[strongSwan] What is the correct subnet for rightsourceip?
Hello,

I have seen many examples using subnet /24. However, that's only 254 IP addresses, meaning only 254 could connect to the VPN at a time.

    rightsourceip=10.10.10.0/24, fdf3:5237:bf63::/64

Is there any harm if I choose subnet /22 to increase it to 1022 IPs?

    rightsourceip=10.10.10.0/22, fdf3:5237:bf63::/64

Many thanks,
Houman
Re: [strongSwan] How to get StrongSwan work with IPv6?
Hello Noel,

Good call. I have tried it with *tcpdump icmp6*:

12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:33.015768 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:33.015853 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:37.230773 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:37.230832 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:37.231091 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:37.231276 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:37.244840 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63401, length 179
12:51:41.217794 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:41.399465 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:41.399497 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:41.399515 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:41.399526 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:41.399536 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:41.399555 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:42.267324 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:48.624243 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:48.624270 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60718, length 153

This is strange because the firewall should be ok:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [4571:533993]
:OUTPUT ACCEPT [3620:1295287]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT

IPv6 doesn't need NAT. So what is unreachable here?

Thanks,
Houman

On Sun, 14 Nov 2021 at 23:26, Noel Kuntze wrote:
> Hello Houman,
>
> Looks like it's time for tcpdump, wireshark, ... .
> Collect traffic dumps as shown on the wiki[1] to figure out what replies the peer gets and what is forwarded.
>
> Also, verify your testing method and client configuration, specifically iptables/ip6tables if it's Linux.
>
> Kind regards
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
>
> On 12.11.21 at 08:26, Houman wrote:
> > Good morning,
> >
> > I have disabled forceencaps and enabled IPv6. I can establish a VPN connection via IPv6. But no traffic goes through. IPv4 connection is working.
> > I'm sharing my config below. I would really appreciate it if somebody could h
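Added example, not part of the thread: a Python triage helper that parses tcpdump's ICMPv6 "unreachable port" lines in the format printed above and summarizes which host rejected which datagrams. In that format, the address and port after the reason are the destination of the datagram that was rejected, so a line whose sender equals that address means the host itself had no UDP listener on that port. The set of local addresses is an input; the sample lines are a subset of the capture above.

```python
import re
from collections import Counter

# One tcpdump line for an ICMPv6 "destination unreachable, unreachable port"
# message: <ts> IP6 <sender> > <receiver>: ICMP6, ..., <orig_dst> udp port <port>, length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<sender>\S+) > (?P<receiver>\S+): "
    r"ICMP6, destination unreachable, unreachable port, "
    r"(?P<orig_dst>\S+) udp port (?P<orig_port>\d+), length (?P<length>\d+)$"
)

# Subset of the capture posted in this thread (constructed sample input).
SAMPLE = """\
12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:33.015768 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:33.015853 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
"""


def parse_unreachables(text):
    """Return one dict per matching line; other ICMPv6 types and noise are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["orig_port"] = int(rec["orig_port"])
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def summarize(records, local_addrs):
    """Group the rejects so the pattern is visible at a glance.

    self_rejected: a local address reported that a datagram sent *to that same
    address* found no UDP listener, i.e. the reply reached this host but no
    socket (or forwarding/NAT state) was there to take it.
    other: rejects involving a non-local sender or a different original destination.
    retried_ports: original ports that were rejected more than once, which shows
    the peer retransmitting to the same port.
    """
    local_addrs = set(local_addrs)
    summary = {"total": len(records), "self_rejected": 0, "other": 0,
               "peers": set(), "ports": Counter()}
    for r in records:
        summary["peers"].add(r["receiver"])
        summary["ports"][r["orig_port"]] += 1
        if r["sender"] in local_addrs and r["orig_dst"] == r["sender"]:
            summary["self_rejected"] += 1
        else:
            summary["other"] += 1
    summary["retried_ports"] = sorted(p for p, n in summary["ports"].items() if n > 1)
    return summary


if __name__ == "__main__":
    s = summarize(parse_unreachables(SAMPLE), {"2a01:4f8:c17:1f2d::1"})
    print(f"{s['self_rejected']}/{s['total']} rejects were this host refusing "
          f"datagrams to its own address from {sorted(s['peers'])}; "
          f"ports retried: {s['retried_ports']}")
```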
[strongSwan] How to get StrongSwan work with IPv6?
gswan-starter*

● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
   Main PID: 905 (starter)
      Tasks: 18 (limit: 2276)
     Memory: 11.3M
        CPU: 685ms
     CGroup: /system.slice/strongswan-starter.service
             ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
             └─918 /usr/libexec/ipsec/charon

Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms

*ip6tables-save*

*filter
:INPUT DROP [0:0]
:FORWARD DROP [176:15578]
:OUTPUT ACCEPT [2539:673098]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT
# Completed on Fri Nov 12 07:18:59 2021
# Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
*nat
:PREROUTING ACCEPT [848:78316]
:INPUT ACCEPT [12:2456]
:OUTPUT ACCEPT [17:1616]
:POSTROUTING ACCEPT [677:61898]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
COMMIT

*ip route show table all*

default via 172.31.1.1 dev eth0
172.31.1.1 dev eth0 scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
::1 dev lo proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:::/80 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 onlink pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d::: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium

*ip address*

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
       valid_lft 82750sec preferred_lft 82750sec
    inet6 2a01:4f8:c17:1f2d:::/80 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
       valid_lft forever preferred_lft forever

Please let me know if you need anything else. Much appreciated.

Thank you,
Houman
[strongSwan] Latest Android doesn't compile
Hello Tobias,

The latest Android Frontend is no longer compiling after your latest changes. I'm using boringSSL instead of openssl as recommended.

[arm64-v8a] StaticLibrary : libcrypto_static.a
[arm64-v8a] SharedLibrary : libstrongswan.so
fcntl(): Bad file descriptor
ld: error: relocation R_AARCH64_PREL64 cannot be used against symbol OPENSSL_armcap_P; recompile with -fPIC
>>> defined in /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a(sha1-armv8.o)
>>> referenced by sha1-armv8.o:(.text+0x1240) in archive /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a
ld: error: relocation R_AARCH64_PREL64 cannot be used against symbol OPENSSL_armcap_P; recompile with -fPIC
>>> defined in /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a(sha1-armv8.o)
>>> referenced by sha256-armv8.o:(.text+0xF48) in archive /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a
ld: error: relocation R_AARCH64_PREL64 cannot be used against symbol OPENSSL_armcap_P; recompile with -fPIC
>>> defined in /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a(sha1-armv8.o)
>>> referenced by sha512-armv8.o:(.text+0x10C8) in archive /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libcrypto_static.a
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [/Users/houmie/Library/Android/sdk/ndk/22.0.6917172/build/core/build-binary.mk:728: /Users/houmie/Projects/strongswan/src/frontends/android/app/src/main/obj/local/arm64-v8a/libstrongswan.so] Error 1
make: *** Waiting for unfinished jobs
[x86] SharedLibrary : libstrongswan.so
fcntl(): Bad file descriptor
[armeabi-v7a] SharedLibrary : libstrongswan.so
fcntl(): Bad file descriptor
fcntl(): Bad file descriptor
[x86_64] Compile: crypto_static <= p256-64.c

> Task :app:buildNative FAILED

Any suggestions, please?

Many Thanks,
Houman
Re: [strongSwan] StrongSwan for Android
Hi Tobias,

Thank you so much. I got it working. I needed only this last step:

git clone git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static openssl

to execute from src/frontends/android/app/src/main/jni/

Superb!

Kind Regards,
Houman

On Thu, 29 Oct 2020 at 07:39, Tobias Brunner wrote:
> Hi Houman,
>
> Please follow the instructions on [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientBuild
[strongSwan] StrongSwan for Android
Hi Tobias,

I really hope you can help me with this. I'm trying to build the Android client:
https://github.com/strongswan/strongswan/tree/master/src/frontends/android

I have successfully compiled StrongSwan on my Mac as requested in README.ndk (first paragraph). I also have the NDK successfully installed in Android Studio, but it fails when I try to run it in the Android simulator with the following error message:

Execution failed for task ':app:buildNative'.
> Process 'command '/Users/houmie/Library/Android/sdk/ndk/21.3.6528147/ndk-build'' finished with non-zero exit value 2

Is this because I need to copy the BoringSSL sources into app/src/main/jni/openssl as explained in the second paragraph of the README.ndk? But where is this path? I don't see it in the StrongSwan directory hierarchy.

Many Thanks,
Houman
Re: [strongSwan] DH group ECP_256 unacceptable, requesting ECP_256
Hi Tobias,

I came across the same issue that someone else had raised with you 10 months ago. Unfortunately it seems he was right about the bug.
https://wiki.strongswan.org/issues/3290

This is what I'm getting:

Oct 16 07:36:48 de-fsn-x charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.0, Linux 5.4.0-1028-aws, x86_64)
Oct 16 07:36:48 de-fsn-x charon: 00[KNL] unable to create IPv4 routing table rule
Oct 16 07:36:48 de-fsn-x charon: 00[KNL] unable to create IPv6 routing table rule
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/ipsec.d/cacerts/chain.pem'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 16 07:36:48 de-fsn-x ipsec[1855]: /usr/libexec/ipsec/charon: symbol lookup error: /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: undefined symbol: mp_read_unsigned_bin
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 16 07:36:48 de-fsn-x ipsec[506]: charon has died -- restart scheduled (5sec)
Oct 16 07:36:48 de-fsn-x ipsec[506]: charon refused to be started
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'

This is how I compiled everything:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl/
./autogen.sh
./configure --disable-crypttests --disable-examples --enable-keygen --enable-rsapss --enable-aesccm --enable-aesctr --enable-des3 --enable-camellia --enable-curve25519 --enable-ed25519 --enable-curve448 --enable-ed448 --enable-sha3 --enable-shake256
make
make check
make install
mv /usr/local/lib/libwolfssl.* /usr/lib/
cd ..
wget https://download.strongswan.org/strongswan-5.9.0.tar.bz2
tar xjvf strongswan-5.9.0.tar.bz2
cd strongswan-5.9.0
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-radius --enable-eap-identity --enable-systemd --enable-swanctl --enable-gcm --enable-aesni --enable-wolfssl
make install

Thank you,
Houman

On Thu, 15 Oct 2020 at 19:31, Houman wrote:
> Hello Tobias,
>
> Thank you for your reply. Excellent, now I understand.
>
> If I compile WolfSSL into /usr/local/lib and then compile StrongSwan with --enable-wolfssl, will StrongSwan automatically pick up the latest WolfSSL lib like that? Or do I need to set a path as well?
>
> Many Thanks,
> Houman
>
> On Thu, 15 Oct 2020 at 16:53, Tobias Brunner wrote:
>> Hi,
>>
>> > Is that another plugin that I need to compile?
>>
>> Yes, you need one of the third-party crypto plugins (openssl, wolfssl, botan). See [1] for the list of all algorithms and the plugins that provide them.
>>
>> Regards,
>> Tobias
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
Re: [strongSwan] DH group ECP_256 unacceptable, requesting ECP_256
Hello Tobias,

Thank you for your reply. Excellent, now I understand.

If I compile WolfSSL into /usr/local/lib and then compile StrongSwan with --enable-wolfssl, will StrongSwan automatically pick up the latest WolfSSL lib like that? Or do I need to set a path as well?

Many Thanks,
Houman

On Thu, 15 Oct 2020 at 16:53, Tobias Brunner wrote:
> Hi,
>
> > Is that another plugin that I need to compile?
>
> Yes, you need one of the third-party crypto plugins (openssl, wolfssl, botan). See [1] for the list of all algorithms and the plugins that provide them.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
[strongSwan] DH group ECP_256 unacceptable, requesting ECP_256
Hey guys,

I figured out my issue this morning. I needed to compile StrongSwan with --enable-gcm. Now I can use AES256GCM. Pretty sweet.

When I try to use diffieHellmanGroup = group19 on iOS though, I get the following error message on the server:

Oct 15 15:17:03 de-fsn-x charon: 15[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 15 15:17:03 de-fsn-x charon: 15[IKE] DH group ECP_256 unacceptable, requesting ECP_256

Is that another plugin that I need to compile? Why is that DH group unacceptable?

Many Thanks,
Houman
[strongSwan] How to allow AES256GCM and diffieHellmanGroup 19
Hello,

(Sorry about the previous message without a subject line)

I would like to change the encryption to support the following on iOS:

ikev2.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
ikev2.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.childSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.childSecurityAssociationParameters.diffieHellmanGroup = .group19

This is how the server is set up:

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn ${SERVERNAME}
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=${DNS1},${DNS2}
    rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
    leftfirewall=no

But I can't connect. What do I have to change to make this possible, please?

Thanks,
Houman
[strongSwan] (no subject)
Hello,

I would like to change the encryption to support the following on iOS:

ikev2.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
ikev2.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
ikev2.childSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.childSecurityAssociationParameters.diffieHellmanGroup = .group19

This is how the server is set up:

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn ${SERVERNAME}
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=${DNS1},${DNS2}
    rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
    leftfirewall=no

But I can't connect. What do I have to change to make this possible, please?

Thanks,
Houman
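The same iOS settings and server configuration appear in this message and in its resend above. As an added example (not the author's code and not strongSwan's), this Python snippet parses ike=/esp= values in ipsec.conf proposal syntax and checks whether a client's requested algorithms are covered by any proposal. When a proposal lists no prf, the PRF is taken from each integrity algorithm, as strongSwan does. The mapping from the NEVPNIKEv2 parameter names to strongSwan keywords, and the assumption that with an AEAD cipher the iOS integrity setting selects the PRF (no separate integrity algorithm is negotiated for AEAD in IKEv2), are mine.

```python
import re

# Keyword classes in ipsec.conf proposal strings (assumed sufficient for the values on this page).
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc", "aescmac"}
DH_RE = re.compile(r"^(modp|ecp|curve|x25519|x448)")
AEAD_RE = re.compile(r"gcm|ccm|chacha20poly1305")

# Assumed mapping of the iOS parameter names used in the thread to strongSwan keywords;
# group numbers are the IANA IKEv2 DH group numbers, GCM is the 16-byte-ICV variant.
IOS_ENC = {".algorithmAES128": "aes128", ".algorithmAES256": "aes256",
           ".algorithmAES128GCM": "aes128gcm16", ".algorithmAES256GCM": "aes256gcm16"}
IOS_INTEG = {".SHA96": "sha1", ".SHA256": "sha256", ".SHA384": "sha384", ".SHA512": "sha512"}
IOS_DH = {".group2": "modp1024", ".group5": "modp1536", ".group14": "modp2048",
          ".group15": "modp3072", ".group16": "modp4096", ".group19": "ecp256",
          ".group20": "ecp384", ".group21": "ecp521", ".group31": "curve25519"}


def parse_proposals(value):
    """Parse an ike=/esp= value: proposals separated by ',', algorithms by '-',
    trailing '!' = strict (no built-in default proposals appended).
    Returns ([{"enc", "integ", "prf", "dh"} as sets], strict)."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = []
    for prop in value.split(","):
        prop = prop.strip()
        if not prop:
            continue
        p = {"enc": set(), "integ": set(), "prf": set(), "dh": set()}
        for alg in prop.split("-"):
            if alg.startswith("prf"):
                p["prf"].add(alg)
            elif DH_RE.match(alg):
                p["dh"].add(alg)
            elif alg in INTEGRITY:
                p["integ"].add(alg)
            else:
                p["enc"].add(alg)
        proposals.append(p)
    return proposals, strict


def is_aead(enc):
    return bool(AEAD_RE.search(enc))


def ike_prfs(p):
    """PRFs an IKE proposal offers: explicit prf* keywords, otherwise one derived
    from each integrity algorithm (e.g. sha256 -> prfsha256)."""
    return set(p["prf"]) if p["prf"] else {"prf" + i for i in p["integ"]}


def ike_match(value, enc, prf, dh):
    """Index of the first IKE proposal covering (enc, prf, dh), or None."""
    proposals, _ = parse_proposals(value)
    for i, p in enumerate(proposals):
        if enc in p["enc"] and prf in ike_prfs(p) and dh in p["dh"]:
            return i
    return None


def esp_match(value, enc, integ, dh):
    """Index of the first ESP proposal covering the child SA request, or None.
    integ is ignored for AEAD ciphers. Simplified DH rule: dh=None (no PFS
    requested) only matches proposals that list no DH group."""
    proposals, _ = parse_proposals(value)
    for i, p in enumerate(proposals):
        if enc not in p["enc"]:
            continue
        if not is_aead(enc) and integ not in p["integ"]:
            continue
        if dh is None:
            if p["dh"]:
                continue
        elif dh not in p["dh"]:
            continue
        return i
    return None


def ios_ike_triple(enc, integ, dh):
    """iOS IKE SA settings -> (enc, prf, dh); the integrity setting names the PRF."""
    return IOS_ENC[enc], "prf" + IOS_INTEG[integ], IOS_DH[dh]


def ios_child_triple(enc, integ, dh):
    """iOS child SA settings -> (enc, integ, dh) for the ESP check."""
    return IOS_ENC[enc], IOS_INTEG[integ], IOS_DH[dh]


IKE = ("aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,"
       "aes256-sha256-ecp521-ecp256-modp4096-modp2048!")
ESP = ("aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,"
       "aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!")

if __name__ == "__main__":
    ike = ios_ike_triple(".algorithmAES256GCM", ".SHA384", ".group19")
    child = ios_child_triple(".algorithmAES256GCM", ".SHA384", ".group19")
    print("IKE", ike, "->", ike_match(IKE, *ike))       # None: no prfsha384 in any proposal
    print("ESP", child, "->", esp_match(ESP, *child))   # 0
```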
[strongSwan] What compilation flag is needed for systemctl?
Hello,

Today I have compiled the latest StrongSwan 5.9 with the following flags:

./configure --prefix=/usr --sysconfdir=/etc --enable-eap-radius

Everything goes smoothly, but it seems I don't have any services installed.

systemctl restart ipsec

ends up with

Unit ipsec.service could not be found.

Did I have to use the flag --enable-systemd when compiling? And would everything then be in the right place? I'm on Ubuntu 20.04.

Any other advice along the way is much appreciated.

Thank you,
Houman
[strongSwan] Can I obfuscate StrongSwan (IKEv2)?
Hello,

Our VPN was recently blocked in the UAE by one of their major ISP providers. The connection is established but no traffic goes through. I'm unsure how they have achieved this, but potentially they run DPI on their network and block our packets.

I was hoping to see if there is something I could do to obfuscate it to remain anonymous? For example there is the XOR patch for OpenVPN: https://github.com/clayface/openvpn_xorpatch. Although not perfect, it helps a bit.

Is there something like that for StrongSwan where I could patch StrongSwan from source and compile it (and cross my fingers)? :-)

Many Thanks,
Houman
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Tobias,

Thanks again for your help. I have changed *forceencaps* to *no* in /etc/ipsec.conf, saved and rebooted. I still get the same errors. Although the "faking NAT situation to enforce UDP encapsulation" is not showing anymore. Is this now something else?

Jul 7 00:28:58 de-fsn-6 charon: 12[ENC] generating INFORMATIONAL response 24 [ ]
Jul 7 00:28:58 de-fsn-6 charon: 12[NET] sending packet: from 144.76.11x.xxx[4500] to 2.50.157.xxx[4500] (80 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 11[NET] received packet: from 2001:8f8:xxx:xxx:504c:4f39:258e:8191[4500] to 2a01:4f8:192:::2[4500] (144 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT, sending keep alives
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI cf20af06
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI 0b13a954
Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] generating INFORMATIONAL response 11 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 de-fsn-6 charon: 11[NET] sending packet: from 2a01:4f8:xxx:732c::2[4500] to 2001:8f8:xxx:53d3:504c:4f39:xxx:8191[4500] (128 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 01[KNL] creating acquire job for policy 128.116.xxx.3/32[tcp/https] === 10.10.18.xxx/32[tcp/56633] with reqid {2595}
Jul 7 00:28:59 de-fsn-6 charon: 01[CFG] trap not found, unable to acquire reqid 2595
Jul 7 00:29:00 de-fsn-6 charon: 06[NET] received packet: from 2001:8f8:1163::504c:4f39:258e:8191[4500] to 2a01:4f8:xxx:::2[4500] (144 bytes)
Jul 7 00:29:00 de-fsn-6 charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:29:00 de-fsn-6 charon: 06[IKE] received retransmit of request with ID 11, retransmitting response
Jul 7 00:29:00 de-fsn-6 charon: 06[NET] sending packet: from 2a01:4f8:192:::2[4500] to 2001:8f8:1163:53d3:504c::258e:8191[4500] (128 bytes)
Jul 7 00:29:01 de-fsn-6 charon: 15[IKE] retransmit 5 of request with message ID 0

It is very strange that the same configuration works with StrongSwan 5.7.2 but 5.8.2 throws these errors. Something must have changed that I'm missing, I think.

If you see no other possibility, I suppose I have no other choice than disabling IPv6 by setting *use_ipv6 = no* in */etc/strongswan.d/charon/socket-default.conf*

I was hoping not to do it, as some ISPs might only support IPv6 and by doing that I might cause new problems. What do you think? Maybe I should live with that error. After all, it happens only 5 times a day. What is the most sensible thing to do?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 11:12, Tobias Brunner wrote:
> Hi Houman,
>
> > I could disable *forceencaps=no* but having it enabled helps overcoming restrictive firewalls. So maybe it's better for my users if I disabled IPv6 instead. Do you agree?
> > Or is forcing it not such a big deal after all?
>
> Depends on the clients. Many will be behind a NAT anyway, others (e.g. our Android client) will also force UDP encapsulation. Only for unnatted clients behind restrictive firewalls that can't force it themselves, will forcing it on the server make a difference.
>
> > What is strange is that I thought I had disabled ipv6, like this:
> > ...
> > net.ipv6.conf.all.disable_ipv6 = 1
> > net.ipv6.conf.default.disable_ipv6 = 1
>
> I don't think that affects interfaces that are already up, so you might have to explicitly set it for the specific interface too.
>
> > Where do I disable it then?
>
> You may disable charon.plugins.socket-default.use_ipv6 so the plugin won't open an IPv6 socket.
>
> Regards,
> Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Tobias,

Thank you so much for the detailed explanation. You brought up some interesting points.

I could disable *forceencaps=no* but having it enabled helps overcoming restrictive firewalls. So maybe it's better for my users if I disabled IPv6 instead. Do you agree?
Or is forcing it not such a big deal after all?

What is strange is that I thought I had disabled ipv6, like this:

*/etc/sysctl.conf*
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Where do I disable it then?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 10:08, Tobias Brunner wrote:
> Hi Houman,
>
> > We have two types of servers. Same users are doing ok on servers with StrongSwan 5.7.2 on kernel 5.3.0-53-generic.
> >
> > But on the servers with StrongSwan 5.8.2 with kernel 5.4.0-39-generic, the issue arises. (Not for all users, but quite a few)
>
> I had a closer look at the log and now saw what the problem is. It has nothing to do with the strongSwan or kernel version.
>
> The problem is that the client moves from an IPv4 address to an IPv6 address and you apparently have UDP-encapsulation forced (see the "faking NAT situation to enforce UDP encapsulation"). However, the Linux kernel currently does not support UDP encapsulation for IPv6 (the upcoming 5.8 kernel will be the first one with support for it), so you get that error when the daemon tries to replace the IPv4 SA with an IPv6 SA that has UDP encapsulation enabled. Try without forcing UDP encapsulation (or disable IPv6 in the socket-default plugin if you don't want clients to use it).
>
> Regards,
> Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Tobias,

We have two types of servers. Same users are doing ok on servers with StrongSwan 5.7.2 on kernel 5.3.0-53-generic.

But on the servers with StrongSwan 5.8.2 with kernel *5.4.0-39-generic*, the issue arises. (Not for all users, but quite a few)

> increase the log level for knl to 2 to see which operation failed

May you please elaborate a bit more how to change the log level for knl? In which config do I do that?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 09:20, Tobias Brunner wrote:
> Hi,
>
> > I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic (Ubuntu 20.04).
> > I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu 19.10).
>
> In the same situation (i.e. if a client's IP address changes)? Or just in general? Can you replicate this error?
>
> > received netlink error: Invalid argument (22)
>
> As the error indicates, this is returned by the kernel if it doesn't like the provided data. Either when querying the existing SA or when replacing it with updated IP addresses (increase the log level for knl to 2 to see which operation failed). Also, what kernel version are you using?
>
> Regards,
> Tobias
[strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hello,

I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic (Ubuntu 20.04).
I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu 19.10).

received netlink error: Invalid argument (22)

Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] authentication of 'de-fsn-6.VPN.net' (myself) with RSA signature successful
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] sending end entity cert "CN=de-fsn-6.VPN.net"
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] splitting IKE message (2928 bytes) into 3 fragments
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (612 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] received packet: from 39.33.54.xxx[4500] to 144.76.113.xxx[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] parsed INFORMATIONAL request 409 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] generating INFORMATIONAL response 409 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] sending packet: from 144.76.113.xxx[4500] to 39.33.54.xxx[4500] (128 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] received packet: from :8f8:112d:ed31:2474:a82d:88cc:544[4500] to :4f7:192:732c::2[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] remote host is not behind NAT anymore
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] faking NAT situation to enforce UDP encapsulation
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI c8a1394b
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI 0b956c9a
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] generating INFORMATIONAL response 12 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] sending packet: from :4f7:192:732c::2[4500] to :8f8:112d:ed31:2474:a82d:88cc:544[4500] (128 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 13[KNL] creating acquire job for policy xxx.111.251.62/32[tcp/https] === 10.10.34.25/32[tcp/51510] with reqid {31606}
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 13[CFG] trap not found, unable to acquire reqid 31606
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[NET] received packet: from :8f8:112d:ed31:2474:a82d:88cc:544[4500] to :4f7:192:732c::2[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[IKE] received retransmit of request with ID 12, retransmitting response

*/etc/ipsec.conf*

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn Falkenstein-6
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@de-fsn-6.VPN.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
    leftfirewall=no

Any idea what this could be?

Many Thanks,
Houman
Re: [strongSwan] Is there an official docker image for StrongSwan?
Hi Andreas,

Thank you, that's very helpful.

On Sun, 28 Jun 2020 at 17:29, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Houman,
>
> I created a strongSwan 5.8.4 image a couple of months ago for
> a tutorial so it builds only a limited number of plugins:
>
> https://hub.docker.com/repository/docker/strongx509/strongswan
>
> I hope this helps
>
> Andreas
>
> On 28.06.20 17:58, Houman wrote:
> > Hello,
> >
> > I'm new to Docker and was wondering where I could find the official
> > StrongSwan docker image?
> > There isn't any official version on docker hub and most of the
> > community stuff is fairly outdated. If there isn't any, what is the
> > best way to make my own?
> >
> > Thank you for advice,
> > Houman
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
[strongSwan] Is there an official docker image for StrongSwan?
Hello,

I'm new to Docker and was wondering where I could find the official StrongSwan docker image? There isn't any official version on docker hub and most of the community stuff is fairly outdated. If there isn't any, what is the best way to make my own?

Thank you for your advice,
Houman
[strongSwan] Strongswan systemctl missing in 5.8.2?
Hello,

This worked fine in StrongSwan 5.7.2 on Ubuntu 19.10, but Strongswan 5.8.2 on Ubuntu 20.04 seems to be missing it:

systemctl status strongswan
Unit strongswan.service could not be found.

What am I missing please?

Thanks,
Houman
[strongSwan] Seeking a consultant to help me blocking netscan use via StrongSwan
Hello,

One of my StrongSwan users is using my VPN to scan network ports via netscan. I have deployed StrongSwan with a server provider called Hetzner and they don't like it at all. So I need to find a way to block port scanning. Unless there is a better solution via StrongSwan, iptables may be the only choice.

Please get in touch with me if you have the experience and can help out.

Many Thanks,
Houman
[strongSwan] Where are the logs on StrongSwan Ubuntu 19.10?
Hello,

I have tested the latest StrongSwan on Ubuntu 19.10. I don't seem to be able to connect, but neither can I see any entries in /var/log/syslog. Could it be that the default log output has moved to somewhere else?

In my deployment script, I have set this:

mkdir /etc/systemd/system/strongswan.service.d
echo "[Service]
StandardOutput=null
" > /etc/systemd/system/strongswan.service.d/override.conf

Many Thanks,
Houman
[strongSwan] Is there a sources.list for latest StrongSwan?
Hello,

I'm using StrongSwan on Ubuntu 18.04 LTS. The packaged StrongSwan version is still 5.6.2 and has now fallen quite behind.

FreeRadius offers a seamless way to install the latest version on Ubuntu:

echo 'deb http://packages.networkradius.com/releases/ubuntu-bionic bionic main' >> /etc/apt/sources.list
apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
apt update
apt full-upgrade -y

Is there something similar for StrongSwan, where I could seamlessly upgrade it to the latest version? Or is the only way to download and compile the binary?

Many Thanks,
Houman
Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?
Hi Tobias,

That's great news. You are right, I can see those entries in sys logs. But there is still a strange issue. At 12:09:27 despite the initial disconnect request and acknowledgement, StrongSwan doesn't disconnect the user.

Oct 15 12:09:27 stag-1 charon: 05[CFG] reassigning offline lease to 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP :54c4::1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] CHILD_SA stag-1{26} established with SPIs c8a04ba5_i 041b28de_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32 xxx:54c4:4c90:1::301/128
Oct 15 12:09:27 stag-1 charon: 05[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:27 stag-1 charon: 05[NET] sending packet: from 172.31.X.X[4500] to 5.78.X.X[4500] (352 bytes)

10 seconds later (because of the Acct-Interim-Interval) a second disconnect request is sent.

post-auth {
    update reply {
        Acct-Interim-Interval = 10
    }
}

Oct 15 12:09:37 stag-1 charon: 16[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 07[IKE] deleting IKE_SA stag-1[35] between 172.31.xx.xx[stag-1.xxx.com]…5.78.xxx.xx[stag-1.xxx.com]
Oct 15 12:09:37 stag-1 charon: 07[IKE] sending DELETE for IKE_SA stag-1[35]
Oct 15 12:09:37 stag-1 charon: 07[ENC] generating INFORMATIONAL request 0 [ D ]
Oct 15 12:09:37 stag-1 charon: 07[NET] sending packet: from 172.31.xx.xx[4500] to 5.78.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 16[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[NET] received packet: from 5.78.xx.xx[4500] to 172.31.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 06[ENC] parsed INFORMATIONAL response 0 [ ]
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 06[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:37 stag-1 charon: 06[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease fdd2:54c4:4c90:1::301 by 'houman' went offline
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease 10.10.10.1 by 'houman' went offline

Only this time it actually works and the user is disconnected. Why isn't it working the first time around?

Many Thanks,
Houman

On Tue, 15 Oct 2019 at 15:34, Tobias Brunner wrote:
> Hi Houman,
>
> > What attributes *should* be in the Disconnect-Request beside User-Name?
>
> None, that's fine. If you receive a NAK that means no IKE_SA was found
> with a matching remote identity. You should see something like this in
> the strongSwan log:
>
> > received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
> > no IKE_SA matches houman, sending Disconnect-NAK
>
> Regards,
> Tobias
Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?
Hello Tobias,

Thank you for your help on this. I have managed to utilise the eap-radius plugin to listen to disconnect messages from Freeradius. I get strange reporting in the logs. It seems that StrongSwan rejects the initial disconnect message with a NAK.

(4) Sent Disconnect-Request Id 11 from 0.0.0.0:42481 to 127.0.0.1:3799 length 28
(4)   User-Name = "houman"
(4) Sent Accounting-Response Id 178 from 127.0.0.1:1813 to 127.0.0.1:51530 length 0
(4) Finished request
(4) Cleaning up request packet ID 178 with timestamp +6
Waking up in 2.1 seconds.
(4) Clearing existing : attributes
(4) Received Disconnect-NAK Id 11 from 127.0.0.1:3799 to 127.0.0.1:42481 length 20

What attributes *should* be in the Disconnect-Request beside User-Name? Is there anything else I need to avoid getting a NAK from StrongSwan?

Many Thanks,
Houman

On Tue, 10 Sep 2019 at 12:02, Tobias Brunner wrote:
> Hi Houman,
>
> > Do you think that is possible to do via FreeRadius?
>
> See [1].
>
> > Just to be
> > clear there is always a 1:1 relationship between IKE_SA and a user at a
> > time, correct?
>
> Probably, that is, if you don't allow multiple IKE_SAs per user identity.
>
> > If I end an IKE_SA, I won't be kicking several users by
> > mistake?
>
> Not if you do so by unique ID (by name wouldn't be a good idea because
> all IKE_SAs by roadwarriors will share the name of the connection).
>
> > So in other words what
> > I'm trying to achieve is possible with Vici right?
>
> Yes.
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension
Re: [strongSwan] How to block Netstat attacks from VPN users?
Hello Noel,

I just tried the suggested solution below and sadly it blocks the entire VPN.

iptables -I FORWARD 2 -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD 2 -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD 2 -d 10.0.0.0/8 -j REJECT

Unless I have inserted the rules at the wrong spot, it doesn't look good. See below, please:

# Generated by iptables-save v1.6.1 on Mon Oct 14 18:33:31 2019
*mangle
:PREROUTING ACCEPT [54716:20906174]
:INPUT ACCEPT [26852:4628015]
:FORWARD ACCEPT [27829:16271441]
:OUTPUT ACCEPT [25477:18649644]
:POSTROUTING ACCEPT [52098:34734180]
-A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Mon Oct 14 18:33:31 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:33:31 2019
*nat
:PREROUTING ACCEPT [1575:110530]
:INPUT ACCEPT [28:8296]
:OUTPUT ACCEPT [429:29655]
:POSTROUTING ACCEPT [429:29655]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 18:33:31 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:33:31 2019
*filter
:INPUT DROP [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [102:15526]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -j DROP
-A FORWARD -d 10.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 172.16.0.0/12 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT

If this doesn't work I have to fall back to your initial solution:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

With the following outcome:

# Generated by iptables-save v1.6.1 on Mon Oct 14 18:40:26 2019
*filter
:INPUT DROP [192413:18329342]
:FORWARD DROP [340475:90672719]
:OUTPUT ACCEPT [425183776:485173348374]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
-A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Mon Oct 14 18:40:26 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:40:26 2019
*nat
:PREROUTING ACCEPT [133256521:12349660945]
:INPUT ACCEPT [805996:248685578]
:OUTPUT ACCEPT [151185:15397949]
:POSTROUTING ACCEPT [151185:15397949]
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 18:40:26 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 18:40:26 2019
*mangle
:PREROUTING ACCEPT [47285409804:29854894928171]
:INPUT ACCEPT [16114043471:4661974048771]
:FORWARD ACCEPT [31166444886:25192112917092]
:OUTPUT ACCEPT [20092152323:23622919704514]
:POSTROUTING ACCEPT [51247881050:48812187889401]
-A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Mon Oct 14 18:40:26 2019

The latter doesn't stop the VPN, but I won't know whether it really prevents someone from running netscan until someone tries a new attempt again. :)

What do you think?

Many Thanks,
Houman

On Mon, 14 Oct 2019 at 17:05, Noel Kuntze wrote:
> Hello Houman,
>
> Depends on what exactly you're doing on your server. It's not possible to
> give you a generalized answer.
> You shouldn't script with iptables though. Use iptables-save and -restore
> (save prints out a serialised form of your loaded iptables rules, restore
> loads data in said form).
>
> Kind regards
>
> Noel
>
> On 14.10.19 at 14:30, Houman wrote:
> > Hello Noel,
> >
> > It's a bare-metal server that I'm renting (it's not a virtual server) so
> > I assume that it should be in its own private subnet. I have tried to
> > follow up with them, but their support doesn't communicate very well in
> > English. All I could gather is the following:
> >
> > 1) Based on the ROOT SERVER SERVICE AGREEMENT, the scanning of foreign
> > networks or foreign IP addresses
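An added example, not from the thread and not Noel's or Houman's code: a POSIX shell script that prints a filter table in iptables-restore format (the loading method Noel recommends) with the FORWARD chain ordered so that traffic heading into the IPsec tunnels is accepted before the RFC1918 REJECT rules, which is what the first ruleset above gets wrong: the client pool 10.10.10.0/24 lies inside 10.0.0.0/8, so the REJECT rules also catch the replies forwarded back to the clients and the whole VPN stops. A second function checks that order in any iptables-save output. The pool and interface name are assumptions, and the rate limit is written as --hashlimit-above with DROP, because a --hashlimit-upto ACCEPT rule followed by an unconditional policy ACCEPT (as in the "latter" ruleset) still accepts the excess connections.

```shell
#!/bin/sh
# Constructed example: emit a filter table for iptables-restore in which the
# IPsec-policy ACCEPT precedes the RFC1918 REJECT rules, and check that order.
# Assumptions: the rightsourceip pool and the Internet-facing interface below.
VPN_POOL="${VPN_POOL:-10.10.10.0/24}"
INET_IFACE="${INET_IFACE:-eth0}"

# Print the ruleset to stdout; nothing is loaded here. Apply with:
#   vpn_forward_rules | iptables-restore --test   (syntax check only)
#   vpn_forward_rules | iptables-restore
vpn_forward_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
# 1. no client-to-client traffic inside the pool
-A FORWARD -s $VPN_POOL -d $VPN_POOL -j DROP
# 2. traffic heading INTO the tunnels (replies to clients) is accepted here.
#    It must precede the REJECT rules: the pool lies inside 10.0.0.0/8, and the
#    inner packet is routed out $INET_IFACE before ESP encapsulation, so
#    "-o $INET_IFACE" alone would not exempt it.
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
# 3. traffic OUT of the tunnels: refuse RFC1918 destinations leaving the
#    Internet-facing interface (what the hosting provider asked for)
-A FORWARD -o $INET_IFACE -d 10.0.0.0/8 -j REJECT
-A FORWARD -o $INET_IFACE -d 172.16.0.0/12 -j REJECT
-A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT
# 4. rate-limit NEW flows per client address; the excess is dropped BEFORE
#    the general accept, otherwise the limit has no effect
-A FORWARD -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 5/s --hashlimit-burst 5 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save style ruleset on stdin. Exit 0 when every FORWARD
# REJECT toward RFC1918 space comes after a FORWARD "--dir out --pol ipsec"
# ACCEPT, exit 1 otherwise (the ordering that blocked the VPN in the thread).
check_rule_order() {
    awk '
        /^-A FORWARD .*-m policy --dir out --pol ipsec -j ACCEPT/ { if (!seen) seen = NR }
        /^-A FORWARD .*-d (10\.0\.0\.0\/8|172\.16\.0\.0\/12|192\.168\.0\.0\/16) .*-j REJECT/ {
            if (!seen) bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

Run `iptables-save | check_rule_order` on a live host to confirm the REJECT rules have not slipped in front of the policy ACCEPT after an edit.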
Re: [strongSwan] How to block Netstat attacks from VPN users?
Hello Noel,

It's a bare-metal server that I'm renting (it's not a virtual server) so I assume that it should be in its own private subnet. I have tried to follow up with them, but their support doesn't communicate very well in English. All I could gather is the following:

1) Based on the ROOT SERVER SERVICE AGREEMENT, the scanning of foreign networks or foreign IP addresses is not permitted.
2) These RFC1918 networks are not reachable via my external interface (Then why is it a problem? I don't understand them)

I did some further research. It seems it is better to apply the REJECT rule only on the interface that is connected to the Internet. Otherwise, I could be blocking LAN or VPN peer-to-peer communications.

export INET_IFACE=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
iptables -A FORWARD -o $INET_IFACE -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT

Do you agree with this? Or is it rather unnecessary for a StrongSwan server?

Thanks,
Houman

On Mon, 14 Oct 2019 at 14:00, Noel Kuntze wrote:
> Hello Houman,
>
> You can do that. I wonder though why that is a problem. Are they providing
> a private subnet on the link of your server?
>
> Kind regards
>
> Noel
>
> On 14.10.19 at 12:03, Houman wrote:
> > Hi Noel,
> >
> > That makes sense, thank you.
> >
> > I received a followup email from our server provider (about a new
> > netscan attempt from one of our users today).
> >
> > """
> > We would recommend that you set up a local firewall and block outgoing
> > traffic to the following prefixes
> > https://tools.ietf.org/html/rfc1918
> > > 10.0.0.0/8
> > > 172.16.0.0/12
> > > 192.168.0.0/16
> > Please block this range of RFC1918 on your server.
> > We would like to avoid further network abuse from your end.
> > """
> >
> > Is this as simple as
> >
> > iptables -A FORWARD -d 10.0.0.0/8 -j REJECT
> > iptables -A FORWARD -d 172.16.0.0/12 -j REJECT
> > iptables -A FORWARD -d 192.168.0.0/16 -j REJECT
> >
> > Or am I oversimplifying this?
> >
> > Many Thanks,
> > Houman
> >
> > On Mon, 14 Oct 2019 at 13:02, Noel Kuntze wrote:
> >
> > Hello Houman,
> >
> > Depends on if you have a whitelist or blacklist rule set.
> >
> > With the ruleset you have provided in this email, you need to accept
> > the stuff you want. So up to 5 new connections per second.
> >
> > Kind regards
> >
> > Noel
> >
> > On 14.10.19 at 10:40, Houman wrote:
> > > Hi Noel,
> > >
> > > Actually based on my firewall config, I think I have to DROP it
> > > instead of ACCEPT if it's over the 5/sec limit? Don't you agree?
> > >
> > > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 5/s -j DROP
> > >
> > > So I replace *hashlimit-upto* with *hashlimit-above* following
> > > with a DROP.
> > >
> > > This is my current firewall settings based on your previous
> > > suggestion. If Iptables is clever enough to DROP the connection
> > > if hashlimit-upto is exceeded, it should work as well.
> > >
> > > # iptables-save
> > > *filter
> > > :INPUT DROP [6374:460035]
> > > :FORWARD DROP [7119:2071794]
> > > :OUTPUT ACCEPT [19665335:23255290771]
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > > -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN -j ACCEPT
> > > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > COMMIT
> > > # Completed on Mon Oct 14 08:30:14 2019
> > > # Genera
Re: [strongSwan] How to block Netstat attacks from VPN users?
Hi Noel,

That makes sense, thank you.

I received a followup email from our server provider (about a new netscan attempt from one of our users today).

"""
We would recommend that you set up a local firewall and block outgoing traffic to the following prefixes
https://tools.ietf.org/html/rfc1918
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
Please block this range of RFC1918 on your server.
We would like to avoid further network abuse from your end.
"""

Is this as simple as

iptables -A FORWARD -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -d 192.168.0.0/16 -j REJECT

Or am I oversimplifying this?

Many Thanks,
Houman

On Mon, 14 Oct 2019 at 13:02, Noel Kuntze wrote:
> Hello Houman,
>
> Depends on if you have a whitelist or blacklist rule set.
>
> With the ruleset you have provided in this email, you need to accept the
> stuff you want. So up to 5 new connections per second.
>
> Kind regards
>
> Noel
>
> On 14.10.19 at 10:40, Houman wrote:
> > Hi Noel,
> >
> > Actually based on my firewall config, I think I have to DROP it instead
> > of ACCEPT if it's over the 5/sec limit? Don't you agree?
> >
> > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 5/s -j DROP
> >
> > So I replace *hashlimit-upto* with *hashlimit-above* following with a
> > DROP.
> >
> > This is my current firewall settings based on your previous suggestion.
> > If Iptables is clever enough to DROP the connection if hashlimit-upto is
> > exceeded, it should work as well.
> >
> > # iptables-save
> > *filter
> > :INPUT DROP [6374:460035]
> > :FORWARD DROP [7119:2071794]
> > :OUTPUT ACCEPT [19665335:23255290771]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN -j ACCEPT
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Mon Oct 14 08:30:14 2019
> > # Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
> > *nat
> > :PREROUTING ACCEPT [222978690:20761159044]
> > :INPUT ACCEPT [1143238:398065963]
> > :OUTPUT ACCEPT [245876:24207759]
> > :POSTROUTING ACCEPT [245876:24207759]
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> > COMMIT
> > # Completed on Mon Oct 14 08:30:14 2019
> > # Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
> > *mangle
> > :PREROUTING ACCEPT [76920955633:50815277695359]
> > :INPUT ACCEPT [27612054762:8305407205459]
> > :FORWARD ACCEPT [49298861266:42508240159831]
> > :OUTPUT ACCEPT [34323442858:39692165780388]
> > :POSTROUTING ACCEPT [83603096494:82195502934979]
> > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> > COMMIT
> >
> > On Mon, 14 Oct 2019 at 11:14, Houman <hou...@gmail.com> wrote:
> >
> > Hello Noel,
> >
> > Thanks for your solution, I just tried it:
> >
> > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
> >
> > But I got this error message:
> >
> > iptables v1.6.1: hashlimit: option "--hashlimit-name" must be specified
> >
> > I googled and added the missing name like this:
> >
> > iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
> >
> > Do you agree with this approach to prevent VPN users from
> > running Netscans?
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Wed, 31 Jul 2019 at 14:51, Noel Kuntze wrote:
> >
> >
Re: [strongSwan] How to block Netstat attacks from VPN users?
Hi Noel,

Actually based on my firewall config, I think I have to DROP it instead of ACCEPT if it's over the 5/sec limit? Don't you agree?

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 5/s -j DROP

So I replace *hashlimit-upto* with *hashlimit-above* followed by a DROP.

These are my current firewall settings based on your previous suggestion. If iptables is clever enough to DROP the connection if hashlimit-upto is exceeded, it should work as well.

# iptables-save
*filter
:INPUT DROP [6374:460035]
:FORWARD DROP [7119:2071794]
:OUTPUT ACCEPT [19665335:23255290771]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
-A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name NETSCAN -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Mon Oct 14 08:30:14 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
*nat
:PREROUTING ACCEPT [222978690:20761159044]
:INPUT ACCEPT [1143238:398065963]
:OUTPUT ACCEPT [245876:24207759]
:POSTROUTING ACCEPT [245876:24207759]
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 08:30:14 2019
# Generated by iptables-save v1.6.1 on Mon Oct 14 08:30:14 2019
*mangle
:PREROUTING ACCEPT [76920955633:50815277695359]
:INPUT ACCEPT [27612054762:8305407205459]
:FORWARD ACCEPT [49298861266:42508240159831]
:OUTPUT ACCEPT [34323442858:39692165780388]
:POSTROUTING ACCEPT [83603096494:82195502934979]
-A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

On Mon, 14 Oct 2019 at 11:14, Houman wrote:
> Hello Noel,
>
> Thanks for your solution, I just tried it:
>
> iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>
> But I got this error message:
>
> iptables v1.6.1: hashlimit: option "--hashlimit-name" must be specified
>
> I googled and added the missing name like this:
>
> iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>
> Do you agree with this approach to prevent VPN users from running Netscans?
>
> Many Thanks,
> Houman
>
>
> On Wed, 31 Jul 2019 at 14:51, Noel Kuntze wrote:
>
>> Hello Houman,
>>
>> A "netscan" attack isn't actually anything worthy of an abuse email.
>> It's not part of a benign usage pattern of a VPN service, but it itself
>> isn't illegal or anything.
>> You can only slow down such scans by rate limiting the number of new
>> connections using the hashlimit match module, for example.
>>
>> E.g. -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>>
>> Kind regards
>>
>> Noel
>>
>> On 30.07.19 at 16:39, Houman wrote:
>> > Sorry I mistyped. I meant Netscan.
>> >
>> > The abuse message was saying: *NetscanOutLevel: Netscan detected from xx.xx.xx.xx*
>> >
>> > This is possible though, that VPN users run a netscan and scan the
>> > ports. Am I correct?
>> >
>> > Thanks,
>> >
>> > On Tue, 30 Jul 2019 at 15:30, Thor Simon <thor.si...@twosigma.com> wrote:
>> >
>> > I don't think netstat does what you think it does. It is a _local_
>> > tool. Perhaps the "abuse notification" you received is a phishing attack?
>> >
>> > Have a look at the manual page:
>> >
>> > http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>> >
>> >
>> > From: Houman <hou...@gmail.com>
>> > Sent: Jul 30, 2019 10:18 AM
>> > To: users@lists.strongswan.org
>> > Subject: [strongSwan] How to block Netstat attacks from VPN users?
>> >
>> > Hello,
>> >
>> > I had an interesting abuse notification that someone has run a
>> > netstat through our VPN.
>
Re: [strongSwan] How to block Netstat attacks from VPN users?
Hello Noel,

Thanks for your solution, I just tried it:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

But I got this error message:

iptables v1.6.1: hashlimit: option "--hashlimit-name" must be specified

I googled and added the missing name like this:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

Do you agree with this approach to prevent VPN users from running Netscans?

Many Thanks,
Houman

On Wed, 31 Jul 2019 at 14:51, Noel Kuntze wrote:
> Hello Houman,
>
> A "netscan" attack isn't actually anything worthy of an abuse email.
> It's not part of a benign usage pattern of a VPN service, but it itself
> isn't illegal or anything.
> You can only slow down such scans by rate limiting the number of new
> connections using the hashlimit match module, for example.
>
> E.g. -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>
> Kind regards
>
> Noel
>
> On 30.07.19 at 16:39, Houman wrote:
> > Sorry I mistyped. I meant Netscan.
> >
> > The abuse message was saying: *NetscanOutLevel: Netscan detected from xx.xx.xx.xx*
> >
> > This is possible though, that VPN users run a netscan and scan the
> > ports. Am I correct?
> >
> > Thanks,
> >
> > On Tue, 30 Jul 2019 at 15:30, Thor Simon <thor.si...@twosigma.com> wrote:
> >
> > I don't think netstat does what you think it does. It is a _local_
> > tool. Perhaps the "abuse notification" you received is a phishing attack?
> >
> > Have a look at the manual page:
> >
> > http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
> >
> >
> > From: Houman <hou...@gmail.com>
> > Sent: Jul 30, 2019 10:18 AM
> > To: users@lists.strongswan.org
> > Subject: [strongSwan] How to block Netstat attacks from VPN users?
> >
> > Hello,
> >
> > I had an interesting abuse notification that someone has run a
> > netstat through our VPN.
> >
> > > time                      protocol  src_ip           src_port     dest_ip       dest_port
> > > ---
> > > Tue Jul 30 13:38:01 2019  UDP       136.243.xxx.xxx  21346     => 172.20.10.17  21346
> > > Tue Jul 30 13:38:01 2019  UDP       136.243.xxx.xxx  21346     => 172.20.10.19  21346
> >
> > I was wondering if there is a good way to block all VPN users from
> > running hacker tools such as netstat (port scanning) altogether. Is there
> > a reliable way to do that with iptables?
> >
> > I came across this snippet that should block port scans, but I'm not
> > sure if that would block a VPN user after all since the VPN traffic is
> > masqueraded.
> >
> > iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
> > iptables -A port-scan -j DROP --log-level 6
> > iptables -A specific-rule-set -p tcp --syn -j syn-flood
> > iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
> >
> > Any suggestions, please?
> > Many Thanks,
> > Houman
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
Re: [strongSwan] How to block torrent traffic in StrongSwan?
Hello Volodymyr,

Thank you for your email. I think DPI goes a step too far for privacy reasons. But I'm happy to go down the route of blocking well-known trackers. Is there a way to obtain the list from somewhere?

Many Thanks,
Houman

On Sun, 29 Sep 2019 at 16:35, Volodymyr Litovka wrote:
> Hello, Houman,
>
> to be able to find and block torrent traffic, you need to implement DPI
> (Deep Packet Inspection) on your gateway and even this does not
> guarantee success, because modern torrent clients like uTorrent
> implement very sophisticated mimicry mechanisms and, from my experience,
> are very successful in passing DPIs, firewalls etc.
>
> Using iptables you can try to block well-known trackers, but this
> approach will require constant updating.
>
> On 29.09.2019 12:17, Houman wrote:
> > Hello,
> >
> > I would like to block VPN users from using torrents. I'm not sure if
> > this is something that can be done in StrongSwan settings, maybe there
> > is a way through IPTables to achieve this?
> >
> > Any advice would be appreciated,
> >
> > Many Thanks,
> > Houman
>
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
[strongSwan] How to block torrent traffic in StrongSwan?
Hello,

I would like to block VPN users from using torrents. I'm not sure if this is something that can be done in StrongSwan settings, maybe there is a way through IPTables to achieve this?

Any advice would be appreciated,

Many Thanks,
Houman
[strongSwan] How to check the health of a StrongSwan server?
Hello,

How can I check if the VPN server is healthy and can accept new connections?

I found this Ruby script https://github.com/sensu-plugins/sensu-plugins-strongswan/blob/master/bin/check-strongswan.rb which utilises 'ipsec status' to check for health. My Ruby isn't very good to make full sense of it.

When I run 'ipsec status' from the command line, all I get is the listing of each active connection. But a server can be without any active connection and still be healthy. So I can't follow the thought process.

Do you guys know of a way to check the health status of a strongswan server?

Many Thanks,
Houman
Re: [strongSwan] (Vici) How to disconnect a VPN connection on the server side?
Hello Tobias,

Thank you for your reply.

> Not directly (at least not via vici, it might be possible via RADIUS,
> depending on the RADIUS server).

This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe I should explain the use case I'm trying to achieve. I have setup a limit by monthly-usage in FreeRadius. Each user can use 10 GB and after that, any attempt to connect to the VPN server fails.

echo 'ATTRIBUTE Monthly-Usage 3001 integer64' >> /etc/freeradius/3.0/dictionary

sed -i '/authorize {/a\
update request {\
Monthly-Usage = "%{sql:SELECT COALESCE((SUM(`acctoutputoctets`)), 0) FROM radacct WHERE `username`='"'"'%{User-Name}'"'"' AND Month(acctupdatetime)=(Month(NOW())) AND Year(acctupdatetime)=Year(NOW())}"\
}\
' /etc/freeradius/3.0/sites-enabled/default

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Monthly-Usage','<',100);

This works, however, once the limit has been reached, he continues to remain connected, nothing forces him out. Only if he disconnects and tries to connect again, he would be prevented. I was thinking to check every 5 minutes to see if someone has reached the monthly usage and is still connected to kick him out. Do you think that is possible to do via FreeRadius?

> What do you mean? [1] provides an overview and has a link to the
> README.md file that describes the available commands and even contains
> simple code examples. The Python bindings are basically a wrapper that
> provides a convenient interface for these commands.

Ah my bad. I was looking at https://pypi.org/project/vici/ but I found more documentation at the github project.

> That returns the configured connections, so that's not really useful to
> you. More interesting will be the list of established IKE_SAs
> (s.list_sas). There is no option to filter by remote/user ID, so you
> have to enumerate the established SAs (list-sa documents the returned
> information) and check remote-(eap-)id yourself.

Perfect.
I think the username in Radcheck is the same as the remote-(eap-)id you mentioned. So I have to find a way to filter that within the IKE_SA and then to terminate the IKE_SA itself. Just to be clear there is always a 1:1 relationship between IKE_SA and a user at a time, correct? If I end an IKE_SA, I won't be kicking several users by mistake? It will be only the one user using that? So in other words what I'm trying to achieve is possible with Vici right? Many Thanks, Houman
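One way to do the enumerate-and-terminate step discussed in this thread with the vici Python bindings, as an added example that is not code from the thread, from strongSwan or from the vici project. The list-sas structure below is a constructed sample; the set of over-quota usernames is assumed to come from the radacct query the Monthly-Usage check already runs.

```python
"""Kick VPN users who exceeded their monthly quota by terminating their IKE_SAs.

Added example (not strongSwan or vici project code). It walks the structure
that vici's list-sas command returns, matches on remote-eap-id and then
terminates each matching IKE_SA by its unique ID.
"""

# Constructed sample in the shape vici.Session().list_sas() yields: one
# {conn_name: attributes} dict per IKE_SA, keys and values as bytes.
SAMPLE_LIST_SAS = [
    {b"Falkenstein-2": {
        b"uniqueid": b"549905", b"state": b"ESTABLISHED",
        b"remote-host": b"109.177.0.1",      # constructed public address
        b"remote-id": b"VPN",                # IKEv2 identity: same for everyone
        b"remote-eap-id": b"houman",         # RADIUS User-Name / radcheck.username
        b"child-sas": {b"Falkenstein-2": {b"state": b"INSTALLED"}}}},
    {b"Falkenstein-2": {
        b"uniqueid": b"549906", b"state": b"ESTABLISHED",
        b"remote-host": b"94.206.0.2",
        b"remote-id": b"VPN", b"remote-eap-id": b"alice",
        b"child-sas": {b"Falkenstein-2": {b"state": b"INSTALLED"}}}},
    # The same user a second time: with uniqueids=never (as in the ipsec.conf
    # posted on this list) one username may hold several IKE_SAs at once.
    {b"Falkenstein-2": {
        b"uniqueid": b"549910", b"state": b"ESTABLISHED",
        b"remote-host": b"86.97.0.3",
        b"remote-id": b"VPN", b"remote-eap-id": b"houman",
        b"child-sas": {}}},
]


def _text(value):
    """vici returns bytes on Python 3; accept str too for convenience."""
    return value.decode() if isinstance(value, bytes) else value


def over_quota_sas(list_sas_output, over_quota_users):
    """Return [(ike_id, username, remote_host)] for every IKE_SA whose EAP
    identity is in over_quota_users.

    remote-eap-id is the identity RADIUS authenticated, so it matches the
    username in radcheck; remote-id is only the generic IKE identity ('VPN'
    in the logs on this list) and cannot tell users apart.
    """
    hits = []
    for entry in list_sas_output:
        for attrs in entry.values():
            user = _text(attrs.get(b"remote-eap-id", b""))
            if user in over_quota_users:
                hits.append((_text(attrs[b"uniqueid"]), user,
                             _text(attrs.get(b"remote-host", b""))))
    return hits


def kick_over_quota(session, over_quota_users):
    """Terminate every matching IKE_SA. Returns the list of what was kicked.

    Terminating by ike-id removes exactly that IKE_SA (and the CHILD_SAs it
    carries), so other users are never affected; a user holding several
    IKE_SAs is handled because every match is terminated.
    """
    kicked = []
    for ike_id, user, host in over_quota_sas(session.list_sas(), over_quota_users):
        # vici's terminate() streams control-log events; consume the stream so
        # the request is actually sent and completed before moving on.
        for _ in session.terminate({"ike-id": ike_id, "timeout": "5000"}):
            pass
        kicked.append((ike_id, user, host))
    return kicked


if __name__ == "__main__":
    import vici  # strongSwan's Python bindings (package "vici")

    # Assumption: the over-quota set comes from the radacct query the
    # Monthly-Usage check already runs; a fixed set stands in for it here.
    for ike_id, user, host in kick_over_quota(vici.Session(), {"houman"}):
        print(f"terminated IKE_SA {ike_id} of {user} from {host}")
```

Run it from cron every few minutes with the over-quota set filled from the same SQL the Monthly-Usage attribute uses.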
[strongSwan] (Vici) How to disconnect a VPN connection on the server side?
Hello,

Is there a way to disconnect a specific strongswan user from the command line? I have found the Vici plugin, but there is no documentation whatsoever. It says check the comments in the code and it's still not clear to me.

All I could do so far was this:

import vici
s = vici.Session()
>>> s.list_conns()

I have one connection on this test server, But I need somehow to filter for a specific user, if I had more connections. Looking at the code there is a "filters" as an argument to pass in:

def list_conns(self, filters=None):
    """Retrieve loaded connections.

    :param filters: retrieve only matching configuration names (optional)
    :type filters: dict
    :return: generator for loaded connections as dict
    :rtype: generator
    """
    return self.streamed_request("list-conns", "list-conn", filters)

But I'm stuck as I don't know how to set that. There must be some kind of documentation for this right?

I suppose once I have the actual SA, I could pass it to terminate().

Many Thanks,
Houman
Re: [strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?
Hello Michael,

You brought up some very good points.

I'm currently only using the authentication in RADIUS by utilising the username/password in the Radcheck table. I also make use of Radacct table to see for how long a user was connected, from which location the connection was made and to which VPN server the user is connected. Other than that all VPN servers are the same and don't differ.

> If your VPN servers do not differ I would set up two RADIUS server (for
> redundancy) that use the one database (master / slave setup for
> redundancy).

I have found this blog post <https://thenetworkcable.wordpress.com/2014/11/28/creating-redundant-freeradius-servers-with-mysql-replication/> that explains how to run two freeradius and two mysql servers in replication. So it seems that two databases are needed after all. But you advised to just use one database with two FreeRadius in replication. Do I have to do anything specifically in the configs to make them work in replication with a single database? Or is it as simple as creating an AWS Loadbalancer that points to both freeradius servers as round-robin? And in turn all VPN servers are pointing to the same Load balancer endpoint?

I suppose nothing stops me from having two database/replication in this scenario to make it more resilient, isn't it?

Many Thanks,
Houman

On Wed, 21 Aug 2019 at 08:52, Michael Schwartzkopff wrote:

> On 21.08.19 at 08:20, Houman wrote:
> > Hello,
> >
> > I have multiple StrongSwan VPN servers setup and each of them has its own FreeRadius server. Each of the freeradius servers then points to the central database in a separate location. This works without any problem. But I wonder if this is the right approach after all.
> >
> > Maybe I should have only one FreeRadius server installed next to the database, and have each VPN server connect to the central freeradius server instead?
> >
> > As in setting *accounting = yes* and *address= [remote IP of freeradius server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.
> >
> > What is the most optimal way?
> >
> > Many Thanks,
> > Houman
>
> As always, it depends ...
>
> First of all you need to write down, what you want to achieve.
>
> Then you have to find the best solution for you. The "best" might be the most simple, the easiest to maintain, the one with the least effort in setting up, the one that has least components, the one with the least complexity or a combination of everything.
>
> What do you want to achieve? Authentication / Authorization of VPN client through a central backend database? Do you need accounting?
>
> If your VPN servers do not differ I would set up two RADIUS server (for redundancy) that use the one database (master / slave setup for redundancy).
>
> If your VPN servers differ and the outcome of your Authorization depends on the VPN server, I would set up different virtual RADIUS servers.
>
> But everything depends on your setup. Be sure you know what you want.
>
> Kind regards,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Chairman of the supervisory board: Florian Kirstein
[strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?
Hello, I have multiple StrongSwan VPN servers setup and each of them has its own FreeRadius server. Each of the freeradius servers then points to the central database in a separate location. This works without any problem. But I wonder if this is the right approach after all. Maybe I should have only one FreeRadius server installed next to the database, and have each VPN server connect to the central freeradius server instead? As in setting *accounting = yes* and *address= [remote IP of freeradius server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN. What is the most optimal way? Many Thanks, Houman
Re: [strongSwan] How to determine how many connections are currently active?
Hi Andreas,

Thank you very much. That worked nicely, much easier than I thought it would be.

The difference between INSTALLED (519) and ESTABLISHED (520) was nearly the same in my case. What is the main difference between them in this context?

Many Thanks,
Houman

On Wed, 31 Jul 2019 at 11:14, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Houman,
>
> you can get the number of active IKE SAs via
>
> swanctl --list-sas | grep ESTABLISHED | wc -l
>
> if you are using the vici interface or
>
> ipsec statusall | grep ESTABLISHED | wc -l
>
> if you are using the legacy whack interface.
>
> For the total number of active CHILD SAs replace ESTABLISHED by INSTALLED in the grep query.
>
> Best regards
>
> Andreas
>
> On 31.07.19 10:05, Houman wrote:
> > Good morning,
> >
> > What is the best way to determine how many connections are currently active on the StrongSwan server?
> >
> > Maybe there is a simpler way but I thought of one way. I'm using FreeRadius with Mysql DB as storage.
> >
> > There are three fields that capture the start (acctstarttime), ongoing (acctupdatetime) and the end (acctstoptime) of a connection.
> >
> > I could theoretically filter for all acctupdatetime that start from today and have a acctstoptime that is null. The count of these records would be the approximate number of active connections to the server.
> >
> > Is there a better way to achieve this or do you agree to this approach?
> >
> > Many Thanks,
> >
> > Houman
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
[strongSwan] How to determine how many connections are currently active?
Good morning, What is the best way to determine how many connections are currently active on the StrongSwan server? Maybe there is a simpler way but I thought of one way. I’m using FreeRadius with Mysql DB as storage. There are three fields that capture the start (acctstarttime), ongoing (acctupdatetime) and the end (acctstoptime) of a connection. I could theoretically filter for all acctupdatetime that start from today and have a acctstoptime that is null. The count of these records would be the approximate number of active connections to the server. Is there a better way to achieve this or do you agree to this approach? Many Thanks, Houman
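An added example (not code from this thread, from strongSwan, or from the sensu check-strongswan plugin mentioned in the health-check thread above) that serves both that health-check question and the active-connection count asked here: it talks to charon over the vici socket, treats the daemon as healthy whenever it answers, and counts ESTABLISHED IKE_SAs and INSTALLED CHILD_SAs the way the two grep pipelines do. The list-sas data is a constructed sample.

```python
"""Health check and active-connection count over strongSwan's vici socket.

Added example; not code from strongSwan or from the sensu check-strongswan
plugin. A server with no peers is still healthy, so health is judged by
whether charon answers on the vici socket, not by the number of SAs.
"""

# Constructed sample in the shape vici.Session().list_sas() yields (bytes on
# Python 3). The third IKE_SA carries two CHILD_SAs and the fourth is still
# negotiating: that is why 'grep ESTABLISHED' and 'grep INSTALLED' differ.
SAMPLE_LIST_SAS = [
    {b"Falkenstein-2": {b"uniqueid": b"1", b"state": b"ESTABLISHED",
                        b"child-sas": {b"Falkenstein-2": {b"state": b"INSTALLED"}}}},
    {b"Falkenstein-2": {b"uniqueid": b"2", b"state": b"ESTABLISHED",
                        b"child-sas": {b"Falkenstein-2": {b"state": b"INSTALLED"}}}},
    {b"site-to-site": {b"uniqueid": b"3", b"state": b"ESTABLISHED",
                       b"child-sas": {b"net-a": {b"state": b"INSTALLED"},
                                      b"net-b": {b"state": b"INSTALLED"}}}},
    {b"Falkenstein-2": {b"uniqueid": b"4", b"state": b"CONNECTING",
                        b"child-sas": {}}},
]


def _text(value):
    """vici returns bytes on Python 3; accept str too for convenience."""
    return value.decode() if isinstance(value, bytes) else value


def count_sas(list_sas_output):
    """Return (established IKE_SAs, installed CHILD_SAs).

    ESTABLISHED is the state of an IKE_SA (one per connected peer, the
    control channel); INSTALLED is the state of a CHILD_SA (the IPsec SAs
    that carry the traffic). A road warrior normally has exactly one of
    each, which is why the two counts are nearly equal on a pure
    road-warrior gateway; site-to-site peers or a peer in the middle of a
    rekey can hold several CHILD_SAs under one IKE_SA.
    """
    established = installed = 0
    for entry in list_sas_output:
        for attrs in entry.values():
            if attrs.get(b"state") == b"ESTABLISHED":
                established += 1
            for child in attrs.get(b"child-sas", {}).values():
                if child.get(b"state") == b"INSTALLED":
                    installed += 1
    return established, installed


def health(connect):
    """connect: zero-argument callable returning a vici session (e.g. vici.Session).

    Returns a dict whose 'ok' is False only when charon cannot be reached or
    does not answer; the counts are informational and never mark the server
    unhealthy, since an idle server is still able to accept new peers.
    """
    try:
        session = connect()
        version = session.version()       # any reply proves the daemon is alive
    except Exception as exc:              # socket missing, refused, or timed out
        return {"ok": False, "error": str(exc)}
    established, installed = count_sas(session.list_sas())
    return {
        "ok": True,
        "daemon": _text(version.get(b"daemon", b"")),
        "version": _text(version.get(b"version", b"")),
        "ike_sas": established,
        "child_sas": installed,
    }


if __name__ == "__main__":
    import sys
    import vici  # strongSwan's Python bindings (package "vici")

    status = health(vici.Session)
    print(status)
    sys.exit(0 if status["ok"] else 2)   # Nagios/sensu convention: 2 = critical
```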
Re: [strongSwan] How to block Netstat attacks from VPN users?
Sorry I mistyped. I meant Netscan. The abuse message was saying:

*NetscanOutLevel: Netscan detected from xx.xx.xx.xx*

This is possible though, that VPN users run a netscan and scan the ports. Am I correct?

Thanks,

On Tue, 30 Jul 2019 at 15:30, Thor Simon wrote:

> I don't think netstat does what you think it does. It is a _local_ tool.
> Perhaps the "abuse notification" you received is a phishing attack?
>
> Have a look at the manual page:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>
> ________
> From: Houman
> Sent: Jul 30, 2019 10:18 AM
> To: users@lists.strongswan.org
> Subject: [strongSwan] How to block Netstat attacks from VPN users?
>
> Hello,
>
> I had an interesting abuse notification that someone has run a netstat through our VPN.
>
> > time protocol src_ip src_port dest_ip dest_port
> > ---
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346
>
> I was wondering if there is a good way to block all VPN users from running hacker tools such as netstat (port scanning) altogether. Is there a reliable way to do that with iptables?
>
> I came across this snippet that should block port scans, but I'm not sure if that would block a VPN user after all since the VPN traffic is masqueraded.
>
> iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
> iptables -A port-scan -j DROP --log-level 6
> iptables -A specific-rule-set -p tcp --syn -j syn-flood
> iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
>
> Any suggestions, please?
> Many Thanks,
> Houman
[strongSwan] How to block Netstat attacks from VPN users?
Hello,

I had an interesting abuse notification that someone has run a netstat through our VPN.

> time protocol src_ip src_port dest_ip dest_port
> ---
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346

I was wondering if there is a good way to block all VPN users from running hacker tools such as netstat (port scanning) altogether. Is there a reliable way to do that with iptables?

I came across this snippet that should block port scans, but I'm not sure if that would block a VPN user after all since the VPN traffic is masqueraded.

iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP --log-level 6
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan

Any suggestions, please?

Many Thanks,
Houman
Re: [strongSwan] received netlink error: Network is unreachable
Hello Noel,

It works! I tested it for 24 hours and not a single issue anymore. Thank you very much for your help.

For the record, this is the file I have edited.

/etc/strongswan.d/charon.conf

I uncommented the line *install_routes = yes* and changed it to *install_routes = no*

Thanks,
Houman

On Thu, 18 Jul 2019 at 12:35, Noel Kuntze wrote:

> Hello Houman,
>
> I took a look at it and it seems the problem is that your default route is
>
> default via fe80::1 dev enp2s0 proto static metric 1024 pref medium
>
> fe80::1 is a link-local address, so I assume the problem is that the kernel doesn't have a clue which interface it exactly can be reached over.
>
> but that doesn't matter, because you can disable route installation anyway, because you don't need it in your use case.
> So just set charon.install_routes=no and you're fine. It will improve performance on your setup, too.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 13:24, Houman wrote:
> > Hi Noel,
> >
> > I just tried to send it to the group but the message body was larger than 100kb and it was held back.
> >
> > I hope it's ok that I'm attaching them here directly. I hope this is what you were looking for.
> >
> > Many Thanks,
> > Houman
> >
> > On Thu, 18 Jul 2019 at 10:04, Noel Kuntze wrote:
> >
> > > Hello Houman,
> > >
> > > Those are still not all the IPv4 *and IPv6* routing tables.
> > > Use `ip route show table all` for IPv4 and `ip -6 route show table all` for IPv6.
> > >
> > > Kind regards
> > >
> > > Noel
> > >
> > > On 18.07.19 at 10:29, Houman wrote:
> > > > Hello Noel.
> > > >
> > > > Sorry, it's still too early in the morning for me.
> > > >
> > > > *> netstat -rn*
> > > > Kernel IP routing table
> > > > Destination Gateway Genmask Flags MSS Window irtt Iface
> > > > 0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0 enp2s0
> > > >
> > > > *> route -n*
> > > > Kernel IP routing table
> > > > Destination Gateway Genmask Flags Metric Ref Use Iface
> > > > 0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0 enp2s0
> > > >
> > > > *> iproute*
> > > > default via 136.243.104.xxx dev enp2s0 proto static onlink
> > > >
> > > > If I have missed anything please let me know,
> > > >
> > > > Many Thanks,
> > > > Houman
> > > >
> > > > On Thu, 18 Jul 2019 at 08:07, Noel Kuntze wrote:
> > > >
> > > > > Hello Houman,
> > > > >
> > > > > Those are not *routing* tables. Those are your *iptables* rules.
> > > > >
> > > > > Kind regards
> > > > >
> > > > > Noel
> > > > >
> > > > > On 18.07.19 at 09:02, Houman wrote:
> > > > > > Hello Noel,
> > > > > >
> > > > > > You're right. It's interesting that I always get the following error right after that. "unable to install source route for %any".
> > > > > >
> > > > > > Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.
> > > > > >
> > > > > > Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04 as we had established previously.
> > > > > >
> > > > > > *IPv4*
> > > > > >
> > > > > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > > > > *filter
> > > > > > :INPUT DROP [2615693:262169077]
> > > > > > :FORWARD DROP [4655474:1206379130]
> > > > > > :OUTPUT ACCEPT [8219816926:9451426041332]
> > > > > > -A INPUT -i lo -j ACCEPT
> > > > > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > > > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > > > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > > > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > > > > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17
Re: [strongSwan] received netlink error: Network is unreachable
Hello Noel.

Sorry, it's still too early in the morning for me.

*> netstat -rn*
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0 enp2s0

*> route -n*
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0 enp2s0

*> iproute*
default via 136.243.104.xxx dev enp2s0 proto static onlink

If I have missed anything please let me know,

Many Thanks,
Houman

On Thu, 18 Jul 2019 at 08:07, Noel Kuntze wrote:

> Hello Houman,
>
> Those are not *routing* tables. Those are your *iptables* rules.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 09:02, Houman wrote:
> > Hello Noel,
> >
> > You're right. It's interesting that I always get the following error right after that. "unable to install source route for %any".
> >
> > Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.
> >
> > Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04 as we had established previously.
> >
> > *IPv4*
> >
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *filter
> > :INPUT DROP [2615693:262169077]
> > :FORWARD DROP [4655474:1206379130]
> > :OUTPUT ACCEPT [8219816926:9451426041332]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *nat
> > :PREROUTING ACCEPT [212142454:17804580572]
> > :INPUT ACCEPT [1326262:431133155]
> > :OUTPUT ACCEPT [174309:20072403]
> > :POSTROUTING ACCEPT [174309:20072403]
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *mangle
> > :PREROUTING ACCEPT [78101233478:52605889723396]
> > :INPUT ACCEPT [28473561018:8872181346525]
> > :FORWARD ACCEPT [49618124462:43732105143957]
> > :OUTPUT ACCEPT [34893259071:40508743962892]
> > :POSTROUTING ACCEPT [84492095926:84235652892511]
> > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> >
> > *and IPv6*
> >
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > *filter
> > :INPUT DROP [53380:3843262]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [54922:3965190]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Thu Jul 18 06:55:55 2019
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > *nat
> > :PREROUTING ACCEPT [16411485:1786456120]
> > :INPUT ACCEPT [2:392]
> > :OUTPUT ACCEPT [232:18788]
> > :POSTROUTING ACCEPT [232:18788]
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Jul 18 06:55:55 2019
> >
> > *and ipsec.conf*
> >
> > config setup
> >     strictcrlpolicy=yes
> >     uniqueids=never
> >
> > conn Falkenstein-2
> >     auto=add
> >     compress=no
> >     type=tunnel
Re: [strongSwan] received netlink error: Network is unreachable
Hello Noel,

You're right. It's interesting that I always get the following error right after that. "unable to install source route for %any".

Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.

Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04 as we had established previously.

*IPv4*

# Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
*filter
:INPUT DROP [2615693:262169077]
:FORWARD DROP [4655474:1206379130]
:OUTPUT ACCEPT [8219816926:9451426041332]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Thu Jul 18 06:54:18 2019
# Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
*nat
:PREROUTING ACCEPT [212142454:17804580572]
:INPUT ACCEPT [1326262:431133155]
:OUTPUT ACCEPT [174309:20072403]
:POSTROUTING ACCEPT [174309:20072403]
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 18 06:54:18 2019
# Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
*mangle
:PREROUTING ACCEPT [78101233478:52605889723396]
:INPUT ACCEPT [28473561018:8872181346525]
:FORWARD ACCEPT [49618124462:43732105143957]
:OUTPUT ACCEPT [34893259071:40508743962892]
:POSTROUTING ACCEPT [84492095926:84235652892511]
-A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Thu Jul 18 06:54:18 2019

*and IPv6*

# Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
*filter
:INPUT DROP [53380:3843262]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [54922:3965190]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Thu Jul 18 06:55:55 2019
# Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
*nat
:PREROUTING ACCEPT [16411485:1786456120]
:INPUT ACCEPT [2:392]
:OUTPUT ACCEPT [232:18788]
:POSTROUTING ACCEPT [232:18788]
-A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 18 06:55:55 2019

*and ipsec.conf*

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn Falkenstein-2
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@de-fsn-2.x.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
    leftfirewall=no

Many Thanks,
Houman

On Thu, 18 Jul 2019 at 07:42, Noel Kuntze wrote:

> Hello Houman,
>
> That happens when the main routing table (Or other tables in newer kernels) does not have any routes that allow the new route to be installed (next hop is not reachable over a local interface).
> For the exact reason, you'd need to at least provide the IPv6 routing tables.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 00:47, Houman wrote:
> > Hello,
> >
> > I'm getting this error in the syslog.
> >
> > It still connects but I keep getting this error sometimes:
> > *charon: 15[KNL] received netlink error: Network is unreachable (101)*
> >
> > Why is that?
> >
> > *Syslog:*
> >
> > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xx'
> > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xx'
> > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6
> > Jul 17 21:31:08 de-fsn-
[strongSwan] received netlink error: Network is unreachable
Hello,

I'm getting this error in the syslog.

It still connects but I keep getting this error sometimes:
*charon: 15[KNL] received netlink error: Network is unreachable (101)*

Why is that?

*Syslog:*

Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xx'
Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xx'
Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6
Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xx'
Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xx'
Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error: Network is unreachable (101)
Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source route for %any
Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA Falkenstein-2{455771} established with SPIs c6b5caac_i 0c8a8cdf_o and TS 0.0.0.0/0 ::/0 === 10.10.55.127/32 fdd2:54c4:4c90:1::307f/128
Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS Accounting-Request to server 'server-a'
Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from 109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)
Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS Accounting-Response from server 'server-a'
Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from 136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN' with EAP successful
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of ' de-fsn-2.x.net' (myself) with EAP
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA Falkenstein-2[549905] established between 136.243.xxx.xxx[de-fsn-2.x.net ]...109.177.xx.xxx[VPN]
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any
Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-x'
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP 10.10.50.102 to peer 'b05ccf72-7bad-425e-95e0-x'
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any6
Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-x'
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-x'
Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error: Network is unreachable (101)
Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source route for %any
Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA Falkenstein-2{455772} established with SPIs c23f2271_i 07d2a903_o and TS 0.0.0.0/0 ::/0 === 10.10.50.102/32 fdd2:54c4:4c90:1::2b66/128
Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS Accounting-Request to server 'server-a'
Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from 94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)
Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS Accounting-Response from server 'server-a'
Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type (25)
Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from 136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)
Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching 136.243.xxx.xxx[de-fsn-2.x.net]...94.206.xxx.xxx[VPN]
Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config 'Falkenstein-2'

Many Thanks,
Houman
Re: [strongSwan] pool '10.10.10.0/24' is full, unable to assign address
Hi Noel,

That's fantastic. You mean this setup could deal with 25,600 at a time? That would be incredible.

So if I pick CIDR: *10.10.10.0/17* that could work with *32768*. Do you think that's too much? Or should I rather go lower with *10.10.10.0/18*, which comes down to *16384*.

Many Thanks,
Houman

On Mon, 10 Jun 2019 at 10:35, Noel Kuntze wrote:

> Hello Houman,
>
> Easily. Add a couple of zeros. And you don't need that much memory.
>
> Kind regards
> Noel
>
> On 10.06.19 at 10:51, Houman wrote:
> > Hey guys,
> >
> > I'm getting the following error message in Syslog:
> >
> > *pool '10.10.10.0/24' is full, unable to assign address*
> >
> > This means I have more than 256 users at a time on the server.
> >
> > What is the ideal setting for a VPN on a server with Intel Xeon E3-1246V3 (8 CPU) with 32 Gb RAM? Are 512 users doable on this server above?
> >
> > I think *10.10.10.0/23* means 512 IPs can be allocated. Do you agree that this IP pool for strongswan makes sense?
> >
> > Many Thanks,
> > Houman
[strongSwan] pool '10.10.10.0/24' is full, unable to assign address
Hey guys,

I'm getting the following error message in Syslog:

*pool '10.10.10.0/24' is full, unable to assign address*

This means I have more than 256 users at a time on the server.

What is the ideal setting for a VPN on a server with Intel Xeon E3-1246V3 (8 CPU) with 32 Gb RAM? Are 512 users doable on this server above?

I think *10.10.10.0/23* means 512 IPs can be allocated. Do you agree that this IP pool for strongswan makes sense?

Many Thanks,
Houman
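An added example (not code from this thread or from strongSwan) that reads pool occupancy through vici's get-pools command, the same data that swanctl --list-pools prints, so the "pool is full" condition can be alerted on before the first peer is refused. The get-pools data and the firewall subnets are constructed; the range check assumes the FORWARD and MASQUERADE rules match on fixed subnets, as the rules posted elsewhere on this list do.

```python
"""Warn before a strongSwan virtual-IP pool fills up.

Added example; not strongSwan code. Reads the structure vici's get-pools
command returns (what 'swanctl --list-pools' prints) and also checks that
the whole pool range lies inside the subnet the firewall rules match on.
"""
import ipaddress

# Constructed sample in the shape vici.Session().get_pools() returns: one
# entry per pool, named after its rightsourceip value, counters as bytes.
SAMPLE_GET_POOLS = {
    b"10.10.10.0/24": {b"base": b"10.10.10.1", b"size": b"254",
                       b"online": b"250", b"offline": b"4"},
    b"10.10.20.0/24": {b"base": b"10.10.20.1", b"size": b"254",
                       b"online": b"100", b"offline": b"0"},
}


def _text(value):
    """vici returns bytes on Python 3; accept str too for convenience."""
    return value.decode() if isinstance(value, bytes) else value


def pool_status(get_pools_output, firewall_subnets, warn_free=20):
    """Return one dict per pool with the free address count and any problems.

    A lease goes 'offline' when its peer disconnects and is kept so that a
    returning peer gets the same address back (the "reassigning offline
    lease" log lines on this list); charon hands offline leases to new peers
    once no free address is left, so the usable capacity is size - online.
    """
    nets = [ipaddress.ip_network(s) for s in firewall_subnets]
    results = []
    for name, attrs in get_pools_output.items():
        size = int(_text(attrs[b"size"]))
        online = int(_text(attrs[b"online"]))
        offline = int(_text(attrs[b"offline"]))
        base = ipaddress.ip_address(_text(attrs[b"base"]))
        last = base + (size - 1)
        free = size - online
        problems = []
        if free <= 0:
            problems.append("pool full: next peer gets no address")
        elif free < warn_free:
            problems.append(f"only {free} addresses left")
        # The FORWARD/MASQUERADE rules match on a fixed subnet; a pool range
        # that spills outside it hands out addresses nothing will forward.
        covered = any(base in n and last in n
                      for n in nets if n.version == base.version)
        if not covered:
            problems.append(f"pool {base}-{last} not covered by firewall subnets")
        results.append({"pool": _text(name), "size": size, "online": online,
                        "offline": offline, "free": free, "problems": problems})
    return results


if __name__ == "__main__":
    import vici  # strongSwan's Python bindings (package "vici")

    # Assumption: the subnets the iptables FORWARD/POSTROUTING rules use.
    for pool in pool_status(vici.Session().get_pools(), ["10.10.0.0/17"]):
        print(pool)
```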
[strongSwan] VPN connection times out
address*

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether be:8d:3e:0f:9d:42 brd ff:ff:ff:ff:ff:ff
    inet 157.230.xx.xxx/20 brd 157.230.31.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.6/16 brd 10.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::bc8d:3eff:fe0f:9d42/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 7a:0e:63:78:ba:b7 brd ff:ff:ff:ff:ff:ff
    inet 10.135.41.65/16 brd 10.135.255.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::780e:63ff:fe78:bab7/64 scope link
       valid_lft forever preferred_lft forever

Please let me know if you need to see anything else,

Many Thanks,
Houman
[strongSwan] EAP_MSCHAPV2 failed for peer VPN
Hello guys,

Around three days ago, I received multiple reports from my users (all from UAE) that the VPN isn't working. Looking at the logs I can see that some users are getting this error shown in StrongSwan:

Apr 27 08:02:42 gb-lon-1 ipsec[795]: 14[IKE] RADIUS authentication of '5697324e-xxx-9273-0e0f3d1cbb28' failed
Apr 27 08:02:42 gb-lon-1 ipsec[795]: 14[IKE] EAP method EAP_MSCHAPV2 failed for peer VPN

I can connect to it without any trouble from London. Could the VPN IP have been blocked in UAE? Or has a recent security update in Ubuntu 18.04 caused a side effect? Trying to think of any reason why this could happen out of the blue.

Many Thanks,
Houman
Re: [strongSwan] Is it possible to see which IP addresses the VPN users are accessing?
Hello Noel,

Thank you for the tip. I will definitely look into RELP.

For now, I finally got it working with a JSON output for testing purposes only. I added this to the iptables:

sudo iptables -I FORWARD ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NFLOG --nflog-prefix "Web 80" --nflog-group 1

Chain INPUT (policy ACCEPT)
num  target  prot opt source    destination
1    ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
2    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:https
3    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:2022
4    ACCEPT  all  --  anywhere  anywhere
5    DROP    all  --  anywhere  anywhere  state INVALID
6    ACCEPT  udp  --  anywhere  anywhere  udp dpt:isakmp
7    ACCEPT  udp  --  anywhere  anywhere  udp dpt:ipsec-nat-t
8    DROP    all  --  anywhere  anywhere

Chain FORWARD (policy ACCEPT)
num  target  prot opt source    destination
1    NFLOG   tcp  --  anywhere  anywhere  tcp flags:FIN,SYN,RST,ACK/SYN state NEW nflog-prefix "Web 80" nflog-group 1
2    ACCEPT  all  --  ip-10-10-10-0.eu-west-2.compute.internal/24  anywhere  policy match dir in pol ipsec proto esp
3    ACCEPT  all  --  anywhere  ip-10-10-10-0.eu-west-2.compute.internal/24  policy match dir out pol ipsec proto esp
4    DROP    all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source    destination

It works nicely. BUT the source IP shows as 10.10.10.8. I was expecting to see my real IP address. What am I missing, please?

I know I can't add it to the INPUT because the VPN is masquerading. I have to put the rule against FORWARD, otherwise I get no entries in the log. So what to do?

{
  "timestamp": "2019-04-17T09:37:40.502387",
  "dvc": "My awesome Netfilter firewall",
  "raw.pktlen": 64, "raw.pktcount": 1,
  "oob.prefix": "Web 80",
  "oob.time.sec": 1555493860, "oob.time.usec": 502387,
  "oob.mark": 0, "oob.ifindex_in": 2, "oob.ifindex_out": 2, "oob.hook": 2,
  "raw.mac_len": 14, "oob.family": 2, "oob.protocol": 2048,
  "action": "allowed",
  "raw.type": 1, "raw.mac.addrlen": 6,
  "ip.protocol": 6, "ip.tos": 0, "ip.ttl": 63, "ip.totlen": 64, "ip.ihl": 5,
  "ip.csum": 44141, "ip.id": 0, "ip.fragoff": 16384,
  "src_port": 55560, "dest_port": 80,
  "tcp.seq": 1199851582, "tcp.ackseq": 0, "tcp.window": 65535,
  "tcp.offset": 0, "tcp.reserved": 0,
  "tcp.urg": 0, "tcp.ack": 0, "tcp.psh": 0, "tcp.rst": 0, "tcp.syn": 1, "tcp.fin": 0,
  "tcp.res1": 0, "tcp.res2": 3, "tcp.csum": 26423,
  "oob.in": "eth0", "oob.out": "eth0",
  "src_ip": "10.10.10.8", "dest_ip": "52.85.70.228",
  "mac.saddr.str": "xx", "mac.daddr.str": "xx", "mac.str": "xx"
}

Many Thanks,
Houman

On Tue, 16 Apr 2019 at 21:40, Noel Kuntze wrote:
> Hello Houman,
>
> I'd keep the logs as text only and stream them to a logging service via RELP (don't use syslog over TCP. It can lose messages. RELP ensures delivery by design.).
> Unless you really got a boatload of clients (> 4000) on a single system, I doubt you'll run into problems.
>
> Kind regards
>
> Noel
>
> On 16.04.19 at 22:19, Houman wrote:
> > Hello Noel,
> >
> > Thank you very much for your detailed answer. I started looking into ulogd2. Tutorials and documentation seem a bit scarce, but I'm sure I will find my way around it eventually. If you have a good recommendation please let me know.
> >
> > Do you recommend keeping ulogd2's logs locally or rather feeding them into a local LogStash? I wonder which one is faster and less resource hungry.
> >
> > Many Thanks,
> > Houman
> >
> > On Mon, 15 Apr 2019 at 19:26, Noel Kuntze wrote:
> > > Hello Houman,
> > >
> > > No, that is not a layer that strongSwan or freeradius does have access to. You need to log (and account) the user's traffic using, for example, a netflow collector or ulogd2 (which can use Linux's native conntrack
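An added example for the attribution problem in this thread; it is not code from the list, from ulogd2 or from strongSwan. The NFLOG record above carries the virtual IP (10.10.10.8) because the FORWARD chain runs before MASQUERADE in nat POSTROUTING, and that is the right key for attribution: the peer's public address only identifies the NAT the client sits behind. What ties a virtual IP to an EAP identity is charon's own log, which at its default level prints "assigning virtual IP <ip> to peer '<identity>'" when a lease is handed out and "lease <ip> by '<identity>' went offline" when it is released. The code below parses both, builds a lease timeline per address, and tags each ulogd2 JSON record with the user who held that address at that moment. The log lines are constructed samples in those formats; syslog omits the year, so it is passed in. A flow that falls between two leases is deliberately left unattributed rather than guessed.

```python
import json
import re
from datetime import datetime

# charon lease messages (constructed sample lines in the daemon's format)
ASSIGN = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
RELEASE = re.compile(r"lease (\S+) by '([^']+)' went offline")
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

CHARON_LOG = """\
Apr 17 09:30:02 vpn-1 charon: 05[IKE] assigning virtual IP 10.10.10.8 to peer 'alice'
Apr 17 09:39:50 vpn-1 charon: 09[CFG] lease 10.10.10.8 by 'alice' went offline
Apr 17 09:41:00 vpn-1 ipsec[1051]: 11[IKE] assigning virtual IP 10.10.10.8 to peer 'bob'
"""

# ulogd2 JSON records shaped like the one in the post, cut down to the keys used
ULOGD_JSON = """\
{"timestamp": "2019-04-17T09:37:40.502387", "oob.prefix": "Web 80", "src_ip": "10.10.10.8", "dest_ip": "52.85.70.228", "src_port": 55560, "dest_port": 80}
{"timestamp": "2019-04-17T09:40:20.000000", "oob.prefix": "Web 80", "src_ip": "10.10.10.8", "dest_ip": "198.51.100.7", "src_port": 40001, "dest_port": 80}
{"timestamp": "2019-04-17T09:42:05.000000", "oob.prefix": "Web 80", "src_ip": "10.10.10.8", "dest_ip": "198.51.100.7", "src_port": 40002, "dest_port": 80}
"""


def parse_leases(charon_log, year):
    """(ip, identity, start, end) per lease; end is None while still online.
    syslog timestamps carry no year, so the caller supplies it."""
    leases, online = [], {}
    for line in charon_log.splitlines():
        m_ts = SYSLOG_TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(f"{year} {m_ts.group(1)}", "%Y %b %d %H:%M:%S")
        if m := ASSIGN.search(line):
            ip, ident = m.groups()
            if ip in online:                # address reused without a release line
                prev_ident, start = online.pop(ip)
                leases.append((ip, prev_ident, start, ts))
            online[ip] = (ident, ts)
        elif m := RELEASE.search(line):
            ip, ident = m.groups()
            if ip in online and online[ip][0] == ident:
                leases.append((ip, ident, online.pop(ip)[1], ts))
    leases.extend((ip, ident, start, None) for ip, (ident, start) in online.items())
    return leases


def attribute_flows(ulogd_json, leases):
    """Tag each NFLOG record with the identity holding its src_ip at that time."""
    flows = []
    for line in filter(str.strip, ulogd_json.splitlines()):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["timestamp"])
        user = next((ident for ip, ident, start, end in leases
                     if ip == rec["src_ip"] and start <= ts and (end is None or ts < end)), None)
        flows.append({"when": rec["timestamp"], "user": user, "vip": rec["src_ip"],
                      "dst": f"{rec['dest_ip']}:{rec['dest_port']}", "tag": rec.get("oob.prefix")})
    return flows


def who_reached(ulogd_json, charon_log, dest_ip, year=2019):
    """Identities seen talking to dest_ip, e.g. the address from an abuse report."""
    flows = attribute_flows(ulogd_json, parse_leases(charon_log, year))
    return sorted({f["user"] for f in flows if f["user"] and f["dst"].startswith(dest_ip + ":")})


if __name__ == "__main__":
    for flow in attribute_flows(ULOGD_JSON, parse_leases(CHARON_LOG, 2019)):
        print(flow)
    print("reached 198.51.100.7:", who_reached(ULOGD_JSON, CHARON_LOG, "198.51.100.7"))
```

In production the two inputs are the RELP-shipped charon log and the ulogd2 JSON file; the RADIUS accounting rows (acctstartdate, acctstopdate, Framed-IP-Address) give the same lease boundaries and can be used as a cross-check when the syslog stream has gaps.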
Re: [strongSwan] Is it possible to see which IP addresses the VPN users are accessing?
Hello Noel,

Thank you very much for your detailed answer. I started looking into ulogd2. Tutorials and documentation seem a bit scarce, but I'm sure I will find my way around it eventually. If you have a good recommendation please let me know.

Do you recommend keeping ulogd2's logs locally or rather feeding them into a local LogStash? I wonder which one is faster and less resource hungry.

Many Thanks,
Houman

On Mon, 15 Apr 2019 at 19:26, Noel Kuntze wrote:
> Hello Houman,
>
> No, that is not a layer that strongSwan or freeradius does have access to. You need to log (and account) the user's traffic using, for example, a netflow collector or ulogd2 (which can use Linux's native conntrack connection tracking system) to capture the relevant data. Using ulogd2 is advised, because unless you disabled conntrack for the relevant connections, you are basically guaranteed to get all information from conntrack (unless ulogd2 can't keep up, but then you don't have enough resources, so you have another issue already).
>
> Kind regards
>
> Noel
>
> On 15.04.19 at 20:13, Houman wrote:
> > Hello,
> >
> > We got a notification from the German Federal Office for Information Security that one of our users has been using a website with malware to steal personal information and commit online-banking fraud. To cover their tracks they have been using our StrongSwan VPN.
> >
> > We have now blocked the IPs that resolve to the given website to prevent this from happening. Unfortunately, the freeRadius logs and syslog we have in place are not enough to pinpoint it to the exact culprit.
> >
> > Is there a way to run strongswan with maximum verbose logs to see which EAP-Radius user has been accessing which IP address at what time? We would like to ban users like this in future.
> >
> > From Freeradius we get to see the acctstartdate, acctupdatedate and acctstopdate but there is no way to relate this to their activities.
> >
> > Many Thanks,
> >
> > Houman
[strongSwan] Is it possible to see which IP addresses the VPN users are accessing?
Hello,

We got a notification from the German Federal Office for Information Security that one of our users has been using a website with malware to steal personal information and commit online-banking fraud. To cover their tracks they have been using our StrongSwan VPN.

We have now blocked the IPs that resolve to the given website to prevent this from happening. Unfortunately, the freeRadius logs and syslog we have in place are not enough to pinpoint it to the exact culprit.

Is there a way to run strongswan with maximum verbose logs to see which EAP-Radius user has been accessing which IP address at what time? We would like to ban users like this in future.

From Freeradius we get to see the acctstartdate, acctupdatedate and acctstopdate but there is no way to relate this to their activities.

Many Thanks,
Houman
Re: [strongSwan] Windows 10 connects to StrongSwan but IP doesn't change
Hi Filipe,

Sorry for the late reply. Below is the information you had requested. It shows 10.10.10.1 instead of 10.10.10.0. Is that the problem? What can I do?

PPP adapter vpn-1.domain.net:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vpn-1.domain.net
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Many Thanks,
Houman

On Tue, 2 Apr 2019 at 16:09, Felipe Arturo Polanco wrote:
> Hi,
>
> Do an ipconfig /all in windows and check that you have a 10.10.10.0/24 IP in the output.
>
> On Tue, Apr 2, 2019 at 6:03 AM Houman wrote:
>> Hey guys,
>>
>> I wonder if this email went through and someone has an idea why this is happening.
>>
>> Many Thanks,
>> Houman
>>
>> On Fri, 29 Mar 2019 at 17:04, Houman wrote:
>>> Hello,
>>>
>>> Please help me with this, as I'm completely stuck.
>>>
>>> Windows 10 can connect to my StrongSwan server. But the IP address doesn't change to the VPN. It still shows the local IP address. Accordingly blocked websites remain blocked.
Re: [strongSwan] Windows 10 connects to StrongSwan but IP doesn't change
Hey guys,

I wonder if this email went through and someone has an idea why this is happening.

Many Thanks,
Houman

On Fri, 29 Mar 2019 at 17:04, Houman wrote:
> Hello,
>
> Please help me with this, as I'm completely stuck.
>
> Windows 10 can connect to my StrongSwan server. But the IP address doesn't change to the VPN. It still shows the local IP address. Accordingly blocked websites remain blocked.
[strongSwan] Windows 10 connects to StrongSwan but IP doesn't change
Hello,

Please help me with this, as I'm completely stuck.

Windows 10 can connect to my StrongSwan server. But the IP address doesn't change to the VPN. It still shows the local IP address. Accordingly blocked websites remain blocked.

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-prfsha256-ecp521,aes256-sha256-ecp384
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@vpn-1.domain.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=10.10.10.0/24
    rightsendcert=never

Mar 29 16:50:45 vpn-1 charon: 08[NET] received packet: from 91.98.xxx.xxx[500] to 172.31.0.243[500] (632 bytes)
Mar 29 16:50:45 vpn-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 29 16:50:45 vpn-1 charon: 08[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 29 16:50:45 vpn-1 charon: 08[IKE] received Vid-Initial-Contact vendor ID
Mar 29 16:50:45 vpn-1 charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 29 16:50:45 vpn-1 charon: 08[IKE] 91.98.xxx.xxx is initiating an IKE_SA
Mar 29 16:50:45 vpn-1 charon: 08[IKE] local host is behind NAT, sending keep alives
Mar 29 16:50:45 vpn-1 charon: 08[IKE] remote host is behind NAT
Mar 29 16:50:45 vpn-1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 29 16:50:45 vpn-1 charon: 08[NET] sending packet: from 172.31.0.243[500] to 91.98.xxx.xxx[500] (448 bytes)
Mar 29 16:50:45 vpn-1 charon: 09[NET] received packet: from 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
Mar 29 16:50:45 vpn-1 charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Mar 29 16:50:45 vpn-1 charon: 09[ENC] received fragment #1 of 4, waiting for complete IKE message
Mar 29 16:50:45 vpn-1 charon: 10[NET] received packet: from 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
Mar 29 16:50:45 vpn-1 charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Mar 29 16:50:45 vpn-1 charon: 10[ENC] received fragment #2 of 4, waiting for complete IKE message
Mar 29 16:50:45 vpn-1 charon: 12[NET] received packet: from 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (576 bytes)
Mar 29 16:50:45 vpn-1 charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Mar 29 16:50:45 vpn-1 charon: 12[ENC] received fragment #3 of 4, waiting for complete IKE message
Mar 29 16:50:45 vpn-1 charon: 11[NET] received packet: from 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (112 bytes)
Mar 29 16:50:45 vpn-1 charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Mar 29 16:50:45 vpn-1 charon: 11[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Mar 29 16:50:45 vpn-1 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 29 16:50:45 vpn-1 charon: 11[IKE] received 57 cert requests for an unknown ca
Mar 29 16:50:45 vpn-1 charon: 11[CFG] looking for peer configs matching 172.31.0.243[%any]...91.98.xxx.xxx[192.168.1.104]
Mar 29 16:50:45 vpn-1 charon: 11[CFG] selected peer config 'roadwarrior'
Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[ENC] parsed CREATE_CHILD_SA request 15 [ SA No TSi TSr ]
Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[IKE] CHILD_SA roadwarrior{3} established with SPIs ccadd085_i d57f9f2c_o and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[ENC] generating CREATE_CHILD_SA response 15 [ SA No TSi TSr ]
Mar 29 16:50:45 vpn-1 ipsec[1051]: 05[NET] sending packet: from 172.31.0.243[4500] to 91.98.xxx.xxx[4500] (204 bytes)
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[NET] received packet: from 91.98.xxx.xxx[4500] to 172.31.0.243[4500] (76 bytes)
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[ENC] parsed INFORMATIONAL request 16 [ D ]
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] received DELETE for ESP CHILD_SA with SPI af63e684
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] closing CHILD_SA roadwarrior{2} with SPIs cf6737f5_i (104 bytes) af63e684_o (0 bytes) and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cf6737f5
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[IKE] CHILD_SA closed
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[ENC] generating INFORMATIONAL response 16 [ D ]
Mar 29 16:50:45 vpn-1 ipsec[1051]: 07[NET] sending packet: from 172.31.0.243[4500] to 91.98.xxx.xxx[4500] (76 bytes)
Mar 29 16:50:45 vpn-1 ipsec[1051]: 10[IKE] sending keep alive to 91.98.xxx.xxx[4500]
Mar 29 16:50:45 vpn-1 ipsec[1051]: 11[IKE] sending keep alive to 91.98.xxx.xxx[4500]
Mar 29 16:50:45 vpn-1 ipsec[1051]: 14[IKE] sending
[strongSwan] Health check on Strongswan?
Hello,

Is there a way to check the health of the VPN server? Is there a port I could potentially ping and expect a certain return value that indicates the VPN is still up and running?

Many Thanks,
Houman
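An added example of a health probe, not code from the list or from strongSwan: IKE on UDP 500/4500 does not answer a generic port probe with anything a monitor can score, so this asks the daemon itself through the ipsec statusall output used throughout these threads and turns it into a pass/fail with reasons. It reads the daemon version, worker-thread and job-queue state, the virtual IP pool occupancy (the "size/online/offline" line, which is exactly what went wrong in the "pool is full" thread above), the listening addresses and the SA counts. STATUSALL_OK is a constructed sample shaped like the output quoted later on this page; the 90 % pool warning threshold and the "no idle worker" rule are this example's own choices.

```python
import re
import subprocess

VERSION = re.compile(r"strongSwan ([\d.]+)")
THREADS = re.compile(r"worker threads: (\d+) of (\d+) idle, (\d+)/(\d+)/(\d+)/(\d+) working, "
                     r"job queue: (\d+)/(\d+)/(\d+)/(\d+)")
POOL = re.compile(r"^\s*(\S+): (\d+)/(\d+)/(\d+)\s*$")          # name: size/online/offline
SAS = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")

# constructed sample in the format of `ipsec statusall`
STATUSALL_OK = """\
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):
  uptime: 68 minutes, since May 12 09:55:31 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/1
Listening IP addresses:
  172.31.0.243
Connections:
  roadwarrior:  %any...%any  IKEv2, dpddelay=180s
Security Associations (0 up, 0 connecting):
  none
"""


def parse_statusall(text):
    info = {"version": None, "idle": None, "total": None, "queued": 0,
            "pools": {}, "listening": [], "sas_up": None, "sas_connecting": None}
    section = None
    for line in text.splitlines():
        if m := VERSION.search(line):
            info["version"] = m.group(1)
        if m := THREADS.search(line):
            info["idle"], info["total"] = int(m.group(1)), int(m.group(2))
            info["queued"] = sum(int(x) for x in m.groups()[6:10])
        if m := SAS.search(line):
            info["sas_up"], info["sas_connecting"] = int(m.group(1)), int(m.group(2))
        if line.startswith("Virtual IP pools"):
            section = "pools"
            continue
        if line.startswith("Listening IP addresses"):
            section = "listen"
            continue
        if line and not line[0].isspace():      # any other unindented header ends a section
            section = None
        if section == "pools" and (m := POOL.match(line)):
            name, size, online, offline = m.groups()
            info["pools"][name] = (int(size), int(online), int(offline))
        elif section == "listen" and line.strip():
            info["listening"].append(line.strip())
    return info


def assess(text, pool_warn=0.9):
    """Score a statusall dump; an empty or foreign text is unhealthy."""
    info = parse_statusall(text)
    problems = []
    if info["version"] is None:
        problems.append("charon did not answer (no status header)")
    if info["idle"] == 0:
        problems.append("all worker threads busy")
    if info["queued"] > 0:
        problems.append(f"{info['queued']} jobs queued")
    if not info["listening"]:
        problems.append("not listening on any address")
    for name, (size, online, _offline) in info["pools"].items():
        if online >= size:
            problems.append(f"pool {name} is full ({online}/{size})")
        elif online >= pool_warn * size:
            problems.append(f"pool {name} at {online}/{size}")
    return {"healthy": not problems, "problems": problems, "info": info}


def check_live(timeout=5):
    """Real use: run the daemon's status command; any failure is unhealthy."""
    try:
        out = subprocess.run(["ipsec", "statusall"], capture_output=True, text=True,
                             timeout=timeout, check=True).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return {"healthy": False, "problems": [f"ipsec statusall failed: {exc}"], "info": {}}
    return assess(out)


if __name__ == "__main__":
    print(assess(STATUSALL_OK))
```

Wire check_live() into whatever already polls the host (a cron job that pages, a Nagios/Icinga check returning the exit status) and keep the probe on the box itself: the daemon's control socket is root-only and should not be exposed for remote monitoring.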
[strongSwan] Are these StrongSwan settings optimal for iOS devices?
Hello,

I have set up a StrongSwan server on Ubuntu 18.04 and am really enjoying it. I was hoping to check with you guys to see if these settings are optimal or if it could be still improved. I only allow iOS devices to connect to this server. So I don't care that much about Windows and Android at this point. Security is important but fast handshake and speed are also a key factor. What do you think?

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@my.server.com
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=10.10.10.0/24
    rightsendcert=never

Many Thanks,
Houman
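An added linter for the ike= and esp= strings that this post and the Windows 10 thread on this page keep tuning; it is not code from the list or from strongSwan. It parses the proposal syntax (comma-separated proposals, dash-separated algorithms, a trailing "!" meaning the daemon must not append its built-in default proposals) and reports, per proposal, the things a reviewer would flag: the legacy and weak algorithms argued over in these threads (sha1, 3des, modp1024), an IKE proposal with no DH group, an AEAD cipher in IKE without an explicit prf, and an ESP proposal without a group (no PFS on rekey). Which algorithms count as "weak" versus "legacy" is this example's policy, not strongSwan's.

```python
import re

ENC = re.compile(r"^(aes\d+((gcm|ccm)\d+)?|chacha20poly1305|3des|des|blowfish\d*|camellia\d+|null)$")
INTEG = re.compile(r"^(sha1|sha256|sha384|sha512|md5|aesxcbc|aescmac)(_\d+)?$")
PRF = re.compile(r"^prf\w+$")
DH = re.compile(r"^(modp\d+|ecp\d+|curve25519|x25519|curve448|x448)$")
AEAD = re.compile(r"gcm|ccm|chacha20poly1305")

# this example's policy: 'weak' fails a review, 'legacy' is tolerated for old clients
WEAK = {"3des", "des", "md5", "null", "modp768", "modp1024", "modp1536"}
LEGACY = {"sha1"}
SEVERITY = {"weak": 3, "invalid": 2, "legacy": 1}        # everything else is informational


def lint(kind, value):
    """kind is 'ike' or 'esp'; value is the ipsec.conf string. One dict per proposal."""
    strict = value.rstrip().endswith("!")
    body = value.replace(" ", "").rstrip("!")
    results = []
    for prop in filter(None, body.split(",")):
        algs = prop.split("-")
        enc = [a for a in algs if ENC.match(a)]
        integ = [a for a in algs if INTEG.match(a)]
        dh = [a for a in algs if DH.match(a)]
        prf = [a for a in algs if PRF.match(a)]
        unknown = [a for a in algs if a not in enc + integ + dh + prf]
        findings = []
        for a in algs:
            if a in WEAK or a.startswith("blowfish"):
                findings.append(f"weak: {a}")
            elif a in LEGACY:
                findings.append(f"legacy: {a}")
        if unknown:
            findings.append(f"invalid: unrecognised {','.join(unknown)}")
        if not enc:
            findings.append("invalid: no encryption algorithm")
        if kind == "ike":
            if not dh:
                findings.append("invalid: IKE proposal needs a DH group")
            if enc and all(AEAD.search(e) for e in enc) and not prf:
                findings.append("invalid: AEAD cipher in IKE needs an explicit prf (e.g. prfsha256)")
        else:
            if not dh:
                findings.append("info: no DH group, so no PFS on CHILD_SA rekey with this proposal")
            if any(AEAD.search(e) for e in enc) and integ:
                findings.append("info: integrity algorithm is redundant next to an AEAD cipher")
        results.append({"proposal": prop, "findings": findings})
    if not strict:
        results.append({"proposal": "<defaults>",
                        "findings": ["info: no trailing '!', so the daemon also offers/accepts its built-in default proposals"]})
    return results


def verdict(kind, value):
    """Collapse lint() to ok / legacy / invalid / weak for a config gate."""
    score = max((SEVERITY.get(f.split(":")[0], 0)
                 for r in lint(kind, value) for f in r["findings"]), default=0)
    return ["ok", "legacy", "invalid", "weak"][score]


if __name__ == "__main__":
    for kind, value in [("ike", "aes256-sha256-ecp521-ecp256-modp4096-modp2048!"),
                        ("esp", "aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!"),
                        ("esp", "aes256-sha1,3des-sha1!")]:
        print(kind, verdict(kind, value), lint(kind, value))
```

Point it at the ike= and esp= lines of every conn before a deploy; the second ESP proposal in this post, for example, lints as "legacy" (sha1) and carries the note that it offers no PFS, which is precisely the trade-off the replies in the Windows 10 thread discuss.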
[strongSwan] How to improve connection loss when moving from 4G to Wifi?
Hello,

I've set up strongSwan U5.6.2/K4.15.0-43-generic on Ubuntu 18.04. It works very well. However, is there any way to improve the connection, or the loss of it, when moving from cellular 4G to WiFi / WiFi to 4G? I thought that IKEv2 could do that seamlessly?

Many Thanks,
[strongSwan] How to prevent StrongSwan VPN to be detected by Netflix?
Hi,

I have set up a StrongSwan VPN server, but when I try to watch Netflix over it, Netflix recognises that I'm using a VPN and doesn't play the movie. Is there any way to configure StrongSwan to avoid that?

I did some research that the trick lies in the DNS rather than the VPN. I'm still researching, but if someone were so kind as to advise me on this, please, I would really appreciate it.

Many Thanks,
[strongSwan] Trusted PPA for StrongSwan?
Is there any trusted source for StrongSwan on Ubuntu 18.04? I was hoping to keep up to date with the latest stable release.

Many Thanks,
[strongSwan] How to limit IKEv2 traffic per user?
Hello,

I have attempted to limit the VPN speed to 10Mbit per user. But when I do a DSL speed test with two devices simultaneously, it seems that the total traffic is limited to 10Mbit/s rather than each device having 10Mbit/s on its own.

ETH0ORSIMILAR="eth0"
SERVER_LIMIT="10mbit"

tc qdisc del dev $ETH0ORSIMILAR root
tc qdisc add dev $ETH0ORSIMILAR root handle 1: htb

iptables -I FORWARD -s 10.10.10.0/24 -j MARK --set-mark 51
iptables -I FORWARD -d 10.10.10.0/24 -j MARK --set-mark 51

tc class add dev $ETH0ORSIMILAR parent 1:1 classid 1:51 htb rate $SERVER_LIMIT ceil $SERVER_LIMIT
tc qdisc add dev $ETH0ORSIMILAR parent 1:51 sfq perturb 10
tc filter add dev $ETH0ORSIMILAR protocol ip parent 1: prio 1 handle 51 fw flowid 1:51

I had followed this tutorial to achieve this: https://linuxscriptshub.com/bandwidth-control-on-ikev2-with-tc-and-iptables/

I'm essentially marking the 10.10.10.0/24 VPN IP pool with number 51. After the marking, based on the single private IP address with iptables, I'd do the bandwidth limiting based on the marking id 51. Is this correct, how I have done it?

Further iptables settings:

VPNIPPOOL="10.10.10.0/24"

# accept anything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# rate-limit repeated new requests from same IP to any ports
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --set
iptables -I INPUT -i $ETH0ORSIMILAR -m state --state NEW -m recent --update --seconds 60 --hitcount 12 -j DROP

# accept IPSec/NAT-T for VPN (ESP not needed with forceencaps, as ESP goes inside UDP)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# forward VPN traffic anywhere
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s $VPNIPPOOL -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d $VPNIPPOOL -j ACCEPT

# reduce MTU/MSS values for dumb VPN clients
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s $VPNIPPOOL -o $ETH0ORSIMILAR -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# exempt IPsec traffic from masquerading (the ACCEPT must come before the MASQUERADE rule)
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -m policy --pol ipsec --dir out -j ACCEPT

# masquerade VPN traffic over eth0 etc.
iptables -t nat -A POSTROUTING -s $VPNIPPOOL -o $ETH0ORSIMILAR -j MASQUERADE

ipsec config:

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=${VPNIPPOOL}
    rightsendcert=never

Many Thanks,
Houman
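An added example for the shaping question above; it is not code from the list or from the linked tutorial. The posted script sends every pool packet, in both directions, to a single fwmark (51) and therefore to a single HTB class, so the 10mbit is shared by all clients, which is exactly the symptom described. The generator below keeps the same mechanism (iptables MARK in FORWARD, tc "fw" filters on the egress interface) but derives one mark, one HTB class and one filter per pool address, so each virtual IP gets its own rate. It only builds the command lines; apply_commands() runs them. The interface name and pool are the thread's, the mark base 0x1000 and the dedicated mangle chain VPN_SHAPE are this example's choices (the chain keeps the TCPMSS rule already in mangle FORWARD untouched), and it relies on the fwmark surviving to the eth0 qdisc for both directions in the same way the posted script does.

```python
import ipaddress
import subprocess

CHAIN = "VPN_SHAPE"      # assumption: a dedicated mangle chain, so existing FORWARD rules survive


def shape_commands(dev, pool, per_client_rate, mark_base=0x1000):
    """Command lines giving every address in `pool` its own HTB class on `dev`."""
    net = ipaddress.ip_network(pool, strict=False)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expects an IPv4 pool with at least two host addresses")
    if net.num_addresses - 2 > 0xFFFE:
        raise ValueError("HTB minor class ids are 16-bit; split the pool")
    cmds = [
        f"tc qdisc del dev {dev} root 2>/dev/null || true",
        f"tc qdisc add dev {dev} root handle 1: htb",
        f"iptables -t mangle -N {CHAIN} 2>/dev/null || iptables -t mangle -F {CHAIN}",
        f"iptables -t mangle -C FORWARD -j {CHAIN} 2>/dev/null || iptables -t mangle -I FORWARD -j {CHAIN}",
    ]
    for host in net.hosts():
        idx = int(host) - int(net.network_address)    # 1..n: host part doubles as class minor id
        mark = f"{mark_base + idx:#x}"
        cls = f"1:{idx:x}"                            # tc class ids are hexadecimal
        cmds += [
            # both directions, as in the posted script, but one mark per client
            f"iptables -t mangle -A {CHAIN} -s {host} -j MARK --set-mark {mark}",
            f"iptables -t mangle -A {CHAIN} -d {host} -j MARK --set-mark {mark}",
            f"tc class add dev {dev} parent 1: classid {cls} htb rate {per_client_rate} ceil {per_client_rate}",
            f"tc qdisc add dev {dev} parent {cls} sfq perturb 10",
            f"tc filter add dev {dev} parent 1: protocol ip prio 1 handle {mark} fw flowid {cls}",
        ]
    return cmds


def class_for(pool, ip):
    """Which HTB class a client lands in; handy when reading `tc -s class show dev eth0`."""
    net = ipaddress.ip_network(pool, strict=False)
    return f"1:{int(ipaddress.ip_address(ip)) - int(net.network_address):x}"


def apply_commands(cmds, dry_run=True):
    """Print (default) or execute the generated commands; needs root to execute."""
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(cmd, shell=True, check=True)


if __name__ == "__main__":
    apply_commands(shape_commands("eth0", "10.10.10.0/24", "10mbit"))
    print("# 10.10.10.8 is shaped by class", class_for("10.10.10.0/24", "10.10.10.8"))
```

Re-run the speed test from two clients after applying: each should now plateau at the per-client rate independently, and tc -s class show dev eth0 will show bytes accumulating in two different classes. Note that this shapes at eth0, so download to the clients is limited on the encapsulated packets and the rate includes ESP/UDP overhead.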
Re: [strongSwan] Sudden issues with Windows 10 clients
Hello Jafar,

Thank you for the final proposals. I have entered them and it works great with iOS and OSX. I have no Windows to test it yet.

The only reason I had picked 3des-sha1 was because the StrongSwan Wiki claims this was needed for Mac (OSX): https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients. But I can see it works even without that.

My user in Iran still can't connect successfully. I have followed your instructions. I have tailed the syslog below, hence this is all I can see:

May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA
May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT
May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to 91.99.xxx.xxx[500]
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout

I have also executed ipsec statusall:

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):
  uptime: 68 minutes, since May 12 09:55:31 2018
  malloc: sbrk 1773568, mmap 0, used 572416, free 1201152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/1
Listening IP addresses:
  172.31.xxx.xxx
Connections:
  roadwarrior:  %any...%any  IKEv2, dpddelay=180s
  roadwarrior:   local:  [vpn1.xxx.com] uses public key authentication
  roadwarrior:    cert:  "CN=vpn1.xxx.com"
  roadwarrior:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
  roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

I can't quite see from this if they have blocked ESP or not. But I suspect this is the case.

Many Thanks for your help,
Houman

On 11 May 2018 at 16:00, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
> 1) The log shows that while it took a couple of attempts to establish an IKE SA, it was eventually up with an ESP Child SA as well. So, as far as I can see in your logs, the connection should be up. What happens next? Do the logs show that the connection is dropped for some reason? What is the output of "ipsec statusall"? Can you confirm that you are receiving ESP packets afterward, or if ESP is blocked?
>
> 2) Depending on the vpn clients you use, your proposals seem OK. I would expand them a bit with a better DH group in case the client supports it in both IKE and ESP configs. In the ESP case you can have two proposals, with and without DH groups, if you have clients that can't do DH with ESP. Unless you really think you need 3des-sha1 for some clients, there is no reason to keep it. Here is an example:
>
> ike=aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> es
Re: [strongSwan] Sudden issues with Windows 10 clients
Hello Jafar,

Apologies, as I didn't explain what I had already tried.

1) I have tried your suggestion:

ike=aes256-sha256-prfsha256-modp2048-modp1024!
esp=aes256-sha256,aes256-sha1,3des-sha1!

I can connect to it via iOS 11 and OSX High Sierra without any problem from UK. And I no longer get that error message: "DH group MODP_2048 inacceptable, requesting MODP_1024". However my user still can't connect. As he is connecting from Iran, I strongly suspect this is because of a recent tightening of the VPN traffic due to the recent political circumstances. Further below I have pasted the log when he is trying to connect unsuccessfully. It says "Connecting..." and after a few seconds, it drops.

2) Unrelated to that, considering what we discussed in this thread, it seems I could skip both *prfsha256* and *modp1024*. Would you say this is now the perfect settings for iOS 10+, OSX and Windows 10?

*ike=aes256-sha256-modp2048!*
*esp=aes256-sha256,aes256-sha1,3des-sha1!*

Many Thanks for your help,
Houman

Btw here is the log when he is trying to connect:

May 11 07:55:16 vpn-server charon: 02[NET] received packet: from 109.230.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 11 07:55:16 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 11 07:55:16 vpn-server charon: 02[IKE] 109.230.xxx.xx is initiating an IKE_SA
May 11 07:55:16 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
May 11 07:55:16 vpn-server charon: 02[IKE] remote host is behind NAT
May 11 07:55:16 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 11 07:55:16 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 109.230.xxx.xx[500] (448 bytes)
May 11 07:55:36 vpn-server charon: 01[IKE] sending keep alive to 109.230.xxx.xx[500]
May 11 07:55:46 vpn-server charon: 11[JOB] deleting half open IKE_SA after timeout
May 11 07:57:44 vpn-server charon: 16[NET] received packet: from 109.230.xxx.xx[1] to 172.31.xxx.xxx[500] (624 bytes)
May 11 07:57:44 vpn-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 11 07:57:44 vpn-server charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
May 11 07:57:44 vpn-server charon: 16[IKE] received Vid-Initial-Contact vendor ID
May 11 07:57:44 vpn-server charon: 16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 11 07:57:44 vpn-server charon: 16[IKE] 109.230.xxx.xx is initiating an IKE_SA
May 11 07:57:44 vpn-server charon: 16[IKE] local host is behind NAT, sending keep alives
May 11 07:57:44 vpn-server charon: 16[IKE] remote host is behind NAT
May 11 07:57:44 vpn-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 11 07:57:44 vpn-server charon: 16[NET] sending packet: from 172.31.xxx.xxx[500] to 109.230.xxx.xx[1] (440 bytes)
May 11 07:57:45 vpn-server charon: 04[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (1536 bytes)
May 11 07:57:45 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 11 07:57:45 vpn-server charon: 04[IKE] received 54 cert requests for an unknown ca
May 11 07:57:45 vpn-server charon: 04[CFG] looking for peer configs matching 172.31.xxx.xxx[%any]...109.230.xxx.xx[192.168.1.103]
May 11 07:57:45 vpn-server charon: 04[CFG] selected peer config 'roadwarrior'
May 11 07:57:45 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 11 07:57:45 vpn-server charon: 04[IKE] peer supports MOBIKE
May 11 07:57:45 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com' (myself) with RSA signature successful
May 11 07:57:45 vpn-server charon: 04[IKE] sending end entity cert "CN= vpn1.xxx.com"
May 11 07:57:45 vpn-server charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 11 07:57:45 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
May 11 07:57:45 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 109.230.xxx.xx[1024] (3616 bytes)
May 11 07:57:45 vpn-server charon: 02[NET] received packet: from 109.230.xxx.xx[1024] to 172.31.xxx.xxx[4500] (96 bytes)
May 11 07:57:45 vpn-server charon: 02[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 11 07:57:45 vpn-server charon: 02[IKE] received EAP identity 'houmie'
May 11 07:57:45 vpn-server charon: 02[IKE] initiating EAP_MSCHAPV2 method (id 0x6C)
May 11 07:57:45 vpn-server charon: 02[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 11 07:57:45 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500]
Re: [strongSwan] Sudden issues with Windows 10 clients
10.0/24
rightsendcert=never

Please let me know if you see any obvious problem. But I strongly believe they have blocked the IKEV2 traffic...

Many Thanks,
Houman

On 9 May 2018 at 15:40, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:

> Hi Tobias,
>
> Thanks for the correction. What I meant to say is:
>
> The PRF algorithm is derived from the integrity algorithm,
> but only if a DH group is also configured.
>
> Correct?
>
> Regards,
> Jafar
>
>
> On 5/9/2018 2:21 AM, Tobias Brunner wrote:
>
>> Hi Jafar,
>>
>> No need to configure a prf, it is already assumed when you
>>> configured a DH group; so you can drop prfsha256.
>>>
>> Small correction, the PRF algorithm, if not configured explicitly, is
>> not derived from the DH group, but the integrity algorithm, in this case
>> sha256.
>>
>> Regards,
>> Tobias
>>
>>
>
Re: [strongSwan] Sudden issues with Windows 10 clients
Thank you both Christian and Jafar for the clear proposals.

So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the stronger set of encryption, do I set *aes256-sha256-prfsha256-modp2048* into *ike* only? Or both in *ike* and *esp*? This part wasn't quite clear to me.

Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.

Many Thanks,
Houman

On 8 May 2018 at 08:40, Christian Salway <christian.sal...@naimuri.com> wrote:

> The problem with Windows (10 at least) is that it offers the weakest
> ciphers first, so you should remove sha1 and 3des.
>
> The minimum proposals you should have and which are compatible with
> Windows 10, OSX, IOS and Linux are the following.
>
> *proposals = aes256-sha256-prfsha256-modp2048-modp1024*
>
> Although I would recommend adding the Windows 10 registry key [
> NegotiateDH2048_AES256] to use strong ciphers and then you can remove
> MODP1024
>
>
> <http://www.naimuri.com>
>
> On 7 May 2018, at 15:50, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
>
> Houman,
>
> The Windows client proposals do not match your configured proposals.
> Your Windows client expects DH group 15 (MODP2048), whereas you have:
>
> aes256-3des-sha1-modp1024
>
> change that to:
>
> aes256-3des-sha1-modp2048
>
> I'd also add sha256 at least before sha1 (deemed insecure). If you still
> have other clients expecting modp1024, make it:
>
> aes256-3des-sha256-sha1-modp2048-modp1024
>
> That should get you covered.
>
> Regards,
> Jafar
>
>
> On 5/7/2018 8:17 AM, Houman wrote:
>
> Hello,
>
> Until a week ago a user with Windows 10 had no issue connecting to the
> StrongSwan server. But now out of the blue, he can't connect to the
> StrongSwan server anymore.
>
> The log on the server is:
>
> May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
> May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
> May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary Directories...
> May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
> May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
> May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
> May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
> May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
> May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor ID
> May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
> May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
> May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
> May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
> May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
> May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
> May 7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor ID
> May 7 13:11:28 vpn-p1
[strongSwan] Sudden issues with Windows 10 clients
Hello,

Until a week ago a user with Windows 10 had no issue connecting to the StrongSwan server. But now out of the blue, he can't connect to the StrongSwan server anymore.

The log on the server is:

May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user root.
May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of Temporary Directories...
May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of Temporary Directories.
May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...
May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.
May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user root.
May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
May 7 13:11:27 vpn-p1 charon: 12[IKE] received Vid-Initial-Contact vendor ID
May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind NAT
May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals inacceptable
May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)
May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from 91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)
May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
May 7 13:11:28 vpn-p1 charon: 16[IKE] received Vid-Initial-Contact vendor ID
May 7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is initiating an IKE_SA
May 7 13:11:28 vpn-p1 charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
May 7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
May 7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind NAT
May 7 13:11:28 vpn-p1 charon: 16[IKE] received proposals inacceptable
May 7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)

The Server's ipsec.conf is:

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
    esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=${VPNIPPOOL}
    rightsendcert=never

Have the supported ike/esp proposals somehow been changed recently after a recent Windows 10 update?

I have made these changes on the Windows 10, after googling for a solution:
- The firewall on Windows 10 is currently disabled.
- I have set NegotiateDH2048_AES256 = 1 in Regedit
- AssumeUDPEncapsulationContextOnSendRule = 2 in Regedit

I can't think of anything
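Added example, not code from this thread or from strongSwan: a small Python script that expands an ipsec.conf ike= string into the IKE:ENC/INTEG/PRF/DH notation charon prints (deriving the PRF from the integrity algorithm when no prf keyword is given, as Tobias describes later in the thread), parses the "[CFG] received proposals" / "configured proposals" lines quoted above, and shows why the responder answered N(NO_PROP) and why the modp2048 variants suggested in the replies would match. The keyword table is a constructed subset covering only the algorithms named on this page, and picking the first configured proposal the client also offered is a simplification of charon's selection.

```python
"""Expand strongSwan ike= proposals and match them against a client's
offer the way a responder does. Added example; algorithm table is a
constructed subset of strongSwan keywords used in this thread."""
import itertools
import re

# ipsec.conf keyword -> (transform type, name charon prints in the log)
ALGS = {
    "aes256":      ("enc", "AES_CBC_256"),
    "aes256gcm16": ("enc", "AES_GCM_16_256"),
    "3des":        ("enc", "3DES_CBC"),
    "sha256":      ("integ", "HMAC_SHA2_256_128"),
    "sha384":      ("integ", "HMAC_SHA2_384_192"),
    "sha1":        ("integ", "HMAC_SHA1_96"),
    "prfsha256":   ("prf", "PRF_HMAC_SHA2_256"),
    "prfsha384":   ("prf", "PRF_HMAC_SHA2_384"),
    "prfsha1":     ("prf", "PRF_HMAC_SHA1"),
    "modp1024":    ("dh", "MODP_1024"),
    "modp2048":    ("dh", "MODP_2048"),
    "ecp384":      ("dh", "ECP_384"),
    "ecp521":      ("dh", "ECP_521"),
}
CAT_OF = {name: cat for cat, name in ALGS.values()}
# PRF implied by an integrity algorithm when no prf* keyword is configured.
PRF_OF_INTEG = {"HMAC_SHA2_256_128": "PRF_HMAC_SHA2_256",
                "HMAC_SHA2_384_192": "PRF_HMAC_SHA2_384",
                "HMAC_SHA1_96": "PRF_HMAC_SHA1"}
CATS = ("enc", "integ", "prf", "dh")


def _combos(cats):
    """A proposal listing several transforms of one type accepts any
    combination of them (RFC 7296 section 3.3), hence the cross product."""
    return list(itertools.product(*(cats[c] for c in CATS)))


def expand_ike(value):
    """'aes256-sha256-modp2048,aes256-3des-sha1-modp1024!' ->
    (list of (enc, integ, prf, dh) tuples, strict flag from trailing '!')."""
    strict = value.endswith("!")
    out = []
    for group in value.rstrip("!").split(","):
        cats = {c: [] for c in CATS}
        for kw in group.split("-"):
            cat, name = ALGS[kw]           # KeyError => keyword not in table
            cats[cat].append(name)
        if not cats["prf"]:               # derive PRF from integrity, not DH
            cats["prf"] = [PRF_OF_INTEG[i] for i in cats["integ"]]
        out.extend(_combos(cats))
    return out, strict


LOG_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")


def parse_log_proposals(line):
    """Parse one charon '[CFG] ... proposals:' log line into
    ('received'|'configured', list of (enc, integ, prf, dh) tuples)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a charon proposals line: %r" % line)
    tuples = []
    for prop in m.group(2).split(", "):
        if not prop.startswith("IKE:"):
            raise ValueError("only IKE proposals handled: %r" % prop)
        cats = {c: [] for c in CATS}
        for name in prop[4:].split("/"):
            cats[CAT_OF[name]].append(name)
        tuples.extend(_combos(cats))
    return m.group(1), tuples


def select(configured, received):
    """Simplified responder choice: first configured combination the
    initiator also offered; None means N(NO_PROP) is sent back."""
    offered = set(received)
    for combo in configured:
        if combo in offered:
            return combo
    return None


def explain(configured_line, received_line):
    """Feed the two log lines straight in and get the chosen proposal."""
    return select(parse_log_proposals(configured_line)[1],
                  parse_log_proposals(received_line)[1])


# Lines copied from the log in the post above (constructed prefix kept).
RECEIVED_LINE = ("May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals: "
                 "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
                 "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
CONFIGURED_LINE = ("May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals: "
                   "IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, "
                   "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, "
                   "IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")
ORIGINAL_IKE = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"

if __name__ == "__main__":
    print("original config picks:", explain(CONFIGURED_LINE, RECEIVED_LINE))
    fixed, _ = expand_ike("aes256-3des-sha256-sha1-modp2048-modp1024!")
    print("with modp2048 picks:", select(fixed, parse_log_proposals(RECEIVED_LINE)[1]))
```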
Re: [strongSwan] IPsec broken for iphone with ios11?
I had the exact same problem. I couldn't connect via iOS 11.2.6 on iPhone X. After upgrading to iOS 11.3 I can connect to StrongSwan again without having touched any configuration.

Although it could be that the OS was somehow stuck and the hard restart after update "cleared" it up. I should have restarted before the upgrade for a better test.

On 31 March 2018 at 16:08, Harald Dunkel wrote:

> On 03/29/18 18:23, Harald Dunkel wrote:
> > Hi folks,
> >
> > is it just me, or is IPsec broken for ios 11 (iphone)? I can establish
> > an IPsec connection once, but if I reconnect then the routing appears
> > to be broken. I cannot ping the DNServer on the remote net.
> >
> > My ipad (ios 10) with a similar profile has no such problem.
> >
> > Can anybody reproduce this?
> >
>
> Using the new ios 11.3 or macos 10.13.4 the problem vanished.
>
>
> Regards
> Harri
>
[strongSwan] Enabled eap-radius doesn't log session information
Hello,

I have set up StrongSwan successfully with FreeRadius. I can create a new user in the radcheck table inside radius DB and authenticate with the VPN with that user afterwards.

However, there is no information saved inside the radacct table. I was expecting to see the session time of a connected user and find out a way to count the traffic a user has been utilising. But why is the table empty?

I install StrongSwan like this, I don't specifically compile it with *./configure --enable-eap-radius*

Instead, I install it like this, is that ok?

add-apt-repository ppa:freeradius/stable-3.0 -y
apt-get install -y language-pack-en strongswan strongswan-ikev2 libstrongswan-standard-plugins strongswan-libcharon libcharon-extra-plugins freeradius freeradius-utils freeradius-mysql

*# vim /etc/strongswan.conf*

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

*# vim /etc/strongswan.d/charon/eap-radius.conf*

servers {
    server-a {
        accounting = yes
        secret = ${CLIENT_SECRET}
        address = 127.0.0.1
        auth_port = 1812
        acct_port = 1813
    }
}

*# vim /etc/ipsec.conf*

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
    esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@${VPNHOST}
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=208.67.222.222,208.67.220.220
    rightsourceip=${VPNIPPOOL}
    rightsendcert=never

Merry Christmas and thank you,
Houman
[strongSwan] How to use sqlcounter to disconnect a user after reaching the daily quota?
Hello & Merry Christmas.

I have managed to enable accounting after all and it seems that the module sqlcounter is loaded too.

Looking at the documentation here <https://freeradius.org/radiusd/man/rlm_counter.txt>:

The rlm_counter module provides a general framework to measure total data transferred in a given period. This is very useful in a 'Prepaid Service' situation, where a user has paid for a finite amount of usage and should not be allowed to use more than that service.

This is perfect as I need exactly that. It seems I have to change count_attribute to data usage in order to measure the usage instead of time.

Nonetheless, I'm very confused how I'm supposed to utilise this module. I can see the module is loaded when I run it as freeradius -X. But how do I set it up to allow each user only 3 GB of data usage within a month? Or even for testing purposes 100KB on a daily basis? When the month or day has passed, then the user should be allowed access again.

Which config file do I have to edit?

Many Thanks for your advice,
Houman
Re: [strongSwan] Can StrongSwan be loadbalanced?
Thanks Anvar,

I was very excited about the link https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability that you shared earlier. Unfortunately, it doesn't do a good job of explaining how two StrongSwan servers have to be set up to work in collaboration, in order to share the traffic and take over if one of them fails.

Do you happen to know a step by step tutorial? I haven't found anything on google.

Thanks,

On Mon, Nov 13, 2017 at 4:36 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:

> 50 and 51 are protocol identifiers, not port numbers. They are not
> tcp and not udp; they are different transport layer protocols (on the same
> layer where tcp and udp reside). Protocol 50 is protocol ESP (Encapsulating
> Security Payload), protocol 51 is AH (Authentication Header).
> https://en.m.wikipedia.org/wiki/List_of_IP_protocol_numbers
>
> You might be interested in the following articles:
> http://www.linuxvirtualserver.org/software/ipvs.html
> https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> Anvar Kuchkartaev
> an...@anvartay.com
> *From: *Houman
> *Sent: *Monday, 13 November 2017 04:19 p.m.
> *To: *users@lists.strongswan.org
> *Subject: *[strongSwan] Can StrongSwan be loadbalanced?
>
> Hello,
>
> I have made quite a bit of research on how to load balance StrongSwan,
> however, I get contradicting messages.
>
> e.g. from my understanding, StrongSwan (IKEv2) works over UDP and not
> TCP. Hence Aws load balancer is out of the question. But so is HAProxy !!!
>
> But I discovered that latest NGINX 1.10+ supports UDP load balancing and
> it was easy to set it up.
>
> I am currently listening to ports 500 and 4500 and it doesn't quite work.
> I have raised an issue here: https://wiki.strongswan.org/issues/2464
>
> Do I need to listen to port 50 and 51 as well?
>
> Any tips or advice for me, please?
> Many Thanks,
> Houman
>
>
>
>
Re: [strongSwan] StrongSwan and EAP (FreeRadius)
I have changed both configs to 127.0.0.1 and restarted both StrongSwan and FreeRadius but I got the same error message.

Then I changed them both to 0.0.0.0 and restarted both servers, and I still get the same error message.

Any idea what this could be?

On Wed, Nov 15, 2017 at 9:01 AM, Michael Schwartzkopff <m...@sys4.de> wrote:

> On 15.11.2017 at 09:58, Houman wrote:
> > Hello Michael,
> >
> >
> > Thanks for your reply. Indeed I should have checked the radius log. It
> > seems the shared secret is incorrect, but they do match in configs as
> > pasted below.
> > Where else could the secret have been used that I have missed? Thanks
> >
> > *vim /var/log/freeradius/radius.log*
> >
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> > Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server
> > Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> > Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> > Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> > Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> > Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
> >
> >
> >
> > *vim /etc/strongswan.conf*
> >
> > charon {
> >     load_modular = yes
> >     compress = yes
> >     plugins {
> >         include strongswan.d/charon/*.conf
> >         eap-radius {
> >             servers {
> >                 server-a {
> >                     accounting = yes
> >                     secret = 123456
> >                     address = 127.0.0.1
> >                     auth_port = 1812
> >                     acct_port = 1813
> >                 }
> >             }
> >         }
> >     }
> >     include strongswan.d/*.conf
> > }
> >
> >
> >
> > *vim /etc/freeradius/clients.conf*
> >
> > client 0.0.0.0 {
> >     secret = 123456
> >     nas_type = other
> >     shortname = 0.0.0.0
> >     require_message_authenticator = no
> > }
> >
> >
> >
> > On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:
> >
> >> On 15.11.2017 at 08:24, Houman wrote:
> >>> Hi,
> >>>
> >>> I'm new to the concept of EAP and might be misunderstanding something.
> >>> Apologies up front.
> >>>
> >>> I have finally been able to install FreeRadius and enable the SQL module.
> >>> I have created a user in the database and was hoping to establish a VPN
> >>> connection via that user.
> >>>
> >>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> >>> ('houman','Cleartext-Password',':=','test123');
> >>>
> >>>
> >>> When I try to connect from my MacBook into the StrongSwan server I get this
> >>> log. It looks promising but eventually, it says initiating EAP_RADIUS
> >>> method failed.
> >>>
> >>> I'm not quite sure if this has failed due to a bad configuration on my side or
> >>> it is for other reasons that I don't quite understand how EAP should work.
> >>> Please be so kind and advise,
> >>> Thanks,
Re: [strongSwan] StrongSwan and EAP (FreeRadius)
Hello Michael,

Thanks for your reply. Indeed I should have checked the radius log. It seems the shared secret is incorrect, but they do match in configs as pasted below.
Where else could the secret have been used that I have missed? Thanks

*vim /var/log/freeradius/radius.log*

Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to database "radius"
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server
Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
Wed Nov 15 08:49:50 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)

*vim /etc/strongswan.conf*

charon {
    load_modular = yes
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-radius {
            servers {
                server-a {
                    accounting = yes
                    secret = 123456
                    address = 127.0.0.1
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
    include strongswan.d/*.conf
}

*vim /etc/freeradius/clients.conf*

client 0.0.0.0 {
    secret = 123456
    nas_type = other
    shortname = 0.0.0.0
    require_message_authenticator = no
}

On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:

> On 15.11.2017 at 08:24, Houman wrote:
> > Hi,
> >
> > I'm new to the concept of EAP and might be misunderstanding something.
> > Apologies up front.
> >
> > I have finally been able to install FreeRadius and enable the SQL module.
> > I have created a user in the database and was hoping to establish a VPN
> > connection via that user.
> >
> > INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> > ('houman','Cleartext-Password',':=','test123');
> >
> >
> > When I try to connect from my MacBook into the StrongSwan server I get this
> > log. It looks promising but eventually, it says initiating EAP_RADIUS
> > method failed.
> >
> > I'm not quite sure if this has failed due to a bad configuration on my side or
> > it is for other reasons that I don't quite understand how EAP should work.
> >
> > Please be so kind and advise,
> > Thanks,
> > Houman
> >
> >
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> > Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr
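Added example, not code from this thread, from strongSwan or from FreeRADIUS: the check behind "invalid Message-Authenticator! (Shared secret is incorrect.)" in the radius.log above, written out in Python. The attribute is an HMAC-MD5 keyed with the shared secret over the whole Access-Request with its own value zeroed (RFC 2869 section 5.14, required on EAP requests by RFC 3579), so a NAS and a server holding different secrets always disagree; the usernames, secrets and EAP payload below are constructed sample values.

```python
"""Build a RADIUS Access-Request with EAP-Message + Message-Authenticator
and verify it with a shared secret. Added example; all sample values
are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, ident, authenticator, attrs):
    """Return an Access-Request whose Message-Authenticator is valid for
    `secret`. `authenticator` is the 16-byte Request Authenticator."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    # The HMAC is computed with the Message-Authenticator value set to
    # 16 zero bytes, then the real MAC replaces the zeros.
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    header += authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet):
    """Recompute the Message-Authenticator over the packet with its value
    zeroed; True only if `secret` is the one the sender used. Malformed
    packets and packets without the attribute return False."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, found = HEADER_LEN, None
    while pos + 2 <= length:                  # walk the attribute list
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                      # bad attribute length
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            found = (pos + 2, packet[pos + 2:pos + 18])
        pos += alen
    if found is None:
        return False
    off, received = found
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def demo():
    """Constructed exchange mirroring the thread: the NAS (charon's
    eap-radius plugin) signs with one secret; the server checks with the
    same secret, then with a secret that differs by a single byte."""
    request_authenticator = os.urandom(16)    # random per RFC 2865
    eap_identity_response = bytes([2, 0, 0, 11, 1]) + b"houman"  # EAP Response/Identity
    attrs = [(ATTR_USER_NAME, b"houman"),
             (ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
             (ATTR_EAP_MESSAGE, eap_identity_response)]
    pkt = build_access_request(b"123456", 2, request_authenticator, attrs)
    return (verify_message_authenticator(b"123456", pkt),
            verify_message_authenticator(b"123457", pkt))


if __name__ == "__main__":
    same, different = demo()
    print("same secret:", same)            # True
    print("different secret:", different)  # False -> "Shared secret is incorrect."
```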
[strongSwan] StrongSwan and EAP (FreeRadius)
Hi,

I'm new to the concept of EAP and might be misunderstanding something. Apologies up front.

I have finally been able to install FreeRadius and enable the SQL module. I have created a user in the database and was hoping to establish a VPN connection via that user.

INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('houman','Cleartext-Password',':=','test123');

When I try to connect from my MacBook into the StrongSwan server I get this log. It looks promising but eventually, it says initiating EAP_RADIUS method failed.

I'm not quite sure if this has failed due to a bad configuration on my side or it is for other reasons that I don't quite understand how EAP should work.

Please be so kind and advise,
Thanks,
Houman

Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating an IKE_SA
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT, sending keep alives
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config 'roadwarrior'
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN= vpn2.t.com"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity 'houman'
Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS Access-Request (timeout: 2.8s)
Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS Access-Request (timeout: 3.9s)
Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:30 ip-172-31-9-51 charon: 15[CFG] retransmit 3 of RADIUS Access-Request (timeout: 5.5s)
Nov 15 07:13:30 ip-172-31-9-51 charon: 04[MGR] ignoring request with ID 2, already processing
Nov 15 07:13:35 ip-17
[strongSwan] Can StrongSwan be loadbalanced?
Hello,

I have made quite a bit of research on how to load balance StrongSwan, however, I get contradicting messages.

e.g. from my understanding, StrongSwan (IKEv2) works over UDP and not TCP. Hence Aws load balancer is out of the question. But so is HAProxy !!!

But I discovered that latest NGINX 1.10+ supports UDP load balancing and it was easy to set it up.

I am currently listening to ports 500 and 4500 and it doesn't quite work. I have raised an issue here: https://wiki.strongswan.org/issues/2464

Do I need to listen to port 50 and 51 as well?

Any tips or advice for me, please?

Many Thanks,
Houman