Re: [strongSwan] Local network (routing)

2022-10-10 Thread Michael Schwartzkopff

On 10.10.22 15:44, Rene Maurer wrote:

Hi

I am using strongSwan U5.4.0/K4.4.107 (embedded device).

The ipsec tunnel is established over a mobile network and it works fine.

Additionally I have an Ethernet interface eth0 with the address 
10.162.110.161. eth0 is connected to 10.162.110.165.


I am looking for a way to access the devices connected to eth0 also 
locally and not only through the tunnel (connections 10.162.110.161 
<=> 10.162.110.165 should work).


Is that even possible? If so how?



You should be able to access the net 10.162.110.160/29 directly. Please 
check, e.g. with tcpdump.




I have:
-
# ipsec status
Security Associations (1 up, 0 connecting):
         one[1]: ESTABLISHED 9 seconds ago, 10.162.225.65[]...91.230.141.233[]
         one{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb51bd6c_i b9503f34_o
         one{1}:   10.162.110.160/29 === 10.0.0.0/
-
# route -n
Destination     Gateway         Genmask          Flags Metric Ref  Use Iface
0.0.0.0         0.0.0.0         0.0.0.0          U     0      0      0 ppp0
10.162.110.160  0.0.0.0         255.255.255.248  U     100    0      0 eth0
-
ip route show table 220
10.0.0.0/8 via xxx.xxx.xxx.xxx dev ppp0 proto static src 10.162.110.161
--
# ipsec.conf:
conn one
    # we are left
    left=10.162.225.65
    leftid=*
    leftsubnet=10.162.110.160/29
    leftcert=.crt
    leftsendcert=always

    # XXX is right
    right=xxx.xxx.xxx.xxx.
    rightid=
    rightsubnet=10.0.0.0/8
    auto=start
--

Regards
René



With kind regards,

--

sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64

Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263

Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
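Whether a packet between the two eth0 addresses is handled by plain routing or by the IPsec policy is decided by the conn's traffic selectors, not by the routing table, which is why tcpdump on eth0 versus ppp0 is the decisive check. The following is an added example (my code, not from the thread or from strongSwan) that parses the posted conn and classifies flows against its selectors. Note that 10.162.110.160/29 lies inside 10.0.0.0/8, so the posted selectors cover the local flow 10.162.110.161 to 10.162.110.165 as well; the second constructed config adds the usual strongSwan remedy for a directly connected subnet, a `type=passthrough` conn, which the classifier reports as `bypass`. The peer address, certificate name and rightid are constructed placeholders for the values elided in the post.

```python
import ipaddress
import re

# Constructed sample based on the ipsec.conf posted in the thread; the
# elided certificate name, peer address and rightid are placeholders.
POSTED_CONF = """\
conn one
    # we are left
    left=10.162.225.65
    leftid=*
    leftsubnet=10.162.110.160/29
    leftcert=PLACEHOLDER.crt
    leftsendcert=always

    # XXX is right
    right=192.0.2.1
    rightid=PLACEHOLDER
    rightsubnet=10.0.0.0/8
    auto=start
"""

# Same config plus a passthrough conn for the directly connected /29.
# This is the standard strongSwan type=passthrough mechanism; it is an
# assumption added here, not part of the posted configuration.
CONF_WITH_BYPASS = POSTED_CONF + """
conn lan-bypass
    leftsubnet=10.162.110.160/29
    rightsubnet=10.162.110.160/29
    type=passthrough
    auto=route
"""


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn name: {key: value}} (hypothetical helper)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def _nets(value):
    return [ipaddress.ip_network(s.strip()) for s in value.split(",")]


def selector_matches(conn, src, dst):
    """True if the flow falls inside leftsubnet<->rightsubnet in either direction."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left, right = _nets(conn["leftsubnet"]), _nets(conn["rightsubnet"])
    out = any(src_ip in n for n in left) and any(dst_ip in n for n in right)
    back = any(dst_ip in n for n in left) and any(src_ip in n for n in right)
    return out or back


def classify_flow(conns, src, dst):
    """'bypass' if a passthrough conn covers the flow (it takes precedence),
    'tunnel' if a tunnel conn covers it, otherwise 'direct' (routing only)."""
    matching = [c for c in conns.values() if selector_matches(c, src, dst)]
    if any(c.get("type") == "passthrough" for c in matching):
        return "bypass"
    if matching:
        return "tunnel"
    return "direct"


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("with bypass", CONF_WITH_BYPASS)):
        conns = parse_conns(text)
        print(label, "10.162.110.161 -> 10.162.110.165:",
              classify_flow(conns, "10.162.110.161", "10.162.110.165"))
```

The classifier models the policy lookup only; on the device itself, `ip xfrm policy` shows the installed selectors and an ESP packet on ppp0 for a local destination is the confirmation that the flow is being tunnelled.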



Re: [strongSwan] Error Message: "unsupported mode"?

2022-10-01 Thread Michael Schwartzkopff

On 01.10.22 16:43, Carlos Velasco wrote:

Hi Michael,

I think remote end wants Transport mode "N(USE_TRANSP)", and local 
says it is not supported.
I suppose you are using Linux in local with "kernel-netlink" module 
for strongswan (default), so I would check if module transport is 
enabled in your kernel.
Refer to this doc: 
https://docs.strongswan.org/docs/5.9/install/kernelModules.html


"IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]" usually 
can be checked with the command in the doc:

grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`

Also, if it is compiled as a module (m), try to load it manually, I 
think the module name is "xfrm4_mode_transport".


If it is not Linux, you must check your local OS (or strongswan 
module, if not using kernel-netlink) to properly support Transport mode.


Regards,
Carlos Velasco


Thanks. Will check.




Michael Schwartzkopff wrote on 01/10/2022 at 15:48:

Hi,


I googled but I did not find a reasonable answer. We try to set up some
specific strongswan-strongswan connection in transport mode. The log 
says:



NET received packet: from x.x.x.x[4500] to y.y.y.y[4500] (240 bytes)}
ENC parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr ]}
CFG selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
IKE unable to install inbound and outbound IPsec SA (SAD) in kernel}
IKE failed to establish CHILD_SA, keeping IKE_SA}
ENC generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]}

What exactly does "IPsec SA: unsupported mode" mean? unsupported mode
"transport"?

Or unsupported cipher algorithms? Or anything else went wrong?


With kind regards,




With kind regards,

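The check Carlos describes, reading the kernel config for CONFIG_INET_XFRM_MODE_TRANSPORT and, when it is built as a module, confirming that xfrm4_mode_transport is actually loaded, as an added example in Python (my code, not from the thread or from the strongSwan docs). The kernel config and /proc/modules excerpts are constructed; on a live system read /boot/config-$(uname -r) and /proc/modules instead. It also handles a case the thread does not mention: newer kernels no longer expose these options because the XFRM modes are built in, so an absent option is reported as unknown rather than as missing.

```python
import re

# Constructed excerpt of a /boot/config-<version> file (not from a real kernel).
SAMPLE_KCONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=y
# CONFIG_INET_XFRM_MODE_BEET is not set
CONFIG_INET_ESP=m
"""

# Constructed excerpt of /proc/modules: name size refcount deps state address.
SAMPLE_PROC_MODULES = """\
esp4 20480 0 - Live 0x0000000000000000
xfrm4_mode_tunnel 16384 1 - Live 0x0000000000000000
"""

TRANSPORT_OPTION = "CONFIG_INET_XFRM_MODE_TRANSPORT"
TRANSPORT_MODULE = "xfrm4_mode_transport"   # module name as given in the thread


def kconfig_state(config_text, option):
    """'y' (built in), 'm' (module), 'n' (explicitly not set) or
    'absent' (the option does not exist in this kernel's config at all)."""
    for line in config_text.splitlines():
        line = line.strip()
        m = re.fullmatch(rf"{re.escape(option)}=(\w+)", line)
        if m:
            return m.group(1)
        if line == f"# {option} is not set":
            return "n"
    return "absent"


def module_loaded(proc_modules_text, name):
    """True if a module of that name appears in /proc/modules content."""
    return any(l.split()[0] == name
               for l in proc_modules_text.splitlines() if l.strip())


def transport_mode_check(config_text, proc_modules_text):
    """Map the option state to ('ok' | 'missing' | 'unknown', explanation)."""
    state = kconfig_state(config_text, TRANSPORT_OPTION)
    if state == "y":
        return "ok", "transport mode is built into the kernel"
    if state == "m":
        if module_loaded(proc_modules_text, TRANSPORT_MODULE):
            return "ok", f"{TRANSPORT_MODULE} is loaded"
        return "missing", f"built as a module but {TRANSPORT_MODULE} is not loaded"
    if state == "n":
        return "missing", f"{TRANSPORT_OPTION} is disabled in this kernel"
    # Newer kernels build all XFRM modes in and no longer expose these
    # options, so an absent option is not evidence of a problem.
    return "unknown", f"{TRANSPORT_OPTION} is not present in this config"


if __name__ == "__main__":
    # On a live system replace the constructed samples with the real files:
    #   open(f"/boot/config-{os.uname().release}").read(), open("/proc/modules").read()
    print(transport_mode_check(SAMPLE_KCONFIG, SAMPLE_PROC_MODULES))
```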



[strongSwan] Error Message: "unsupported mode"?

2022-10-01 Thread Michael Schwartzkopff

Hi,


I googled but I did not find a reasonable answer. We try to set up some 
specific strongswan-strongswan connection in transport mode. The log says:



NET received packet: from x.x.x.x[4500] to y.y.y.y[4500] (240 bytes)}
ENC parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr ]}
CFG selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
IKE unable to install inbound and outbound IPsec SA (SAD) in kernel}
IKE failed to establish CHILD_SA, keeping IKE_SA}
ENC generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]}

What exactly does "IPsec SA: unsupported mode" mean? unsupported mode 
"transport"?


Or unsupported cipher algorithms? Or anything else went wrong?


With kind regards,




Re: [strongSwan] conditional expressions in swanctl.conf?

2022-09-21 Thread Michael Schwartzkopff

On 21.09.22 13:38, Harald Dunkel wrote:

Hi folks,

is there some way to express

if peercert->OU == develop
    pool = pool1
else
    pool = pool2

in swanctl.conf? Some conditional expressions?

Hopefully I was not too blind to find it in the Wiki.


Regards
Harri



Hi,


I think this kind of conditional config is not possible within 
strongswan. I solved that problem with a RADIUS backend that passed 
group membership back to the VPN server in the CLASS attribute. 
strongswan can use this class attribute as rightgroup in the config.


For details see: https://blog.sys4.de/strongswan-vpn-based-on-groups-en.html




With kind regards,




Re: [strongSwan] IKE SA, but no child SA

2022-07-07 Thread Michael Schwartzkopff
Thanks. Do you have a quick hint for me to fix the config?

07.07.2022 15:19:54 noel.kuntze+strongswan-users-ml@thermi.consulting:

> Hi,
> 
> Then of course because they're each behind NAT the one TS being dynamic, they 
> will propose different, non intersecting ones for that one.
> 
> Kind regards
> Noel
> 
> On 7 July 2022 13:15:40 UTC, Michael Schwartzkopff wrote:
>> On 07.07.22 15:07, noel.kuntze+strongswan-users-ml@thermi.consulting wrote:
>>> Hi Manfred,
>>> 
>>> If the peer is strongSwan: Initiate with --child x, not --ike x
>>> 
>>> Otherwise: client problem, it sends no TSi or TSr.
>>> 
>>> Kind regards
>>> 
>>> Noel
>> 
>> Perhaps interesting to add: Both, carol and moon are behind NAT. moon is on 
>> AWS.
>> 
>>> On 7 July 2022 12:49:06 UTC, Michael Schwartzkopff 
>>> wrote:
>>>> Hi,
>>>> 
>>>> I set up a RW connection according to
>>>> https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case
>>>> and
>>>> https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
>>>> 
>>>> swanctl -L shows:
>>>> root@moon:~# swanctl -L
>>>> rw: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>   local:  %any
>>>>   remote: %any
>>>>   local public key authentication:
>>>> id: moon.example.org
>>>> certs: C=TEST, O=TEST, CN=moon.example.org
>>>>   remote public key authentication:
>>>>   rw: TUNNEL, rekeying every 3600s
>>>> local:  172.31.11.0/24
>>>> remote: dynamic
>>>> 
>>>> root@misch:~# swanctl -L
>>>> home: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>   local:  %any
>>>>   remote: xx.xx

[strongSwan] strongswan performance figures?

2022-02-20 Thread Michael Schwartzkopff

Hi,


does anyone know what reasonable performance figures with recent 
hardware are?



Is encryption offload to the network card an option? Does anyone have 
experience with this?



With kind regards,




[strongSwan] Performance figures for strongswan?

2022-02-17 Thread Michael Schwartzkopff

Hi,

some time ago I did performance measurements for IPsec throughput and 
also read some doc about the CPU limits for encrypted throughput.


But this was some time ago.

Does anyone know recent performance figures for strongswan on standard 
servers?


What about a throughput that exceeds 1 Gbit/s? 
Is that possible?

Is hardware offload in network cards possible? I read some doc from Oracle.

Thanks for any hints.

With kind regards,





[strongSwan] strongswan with kerberos?

2022-02-14 Thread Michael Schwartzkopff

Hi,


is it possible to set up a strongswan server with a FreeIPA backend as 
provider for identity, authentication and authorization?



FreeIPA uses LDAP / kerberos and a quick search did not show any 
reasonable results.


Or is the certmonger in FreeIPA the way to go with user-based certificates?


With kind regards,




Re: [strongSwan] Routing between two remote sites

2022-01-25 Thread Michael Schwartzkopff

On 25.01.22 16:07, VTwin Farriers wrote:

Thank you all for your responses.

I have the same local_ts/remote_ts values on my East and Central swanctl.conf files. I 
would think this should work but for some reason I get the TS_UNACCEPTABLE error. 
Removing "10.128.0.0/24" from the swanctl.conf files on east and central will 
then work.


swanctl.conf (East)

connections {
eastcentral {
version=2
local_addrs=a.b.c.d
proposals=aes256-sha1-modp1024, default
local-0 {
auth = psk
}
remote-0 {
auth = psk
}
remote_addrs=w.x.y.z
children {
eastcentral {
esp_proposals=aes256-sha1, default
dpd_action=restart
remote_ts=10.64.0.0/16,10.128.0.0/64
local_ts=10.0.0.0/16
}
}
}
}


swanctl.conf (Central):

connections {
centraleast {
version=2
local_addrs=w.x.y.z
proposals=aes256-sha1-modp1024, default
local-0 {
auth = psk
}
remote-0 {
auth = psk
}
remote_addrs=a.b.c.d
children {
centraleast {
esp_proposals=aes256-sha1, default
dpd_action=restart
remote_ts=10.0.0.0/16
local_ts=10.64.0.0/16,10.128.0.0/16
}
}
}
}



[root@EastRouter swanctl]# strongswan up eastcentral
initiating IKE_SA eastcentral[1] to w.x.y.z
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from a.b.c.d[500] to w.x.y.z[500] (1204 bytes)
received packet: from w.x.y.z[500] to a.b.c.d[500] (344 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) 
N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of 'a.b.c.d' (myself) with pre-shared key
establishing CHILD_SA eastcentral{1}
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from a.b.c.d[4500] to w.x.y.z[4500] (668 bytes)
received packet: from w.x.y.z[4500] to a.b.c.d[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of 'w.x.y.z' with pre-shared key successful
IKE_SA eastcentral[1] established between a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
scheduling rekeying in 13393s
maximum IKE_SA lifetime 14833s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
establishing connection 'eastcentral' failed



In the config on the east router you have:
remote_ts=10.64.0.0/16,10.128.0.0/64


On the central gateway you have:

local_ts=10.64.0.0/16,10.128.0.0/16



The subnets for 10.128.0.0 do not fit. Especially since /64 does not 
make sense in a legacy IP network.



With kind regards,




Re: [strongSwan] Routing between two remote sites

2022-01-24 Thread Michael Schwartzkopff

On 25.01.22 03:13, VTwin Farriers wrote:

If I try to add 10.128.0.0/16 to the configuration for East <=> Central, I get:

received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

when I attempt to bring up the connection.

This seems to be related to the fact there is no interface or route on Central which 
is on the 10.128.0.0 subnet, 10.128.0.0/16 traffic is passed to West via the 
West<=>Central ipsec link.

swanctl.conf:

connections {
EastCentral {
version=2
local_addrs=a.b.c.d
proposals=aes256-sha1-modp1024, default
local-0 {
auth = psk
}
remote-0 {
auth = psk
}
remote_addrs=w.x.y.z
children {
EastCentral {
esp_proposals=aes256-sha1, default
dpd_action=restart
local_ts=10.0.0.0/16
remote_ts=10.64.0.0/16,10.128.0.0/16

}
}
}
}
secrets {
ike-w.x.y.za.b.c.d {
secret = "SantizedForYourProtection"
id-1=w.x.y.z
id-0=a.b.c.d
}
}



do you have the 10.128.0.0/16 configured on the central gateway as a 
local_ts for the connection to east?



With kind regards,

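Both "Routing between two remote sites" messages above come down to the same check: the child's remote_ts on one gateway has to be the other gateway's local_ts, and every entry has to be a valid prefix (10.128.0.0/64 is not one for IPv4). The following added example (my code, not from the thread or from strongSwan) parses the two swanctl.conf excerpts the poster quoted, flags invalid selectors, and compares the selector pairs: selectors that merely overlap are narrowed during IKEv2 negotiation, while selectors with no intersection at all produce the TS_UNACCEPTABLE the poster saw. The a.b.c.d and w.x.y.z addresses are the poster's own placeholders; the parser is a hypothetical helper sized for these excerpts.

```python
import ipaddress

# Constructed copies of the two swanctl.conf excerpts posted in the thread;
# a.b.c.d and w.x.y.z are the poster's own placeholders for gateway addresses.
EAST_CONF = """\
connections {
    eastcentral {
        version=2
        local_addrs=a.b.c.d
        proposals=aes256-sha1-modp1024, default
        local-0 {
            auth = psk
        }
        remote-0 {
            auth = psk
        }
        remote_addrs=w.x.y.z
        children {
            eastcentral {
                esp_proposals=aes256-sha1, default
                dpd_action=restart
                remote_ts=10.64.0.0/16,10.128.0.0/64
                local_ts=10.0.0.0/16
            }
        }
    }
}
"""

CENTRAL_CONF = """\
connections {
    centraleast {
        version=2
        local_addrs=w.x.y.z
        proposals=aes256-sha1-modp1024, default
        local-0 {
            auth = psk
        }
        remote-0 {
            auth = psk
        }
        remote_addrs=a.b.c.d
        children {
            centraleast {
                esp_proposals=aes256-sha1, default
                dpd_action=restart
                remote_ts=10.0.0.0/16
                local_ts=10.64.0.0/16,10.128.0.0/16
            }
        }
    }
}
"""


def parse_swanctl(text):
    """Minimal reader for swanctl.conf 'key = value' / 'section { }' syntax
    (hypothetical helper, sufficient for the excerpts above)."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            current[line[:-1].strip()] = section
            stack.append(current)
            current = section
        elif line == "}":
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return root


def parse_ts(value):
    """Split a local_ts/remote_ts list into (valid networks, invalid entries)."""
    good, bad = [], []
    for item in value.split(","):
        item = item.strip()
        try:
            good.append(ipaddress.ip_network(item, strict=False))
        except ValueError:          # e.g. an IPv4 prefix length above 32
            bad.append(item)
    return good, bad


def child(conf_text, conn, name):
    return parse_swanctl(conf_text)["connections"][conn]["children"][name]


def check_pair(a_conf, a_conn, a_child, b_conf, b_conn, b_child):
    """Problems that would stop the CHILD_SA between side A and side B."""
    a, b = child(a_conf, a_conn, a_child), child(b_conf, b_conn, b_child)
    problems = []
    for side, ts in (("A", a), ("B", b)):
        for key in ("local_ts", "remote_ts"):
            for item in parse_ts(ts[key])[1]:
                problems.append(f"{side} {key}: invalid traffic selector {item!r}")
    # A's remote_ts must be B's local_ts and vice versa.  Overlapping but
    # unequal selectors are narrowed by the responder; no overlap at all
    # yields TS_UNACCEPTABLE.
    pairs = (("A remote_ts vs B local_ts", a["remote_ts"], b["local_ts"]),
             ("A local_ts vs B remote_ts", a["local_ts"], b["remote_ts"]))
    for label, mine, theirs in pairs:
        m, t = parse_ts(mine)[0], parse_ts(theirs)[0]
        if not any(x.overlaps(y) for x in m for y in t):
            problems.append(f"{label}: no overlap, expect TS_UNACCEPTABLE")
        elif set(m) != set(t):
            problems.append(f"{label}: not identical ({mine!r} vs {theirs!r}), will be narrowed")
    return problems


if __name__ == "__main__":
    for p in check_pair(EAST_CONF, "eastcentral", "eastcentral",
                        CENTRAL_CONF, "centraleast", "centraleast"):
        print(p)
```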



Re: [strongSwan] IKEv2 + MFA with RADIUS

2021-07-03 Thread Michael Schwartzkopff
On 29.06.21 16:11, Mike Hill wrote:
> Hi,
>
> We use JumpCloud as our directory (as-a-service), which also gives us a 
> RADIUS server to authenticate against. We have this working fine (without the 
> MFA) for user authentication against JumpCloud’s RADIUS using the built-in 
> macOS VPN client (IKEv2), but having trouble when enabling MFA on JumpCloud’s 
> side.
>
> Their documentation states that MSCHAPv2 is not supported for MFA-enabled VPN 
> connections, and they recommend EAP-TTLS/PAP. When connecting, it should be a 
> case of entering username and password with TOTP separated by a comma e.g. 
> MyB@dPa33word,1203456.
>
> When attempting to connect, /var/log/syslog shows:
>
> Jun 25 17:23:29 talon-swan charon: 07[ENC] parsed IKE_AUTH request 2 [ 
> EAP/RES/ID ]
> Jun 25 17:23:29 vpn-swan charon: 07[IKE] received EAP identity 'test.user'
> Jun 25 17:23:29 vpn-swan charon: 07[CFG] RADIUS server 
> 'eu1.radius.jumpcloud.com' is candidate: 210
> Jun 25 17:23:29 talon-swan charon: 07[CFG] sending RADIUS Access-Request to 
> server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 07[CFG] received RADIUS Access-Challenge 
> from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 07[IKE] initiating EAP_MD5 method (id 0x01)
> Jun 25 17:23:29 vpn-swan charon: 07[ENC] generating IKE_AUTH response 2 [ 
> EAP/REQ/MD5 ]
> Jun 25 17:23:29 vpn-swan charon: 07[NET] sending packet: from 
> 10.118.128.63[4500] to 86.2.169.107[4500] (83 bytes)
> Jun 25 17:23:29 vpn-swan charon: 08[NET] received packet: from 
> 86.2.169.107[4500] to 10.118.128.63[4500] (72 bytes)
> Jun 25 17:23:29 vpn-swan charon: 08[ENC] parsed IKE_AUTH request 3 [ 
> EAP/RES/NAK ]
> Jun 25 17:23:29 vpn-swan charon: 08[CFG] sending RADIUS Access-Request to 
> server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 08[CFG] received RADIUS Access-Challenge 
> from server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:29 vpn-swan charon: 08[ENC] generating IKE_AUTH response 3 [ 
> EAP/REQ/MSCHAPV2 ]
> Jun 25 17:23:29 vpn-swan charon: 08[NET] sending packet: from 
> 10.118.128.63[4500] to 86.2.169.107[4500] (104 bytes)
> Jun 25 17:23:29 vpn-swan charon: 10[NET] received packet: from 
> 86.2.169.107[4500] to 10.118.128.63[4500] (136 bytes)
> Jun 25 17:23:29 vpn-swan charon: 10[ENC] parsed IKE_AUTH request 4 [ 
> EAP/RES/MSCHAPV2 ]
> Jun 25 17:23:29 vpn-swan charon: 10[CFG] sending RADIUS Access-Request to 
> server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:30 vpn-swan charon: 09[MGR] ignoring request with ID 4, already 
> processing
> Jun 25 17:23:30 vpn-swan charon: 10[CFG] received RADIUS Access-Reject from 
> server 'eu1.radius.jumpcloud.com'
> Jun 25 17:23:30 vpn-swan charon: 10[IKE] RADIUS authentication of 'test.user' 
> failed
> Jun 25 17:23:30 vpn-swan charon: 10[IKE] EAP method EAP_MSCHAPV2 failed for 
> peer 192.168.1.235
> Jun 25 17:23:30 vpn-swan charon: 10[ENC] generating IKE_AUTH response 4 [ 
> EAP/FAIL ]
>
> On JumpCloud’s side, we have the error:
>
> mfa: multifactor authentication required; not supported for PEAP/MS-CHAP
>
> We have rightauth set to eap-radius, but I’m yet to find a way of changing 
> the EAP method. Does anyone have strongSwan + MFA working for macOS clients 
> or can anyone point me in the right direction, please?
>
> References:
>
> https://support.jumpcloud.com/support/s/article/Logging-in-to-RADIUS-with-TOTP-MFA
>
> https://support.jumpcloud.com/support/s/article/configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpclouds-radius1-2019-08-21-10-36-47
>
> Many thanks,
>
> Mike



Hi,


if you want to set up your own RADIUS server, I'd recommend FreeRADIUS.
For the OTP setup see:


https://wiki.freeradius.org/guide/multiOTP-HOWTO



With kind regards,




Re: [strongSwan] IPSEC vpn(strongswan) + users in AD

2021-02-26 Thread Michael Schwartzkopff
On 26.02.21 19:39, Gregory Edigarov wrote:
> Good day,
>
> some clues wanted.
>
> strongswan -> freeradius -> AD
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@mailtest.go-lamp.com
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>
> freeradius - I could show config, but I need to do a cleanup first.
>
> AD is out of my control
>
> Radius request is shown below:
> (15) Received Access-Request Id 95 from 127.0.0.1:42093 to
> 127.0.0.1:1812 length 227
> (15)   User-Name = "testuser"
> (15)   NAS-Port-Type = Virtual
> (15)   Service-Type = Framed-User
> (15)   NAS-Port = 10
> (15)   NAS-Port-Id = "ikev2-vpn"
> (15)   NAS-IP-Address = 185.78.235.225
> (15)   Called-Station-Id = "185.78.235.225[4500]"
> (15)   Calling-Station-Id = "82.117.245.149[53824]"
> (15)   EAP-Message =
> 0x020200431a0202003e31e2af5f308985e5021868674940c015e4e22bfe0b82797c5f5f18498fcfbbcbf1e99ffaa07427826d006564696761726f76
> (15)   NAS-Identifier = "strongSwan"
> (15)   State = 0xb601b33cb703a9c425336eef8323aee1
> (15)   Message-Authenticator = 0x39a3a2b21bdd858e031ee2064b307a51
> (15) session-state: No cached attributes
> (15) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (15)   authorize {
> (15) policy filter_username {
> (15)   if () {
> (15)   if ()  -> TRUE
> (15)   if ()  {
> (15) if ( =~ / /) {
> (15) if ( =~ / /)  -> FALSE
> (15) if ( =~ /@[^@]*@/ ) {
> (15) if ( =~ /@[^@]*@/ )  -> FALSE
> (15) if ( =~ /\.\./ ) {
> (15) if ( =~ /\.\./ )  -> FALSE
> (15) if (( =~ /@/) && ( !~ /@(.+)\.(.+)$/))  {
> (15) if (( =~ /@/) && ( !~
> /@(.+)\.(.+)$/))   -> FALSE
> (15) if ( =~ /\.$/)  {
> (15) if ( =~ /\.$/)   -> FALSE
> (15) if ( =~ /@\./)  {
> (15) if ( =~ /@\./)   -> FALSE
> (15)   } # if ()  = notfound
> (15) } # policy filter_username = notfound
> (15) policy filter_password {
> (15)   if ( &&   ( !=
> "%{string:User-Password}")) {
> (15)   if ( &&   ( !=
> "%{string:User-Password}"))  -> FALSE
> (15) } # policy filter_password = notfound
> (15) [preprocess] = ok
> (15) [mschap] = noop
> (15) eap: Peer sent EAP Response (code 2) ID 2 length 67
> (15) eap: No EAP Start, assuming it's an on-going EAP conversation
> (15) [eap] = updated
> (15) files: users: Matched entry DEFAULT at line 152
> (15) [files] = ok
> rlm_ldap (ldap): Reserved connection (16)
> (15) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (15) ldap:    --> (samaccountname=testuser)
> (15) ldap: Performing search in "dc=office,dc=local" with filter
> "(samaccountname=testuser)", scope "sub"
> (15) ldap: Waiting for search result...
> rlm_ldap (ldap): Rebinding to URL
> ldap://ForestDnsZones.office.local/DC=ForestDnsZones,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL
> ldap://DomainDnsZones.office.local/DC=DomainDnsZones,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL
> ldap://office.local/CN=Configuration,DC=office,DC=local
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> (15) ldap: User object found at DN "CN=Some Name,OU=Network & Technical
> support,DC=office,DC=local"
> (15) ldap: Processing user attributes
> (15) ldap: WARNING: No "known good" password added. Ensure the admin
> user has permission to read the password attribute
> (15) ldap: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Deleting connection (16) - Was referred to a different
> LDAP server
> (15) [ldap] = ok
> (15) [expiration] = noop
> (15) [logintime] = noop
> (15)   } # authorize = updated
> (15) Found Auth-Type = eap
> (15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (15)   authenticate {
> (15) eap: Expiring EAP session with state 0xb601b33cb703a9c4
> (15) eap: Finished EAP session with state 0xb601b33cb703a9c4
> (15) eap: Previous EAP request found for state 0xb601b33cb703a9c4,
> released from the list
> (15) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (15) eap: Calling submodule eap_mschapv2 to process data
> (15) eap_mschapv2: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/default
> (15) eap_mschapv2:   authenticate {
> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> 

Re: [strongSwan] IKE-Auth Problem

2021-01-12 Thread Michael Schwartzkopff
On 12.01.21 12:00, fatcha...@gmx.de wrote:
> Hi,
>
> I'm using a strongswan-5.7.2-1.el7.x86_64 on a CentOS Linux release 7.9.2009 
> (Core) as a vpn-gateway with already some working connections. I got some 
> problems with a connection which wants to switch over to certificate 
> authentication.
> This is what I get when I start the connection:
>
> [root@tig strongswan]# strongswan up connection_RLP_test
> initiating IKE_SA lotto_RLP_test[19] to xxx.xxx.xxx.44
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from xxx.xxx.xxx.20[500] to xxx.xxx.xxx.44[500] (464 bytes)
> received packet: from xxx.xxx.xxx.44[500] to xxx.xxx.xxx.20[500] (469 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
> selected proposal: 
> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> received cert request for "C=de, O=connection RLP, CN=RLP CA 2015"
> received 3 cert requests for an unknown ca
> sending cert request for "C=de, O=connection RLP, CN=RLP CA 2015"
> authentication of 'C=DE, ST=local, L=local, O=bay , OU=bay1, 
> CN=vpn.gateway.de, E=t...@gateway.de' (myself) with RSA signature successful
> sending end entity cert "C=DE, ST=local, L=local, O=bay GmbH, OU=bay1, 
> CN=vpn.gateway.de, E=t...@gateway.de"
> establishing CHILD_SA connection_RLP_test{24}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA 
> TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from xxx.xxx.xxx.20[500] to xxx.xxx.xxx.44[500] (1840 bytes)
> received packet: from xxx.xxx.xxx.44[500] to xxx.xxx.xxx.20[500] (96 bytes)
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'connection_RLP_test' failed
>
> What is the problem, what can I do to solve it ?
>
> Any suggestions are welcome
>
> stay safe and healthy
>
> fatcharly


Authentication on the other side failed. See the logs of the other side.

The other side sends you the information that the auth failed. There is
no chance on your side to find out why. My wild suggestion: perhaps the
other side does not trust the CA that signed your server certificate. Or
the cert chain is broken, or something else.



With kind regards,

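The same pattern runs through this thread, the East/Central TS_UNACCEPTABLE thread and the "unsupported mode" thread: the decisive line in the local log is the notify that was received or sent (AUTH_FAILED here, TS_UNACCEPT there, NO_PROP after the kernel refused the SA), and that name, not the lines around it, says where to look next. The following added example (my code, not from the list or from strongSwan) extracts the notify payloads from `strongswan up` / charon output and maps those three cases to a verdict and a hint. The log excerpts are constructed from the quoted messages, with log prefixes dropped and a documentation-range placeholder for addresses.

```python
import re

# Constructed log excerpts modelled on the messages quoted in these threads
# (prefixes dropped, addresses replaced by a documentation-range placeholder).
AUTH_FAILED_LOG = """\
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) ]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'example' failed
"""

TS_LOG = """\
parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '192.0.2.1' with pre-shared key successful
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'eastcentral' failed
"""

MODE_LOG = """\
parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr ]
IPsec SA: unsupported mode
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
"""


def notifies(log):
    """(direction, name) for every N(...) payload in 'parsed' (received)
    and 'generating' (sent) lines, in log order."""
    found = []
    for line in log.splitlines():
        if line.startswith("parsed "):
            direction = "received"
        elif line.startswith("generating "):
            direction = "sent"
        else:
            continue
        found.extend((direction, n) for n in re.findall(r"N\((\w+)\)", line))
    return found


def diagnose(log):
    """Return (verdict, hints); verdict is 'ike_sa_failed', 'child_sa_failed' or 'ok'."""
    received = {n for d, n in notifies(log) if d == "received"}
    sent = {n for d, n in notifies(log) if d == "sent"}
    hints = []
    if "IPsec SA: unsupported mode" in log:
        hints.append("the local kernel refused the requested IPsec mode "
                     "(transport here); check kernel XFRM mode support")
    if "AUTH_FAILED" in received:
        hints.append("the peer rejected our authentication; the reason is only "
                     "in the peer's log (CA trust, certificate chain, identity)")
    if "TS_UNACCEPT" in received:
        hints.append("no traffic selector intersection; compare local_ts/remote_ts "
                     "on both gateways")
    if "NO_PROP" in sent and "failed to create SAD entry" in log:
        hints.append("we answered NO_PROPOSAL_CHOSEN because the kernel SA install "
                     "failed, not because of the cipher list")
    # CHILD_SA failures are checked first: the IKE_SA can be up while the
    # connection as a whole is still reported as failed.
    if "failed to establish CHILD_SA" in log:
        return "child_sa_failed", hints
    if re.search(r"establishing connection '[^']*' failed", log):
        return "ike_sa_failed", hints
    return "ok", hints


if __name__ == "__main__":
    for name, log in (("auth", AUTH_FAILED_LOG), ("ts", TS_LOG), ("mode", MODE_LOG)):
        print(name, diagnose(log))
```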






[strongSwan] ESP-encap port different than 4500

2021-01-08 Thread Michael Schwartzkopff
Hi,


I have two different VPN servers behind ONE NAT address. Yes, I know it
is nonsense, but it is the situation given here.


One runs with 500/4500. Everything is fine. I configured the firewall to
forward packets on these ports to the first VPN server.


I want to use ports 510 and 4510 for the second server. I configured
charon.conf accordingly.

On the client side I configured rightikeport=510. So the client sends
the init request from port 500 to port 510. The server recognizes the
NAT-T on both ends and sends back the response.


The client sends the third packet from port 4500 to port 4500, which fails
of course.


Is there any possibility to tell the client to use port 45100 as the
ESP-encap port?


With kind regards,







Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)

2020-10-26 Thread Michael Schwartzkopff
On 26.10.20 05:47, TomK wrote:
> Hey All,
>
> I've configured the VTI's and routing is now fully working between the
> 9 VLAN's.
>
> XFRM, as far as I can tell, isn't as well documented.  I might try
> this later on to see if OpenWRT supports it.
>
> Thx,
>
> On 10/25/2020 9:48 PM, TomK wrote:
>> Hey Noel,
>>
>> I have four VLAN's on the Azure side.  I need all these VLAN's
>> visible to my on-prem VLAN's, 5 on-prem VLAN's in total.  The on-prem
>> GW can see those Azure VLAN's.  The mapping works well.
>>
>> However, the on-prem StrongSwan GW running on my Raspberry Pi 2
>> (OpenWRT) isn't redistributing the Azure VLAN's at the moment since
>> they are sitting in table 220 where OSPF can't see them.
>>
>>  From the Azure side, I can ping the on-prem GW just fine, including
>> the ability to ssh to the on-prem OpenWRT GW from Azure.  However, I
>> can't ping any of the other on-prem VLAN's from the Azure side, of
>> course. Not until OSPF sees the Azure VLAN's I'm thinking.
>>
>> This is mostly a POC so I have plenty of room to experiment. This is
>> the goal.
>>
>> Cheers,
>> TK
>>
>>
>> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>>> Hello Tom,
>>>
>>> That is the right wiki page.
>>> What I forgot to mention though is that with interfaces, you can
>>> then talk your routing protocol over it.
>>> It does not give you information about the subnets though for which
>>> IPsec policies are installed.
>>>
>>> What is the goal of this in the end?
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 26.10.20 at 01:33, TomK wrote:
 Hey Noel,

 Thanks.  That would certainly make it automatic with either BIRD or
 Quagga.

 I'll have a look at the pages again to see what it takes to create
 these.  Thinking this is still the right page for VTI and XFRM
 information?

 https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

 Cheers,
 TK

 On 10/25/2020 4:59 PM, Noel Kuntze wrote:
> Hi Tom,
>
> The routes in table 220 are only used to tell the kernel which
> source IP to use for sending packets to a remote network.
> They aren't part of XFRM and only tangentially pertain IPsec.
> Also, routes are only added if they are required, so those routes
> in table 220 are not necessarily complete.
>
> A better solution for your use case would be to use route based
> IPsec by using dedicated VTIs or XFRM interfaces and running
> OSPF/BGP/whatever over those virtual links.
>
> Kind regards
>
> Noel
>
> On 25.10.20 at 19:05, TomK wrote:
>> Hey All,
>>
>> I'm interested in finding out how to import routes from
>> StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF,
>> 254)?
>>
>> The XFRM policy based rules are saved in table 220 while Quagga
>> (OSPF) saves the routes in table 254.  I have an IPSec StrongSwan
>> on-prem GW paired up with one of the Cloud providers.  The
>> connection is established fine however I can't ping the remote
>> VLAN's from any other device on the on-prem network except from
>> the on-prem GW itself.
>>
>> I would like to make OSPF aware of table 220 so it can import the
>> rules.  Or at least find another way to export the rules in table
>> 220 and into table 254.  Either import from or export to would
>> work but I haven't been able to find articles on the web
>> addressing this issue.
>>
>> Is this possible?
>>
>


>>>
>>
>>
>
>

Hi,


I wrote two blog articles explaining how to do route-based VPN
with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein





Re: [strongSwan] How to handle duplicate client IDs?

2020-10-22 Thread Michael Schwartzkopff
On 22.10.20 16:00, Grischa Stegemann wrote:
> Hello All
>
> We are connecting hardware IP phones with their built-in IPsec client
> to our strongSwan server.
> The phones can do IKEv2 with PSK plus EAP authentication.
>
> Everything is working fine until two "road warrior phones" happen to
> have the same RFC1918 IPv4 address within their corresponding local
> (home user) networks behind their individual NAT gateways.
>
> E.g. during IKE_AUTH we get
>
> looking for peer configs matching
> xxx.xxx.xxx.xxx[%any]...yyy.yyy.yyy.yyy[192.168.1.10]
>
> for the first client.
> Then the connection and the SA are built with '192.168.1.10' as the
> client's identifier.
>
> Now a second phone comes along with
> looking for peer configs matching
> xxx.xxx.xxx.xxx[%any]...zzz.zzz.zzz.zzz[192.168.1.10]
>
> After successful PSK and EAP authentication the new client gets a
> different virtual ip assigned, which is good, but then the duplicate
> SA kicks in:
>
> detected duplicate IKE_SA for '192.168.1.10', triggering delete for
> old IKE_SA
>
>
> I have tried uniqueids=no and uniqueids=never but this does not solve
> the problem. And I have to admit that I did not fully understand the
> use of this parameter. :-(
>
> Our ipsec.conf is rather simple:
>
> conn IKEv2-PSK-EAP
>     left=%any
>     leftid=@myhostname.mydomain
>     leftsubnet=0.0.0.0/0
>     leftauth=psk
>     rightsourceip=10.0.200.0/24
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightauth2=psk


Can you configure the phone to use anything other than its IP address for
identification, e.g. a hostname? Logs?


Kind regards,



Re: [strongSwan] Effect of xfrm_acq_expires mismatch retransmit timeout?

2020-06-01 Thread Michael Schwartzkopff
On 01.06.20 19:27, Noel Kuntze wrote:
> Hello Michael,
>
> xfrm_acq_expires is the time the kernel holds an acquire event before it
> drops it.
> The kernel only sends one acquire event for a policy, not several ones. When
> it receives packets with a matching policy but without a corresponding IPsec
> SA, it checks if it already sent an acquire event. If an acquire event was
> not reacted to within $xfrm_acq_expires seconds, that acquire event is
> forgotten about by the kernel.
> So basically xfrm_acq_expires is the minimum time between two acquire events
> for a policy.
>
> Kind regards
>
> Noel


Thanks for the explanation.


>
> On 29.05.20 at 15:41, Michael Schwartzkopff wrote:
>> Hi,
>>
>> what would be the effect if the charon.plugins.xfrm_acq_expires does not
>> fit the charon.retransmit_* options?
>>
>> I tried to understand what the xfrm_acq_expires exactly does, but the
>> docs in the internet are very limited. As far as I understood, it sets a
>> timer when the SPI times out. Every time traffic is seen for a SPI,
>> the timer is reset (?)
>>
>> If the total retransmit timeout is larger than the xfrm_acq_expired,
>> could it happen that the SPI timed out before charon times out and the
>> encrypted communication breaks?
>>
>> Or is there any good timing diagram for encrypted traffic through the kernel?
>>
>>
>> Kind regards,
>>

Kind regards,



Re: [strongSwan] Duplicate IKE_SA?

2020-06-01 Thread Michael Schwartzkopff
On 01.06.20 19:23, Noel Kuntze wrote:
> Hello Michael,
>
> It might be that both sides use auto=route or auto=start and initiated in 
> parallel and uniqueids=no is set, so duplicate SAs are not deleted.
>
> That is pure speculation though. ;)
>
> Kind regards
>
> Noel

side A has auto=start and reauth=no

side B had auto=route and rekey=no


From the logs that I have, I see that only side B starts negotiation.
But perhaps side A also started from the beginning. I don't have the logs.


Kind regards,



[strongSwan] Duplicate IKE_SA?

2020-05-31 Thread Michael Schwartzkopff
Hi,


we have a central gateway and several remote gateways. The setup should
be very simple, all fixed IP Addresses, PSK authentication.

When I look at the status of the connections, I see that EVERY IKE_SA
exists in duplicate. The expiry times are far from being close to the timeout.


Sample output of statusall:

Connections:
   VPN_a:  192.0.2.128...192.0.2.1  IKEv2, dpddelay=10s
   VPN_a:   local:  [192.0.2.1] uses pre-shared key authentication
   VPN_a:   remote: [192.0.2.128] uses pre-shared key authentication
   VPN_a:   child:  dynamic === 192.0.2.128/32 TUNNEL, dpdaction=hold

Security Associations (4 up, 0 connecting):
   VPN_a[502011]: ESTABLISHED 47 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
   VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*, rekeying disabled
   VPN_a[502011]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   VPN_a{502324}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i c36e31d1_o
   VPN_a{502324}:  AES_CBC_256/HMAC_SHA2_256_128, 3182 bytes_i (74 pkts, 15s ago), 7655 bytes_o (110 pkts, 0s ago), rekeying disabled
   VPN_a{502324}:   192.0.2.128/32 === 192.0.2.1/32
   VPN_a[502009]: ESTABLISHED 66 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
   VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*, rekeying disabled
   VPN_a[502009]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   VPN_a{502323}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i cbabcc83_o
   VPN_a{502323}:  AES_CBC_256/HMAC_SHA2_256_128, 2226 bytes_i (51 pkts, 15s ago), 4681 bytes_o (72 pkts, 0s ago), rekeying disabled
   VPN_a{502323}:   192.0.2.128/32 === 192.0.2.1/32


Any ideas, why the gateways set up two IKE SAs?


Kind regards,

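A monitoring check for the situation in this post, written as an added example (my code, not from the thread): it parses `ipsec statusall` output and reports every (connection, local ID, remote ID) triple that has more than one ESTABLISHED IKE_SA. The sample is the output quoted above joined back into single lines, plus a constructed second connection VPN_b as a control.

```python
"""Find connections with more than one established IKE_SA between the same
identities in `ipsec statusall` output (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: the post's statusall output on single lines, plus a
# made-up connection VPN_b that has only one IKE_SA.
SAMPLE_STATUSALL = """\
Security Associations (3 up, 0 connecting):
   VPN_a[502011]: ESTABLISHED 47 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
   VPN_a[502011]: IKEv2 SPIs: 93fea54e631018b3_i e19e477bde676b42_r*, rekeying disabled
   VPN_a{502324}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2a96e2c_i c36e31d1_o
   VPN_a{502324}:   192.0.2.128/32 === 192.0.2.1/32
   VPN_a[502009]: ESTABLISHED 66 minutes ago, 192.0.2.128[192.0.2.128]...192.0.2.1[192.0.2.1]
   VPN_a[502009]: IKEv2 SPIs: 40ab1a098c160549_i ded33f2f40286969_r*, rekeying disabled
   VPN_a{502323}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c2b8ec27_i cbabcc83_o
   VPN_a{502323}:   192.0.2.128/32 === 192.0.2.1/32
   VPN_b[502100]: ESTABLISHED 12 minutes ago, 192.0.2.129[192.0.2.129]...192.0.2.1[192.0.2.1]
   VPN_b{502400}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: 0a0b0c0d_i 1a1b1c1d_o
"""

# IKE_SA lines look like: "<conn>[<unique id>]: ESTABLISHED <age>, <host>[<id>]...<host>[<id>]"
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>[^\[\s]+)\[(?P<uid>\d+)\]:\s+ESTABLISHED\s+(?P<age>[^,]+),\s+"
    r"(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]"
)


def parse_ike_sas(statusall):
    """One dict per ESTABLISHED IKE_SA line: conn, uid, age, hosts and identities.
    CHILD_SA lines (curly braces) and proposal/SPI lines do not match."""
    return [m.groupdict() for m in map(IKE_SA_RE.match, statusall.splitlines()) if m]


def find_duplicate_ike_sas(statusall):
    """Map (conn, local id, remote id) -> sorted unique IDs for every identity
    pair that has more than one established IKE_SA. With the default
    uniqueids=yes charon replaces the older SA for an identity, so hits here
    point at uniqueids=no or at both sides initiating in parallel, as the
    reply above speculates."""
    groups = defaultdict(list)
    for sa in parse_ike_sas(statusall):
        groups[(sa["conn"], sa["lid"], sa["rid"])].append(int(sa["uid"]))
    return {key: sorted(uids) for key, uids in groups.items() if len(uids) > 1}


if __name__ == "__main__":
    for (conn, lid, rid), uids in find_duplicate_ike_sas(SAMPLE_STATUSALL).items():
        print(f"{conn}: {len(uids)} IKE_SAs for {lid}...{rid}: {uids}")
```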


[strongSwan] Effect of xfrm_acq_expires mismatch retransmit timeout?

2020-05-29 Thread Michael Schwartzkopff
Hi,

what would be the effect if the charon.plugins.xfrm_acq_expires does not
fit the charon.retransmit_* options?

I tried to understand what the xfrm_acq_expires exactly does, but the
docs in the internet are very limited. As far as I understood, it sets a
timer when the SPI times out. Every time traffic is seen for a SPI,
the timer is reset (?)

If the total retransmit timeout is larger than the xfrm_acq_expired,
could it happen that the SPI timed out before charon times out and the
encrypted communication breaks?

Or is there any good timing diagram for encrypted traffic through the kernel?


Kind regards,

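Added example (my code, not from the thread) putting the question in this post and Noel's explanation in the reply above side by side: charon's retransmit schedule from strongswan.conf's retransmit_timeout, retransmit_base and retransmit_tries (defaults 4.0 s, 1.8 and 5, which add up to about 165 s, the same value xfrm_acq_expires defaults to), and a model of the kernel that raises one acquire per policy and forgets it after xfrm_acq_expires seconds. retransmit_jitter is ignored.

```python
"""Timing model for xfrm_acq_expires versus charon.retransmit_* (added
example, not from the thread). The kernel side follows Noel's description:
one acquire per policy, forgotten after acq_expires seconds, after which the
next packet matching the policy raises a new one. retransmit_jitter is ignored."""


def charon_total_timeout(timeout=4.0, base=1.8, tries=5):
    """Seconds charon waits for a reply before giving up on a request: the
    initial send plus `tries` retransmits, the n-th waiting timeout * base**n.
    Defaults are strongswan.conf's and sum to about 165 s."""
    return sum(timeout * base ** n for n in range(tries + 1))


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Absolute send times (s) of the initial request and each retransmit."""
    times, t = [0.0], 0.0
    for n in range(tries):
        t += timeout * base ** n
        times.append(t)
    return times


def simulate_acquires(packet_times, acq_expires, sa_up_at=None):
    """Times at which the kernel emits an acquire for one policy.

    packet_times: when packets match the policy while no SA exists;
    sa_up_at:     when the IPsec SA gets installed (None = never, i.e. the
                  peer stays silent). Packets inside an acquire's lifetime
                  raise no new acquire (the kernel drops them)."""
    acquires, pending_until = [], None
    for t in sorted(packet_times):
        if sa_up_at is not None and t >= sa_up_at:
            break                      # the SA exists now, no more acquires
        if pending_until is None or t >= pending_until:
            acquires.append(t)
            pending_until = t + acq_expires
    return acquires


def acquires_during_negotiation(acq_expires, packet_interval, **retransmit):
    """How many acquires reach charon while it is still retransmitting the
    first request for this policy (peer silent, traffic every packet_interval
    seconds). With acq_expires at least the total timeout this stays at one;
    a shorter acq_expires hands charon repeated acquires for an IKE_SA it is
    still trying to set up."""
    total = charon_total_timeout(**retransmit)
    packets = [i * packet_interval for i in range(int(total // packet_interval) + 1)]
    return len(simulate_acquires(packets, acq_expires))


if __name__ == "__main__":
    print("charon gives up after %.1f s" % charon_total_timeout())
    print("retransmits at", [round(t, 1) for t in retransmit_schedule()])
    for acq in (165, 30):
        print("xfrm_acq_expires=%d, traffic every 10 s: %d acquires"
              % (acq, acquires_during_negotiation(acq, 10)))
```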


Re: [strongSwan] had to manually up a connection

2020-03-06 Thread Michael Schwartzkopff
On 06.03.20 15:58, Tobias Brunner wrote:
> Hi Felipe,
>
>> I see that the first packet in matching
>> traffic is always lost: in a ping session, packet with seq=1 never makes
>> it to the other side, only from seq=2 onwards.
>>
>> Why does this happen?
> It's a known property of the Linux kernel.  Packets, in particular the
> triggering one, are not cached and lost until the IPsec SAs are established.
>
>> and is there a way to avoid it?
> Not that I'm aware.
>
>> I'm thinking about
>> SNMP traps over IPSec that are not retransmitted since they use UDP.
> Neither UDP, IP, nor IPsec guarantee delivery of any sent packets, you
> always have to reckon with packet loss.
>
> Regards,
> Tobias



Use SNMPv3 informs. The SNMP manager sends a confirmation having
received it.

Kind regards,



Re: [strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username

2020-03-03 Thread Michael Schwartzkopff
On 03.03.20 15:06, Stefan Hartmann wrote:
> Hello list,
>
> I 'm trying to set up a VPN Remote Access aka Road Warrior with
> EAP-TLS similar to the scenario
> https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/.
>
> I want to switch from Cisco ASA to Strongswan.
>
> I use strongswan 5.8.1-1 on Debian Bullseye.
>
> My Freeradius is 3.0.17+dfsg-1.1 on a Debian Buster and is already
> running a few years as KDC/LDAP/RADIUS etc:
>     used for WLAN AAA EAP-TLS, EAP-TTLS/PAP, PEAP-MSCHAPv2
>     used as AAA server for Cisco ASA ie authn via PAP
>     used as KDC ...
>
> The first setup with strongswan functions perfectly with EAP-TTLS with
> inner EAP-GTC against the Kerberos KDC.
>
>
> The setup for EAP-TLS functions only, if I comment out the
> filter_username in sites-enabled/default, otherwise the passed
> username from strongswan to the AAA server is rejected.
>
> # freeradius -X
> ...
> } # if ( =~ / /)  = reject
> (0)   } # if ()  = reject
> (0) } # policy filter_username = reject
> (0)   } # authorize = reject
> (0) Invalid user (Rejected: User-Name contains whitespace): [0??1?0
> ??UDE1I0G??U? ?@Ingenieurbuero fuer IT/EDV und Netzwerktechnik -
> Stefan Hartmann1?0???UUsers1?0???U??? testuser-ldap] (from client
> BULLSEYE port 5 cli 172.31.201.100[500])
>
>
> Analyzing with Wireshark shows, that the username is the passed
> ASN.1-Subject-DN from the certificate:
>     30 81 81 31 0b 30  09 06 03 55 04 06 13 02   ..0..1.0
> ...U
> 0010  44 45 31 49 30 47 06 03  55 04 0a 0c 40 49 6e 67   DE1I0G..
> U...@Ing
> 0020  65 6e 69 65 75 72 62 75  65 72 6f 20 66 75 65 72   enieurbu ero
> fuer
> 0030  20 49 54 2f 45 44 56 20  75 6e 64 20 4e 65 74 7a    IT/EDV  und
> Netz
> ...
>
>
> # strongswan config
> # VPN-Gw swanctl.conf
> connections {
>     RA-SRV4_IKE2-AUTHN-EAP {
>     ...
>     local {
>     auth = pubkey
> certs = BULLSEYE_SAN-DNS-email.cert.pem
>     }   
>     remote {
> auth = eap-radius   
> id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik -
> Stefan Hartmann, OU = Users, CN = *"
>     }
>     ...
>
>
> # Roadwarrior
> connections {
>     RA-KLIENT4_IKE2-AUTHN-EAP {
>     ...
>     local {
>     auth = eap-tls
>     certs = testuser-ldap.cert.pem
>     aaa_id = "C = DE, O = Ingenieurbuero fuer IT/EDV und
> Netzwerktechnik - Stefan Hartmann, OU = CA, CN = srv-kdc.hafenthal.de"
>
>     # testing
>     #id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik
> - Stefan Hartmann, OU = Users, CN = testuser-ldap"
>     #id = testuser-lo...@hafenthal.de
> 
>    }
>
>
> Can I configure strongswan client or server or eap-radius-plugin, that
> it passes either the subject-DN in ASCII or the SubjAltName email?
>
> The scenario
> https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/
> shows also the ASN.1 raw username, therefore I think, this is intended.
>
> A possible workaround:
> write a freeradius policy.d/filter_strongswan unlang function which
> transforms the username and then do the filter_username check.
>
>
> Nb. With a fake certificate you can pass arbitrary hex code to the
> freeradius daemon, from every user on the inet to the auth-server, i.e. the
> heart of your site! This could be/become a nice attack vector - this is
> my view as a pentester!
>
>
> Thanks for your thoughts and replies!
>

Hi,


RADIUS does not expect whitespace in the username. strongswan passes
the ID on to the RADIUS server. In your case it has whitespace. The
policy filter in freeradius kicks in and rejects the request.

I'd improve the policy filter in freeradius to accept whitespace IF the
NAS is your strongswan. Please see the debug output of freeradius for
the NAS attribute. So you can update your filter like:

if ( == "strongswan") {

  other policy tests except the whitespace one

} else {

  all original filter

}


Please see the file /etc/freeradius/3.0/policy.d/filter for the
preprocess username filter.


Kind regards,

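To see why this User-Name trips filter_username, here is an added example (my code, not strongSwan's, FreeRADIUS's or the poster's) that decodes the DER-encoded subject DN that arrives as the RADIUS User-Name for EAP-TLS peers into its RFC 4514 text form, and applies the whitespace rule from the log quoted above. It covers the DER subset found in subject names (single-valued RDNs; PrintableString, UTF8String and IA5String values; short and long-form lengths) and uses a constructed sample DN, not the one from the thread.

```python
"""Decode the DER X.509 Name that eap-radius passes as RADIUS User-Name for
EAP-TLS peers, and apply FreeRADIUS's "no whitespace" check to it
(added example, not from the thread or either project)."""

OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}
STRING_TAGS = {0x0C, 0x13, 0x16}        # UTF8String, PrintableString, IA5String


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue -> 'C=DE, O=..., CN=...'.
    Only the first AttributeTypeAndValue of each SET is read (single-valued RDNs)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, after = _read_tlv(atv, 0)
        vtag, value, _ = _read_tlv(atv, after)
        dotted = _decode_oid(oid)
        text = value.decode("utf-8") if vtag in STRING_TAGS else value.hex()
        parts.append(f"{OID_NAMES.get(dotted, dotted)}={text}")
    return ", ".join(parts)


def _tlv(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_name(rdns):
    """Build a DER Name from [(short name, value), ...]; values as UTF8String."""
    by_name = {v: k for k, v in OID_NAMES.items()}
    body = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(by_name[n])) + _tlv(0x0C, v.encode("utf-8"))))
        for n, v in rdns)
    return _tlv(0x30, body)


def filter_username(user_name):
    """The rule the thread's FreeRADIUS log shows: a User-Name containing a
    space is rejected. Raw DER can also contain 0x20 as a length or OID byte,
    so even a DN without spaces in its values may be rejected."""
    return "reject" if b" " in user_name else "accept"


# Constructed sample DN; the O value contains spaces, like the one in the thread.
SAMPLE_DN = [("C", "DE"), ("O", "Example Engineering - IT Services"),
             ("OU", "Users"), ("CN", "testuser")]
SAMPLE_DER = encode_name(SAMPLE_DN)

if __name__ == "__main__":
    print(SAMPLE_DER.hex(" "))
    print(decode_name(SAMPLE_DER), "->", filter_username(SAMPLE_DER))
```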


Re: [strongSwan] Stongswan and Meraki

2020-03-03 Thread Michael Schwartzkopff
On 26.02.20 23:50, Mark wrote:
> Hi,
>
> I have a couple of random seeming problems between Meraki MX devices and
> Strongswan via pfsense and I'm at a bit of a loss on how to gather more
> information. Hoping for some pointers here
>
> The Meraki side is their latest firmware and the pfsense is running
> FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10. I have several sets of
> these vpn's but the most problematic one has around 40 phase 1 peers,
> each with 2 or 3 phase 2 configurations, this is on a single pfsense
> instance with the 40 phase 1 peers being mx devices on the internet.
>
> These are all IKEv1 configurations.
>
> For the most part, we have solid and reliable VPN's among the devices,
> but sometimes the two endpoints appear to get out of sync. This can
> happen every few days or it can happen every couple of hours.
>
> I see instances of the strongswan side successfully rekeying, but the
> Meraki side logging an SPI expiration and never having logged an
> established event for that same SPI. The result is that the pfsense side
> will send traffic forever but the MX apparently just discards the
> incoming traffic.
>
> In other instances, I will see sometimes 5 or 6 phase 2 SPI pairs for
> the same network set on the same connection
>
> In either of these two cases, my operational symptom will be that
> traffic is not passing.  In both cases, an ipsec down connection &&
> ipsec up connection makes traffic flow again.
>
> I've engaged Meraki many times including as the problems are happening,
> and I always get an inconclusive answer/ no answer.
>
> This is an example config, they're generally all the same for the
> different phase 1 and phase 2 connections
>
> conn con1000
>     fragmentation = yes
>     keyexchange = ikev1
>     reauth = yes
>     forceencaps = yes
>     mobike = no
>
>     rekey = yes
>     installpolicy = yes
>     type = tunnel
>     dpdaction = restart
>     dpddelay = 10s
>     dpdtimeout = 60s
>     auto = route
>     left = leftnet
>     right = rghtnet
>     leftid = leftid
>     ikelifetime = 28800s
>     lifetime = 3600s
>     ike = aes256-sha1-modp1024!
>     esp = aes256-sha1,aes192-sha1,aes128-sha1!
>     leftauth = psk
>     rightauth = psk
>     rightid = rightid
>     aggressive = no
>     rightsubnet = 10.1.1.0/24
>     leftsubnet = 10.10.1.0/24
>
>
> I suspect that some of my problems might be related to delivery problems
> for the encapsulated packets over the internet but I don't know how I
> can go about knowing that. I have the ability to capture packets on the
> wan side of the pfsense/strongswan devices, but I don't quite know what
> I'm looking for in the network traffic.
>
> Any pointers to help me get the data I need to make these tunnels way
> more reliable?
>
> Thanks
>
> Mark


Please send logs of both sides during an outage.

Kind regards,



[strongSwan] Authorization of network access via VPN

2020-03-02 Thread Michael Schwartzkopff
Hi,


with the RADIUS module authentication and accounting can be achieved
easily against every backend RADIUS can talk to. Policy enforcement is possible
with RADIUS. So everything works nicely.


I want to deal with authorization in a strongswan / RADIUS setup. As far
as I understood the documentation, the RADIUS server can pass group membership
in the Class attribute. Strongswan can use this information in
its rightgroups option in ipsec.conf. A conn section fits if at least one
group is returned by the RADIUS server.


This works nicely in scenarios where I have disjoint access rights for
user groups, e.g. accounting can access other internal servers than users in
the engineering group, and a user is never in both groups.


Is it possible to set up (or implement) a configuration where every group has
different access rights?

This could be achieved by filter lists based on group membership that
strongswan would use as leftsubnet. Or strongswan could call an updown script
and pass on the group membership. That script would set up the firewall
correctly.


Any other thoughts?


Kind regards,

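One way to implement the updown idea from the last paragraph, as an added example (my code, not strongSwan's or the poster's). Since the updown interface does not hand the script the RADIUS group itself, it assumes one conn section per group, named after it and selected with rightgroups (hypothetical names grp-accounting and grp-engineering), each with its own leftsubnet and leftupdown pointing at this script; charon sets PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER_CLIENT in the environment, and the subnets are made up.

```python
#!/usr/bin/env python3
"""updown script that gives each RADIUS group its own firewall rule (added
example, not from the thread or from strongSwan). charon exports the event
as PLUTO_VERB, the conn section as PLUTO_CONNECTION and the peer's traffic
selector (its virtual IP, "addr/prefix") as PLUTO_PEER_CLIENT."""
import os
import subprocess
import sys

# Hypothetical: one conn per group, named after it and selected with
# rightgroups=<group>, mapped to the internal network that group may reach.
GROUP_SUBNETS = {
    "grp-accounting": "10.10.1.0/24",
    "grp-engineering": "10.10.2.0/24",
}


def firewall_rule(verb, conn, peer_client):
    """Return the iptables argv for this event, or None if the verb or the
    conn is not one we manage. Inserted on up-client, deleted on down-client.
    The policy match limits the rule to packets that really arrived through
    IPsec, so a LAN packet spoofing the virtual IP as source does not match."""
    subnet = GROUP_SUBNETS.get(conn)
    op = {"up-client": "-I", "down-client": "-D"}.get(verb)
    if subnet is None or op is None:
        return None
    src = peer_client.split("/")[0]      # strip the prefix length
    return ["iptables", op, "FORWARD", "-s", src, "-d", subnet,
            "-m", "policy", "--dir", "in", "--pol", "ipsec", "-j", "ACCEPT"]


def handle_event(env, dry_run=False):
    """Apply (or, in a dry run, only return) the rule for one updown event.
    Returns the argv that was or would be executed, None when ignored."""
    rule = firewall_rule(env.get("PLUTO_VERB", ""),
                         env.get("PLUTO_CONNECTION", ""),
                         env.get("PLUTO_PEER_CLIENT", ""))
    if rule is not None and not dry_run:
        subprocess.check_call(rule)
    return rule


if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    result = handle_event(os.environ, dry_run=dry)
    if result and dry:
        print(" ".join(result))
```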


Re: [strongSwan] EAP-PEAP

2020-01-24 Thread Michael Schwartzkopff
On 24.01.20 15:14, korsar...@gmail.com wrote:
> Hi,
> I try to connect strongswan client on Ubuntu 18.04 to the strongswan
> server using EAP-PEAP on Windows Network Policy Server, but it doesn't
> work. Windows clients connect fine.
>
> Server logs:
> charon: 11[CFG] RADIUS Access-Request timed out after 4 attempts
> charon: 11[IKE] EAP method EAP_PEAP failed for peer MyVPNuser
>
> Client logs:
> charon-nm: 06[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
> charon-nm: 06[IKE] sending tunneled EAP-PEAP AVP [EAP/RES/MSCHAPV2]
> charon-nm: 06[ENC] generating IKE_AUTH request 9 [ EAP/RES/PEAP ]
> charon-nm: 06[NET] sending packet: from 192.168.103.95[60160] to
> 11.11.11.11[4500] (108 bytes)
> charon-nm: 13[NET] received packet: from 11.11.11.11[4500] to
> 192.168.103.95[60160] (172 bytes)
> charon-nm: 13[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/PEAP ]
> charon-nm: 13[IKE] received tunneled EAP-PEAP AVP [EAP/REQ/ID]
> charon-nm: 13[IKE] server requested EAP_IDENTITY authentication (id 0x09)
> charon-nm: 13[IKE] sending tunneled EAP-PEAP AVP [EAP/RES/ID]
> charon-nm: 13[ENC] generating IKE_AUTH request 10 [ EAP/RES/PEAP ]
> charon-nm: 13[NET] sending packet: from 192.168.103.95[60160] to
> 11.11.11.11[4500] (124 bytes)
> charon-nm: 14[IKE] retransmit 1 of request with message ID 10
> charon-nm: 14[NET] sending packet: from 192.168.103.95[60160] to
> 11.11.11.11[4500] (124 bytes)
> charon-nm: 09[IKE] retransmit 2 of request with message ID 10
> charon-nm: 09[NET] sending packet: from 192.168.103.95[60160] to
> 11.11.11.11[4500] (124 bytes)
> charon-nm: 10[NET] received packet: from 11.11.11.11[4500] to
> 192.168.103.95[60160] (76 bytes)
> charon-nm: 10[ENC] parsed IKE_AUTH response 10 [ EAP/FAIL ]
> charon-nm: 10[IKE] received EAP_FAILURE, EAP authentication failed
> charon-nm: 10[ENC] generating INFORMATIONAL request 11 [ N(AUTH_FAILED) ]
> charon-nm: 10[NET] sending packet: from 192.168.103.95[60160] to
> 11.11.11.11[4500] (76 bytes)
> NetworkManager[723]:   [1579812873.7333]
> vpn-connection[0x55c27fae61a0,43409cea-49d3-4cdc-acde-84146d74abe6,"VPN
> 1",0]: VPN plugin: failed: connect-failed (1)
> NetworkManager[723]:   [1579812873.7334]
> vpn-connection[0x55c27fae61a0,43409cea-49d3-4cdc-acde-84146d74abe6,"VPN
> 1",0]: VPN plugin: failed: connect-failed (1)
> NetworkManager[723]:   [1579812873.7336]
> vpn-connection[0x55c27fae61a0,43409cea-49d3-4cdc-acde-84146d74abe6,"VPN
> 1",0]: VPN plugin: state changed: stopping (5)
> NetworkManager[723]:   [1579812873.7337]
> vpn-connection[0x55c27fae61a0,43409cea-49d3-4cdc-acde-84146d74abe6,"VPN
> 1",0]: VPN plugin: state changed: stopped (6)
>
> May you help me?


The log clearly says "authentication failed". This is handled in the
backend RADIUS server. The reason for the failure is hidden in the log
files of the RADIUS server.


Kind regards,



Re: [strongSwan] Route-based VPNs (XFRM Interfaces) vs policies based VPNs

2019-12-20 Thread Michael Schwartzkopff
On 20.12.19 17:42, Marco Berizzi wrote:
> Hello everyone,
>
> I need to setup a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
> I was thinking of setting it up with the new xfrm interfaces:
> I don't need to route all of 0.0.0.0/0 through this vpn.
>
> My question is how 'route based' and 'policies based'
> VPNs will coexist on the same linux box.
>
> For example, if I'm going to implement a 0.0.0.0/0 to
> 0.0.0.0/0 vpn with the xfrm interfaces and then I will
> route the traffic only for the 155.192.168.0/24 network
> through the ipsec0 device (for example), and then I
> implement a classic policy based vpn (without the xfrm
> interface) with the following traffic selectors
> 166.172.16.0/24 and 177.16.172.0/24, what will happen?
> Will the linux kernel process the packets for the
> 166.172.16.0/24 and 177.16.172.0/24 into the right ipsec
> policy?
>
> Thanks
>
> Marco

I think mixing policy and route based VPNs on the same machine with
overlapping network ranges will cause trouble. I'd change to only
route-based VPNs in that case.


Kind regards,



Re: [strongSwan] allow multiple EAP identities but not %any

2019-10-30 Thread Michael Schwartzkopff
On 30.10.19 14:53, Christoph Harder wrote:
> Hello everybody,
>
> is it possible to define multiple EAP identities per connection,
> without using %any ?
>
> For example in the swanctl.conf I define two connections and in the
> secrets section I define multiple EAP secrets/identities.
> Is there any way to specify connections..remote.eap_id
> so that only certain (but more than one) identities will be accepted?
> Or is there only the option to allow either all known identities or
> only a single one when using the swanctl.conf (and EAP identities
> stored in the secrets section)?
>
> Best regards,
> Christoph Harder
>

Hi,


I do not know if strongswan is flexible enough for your purpose. But if
you have a RADIUS server as backend authentication, you could
accomplish your task in RADIUS.


Kind regards,




Re: [strongSwan] ipsec connection fails: no matching peer config found

2019-10-18 Thread Michael Schwartzkopff
On 18.10.19 10:53, Tobias Brunner wrote:
> Hi Michael,
>
>> found the reason. I had rightid="muc.XXX.de" in my client config. The
>> logs do not show that the gateway ID is quoted. After removing the
>> quotes the connection came up.
> The quotes do not matter, unless they are some kind of typographic
> quotes like “ = U+201C or ” = U+201D (i.e. not " = U+0022).  However,
> you'd see that in the log (as ???).  So it's more likely you had a typo
> in the XXX part of that identity.
>
now it works with the quotes. Strange.

I checked the logs, but no visible difference in the XXX between these
two entries:

Oct 17 18:37:04 muc charon: 15[CFG] <108> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]

Oct 17 18:37:04 muc charon: 15[CFG] <108> no matching peer config found


and

Oct 18 10:06:01 muc charon: 09[CFG] <124> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...217.111.91.203[m...@xxx.de]

Oct 18 10:06:01 muc charon: 09[CFG]  selected peer
config 'con-mobile'


Kind regards,




Re: [strongSwan] ipsec connection fails: no matching peer config found

2019-10-18 Thread Michael Schwartzkopff
On 17.10.19 19:01, Michael Schwartzkopff wrote:
> Hi,
>
> I have a problem with one specific ipsec client. It cannot connect. The
> logs on the server side say:
>
> Oct 17 18:50:15 muc charon: 11[CFG] <111> looking for peer configs
> matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]
> Oct 17 18:50:15 muc charon: 11[CFG] <111> no matching peer config found
>
>
> The status command on the server side says:
>
> Connections:
>   con-mobile:  192.168.178.8...%any  IKEv2, dpddelay=10s
>   con-mobile:   local:  [muc.XXX.de] uses public key authentication
>   con-mobile:    cert:  "CN=muc.XXX.de"
>   con-mobile:   remote: [*@XXX.de] uses EAP_RADIUS authentication with
> EAP identity '%any'
>
>
> So why does the server have a problem to identify the new incoming
> connection?
>
>
> The server side logs for another (working) client look like:
>
> Oct 17 18:57:17 muc charon: 12[CFG] <115> looking for peer configs
> matching 192.168.178.8[%any]...109.41.194.144[m...@xxx.de]
> Oct 17 18:57:17 muc charon: 12[CFG]  selected peer
> config 'con-mobile'
>
>
> Server: strongswan on pfsense (FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10)
>
> non-working client: strongswan on linux (Linux strongSwan
> U5.8.1/K5.3.6-arch1-1-ARCH)
>
> working client: strongswan on android. (2.2.0)
>
>
> Kind regards,
>
Hi,


found the reason. I had rightid="muc.XXX.de" in my client config. The
logs do not show that the gateway ID is quoted. After removing the
quotes the connection came up.


Kind regards,




[strongSwan] ipsec connection fails: no matching peer config found

2019-10-17 Thread Michael Schwartzkopff
Hi,

I have a problem with one specific ipsec client. It cannot connect. The
logs on the server side say:

Oct 17 18:50:15 muc charon: 11[CFG] <111> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]
Oct 17 18:50:15 muc charon: 11[CFG] <111> no matching peer config found


The status command on the server side says:

Connections:
  con-mobile:  192.168.178.8...%any  IKEv2, dpddelay=10s
  con-mobile:   local:  [muc.XXX.de] uses public key authentication
  con-mobile:    cert:  "CN=muc.XXX.de"
  con-mobile:   remote: [*@XXX.de] uses EAP_RADIUS authentication with
EAP identity '%any'


So why does the server have a problem to identify the new incoming
connection?


The server side logs for another (working) client look like:

Oct 17 18:57:17 muc charon: 12[CFG] <115> looking for peer configs
matching 192.168.178.8[%any]...109.41.194.144[m...@xxx.de]
Oct 17 18:57:17 muc charon: 12[CFG]  selected peer
config 'con-mobile'


Server: strongswan on pfsense (FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10)

non-working client: strongswan on linux (Linux strongSwan
U5.8.1/K5.3.6-arch1-1-ARCH)

working client: strongswan on android. (2.2.0)


Kind regards,




Re: [strongSwan] xauth authentication backend

2019-10-01 Thread Michael Schwartzkopff
On 30.09.19 at 11:58, Noel Kuntze wrote:
> Hello,
>
> You can express arbitrary authentication logic in FreeRADIUS. I do not know 
> if you can do checks in parallel to save time
> or if FreeRADIUS does that by itself automatically already.
>
> No, you can't load plugins at runtime.
>
> (Yeah, mixed top and bottom posting like pros)
>
> Kind regards
>
> Noel
>
> On 30.09.19 at 10:39, Michael Schwartzkopff wrote:
>> On 30.09.19 at 10:00, Christoph Harder wrote:
>>> Hello,
>>>
>>> thank you for the help so far.
>>>
>>> Is the local RADIUS server the recommended approach or would it be
>>> possible to write a custom xauth-plugin?
>>>
>>> I suspect most RADIUS servers do provide a way to do authentication by
>>> database (e.g. a locally running SQL database) or directory (LDAP and
>>> Active Directory) and possibly more backends, but not necessarily both
>>> at the same time using an OR operation (user is either member of the
>>> correct user group in the directory or found in a local database).
>>>
>>> Is there a way to load plugins dynamically at runtime?
>>>
>>> Best regards,
>>> Christoph Harder
>> FreeRADIUS offers the possibility to authenticate against several
>> backends. The latest versions also offer the possibility to have a
>> syntax like "this or that".
>>
>>
>>
>>> On 27.09.19 at 17:37, Noel Kuntze wrote:
>>>> Hello,
>>>>
>>>> You will need to go through a local RADIUS server, in which you need
>>>> to implement your custom authentication logic
>>>> (meaning the checking against all those different backends). You'll
>>>> use the eap-radius plugin for that, which will
>>>> then automatically also forward all XAUTH authentications to the
>>>> configured RADIUS server.
>>>>
>>>> Multiple authentication rounds means that the client actively
>>>> participates in every of those rounds and each one
>>>> has to succeed, meaning it has to be aware of those. In your case,
>>>> that evidently won't work for you.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>>> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>>>>> Hi,
>>>>>
>>>>> You can check out multiple authentication rounds, it will provide
>>>>> with chain authentication using multiple backends.
>>>>>
>>>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>>>> mailto:char...@telco-tech.de>> wrote:
>>>>>
>>>>>  Hello everybody,
>>>>>
>>>>>  currently I do have the problem that I need to set up xauth but
>>>>> with a
>>>>>  custom authentication backend. To be more specific, I need to
>>>>> check if a
>>>>>  user that tries to authenticate with xauth exists in one of
>>>>> multiple
>>>>>  backends and if his/her credentials are correct (e.g.
>>>>> simultaneously
>>>>>  looking in a local DB, one or more LDAP directories and/or a
>>>>> RADIUS server).
>>>>>
>>>>>  Is there any way to perform custom authentication and
>>>>> authorization?
>>>>>
>>>>>  Sadly PAM is not an option/not available on this system.
>>>>>
>>>>>  The ext-auth plugin is missing the password, so I can't use it
>>>>> to check
>>>>>  if the user actually provided the correct credentials only if
>>>>> he/she
>>>>>  exists and is authorized to connect.
>>>>>
>>>>>  Best regards,
>>>>>  Christoph Harder
>>>>>
>>>>>  --
>>>>>  TELCO TECH GmbH
>>>>>  Berlin branch
>>>>>  Mädewalder Weg 2
>>>>>  12621 Berlin
>>>>>  Tel.: +49 30 565862610
>>>>>  Web: www.telco-tech.de <http://www.telco-tech.de>
>>>>>  Amtsgericht Potsdam-Stadt HRB 55 79
>>>>>  Management:
>>>>>  Bernd Schulz
>>>>>  Silke Schirmer
>>>>>
>> Kind regards,
>>
FreeRADIUS documentation for redundant / failover backend authentication (or more
generally: modules):

https://wiki.freeradius.org/config/Fail-over



Kind regards,



Re: [strongSwan] xauth authentication backend

2019-09-30 Thread Michael Schwartzkopff
On 30.09.19 at 10:00, Christoph Harder wrote:
> Hello,
>
> thank you for the help so far.
>
> Is the local RADIUS server the recommended approach or would it be
> possible to write a custom xauth-plugin?
>
> I suspect most RADIUS servers do provide a way to do authentication by
> database (e.g. a locally running SQL database) or directory (LDAP and
> Active Directory) and possibly more backends, but not necessarily both
> at the same time using an OR operation (user is either member of the
> correct user group in the directory or found in a local database).
>
> Is there a way to load plugins dynamically at runtime?
>
> Best regards,
> Christoph Harder

FreeRADIUS offers the possibility to authenticate against several
backends. The latest versions also offer the possibility to have a
syntax like "this or that"



>
> On 27.09.19 at 17:37, Noel Kuntze wrote:
>> Hello,
>>
>> You will need to go through a local RADIUS server, in which you need
>> to implement your custom authentication logic
>> (meaning the checking against all those different backends). You'll
>> use the eap-radius plugin for that, which will
>> then automatically also forward all XAUTH authentications to the
>> configured RADIUS server.
>>
>> Multiple authentication rounds means that the client actively
>> participates in every of those rounds and each one
>> has to succeed, meaning it has to be aware of those. In your case,
>> that evidently won't work for you.
>>
>> Kind regards
>>
>> Noel
>>
>> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>>> Hi,
>>>
>>> You can check out multiple authentication rounds, it will provide
>>> with chain authentication using multiple backends.
>>>
>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>> mailto:char...@telco-tech.de>> wrote:
>>>
>>>  Hello everybody,
>>>
>>>  currently I do have the problem that I need to set up xauth but
>>> with a
>>>  custom authentication backend. To be more specific, I need to
>>> check if a
>>>  user that tries to authenticate with xauth exists in one of
>>> multiple
>>>  backends and if his/her credentials are correct (e.g.
>>> simultaneously
>>>  looking in a local DB, one or more LDAP directories and/or a
>>> RADIUS server).
>>>
>>>  Is there any way to perform custom authentication and
>>> authorization?
>>>
>>>  Sadly PAM is not an option/not available on this system.
>>>
>>>  The ext-auth plugin is missing the password, so I can't use it
>>> to check
>>>  if the user actually provided the correct credentials only if
>>> he/she
>>>  exists and is authorized to connect.
>>>
>>>  Best regards,
>>>  Christoph Harder
>>>
>>>
>>
>

Kind regards,



Re: [strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?

2019-08-21 Thread Michael Schwartzkopff
On 21.08.19 at 08:20, Houman wrote:
> Hello,
>
> I have multiple StrongSwan VPN servers set up and each of them has its own
> FreeRadius server. Each of the freeradius servers then points to the
> central database in a separate location. This works without any problem.
> But I wonder if this is the right approach after all.
>
> Maybe I should have only one FreeRadius server installed next to the
> database, and have each VPN server connect to the central freeradius server
> instead?
>
> As in setting *accounting = yes* and *address= [remote IP of freeradius
> server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.
>
> What is the most optimal way?
>
> Many Thanks,
> Houman
>

As always, it depends ...

First of all you need to write down, what you want to achieve.

Then you have to find the best solution for you. The "best" might be the
most simple, the easiest to maintain, the one with the least effort in
setting up, the one that has least components, the one with the least
complexity or a combination of everything.

What do you want to achieve? Authentication / Authorization of VPN
clients through a central backend database? Do you need accounting?

If your VPN servers do not differ I would set up two RADIUS servers (for
redundancy) that use the one database (master / slave setup for redundancy).

If your VPN servers differ and the outcome of your Authorization depends
on the VPN server, I would set up different virtual RADIUS servers.

But everything depends on your setup. Be sure you know what you want.


Kind regards,



Re: [strongSwan] Specifying RADIUS attributes per-connection?

2019-08-12 Thread Michael Schwartzkopff
On 12.08.19 at 16:02, brent s. wrote:
> On 8/12/19 9:55 AM, Tobias Brunner wrote:
>> Hi Brent,
>>
>>> 1.) The named connection that listens (and serves as a tunneled gateway)
>>> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
>>> and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
>>> so they get detected as unique NAS addresses. 203.0.113.2 should not
>>> route through 203.0.113.1 to the RADIUS server, and vice versa. This is
>>> to ensure that the correct NAS (and therefore the correct set of
>>> authentications) can be detected by RADIUS.
>> Can't you just use the appropriate attribute(s) in the requests from
>> strongSwan to make that distinction?
>>
>> Regards,
>> Tobias
>>
> Thanks Tobias-
>
> *Maybe*. I'd need to check if the authentication backend module I'm
> using in RADIUS would allow me to do that (and without breaking RADIUS
> for other services), but it's a good idea. It just feels strange to
> rewrite the NAS Identifier with what would that even be, the Called
> Station ID attribute?
>
>


You should be able to run RADIUS in debug mode. Then the RADIUS server
logs all attributes.

Inside the EAP tunnel a lot of attributes should be visible.


At least FreeRADIUS offers a lot of possibilities for return attributes.


Kind regards,



Re: [strongSwan] Need advice on how to connect multiple sites and hosts to a VPN

2019-04-25 Thread Michael Schwartzkopff
On 25.04.19 at 15:52, Marwan Khalili wrote:
> Hi,
>
> We currently have a host-to-site (roadwarrior) IKEv2 solution that we wish to 
> expand further. Our clients are calling for a solution that allows multiple 
> sites and hosts to connect to the same VPN.
>
> Example of a use case would be that a client has installed routers in various 
> offices and wishes to connect these networks to a VPN. The client also wishes 
> to connect multiple PCs to the VPN (e.g. from home).
>
> Does anyone have experience in how to set up such a solution or any advice 
> if/how it could be possible using strongSwan?
>
>

How many sites / offices do you want to connect?

Do you want to be able to communicate any-to-any? Or only from anyone to
a datacenter?

What architecture do you like to implement? A hub/spoke system would be
the easiest.


Kind regards,



Re: [strongSwan] Prevent traffic outside VPN

2019-04-05 Thread Michael Schwartzkopff
On 29.03.19 at 16:54, Tony Phillips wrote:
> When my tunnel comes up, locations at the destination of the VPN are 
> reachable as desired.
>
> However, in my use case, I want to prevent anything talking to the client on 
> its real interface (bypassing the tunnel).   Right now, even with the tunnel 
> up, I can SSH into the client's real eth0 interface's IP address *and* the 
> tunnel IP address.
>
> I've tried removing the original default route (and of course adding a 
> host-specific route so the client knows how to get to the VPN server), but that 
> still doesn't stop traffic from "outside" the VPN from reaching the client.
>
> Here's my ipsec.conf file:
>
> config setup
> charondebug=1
>
> conn %default
> ikelifetime=20m
> reauth=yes
> rekey=yes
> keylife=10m
> rekeymargin=3m
> rekeyfuzz=0%
> keyingtries=1
> type=tunnel
>
> conn test
> keyexchange=ikev1
> ikelifetime=1440m
> keylife=60m
> aggressive=yes
> ike=aes-sha1-modp1024
> esp=aes-sha1
> xauth=client
> left=10.181.43.20
> leftid=(omitted)
> leftsourceip=%modeconfig
> leftauth=psk
> rightauth=psk
> leftauth2=xauth
> right=10.248.1.2
> rightsubnet=0.0.0.0/
> xauth_identity=test
> auto=add
>
> From my understanding of the documentation, what I'm asking for SHOULD be the 
> default behavior.  But I'm obviously missing something.
>
> The address I'm given by the VPN server is in the 10.248.60/19 range.
>
>
>

Set up a local firewall. Trigger it with the setup of the tunnel.

Kind regards,


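One way to do what Michael suggests (a host firewall that is switched on when the tunnel comes up and off again when it goes down), as an added example that is neither from this list nor from the strongSwan project: a `leftupdown` script for the client. strongSwan really does pass PLUTO_VERB and PLUTO_PEER to updown scripts; the VPN_LOCK chain, the rule set, the IPTABLES and DRY_RUN variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing list or the strongSwan project.
# Install as e.g. leftupdown=/etc/ipsec.d/vpn-lock.sh in the client's conn.
# strongSwan passes PLUTO_VERB (up-client, down-client, ...) and PLUTO_PEER
# (the gateway's IKE address) in the environment; everything else here,
# including the VPN_LOCK chain and the DRY_RUN switch, is assumed.
IPTABLES=${IPTABLES:-iptables}
CHAIN=VPN_LOCK

# Print the INPUT-side rules that only admit IKE/ESP from the gateway ($1)
# and packets that arrived through an IPsec policy; everything else is dropped.
vpn_lock_rules() {
    peer=$1
    cat <<EOF
-N $CHAIN
-A $CHAIN -i lo -j ACCEPT
-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -s $peer -p udp --dport 500 -j ACCEPT
-A $CHAIN -s $peer -p udp --dport 4500 -j ACCEPT
-A $CHAIN -s $peer -p esp -j ACCEPT
-A $CHAIN -m policy --dir in --pol ipsec -j ACCEPT
-A $CHAIN -j DROP
-I INPUT 1 -j $CHAIN
EOF
}

# Print the rules that unhook and delete the chain again.
vpn_unlock_rules() {
    cat <<EOF
-D INPUT -j $CHAIN
-F $CHAIN
-X $CHAIN
EOF
}

# Feed each rule line from stdin to iptables; with DRY_RUN=1 only echo it.
apply_rules() {
    while read -r rule; do
        [ -n "$rule" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPTABLES $rule"
        else
            # shellcheck disable=SC2086  # word splitting of $rule is intended
            $IPTABLES $rule
        fi
    done
}

# Entry point when strongSwan calls the script; nothing runs when sourced.
case "${PLUTO_VERB:-}" in
    up-client|up-host)     vpn_lock_rules "$PLUTO_PEER" | apply_rules ;;
    down-client|down-host) vpn_unlock_rules | apply_rules ;;
esac
```

The chain is inserted in front of whatever the distribution's firewall (UFW in the thread above) already has, so an inbound SSH to the real eth0 address hits the DROP before any UFW rule can accept it, while packets decrypted from the tunnel pass the `policy` match. ESTABLISHED/RELATED still lets replies to connections the client itself opens outside the tunnel through; if those should be blocked too, add a matching OUTPUT chain that only accepts `-m policy --dir out --pol ipsec` and IKE/ESP to the peer. Run once with `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_PEER=<gateway> ./vpn-lock.sh` to see the rules before letting strongSwan apply them.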

Re: [strongSwan] VPN with sophos: remote deletes child SAs

2019-03-18 Thread Michael Schwartzkopff
On 18.03.19 at 10:19, Tobias Brunner wrote:
> Hi Michael,
>
>> Any additional ideas?
> Read the log on the Sophos side.
>
> Regards,
> Tobias

Thanks. I am already in the process of getting access to that device.


Kind regards,



[strongSwan] VPN with sophos: remote deletes child SAs

2019-03-15 Thread Michael Schwartzkopff
Hi,


we see a strange problem when trying to establish a VPN to a Sophos.
Initially strongswan sets up the child SAs:


charon: 10[NET] received packet: from x.x.x.x[500] to y.y.y.y[500] (1902
bytes)
charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
charon: 10[IKE] x.x.x.x is initiating an IKE_SA
charon: 10[IKE] remote host is behind NAT
charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 10[NET] sending packet: from y.y.y.y[500] to x.x.x.x[500] (1208
bytes)
charon: 12[NET] received packet: from x.x.x.x[24289] to y.y.y.y[4500]
(352 bytes)
charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
charon: 12[CFG] looking for peer configs matching 
charon: 12[CFG] selected peer config 'deleted'
charon: 12[IKE] authentication of 'remotehost' with pre-shared key
successful
charon: 12[IKE] authentication of 'y.y.y.y' (myself) with pre-shared key
charon: 12[IKE] IKE_SA profi[4] established between x.x.x.x and y.y.y.y

charon: 12[IKE] scheduling reauthentication in 10211s
charon: 12[IKE] maximum IKE_SA lifetime 10751s
charon: 12[IKE] CHILD_SA deleted{4} established with SPIs c8e82c4a_i
cb8713c3_o and TS y.y.y.y/32 === rightsubnet/24
charon: 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr
N(AUTH_LFT) ]
charon: 12[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[24289]
(224 bytes)


But then the remote side deletes the nice new SPIs on us:


charon: 14[NET] received packet: from x.x.x.x[24289] to y.y.y.y[4500]
(80 bytes)
charon: 14[ENC] parsed INFORMATIONAL request 2 [ D ]
charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI cb8713c3
charon: 14[IKE] closing CHILD_SA profi{4} with SPIs c8e82c4a_i (0 bytes)
cb8713c3_o (0 bytes) and TS y.y.y.y/32 === rightsubnet/24
charon: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c8e82c4a
charon: 14[IKE] CHILD_SA closed


I don't know what we misconfigured on the sophos side. I think we
configured both subnets on their side also.


Any additional ideas?

Kind regards,



Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Michael Schwartzkopff
Answers inline.

On 19.02.19 at 00:43, MOSES KARIUKI wrote:
> Dear Team,
>
> I have been having long days trying to configure Strongswan on Ubuntu
> 18.04. I am not able to connect to the VPN from Windows 10 client, after
> following the instructions on this link :
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2
> and setting up windows for modp_2048 following these instructions here :
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048

(...)

After starting IKE your server gets at some point an answer from the client

> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] parsed IKE_AUTH request 1 [
> EF(1/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 09[ENC] received fragment #1 of 3,
> waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (580 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] parsed IKE_AUTH request 1 [
> EF(2/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 10[ENC] received fragment #2 of 3,
> waiting for complete IKE message
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] splitting IKE message with length
> of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[NET] received packet: from
> 154.77.***.**[4500] to 102.1*9.2**.***[4500] (532 bytes)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [
> EF(3/3) ]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] received fragment #3 of 3,
> reassembling fragmented IKE message
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] parsed IKE_AUTH request 1 [
> IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi
> TSr ]

The answer was fragmented. But all fragments were received.


> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] received 53 cert requests for
> an unknown ca
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] looking for peer configs
> matching 102.1*9.2**.***[%any]...154.77.***.**[192.168.43.156]
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG]   candidate "ikev2-vpn",
> match: 1/1/28 (me/other/ike)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[CFG] selected peer config
> 'ikev2-vpn'
Your server found a config that matches the request.
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] EAP-Identity request
> configured, but not supported
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] initiating EAP_MSCHAPV2 method
> (id 0x64)
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] peer supports MOBIKE
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] authentication of
> '102.1*9.2**.***' (myself) with RSA signature successful
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[IKE] sending end entity cert
> "CN=102.1*9.2**.***"
> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] generating IKE_AUTH response 1
> [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]

Your server sends out the answer. The CN= is also uncommon.
Perhaps the client cannot authenticate the server?


> Feb 19 02:10:01 VM-e2b7 ipsec[1011]: 11[ENC] splitting IKE message with
> length of 1936 bytes into 2 fragments
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(1/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[ENC] generating IKE_AUTH response 1 [
> EF(2/2) ]
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (1236 bytes)
> Feb 19 02:10:01 VM-e2b7 charon: 11[NET] sending packet: from
> 102.1*9.2**.***[4500] to 154.77.***.**[4500] (772 bytes)
> Feb 19 02:10:01 VM-e2b7 kernel: [ 2543.189073] [UFW BLOCK] IN=ens3 OUT=
> MAC=06:97:9c:00:00:8f:00:1d:b5:c0:a7:c0:08:00 SRC=154.77.***.**
> DST=102.1*9.2**.*** LEN=52 TOS=0x10 PREC=0x20 TTL=116 ID=27223 DF PROTO=TCP
> SPT=54229 DPT=443 WINDOW=17520 RES=0x00 SYN URGP=0
> Feb 19 02:10:30 VM-e2b7 charon: 14[JOB] deleting half open IKE_SA with
> 154.77.***.** after timeout


But gets no answer. So after the timeout the server deletes the
half-open session.


Please check on the client, why it does not answer the packet. Are there
logs on the client? Perhaps the auth methods are not accepted. Does the
client get this packet at all? Why does the client send a packet on port
tcp/443, that is dropped by the firewall of the server?

Perhaps the client wants authentication with certificates but the CA is
not installed on the VPN server?


> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for us:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  0.0.0.0/0
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG] proposing traffic selectors for
> other:
> Feb 19 02:13:28 VM-e2b7 charon: 13[CFG]  dynamic
>
> Please assist with this. I am almost there.
>
> Thanks in advance.
>
> regards,
> Moses K
>

Kind regards,


[strongSwan] VPN with dynamic routing

2019-02-01 Thread Michael Schwartzkopff
Hi,

In some projects the problem of dynamic routing in combination with VPN
came up.


I went to my lab and found a solution with route based VPN and BGP. The
software I used was strongSwan and bird for BGP.


If you are interested you can find the documentation

VPN part: https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

BGP part: https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Please mail me for any feedback. Thanks.


Kind regards,


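As an added illustration of the route-based setup the two blog posts above describe, taken neither from them nor from strongSwan's own examples: a swanctl.conf for one site that uses an XFRM interface (Linux 4.19 and strongSwan 5.8 or newer; the posts from early 2019 may well use VTI instead), so that the child SA carries whatever BGP routes point at the interface. The addresses, identities, certificate file names and the interface id 42 are assumptions; the option names are real.

```conf
# /etc/swanctl/conf.d/site-b.conf  (added example; all values assumed)
#
# Route-based IPsec: the traffic selectors are 0.0.0.0/0 on both sides, so the
# IPsec policy never decides reachability. Instead the kernel routes whatever
# bird learns via BGP to the XFRM interface bound to this SA:
#   ip link add ipsec0 type xfrm dev eth0 if_id 42
#   ip addr add 169.254.42.1/30 dev ipsec0
#   ip link set ipsec0 up
# and bird peers with 169.254.42.2 across ipsec0. strongswan.conf must also set
#   charon { install_routes = no }
# so that charon does not install a 0.0.0.0/0 route of its own in table 220.
connections {
    site-b {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        proposals = aes256gcm16-sha256-ecp256
        local {
            auth  = pubkey
            certs = site-a.pem
            id    = site-a.example.net
        }
        remote {
            auth = pubkey
            id   = site-b.example.net
        }
        children {
            tunnel {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # the SA and the interface carry the same id in both directions
                if_id_in  = 42
                if_id_out = 42
                esp_proposals = aes256gcm16-ecp256
                dpd_action    = restart
                start_action  = start
            }
        }
    }
}
```

Because the selectors are wide open, the policy no longer limits what the other site may send: filter on `ipsec0` in the host firewall as you would on any untrusted interface, and give bird an import filter that only accepts the prefixes the peer is expected to announce, otherwise a compromised peer can attract traffic for any destination simply by announcing it.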

Re: [strongSwan] fallback to local secrets when RADIUS server unavailable

2018-12-04 Thread Michael Schwartzkopff
On 04.12.18 at 14:09, Dmitry Soloshenko wrote:
> Hello, Tobias.
>
> Thank you for response.
>
>>> As an example, on Cisco router I would create 2 access groups and
>>> have 2
>>> profiles on Cisco VPN client: one for local auth, one for RADIUS.
>> And how/when does it switch between the two?
> In Cisco VPN client  access group name is specified in profile
> settings and this name is sent to VPN server during connection. User
> selects specific profile to connect to VPN server.
> For different access groups there are separate sections in config on
> VPN server, so one can specify different auth methods.

You can configure this with policies in the FreeRADIUS server.


>>> Any thoughts? Technical support clients are mostly Windows built-in
>>> VPN.
>> That's bad, because that client neither sends a remote identity (IDr is
>> never sent), nor any useful client identity (IDi, which just contained
>> the private IP address at one time when EAP was used, but that might
>> depend on the Windows version).  So with such clients your options are
>> limited, I'm afraid (using machine certificates, i.e. not EAP-TLS, would
>> work though).
> Ok, I think I may try machine certificates.
>

FreeRADIUS is very configurable. You can set up policies that trigger if
certain conditions hold.


Kind regards,


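An added example that ties together the three RADIUS threads above (two RADIUS servers for redundancy, an either/or lookup across several backends with the fail-over construct the linked wiki page describes, and per-gateway policies), not from the list and not from the strongSwan or FreeRADIUS projects: the eap-radius.conf of one strongSwan gateway and a FreeRADIUS 3 virtual server in unlang. The server addresses, shared secrets, the module instance names sql_primary, sql_replica and ldap, and the NAS identifier vpn-staff are assumptions; the option names in eap-radius.conf and the unlang keywords are real.

```conf
# --- /etc/strongswan.d/charon/eap-radius.conf on each gateway (added example)
eap-radius {
    load = yes
    accounting = yes
    # sent as NAS-Identifier; the FreeRADIUS policy below keys on it
    nas_identifier = vpn-staff
    servers {
        rad1 {
            address = 10.0.0.11
            secret = PLACEHOLDER_SECRET_1
            auth_port = 1812
            acct_port = 1813
            preference = 10    # the highest preference is tried first
        }
        rad2 {
            address = 10.0.0.12
            secret = PLACEHOLDER_SECRET_2
            auth_port = 1812
            acct_port = 1813
            preference = 5     # used while rad1 does not answer
        }
    }
}

# --- /etc/raddb/sites-available/vpn on both RADIUS servers (added example)
server vpn {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    authorize {
        preprocess
        # Per-gateway policy: the staff gateway never consults SQL, only LDAP.
        # strongSwan always sends a NAS-Identifier ("strongSwan" by default).
        if (&NAS-Identifier != "vpn-staff") {
            # Fail-over: the replica is consulted only when the primary
            # database returns "fail" (e.g. it is down), not on "notfound".
            redundant {
                sql_primary
                sql_replica
            }
        }
        # Either/or: users unknown to SQL are looked up in LDAP. If LDAP knows
        # them, the password is verified by an LDAP bind in authenticate.
        if (!&control:Cleartext-Password && !&control:NT-Password) {
            ldap
            if (ok || updated) {
                update control {
                    &Auth-Type := LDAP
                }
            }
        }
        # No backend knew this user: reject instead of failing silently later.
        if (!&control:Auth-Type && !&control:Cleartext-Password && !&control:NT-Password) {
            reject
        }
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
    }
    accounting {
        sql_primary    # accounting writes go to the primary only
    }
}
```

Two things to keep in mind: strongSwan only moves on to the next server when one stops answering, an Access-Reject is an authoritative answer and is not retried elsewhere; and the LDAP bind needs the clear-text password, which XAUTH delivers but EAP-MSCHAPv2 (the Windows built-in client in the thread above) does not, so users of that client have to exist with an NT-Password in a backend that returns it. `radiusd -X` prints which branch each request took.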

[strongSwan] dpd action restart

2018-09-16 Thread Michael Schwartzkopff
Hi,


what does the ipsec client exactly do when the dpd action "restart" is
configured? Ok, it tries to reestablish the VPN connection. But does the
client do a new DNS resolution if a FQDN is configured as the "right"
parameter?

Is there any hook to force the client to do a new DNS lookup?

Kind regards,



Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Michael Schwartzkopff
On 16.09.2018 at 13:23, Markus P. Beckhaus wrote:
> Hi Michael,
>
> thanks for your fast reply. The background of my question is to implement 
> failover with strongswan standard mechanisms wherever possible.
>
> In fact I do have *swan implementations in the field with wrappers for load 
> distribution and failover, but I'd rather get rid of as much individual code 
> as I can.
>
> Best Regards
>
> Markus 
>
>
>
> On 16.09.18, 10:42, "Users on behalf of Michael Schwartzkopff"
> wrote:
>
> 
> On 16.09.2018 at 09:34, Markus P. Beckhaus wrote:
> > Dear all,
> >
> > we are thinking about using a DNS Load-Balancer to distribute a huge 
> count of strongswan clients to multiple VPN gateways. Also, the DNS 
> Load-Balancer should detect the failure of VPN gateways and remove them from 
> the DNS responses, thus providing a kind of availability and failover.
> >
> > Here is the challenge:
> > If the strongswan client detects the failure of a connection (e.g. 
> DPD), it must send a new DNS request to retrieve a list of still available 
> gateways and reconnect to one of them.
> >
> > From what I have read, I believe strongswan only does the DNS 
> resolution of the peer only once, when it reads the connection configuration.
> >
> > Does anyone have an idea how to solve the described requirement. 
> Naturally, any alternative proposals to address this load distribution and 
> failover requirements are welcome.
> >
> > Best Regards
> > --
> > Markus
> >
> 
> hi,
> 
> 
> we implemented a kind of such solution.
> 
> 
> We had all VPN server in one or two datacenters that were close to each
> other. So need for a geographic distribution of the clients.
> 
> DNS also was our first idea, but for some reasons we finally chose a
> wrapper solution for the client config.
> 
> 
> DNS also should be possible and finally be superior solution. But you
> really want to implement DNSsec. You also could distribute keys or
> certificates of the servers in DNS. Thus the need to install (and
> update) the server authority on the clients is solved.
> 
> 
> After all, this should work quite well.
> 
> 
> Kind regards,
> 
>

Hi,


answering to the list, since it might be of general interest.


First of all, in my opinion you want to have a local loadbalancer in a
datacenter. It distributes the clients to the several servers in the
datacenter. Especially if you have some 100k clients, you need multiple
servers in each datacenter.

Loadbalancers detect outages of servers and redirect the client to the
next available server.


DNS RR distribution: The problem, as far as I see, is that the ipsec
client cannot detect the availability of a VPN server and automatically
fail over to the next available server. When the client starts and the
FQDN of the server is configured, it looks up the A (or ) RR in DNS.
It tries to connect to that IP address even if it is not available any more.

A wrapper does nothing else than check the availability of the VPN server
in use and reconfigure the connection to the next best available server
if the server went down. The wrapper can also measure the answering time
to choose the next best available.


The wrapper is completely separate from the VPN client (ipsec) software
that established the connection. The wrapper uses the swanctl interface
to re-configure the VPN client in that case.


DNS with DNSsec is cool since you can use it to do the authentication of
the VPN server completely in DNS. No third-party CAs any more that you
have to distribute to your clients.


Greetings,


Kind regards,



Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Michael Schwartzkopff
On 16.09.2018 at 09:34, Markus P. Beckhaus wrote:
> Dear all,
>
> we are thinking about using a DNS Load-Balancer to distribute a huge count of 
> strongswan clients to multiple VPN gateways. Also, the DNS Load-Balancer 
> should detect the failure of VPN gateways and remove them from the DNS 
> responses, thus providing a kind of availability and failover.
>
> Here is the challenge:
> If the strongswan client detects the failure of a connection (e.g. DPD), it 
> must send a new DNS request to retrieve a list of still available gateways 
> and reconnect to one of them.
>
> From what I have read, I believe strongswan only does the DNS resolution of 
> the peer only once, when it reads the connection configuration.
>
> Does anyone have an idea how to solve the described requirement. Naturally, any 
> alternative proposals to address this load distribution and failover 
> requirements are welcome.
>
> Best Regards
> --
> Markus
>

hi,


we implemented a kind of such solution.


We had all VPN server in one or two datacenters that were close to each
other. So need for a geographic distribution of the clients.

DNS also was our first idea, but for some reasons we finally chose a
wrapper solution for the client config.


DNS also should be possible and finally be superior solution. But you
really want to implement DNSsec. You also could distribute keys or
certificates of the servers in DNS. Thus the need to install (and
update) the server authority on the clients is solved.


After all, this should work quite well.


Kind regards,



Re: [strongSwan] Multiple VPN servers possible?

2018-01-15 Thread Michael Schwartzkopff
On 14.01.2018 at 15:34, Noel Kuntze wrote:
> Hi,
>
> A wrapper script or some patches to strongSwan and add a feature to VICI to 
> specify a different destination IP for the CHILD_SA you want to initiate.
>
> Kind regards
>
> Noel
>
> On 12.01.2018 20:56, Michael Schwartzkopff wrote:
>> Hi,
>>
>>
>> is it possible to configure several / multiple VPN servers as entry
>> points to a data center?
>>
>>
>> My idea is to have several VPN servers with different IP addresses. The
>> client checks which one is available and connects to it to get a
>> connection to the data center.
>>
>>
>> Is this scenario possible with strongswan? How? Or do I have to write a
>> wrapper script to dynamically reconfigure strongswan?
>>
>> Thanks for any hints in the right direction.
>>
>> Kind regards,
>>

Hi,

I also thought about a wrapper script that checks the availability of the
VPN servers and controls strongswan to use the server that sends the
best answer. The definition of "best" would be fastest, closest, or some
other metric.


To whom would I have to talk to get strongswan patched to add this
feature to the source code?


Kind regards,

Michael Schwartzkopff
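A sketch of such a wrapper that combines the two ideas from this thread: gateway records published in DNS, used only when the answer was DNSSEC-validated, and a probe that picks the best reachable server with some hysteresis so the client does not flap. This is an added example, not code from the thread or from strongSwan. It assumes the IPSECKEY record format (RFC 4025), that the DNS lookup and the per-server probe are supplied by the caller (a validating resolver providing the AD flag, and a callable returning an RTT, for instance wrapping ike-scan as mentioned later on this page or a VICI-driven test connection), and that the conn name, subnets, addresses (192.0.2.x documentation range), keys and RTTs below are constructed sample data.

```python
"""Server selection for a strongSwan client: gateways published in DNS as
IPSECKEY records (RFC 4025), trusted only when DNSSEC-validated, probed for
RTT, and the winner rendered into an ipsec.conf stanza.

Added example (not from this thread or from strongSwan). The DNS query and
the probe are supplied by the caller: 'rdatas' are the records a validating
resolver returned, 'dnssec_validated' is its AD flag, and 'probe' is any
callable returning an RTT in ms or None. All sample data is constructed.
"""
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class IpsecKey:
    precedence: int     # lower value = preferred gateway
    gateway_type: int   # 0 none, 1 IPv4, 2 IPv6, 3 domain name
    algorithm: int      # 0 none, 1 DSA, 2 RSA (3 ECDSA, RFC 8005)
    gateway: str
    public_key: str     # base64 as published in DNS


def parse_ipseckey(rdata: str) -> IpsecKey:
    """Presentation format: '<precedence> <gw-type> <algorithm> <gateway> <base64-key>'."""
    fields = rdata.split(None, 4)
    if len(fields) != 5:
        raise ValueError(f"malformed IPSECKEY rdata: {rdata!r}")
    prec, gtype, alg, gw, key = fields
    rec = IpsecKey(int(prec), int(gtype), int(alg), gw, "".join(key.split()))
    if not (0 <= rec.precedence <= 255) or rec.gateway_type not in (0, 1, 2, 3):
        raise ValueError(f"out-of-range field in IPSECKEY rdata: {rdata!r}")
    return rec


def gateways_from_dns(rdatas: List[str], dnssec_validated: bool) -> List[IpsecKey]:
    """Refuse unsigned answers outright: without DNSSEC a spoofed reply could
    pick both the gateway and the key the client will trust."""
    if not dnssec_validated:
        raise RuntimeError("IPSECKEY answer not DNSSEC-validated; refusing to use it")
    recs = [parse_ipseckey(r) for r in rdatas]
    # gateway type 0 carries a key but no address/name to connect to
    return sorted((r for r in recs if r.gateway_type in (1, 2, 3)),
                  key=lambda r: r.precedence)


ProbeFn = Callable[[str], Optional[float]]   # RTT in ms, None if unreachable


def choose_gateway(candidates: List[IpsecKey], probe: ProbeFn,
                   current: Optional[str] = None, samples: int = 3,
                   min_gain_ms: float = 20.0) -> Optional[str]:
    """Probe each candidate a few times, take the median RTT, and keep the
    current gateway unless another one is faster by at least min_gain_ms."""
    medians: Dict[str, float] = {}
    for rec in candidates:
        rtts = [r for r in (probe(rec.gateway) for _ in range(samples)) if r is not None]
        if len(rtts) >= (samples + 1) // 2:      # a majority of probes answered
            medians[rec.gateway] = statistics.median(rtts)
    if not medians:
        return None
    best = min(medians, key=medians.get)
    if current in medians and medians[current] - medians[best] < min_gain_ms:
        return current                            # hysteresis: not worth a reconnect
    return best


def render_conn(name: str, gateway: str, leftsubnet: str, rightsubnet: str) -> str:
    """ipsec.conf stanza for the selected gateway (keys as used on this page)."""
    return (f"conn {name}\n"
            f"    right={gateway}\n"
            f"    leftsubnet={leftsubnet}\n"
            f"    rightsubnet={rightsubnet}\n"
            f"    auto=start\n")


# Constructed sample: two gateways in DNS, placeholder keys, both reachable.
SAMPLE_RDATAS = [
    "10 1 2 192.0.2.10 QUJDREVGR0hJSktMTU5PUA==",
    "20 1 2 192.0.2.20 QUJDREVGR0hJSktMTU5PUA==",
]
SAMPLE_RTT = {"192.0.2.10": 45.0, "192.0.2.20": 30.0}


def sample_probe(gateway: str) -> Optional[float]:
    return SAMPLE_RTT.get(gateway)


if __name__ == "__main__":
    gws = gateways_from_dns(SAMPLE_RDATAS, dnssec_validated=True)
    chosen = choose_gateway(gws, sample_probe)
    print(render_conn("dc", chosen, "10.1.0.0/16", "10.0.0.0/8"))
```

The rendered stanza still has to be written to the client's config and activated (for example with `ipsec reload` followed by `ipsec up`, or via VICI as Noel suggests); the hysteresis threshold is what keeps a client from bouncing between two servers with similar latency every time the script runs.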


[strongSwan] Multiple VPN servers possible?

2018-01-12 Thread Michael Schwartzkopff
Hi,


is it possible to configure several / multiple VPN servers as entry
points to a data center?


My idea is to have several VPN servers with different IP addresses. The
client checks which one is available and connects to it to get a
connection to the data center.


Is this scenario possible with strongswan? How? Or do I have to write a
wrapper script to dynamically reconfigure strongswan?

Thanks for any hints in the right direction.

Kind regards,

Michael Schwartzkopff


Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-10 Thread Michael Schwartzkopff
On 10.01.2018 at 04:39, RA wrote:
> Hi.
>
> Thanks for your reply.  'NT-Password'  isn't working with Strongswan
> though radtest is checking it just fine:
>
> # smbencrypt mypass
> LM Hash NT Hash
> 
> 92315C8B485693A7AAD3B435B51404EE
> E0C32CDA6F6ECC163F442D002BBA3DAF
>
> # INSERT INTO radcheck (username, attribute, op, VALUE) VALUES
> # ('mylogin', 'NT-Password', ':=', 'E0C32CDA6F6ECC163F442D002BBA3DAF');
>
> # radtest mylogin mypass my.radius.server 10 mysecret
> Sending Access-Request of id 237 to x.x.x.x port 1812
> User-Name = "mylogin"
> User-Password = "mypass"
> NAS-IP-Address = x.x.x.x
> NAS-Port = 10
> Message-Authenticator = 0x
> rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=237, length=20
> Do I need to make any changes on the radius or Strongswan side to make
> them work with NT-Password?
> Thanks & Regards,
> Ron

Hi,

this depends on your config. Does your client offer "ms-chapv2" as auth
mech? Perhaps it is better to use EAP (eap-radius in strongswan).

For debugging please look at the output of radiusd -X. Or paste the
output here.


> - Original message -
> From: Giuseppe De Marco 
> To: RA 
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: 
> Possible?Date: Tue, 9 Jan 2018 15:46:04 +0100
>
> Hi RA,
> Yes you can, I use NT-Password instead.
> I get this working on LDAP and Freeradius 
>
> 2018-01-09 14:07 GMT+01:00 RA :
>> Hi.
>>
>>  I have been able to follow the guides and tutorials online and
>>  successfully setup a Strongswan IKEv2 server which authenticates with
>>  a Freeradius server with MySQL back-end. Everywhere I saw
>>  instructions like these only:> 
>>  INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('test',
>>  'Cleartext-Password', ':=', 'pass123');> 
>>  Now this works just fine but I don't want to store plain text
>>  passwords in database and would prefer the "VALUE" column to be
>>  hashed in some way. But being new to this, I just don't know how &
>>  would be really glad if someone can provide pointers. Not sure
>>  whether its even possible or not.> 
>>  Thanks in advance.
>>
>>  Regards.
>>  Ron
>

Kind regards,

Michael Schwartzkopff


[strongSwan] Authorisation in vici?

2017-12-17 Thread Michael Schwartzkopff
Hi,


is there any kind of authentication / authorization in the vici
interface? Or does everybody that has access to the socket (or tcp
socket) have full control over charon?


I did not find anything in the docs.


Kind regards,

Michael Schwartzkopff


Re: [strongSwan] Monitoring strongswan

2017-12-14 Thread Michael Schwartzkopff
On 14.12.2017 at 11:49, Michael Stiller wrote:
> Ah ok, 
>
> for that I enabled the vici plugin in strongswan and have a Go program using  
> github.com/bronze1man/goStrongswanVici which implements a small http 
> listening healthcheck program.
>
> Best regards,
>
> Michael


Sounds good. I will give it a try. Thanks

>
>> On 14. Dec 2017, at 11:43, Michael Schwartzkopff <m...@sys4.de> wrote:
>>
>> On 14.12.2017 at 11:40, Michael Stiller wrote:
>>> Hi.
>>>
>>> What I do is that I have another strongswan setup on (another) monitoring 
>>> machine.
>>>
>>> This one tries to connect to the vpn server periodically using a special 
>>> "monitoring user / monitoring command”.
>>>
>>> After the connection succeeded I do a “curl” to an "ip address mirror” and 
>>> compare it with the expected value (e.g. address of the vpn server)
>>>
>>> If not -> alarm.
>>>
>>> Best regards,
>>>
>>> Michael
>> Thanks for your answer. But that will not help in my case.
>>
>> Basically I am trying to set up a loadbalancer for a scalable VPN server
>> farm. The loadbalancer should detect, which backend VPN server is up and
>> which is down.
>>
>> At the moment I try ike-scan to check the availability of my backend
>> servers.
>>
>> Michael.
>>
>>
>>>> On 14. Dec 2017, at 11:29, Michael Schwartzkopff <m...@sys4.de> wrote:
>>>>
>>>> Hi,
>>>>
>>>>
>>>> What is the best way to do a fault monitoring of a strongswan server? In
>>>> the first place, my monitoring service should check if the server is
>>>> able to offer the VPN service, which means i.e. that UDP/500 will send a
>>>> correct answer if checked from the outside.
>>>>
>>>>
>>>> Any ideas?
>>>>
>>>>
>>>> Kind regards,
>>>>
>>>> Michael Schwartzkopff
>>>>
>> Kind regards,
>>
>> Michael Schwartzkopff


Kind regards,

Michael Schwartzkopff
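A small VICI-driven health endpoint in the spirit of what Michael Stiller describes above (vici plugin plus an HTTP listener a load balancer can poll). This is an added example, not the goStrongswanVici program he mentions. It assumes strongSwan's own Python vici binding for the live path (`vici.Session().list_sas()`), whose output it inspects; the decision logic only needs the dictionaries that call returns, so it is exercised here on a constructed snapshot without a running charon. The connection name `monitor`, the listen address and the half-open threshold are placeholders.

```python
"""VICI health check for a strongSwan backend behind a load balancer.

Added example, not the goStrongswanVici program from the thread. The live
path assumes strongSwan's Python 'vici' binding (vici.Session().list_sas());
evaluate() works on the dictionaries that call returns and is exercised on a
constructed snapshot below.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, List, Tuple


def _s(v: Any) -> str:
    # the vici Python binding returns attribute values as bytes
    return v.decode() if isinstance(v, (bytes, bytearray)) else str(v)


def evaluate(sas: List[Dict[str, Dict[str, Any]]], required: List[str],
             max_half_open: int = 100) -> Tuple[bool, Dict[str, Any]]:
    """Healthy iff every required connection has an ESTABLISHED IKE_SA with an
    INSTALLED CHILD_SA, and the number of IKE_SAs stuck in CONNECTING stays
    below max_half_open (a pile of half-open SAs is worth an alarm even while
    the monitoring tunnel itself still works)."""
    established = set()
    half_open = 0
    for entry in sas:                      # list_sas() yields one {name: ike_sa} per SA
        for name, ike in entry.items():
            state = _s(ike.get("state", ""))
            if state == "CONNECTING":
                half_open += 1
                continue
            if state != "ESTABLISHED":
                continue
            children = ike.get("child-sas", {}) or {}
            if any(_s(c.get("state", "")) == "INSTALLED" for c in children.values()):
                established.add(_s(name))
    missing = [r for r in required if r not in established]
    ok = not missing and half_open < max_half_open
    return ok, {"missing": missing, "half_open": half_open,
                "established": sorted(established)}


def live_snapshot(required: List[str]) -> Tuple[bool, Dict[str, Any]]:
    import vici                            # strongSwan's binding; needed only on the VPN host
    session = vici.Session()               # default socket /var/run/charon.vici
    return evaluate(list(session.list_sas()), required)


class HealthHandler(BaseHTTPRequestHandler):
    required: List[str] = []

    def do_GET(self) -> None:
        try:
            ok, detail = live_snapshot(self.required)
        except Exception as exc:           # socket missing, charon down, ...
            ok, detail = False, {"error": str(exc)}
        body = json.dumps({"ok": ok, **detail}).encode()
        self.send_response(200 if ok else 503)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(required: List[str], host: str = "127.0.0.1", port: int = 8080) -> None:
    """Bind on an address only the load balancer can reach; the endpoint
    leaks SA names, so it should not face the Internet."""
    HealthHandler.required = required
    HTTPServer((host, port), HealthHandler).serve_forever()


# Constructed snapshot: the monitoring tunnel is up, one client is still negotiating.
SAMPLE_SAS = [
    {"monitor": {"state": b"ESTABLISHED",
                 "child-sas": {"monitor": {"state": b"INSTALLED"}}}},
    {"rw-1": {"state": b"CONNECTING", "child-sas": {}}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_SAS, ["monitor"]))
    serve(["monitor"])
```

Returning 503 rather than 200 with a JSON error is deliberate: most load balancers only look at the status code, so a backend whose charon died is taken out of rotation without the balancer having to parse the body.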


[strongSwan] Monitoring strongswan

2017-12-14 Thread Michael Schwartzkopff
Hi,


What is the best way to do a fault monitoring of a strongswan server? In
the first place, my monitoring service should check if the server is
able to offer the VPN service, which means i.e. that UDP/500 will send a
correct answer if checked from the outside.


Any ideas?


Kind regards,

Michael Schwartzkopff


Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Michael Schwartzkopff
On 15.11.2017 at 09:58, Houman wrote:
> Hallo Michael,
>
>
> Thanks for your reply.  Indeed I should have checked the radius log.  It
> seems the shared secret is incorrect, but there do match in configs as
> pasted below.
> Where else could the secret have been used that I have missed?  Thanks
>
> *vim /var/log/freeradius/radius.log*
>
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Attempting to connect to
> database "radius"
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (0), 1 of 32 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (1), 1 of 31 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (2), 1 of 30 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (3), 1 of 29 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (4), 1 of 28 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Need 5 more connections to reach 10 spares
> Wed Nov 15 08:49:50 2017 : Info: rlm_sql (sql): Opening additional
> connection (5), 1 of 27 pending slots used
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server 
> Wed Nov 15 08:49:50 2017 : Warning: Ignoring "ldap" (see
> raddb/mods-available/README.rst)
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server default
> Wed Nov 15 08:49:50 2017 : Info:  # Skipping contents of 'if' as it is
> always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:331
> Wed Nov 15 08:49:50 2017 : Info: Loaded virtual server inner-tunnel
> Wed Nov 15 08:49:50 2017 : Info: Ready to process requests
> Wed Nov 15 08:49:57 2017 : Info: Dropping packet without response because
> of error: Received packet from 127.0.0.1 with invalid
> Message-Authenticator!  (Shared secret is incorrect.)
>
>
>
> *vim /etc/strongswan.conf*
>
> charon {
>   load_modular = yes
>   compress = yes
>  plugins {
> include strongswan.d/charon/*.conf
>eap-radius {
> servers {
> server-a {
> accounting = yes
> secret = 123456
> address = 127.0.0.1
> auth_port = 1812
> acct_port = 1813
> }
> }
> }
> }
> include strongswan.d/*.conf
> }
>
>
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
> secret  = 123456
> nas_type= other
> shortname   = 0.0.0.0
> require_message_authenticator = no
> }
>
>
>
> On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:
>
>> On 15.11.2017 at 08:24, Houman wrote:
>>> Hi,
>>>
>>> I'm new to the concept of EAP and might be misunderstanding something.
>>> Apologies up front.
>>>
>>> I have finally been able to install FreeRadius and enable the SQL module.
>>> I have created a user in the database and was hoping to establish a VPN
>>> connection via that user.
>>>
>>> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
>>> ('houman','Cleartext-Password',':=','test123');
>>>
>>>
>>> When I try to connect from my MacBook into the StrongSwan server I get
>> this
>>> log. It looks promising but eventually, it says initiating EAP_RADIUS
>>> method failed.
>>>
>>> I'm not quite sure if this has failed due a bad configuration on my side
>> or
>>> it is for other reasons that I don't quite understand how EAP should
>> work.
>>> Please be so kind and advise,
>>> Thanks,
>>> Houman
>>>
>>>
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
>>> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT
>> request 0
>>> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is
>> initiating
>>> an IKE_SA
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
>>> sending keep alives
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
>>> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH)
> >
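The check FreeRADIUS reports as failing in the log quoted above ("invalid Message-Authenticator! (Shared secret is incorrect.)") can be reproduced offline on a captured packet. This added example (not strongSwan or FreeRADIUS code) builds the kind of Access-Request radtest sends and then verifies its Message-Authenticator under a candidate secret, which tells you whether a packet really was signed with the secret you think the NAS uses. The Request Authenticator and the packet are constructed for reproducibility; the secret 123456 is the one from the configs quoted above.

```python
"""Verify a RADIUS Message-Authenticator against a candidate shared secret.

Added example, not strongSwan or FreeRADIUS code. RFC 2869 section 5.14:
Message-Authenticator = HMAC-MD5(shared_secret, packet) computed with the
attribute's 16 value bytes set to zero. Sample packet is constructed.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with an
    MD5 chain over secret + Request Authenticator (obfuscation, not encryption)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], digest))
        out += prev
    return out


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         authenticator: bytes) -> bytes:
    """Access-Request with User-Name, User-Password and a correct
    Message-Authenticator: the shape radtest sends."""
    attrs = struct.pack("BB", ATTR_USER_NAME, 2 + len(username)) + username
    hidden = _hide_password(password, secret, authenticator)
    attrs += struct.pack("BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    ma_offset = 20 + len(attrs) + 2                   # where the 16 MA value bytes go
    attrs += struct.pack("BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()   # computed over the zeroed packet
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """(type, value_offset, value) per attribute; malformed lengths raise
    instead of reading past the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    pos, out = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True iff the packet carries a Message-Authenticator valid under secret."""
    for atype, off, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False          # absent: treat as unverifiable rather than as valid


# Constructed sample: radtest-style request for 'mylogin' with secret '123456'.
SAMPLE_AUTHENTICATOR = bytes(range(16))   # fixed for reproducibility; real ones are random
SAMPLE_PACKET = build_access_request(237, b"123456", b"mylogin", b"mypass", SAMPLE_AUTHENTICATOR)

if __name__ == "__main__":
    print(verify_message_authenticator(SAMPLE_PACKET, b"123456"))     # True
    print(verify_message_authenticator(SAMPLE_PACKET, b"testing123"))  # False
```

To use this on a real capture, feed the UDP payload of the request from a pcap to `verify_message_authenticator` with each secret you believe is in play. One thing to check when the failing request comes from 127.0.0.1 as in the log above: FreeRADIUS selects the client block by the most specific match for the source address, so a separate clients.conf entry for 127.0.0.1 (the stock configuration ships a `localhost` one) is consulted before a catch-all entry, and its secret is the one that must equal the eap-radius secret in strongswan.conf.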

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-14 Thread Michael Schwartzkopff
On 15.11.2017 at 08:24, Houman wrote:
> Hi,
>
> I'm new to the concept of EAP and might be misunderstanding something.
> Apologies up front.
>
> I have finally been able to install FreeRadius and enable the SQL module.
> I have created a user in the database and was hoping to establish a VPN
> connection via that user.
>
> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES
> ('houman','Cleartext-Password',':=','test123');
>
>
> When I try to connect from my MacBook into the StrongSwan server I get this
> log. It looks promising but eventually, it says initiating EAP_RADIUS
> method failed.
>
> I'm not quite sure if this has failed due a bad configuration on my side or
> it is for other reasons that I don't quite understand how EAP should work.
>
> Please be so kind and advise,
> Thanks,
> Houman
>
>
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] received packet: from
> 88.98.201.107[51247] to 172.31.9.51[500] (300 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] parsed IKE_SA_INIT request 0
> [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] 88.98.201.107 is initiating
> an IKE_SA
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] local host is behind NAT,
> sending keep alives
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[IKE] remote host is behind NAT
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 13[NET] sending packet: from
> 172.31.9.51[500] to 88.98.201.107[51247] (316 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] received packet: from
> 88.98.201.107[51248] to 172.31.9.51[4500] (344 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] unknown attribute type (25)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] parsed IKE_AUTH request 1 [
> IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] looking for peer configs
> matching 172.31.9.51[vpn2.t.com]...88.98.201.107[vpn2.t.com]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[CFG] selected peer config
> 'roadwarrior'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] initiating EAP_IDENTITY
> method (id 0x00)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] peer supports MOBIKE
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] authentication of 'vpn2.t.com'
> (myself) with RSA signature successful
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending end entity cert "CN=
> vpn2.t.com"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[IKE] sending issuer cert "C=US,
> O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] splitting IKE message with
> length of 3334 bytes into 7 fragments
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(1/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(2/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(3/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(4/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(5/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(6/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[ENC] generating IKE_AUTH response
> 1 [ EF(7/7) ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: message repeated 5 times: [ 14[NET]
> sending packet: from 172.31.9.51[4500] to 88.98.201.107[51248] (544 bytes)]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 14[NET] sending packet: from
> 172.31.9.51[4500] to 88.98.201.107[51248] (440 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[NET] received packet: from
> 88.98.201.107[51248] to 172.31.9.51[4500] (80 bytes)
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/ID ]
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[IKE] received EAP identity
> 'houman'
> Nov 15 07:13:21 ip-172-31-9-51 charon: 15[CFG] sending RADIUS
> Access-Request to server 'server-a'
> Nov 15 07:13:23 ip-172-31-9-51 charon: 15[CFG] retransmit 1 of RADIUS
> Access-Request (timeout: 2.8s)
> Nov 15 07:13:24 ip-172-31-9-51 charon: 06[MGR] ignoring request with ID 2,
> already processing
> Nov 15 07:13:26 ip-172-31-9-51 charon: 15[CFG] retransmit 2 of RADIUS
> Access-Request (timeout: 3.9s)
> Nov 15 07:13:27 ip-172-31-9-51 charon: 05[MGR] ignoring request with ID 2,
> already processing
> Nov 15 

Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Michael Schwartzkopff
On 13.09.2017 at 17:33, Eric Germann wrote:
> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
> interesting traffic going and it will stay up.
>
> If you have the ability to set "auto = route" it will reestablish the tunnel 
> as needed. We run several hundred tunnels this way in AWS without issue.  
>
> EKG
>
>
>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <tu...@bayour.com> wrote:
>>
>> I’m trying to setup a tunnel between two regions in
>> AWS.
>>
>> Works fine, other than the fact that Strongswan seems to take
>> down the tunnel automatically (?) after a few hours.
>>
>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>> the tunnel goes down, for whatever reason, that it will reinitiate
>> the connection automatically?
>>
Dead Peer Detection (DPD) sends packets that keep the tunnel up.


Kind regards,

Michael Schwartzkopff
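An ipsec.conf stanza for the "stay up and come back by itself" requirement in this thread, as an added example (not from the thread; the conn name, addresses and lifetimes are placeholders). It combines the two answers given above: DPD with dpdaction=restart to re-initiate when the peer stops answering, and keyingtries=%forever together with closeaction=restart so a failed or closed SA is renegotiated rather than abandoned.

```conf
conn site-to-site
    left=%defaultroute
    right=203.0.113.10          # placeholder peer address
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    keyexchange=ikev2

    # bring the tunnel up at startup and never stop retrying if the peer is
    # unreachable (default keyingtries is 3, after which charon gives up)
    auto=start
    keyingtries=%forever

    # DPD: after 30s without traffic send a liveness check; if the peer stays
    # silent, tear down and re-initiate instead of leaving a dead SA behind
    dpddelay=30s
    dpdaction=restart

    # if the peer deliberately deletes the SA, re-initiate it as well
    closeaction=restart

    # rekey ahead of expiry so there is no gap between old and new SAs
    ikelifetime=24h
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
```

`auto=route`, as suggested above, is the alternative when the tunnel only needs to exist while there is traffic: it installs trap policies so the next matching packet triggers negotiation, but nothing happens until such a packet arrives. With `auto=start` the tunnel is kept up regardless of traffic, and DPD is what detects a peer that silently disappeared; note that `dpdtimeout` only applies to IKEv1, for IKEv2 the retransmission timeouts decide when the peer is considered dead.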


[strongSwan] Meshed VPN with dynamic routing

2017-05-03 Thread Michael Schwartzkopff
Hi,

I am thinking about a fully meshed VPN as described in 

https://wiki.strongswan.org/projects/strongswan/wiki/SubnetsBehindMoreThanTwoGateways

But I want to make the routing dynamic. So if the link between site A and site 
B is interrupted the traffic between the subnets can be routed via the site C. 
Is such a scenario possible? How? Any hints?

Kind regards,

Michael Schwartzkopff
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] IPsec performance figures

2017-05-03 Thread Michael Schwartzkopff
Hi,

are there any reliable performance figures for IPsec throughput on x86_64 Linux 
machines?

Is 10 GBit/s feasible? If yes, how?

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Michael Schwartzkopff
On Wednesday, 18 January 2017, 13:27:58, Eric Germann wrote:
> > On Jan 18, 2017, at 1:25 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:
> 
> 
> 
> 
> Show me how to get SNMP stats per connection definition so we don’t have to
> use NetFlow and I’m all in.
> > Unrelated to the topic: Please try to avoid using the old, unmaintained,
> > bug ridden net-tools. Use iproute2 for everything (which you can do!).

If I find time and / or money I would write a SNMP subagent for strongswan.

But I did not really get much feedback the last time this topic was discussed 
here on the list.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Michael Schwartzkopff
On Wednesday, 18 January 2017, 18:38:51, Noel Kuntze wrote:
> On 18.01.2017 18:37, Varun Singh wrote:
> > Okay, so is 'not-creating-new-interfaces' a feature unique to
> > strongSwan or is it common for all VPN servers? Reason I am asking is,
> > may be I have misunderstood what the expert was saying. If not, I
> > should discuss this with him.
> 
> Neither strongSwan, nor openvpn do that. I have never seen something like
> that.

Old versions of openswan / freeswan did create interfaces.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:55:35, you wrote:
> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <m...@sys4.de> wrote:
> > On Monday, 16 January 2017, 18:30:15, Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <m...@sys4.de> 
> >> wrote:
> >> > On Monday, 16 January 2017, 18:09:00, Varun Singh wrote:
> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <m...@sys4.de> 
wrote:
> >> >> > On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
> >> >> >> Hi Varun,
> >> >> >> 
> >> >> >> we have customers who have successfully been running up to 60k
> >> >> >> concurrent tunnels. In order to maximize performance please have
> >> >> >> a look at the use of hash tables for IKE_SA lookup
> >> >> >> 
> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> >> >> >> 
> >> >> >> as well as job priority management
> >> >> >> 
> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> >> >> >> 
> >> >> >> We also recommend to use file-based logging since writing to syslog
> >> >> >> extremely slows down the charon daemon
> >> >> >> 
> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >> >> >> 
> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key
> >> >> >> exchange
> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> >> >> >> maximum performance.
> >> >> >> 
> >> >> >> ESP throughput is limited by the number of available cores and the
> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
> >> >> >> 
> >> >> >> Best regards
> >> >> >> 
> >> >> >> Andreas
> >> >> >> 
> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
> >> >> >> > Hi,
> >> >> >> > As I understand, strongSwan supports scalability from 4.x
> >> >> >> > onwards. I
> >> >> >> > am new to strongSwan and to VPN in general.
> >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
> >> >> >> > Though I have read that strongSwan supports scalability, I
> >> >> >> > couldn't
> >> >> >> > find stats to support it.
> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can
> >> >> >> > support
> >> >> >> > upto 100k simultaneous connections*. Hence I need to find
> >> >> >> > pointers
> >> >> >> > to
> >> >> >> > obtain this kind of information.
> >> >> > 
> >> >> > hi,
> >> >> > 
> >> >> > I think further scaling might be possible with loadbalancers. But
> >> >> > this
> >> >> > is
> >> >> > topic of deeper investigation of the project.
> >> >> > 
> >> >> > Kind regards,
> >> >> > 
> >> >> > Michael Schwartzkopff
> >> >> 
> >> >> Thanks Michael,
>

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:30:15, Varun Singh wrote:
> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <m...@sys4.de> wrote:
> > On Monday, 16 January 2017, 18:09:00, Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <m...@sys4.de> 
> >> wrote:
> >> > On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
> >> >> Hi Varun,
> >> >> 
> >> >> we have customers who have successfully been running up to 60k
> >> >> concurrent tunnels. In order to maximize performance please have
> >> >> a look at the use of hash tables for IKE_SA lookup
> >> >> 
> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> >> >> 
> >> >> as well as job priority management
> >> >> 
> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> >> >> 
> >> >> We also recommend to use file-based logging since writing to syslog
> >> >> extremely slows down the charon daemon
> >> >> 
> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >> >> 
> >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange
> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> >> >> maximum performance.
> >> >> 
> >> >> ESP throughput is limited by the number of available cores and the
> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
> >> >> 
> >> >> Best regards
> >> >> 
> >> >> Andreas
> >> >> 
> >> >> On 16.01.2017 19:00, Varun Singh wrote:
> >> >> > Hi,
> >> >> > As I understand, strongSwan supports scalability from 4.x onwards. I
> >> >> > am new to strongSwan and to VPN in general.
> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
> >> >> > Though I have read that strongSwan supports scalability, I couldn't
> >> >> > find stats to support it.
> >> >> > Before adopting strongSwan, my team wanted to know *if it can
> >> >> > support
> >> >> > upto 100k simultaneous connections*. Hence I need to find pointers
> >> >> > to
> >> >> > obtain this kind of information.
> >> > 
> >> > hi,
> >> > 
> >> > I think further scaling might be possible with loadbalancers. But this
> >> > is
> >> > topic of deeper investigation of the project.
> >> > 
> >> > Kind regards,
> >> > 
> >> > Michael Schwartzkopff
> >> 
> >> Thanks Michael,
> >> I was just searching whether load balancing is supported by strongSwan
> >> or not. Came across this thread:
> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
> >> 
> >> But this didn't lead to any conclusion.
> >> So is load balancing supported by strongSwan?
> > 
> > If you use LVS in front of the VPN server, the server does not know about the load
> > balancing. You would have to find a solution for the reverse traffic,
> > i.e. IP pools on the VPN server.
> > 
> > LVS offers a feature to do loadbalancing with firewall marks. This might
> > be
> > necessary for balancing IKE and ESP together.
> > 
> > I don't know if a SA sync between strongswan servers is possible.
> > 
> > But anyway: This setup should be designed and tested very carefully.
> > 
> > 
> > Kind regards,
> > 
> > Michael Schwartzkopff
> > 
>

Re: [strongSwan] hardware requirement for about 600 users

2016-11-23 Thread Michael Schwartzkopff
On Wednesday, 23 November 2016, 17:48:19, Poh Yong Hwang wrote:
> Hi,
> 
> Can i check what is the hardware requirements to allow 600 users to
> accessing Ipsec VPN through strongswan and access to servers behind the vpn
> through NAT?
> 
> thanks!

How many users in parallel?
What bandwidth (aggregated)?
How many re-authentications per second (or minute)?

Any recent CPU should be able to handle "normal" internet connection speeds up 
to 100 MBit/s and user figures as given above.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] High Scale VPN deployment recommendation?

2016-11-15 Thread Michael Schwartzkopff
On Tuesday, 15 November 2016, 16:55:45, Hal Logan wrote:
> Hello,
> 
> I'm putting a config together for a server that will have as many as 10,000
> concurrent VPN connections running to it. Client will be OpenWRT Chaos
> Calmer, server will be a highly modified CentOS. Both ends will be running
> StrongSwan u5.3.5. The clients will be running split tunnel connections.
> I've looked for case studies, references, or recommendations for
> configuration approaches that specifically reference high scale design but
> haven't found any.
> 
> For the server side, when routing traffic from the tunnels to other network
> resources is it generally more resource intensive to do that routing in the
> kernel, or would one expect lower utilization doing PBR or a road
> warrior-type approach?
> 
> Any insight or suggestions are appreciated. If it helps the community I'm
> glad to provide hardware specs and performance benchmarks over time.
> 
> Cheers and thank you,
> Hal

I would suggest putting the server(s) behind a load balancer. So you can scale 
better on the server side.

Your load balancer has to be able to balance IKE and ESP together, i.e. 
forward the client always to the same server. Give LVS a try. You would have 
to use IP address pools distributed from the servers to enable the route back 
to the client via the different servers.

Normally the crypto operations per second limit the performance. If you use a 
CPU that does crypto operations in hardware, please google for the performance 
data / throughput of that CPU. Also the kernel has to support that hardware 
encryption. But all modern kernels do that. Of course hardware encryption is 
only possible if you do not have "top secret" traffic and trust the hardware 
vendors.

Also have an eye on the VPN setup rate. Establishing a VPN link needs 
performance, so you would like to have as few renegotiations per second as 
possible.

If you have 10k clients and a tunnel lifetime of 3600 sec, you would have 
about 3 IPsec SA negotiations per sec. That sounds reasonable.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] Support of forwarding of client DHCP requests in strongswan?

2016-06-05 Thread Michael Schwartzkopff
On Sunday, 5 June 2016, 19:41:30, Peter Bieringer wrote:
> Hi,
> 
> after some hours of playing around and digging through Google I need now
> support...
> 
> Initial problem: Windows Phone 10 VPN client where "Split Tunneling =
> false" can't be set (unlike Windows 10 where Powershell command will help)
> 
> Probable solution: distribute routes to WP 10 via DHCP reply by
> responding with proper routes to the received DHCP inform message:
> 
> Received on ipsec0 interface (tcpdump):
> 
> 172.16.1.1.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request,
> length 300, htype 8, hlen 0, xid 0x5b8e69a6, secs 1536, Flags [none]
> Client-IP 172.16.1.1
> Vendor-rfc1048 Extensions
>   Magic Cookie 0x63825363
>   DHCP-Message Option 53, length 1: Inform
>   Client-ID Option 61, length 17: "***"
>   Hostname Option 12, length 13: "Windows-Phone"
>   Vendor-Class Option 60, length 8: "MSFT 5.0"
>   Parameter-Request Option 55, length 6:
> Domain-Name-Server, Netbios-Name-Server, Vendor-Option, 
> Subnet-Mask
> Classless-Static-Route-Microsoft, Domain-Name
> 
> 
> But I get now stucked, I haven't found any solution so far to feed this
> DHCP message received via ipsec0 to a DHCP server (tried ISC and dnsmasq
> listening on a tap interface with iptables NAT PREROUTING hints).
> dhcrelay also won't work, interface ipsec0 is not liked by any dhcp
> server...
> 
> Has anyone a working example for strongswan how to feed DHCP client
> messages received after IPsec is established to a DCHP server and
> respond proper with additional information?
> 
> e.g. something like a broadcast forwarding/snooper based on layer 2.
> 
> BTW: IPsec setup is IKEv2, system is running on Virtuozzo, so briding of
> interfaces is not an option, only tun/tap interfaces are available.

As far as I understand, IKEv2 should be able to hand out its own IP 
addresses.

See:
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin

Is this an option in your setup? Or do the IP addresses really have to be 
passed on to the central DHCP server?

Kind regards,

Michael Schwartzkopff

[strongSwan] Push route possible?

2016-02-10 Thread Michael Schwartzkopff
Hi,

I have the problem that I have dynamic IPv6 addresses in the remote network.

Is it somehow possible to inform my local VPN gateway about the actual network 
that is configured behind my remote gateway during phase 1?

Is it somehow possible to add the dynamic network to my rightsubnet on my local 
gateway?

Any ideas? Thanks.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] No udp encapsulation behind a NAT device?

2015-08-04 Thread Michael Schwartzkopff
On Tuesday, 4 August 2015, 10:36:21, Tobias Brunner wrote:
> Hi Michael,
> 
> > VPN connection is established:
> There are no CHILD_SAs listed there. Only IKE_SAs. Could you send the
> logs of when the SAs are established (including the initial messages
> where the NAT is detected). What strongSwan version(s) are you using?

Yes. You are right. Now a child SA is established:

Security Associations (1 up, 0 connecting):
 kd1[1]: ESTABLISHED 2 seconds ago, 
10.6.X.175[10.6.2.175]...54.239.X.154[54.239.X.154]
 kd1[1]: IKEv2 SPIs: 6f060978fe1fac20_i* 2e96922093bddd64_r, pre-
shared key reauthentication in 2 hours
 kd1[1]: IKE proposal: 
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 kd1{1}:  INSTALLED, TUNNEL, ESP SPIs: ce25f62c_i e5046162_o
 kd1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 
46 minutes
 kd1{1}:   192.168.X.0/24 === 172.29.X.0/26

I am using 5.1.2-0ubuntu2.3.

The output during the Tunnel establishment is:

initiating IKE_SA kd1[1] to 54.239.x.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (1084 bytes)
received packet: from 54.239.x.154[500] to 10.6.x.175[500] (248 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No ]
no IDi configured, fall back on IP address
authentication of '10.6.x.175' (myself) with pre-shared key
establishing CHILD_SA kd1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(EAP_ONLY) ]
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (364 bytes)
received packet: from 54.239.x.154[500] to 10.6.x.175[500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of '54.239.x.154' with pre-shared key successful
IKE_SA kd1[1] established between 
10.6.x.175[10.6.x.175]...54.239.x.154[54.239.x.154]
scheduling reauthentication in 9771s
maximum IKE_SA lifetime 10311s
CHILD_SA kd1{1} established with SPIs cec2fc9e_i 67a2c2fc_o and TS 
192.168.x.0/24 === 172.29.x.0/26 
connection 'kd1' established successfully

Besides the N(NATD_S_IP) and N(NATD_D_IP) in the first packet I do not see 
anything about NAT.

So it seems the other VPN endpoint does not support NATed connections?

Kind regards,

Michael Schwartzkopff
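A check for the pattern visible in the log above, as an added example that is not part of the post or of strongSwan: it classifies charon log lines by whether both peers carried NAT_DETECTION payloads in IKE_SA_INIT and whether charon then reported a NAT and moved to port 4500. Both sample logs are constructed; the first mirrors the quoted exchange, the second the working case.

```shell
#!/bin/sh
# Added example, not from the list post or strongSwan: classify NAT traversal
# negotiation from charon log lines. Constructed sample mirroring the quoted
# exchange (the responder answers without NAT_DETECTION payloads).
SAMPLE_LOG_NO_NATT='initiating IKE_SA kd1[1] to 54.239.x.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (1084 bytes)
received packet: from 54.239.x.154[500] to 10.6.x.175[500] (248 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No ]
establishing CHILD_SA kd1
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (364 bytes)
CHILD_SA kd1{1} established with SPIs cec2fc9e_i 67a2c2fc_o and TS 192.168.x.0/24 === 172.29.x.0/26'

# Constructed sample for the working case: both peers send NAT_DETECTION
# payloads, charon detects a NAT in front of us and moves to UDP port 4500.
SAMPLE_LOG_NATT='generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (1084 bytes)
received packet: from 54.239.x.154[500] to 10.6.x.175[500] (296 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
sending packet: from 10.6.x.175[4500] to 54.239.x.154[4500] (380 bytes)'

# has_line REGEX LOG: true if any log line matches REGEX (basic regex).
has_line() {
    printf '%s\n' "$2" | grep -q "$1"
}

# natt_status LOG prints one word:
#   local-no-natd : our IKE_SA_INIT request carried no NAT_DETECTION payloads
#   peer-no-natd  : the peer answered without them, so NAT-T was never
#                   negotiated and ESP leaves unencapsulated (the case above)
#   natt-active   : a NAT was detected and IKE moved to port 4500; ESP is
#                   then UDP-encapsulated on the same port
#   no-nat        : both sides support NAT-T but no NAT was detected
natt_status() {
    log=$1
    has_line 'IKE_SA_INIT request .*N(NATD_S_IP) N(NATD_D_IP)' "$log" \
        || { echo local-no-natd; return 0; }
    has_line 'IKE_SA_INIT response .*N(NATD_S_IP) N(NATD_D_IP)' "$log" \
        || { echo peer-no-natd; return 0; }
    if has_line 'host is behind NAT' "$log" \
        && has_line 'sending packet: from [^ ]*\[4500\]' "$log"; then
        echo natt-active
    else
        echo no-nat
    fi
}

# Offline demo over the two constructed logs.
printf 'quoted exchange: %s\n' "$(natt_status "$SAMPLE_LOG_NO_NATT")"
printf 'working NAT-T:   %s\n' "$(natt_status "$SAMPLE_LOG_NATT")"
```

Without NAT-T, ESP (IP protocol 50) has to be forwarded by the NAT device itself; if it is not, the symptom is exactly what the post describes, a CHILD_SA that is INSTALLED but whose traffic never arrives.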

[strongSwan] No udp encapsulation behind a NAT device?

2015-08-04 Thread Michael Schwartzkopff
Hi,

I am trying to establish a VPN tunnel to the Amazon VNC network. My VPN server 
is behind a NAT device.

My config is:

config setup

conn default
    authby=secret
    mobike=no
    ike=aes128-sha1-modp1024!

conn kd1
    authby=secret
    right=54.239.63.A
    rightsubnet=172.29.X.0/26
    left=10.6.2.175
    leftsubnet=192.168.Y.0/24
    auto=start
    leftfirewall=yes

conn kd2
    authby=secret
    right=54.239.63.B
    rightsubnet=172.29.X.0/26
    left=10.6.2.175
    leftsubnet=192.168.Y.0/24
    auto=start
    leftfirewall=yes

VPN connection is established:
Connections:
 kd1:  10.6.2.175...54.239.63.A  IKEv1/2
 kd1:   local:  [10.6.2.175] uses pre-shared key authentication
 kd1:   remote: [54.239.63.A] uses pre-shared key authentication
 kd1:   child:  192.168.Y.0/24 === 172.29.X.0/26 TUNNEL
 kd2:  10.6.2.175...54.239.63.B  IKEv1/2
 kd2:   local:  [10.6.2.175] uses pre-shared key authentication
 kd2:   remote: [54.239.63.B] uses pre-shared key authentication
 kd2:   child:  192.168.Y.0/24 === 172.29.X.0/26 TUNNEL
Security Associations (2 up, 0 connecting):
 kd2[2]: ESTABLISHED 3 seconds ago, 
10.6.2.175[10.6.2.175]...54.239.63.B[54.239.63.B]
 kd2[2]: IKEv2 SPIs: 5562844ae3a92a97_i* c32bcb77d7c624c0_r, pre-
shared key reauthentication in 2 hours
 kd2[2]: IKE proposal: 
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 kd1[1]: ESTABLISHED 3 seconds ago, 
10.6.2.175[10.6.2.175]...54.239.63.A[54.239.63.A]
 kd1[1]: IKEv2 SPIs: 8f7ac1254782bba1_i* 77dabaf1fda87a2d_r, pre-
shared key reauthentication in 2 hours
 kd1[1]: IKE proposal: 
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

But when I ping a server on the other side, tcpdump shows my ESP packets 
leaving my external interface. No UDP encapsulation happens. So NAT at the 
next hop fails and no packets are sent over the internet.

If I configure forceencaps then the xfrm policy is not set up and the packets 
are leaving in clear text.

Any ideas what might be wrong? 

Kind regards,

Michael Schwartzkopff

[strongSwan] Log file documentation

2015-08-04 Thread Michael Schwartzkopff
Hi,

I tried to find documentation of the entries in the strongSwan log file. 
Especially I am looking for the documentation of the IKE attributes like 
NATD_S_IP, NATD_D_IP, INVAL_KE, IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(EAP_ONLY).

Any good hints?

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] FW: FW: strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 19:37:01, Nitin Agarwal wrote:
> Hello Monti and Michael
> 
> I also wanted to do the same thing and my team started the work on it.
> We have done good work on this and were trying to update information via SNMP in
> OpenNMS.
> We wanted to integrate with OpenNMS, so that we can show it in a GUI and make
> custom reports. But, unfortunately, this was taking too much time.
> So, this development was stopped.

I'd be glad if you were able to revive that project and I could contribute.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] FW: FW: strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 19:37:01, Nitin Agarwal wrote:
> Hello Monti and Michael
> 
> I also wanted to do the same thing and my team started the work on it.
> We have done good work on this and were trying to update information via SNMP in
> OpenNMS.
> We wanted to integrate with OpenNMS, so that we can show it in a GUI and make
> custom reports. But, unfortunately, this was taking too much time.
> So, this development was stopped.
> 
> If you want to develop the same and integrate with OpenNMS, then I can share
> details with you.
> 
> And, other than this, can anybody suggest any available monitoring tool for
> IPSEC tunnels which we can run on the server and which will show the status of all
> active tunnels with some reports or similar?

Integration into OpenNMS should be very simple if you have a working SNMP 
agent. But the agent is the problem. This is really hard work.

A very simple solution is the extend feature of net-snmp. You could 
integrate your scripts into the net-snmp agent. So gathering some basic data, 
like
- number of tunnels in Phase 1
- number of tunnels in phase 2
- number of isakmp established
- ...

should be very easy. Just read man snmpd.conf. Please also feel free 
to contact me for further questions or for the integration into OpenNMS.

Kind regards,

Michael Schwartzkopff
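A script for the net-snmp extend approach described above, as an added example that is not from the post or from the strongSwan project: it counts established IKE_SAs (Phase 1 / ISAKMP), installed CHILD_SAs (Phase 2) and still-connecting IKE_SAs by parsing the output of ipsec status. The sample status text is constructed, and the install path in the snmpd.conf lines is assumed.

```shell
#!/bin/sh
# Added example, not from the list post: count strongSwan SAs from the output
# of "ipsec status" so net-snmp's "extend" directive can publish the numbers.
# Mapping to the post's wording: IKE_SA = Phase 1 / ISAKMP SA,
# CHILD_SA = Phase 2 (IPsec SA).

# Constructed sample in the format "ipsec status" prints (names, peers and
# SPIs made up).
SAMPLE_STATUS='Security Associations (2 up, 1 connecting):
 kd2[2]: ESTABLISHED 3 seconds ago, 10.6.2.175[10.6.2.175]...198.51.100.2[198.51.100.2]
 kd2[2]: IKEv2 SPIs: 5562844ae3a92a97_i* c32bcb77d7c624c0_r, pre-shared key reauthentication in 2 hours
 kd1[1]: ESTABLISHED 3 seconds ago, 10.6.2.175[10.6.2.175]...198.51.100.1[198.51.100.1]
 kd1[1]: IKEv2 SPIs: 8f7ac1254782bba1_i* 77dabaf1fda87a2d_r, pre-shared key reauthentication in 2 hours
 kd1{1}:  INSTALLED, TUNNEL, ESP SPIs: ce25f62c_i e5046162_o
 kd1{1}:   192.168.1.0/24 === 172.29.1.0/26
 kd3[3]: CONNECTING, 10.6.2.175[%any]...198.51.100.3[%any]'

# count_matching REGEX STATUS_TEXT: number of lines matching REGEX.
# grep -c exits 1 when the count is 0, which is not an error here.
count_matching() {
    printf '%s\n' "$2" | grep -c "$1" || true
}

# Established IKE_SAs: "name[id]: ESTABLISHED ..."
count_ike_sas() {
    count_matching '^ *[^ ]*\[[0-9]*\]: ESTABLISHED' "$1"
}

# IKE_SAs still negotiating: "name[id]: CONNECTING, ..."
count_connecting() {
    count_matching '^ *[^ ]*\[[0-9]*\]: CONNECTING' "$1"
}

# Installed CHILD_SAs: "name{id}:  INSTALLED, TUNNEL|TRANSPORT, ..."
count_child_sas() {
    count_matching '^ *[^ ]*{[0-9]*}: *INSTALLED' "$1"
}

# One value per invocation, as snmpd's "extend" expects. Assumed snmpd.conf:
#   extend ipsec-ike        /usr/local/bin/ipsec-sa-count.sh ike
#   extend ipsec-child      /usr/local/bin/ipsec-sa-count.sh child
#   extend ipsec-connecting /usr/local/bin/ipsec-sa-count.sh connecting
# Read with: snmpwalk -v2c -c <community> <host> NET-SNMP-EXTEND-MIB::nsExtendOutput1Line
report() {
    case "$1" in
        ike)        count_ike_sas "$2" ;;
        child)      count_child_sas "$2" ;;
        connecting) count_connecting "$2" ;;
        *) echo "usage: $0 ike|child|connecting" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    # Live mode: query the running daemon; an absent "ipsec" yields all zeros.
    report "$1" "$(ipsec status 2>/dev/null)"
else
    # Offline demo over the constructed sample.
    for mode in ike child connecting; do
        printf '%s=%s\n' "$mode" "$(report "$mode" "$SAMPLE_STATUS")"
    done
fi
```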

Re: [strongSwan] FW: strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 10:38:39, Monti, Marco wrote:
> Hi Michael,
> 
> So there are not any MIBs to use for ipsec, as you know. I would have to write
> a subagent from scratch. I have tried to find out but it seems there are not any.
> 
> What language and API would you suggest?
> 
> Marco

Standard is C. But I used to write in perl. net-snmp has a nice API.

MIBs: you can get inspired by other VPN vendors: Check Point, Cisco, Juniper.

I will send you some slides on how I created a subagent for the Linux Cluster 
Manager. I gave that talk at a Linux conference.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 10:12:11, Monti, Marco wrote:
> Hi all,
> 
> I'd like to monitor StrongSwan ipsec tunnels via SNMP. I have not found any
> documentation apart from "write your own agent, MIB and OIDs".
> 
> Is there a ready MIB for ipsec?
> 
> 
> Thx a lot
> 
> Marco

Hi,

writing your own SNMP sub-agent is quite a task. But I could help you a 
little bit. But beware, I do not have too much time.

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] Visibility on usage of a strongswan/ipsec server

2015-05-04 Thread Michael Schwartzkopff
On Monday, 4 May 2015, 07:10:09, Andrew Foss wrote:
> Folks,
> 
> I am pushing ~200mb/s through my ipsec server, but when I look at cpu
> with top or load average with uptime, the machine looks like it is idle.
> I am guessing that the work is being done in the kernel, but I still
> need to measure how much of the machine's capacity is being used by ipsec.
> 
> Is there some other better place to look to see how much of the system
> strongswan/ipsec is occupying?
> 
> andrew

What does the top program give in the CPU output line? How many cores does 
your machine have?


Kind regards,

Michael Schwartzkopff

Re: [strongSwan] High availability configuration

2015-02-22 Thread Michael Schwartzkopff
On Sunday, 22 February 2015, 14:57:13, unite wrote:
> On 2015-02-21 20:52, Noel Kuntze wrote:
> > Hello Aleksey,
> > 
> > Currently, strongSwan only supports high-availability in an
> > active-active cluster.
> > However, you can abuse it and make it active-passive by simply not using
> > a multicast mac address and configuration on the CLUSTERIP rule on the
> > devices. That way, the SAs will be synchronized, but traffic will only
> > be forwarded to one member of the cluster. Failover of the IP needs to be
> > done by a cluster executive.
> > Propagating the new MAC address of the IP needs to be done either by the
> > kernel or the cluster executive. After the IP is assigned to the former
> > passive and now active member, it will process the traffic.
> > 
> > In an active-active configuration, the multicast mac address would
> > ensure that the traffic is always received by both nodes. A hash function
> > over the layer three address would decide which host processes it.
> > However, be aware that I had problems with multicast mac addresses with
> > some newer Juniper switches. They do not seem to handle those addresses
> > and forwarding the traffic correctly.

No. They started to handle it correctly. According to the specs a switch 
SHOULD NOT learn a multicast MAC address that belongs to a unicast IP address. 
Cisco always implemented it, but no other manufacturer. It seems that Juniper 
started to implement it.

If you want to set up such a config, you have to configure the correct MAC 
address in the switches on the ports. Otherwise you could have loops and you 
will see much traffic.



(...)

Kind regards,

Michael Schwartzkopff

Re: [strongSwan] eap-radius and ssha passwords

2015-02-22 Thread Michael Schwartzkopff
On Sunday, 22 February 2015, 21:31:29, Alexey Beketov wrote:
> Hello,
> I'm trying to make strongswan authorize and authenticate against freeipa
> through eap-radius. Client is my android phone and strongswan app (I'd like
> to use MOBIKE). I've successfully configured freeradius to query freeipa via
> ldap protocol. After some playing I've figured out that freeipa stores
> passwords in ssha hash. So to get everything to work freeradius needs
> passwords in clear-text or ssha. The only way I got IPSEC to work on my
> phone is using xauth + psk and native android vpn client. But that way is
> using ikev1 and thus I can't use MOBIKE. My question: Is there any way to
> use eap-radius and ssha passwords to get ikev2 support? May be it is
> possible to pass clear-text passwords using eap-radius?

What is the debug output of FreeRADIUS? What authentication protocol does 
MOBIKE use? You are aware of the authentication protocol and password storage 
compatibility matrix?

http://deployingradius.com/documents/protocols/compatibility.html

Do you do an ldapbind or ldapsearch?

Kind regards,

Michael Schwartzkopff

[strongSwan] eap-md5: constraint requires public key authentication, but EAP was used

2015-01-16 Thread Michael Schwartzkopff
Hi,

I want to test a TNC setup according to
https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
https://wiki.strongswan.org/projects/strongswan/wiki/TNCC

The authentication should be EAP-MD5, so the first sample on the web site.

I think I did follow the doc quite closely, but I am stuck with ipsec up 
failing. The client log says:

(...)
EAP method EAP_TTLS succeeded, MSK established
authentication of 'CN=client' (myself) with EAP
generating IKE_AUTH request 12 [ AUTH ]
sending packet: from 192.168.57.16[4500] to 192.168.56.25[4500] (92 bytes)
received packet: from 192.168.56.25[4500] to 192.168.57.16[4500] (220 bytes)
parsed IKE_AUTH response 12 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) ]
authentication of 'CN=server' with EAP successful
removed TNCCS Connection ID 1
constraint requires public key authentication, but EAP was used
selected peer config 'test' inacceptable: constraint checking failed

On the server side I have:
conn test
    left=192.168.56.25
    leftsubnet=192.168.56.0/24
    leftcert=server.crt
    leftauth=eap-ttls
    #
    rightgroups=allow
    rightauth=eap-ttls
    rightid=CN=client
    right=%any
    rightsendcert=never
    #
    auto=add

and on the client side I have:

conn test
    left=192.168.57.16
    leftcert=client.crt
    leftid=CN=client
    leftauth=eap
    #
    right=192.168.56.25
    rightid=CN=server
    rightsendcert=never
    rightsubnet=192.168.56.0/24
    #
    auto=add

Anybody here who could help me understand why this authentication is failing?

Kind regards,

Michael Schwartzkopff


Re: [strongSwan] IPv6 over IPv4 Tunnel

2015-01-14 Thread Michael Schwartzkopff
On Wednesday, 14 January 2015, 10:24:06, Michael Schwartzkopff wrote:
> Hi,
> 
> I have an IPv4 transport network, so moon (responder) and carol machines have
> IPv4 addresses. The IPv4 IPsec tunnel works.
> 
> Can I assign IPv6 addresses to my carol host? Something like
> 
>   rightsourceip = 192.168.100.0/24,2001:db8::0/120
> 
> on my moon machine and
> 
>   leftsourceip=%config4,%config6
> 
> on the carol machine?
> 
> During tunnel setup I see that the carol machine gets the IPv6 addresses
> pushed correctly but the moon machine (server) cannot ping6 carol (client):
> 
> connect: Network is unreachable.
> 
> I don't see any routing and transform entries for the ipv6 address of carol.

Solved it. Config was not completely correct.


Kind regards,

Michael Schwartzkopff


[strongSwan] IPv6 over IPv4 Tunnel

2015-01-14 Thread Michael Schwartzkopff
Hi,

I have an IPv4 transport network, so moon (responder) and carol machines have 
IPv4 addresses. The IPv4 IPsec tunnel works.

Can I assign IPv6 addresses to my carol host? Something like

  rightsourceip = 192.168.100.0/24,2001:db8::0/120

on my moon machine and

  leftsourceip=%config4,%config6

on the carol machine?

During tunnel setup I see that the carol machine gets the IPv6 addresses 
pushed correctly but the moon machine (server) cannot ping6 carol (client): 

connect: Network is unreachable.

I don't see any routing and transform entries for the ipv6 address of carol.

Any ideas?

Kind regards,

Michael Schwartzkopff


[strongSwan] Overlaping IP addresses

2014-12-02 Thread Michael Schwartzkopff
Hi,

We have a problem setting up VPNs and I wanted to know if StrongS/WAN can help 
us. Mainly we deal with overlapping IP addresses. This can happen in two cases:

1) Two customers use the same RFC1918 network internally. So it might happen 
that two boxes at customers get the same IP address. Does StrongS/WAN provide 
a solution for this problem? Can StrongS/WAN distinguish between both 
clients? If yes, how?

2) A customer has two of our boxes in his network. Our VPN server only sees 
the external IP address of the NAT box, which is identical for both VPN clients 
internally. Can StrongS/WAN distinguish between both boxes? If yes, how?

Thanks for any hints.


Kind regards,

Michael Schwartzkopff