> > > On 18.07.19 at 09:02, Houman wrote:
> > > > Hello Noel,
> > > >
> > > > You're right. It's interesting that I always get the
> following error right after that. "unable to install source route for %any".
> > > >
> > > > Please find both the IPv4 and IPv6 routing tables as well as
> the ipsec.conf below.
> > > >
> > > > Please note that IPv6 is disabled since my configuration
> wasn't entirely supported on the latest Ubuntu 18.04 as we had established
> previously.
> > > >
> > > > *IPv4*
> > > >
> > > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18
> 2019
> > > > *filter
> > > > :INPUT DROP [2615693:262169077]
> > > > :FORWARD DROP [4655474:1206379130]
> > > > :OUTPUT ACCEPT [8219816926:9451426041332]
> > > > -A INPUT -i lo -j ACCEPT
> > > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > > -A FORWARD -s 10.10.0.0/17 <http://10.10.0.0/17> <
> http://10.10.0.0/17> <http://10.10.0.0/17> -d 10.10.0.0/17 <
> http://10.10.0.0/17> <http://10.10.0.0/17> <http://10.10

Re: [strongSwan] received netlink error: Network is unreachable

2019-07-18 Thread Houman
Hello Noel.

Sorry, it's still too early in the morning for me.

*> netstat -rn*

Kernel IP routing table
Destination  Gateway          Genmask  Flags  MSS  Window  irtt  Iface
0.0.0.0      136.243.104.xxx  0.0.0.0  UG     0    0       0     enp2s0

*> route -n*
Kernel IP routing table
Destination  Gateway          Genmask  Flags  Metric  Ref  Use  Iface
0.0.0.0      136.243.104.xxx  0.0.0.0  UG     0       0    0    enp2s0

*> ip route*
default via 136.243.104.xxx dev enp2s0 proto static onlink

If I have missed anything please let me know,

Many Thanks,
Houman


On Thu, 18 Jul 2019 at 08:07, Noel Kuntze 
wrote:

> Hello Houman,
>
> Those are not *routing* tables. Those are your *iptables* rules.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 09:02, Houman wrote:
> > Hello Noel,
> >
> > You're right. It's interesting that I always get the following error
> right after that. "unable to install source route for %any".
> >
> > Please find both the IPv4 and IPv6 routing tables as well as the
> ipsec.conf below.
> >
> > Please note that IPv6 is disabled since my configuration wasn't entirely
> supported on the latest Ubuntu 18.04 as we had established previously.
> >
> > *IPv4*
> >
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *filter
> > :INPUT DROP [2615693:262169077]
> > :FORWARD DROP [4655474:1206379130]
> > :OUTPUT ACCEPT [8219816926:9451426041332]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *nat
> > :PREROUTING ACCEPT [212142454:17804580572]
> > :INPUT ACCEPT [1326262:431133155]
> > :OUTPUT ACCEPT [174309:20072403]
> > :POSTROUTING ACCEPT [174309:20072403]
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *mangle
> > :PREROUTING ACCEPT [78101233478:52605889723396]
> > :INPUT ACCEPT [28473561018:8872181346525]
> > :FORWARD ACCEPT [49618124462:43732105143957]
> > :OUTPUT ACCEPT [34893259071:40508743962892]
> > :POSTROUTING ACCEPT [84492095926:84235652892511]
> > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> >
> > *and IPv6*
> >
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > *filter
> > :INPUT DROP [53380:3843262]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [54922:3965190]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Thu Jul 18 06:55:55 2019
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > *nat
> > :PREROUTING ACCEPT [16411485:1786456120]
> > :INPUT ACCEPT [2:392]
> > :OUTPUT ACCEPT [232:18788]
> > :POSTROUTING ACCEPT [232:18788]
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out
> --pol ipsec -j ACCEPT
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Jul 18 06:55:55 2019
> >
> > *and ipsec.conf*
> >
> > config setup
> >   strictcrlpolicy=yes
> >   uniqueids=never
> > conn Falkenstein-2
> >   auto=add
> >   compress=no
> >   type=tunnel

Re: [strongSwan] received netlink error: Network is unreachable

2019-07-18 Thread Houman
Hello Noel,

You're right. It's interesting that I always get the following error right
after that. "unable to install source route for %any".

Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf
below.

Please note that IPv6 is disabled since my configuration wasn't entirely
supported on the latest Ubuntu 18.04 as we had established previously.

*IPv4*

# Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
*filter
:INPUT DROP [2615693:262169077]
:FORWARD DROP [4655474:1206379130]
:OUTPUT ACCEPT [8219816926:9451426041332]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Thu Jul 18 06:54:18 2019
# Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
*nat
:PREROUTING ACCEPT [212142454:17804580572]
:INPUT ACCEPT [1326262:431133155]
:OUTPUT ACCEPT [174309:20072403]
:POSTROUTING ACCEPT [174309:20072403]
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 18 06:54:18 2019
# Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
*mangle
:PREROUTING ACCEPT [78101233478:52605889723396]
:INPUT ACCEPT [28473561018:8872181346525]
:FORWARD ACCEPT [49618124462:43732105143957]
:OUTPUT ACCEPT [34893259071:40508743962892]
:POSTROUTING ACCEPT [84492095926:84235652892511]
-A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec
-m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT
# Completed on Thu Jul 18 06:54:18 2019

*and IPv6*

# Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
*filter
:INPUT DROP [53380:3843262]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [54922:3965190]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Thu Jul 18 06:55:55 2019
# Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
*nat
:PREROUTING ACCEPT [16411485:1786456120]
:INPUT ACCEPT [2:392]
:OUTPUT ACCEPT [232:18788]
:POSTROUTING ACCEPT [232:18788]
-A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol
ipsec -j ACCEPT
-A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 18 06:55:55 2019

*and ipsec.conf*

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn Falkenstein-2
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  dpdtimeout=3600s
  rekey=no
  left=%any
  leftid=@de-fsn-2.x.net
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0, ::/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
  leftfirewall=no


Many Thanks,
Houman

On Thu, 18 Jul 2019 at 07:42, Noel Kuntze 
wrote:

> Hello Houman,
>
> That happens when the main routing table (Or other tables in newer
> kernels) does not have any routes that allow the new route to be installed
> (next hop is not reachable over a local interface).
> For the exact reason, you'd need to at least provide the IPv6 routing
> tables.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 00:47, Houman wrote:
> > Hello,
> >
> > I'm getting this error in the syslog.
> >
> > It still connects but I keep getting this error sometimes:
> > *charon: 15[KNL] received netlink error: Network is unreachable (101)*
> >
> > Why is that?
> >
> > *Syslog:*
> >
> > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to
> 'c8c09c88-8a67-4af6-8620-xx'
> >
> > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP
> 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xx'
> >
> > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6
> >
> > Jul 17 21:31:08 de-fsn-

[strongSwan] received netlink error: Network is unreachable

2019-07-17 Thread Houman
Hello,

I'm getting this error in the syslog.

It still connects but I keep getting this error sometimes:
*charon: 15[KNL] received netlink error: Network is unreachable (101)*

Why is that?

*Syslog:*

Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to
'c8c09c88-8a67-4af6-8620-xx'

Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127
to peer 'c8c09c88-8a67-4af6-8620-xx'

Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6

Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to
'c8c09c88-8a67-4af6-8620-xx'

Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP
fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xx'

Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error: Network is
unreachable (101)

Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source route for
%any

Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA Falkenstein-2{455771}
established with SPIs c6b5caac_i 0c8a8cdf_o and TS 0.0.0.0/0 ::/0 ===
10.10.55.127/32 fdd2:54c4:4c90:1::307f/128

Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS Accounting-Request
to server 'server-a'

Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from
109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)

Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS
Accounting-Response from server 'server-a'

Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH response 6 [
AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]

Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]

Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from
136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN' with EAP
successful

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of '
de-fsn-2.x.net' (myself) with EAP

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA Falkenstein-2[549905]
established between 136.243.xxx.xxx[de-fsn-2.x.net
]...109.177.xx.xxx[VPN]

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any

Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to
'b05ccf72-7bad-425e-95e0-x'

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP 10.10.50.102
to peer 'b05ccf72-7bad-425e-95e0-x'

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any6

Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to
'b05ccf72-7bad-425e-95e0-x'

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP
fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-x'

Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error: Network is
unreachable (101)

Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source route for
%any

Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA Falkenstein-2{455772}
established with SPIs c23f2271_i 07d2a903_o and TS 0.0.0.0/0 ::/0 ===
10.10.50.102/32 fdd2:54c4:4c90:1::2b66/128

Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS Accounting-Request
to server 'server-a'

Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from
94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)

Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS
Accounting-Response from server 'server-a'

Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH response 6 [
AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]

Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type (25)

Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6
(25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]

Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from
136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)

Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching
136.243.xxx.xxx[de-fsn-2.x.net]...94.206.xxx.xxx[VPN]

Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config
'Falkenstein-2'


Many Thanks,

Houman


Re: [strongSwan] pool '10.10.10.0/24' is full, unable to assign address

2019-06-10 Thread Houman
Hi Noel,

That's fantastic. You mean this setup could deal with 25,600 at a time?
That would be incredible.

So if I pick CIDR *10.10.10.0/17*, that could work with *32768*. Do you think that's too much?

Or should I rather go lower with *10.10.10.0/18*, which comes down to *16384*?

Many Thanks,
Houman



On Mon, 10 Jun 2019 at 10:35, Noel Kuntze
 wrote:

> Hello Houman,
>
> Easily. Add a couple of zeros. And you don't need that much memory.
>
> Kind regards
> Noel
>
> Am 10.06.19 um 10:51 schrieb Houman:
> > Hey guys,
> >
> > I'm getting the following error message in Syslog:
> >
> > *pool '10.10.10.0/24' is full, unable to assign address*
> >
> > This means I have more than 256 users at a time on the server.
> >
> > What is the ideal setting for a VPN on a server with Intel Xeon
> E3-1246V3 (8 CPU) with 32 Gb RAM? Are 512 users doable on this server above?
> >
> > I think *10.10.10.0/23* means 512 IPs can be
> allocated. Do you agree that this IP pool for strongswan makes sense?
> >
> >
> > Many Thanks,
> > Houman
>
>


[strongSwan] pool '10.10.10.0/24' is full, unable to assign address

2019-06-10 Thread Houman
Hey guys,

I'm getting the following error message in Syslog:

*pool '10.10.10.0/24' is full, unable to assign address*

This means I have more than 256 users at a time on the server.

What is the ideal setting for a VPN on a server with Intel Xeon E3-1246V3
(8 CPU) with 32 Gb RAM? Are 512 users doable on this server above?

I think *10.10.10.0/23* means 512 IPs can be allocated. Do you agree that
this IP pool for strongswan makes sense?


Many Thanks,
Houman


[strongSwan] VPN connection times out

2019-05-01 Thread Houman
 address*

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

   valid_lft forever preferred_lft forever

2: eth0:  mtu 1500 qdisc fq_codel state UP
group default qlen 1000

link/ether be:8d:3e:0f:9d:42 brd ff:ff:ff:ff:ff:ff

inet 157.230.xx.xxx/20 brd 157.230.31.255 scope global eth0

   valid_lft forever preferred_lft forever

inet 10.19.0.6/16 brd 10.19.255.255 scope global eth0

   valid_lft forever preferred_lft forever

inet6 fe80::bc8d:3eff:fe0f:9d42/64 scope link

   valid_lft forever preferred_lft forever

3: eth1:  mtu 1500 qdisc fq_codel state UP
group default qlen 1000

link/ether 7a:0e:63:78:ba:b7 brd ff:ff:ff:ff:ff:ff

inet 10.135.41.65/16 brd 10.135.255.255 scope global eth1

   valid_lft forever preferred_lft forever

inet6 fe80::780e:63ff:fe78:bab7/64 scope link

   valid_lft forever preferred_lft forever


Please let me know if you need to see anything else,


Many Thanks,

Houman


[strongSwan] EAP_MSCHAPV2 failed for peer VPN

2019-04-28 Thread Houman
Hello guys,

Around three days ago, I received multiple reports from my users (all from
UAE) that the VPN isn't working.

Looking at the logs I can see that some users are getting this error shown
in StrongSwan:

Apr 27 08:02:42 gb-lon-1 ipsec[795]: 14[IKE] RADIUS authentication of
'5697324e-xxx-9273-0e0f3d1cbb28' failed
Apr 27 08:02:42 gb-lon-1 ipsec[795]: 14[IKE] EAP method EAP_MSCHAPV2 failed
for peer VPN

I can connect to it without any trouble from London.  Could the VPN IP have
been blocked in UAE?  Or has a recent security update in Ubuntu 18.04
caused a side effect?  Trying to think of any reason why this could happen
out of the blue.

Many Thanks,
Houman


Re: [strongSwan] Is it possible to see which IP addresses the VPN users are accessing?

2019-04-17 Thread Houman
Hello Noel,

Thank you for the tip. I will definitely look into RELP. For now, I finally
got it working with a JSON output for testing purposes only.

I added this to the iptables:
sudo iptables -I FORWARD ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NFLOG --nflog-prefix "Web 80" --nflog-group 1

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2022
4    ACCEPT     all  --  anywhere             anywhere
5    DROP       all  --  anywhere             anywhere             state INVALID
6    ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
7    ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
8    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    NFLOG      tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN state NEW nflog-prefix "Web 80" nflog-group 1
2    ACCEPT     all  --  ip-10-10-10-0.eu-west-2.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
3    ACCEPT     all  --  anywhere             ip-10-10-10-0.eu-west-2.compute.internal/24  policy match dir out pol ipsec proto esp
4    DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

It works nicely.  BUT the source IP shows as 10.10.10.8
I was expecting to see my real IP address. What am I missing, please?

I know I can't add it to the INPUT because the VPN is masquerading. I have
to put the rule against FORWARD, otherwise, I get no entries in the log. So
what to do?

{
  "timestamp": "2019-04-17T09:37:40.502387",
  "dvc": "My awesome Netfilter firewall",
  "raw.pktlen": 64,
  "raw.pktcount": 1,
  "oob.prefix": "Web 80",
  "oob.time.sec": 1555493860,
  "oob.time.usec": 502387,
  "oob.mark": 0,
  "oob.ifindex_in": 2,
  "oob.ifindex_out": 2,
  "oob.hook": 2,
  "raw.mac_len": 14,
  "oob.family": 2,
  "oob.protocol": 2048,
  "action": "allowed",
  "raw.type": 1,
  "raw.mac.addrlen": 6,
  "ip.protocol": 6,
  "ip.tos": 0,
  "ip.ttl": 63,
  "ip.totlen": 64,
  "ip.ihl": 5,
  "ip.csum": 44141,
  "ip.id": 0,
  "ip.fragoff": 16384,
  "src_port": 55560,
  "dest_port": 80,
  "tcp.seq": 1199851582,
  "tcp.ackseq": 0,
  "tcp.window": 65535,
  "tcp.offset": 0,
  "tcp.reserved": 0,
  "tcp.urg": 0,
  "tcp.ack": 0,
  "tcp.psh": 0,
  "tcp.rst": 0,
  "tcp.syn": 1,
  "tcp.fin": 0,
  "tcp.res1": 0,
  "tcp.res2": 3,
  "tcp.csum": 26423,
  "oob.in": "eth0",
  "oob.out": "eth0",
  "src_ip": "10.10.10.8",
  "dest_ip": "52.85.70.228",
  "mac.saddr.str": "xx",
  "mac.daddr.str": "xx",
  "mac.str": "xx"
}

Many Thanks,
Houman

On Tue, 16 Apr 2019 at 21:40, Noel Kuntze
 wrote:

> Hello Houman,
>
> I'd keep the logs as text only and stream them to a logging service via
> RELP (don't use syslog over tcp. It can lose messages. RELP ensures
> delivery by design.).
> Unless you really got a boatload of clients (> 4000) on a single system, I
> doubt you'll run into problems.
>
> Kind regards
>
> Noel
>
> Am 16.04.19 um 22:19 schrieb Houman:
> > Hello Noel,
> >
> > Thank you very much for your detailed answer. I started looking into
> ulogd2. Tutorials and documentation seem a bit scarce, but I'm sure I will
> find my way around it eventually. If you have a good recommendation
> please let me know.
> >
> > Do you recommend keeping ulogd2's logs locally or rather feeding them into
> a local LogStash?  I wonder which one is faster and less resource hungry.
> >
> > Many Thanks,
> > Houman
> >
> >
> >
> >
> >
> >
> > On Mon, 15 Apr 2019 at 19:26, Noel Kuntze
>  wrote:
> >
> > Hello Houman,
> >
> > No, that is not a layer that strongSwan or freeradius does have
> access to. You need to log (and account) the user's traffic using, for
> example, a netflow collector or ulogd2 (which can use Linux's native
> conntrack
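
A defender-side join of the two data sources this thread discusses, added here as an example; it is not code from the thread, from ulogd2 or from strongSwan. Seeing 10.10.10.8 rather than the client's public address is expected: the FORWARD hook logs the decrypted inner packet before POSTROUTING masquerades it, and that pool address is exactly the key that RADIUS accounting (Framed-IP-Address plus the session start/stop dates mentioned earlier in the thread) can turn into a username. Because strongSwan reuses leases (the "reassigning offline lease" lines at the top of this page), the join has to be on address and time, not on address alone. Assumed: ulogd2 JSON field names as in the record above (oob.time.sec, src_ip, dest_ip, dest_port), radacct-style rows with username, framedipaddress, acctstarttime and acctstoptime as epoch seconds, and the sample rows and log lines are constructed.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed accounting rows, shaped like FreeRADIUS's radacct table
# (acctstoptime None = session still open).  The same pool address is held by
# two users at different times, which is why the address alone never
# identifies a user.
SESSIONS: List[Dict] = [
    {"username": "alice", "framedipaddress": "10.10.10.8",
     "acctstarttime": 1555490000, "acctstoptime": 1555492000},
    {"username": "bob", "framedipaddress": "10.10.10.8",
     "acctstarttime": 1555493000, "acctstoptime": None},
    {"username": "carol", "framedipaddress": "10.10.10.9",
     "acctstarttime": 1555493500, "acctstoptime": None},
]

# Constructed ulogd2 JSON lines using the field names from the record in the
# post (only the fields this join needs are kept).
NFLOG_LINES: List[str] = [
    '{"oob.time.sec": 1555493860, "oob.prefix": "Web 80", "src_ip": "10.10.10.8", '
    '"dest_ip": "52.85.70.228", "dest_port": 80, "tcp.syn": 1}',
    '{"oob.time.sec": 1555491000, "oob.prefix": "Web 80", "src_ip": "10.10.10.8", '
    '"dest_ip": "203.0.113.5", "dest_port": 443, "tcp.syn": 1}',
    '{"oob.time.sec": 1555493900, "oob.prefix": "Web 80", "src_ip": "10.10.10.77", '
    '"dest_ip": "198.51.100.7", "dest_port": 80, "tcp.syn": 1}',
    "this line is not JSON",
]


def session_for(ip: str, ts: int, sessions: Iterable[Dict]) -> Optional[Dict]:
    """Return the accounting session that held pool address `ip` at epoch
    second `ts`, or None.  An open session (acctstoptime None) matches any
    later time."""
    for s in sessions:
        if s["framedipaddress"] != ip:
            continue
        stop = s["acctstoptime"]
        if s["acctstarttime"] <= ts and (stop is None or ts <= stop):
            return s
    return None


def attribute_flows(lines: Iterable[str], sessions: List[Dict]) -> List[Dict]:
    """Join NFLOG records to users by (pool address, time window).

    Unparseable lines and flows with no matching session are kept and
    flagged rather than dropped, so gaps in the evidence stay visible."""
    out: List[Dict] = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            out.append({"error": "unparseable", "raw": raw})
            continue
        ts = int(rec["oob.time.sec"])
        s = session_for(rec["src_ip"], ts, sessions)
        out.append({
            "ts": ts,
            "pool_ip": rec["src_ip"],
            "user": s["username"] if s else None,
            "dest": f'{rec["dest_ip"]}:{rec["dest_port"]}',
            "prefix": rec.get("oob.prefix"),
        })
    return out


if __name__ == "__main__":
    for row in attribute_flows(NFLOG_LINES, SESSIONS):
        print(row)
```

strongSwan's own "assigning virtual IP ... to peer '...'" lines (visible at the top of this page) pair the pool address with the EAP identity at assignment time, so they serve as a cross-check against the accounting rows; the peer's public address is in the "IKE_SA ... established between" lines next to them, not in the NFLOG record.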

Re: [strongSwan] Is it possible to see which IP addresses the VPN users are accessing?

2019-04-16 Thread Houman
Hello Noel,

Thank you very much for your detailed answer. I started looking into
ulogd2. Tutorials and documentation seem a bit scarce, but I'm sure I will
find my way around it eventually. If you have a good recommendation
please let me know.

Do you recommend keeping ulogd2's logs locally or rather feeding them into a
local LogStash?  I wonder which one is faster and less resource hungry.

Many Thanks,
Houman






On Mon, 15 Apr 2019 at 19:26, Noel Kuntze
 wrote:

> Hello Houman,
>
> No, that is not a layer that strongSwan or freeradius does have access to.
> You need to log (and account) the user's traffic using, for example, a
> netflow collector or ulogd2 (which can use Linux's native conntrack
> connection tracking system) to capture the relevant data. Using ulogd2 is
> advised, because unless you disabled conntrack for the relevant
> connections, you are basically guaranteed to get all information from
> conntrack (unless ulogd2 can't keep up, but then you don't have enough
> resources, so you have another issue already).
>
> Kind regards
>
> Noel
>
> Am 15.04.19 um 20:13 schrieb Houman:
> > Hello,
> >
> > We got a notification from the German Federal Office for Information
> Security that one of our users has been using a website with malware to
> steal personal information and commit online-banking fraud. To cover their
> tracks they have been using our StrongSwan VPN.
> >
> >
> > We have now blocked the IPs that resolve to the given website to prevent
> this from happening.  Unfortunately, the freeRadius logs and syslog we have
> in place are not enough to pinpoint it to the exact culprit.
> >
> >
> > Is there a way to run strongswan with maximum verbose logs to see which
> EAP-Radius user has been accessing which IP address at what time? We would
> like to ban users like this in future.
> >
> >
> > From Freeradius we get to see the acctstartdate, acctupdatedate and
> acctstopdate but there is no way to relate this to their activities.
> >
> >
> >
> > Many Thanks,
> >
> > Houman
>
>


[strongSwan] Is it possible to see which IP addresses the VPN users are accessing?

2019-04-15 Thread Houman
Hello,

We got a notification from the German Federal Office for Information
Security that one of our users has been using a website with malware to
steal personal information and commit online-banking fraud. To cover their
tracks they have been using our StrongSwan VPN.


We have now blocked the IPs that resolve to the given website to prevent
this from happening.  Unfortunately, the freeRadius logs and syslog we have
in place are not enough to pinpoint it to the exact culprit.


Is there a way to run strongswan with maximum verbose logs to see which
EAP-Radius user has been accessing which IP address at what time? We would
like to ban users like this in future.


From Freeradius we get to see the acctstartdate, acctupdatedate and
acctstopdate but there is no way to relate this to their activities.



Many Thanks,
Houman


Re: [strongSwan] Windows 10 connects to StrongSwan but IP doesn't change

2019-04-14 Thread Houman
Hi Felipe,

Sorry for the late reply.  Below is the information you had requested. It
shows 10.10.10.1 instead of 10.10.10.0. Is that the problem?
What can I do?

PPP adapter vpn-1.domain.net:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vpn-1.domain.net
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 208.67.222.222
   208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Many Thanks,
Houman

On Tue, 2 Apr 2019 at 16:09, Felipe Arturo Polanco 
wrote:

> Hi,
>
> Do an ipconfig /all in windows and check that you have an 10.10.10.0/24
> IP in the output.
>
> On Tue, Apr 2, 2019 at 6:03 AM Houman  wrote:
>
>> Hey guys,
>>
>> I wonder if this email went through and someone has an idea why this is
>> happening.
>>
>> Many Thanks,
>> Houman
>>
>> On Fri, 29 Mar 2019 at 17:04, Houman  wrote:
>>
>>> Hello,
>>>
>>> Please help me with this, as I'm completely stuck.
>>>
>>> Windows 10 can connect to my StrongSwan server. But the IP address
>>> doesn't change to the VPN. It still shows the local IP address. Accordingly
>>> blocked websites remain blocked.
>>>
>>> config setup
>>>   strictcrlpolicy=yes
>>>   uniqueids=never
>>> conn roadwarrior
>>>   auto=add
>>>   compress=no
>>>   type=tunnel
>>>   keyexchange=ikev2
>>>   fragmentation=yes
>>>   forceencaps=yes
>>>   ike=aes256gcm16-prfsha256-ecp521,aes256-sha256-ecp384
>>>   esp=aes256-sha1,3des-sha1!
>>>   dpdaction=clear
>>>   dpddelay=180s
>>>   rekey=no
>>>   left=%any
>>>   leftid=@vpn-1.domain.net
>>>   leftcert=cert.pem
>>>   leftsendcert=always
>>>   leftsubnet=0.0.0.0/0
>>>   right=%any
>>>   rightid=%any
>>>   rightauth=eap-radius
>>>   eap_identity=%any
>>>   rightdns=208.67.222.222,208.67.220.220
>>>   rightsourceip=10.10.10.0/24
>>>   rightsendcert=never
>>>
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[NET] received packet: from
>>> 91.98.xxx.xxx[500] to 172.31.0.243[500] (632 bytes)
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA
>>> KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS NT5 ISAKMPOAKLEY v9
>>> vendor ID
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS-Negotiation Discovery
>>> Capable vendor ID
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[IKE] received Vid-Initial-Contact
>>> vendor ID
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[ENC] received unknown vendor ID:
>>> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[IKE] 91.98.xxx.xxx is initiating an
>>> IKE_SA
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[IKE] local host is behind NAT, sending
>>> keep alives
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[IKE] remote host is behind NAT
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[ENC] generating IKE_SA_INIT response 0
>>> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 08[NET] sending packet: from
>>> 172.31.0.243[500] to 91.98.xxx.xxx[500] (448 bytes)
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 09[NET] received packet: from
>>> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 09[ENC] parsed IKE_AUTH request 1 [
>>> EF(1/4) ]
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 09[ENC] received fragment #1 of 4, waiting
>>> for complete IKE message
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 10[NET] received packet: from
>>> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 10[ENC] parsed IKE_AUTH request 1 [
>>> EF(2/4) ]
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 10[ENC] received fragment #2 of 4, waiting
>>> for complete IKE message
>>>
>>> Mar 29 16:50:45 vpn-1 charon: 12[NET] received packet: from
>>> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
>>>
>>> Mar 29 16:50:45 

Re: [strongSwan] Windows 10 connects to StrongSwan but IP doesn't change

2019-04-02 Thread Houman
Hey guys,

I wonder if this email went through and someone has an idea why this is
happening.

Many Thanks,
Houman

On Fri, 29 Mar 2019 at 17:04, Houman  wrote:

> Hello,
>
> Please help me with this, as I'm completely stuck.
>
> Windows 10 can connect to my StrongSwan server. But the IP address doesn't
> change to the VPN. It still shows the local IP address. Accordingly blocked
> websites remain blocked.
>
> config setup
>   strictcrlpolicy=yes
>   uniqueids=never
> conn roadwarrior
>   auto=add
>   compress=no
>   type=tunnel
>   keyexchange=ikev2
>   fragmentation=yes
>   forceencaps=yes
>   ike=aes256gcm16-prfsha256-ecp521,aes256-sha256-ecp384
>   esp=aes256-sha1,3des-sha1!
>   dpdaction=clear
>   dpddelay=180s
>   rekey=no
>   left=%any
>   leftid=@vpn-1.domain.net
>   leftcert=cert.pem
>   leftsendcert=always
>   leftsubnet=0.0.0.0/0
>   right=%any
>   rightid=%any
>   rightauth=eap-radius
>   eap_identity=%any
>   rightdns=208.67.222.222,208.67.220.220
>   rightsourceip=10.10.10.0/24
>   rightsendcert=never
>
>
> Mar 29 16:50:45 vpn-1 charon: 08[NET] received packet: from
> 91.98.xxx.xxx[500] to 172.31.0.243[500] (632 bytes)
>
> Mar 29 16:50:45 vpn-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
>
> Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
>
> Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS-Negotiation Discovery
> Capable vendor ID
>
> Mar 29 16:50:45 vpn-1 charon: 08[IKE] received Vid-Initial-Contact vendor
> ID
>
> Mar 29 16:50:45 vpn-1 charon: 08[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
>
> Mar 29 16:50:45 vpn-1 charon: 08[IKE] 91.98.xxx.xxx is initiating an IKE_SA
>
> Mar 29 16:50:45 vpn-1 charon: 08[IKE] local host is behind NAT, sending
> keep alives
>
> Mar 29 16:50:45 vpn-1 charon: 08[IKE] remote host is behind NAT
>
> Mar 29 16:50:45 vpn-1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>
> Mar 29 16:50:45 vpn-1 charon: 08[NET] sending packet: from
> 172.31.0.243[500] to 91.98.xxx.xxx[500] (448 bytes)
>
> Mar 29 16:50:45 vpn-1 charon: 09[NET] received packet: from
> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
>
> Mar 29 16:50:45 vpn-1 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
>
> Mar 29 16:50:45 vpn-1 charon: 09[ENC] received fragment #1 of 4, waiting
> for complete IKE message
>
> Mar 29 16:50:45 vpn-1 charon: 10[NET] received packet: from
> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
>
> Mar 29 16:50:45 vpn-1 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
>
> Mar 29 16:50:45 vpn-1 charon: 10[ENC] received fragment #2 of 4, waiting
> for complete IKE message
>
> Mar 29 16:50:45 vpn-1 charon: 12[NET] received packet: from
> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
>
> Mar 29 16:50:45 vpn-1 charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
>
> Mar 29 16:50:45 vpn-1 charon: 12[ENC] received fragment #3 of 4, waiting
> for complete IKE message
>
> Mar 29 16:50:45 vpn-1 charon: 11[NET] received packet: from
> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (112 bytes)
>
> Mar 29 16:50:45 vpn-1 charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
>
> Mar 29 16:50:45 vpn-1 charon: 11[ENC] received fragment #4 of 4,
> reassembling fragmented IKE message
>
> Mar 29 16:50:45 vpn-1 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi
> CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>
> Mar 29 16:50:45 vpn-1 charon: 11[IKE] received 57 cert requests for an
> unknown ca
>
> Mar 29 16:50:45 vpn-1 charon: 11[CFG] looking for peer configs matching
> 172.31.0.243[%any]...91.98.xxx.xxx[192.168.1.104]
>
> Mar 29 16:50:45 vpn-1 charon: 11[CFG] selected peer config 'roadwarrior'
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[ENC] parsed CREATE_CHILD_SA request
> 15 [ SA No TSi TSr ]
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[IKE] CHILD_SA roadwarrior{3}
> established with SPIs ccadd085_i d57f9f2c_o and TS 0.0.0.0/0 ===
> 10.10.10.1/32
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[ENC] generating CREATE_CHILD_SA
> response 15 [ SA No TSi TSr ]
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[NET] sending packet: from
> 172.31.0.243[4500] to 91.98.xxx.xxx[4500] (204 bytes)
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[NET] received packet: from
> 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (76 bytes)
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[ENC] parsed INFORMATIONAL request 16
> [ D ]
>
> Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] received DELETE for

[strongSwan] Windows 10 connects to StrongSwan but IP doesn't change

2019-03-29 Thread Houman
Hello,

Please help me with this, as I'm completely stuck.

Windows 10 can connect to my StrongSwan server. But the IP address doesn't
change to the VPN. It still shows the local IP address. Accordingly blocked
websites remain blocked.

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-prfsha256-ecp521,aes256-sha256-ecp384
  esp=aes256-sha1,3des-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@vpn-1.domain.net
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=10.10.10.0/24
  rightsendcert=never


Mar 29 16:50:45 vpn-1 charon: 08[NET] received packet: from
91.98.xxx.xxx[500] to 172.31.0.243[500] (632 bytes)

Mar 29 16:50:45 vpn-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]

Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID

Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS-Negotiation Discovery
Capable vendor ID

Mar 29 16:50:45 vpn-1 charon: 08[IKE] received Vid-Initial-Contact vendor ID

Mar 29 16:50:45 vpn-1 charon: 08[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02

Mar 29 16:50:45 vpn-1 charon: 08[IKE] 91.98.xxx.xxx is initiating an IKE_SA

Mar 29 16:50:45 vpn-1 charon: 08[IKE] local host is behind NAT, sending
keep alives

Mar 29 16:50:45 vpn-1 charon: 08[IKE] remote host is behind NAT

Mar 29 16:50:45 vpn-1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]

Mar 29 16:50:45 vpn-1 charon: 08[NET] sending packet: from
172.31.0.243[500] to 91.98.xxx.xxx[500] (448 bytes)

Mar 29 16:50:45 vpn-1 charon: 09[NET] received packet: from
91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)

Mar 29 16:50:45 vpn-1 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]

Mar 29 16:50:45 vpn-1 charon: 09[ENC] received fragment #1 of 4, waiting
for complete IKE message

Mar 29 16:50:45 vpn-1 charon: 10[NET] received packet: from
91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)

Mar 29 16:50:45 vpn-1 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]

Mar 29 16:50:45 vpn-1 charon: 10[ENC] received fragment #2 of 4, waiting
for complete IKE message

Mar 29 16:50:45 vpn-1 charon: 12[NET] received packet: from
91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)

Mar 29 16:50:45 vpn-1 charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]

Mar 29 16:50:45 vpn-1 charon: 12[ENC] received fragment #3 of 4, waiting
for complete IKE message

Mar 29 16:50:45 vpn-1 charon: 11[NET] received packet: from
91.98.xxx.xxx[4500] to 172.31.0.243[4500] (112 bytes)

Mar 29 16:50:45 vpn-1 charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]

Mar 29 16:50:45 vpn-1 charon: 11[ENC] received fragment #4 of 4,
reassembling fragmented IKE message

Mar 29 16:50:45 vpn-1 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]

Mar 29 16:50:45 vpn-1 charon: 11[IKE] received 57 cert requests for an
unknown ca

Mar 29 16:50:45 vpn-1 charon: 11[CFG] looking for peer configs matching
172.31.0.243[%any]...91.98.xxx.xxx[192.168.1.104]

Mar 29 16:50:45 vpn-1 charon: 11[CFG] selected peer config 'roadwarrior'

Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[ENC] parsed CREATE_CHILD_SA request
15 [ SA No TSi TSr ]

Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[IKE] CHILD_SA roadwarrior{3}
established with SPIs ccadd085_i d57f9f2c_o and TS 0.0.0.0/0 ===
10.10.10.1/32

Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[ENC] generating CREATE_CHILD_SA
response 15 [ SA No TSi TSr ]

Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[NET] sending packet: from
172.31.0.243[4500] to 91.98.xxx.xxx[4500] (204 bytes)

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[NET] received packet: from
91.98.xxx.xxx[4500] to 172.31.0.243[4500] (76 bytes)

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[ENC] parsed INFORMATIONAL request 16
[ D ]

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] received DELETE for ESP CHILD_SA
with SPI af63e684

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] closing CHILD_SA roadwarrior{2}
with SPIs cf6737f5_i (104 bytes) af63e684_o (0 bytes) and TS 0.0.0.0/0 ===
10.10.10.1/32

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] sending DELETE for ESP CHILD_SA
with SPI cf6737f5

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] CHILD_SA closed

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[ENC] generating INFORMATIONAL
response 16 [ D ]

Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[NET] sending packet: from
172.31.0.243[4500] to 91.98.xxx.xxx[4500] (76 bytes)

Mar 29 16:50:45 vpn-1 ipsec[1051]: 10[IKE] sending keep alive to
91.98.xxx.xxx[4500]

Mar 29 16:50:45 vpn-1 ipsec[1051]: 11[IKE] sending keep alive to
91.98.xxx.xxx[4500]

Mar 29 16:50:45 vpn-1 ipsec[1051]: 14[IKE] sending 

[strongSwan] Health check on Strongswan?

2019-03-02 Thread Houman
Hello,


Is there a way to check for the health of the VPN server? Is there a port I
could potentially ping and expect certain return value that indicates the
VPN is still up and running?


Many Thanks,

Houman


[strongSwan] Are these StrongSwan settings optimal for iOS devices?

2019-02-16 Thread Houman
Hello,

I have set up a StrongSwan server on Ubuntu 18.04 and am really enjoying
it. I was hoping to check with you guys to see if these settings are
optimal or if it could be still improved.

I only allow iOS devices to connect to this server. So I don't care that
much about Windows and Android at this point.  Security is important but
fast handshake and speed are also a key factor.  What do you think?

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=yes
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@my.server.com
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=10.10.10.0/24
  rightsendcert=never

Many Thanks,
Houman


[strongSwan] How to improve connection loss when moving from 4G to Wifi?

2019-02-09 Thread Houman
Hello,

I've set up strongSwan U5.6.2/K4.15.0-43-generic on Ubuntu 18.04. It works
very well.

However, is there any way to improve the connection, or avoid losing it, when
moving from cellular 4G to WiFi / WiFi to 4G?

I thought that IKEv2 could do that seamlessly?

Many Thanks,


[strongSwan] How to prevent StrongSwan VPN to be detected by Netflix?

2019-01-02 Thread Houman
Hi,

I have set up a StrongSwan VPN server, but when I try to watch Netflix over
it, Netflix recognises that I'm using a VPN and doesn't play the movie.

Is there any way to configure StrongSwan to avoid that? My research so far
suggests that the trick lies in the DNS rather than the VPN.

I'm still researching but if someone were so kind and advised me on this,
please, I would really appreciate it.

Many Thanks,


[strongSwan] Trusted PPA for StrongSwan?

2018-12-01 Thread Houman
Is there any trusted source for StrongSwan on Ubuntu 18.04?
I was hoping to keep up to date with the latest stable release.

Many Thanks,


[strongSwan] How to limit IKEv2 traffic per user?

2018-11-10 Thread Houman
Hello,

I have attempted to limit the VPN speed to 10Mbit per user.  But when I do
a DSL speed test with two devices simultaneously, it seems that the total
traffic is limited to 10Mbit/s in total rather than each device having
10Mbit/s on its own.

ETH0ORSIMILAR="eth0"
SERVER_LIMIT="10mbit"

tc qdisc del dev $ETH0ORSIMILAR root
tc qdisc add dev $ETH0ORSIMILAR root handle 1: htb
iptables -I FORWARD -s 10.10.10.0/24 -j MARK --set-mark 51
iptables -I FORWARD -d 10.10.10.0/24 -j MARK --set-mark 51
tc class add dev $ETH0ORSIMILAR parent 1:1 classid 1:51 htb rate $SERVER_LIMIT ceil $SERVER_LIMIT
tc qdisc add dev $ETH0ORSIMILAR parent 1:51 sfq perturb 10
tc filter add dev $ETH0ORSIMILAR protocol ip parent 1: prio 1 handle 51 fw flowid 1:51

I had followed this tutorial to achieve this:
https://linuxscriptshub.com/bandwidth-control-on-ikev2-with-tc-and-iptables/

I'm essentially marking 10.10.10.0/24 vpn ip pool with number 51. After the
marking, based on the single private IP address with iptables, I'd do the
bandwidth limiting based on the marking id 51.

Have I done this correctly?

further iptables settings:
VPNIPPOOL="10.10.10.0/24"

# accept anything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# rate-limit repeated new requests from same IP to any ports
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --set
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --update --seconds 60 --hitcount 12 -j DROP

# accept IPSec/NAT-T for VPN (ESP not needed with forceencaps, as ESP goes inside UDP)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# forward VPN traffic anywhere
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s $VPNIPPOOL -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d $VPNIPPOOL -j ACCEPT

# reduce MTU/MSS values for dumb VPN clients
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s $VPNIPPOOL -o $ETH0ORSIMILAR -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# masquerade VPN traffic over eth0 etc.
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -m policy --pol ipsec --dir out -j ACCEPT # exempt IPsec traffic from masquerading
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -j MASQUERADE

ipsec config:
config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@${VPNHOST}
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=${VPNIPPOOL}
  rightsendcert=never

Many Thanks,
Houman


Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-12 Thread Houman
Hello Jafar,

Thank you for the final proposals. I have entered them and it works great
with iOS and OSX. I have no Windows to test it yet.

The only reason I had picked 3des-sha1, was because the StrongSwan Wiki
claims this was needed for Mac (OSX)
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients.  But I
can see it works even without that.

My user in Iran still can't connect successfully. I have followed your
instructions. I have tailed the syslog below, hence this is all I can see:

May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA
May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT
May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to 91.99.xxx.xxx[500]
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout


I have also executed ipsec statusall


Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):
  uptime: 68 minutes, since May 12 09:55:31 2018
  malloc: sbrk 1773568, mmap 0, used 572416, free 1201152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/1
Listening IP addresses:
  172.31.xxx.xxx
Connections:
 roadwarrior:  %any...%any  IKEv2, dpddelay=180s
 roadwarrior:   local:  [vpn1.xxx.com] uses public key authentication
 roadwarrior:    cert:  "CN=vpn1.xxx.com"
 roadwarrior:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
 roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none


I can't quite see from this if they have blocked ESP or not. But I suspect
this is the case.


Many Thanks for your help,

Houman



On 11 May 2018 at 16:00, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:

> 1) The log shows that while it took a couple of attempts to establish an
> IKE SA, it was eventually up with an ESP Child SA as well. So, as far as I
> can see in your logs, the connection should be up. What happens next? do
> the logs show that the connection is dropped for some reason? what is the
> output of  "ipsec statusall"? Can you confirm that you are receiving ESP
> packets afterward, or if ESP is blocked?
>
> 2) Depending on the vpn clients you use, your proposals seem OK. I would
> expand them a bit with better DH group in case the client supports it in
> both IKE and ESP configs. In ESP case you can have two proposals, with and
> without DH groups if you have clients that can't do DH with ESP. Unless you
> really think you need 3des-sha1 for some clients, there is no reason to
> keep it. Here is an example:
>
> ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> es

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-11 Thread Houman
Hello Jafar,

Apologies, as I didn't explain what I had already tried.

1) I have tried your suggestion:

 ike=aes256-sha256-prfsha256-modp2048-modp1024!
 esp=aes256-sha256,aes256-sha1,3des-sha1!

I can connect to it via iOS 11 and OSX High Sierra without any problem from
UK.  And I no longer get that error message: "DH group MODP_2048
inacceptable, requesting MODP_1024".

However my user still can't connect.  As he is connecting from Iran, I
strongly suspect this is because of a recent tightening of the VPN traffic
due to the recent political circumstances.  Further below I have pasted the
log when he is trying to connect unsuccessfully. It says "Connecting..."
and after a few seconds, it drops.

2) Unrelated to that, considering what we discussed in this thread, it
seems I could skip both prfsha256 and modp1024. Would you say this is
now the perfect settings for iOS 10+, OSX and Windows 10?

 ike=aes256-sha256-modp2048!
 esp=aes256-sha256,aes256-sha1,3des-sha1!

Many Thanks for your help,
Houman

Btw here is the log when he is trying to connect:

May 11 07:55:16 vpn-server charon: 02[NET] received packet: from 109.230.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 11 07:55:16 vpn-server charon: 02[IKE] 109.230.xxx.xx is initiating an IKE_SA
May 11 07:55:16 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
May 11 07:55:16 vpn-server charon: 02[IKE] remote host is behind NAT
May 11 07:55:16 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 11 07:55:16 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 109.230.xxx.xx[500] (448 bytes)
May 11 07:55:36 vpn-server charon: 01[IKE] sending keep alive to 109.230.xxx.xx[500]
May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA after timeout
May 11 07:57:44 vpn-server charon: 16[NET] received packet: from 109.230.xxx.xx[1] to 172.31.xxx.xxx[500] (624 bytes)
May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 07:57:44 vpn-server charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received Vid-Initial-Contact vendor ID
May 11 07:57:44 vpn-server charon: 16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is initiating an IKE_SA
May 11 07:57:44 vpn-server charon: 16[IKE] local host is behind NAT, sending keep alives
May 11 07:57:44 vpn-server charon: 16[IKE] remote host is behind NAT
May 11 07:57:44 vpn-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 11 07:57:44 vpn-server charon: 16[NET] sending packet: from 172.31.xxx.xxx[500] to 109.230.xxx.xx[1] (440 bytes)
May 11 07:57:45 vpn-server charon: 04[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (1536 bytes)
May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests for an unknown ca
May 11 07:57:45 vpn-server charon: 04[CFG] looking for peer configs matching 172.31.xxx.xxx[%any]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:45 vpn-server charon: 04[CFG] selected peer config 'roadwarrior'
May 11 07:57:45 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 11 07:57:45 vpn-server charon: 04[IKE] peer supports MOBIKE
May 11 07:57:45 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com' (myself) with RSA signature successful
May 11 07:57:45 vpn-server charon: 04[IKE] sending end entity cert "CN=vpn1.xxx.com"
May 11 07:57:45 vpn-server charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 11 07:57:45 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
May 11 07:57:45 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (3616 bytes)
May 11 07:57:45 vpn-server charon: 02[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (96 bytes)
May 11 07:57:45 vpn-server charon: 02[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
May 11 07:57:45 vpn-server charon: 02[IKE] initiating EAP_MSCHAPV2 method (id 0x6C)
May 11 07:57:45 vpn-server charon: 02[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500] 

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-10 Thread Houman
10.0/24

  rightsendcert=never

Please let me know if you see any obvious problem. But I strongly believe
they have blocked the IKEV2 traffic...

Many Thanks,
Houman



On 9 May 2018 at 15:40, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:

> Hi Tobias,
>
> Thanks for the correction. What I meant to say is:
>
>  The PRF algorithm is derived from the integrity algorithm,
> but only if a DH group is also configured.
>
>  Correct?
>
> Regards,
> Jafar
>
>
> On 5/9/2018 2:21 AM, Tobias Brunner wrote:
>
>> Hi Jafar,
>>
>>   No need to configure a prf, it is already assumed when you
>>> configured a DH group; so you can drop prfsha256.
>>>
>> Small correction, the PRF algorithm, if not configured explicitly, is
>> not derived from the DH group, but the integrity algorithm, in this case
>> sha256.
>>
>> Regards,
>> Tobias
>>
>>
>


Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Houman
Thank you both Christian and Jafar for the clear proposals.

So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the
stronger set of encryption, do I set *aes256-sha256-prfsha256-modp2048* into
*ike* only?  Or both in *ike* and *esp*?

This part wasn't quite clear to me.

Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.

Many Thanks,
Houman



On 8 May 2018 at 08:40, Christian Salway <christian.sal...@naimuri.com>
wrote:

> The problem with Windows (10 at least) is that it offers the weakest
> ciphers first, so you should remove sha1 and 3des.
>
> The minimum proposals you should have and which are compatible with
> Windows 10, OSX, IOS and Linux are the following.
>
> *proposals = aes256-sha256-prfsha256-modp2048-modp1024*
>
> Although I would recommend adding the Windows 10 registry key [
> NegotiateDH2048_AES256] to use strong ciphers and then you can remove
> MODP1024
>
>
>
> On 7 May 2018, at 15:50, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
>
> Houman,
>
>   The Windows client proposals do not match your configured proposals.
> Your Windows client expects DH group 15 (MODP2048), whereas you have:
>
> aes256-3des-sha1-modp1024
>
> change that to:
>
> aes256-3des-sha1-modp2048
>
> I'd also add sha256 at least before sha1 (deemed insecure). If you still
> have other clients expecting modp1024, make it:
>
> aes256-3des-sha256-sha1-modp2048-modp1024
>
> That should get you covered.
>
> Regards,
> Jafar
>
>
> On 5/7/2018 8:17 AM, Houman wrote:
>
> Hello,
>
> Until a week ago a user with Windows 10 had no issue connecting to the
> StrongSwan server. But now out of the blue, he can't connect to the
> StrongSwan server anymore.
>
> The log on the server is:
>
> May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
> May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
> May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
> Directories...
> May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
> [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
> ignoring.
> May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary
> Directories.
> May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
> May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
> May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
> May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery
> Capable vendor ID
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor
> ID
> May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an
> IKE_SA
> May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
> IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
> IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
> May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
> May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
> xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
> 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
> vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery
> Capable vendor ID
> May  7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor
> ID
> May  7 13:11:28 vpn-p1

[strongSwan] Sudden issues with Windows 10 clients

2018-05-07 Thread Houman
Hello,

Until a week ago a user with Windows 10 had no issue connecting to the
StrongSwan server. But now out of the blue, he can't connect to the
StrongSwan server anymore.

The log on the server is:

May  7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May  7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May  7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May  7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May  7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary
Directories...
May  7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log",
ignoring.
May  7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
May  7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May  7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May  7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May  7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May  7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May  7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery
Capable vendor ID
May  7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor
ID
May  7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May  7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May  7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May  7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
May  7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May  7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May  7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May  7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
May  7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery
Capable vendor ID
May  7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor
ID
May  7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May  7 13:11:28 vpn-p1 charon: 16[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May  7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May  7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
May  7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
May  7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
May  7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)

The Server's ipsec.conf is:

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
  esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@${VPNHOST}
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=${VPNIPPOOL}
  rightsendcert=never

Have the supported ike/esp proposals somehow been changed recently after a
recent Windows 10 update?

I have made these changes on the Windows 10, after googling for a solution:

- The firewall on Windows 10 is currently disabled.
- I have set NegotiateDH2048_AES256 = 1 in Regedit
- AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit

I can't think of anything 
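Why charon answered N(NO_PROP) in the log above can be reproduced with a small proposal matcher; this is an added example, not strongSwan code. It parses ike= values and the received/configured lines from the log, applies the PRF rule Tobias Brunner gives in the thread (an unset PRF follows the integrity algorithm, not the DH group), and checks the three ike= values that appear in the thread; which one of several acceptable proposals charon finally selects is not modelled.

```python
"""IKEv2 proposal matcher modelling the NO_PROPOSAL_CHOSEN failure in the
thread above.  Added example, not strongSwan code.  An unset PRF is derived
from the integrity algorithm(s), as Tobias Brunner notes in the thread; which
of several acceptable proposals charon finally selects is not modelled."""
import re
from dataclasses import dataclass, field

# Names charon prints in "received/configured proposals" log lines, mapped to
# ipsec.conf keywords (only the algorithms that occur in this thread).
LOG_TO_KEYWORD = {
    "AES_CBC_256": "aes256", "AES_GCM_16_256": "aes256gcm16", "3DES_CBC": "3des",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "HMAC_SHA2_384_192": "sha384",
    "PRF_HMAC_SHA1": "prfsha1", "PRF_HMAC_SHA2_256": "prfsha256",
    "PRF_HMAC_SHA2_384": "prfsha384",
    "MODP_1024": "modp1024", "MODP_2048": "modp2048",
    "ECP_384": "ecp384", "ECP_521": "ecp521",
}


@dataclass
class Proposal:
    """One proposal: the set of acceptable algorithms per transform type."""
    enc: set = field(default_factory=set)
    integ: set = field(default_factory=set)
    prf: set = field(default_factory=set)
    dh: set = field(default_factory=set)


def classify(token):
    """Transform type of an ipsec.conf algorithm keyword."""
    if token.startswith("prf"):
        return "prf"
    if re.fullmatch(r"(modp|ecp)\d+", token):
        return "dh"
    if re.fullmatch(r"sha\d*|md5", token):
        return "integ"
    if re.fullmatch(r"aes\d+(gcm\d+)?|3des", token):
        return "enc"
    raise ValueError(f"unknown algorithm keyword: {token}")


def parse_config(ike_value):
    """Parse an ipsec.conf ike= value ('a-b-c,d-e-f!') into Proposal objects."""
    proposals = []
    for item in ike_value.rstrip("!").split(","):
        p = Proposal()
        for token in item.strip().split("-"):
            getattr(p, classify(token)).add(token)
        if not p.prf:
            # No explicit prf keyword: the PRF follows the integrity
            # algorithm(s), e.g. sha256 -> prfsha256 (not the DH group).
            p.prf = {"prf" + i for i in p.integ}
        proposals.append(p)
    return proposals


def parse_log(item):
    """Parse one 'IKE:ALG/ALG/...' item from a charon proposals log line."""
    item = item.strip()
    if item.startswith("IKE:"):
        item = item[4:]
    p = Proposal()
    for name in item.split("/"):
        kw = LOG_TO_KEYWORD[name]
        getattr(p, classify(kw)).add(kw)
    return p


def acceptable(received, configured):
    """A received proposal is acceptable when every algorithm it carries is
    allowed for that transform type by the configured proposal."""
    return (received.enc <= configured.enc and received.integ <= configured.integ
            and received.prf <= configured.prf and received.dh <= configured.dh)


def select(received_items, ike_value):
    """Indexes of received proposals that at least one configured proposal
    accepts.  An empty list is what charon logs as 'received proposals
    inacceptable' before answering with N(NO_PROP)."""
    configured = parse_config(ike_value)
    received = [parse_log(item) for item in received_items]
    return [i for i, r in enumerate(received)
            if any(acceptable(r, c) for c in configured)]


# The three proposals the Windows 10 client offered, from the log above.
WINDOWS10_RECEIVED = [
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048",
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048",
]
# The server's ike= line from the post, Jafar's suggested replacement, and
# the final aes256-sha256-modp2048 line from later in the thread.
ORIGINAL_IKE = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"
JAFAR_IKE = "aes256-3des-sha256-sha1-modp2048-modp1024"
FINAL_IKE = "aes256-sha256-modp2048!"

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_IKE), ("Jafar", JAFAR_IKE), ("final", FINAL_IKE)):
        chosen = select(WINDOWS10_RECEIVED, cfg)
        print(f"{label:9}: {'accepts received ' + str(chosen) if chosen else 'N(NO_PROP)'}")
```

Every received proposal carries MODP_2048, and none of the three configured proposals allows that group, so the DH group alone is enough to produce the rejection.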

Re: [strongSwan] IPsec broken for iphone with ios11?

2018-04-02 Thread Houman
I had the exact same problem.  I couldn't connect via iOS 11.2.6 on iPhone
X.  After upgrading to iOS 11.3 I can connect to StrongSwan again without
having touched any configuration.

Although it could be that the OS was somehow stuck and the hard restart
after update "cleared" it up. I should have restarted before the upgrade
for a better test.



On 31 March 2018 at 16:08, Harald Dunkel  wrote:

> On 03/29/18 18:23, Harald Dunkel wrote:
> > Hi folks,
> >
> > is it just me, or is IPsec broken for ios 11 (iphone)? I can establish
> > an IPsec connection once, but if I reconnect then the routing appears
> > to be broken. I cannot ping the DNServer on the remote net.
> >
> > My ipad (ios 10) with a similar profile has no such problem.
> >
> > Can anybody reproduce this?
> >
>
> Using the new ios 11.3 or macos 10.13.4 the problem vanished.
>
>
> Regards
> Harri
>


[strongSwan] Enabled eap-radius doesn't log session information

2017-12-25 Thread Houman
Hello,

I have set up StrongSwan successfully with FreeRadius.  I can create a new
user in the radcheck table inside radius DB and authenticate with the VPN
with that user afterwards.

However, there is no information saved inside the radacct table. I was
expecting to see the session time of a connected user and find out a way to
count the traffic a user has been utilising.

But why is the table empty?

I install StrongSwan like this, I don't specifically compile it with
*./configure --enable-eap-radius*

Instead, I install it like this, is that ok?

add-apt-repository ppa:freeradius/stable-3.0 -y
apt-get install -y language-pack-en strongswan strongswan-ikev2
libstrongswan-standard-plugins strongswan-libcharon libcharon-extra-plugins
freeradius freeradius-utils freeradius-mysql


*# vim /etc/strongswan.conf*

charon {
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}

include strongswan.d/*.conf


*# vim /etc/strongswan.d/charon/eap-radius.conf*

servers {
  server-a {
    accounting = yes
    secret = ${CLIENT_SECRET}
    address = 127.0.0.1
    auth_port = 1812
    acct_port = 1813
  }
}


*# vim /etc/ipsec.conf*

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
  esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=@${VPNHOST}
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=${VPNIPPOOL}
  rightsendcert=never


Merry Christmas and thank you,
Houman


[strongSwan] How to use sqlcounter to disconnect a user after reaching the daily quota?

2017-12-25 Thread Houman
Hello & Merry Christmas.


I have managed to enable accounting after all and it seems that the module
sqlcounter is loaded too.

Looking at the documentation here
<https://freeradius.org/radiusd/man/rlm_counter.txt>

The rlm_counter module provides a general framework to measure
total data transferred in a given period. This is very useful in a
'Prepaid Service' situation, where a user has paid for a finite
amount of usage and should not be allowed to use more than that
service.

This is perfect as I need exactly that.

It seems I have to change count_attribute to data usage in order to measure
the usage instead of time.

Nonetheless, I'm very confused how I'm supposed to utilise this module.

I can see the module is loaded when I run it as freeradius -X.

But how do I set it up to allow each user only 3 GB of data usage within a
month?
Or even for testing purposes 100KB on daily basis?
When the month or day has passed, then the user should be allowed access
again.

Which config file do I have to edit?

Many Thanks for your advice,
Houman
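As an added illustration for this question and the accounting one above (not FreeRADIUS or rlm_sqlcounter code, and not a configuration for that module), here is the arithmetic such a counter performs over the radacct table: sum a user's traffic and session time since the start of the current daily or monthly period and compare it with the quota. The table, its rows, the evaluation time and the reading of 3 GB as decimal gigabytes are constructed assumptions.

```python
"""Per-user accounting arithmetic behind a data quota, run against a
constructed in-memory radacct table with the FreeRADIUS column names.  Added
example, not FreeRADIUS or rlm_sqlcounter code: it shows what a counter has to
compute (usage since the start of the current period), not how to configure
the module."""
import sqlite3
from datetime import datetime

GB = 10**9  # assumption: the 3 GB in the question read as decimal gigabytes
KB = 10**3
NOW = datetime(2017, 12, 25, 12, 0, 0)  # constructed evaluation time


def make_db():
    """radacct rows as eap-radius accounting would leave them, one per
    finished session (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE radacct (
        username TEXT, acctstarttime TEXT, acctsessiontime INTEGER,
        acctinputoctets INTEGER, acctoutputoctets INTEGER)""")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", [
        ("houman", "2017-11-28 10:00:00", 7200, 2 * GB, 2 * GB),  # previous month
        ("houman", "2017-12-01 08:00:00", 3600, 400_000_000, 1_900_000_000),
        ("houman", "2017-12-20 21:30:00", 1800, 150_000_000, 900_000_000),
        ("alice", "2017-12-25 09:00:00", 600, 10 * KB, 60 * KB),  # today
    ])
    return conn


def period_start(now, reset):
    """Start of the current counting window ('daily' or 'monthly'); once the
    window rolls over the user is allowed in again, as the question asks."""
    if reset == "daily":
        return now.replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "monthly":
        return now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported reset: {reset}")


# Sessions are attributed wholly to the period they started in; a counter that
# must be exact also has to split sessions straddling the period boundary.
USAGE_SQL = """
    SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0),
           COALESCE(SUM(acctsessiontime), 0)
    FROM radacct
    WHERE username = ? AND acctstarttime >= ?"""


def usage(conn, user, now, reset):
    """(octets, seconds) consumed by `user` in the current period."""
    since = period_start(now, reset).strftime("%Y-%m-%d %H:%M:%S")
    return conn.execute(USAGE_SQL, (user, since)).fetchone()


def over_quota(conn, user, now, reset, limit_octets):
    """True when the user's traffic in the period has reached the limit, i.e.
    the next Access-Request should be rejected until the period resets."""
    octets, _ = usage(conn, user, now, reset)
    return octets >= limit_octets


if __name__ == "__main__":
    conn = make_db()
    for user in ("houman", "alice"):
        print(user,
              "monthly 3 GB exceeded:", over_quota(conn, user, NOW, "monthly", 3 * GB),
              "daily 100 KB exceeded:", over_quota(conn, user, NOW, "daily", 100 * KB))
```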



Re: [strongSwan] Can StrongSwan be loadbalanced?

2017-11-17 Thread Houman
Thanks Anvar,

I was very excited about the link
https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability that
you shared earlier.
Unfortunately, it doesn't do a good job of explaining how two StrongSwan
servers have to be set up to work in collaboration, in order to share the
traffic and take over if one of them fails.

Do you happen to know a step by step tutorial?  I haven't found anything on
google.

Thanks,




On Mon, Nov 13, 2017 at 4:36 PM, Anvar Kuchkartaev <an...@anvartay.com>
wrote:

> 50 and 51 there are protocol identifiers not port numbers. They are not
> tcp and not udp they are different transport layer protocols (the same
> layer resides tcp and udp). Protocol 50 is protocol ESP (Encapsulating
> Security Payload), protocol 51 is AH (Authentication Header).
> https://en.m.wikipedia.org/wiki/List_of_IP_protocol_numbers
>
> You might be interested following articles:
> http://www.linuxvirtualserver.org/software/ipvs.html
> https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> Anvar Kuchkartaev
> an...@anvartay.com
> *From: *Houman
> *Sent: *lunes, 13 de noviembre de 2017 04:19 p.m.
> *To: *users@lists.strongswan.org
> *Subject: *[strongSwan] Can StrongSwan be loadbalanced?
>
> Hello,
>
> I have made quite a bit of research on how to load balance StrongSwan,
> however, I get contradicting messages.
>
> e.g. from my understanding, StrongSwan (IKEv2) works over UDP and not
> TCP.  Hence AWS load balancer is out of the question.  But so is HAProxy !!!
>
> But I discovered that latest NGINX 1.10+ supports UDP load balancing and
> it was easy to set it up.
>
> I am currently listening to ports 500 and 4500 and it doesn't quite work.
> I have raised an issue here: https://wiki.strongswan.org/issues/2464
>
> Do I need to listen to port 50 and 51 as well?
>
> Any tips or advice for me, please?
> Many Thanks,
> Houman
>
>
>
>


Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Houman
I have changed both configs to 127.0.0.1 and restarted both StrongSwan and
FreeRadius but I got the same error message.
Then I changed them both to 0.0.0.0 and restarted both servers, and I still
get the same error message.

Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff <m...@sys4.de> wrote:

> Am 15.11.2017 um 09:58 schrieb Houman:
> > Hallo Michael,
> >
> >
> > Thanks for your reply.  Indeed I should have checked the radius log.  It
> > seems the shared secret is incorrect, but they do match in configs as
> > pasted below.
> > Where else could the secret have been used that I have missed?  Thanks
> >
> > *vim /var/log/freeradius/radius.log*
> >
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> > database "radius"
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (0), 1 of 32 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (1), 1 of 31 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (2), 1 of 30 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (3), 1 of 29 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (4), 1 of 28 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10
> spares
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> > connection (5), 1 of 27 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
> > Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> > raddb/mods-available/README.rst)
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> > Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> > always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> > Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> > Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> > of error: Received packet from 127.0.0.1 with invalid
> > Message-Authenticator!  (Shared secret is incorrect.)
> >
> >
> >
> > *vim /etc/strongswan.conf*
> >
> > charon {
> >   load_modular = yes
> >   compress = yes
> >   plugins {
> >     include strongswan.d/charon/*.conf
> >     eap-radius {
> >       servers {
> >         server-a {
> >           accounting = yes
> >           secret = 123456
> >           address = 127.0.0.1
> >           auth_port = 1812
> >           acct_port = 1813
> >         }
> >       }
> >     }
> >   }
> >   include strongswan.d/*.conf
> > }
> >
> >
> >
> > *vim /etc/freeradius/clients.conf*
> >
> > client 0.0.0.0 {
> >   secret = 123456
> >   nas_type = other
> >   shortname = 0.0.0.0
> >   require_message_authenticator = no
> > }
> >
> >
> >
> > On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de>
> wrote:
> >
> >> Am 15.11.2017 um 08:24 schrieb Houman:
> >>> Hi,
> >>>
> >>> I'm new to the concept of EAP and might be misunderstanding something.
> >>> Apologies up front.
> >>>
> >>> I have finally been able to install FreeRadius and enable the SQL
> module.
> >>> I have created a user in the database and was hoping to establish a VPN
> >>> connection via that user.
> >>>
> >>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> >>> ('houman','Cleartext-Password',':=','test123');
> >>>
> >>>
> >>> When I try to connect from my MacBook into the StrongSwan server I get
> >> this
> >>> log. It looks promising but eventually, it says initiating EAP_RADIUS
> >>> method failed.
> >>>
> >>> I'm not quite sure if this has failed due to a bad configuration on my
> side
> >> or
> >>> it is for other reasons that I don't quite understand how EAP should
> >> work.
> >>> Please be so kind and advise,
> >>> Thanks,

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Houman
Hello Michael,


Thanks for your reply.  Indeed, I should have checked the RADIUS log.  It
seems the shared secret is incorrect, but they do match in the configs as
pasted below.
Where else could the secret have been used that I have missed?  Thanks

*vim /var/log/freeradius/radius.log*

Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
database "radius"
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (0), 1 of 32 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (1), 1 of 31 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (2), 1 of 30 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (3), 1 of 29 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (4), 1 of 28 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
connection (5), 1 of 27 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
raddb/mods-available/README.rst)
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
of error: Received packet from 127.0.0.1 with invalid
Message-Authenticator!  (Shared secret is incorrect.)



*vim /etc/strongswan.conf*

charon {
  load_modular = yes
  compress = yes
 plugins {
include strongswan.d/charon/*.conf
   eap-radius {
servers {
server-a {
accounting = yes
secret = 123456
address = 127.0.0.1
auth_port = 1812
acct_port = 1813
}
}
}
}
include strongswan.d/*.conf
}



*vim /etc/freeradius/clients.conf*

client 0.0.0.0 {
secret  = 123456
nas_type= other
shortname   = 0.0.0.0
require_message_authenticator = no
}



On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:

> Am 15.11.2017 um 08:24 schrieb Houman:
> > Hi,
> >
> > I'm new to the concept of EAP and might be misunderstanding something.
> > Apologies up front.
> >
> > I have finally been able to install FreeRadius and enable the SQL module.
> > I have created a user in the database and was hoping to establish a VPN
> > connection via that user.
> >
> > INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> > ('houman','Cleartext-Password',':=','test123');
> >
> >
> > When I try to connect from my MacBook into the StrongSwan server I get
> this
> > log. It looks promising but eventually, it says initiating EAP_RADIUS
> > method failed.
> >
> > I'm not quite sure if this has failed due to a bad configuration on my side
> or
> > it is for other reasons that I don't quite understand how EAP should
> work.
> >
> > Please be so kind and advise,
> > Thanks,
> > Houman
> >
> >
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> > 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
> request 0
> > [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
> initiating
> > an IKE_SA
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
> > sending keep alives
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> > response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
> ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
> > 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
> > 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type
> (25)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1
> [
> > IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr 

[strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-14 Thread Houman
Hi,

I'm new to the concept of EAP and might be misunderstanding something.
Apologies up front.

I have finally been able to install FreeRadius and enable the SQL module.
I have created a user in the database and was hoping to establish a VPN
connection via that user.

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
('houman','Cleartext-Password',':=','test123');


When I try to connect from my MacBook into the StrongSwan server I get this
log. It looks promising but eventually, it says initiating EAP_RADIUS
method failed.

I'm not quite sure if this has failed due to a bad configuration on my side or
it is for other reasons that I don't quite understand how EAP should work.

Please be so kind and advise,
Thanks,
Houman


Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating
an IKE_SA
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
sending keep alives
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
'roadwarrior'
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
method (id 0x00)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com'
(myself) with RSA signature successful
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=
vpn2.t.com"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
length of 3334 bytes into 7 fragments
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(1/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(2/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(3/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(4/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(5/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(6/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
1 [ EF(7/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]
sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
Access-Request (timeout: 3.9s)
Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS
Access-Request (timeout: 5.5s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2,
already processing
Nov 15 07:13:35 ip-17
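The FreeRADIUS message in the reply above, "invalid Message-Authenticator! (Shared secret is incorrect.)", and the silent RADIUS retransmits in the original post are two views of the same check. The following is an added example, not code from the thread, from strongSwan or from FreeRADIUS: it rebuilds the Message-Authenticator computation of RFC 2869 (HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute value zeroed during the computation) so that one can see why a secret mismatch between the NAS and the server produces a dropped request rather than an Access-Reject. The packet contents, user name and secrets are constructed sample values.

```python
"""RADIUS Message-Authenticator check (RFC 2869, section 5.14).

Added example, not part of the mailing-list thread or of strongSwan/FreeRADIUS.
A server that validates Message-Authenticator recomputes the HMAC with its own
copy of the shared secret; if the NAS used a different secret the values never
match and the packet is dropped without a response, which the NAS only sees
as retransmits. All packet contents below are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def find_message_authenticator(packet: bytes):
    """Return the offset of the 16-byte Message-Authenticator value, or None.

    Walks the attribute list that follows the 20-byte RADIUS header and
    refuses malformed attributes (length < 2 would loop forever).
    """
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None


def build_access_request(secret: bytes, username: str, ident: int = 1) -> bytes:
    """Build an Access-Request carrying User-Name and a valid Message-Authenticator.

    This mirrors what a NAS such as strongSwan's eap-radius plugin sends: the
    HMAC is computed over the packet with the attribute value set to zeros,
    then written into place.
    """
    authenticator = os.urandom(16)  # Request Authenticator (RFC 2865)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_MESSAGE_AUTHENTICATOR, bytes(16)
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    offset = find_message_authenticator(bytes(packet))
    packet[offset:offset + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the server's secret and compare in constant time.

    Returns False for a missing attribute, a truncated packet, or a secret
    that differs from the one the sender used.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    offset = find_message_authenticator(packet)
    if offset is None:
        return False
    received = packet[offset:offset + 16]
    zeroed = bytearray(packet)
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed secrets: the NAS and server agree in the first case only.
    pkt = build_access_request(b"123456", "houman")
    print("same secret on both sides:", verify_message_authenticator(pkt, b"123456"))
    print("server has a different secret:", verify_message_authenticator(pkt, b"654321"))
```

The check that matters operationally is the second print: with mismatched secrets the server cannot tell a misconfigured NAS from a forged packet, so it drops the request and logs locally only, and the NAS times out and retransmits exactly as the charon log in the original post shows.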

[strongSwan] Can StrongSwan be loadbalanced?

2017-11-13 Thread Houman
Hello,

I have done quite a bit of research on how to load balance StrongSwan;
however, I get contradicting messages.

E.g., from my understanding, StrongSwan (IKEv2) works over UDP and not TCP.
Hence the AWS load balancer is out of the question.  But so is HAProxy!!!

But I discovered that latest NGINX 1.10+ supports UDP load balancing and it
was easy to set it up.

I am currently listening on ports 500 and 4500 and it doesn't quite work. I
have raised an issue here: https://wiki.strongswan.org/issues/2464

Do I need to listen to port 50 and 51 as well?

Any tips or advice for me, please?
Many Thanks,
Houman