Re: [strongSwan] [strongswan] davici: Fix codesonar warnings

2020-06-15 Thread Martin Willi
Hi, > Fixed below codesonar warning. > isprint() is invoked here with an argument of signed type char, but > only has defined behavior for int arguments that are either > representable as unsigned char or equal to the value of macro EOF(- > 1). > > To avoid this unexpected behaviour, typecasted
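The warning above, illustrated with an added example that is neither davici code nor part of Martin's mail. It shows the precondition the ctype functions impose (argument is EOF or a value representable as unsigned char), why a signed char with the high bit set violates it, and the cast-based fix. `is_valid_ctype_arg`, `count_nonprintable` and `render_printable` are hypothetical helpers written for this example; the sample bytes are constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not davici code. The ctype functions are defined only for
 * arguments equal to EOF or representable as unsigned char. Where char is
 * signed, a byte >= 0x80 passed straight to isprint() becomes a negative int
 * and the call is undefined behaviour (glibc indexes a lookup table with it).
 * Casting to unsigned char first keeps every byte in the defined range. */

/* Hypothetical helper: does c satisfy the ctype argument precondition? */
int is_valid_ctype_arg(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* The fix the patch describes: cast to unsigned char before calling isprint(). */
int byte_is_printable(char c)
{
    return isprint((unsigned char)c) != 0;
}

/* Number of bytes a log dumper would have to escape. */
size_t count_nonprintable(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (!byte_is_printable(buf[i])) {
            n++;
        }
    }
    return n;
}

/* Render buf for logging: printable bytes verbatim, everything else as '.'.
 * out needs room for len + 1 bytes; returns the byte count without the NUL. */
size_t render_printable(const char *buf, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++) {
        out[i] = byte_is_printable(buf[i]) ? buf[i] : '.';
    }
    out[len] = '\0';
    return len;
}

/* Constructed sample: two ASCII bytes, one high byte, one control byte. */
const char sample_bytes[4] = { 'o', 'k', (char)0xE9, 0x01 };

int main(void)
{
    char out[sizeof(sample_bytes) + 1];

    /* (char)0xE9 promotes to -23 on a signed-char target: not a valid argument. */
    printf("raw %d valid: %d, cast %u valid: %d\n",
           (int)sample_bytes[2], is_valid_ctype_arg(sample_bytes[2]),
           (unsigned char)sample_bytes[2],
           is_valid_ctype_arg((unsigned char)sample_bytes[2]));
    render_printable(sample_bytes, sizeof(sample_bytes), out);
    printf("%zu non-printable, rendered as \"%s\"\n",
           count_nonprintable(sample_bytes, sizeof(sample_bytes)), out);
    return 0;
}
```

The results assume the default "C" locale, in which only 0x20..0x7E are printable; a process that calls setlocale() may classify 0xE9 differently, but the cast is required either way. On targets where char is unsigned (ARM Linux, for instance) the raw call happens to be in range, which is why the problem is easy to miss when testing on one architecture only.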

Re: [strongSwan] Memory leak when routing internet traffic via VPN

2019-11-11 Thread Martin Willi
Hi, > If I have "leftsubnet=172.30.0.0/16,0.0.0.0/0", the server leaks > memory - available memory decreases steadily until all memory+swap > are consumed and the server needs to be rebooted. No processes are > using this memory - the sum of all shared + RSS is much lower than > what htop reports

Re: [strongSwan] Cannot compile strong-swan from git

2019-07-14 Thread Martin Willi
Hi Ben, > First, maybe autogen could detect this missing gperf right at the > beginning and tell the user? ./autogen.sh is just a wrapper for autogen -i these days, so it won't help users calling that directly. Doing such a check in ./configure is not an option, as gperf is not required for an

Re: [strongSwan] Davici library configure shell?

2019-02-13 Thread Martin Willi
> Where is configure shell in the git? As with most autotools based packages, ./configure is generated and therefore not part of git. When building from git sources, you'll have to generate it using autoreconf. Alternatively, use the distribution tarballs from [1], which include the generated

Re: [strongSwan] VICI and multiple threads

2017-09-08 Thread Martin Willi
Hi Anthony, > [...] and he did mention the possibility for using DAVICI. > The problem at the time was > Andreas lost the support person for this module. So we decided not to > take the risk. I don't think there is much of an issue here. I definitely will

Re: [strongSwan] Best practices regarding monitoring

2017-06-18 Thread Martin Willi
Hi Peter, > So, am I correct to assume that you guys usually evaluate the output > of `ipsec statusall` Preferably I'd do that over vici [1], as it provides a much better interface for various languages to query tunnel status or re-initiate tunnels. > Do you simply send pings to remote systems

Re: [strongSwan] IPsec performance figures

2017-05-04 Thread Martin Willi
Hi, > are there any reliable performance figures for IPsec throughput on > x86_64 Linux machines? Nothing I could reference here. > Is 10 GBit/s feasible? If yes, how? On commodity hardware, maybe, but only if/when: * using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core * your NIC

Re: [strongSwan] Tunnels with dynamic IP and another route issue

2017-04-26 Thread Martin Willi
Hi, > How exactly do these kinds of multipath routes compare to > multiple routes with different priorities/metrics?  In your case you > have multiple paths with the same weight, how is the actual > nexthop/interface chosen by the kernel? The nexthop of a multipath route is selected

Re: [strongSwan] IPSEC remote access routing

2017-01-29 Thread Martin Willi
Hi, > > The following is my Strongswan servers routing table (default > > routes). > > nexthop via 90.225.x.x  dev vlan845 weight 1 > > nexthop via 10.248.x.x  dev ppp1 weight 256 > > nexthop via 85.24.x.x  dev vlan847 weight 1 > > nexthop via 46.195.x.x  dev ppp0

Re: [strongSwan] Maximizing throughput / kernel bottlenecks

2016-04-11 Thread Martin Willi
(one of which is quite old - running a dual core netburst P4 @2.8, the other two are VMs on decent hardware, all of which have no load) are hitting walls at 300mb/s On a Netburst architecture you can't expect more; it does not have any acceleration for AES-GCM. but can hit 980mb/s

Re: [strongSwan] Maximizing throughput / kernel bottlenecks

2016-03-31 Thread Martin Willi
Hi, > There is no appreciable load on any of the systems > during throughput testing. Please note that IPsec is usually processed in soft IRQ, so have a look at the "si" field in top. If you are CPU bound, "perf" is very powerful in analyzing the bottleneck on productive systems. If you are not

Re: [strongSwan] IKEv1 xauth-pam to IKEv2 eap-gtc?

2015-11-08 Thread Martin Willi
Hi John, > The IKEv1 connections use pubkey & xauth-pam authentication: > Is there a migration path for IKEv2 connections that makes sense? I see > there is an eap-gtc module that supports pam but it's not clear in the > documentation how to configure this to use a specific pam_service. EAP

Re: [strongSwan] Issues with HA configuration

2015-09-28 Thread Martin Willi
Hi Peter, > If the hash is on SOURCE IP then won’t it potentially hash to a > different segment depending on the direction of the message? Yes. The current code does not enforce a return path over the same segment, so a connection might return over the other node. You'll have to consider that if

Re: [strongSwan] Multiple vpn clients behind NAT support

2015-07-02 Thread Martin Willi
Hi, From behind NAT only one client is able to connect at a time. If one remote access VPN is up, the second VPN connection fails to connect. The Windows L2TP/IPsec client uses transport mode to secure L2TP. A gateway can't distinguish two clients behind the same NAT without some tricks, as they

Re: [strongSwan] Any working two-factor authentication with Windows?

2015-06-29 Thread Martin Willi
Hi, I would like to know if there exist any two-factor combination where one of them is RADIUS, either IKEv1 or IKEv2, which works with Windows (Win7 and above) native VPN client. AFAIK Windows does not support RFC4739. In IKEv1 there is a proprietary extension called AuthIP in Windows, but

Re: [strongSwan] Multiple proposals with different authentication types

2015-06-29 Thread Martin Willi
Hi, [...] when the cisco initiates a connection with both the transforms, the RSA-SIG being first in the list, strongswan replies back with a proposal that contains RSA-SIG, because it is the first in the list, even though the connection is defined as PSK. Is this a bug and is there a way

Re: [strongSwan] Strongswan EAP-TTLS + user/password(chap)

2015-06-24 Thread Martin Willi
Hi, Is there any way that I could use user/password inside the eap-ttls tunnel? Windows clients are able to initiate an IKE tunnel with eap-ttls and user+password as their authentication protocol and I'm trying to use strongSwan as my server side. strongSwan EAP-TTLS currently does not support

Re: [strongSwan] forecast iptables commit failed: Invalid argument

2015-06-19 Thread Martin Willi
Can you please share the ipsec configuration files that you used on x86 architecture, so that we can check if we are missing any generic or architecture specific dependencies. Our test suite features a regression test for the forecast plugin, see [1]. Regards Martin

Re: [strongSwan] forecast iptables commit failed: Invalid argument

2015-06-18 Thread Martin Willi
Hi, OpenWrt daemon.info charon: 15[CFG] forecast iptables commit failed: Invalid argument Please check that your kernel supports the MARK target and the udp/esp matches. What architecture is OpenWRT running on? Not unlikely that it is an alignment issue, I didn't test the plugin beyond

Re: [strongSwan] Throughput on high BDP networks

2015-06-01 Thread Martin Willi
Hi, I can see the multiple kworker threads spread across all 12 cores in these fairly high powered systems but I am still dropping packets and performance is not much improved. If all your cores are processing traffic, then pcrypt probably works as it should. What does fairly high powered

Re: [strongSwan] Throughput on high BDP networks

2015-06-01 Thread Martin Willi
Even at these rates, the CPU did not appear to be very busy. We had one at 85% occupied but that was the one running nuttcp. On the outgoing path, the Linux kernel usually accounts ESP encryption under the process that sends traffic using a socket send() call. So these 85% probably include

Re: [strongSwan] Failing to login due to constraint check failed

2015-05-28 Thread Martin Willi
why it wasn't sending identity before but does send it now? The client now offers EAP authentication by omitting the AUTH payload in the first IKE_AUTH exchange. This allows the server to trigger the EAP-Identity exchange, followed by EAP-MSCHAPv2. and why does authentication fail? The

Re: [strongSwan] Failing to login due to constraint check failed

2015-05-27 Thread Martin Willi
Hi, What I don't understand is why it is failing on EAP identity when I clearly defined 'eap_identity=%any' parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] parsed IKE_AUTH request 1

Re: [strongSwan] Implications of Weak DH / Logjam on IPSec

2015-05-21 Thread Martin Willi
Gerd, you are probably aware of the recent Weak DH / Logjam attack on Diffie-Hellman, see: https://weakdh.org/ Yes. Our TLS stack as server uses at least MODP2048, so is not directly affected. I've queued a fix to reject groups smaller than 1024-bit as client, subject for the next release, see

Re: [strongSwan] EAP-AKA: EAP method not supported, sending EAP_NAK

2015-05-21 Thread Martin Willi
Hi Holger, server requested EAP_AKA authentication (id 0x00) EAP method not supported, sending EAP_NAK loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr

Re: [strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?

2015-05-20 Thread Martin Willi
Hi, all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8) on responder side, as proposed by initiator. Is there any way to specify/configure different initiator_tsr for each initiator? Currently all initiators use the same subnet as defined with initiator_tsr. So no, there is

Re: [strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?

2015-05-20 Thread Martin Willi
As per the implementation, an SPD entry would contain the destination IP as selector field and uses the same as a key to search the SPD table. I don't think this will work; The remote selector does not have to be unique per CHILD_SA/policy. Having multiple CHILD_SAs having the same remote

Re: [strongSwan] Strongswan does not remove CA Certificate from its internal objects (RAM) even after removing the certificate from cacerts directory or ca section.

2015-05-13 Thread Martin Willi
Hi, ca section1 cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem 6. After removing this and executing ipsec update we expect that the SA will not get established as the end which does not have root CA of peer will reject the IKE_AUTH. All CA certificates placed under the cacerts

Re: [strongSwan] PKCS#12 and leftid

2015-05-12 Thread Martin Willi
I don't really get how I'm supposed to use leftid, am I supposed to find a string-ASN.1 converter ? No, you define a string representation of your identity. strongSwan detects the identity type, and tries to convert it to the appropriate binary encoding (ASN.1 in the case of a DN). While you

Re: [strongSwan] PKCS#12 and leftid

2015-05-11 Thread Martin Willi
Hi, 1) [...] For example my certificate subject is : C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.moni...@gmail.com but when I do ipsec listall I have : C=FR, ST=R?gion Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.moni...@gmail.com Converting Distinguished Names

Re: [strongSwan] Packets dropped during CHILD SA rekeying

2015-04-29 Thread Martin Willi
Emeric, It seems to be related to: https://wiki.strongswan.org/issues/839#note-1 It is, and as discussed in that ticket, is a consequence of the pair-wise (un-)installation of SAs. To properly fix this issue, we would have to defer outbound SA installation/activation as exchange responder to

Re: [strongSwan] Different cipher suites for each connection parameters

2015-04-29 Thread Martin Willi
Hi Lars, Is it possible to have different cipher suites for all the conn parameters in ipsec.conf? Yes. But for IKE proposals, algorithm selection happens very early in the exchange, before any peer identity gets exchanged. This is because these details are explicitly protected under the

Re: [strongSwan] IPSec VPN between Cisco ASA and StrongSwan

2015-04-27 Thread Martin Willi
Hi, It seems to me (I found some hints but no real doc) that you have to specify the direction like this: lefthost righthost : PSK rightpsk righthost lefthost : PSK leftpsk This can work, but I don't think that it must in all cases. The lookup function for shared keys takes the

Re: [strongSwan] IPSec VPN between Cisco ASA and StrongSwan

2015-04-27 Thread Martin Willi
So what is the added benefit of having two PSKs, since IKEv2 explicitly allows that compared to IKEv1? While it is allowed in IKEv2, I don't see much benefit from doing that. RFC 7296 says: In particular, the initiator may be using a shared key while the responder may have a public

Re: [strongSwan] How to avoid the parsing of strongswan.conf file and set the configuration options programmatically?

2015-04-22 Thread Martin Willi
Hi, set_strongswan_conf_options(lfile); system("starter --daemon charon"); You can't set options in the current process, and then expect that these options get inherited to a child process spawned using system() or any exec*() function. If you want to set strongswan.conf options

Re: [strongSwan] Can StrongSwan support Multicast Dissemination Protocol (MDP) ?

2015-04-22 Thread Martin Willi
Hi, Please can you advise whether strongSwan can support Multicast Dissemination Protocol (MDP) ? strongSwan does not provide any form of explicit support for that protocol. Possible that you can use strongSwan as building block to secure MDP traffic, but I've no experience with that. Regards

Re: [strongSwan] To configure strongswan libraries path.

2015-04-21 Thread Martin Willi
Hi, Is there a way I can avoid this and specify the path to the library files and the package folder currently present in lib/ipsec/ as compared to the old version where it was stored directly in lib/. Yes, have a look at the --with-ipsecdir, --with-ipseclibdir and --with-plugindir options

Re: [strongSwan] How to tunnel traffic towards the public IP of the remote gateway?

2015-04-17 Thread Martin Willi
Hi, Does %dynamic work in net2net? Or only in road-warrior scenarios? If any has been negotiated, %dynamic resolves to the virtual IP for that endpoint. If not, it resolves to the IKE endpoint address. It can be used in either scenario, but has a slightly different behavior. Regards Martin

Re: [strongSwan] Adding Custom Algorithm

2015-04-15 Thread Martin Willi
Hi, How we can add custom Algorithm for ESP in Strongswan 4.6.4. ESP is usually handled by the kernel, so you'll have to implement your algorithm there. On Linux, you'll have to provide your algorithm through the Linux Crypto API. Once that is done, you need to define a transform identifier

Re: [strongSwan] VICI python egg

2015-04-15 Thread Martin Willi
Hi Noel, foo=collections.OrderedDict(strongswan.list_sas()) ValueError: need more than 1 value to unpack list_sas() returns a generator over SA dictionaries, an iterable over a list. Creating a dictionary from that does not make much sense, as there is no key for the value. Instead, you

Re: [strongSwan] IPsec between Cisco CSR and Strongswan - Response is outside of window received 0x1, expect 0x2 = mess_id 0x2

2015-04-14 Thread Martin Willi
Hi, The issue that I'm facing is that SA on Strongswan side is up but stuck in IN-NEG status on Cisco side (Response is outside of window received 0x1, expect 0x2 = mess_id 0x2). 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ] [...] 16[IKE] IKE_SA csr-swan[1] established

Re: [strongSwan] Using syslog logger for charon

2015-04-07 Thread Martin Willi
Hi, Is there a mechanism to change the level of required log to 'debug', so that they will get automatically redirected to /var/log/debug. No, charon currently always logs with LOG_INFO. With strongswan.conf you can control the facility only (using the auth or daemon section). Regards Martin

Re: [strongSwan] failure with ike using sha2

2015-03-30 Thread Martin Willi
Hi Luka, I have just found out, that recent openssl 1.0.2 commit 929b0d70c19f60227f89fac63f22a21f21950823 breaks hmac when using openssl plugin for hmac functions This commit prevents the pre-initialization with an empty key we use to avoid any non-initialized use of HMAC_Update(). Most

Re: [strongSwan] failure with ike using sha2

2015-03-30 Thread Martin Willi
Please let me know if there is a fix for openssl since changing the load order of plugin is not recommended. If you are using OpenSSL 1.0.2a, you might try the strongSwan fix provided at [1]. Regards Martin [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=openssl-hmac

Re: [strongSwan] StrongSwan Mac OS X app DNS

2015-03-24 Thread Martin Willi
Hi Ken, Not sure if keeping the current DNS servers installed is the best approach, maybe we should remove the previous servers. But we currently just add them to have them as a fallback. I've pushed a new build [1] based on 5.3.0-rc1 that instead of appending the servers to the list, it

Re: [strongSwan] IPv6 (Link Local) Router Soliciations over VPN (for Windows 7)

2015-03-24 Thread Martin Willi
Hi Richard, If we add ff00::/8 to rightsubnet [...] the Router Solicitation and Router Advertisement packets pass correctly. The client gets a default route, and everything works. However, when we try to connect the VPN from a second client, it fails to connect because of duplicate traffic

Re: [strongSwan] StronSwan 5.2.1, Authentication with Radius (multiple rounds RFC 4739)

2015-03-23 Thread Martin Willi
Hi Michael, 1. users should authenticate with a certificate (optional, but planned for the future) (Certificate is checked by StrongSwan) 2. users should authenticate against our active directory via freeRadius (username + password) 3. users should also enter an OTP (send as SMS by the

Re: [strongSwan] Is it possible to update the host certificate without ipsec restart?

2015-03-23 Thread Martin Willi
Hi, i need to change the host certificate (/etc/ipsec.d/certs/xxx.pem Certificates from the ipsec.d/certs directory do not get loaded implicitly, but get referenced in your ipsec.conf conn definition. Use ipsec update or ipsec reload to reload the connection, refer to the manpage for details.

Re: [strongSwan] Ikev2 Windows 7 and 8

2015-03-23 Thread Martin Willi
Hi Chris, leftsubnet=10.72.0.0/16,192.168.1.0/24,public ip subnet/29,another public ip subnet/29 On Windows 7 and Windows 8 we can only access the private ip subnets after connecting to strongswan. We have to add manually routes to access the public ip subnet via the tunnel. Is this a

Re: [strongSwan] ESN support for IKEv1

2015-03-20 Thread Martin Willi
ESN support must be negotiated, as defined in RFC 4304, 2.2.1: This of course is RFC 4303 (ESP), sorry for the confusion. Regards Martin

Re: [strongSwan] ESN support for IKEv1

2015-03-20 Thread Martin Willi
Hi, The wiki mentions this ESN support is only for IKEv2. Is it so? Yes. As per my understanding this ESN feature refers to sequence numbers in ESP. So why is this support dependent on version of IKE? ESN support must be negotiated, as defined in RFC 4304, 2.2.1: To support high-speed

Re: [strongSwan] NAT-T port configuration

2015-03-19 Thread Martin Willi
Hi, 1. Is it possible to use port other than 4500 for NAT-T UDP encapsulation. If yes how can I configure it ? Yes, with the port_nat_t option in strongswan.conf, refer to [1] for details. To initiate a connection to a host with non-default ports, use the ipsec.conf rightikeport option.

Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread Martin Willi
Hi Fabrice, But when i execute ipsec statusall command, it replies : reading from socket failed: Permission denied When i suppress /etc/apparmor.d/usr.lib.ipsec.stroke AppArmor profile, the command replies correctly. We don't ship any AppArmor profiles from upstream, so you most likely

Re: [strongSwan] ipsec reload fails to kill obsolete connections?

2015-03-18 Thread Martin Willi
Yves, When we generate a new version of these files we issue an ipsec reload (not just update). I'd expect that to kill connections that are not relevant anymore, but this is not the case ipsec statusall shows them still as defined and up and running. ipsec reload by design does not affect

Re: [strongSwan] ikev2 strongswan IKE_SA_INIT not have RFC 3947 Specification Vendor ID payload

2015-03-17 Thread Martin Willi
Hi, During our testing with IKEv2, we found that the 1st packet(IKE_SA_INIT) does not have any information on vendor ID payload which is a MUST criteria as per the RFC. As per the RFC 3947. “In the first two messages of Phase1, the vendor id payload for this specification MUST be sent

Re: [strongSwan] StrongSwan Mac OS X app questions

2015-03-16 Thread Martin Willi
Ken, Are there any issues with DNS StrongSwan Mac OS X app? The osx-attr plugin prepends the negotiated DNS servers to the currently configured ones. You may check with scutil if that works as expected. Not sure if keeping the current DNS servers installed is the best approach, maybe we

Re: [strongSwan] Queries on vulnerability fixes

2015-03-12 Thread Martin Willi
Hi, As per the description of vulnerabilities in above links, the vulnerability is only applicable and will lead to crash in pluto IKE daemon alone. Charon is not mentioned. You should apply these fixes even if using charon only, the libstrongswan code is used by charon. Not sure where this

Re: [strongSwan] Loss of tunnel service while reauthenticating IKE_SA?

2015-03-12 Thread Martin Willi
Hi Tom, Is there a reason that, when using two Strongswan endpoints, one would not choose reauth=no? Yes. Reauthentication re-evaluates authentication credentials, checks the certificate status or rechecks permissions in the AAA backend. IKE_SA rekeying, as used with reauth=no, only refreshes

Re: [strongSwan] High availability failover problem

2015-03-11 Thread Martin Willi
Hi, Is it essential for both nodes to receive all the ESP packets? Yes. Can't ESP sequence numbers be synchronized through the HA plugin? No, this is not how the HA plugin works. ESP sequence numbers move very fast, making a synchronization in userland difficult. You may try to synchronize

Re: [strongSwan] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

2015-03-10 Thread Martin Willi
On Sat, 2015-03-07 at 21:52, Tormod Macleod wrote: Hello, I'm getting the above error when rekeying. I think it might be related to issue #431? I've tried the workaround of setting reauth=no but this did not resolve the issue. I have only started running into this since we started

Re: [strongSwan] High availability failover problem

2015-03-10 Thread Martin Willi
Aleksey, when I test failover [...], traffic won't flow through standby node until rekey on child SA is done To me this sounds like an ESP sequence number issue. I assume you have patched your kernel to include our ClusterIP IPsec extensions, as discussed at [1]. You may find some newer patches

Re: [strongSwan] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

2015-03-10 Thread Martin Willi
Hi, Sorry for my previous mail, this time with some content: I have only started running into this since we started using more than one subnet in the left side of the connection. leftsubnet=10.176.0.0/13,10.130.0.0/16 rightsubnet=192.168.0.0/16 Iona-VPN-FW[1]: IKEv2

Re: [strongSwan] High availability failover problem

2015-03-10 Thread Martin Willi
Then you should check if ClusterIP works as expected, and both on the inbound and outbound paths the ESP packets hit both nodes. To clarify, on the outbound path this of course is plain traffic subject to ESP encapsulation. Regards Martin

Re: [strongSwan] Performance with lots of tunnels and (XFRM) policies

2015-03-10 Thread Martin Willi
Noel, I would like to know how the performance of strongswan/Linux is with about 1000 established tunnels and ~3000 (XFRM) policies. I think XFRM policy lookup in the kernel scales fine, handling ~3000 policies shouldn't be a problem at all. How much traffic can be forwarded? Is the

Re: [strongSwan] Windows 2008 R2 to Linux connection issues

2015-03-10 Thread Martin Willi
Hi, 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes) 17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0 Have you disabled the IKEEXT Windows IKE

Re: [strongSwan] Usage questions: DPD and auto=

2015-03-09 Thread Martin Willi
Hi Tom, 1.) Since IKEv2 does not use DPD, should one omit the dpdaction directives from ipsec.conf for a connection using IKEv2? While IKEv2 does not use DPD, it provides a very similar mechanism called liveness checks. The dpdaction and dpddelay keywords work for both IKEv1 and IKEv2 in

Re: [strongSwan] Charon reset

2015-03-09 Thread Martin Willi
Ken, The initiator received signal 6 (SIGABRT) after eight hours of operation. Actually, the offending signal is SIGSEGV (11). charon catches that, prints a backtrace, and then calls abort() to terminate itself. I have a ~182MB core file from the initiator. How can I get it to you? I don't

Re: [strongSwan] Charon reset

2015-03-09 Thread Martin Willi
I will try to more quickly produce the crash by setting ikelifetime. Is there a recommended (or minimum) value? You may set it to 30s or so, but make sure to adjust rekeymargin/rekeyfuzz accordingly. (gdb) p *cert $4 = {get_type = 0xd30fe0, get_subject = 0x7f5e631a9ed8 main_arena+88,

Re: [strongSwan] Charon reset

2015-03-06 Thread Martin Willi
Hi Ken, 09[DMN] thread 9 received 11 09[LIB] dumping 2 stack frame addresses: 09[LIB] /lib64/libpthread.so.0 @ 0x7fb8fd3ab000 [0x7fb8fd3ba710] 09[LIB] - sigaction.c:0 09[LIB] /lib64/libc.so.6 @ 0x7fb8fce13000 [0x7fb8fd1a2ed8] 09[LIB] - interp.c:0 09[DMN] killing ourself,

Re: [strongSwan] [strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c

2015-03-05 Thread Martin Willi
My understanding was ip address assignment to interface can happen later after child SA is negotiated with tunnel end point using the virtual ip stored in the Strongswan internal data structures. No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and policies to the kernel,

Re: [strongSwan] [strongSwan-dev] need for calling TASK_IKE_CONFIG before TASK_CHILD_CREATE in task_manager_v2.c

2015-03-05 Thread Martin Willi
Hi, What is the need for activate the TASK_IKE_CONFIG before TASK_CHILD_CREATE. While these tasks get executed during the same exchange(s) with an IKE_AUTH piggybacked CHILD_SA, the order is still important. If a virtual IP is negotiated, this must be done beforehand. The CHILD_SA IPsec

Re: [strongSwan] StrongSwan - Mac OS X IPsec tunnel stops forwarding traffic

2015-03-05 Thread Martin Willi
Hi, StrongSwan V5.2.0 is configured to be an IPsec VPN gateway on a Linux machine. A Mac laptop connects to it using the native Mac OS X v10.10.2 Cisco IPsec VPN client. The connection is established and works well for roughly 6,516 seconds (1 hour, 48 minutes, 36 seconds; or ~108 minutes)

Re: [strongSwan] Some IKEv2 questions

2015-03-04 Thread Martin Willi
Of note is Section 3.12.1: Dead Peer Detection is implemented only for server-to-server site-to-site-tunnel mode IPsec tunnels on Windows Server 2012 and Windows Server 2012 R2. Dead Peer Detection is not implemented on Windows 8 or Windows 8.1 for IKEv2-based VPN (that is, VPN

Re: [strongSwan] Some IKEv2 questions

2015-03-04 Thread Martin Willi
Hi, Can I support different types of authentication method simultaneously for IKEv2? i.e. can I support both PEAP-MSCHAPv2 and EAP-TLS at the same time ? As initiator/client, you can configure leftauth=eap without a method to authenticate with whatever the responder offers. On the

Re: [strongSwan] Some IKEv2 questions

2015-03-04 Thread Martin Willi
Kindly asking to keep the discussion on the list, thanks. IKEv2 supports certificate authentication without EAP, which is much simpler and faster. Would I be able to do this with the StrongSwan applet for Mac OS X ? No, the strongSwan OS X App currently supports EAP-MSCHAPv2 only using

Re: [strongSwan] Nested IPsec Tunnels

2015-03-03 Thread Martin Willi
Hi Ryan, I have an application scenario where I need to test Nested IPsec Tunnels. I googled and came up with some old threads talking about how this isn't supported with strongSwan unless I use two boxes, or a VM to route the traffic through again. Is this still the case? Yes, this is

Re: [strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

2015-03-02 Thread Martin Willi
Hi, In that particular configuration (no monitoring/heartbeat) stopping charon on the active node should clear the connections on the remote gateway (OK) and on the other node (not OK), right? The active node will delete the IKE_SA, and send a close event to the passive node. If you are not

Re: [strongSwan] Working simple setup was working, now no packets pass

2015-03-02 Thread Martin Willi
Hi James, Here's the log with error... 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ] 08[NET] sending packet: from server.external.ip[4500] to client.external.ip[15546] (2204 bytes) 11[NET] received packet: from

Re: [strongSwan] xAuth request for VICI

2015-03-02 Thread Martin Willi
Hi Sam, 1) Is there alternative for 'leftfirewall=yes' in the VICI interface to automatically setup iptables rules? There is no option for the default updown script, but you may manually specify ipsec _updown in the CHILD_SA updown configuration option. 2) What is the syntax for loading a

Re: [strongSwan] deleting half open IKE_SA after timeout

2015-02-27 Thread Martin Willi
Hi Denis 07[ENC] generating ID_PROT response 0 [ ID CERT SIG ] 07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592] (1660 bytes) 07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ] 07[NET] sending packet: from 179.179.179.179[4500] to

Re: [strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

2015-02-27 Thread Martin Willi
When charon is stopped on one of the nodes, DELETE are sent to the remote hosts: Actually, it should not if it has an active heartbeat connection with the other node. If a node knows that another node is active, it should deactivate all responsible segments locally before shutting down, and

Re: [strongSwan] xAuth request for VICI

2015-02-27 Thread Martin Willi
Hi, Your fix to use the ordered dictionary worked perfectly. Thank you very much. It is now accepting vpn connections. Great. I'll check how we can mention that issue in the documentation. Regarding the `vips` configuration, I thought that it was the replacement for the `rightsourceip`

Re: [strongSwan] multiple addresses for the left|right option

2015-02-27 Thread Martin Willi
Hi, I am wondering how the specification of multiple addresses in the left|right option works. right=134.111.75.171,134.111.75.172 The right option can take multiple addresses, but only to match the connection when responding to initiators. For example, how many kernel policies I should

Re: [strongSwan] stateless high availability

2015-02-27 Thread Martin Willi
Hi, Is there a way to configure a device to connect to a gateway [ eg 10.1.1.254]. If that gateway fails [ detected via DPD],it would connect to 10.1.1.253 [ his backup gateway]? No, specifying fallback addresses is currently not implemented in strongSwan. I've tried with

Re: [strongSwan] sonicwall with main mode

2015-02-27 Thread Martin Willi
Hi, rightid=001122334455667788 *IDir '62.43.189.77' does not match to '001122334455667788*' Your Sonicwall uses '62.43.189.77' as its identity. Your strongSwan configuration strictly requires '0011223344556677880' as defined by rightid. Either change your Sonicwall or your strongSwan

Re: [strongSwan] strongswan retransmit request problem

2015-02-27 Thread Martin Willi
Hi, I'm trying to setup strongswan 5.2 but am experiencing problems where the leftside can't seem to connect to the right side and keeps retransmitting the request till it times out. Most likely this is a connectivity or firewalling issue. You should check where that IKE_SA_INIT message gets

Re: [strongSwan] xAuth request for VICI

2015-02-26 Thread Martin Willi
Sam, test: remote: uses XAuth authentication: any test: remote: [C=US, O=xx, CN=test] uses public key authentication The order of remote authentication rounds is wrong; XAuth follows public key, not vice-versa. As your config tree looks correct, most likely the order of authentication

Re: [strongSwan] xAuth request for VICI

2015-02-26 Thread Martin Willi
Are you using the Python library? I think Ruby gets this right, as it is guaranteed that Hashes enumerate their values in the order that the corresponding keys were inserted. Probably not true for Python. Maybe using collections.OrderedDict to define your tree helps. Regards Martin
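To make the ordering point concrete, here is an added example (not code from this thread and not strongSwan's own python-vici package): a minimal encoder and decoder for the VICI message body format as described in the vici README (element types SECTION_START=1 through LIST_END=6, one-byte name lengths, two-byte big-endian value lengths), used to show that the iteration order of the Python mapping is exactly the order in which charon sees the remote authentication rounds. The connection name "test", the round names "remote" and "remote-xauth", and the certificate file name are constructed for illustration. Packet framing (length prefix and packet type) is left out on purpose; only the message body is encoded.

```python
"""Round-trip a VICI load-conn tree through the wire format and report the order
of the remote* authentication rounds. Added example; not strongSwan's own code."""
from collections import OrderedDict

# Element types of the VICI message format (strongSwan vici README).
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)


def _name(s):
    """Names are prefixed with a single length byte."""
    b = s.encode()
    if len(b) > 0xFF:
        raise ValueError("name too long for VICI")
    return bytes([len(b)]) + b


def _value(s):
    """Values are prefixed with a two-byte big-endian length."""
    b = s.encode() if isinstance(s, str) else bytes(s)
    if len(b) > 0xFFFF:
        raise ValueError("value too long for VICI")
    return len(b).to_bytes(2, "big") + b


def encode(tree):
    """Serialize nested mappings/lists in *iteration order*; that order is the
    wire order, so it is also the order charon processes sections in."""
    out = bytearray()
    for key, val in tree.items():
        if isinstance(val, dict):            # OrderedDict is a dict subclass
            out.append(SECTION_START)
            out += _name(key)
            out += encode(val)
            out.append(SECTION_END)
        elif isinstance(val, (list, tuple)):
            out.append(LIST_START)
            out += _name(key)
            for item in val:
                out.append(LIST_ITEM)
                out += _value(item)
            out.append(LIST_END)
        else:
            out.append(KEY_VALUE)
            out += _name(key)
            out += _value(val)
    return bytes(out)


def decode(data):
    """Parse an encoded body back into OrderedDicts/lists, preserving order."""
    root = OrderedDict()
    stack = [root]
    i = 0
    while i < len(data):
        t = data[i]
        i += 1
        if t in (SECTION_START, KEY_VALUE, LIST_START):
            n = data[i]
            name = data[i + 1:i + 1 + n].decode()
            i += 1 + n
        if t == SECTION_START:
            sec = OrderedDict()
            stack[-1][name] = sec
            stack.append(sec)
        elif t == LIST_START:
            lst = []
            stack[-1][name] = lst
            stack.append(lst)
        elif t in (KEY_VALUE, LIST_ITEM):
            vl = int.from_bytes(data[i:i + 2], "big")
            val = data[i + 2:i + 2 + vl].decode()
            i += 2 + vl
            if t == KEY_VALUE:
                stack[-1][name] = val
            else:
                stack[-1].append(val)
        elif t in (SECTION_END, LIST_END):
            stack.pop()
        else:
            raise ValueError("unknown VICI element type %d" % t)
    return root


def remote_auth_order(tree):
    """Encode, decode, and return the auth method of each remote* round in wire order."""
    conn = decode(encode(tree))["test"]
    return [sec["auth"] for name, sec in conn.items()
            if name.startswith("remote") and isinstance(sec, dict)]


def xauth_after_pubkey():
    """Constructed connection tree: certificate round first, then XAuth (IKEv1)."""
    conn = OrderedDict([
        ("version", "1"),
        ("proposals", ["aes256-sha256-modp2048"]),
        ("local", OrderedDict([("auth", "pubkey"), ("certs", ["serverCert.pem"])])),
        ("remote", OrderedDict([("auth", "pubkey"), ("id", "C=US, O=xx, CN=test")])),
        ("remote-xauth", OrderedDict([("auth", "xauth")])),
        ("children", OrderedDict([("net", OrderedDict([("local_ts", ["10.1.0.0/16"])]))])),
    ])
    return OrderedDict([("test", conn)])


if __name__ == "__main__":
    print(remote_auth_order(xauth_after_pubkey()))  # ['pubkey', 'xauth']
```

Since Python 3.7 plain dicts also preserve insertion order, so OrderedDict is no longer strictly needed for this; the point that survives is that the wire format has no ordering of its own beyond element sequence, so whatever order the mapping iterates in is the order of authentication rounds charon will apply.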

Re: [strongSwan] Regarding strongswan UCI support

2015-02-25 Thread Martin Willi
Hi, I am not observing an init script to configure ipsec.conf and ipsec.secrets from /etc/config/strongswan configuration file. Is this available in any patch or in any other release? where can I find the init script for it? We don't provide any init scripts from upstream (beside some systemd

Re: [strongSwan] xAuth request for VICI

2015-02-25 Thread Martin Willi
Hi, I have attempted to create the same configuration using a call to the VICI with this dictionary: Have you tried to configure that in swanctl.conf to avoid any problems with your dictionary? Here such an XAuth configuration works fine when defined in swanctl.conf. This keeps returning

Re: [strongSwan] Query on client authentication using EAP-TLS

2015-02-23 Thread Martin Willi
Hi Akash, no TLS peer certificate found for '223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication EAP_TLS method failed As the TLS stack does not find a usable certificate with a private key for your ID, it skips client authentication. Your server most likely

Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-23 Thread Martin Willi
Hi, My new setup uses MD5 passwords in Radius, while my old config used NT-hash. It seems now with radius-eap I have problems authenticating against the MD5 passwords. It is using eap-mschapv2 and it seems it is not a supported combination - This can't work, a server verifying clients with

Re: [strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode

2015-02-20 Thread Martin Willi
Hi Daniel, [...] think of a typical Site-to-Site scenario where Subnets are protected by their respective gateways. However, the expert told me that it is possible to use Transport Mode instead of Tunnel Mode for this scenario as well. As the endpoints that communicate from within the

Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread Martin Willi
Hi Milen, 07[IKE] initiating EAP_IDENTITY method (id 0x00) 07[IKE] peer supports MOBIKE 07[IKE] authentication of '[...]' (myself) with RSA signature successful 07[IKE] sending end entity cert [...] 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ] 07[NET] sending packet:

Re: [strongSwan] How to send IDi and DN separately?

2015-02-16 Thread Martin Willi
Hi, How to send IDi and DN separately such that DN doesn't overwrite IDi? strongSwan requires that the IDi matches one of the identities in the certificate, and enforces that if it does not. To use a different ID, you should include that ID as subjectAltName in your certificate. If you really

Re: [strongSwan] Building without Kernel support

2015-02-16 Thread Martin Willi
Hi Ryan, I’m trying to build strongSwan without Kernel dependencies. I’d like to use something like the lib-ipsec module (but modified), to receive the child SA’s for use on a crypto processor. strongSwan has different kernel backends. If you don't want to use one of ours, you might provide

Re: [strongSwan] ikev2 eap-radius ttls pap

2015-02-09 Thread Martin Willi
Hi Thomas, is it possible to uses strongswan with eap-ttls and pap? EAP-TTLS in strongSwan currently supports tunneling other EAP methods only. PAP is not an EAP method, but a different protocol for password authentication. Plain (non-EAP) PAP, CHAP or MSCHAP is not supported in our EAP-TTLS

Re: [strongSwan] IKEv2 redirect support?

2015-01-28 Thread Martin Willi
Hi Ryan, Does strongSwan currently support RFC-5685, IKEv2 redirect? No, RFC 5685 is currently not supported by strongSwan. At this time we have no plans to implement this extension. Regards Martin ___ Users mailing list Users@lists.strongswan.org

Re: [strongSwan] INITIAL_CONTACT notification in responder mode

2015-01-28 Thread Martin Willi
Hi Pavan, My question is whether INITIAL_CONTACT notification can be sent in IKE_AUTH response? If yes, in which condition this notification will be sent by responder? Theoretically yes, but strongSwan never sends INITIAL_CONTACT as responder, only as initiator. While sending the notify as

Re: [strongSwan] Load tester for xauth

2015-01-27 Thread Martin Willi
Hi, Anyone who knows how to configure load-tester to support xauth, please help me. Really appreciated. Please refer to my answer and the patch for ticket #835 [1]. Regards Martin [1]https://wiki.strongswan.org/issues/835#change-2837