Re: [strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

[Tobias Brunner]

Hi Karl,

And, it appears, Windows is insisting on using the CN when presenting 
the identity (instead of the field(s) in the SAN) unless you set the 
option on the VPN profile to allow an override -- and then you have 
to hand-key it on each connection.  I don't believe there is any way 
to tell Windows to use the SAN identity or identities on its own.


Yes, as documented on [1], the Windows client uses the CN value as EAP 
identity with EAP-TLS (i.e. user certificates).  I didn't know this 
can actually be changed, so that might be something we could add to 
the docs.  Could you provide details  on this?  Anyway, without 
explicit changes on the client, this only works if the certificate 
contains a matching SAN.


Yes here's where it is; you have to go at the connection from the 
control panel, not from the Windows 10+ "quick list" in settings.


And then click "Properties" which gets you this:

At the very bottom is "use a different user name."  Select that and you 
will get prompted for it when you go to connect; if the SAN includes the 
email address (which it has to for it to be useful as a S/Mime 
certificate, for example) you can enter it there and it works.


Thanks.  That looks simpler than I expected (I assumed it required 
fiddling with group policies or the like).


The problem is that the EAP identity does not contain a type, so 
unless the data is ASN.1 (e.g. a full binary DN), the rules at [2] 
apply when the identity is parsed.  In your case, with


the "CN" of these certs is the full name of the person, not an email 
address


the SAN would have to be of type dNSName as that's the default 
fallback for the parser.  Considering that the full name probably 
contains spaces that might be a bit weird but it's perfectly legal as 
dNSName is of type IA5String, which accepts all ASCII characters, and 
DNS names may consist of any 8-bit characters (only to host names 
apply some further restrictions).


Gotcha.  If I have to reissue then I may as well change the CN to the 
email address, which isn't horrible for user I suppose; at least its 
consistent with what they know.  I've got this out in the field (my own 
personal server is a "who cares" but for everyone else...) and that plus 
the local CA setup has been automated and working out there for quite 
some time.  What I may do is tell people how to override for now but 
change the back end stuff on issuing so when certificates roll over the 
CN is the email address instead of the user's full name.


Sounds reasonable.

I don't like the idea of issuing certs with a DNSName that isn't 
properly-formed; who knows what might try to use that as a lookup (it 
would fail if handed to a resolver, obviously, but still.)


Don't know of any component that would do that, but yeah, it's probably 
not ideal.


If I ping the connection from the server it is transmitting. Looking at 
the client end I see the traffic coming in and the reply traffic going 
back out, but I never get the reply back on the server.  The only thing 
I see coming back from the client at all on the server end is IKE 
keepalives, which implies that the phone or the network is blocking 
encapsulated outbound traffic or (perhaps) Microsoft has screwed the 
pooch with their internal VPN code in the most-recent update.  Without 
being able to tcpdump the devices in the middle (the phone, obviously, 
never mind the telco network) figuring out exactly who's doing me dirty 
is not easy.


Hm, the IKE keepalives (or any other IKE packets) take the same path the 
UDP-encapsulated ESP packets from the client will.  So if the client 
actually sends a UDP-encapsulated ESP packet back, it's really weird 
that it gets dropped.  In particular, because the pings are small enough 
to rule out fragmentation issues.  So unless there is a firewall that 
does deep inspection and drops ESP packets from the client this is quite 
weird.  Does it happen with tethered non-Windows clients, too (e.g. 
macOS or Linux)?
Not being able to wireshark or tcpdump in the phone doesn't help me 
trying to run this down, obviously, and I suspect this is some sort of 
active interference with port 500 


Note that UDP port 4500 is relevant here as the NAT situation triggers 
NAT traversal (i.e. UDP encapsulation).


I'm going to be spending a fair bit more time going after this for 
obvious reasons; I have a sneaky suspicion this is either in the phone 
firmware or carrier but need to verify that by finding an open hotspot 
where I can see if it works as it has for the last several years there 
and I may have to root a phone device so I can get in there with a root 
shell and see if I can find something there.  If not then obviously its 
being blocked in the carrier infrastructure or their tethering 
provisioning pushed to the phone.


I guess it's possible that Android does something weird.  For instance, 
treat packets with destination port 4500 specially somehow.  As 
responder, that's necessary in order to 

Re: [strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

[Tobias Brunner]

Hi Karl,

Using the "stroke" interface does not impact this; it appears to be 
something changed between 5.9.5 and 5.9.6 and the release notes imply 
this is likely the cause:


  * The client identity (e.g. the IKE or EAP identity for EAP-TLS) is
again enforced by libtls.


Yes, this was a regression introduced with the TLS 1.3 changes in 5.9.2. 
 Any version between that and 5.9.6 didn't verify that the client's 
identity is confirmed by the certificate (so users could authenticate as 
any identity as long as they had a valid and trusted certificate).


And, it appears, Windows is insisting on using the CN when presenting 
the identity (instead of the field(s) in the SAN) unless you set the 
option on the VPN profile to allow an override -- and then you have to 
hand-key it on each connection.  I don't believe there is any way to 
tell Windows to use the SAN identity or identities on its own.


Yes, as documented on [1], the Windows client uses the CN value as EAP 
identity with EAP-TLS (i.e. user certificates).  I didn't know this can 
actually be changed, so that might be something we could add to the 
docs.  Could you provide details  on this?  Anyway, without explicit 
changes on the client, this only works if the certificate contains a 
matching SAN.


The problem is that the EAP identity does not contain a type, so unless 
the data is ASN.1 (e.g. a full binary DN), the rules at [2] apply when 
the identity is parsed.  In your case, with



the "CN" of these certs is the full name of the person, not an email address


the SAN would have to be of type dNSName as that's the default fallback 
for the parser.  Considering that the full name probably contains spaces 
that might be a bit weird but it's perfectly legal as dNSName is of type 
IA5String, which accepts all ASCII characters, and DNS names may consist 
of any 8-bit characters (only to host names apply some further 
restrictions).


Regards,
Tobias

[1] 
https://docs.strongswan.org/docs/5.9/interop/windowsCertRequirements.html#_client_certificates

[2] https://docs.strongswan.org/docs/5.9/config/identityParsing.html

[strongSwan] Server Migration and Changes to the Services at strongswan.org

[Tobias Brunner]

Dear strongSwan Community,

We are currently in the process of migrating the server hosting
strongswan.org.  However, not all services it currently provides will
be migrated.


First and foremost, we are discontinuing our mailing lists (users, dev
and the long unused announce).  For community support we'd like to refer
you to our discussion forum at GitHub [1].  If you'd like to participate
and help fellow users, please subscribe to notifications for updates to
discussions via the "Watch" feature.  Before opening a new discussion,
please refer to #196 [2] for helpful instructions.
The same forum may also be used by developers to ask for help or propose
and discuss changes.  Pull requests are also welcome at GitHub (make
sure to read the contribution requirements [3]).
To keep up with new releases, you may subscribe to notifications for new
releases at GitHub (use the "Custom" option when subscribing to events,
so you only get notified about things that interest you).

Thanks a lot to all users who participated on these mailing lists over
the years.  The list archives will be migrated and continue to be
available at https://lists.strongswan.org.


Second, the Git server at git.strongswan.org will be terminated.  The
main strongSwan repository has been at GitHub for a while now and we
don't feel the need to maintain that additional mirror.  If you still
use git.strongswan.org as remote for your local repository, please
update the config e.g. via

  git remote set-url origin https://github.com/strongswan/strongswan.git

The android-ndk-boringssl (BoringSSL version for the Android client) and
linux-dumm (Linux kernel patches for high-availability) repositories
have also been moved to GitHub, their new URLs are as follows:

  https://github.com/strongswan/boringssl.git
  https://github.com/strongswan/linux.git


The above changes will take effect roughly by the end of the month, but
could be sooner, depending on our current hosting provider.


Most of the documentation has already been moved from
wiki.strongswan.org to https://docs.strongswan.org.  One notable
exception is the ipsec/ipsec.conf documentation, which we don't plan
to migrate.  That and the old issues and changelogs are why
wiki.strongswan.org will remain as read-only archive for the foreseeable
future.


If you have any questions regarding these changes, please let us know.

Best Regards,
The strongSwan Team

[1] https://github.com/strongswan/strongswan/discussions
[2] https://github.com/strongswan/strongswan/discussions/196
[3] https://docs.strongswan.org/docs/5.9/devs/contributions.html

Re: [strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

[Tobias Brunner]

Update: The kldload is not automatically initiated by the strongswan rc 
file; this is an obvious omission since GENERIC now includes only a stub 
and the actual ipsec driver must dynamically loaded. > I'll put a note in "bugzila" on it since the kernel config now requires

you kldload the module or it doesn't work.


Weird that this never came up before.

The enc and IPSEC_NAT_T 
declarations are not required and neither is in GENERIC.


IPSEC_NAT_T has apparently been removed because the NAT-T support is 
non-optional since FreeBSD 12 (the same merge added the ipsec.ko module 
and the IPSEC_SUPPORT option [1]).


Regards,
Tobias

[1] 
https://cgit.freebsd.org/src/commit/?id=fcf596178b5f2be36424ecbc1b6a3224b29c91d2

Re: [strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

[Tobias Brunner]

Hi Karl,

I am running GENERIC on the gateway as the docs say 
that's now ok; I used to run a custom kernel for other reasons (mostly 
PPS which I don't use anymore as I no longer have a local NTP clock) and 
the only material difference I can see is that the 12.2-STABLE custom 
kernel has the "enc" driver included in it ("device    enc") while 
GENERIC does not.


Not sure if that driver is necessary or only required to do advanced 
filtering.  You should definitely check if the kernel includes the 
following options (or if you can kldload a module that provides them):


options   IPSEC
devicecrypto
# also needed because the Android app requires UDP encapsulation
options   IPSEC_NAT_T

Regards,
Tobias

Re: [strongSwan] Error Message: "unsupported mode"?

[Tobias Brunner]

Hi Michael,


What exactly does "IPsec SA: unsupported mode" mean? unsupported mode
"transport"?


You are using the kernel-libipsec plugin, which implements IPsec in 
userland and requires tunnel mode.  You probably don't want to use that, 
see [1] for details.


Regards,
Tobias

[1] https://docs.strongswan.org/docs/5.9/plugins/kernel-libipsec.html

Re: [strongSwan] conditional expressions in swanctl.conf?

[Tobias Brunner]

Hi Harri,


is there some way to express

if peercert->OU == develop
pool = pool1
else
pool = pool2



You can match identities with wildcards, see [1].

Regards,
Tobias

[1] https://www.strongswan.org/testing/testresults/ikev2/wildcards/

Re: [strongSwan] charon-systemd: 11[KNL] received netlink error: No such file or directory (2)

[Tobias Brunner]

Hi Michael,


fips_mode is default, i.e. disabled. At least according to
charon/openssl.conf.


I was not referring to the openssl plugin, but clearly to the kernel. 
Check e.g. via `cat /proc/sys/crypto/fips_enabled` if it runs in FIPS 
mode.  Note that this can only be changed via `fips` kernel command line 
option.


Regards,
Tobias

Re: [strongSwan] transform policy without SPI?

[Tobias Brunner]

Hi Michael,


In the transform policy we see the connection but without SPIs
in "in" and "fwd" direction. An SPI does only exist for the "out"
direction. How is that possible?


That's normal and always the case.


Under what circumstance is that normal? After the termination of the
child connection?


No, for any established CHILD_SA.  strongSwan only sets the SPI on 
outbound policies, never on the others.


Regards,
Tobias

Re: [strongSwan] transform policy without SPI?

[Tobias Brunner]

Hi Michael,


In the transform policy we see the connection but without SPIs
in "in" and "fwd" direction. An SPI does only exist for the "out"
direction. How is that possible?


That's normal and always the case.

Regards,
Tobias

Re: [strongSwan] how to tell charon-nm to use 500/udp and 4500/udp

[Tobias Brunner]

Hi Harald,


is there some way to tell charon-nm to use 4500/udp for the outgoing
connection, instead of an arbitrary port, if available? Same for
500/udp.


You can explicitly configure the ports via strongswan.conf
(charon-nm.port and charon-nm.port_nat_t).  Just make sure you don't use
charon or charon-systemd on the same host to avoid conflicts.



Of course I will look into this, but how comes using 500/udp and 4500/udp
isn't the default?


Primarily, to avoid conflicts with regular (i.e. non-NM) versions of the 
daemon that might be running concurrently on the same system.  Using 
ephemeral source ports also makes using custom server ports easy 
(configurable in the NM plugin) as that would otherwise require changing 
the source port away from 500 anyway.


> Thats how I read https://wiki.strongswan.org/projects/\
> strongswan/wiki/ConnSection, left|rightikeport.

Which has absolutely nothing to do with charon-nm (uses a completely 
different configuration interface).



I assume a problem on the AVM Fritzbox in this context. 500/udp and
4500/udp at both ends appears to be more reliable.


That doesn't really make sense as there could always be a NAT in between
that changes the source ports.



I am aware of that. It is not working, i.e. we cannot assume a reasonable
implementation. Fact is, the traffic returned by my VPN gateway (4500/udp
to lets say 32480/udp) at the end of phase 2 (IKE2) doesn't reach the home
office laptop of my colleague (both strongswan). I just cannot say if this
is sabotaged by his IP provider or if this is a broken stateful package
filter or some other bug in the Fritzbox. What would be your guess here?


How large is that message?  Although you use 5.9.6 on both ends (i.e. 
IKE fragmentation should generally be enabled), it could still be a 
fragmentation issue if the default fragment size of 1280 bytes is too 
much (you could try reducing charon.fragment_size).



Also, has AVM finally released a version of their system that supports
IKEv2?  Took them long enough.  But considering their track record
regarding IKEv1, I guess we have to expect interoperability issues for
the next 20 years.


This is a misunderstanding. Both peers are running a recent Debian and
strongswan 5.9.6. The Fritzbox is just the modem/gateway/firewall in
my colleagues home network. I understand that the Fritzbox runs its own
IPsec connections. Yet another reason to assume a bug in the Fritzbox
in this context.


I see.  Can you capture traffic on that box?

Regards,
Tobias

Re: [strongSwan] how to tell charon-nm to use 500/udp and 4500/udp

[Tobias Brunner]

Hi Harald,


is there some way to tell charon-nm to use 4500/udp for the outgoing
connection, instead of an arbitrary port, if available? Same for
500/udp.


You can explicitly configure the ports via strongswan.conf 
(charon-nm.port and charon-nm.port_nat_t).  Just make sure you don't use 
charon or charon-systemd on the same host to avoid conflicts.



I assume a problem on the AVM Fritzbox in this context. 500/udp and
4500/udp at both ends appears to be more reliable.


That doesn't really make sense as there could always be a NAT in between 
that changes the source ports.


Also, has AVM finally released a version of their system that supports 
IKEv2?  Took them long enough.  But considering their track record 
regarding IKEv1, I guess we have to expect interoperability issues for 
the next 20 years.



However, I am not
sure at all where the temporary port comes from.


What are you referring to?

Regards,
Tobias

Re: [strongSwan] Connect to one site through another

[Tobias Brunner]

Hi,


unless I'm missing something else I need to add in my configuration.


You seem to be using kernel-libipsec [1], don't!  Just use 
kernel-netlink instead.


Regards,
Tobias

[1] https://docs.strongswan.org/docs/5.9/plugins/kernel-libipsec.html

Re: [strongSwan] MacOS Cert authentication failing

[Tobias Brunner]

Hi,

Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found 
for 'len-mac-...@mypvn.net' to verify TLS peer


Looks like there is a typo in the Local Identity on the client 
(mypvn.net vs. myvpn.net)


Regards,
Tobias

Re: [strongSwan] iphone-to-strongswan configuration - working example.

[Tobias Brunner]

Hi Kamil,


It has to be:
--8<---cut here---start->8---
openssl pkcs12 -export -legacy -inkey private/key -in cert -out cert.p12
--8<---cut here---end--->8---
and then profile was installed correctly.


Note that `-legacy` is an option only available since OpenSSL 3.  It 
causes the legacy crypto provider to get loaded, which makes RC2 and 
3DES available and the latter the default algorithm to encrypt the 
private key.  Without that option AES256-CBC is used instead and PBKDF2 
replaces the legacy PKCS#12 KDF to derive the encryption key.  Apple 
clients apparently only support the old PKCS#5 schemes.


I've added this to the known issues in the documentation [1].

Regards,
Tobias

[1] 
https://docs.strongswan.org/docs/5.9/interop/appleIkev2Profile.html#_known_issues

Re: [strongSwan] LIST_SA child_sa bytes-in values for passive connections

[Tobias Brunner]

Hi Philip,


 1. How can I detect whether a LIST_SA is reporting an active or passive
IKE_SA (Child_SA) connection?


The IKE_SA should have state PASSIVE set on the passive host and state 
ESTABLISHED on the active one.



 2. Are the Child_SA byte and packet counters always set to zero for a
passive connection?


I guess that depends on the direction and on whether the kernel is 
patched (see [1] for details).  But they will definitely not be accurate.


Regards,
Tobias

[1] 
https://docs.strongswan.org/docs/5.9/features/highAvailability.html#_kernel_implementation

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

[Tobias Brunner]

Hi Eric,


Does ".reauth_time” and leaving “break_before_make” alone force a reauth 
and certificate validity check on IKE/ISAKMP from non-cached crl’s?


Could you please clarify your question (e.g. why do you mention 
break_before_make in this context?


make_before_break defaults to no.  1) no interruptions in link 2) impact on CRL 
test


It does add a delay to the online certificate validation (via OCSP/CRL) 
on the client, but not change the basic functionality.  Instead of 
validating the certificate while the SA is created, the client waits 
until the new SA is fully established (and tears down the SA if the 
certificate is not valid).



what do you mean with "from non-cached CRLs”?


This was testing to see if it would pull the CRL on each wreath.  In my mind, 
if the CRL is hosted and changes and the CRL is never reloaded from its source, 
a revoked certificate can be used up until a start/restart occurs


It can be used as long as there is no CRL available that revokes it (or 
a negative OCSP response).  If a cached CRL (or OCSP response) is still 
valid, that's what will be used without fetching anything (if the fetch 
fails, the cached status will be accepted unless strict revocation 
checking is enabled).  A restart or purging CRLs/OCSP responses at 
runtime (e.g. via a cron job) will affect the in-memory cache (which 
could also be disabled completely), if CRLs are also cached on disk, 
they have to be removed manually.


As mentioned before, relatively short-lived delta CRLs can be used to 
trigger more frequent fetches (or use OCSP for even more current status 
reports).



are you considering setting reath_time on the client or the server -


Yes.  No effect on reload CRL


No, it does not affect how/when CRLs are fetched.  But without 
reauthentication, certificates are currently not re-checked at all (i.e. 
a client could keep the IKE_SA alive indefinitely).  If you configure it 
on the server, it either initiates a reauthentication itself, if it can 
due to the config, or it requests the client to reauthenticate (the 
IKE_SA is deleted if the client does not reauthenticate in time).



and with what type of authentication/config?


Certs for auth


OK, unless you use virtual IPs, then both peers can initiate a 
reauthentication.



why do you mention ISAKMP, are you actually considering using IKEv1?).


Not considering IKEv1


OK, good.


Looks like if the server cert is revoked, I will need to reach out to all spoke 
instances to bounce so they’ll find out it’s revoked.


They won't find out until (1) they reauthenticate/reestablish the IKE_SA 
and (2) they use a CRL that actually revokes the certificate.  Depending 
on how long the CRL is valid and the caching behavior (as discussed 
before) this can take a while.


Regards,
Tobias

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

[Tobias Brunner]

Hi Eric,

Does ".reauth_time” and leaving “break_before_make” alone force a 
reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s?


Could you please clarify your question (e.g. why do you mention 
break_before_make in this context? what do you mean with "from 
non-cached CRLs"? are you considering setting reath_time on the client 
or the server - and with what type of authentication/config? why do you 
mention ISAKMP, are you actually considering using IKEv1?).


Regards,
Tobias

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

[Tobias Brunner]

Hi Eric,

16[IKE] received end entity cert "CN=pfsense.semperen.net 
, C=US, ST=OH, L=Van Wert, O=The Semperen 
Group, OU=Network Operations"
16[CFG]   using certificate "CN=pfsense.semperen.net 
, C=US, ST=OH, L=Van Wert, O=The Semperen 
Group, OU=Network Operations"
16[CFG]   using trusted ca certificate "CN=semperen-ipsec-ca, C=US, 
ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG] checking certificate status of "CN=pfsense.semperen.net 
, C=US, ST=OH, L=Van Wert, O=The Semperen 
Group, OU=Network Operations"
 > 16[CFG]   fetching crl from 
'https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl 
' 
… 
16[CFG]   using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, 
L=Van Wert, O=The Semperen Group, OU=Network Operations"
16[CFG]   crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, 
L=Van Wert, O=The Semperen Group, OU=Network Operations"

16[CFG]   crl is valid: until Oct 13 19:33:11 2049
16[CFG] certificate status is good
16[CFG]   reached self-signed root ca with a path length of 0


This happens on demand when the peer certificate is verified, not when 
the daemon is started.


Regards,
Tobias

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

[Tobias Brunner]

Hi Eric,

What's the point of SS having an option to auto fetch a CRL at startup 


There is no such option.

Regards,
Tobias

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

[Tobias Brunner]

Hi Eric,

  When IKE reauthenticates the log says it is loading crl from the 
directory (which has nothing in it).


What exactly are you referring to here?  Logs?

 Also forcing “rereadcrls” doesn’t 
cause a new fetch.  “files” and “curl” plugins are loaded.


If there is a cached CRL (note that `cachecrls` refers to caching CRLs 
persistently in /etc/ipsec.d/crls, not the in-memory cache) that's still 
valid, there won't be a new fetch.  And the `rereadcrls` command has no 
effect on this as it only triggers a reload of CRLs from 
/etc/ipsec.d/crls, it does not purge any in-memory caches (try 
`purgecrls` for that).  Also see this thread [1].


Regards,
Tobias

[1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html

Re: [strongSwan] TPM 2.0 - unknown hash algorithm not supported by TPM

[Tobias Brunner]

Hi,


And the scheme detected is SIGN_RSA_EMSA_PKCS1_NULL 0x1


You can't use IKEv1 with TPM 2.0 because the latter doesn't support the 
former's legacy signature schemes.


Regards,
Tobias

Re: [strongSwan] Fwd: [tpm2] tpm2_import is modifying the keyid of my private key

[Tobias Brunner]

Cross-posted at [1].

Regards,
Tobias

[1] 
https://www.linuxquestions.org/questions/linux-software-2/tpm2_import-is-modifying-the-keyid-of-my-private-key-4175712044/

Re: [strongSwan] Strongswan network manager plugin 1.5.2 on linux doesn't clear resolv.conf on disconnection

[Tobias Brunner]

Hi Ettore,

Everything works great but on diconnect the resolv.conf file remains 
populated with dns adresses obtained from server on connection.

What can I do?


The NetworkManager backend (charon-nm), which is independent of the GUI 
plugin whose version you reference, does not load the resolve plugin, by 
default (i.e. it won't modify resolv.conf directly or via resolvconf). 
Make sure you didn't load it manually somehow [1].  Also, even if it's 
loaded, the DNS servers should get removed once the IKE_SA is terminated 
(check the log).


If the plugin is not loaded (i.e. the DNS servers are not installed by 
charon-nm), the file might get modified by NM (or some other component), 
so check for errors in other logs and for existing bug reports for these 
components.


Regards,
Tobias

[1] https://docs.strongswan.org/docs/5.9/plugins/pluginLoad.html

Re: [strongSwan] Android client not connecting with ECDSA certificate authentication

[Tobias Brunner]

Hi Ettore,

Apr 25 23:49:52 woppami charon: 08[CFG] looking for peer configs 
matching 192.168.1.8[.aaa.aaa]...ee.ff.gg.hh[b..aaa]

Apr 25 23:49:52 woppami charon: 08[CFG] no matching peer config found


Fix this.

Regards,
Tobias

Re: [strongSwan] strongswan client 5.6.2 on linux unable to use ECDSA certs or keys

[Tobias Brunner]

Hi Ettore,


I found strange that log claims about "RSA failed" instead od ECDSA.


You need at least 5.7.0 to parse keys other than RSA in charon-nm [1].

Regards,
Tobias

[1] 
https://github.com/strongswan/strongswan/commit/3a41febb1cd4851d56289497698feee0f7775365

Re: [strongSwan] How does strongswan handle renewed or expired CRLs?

[Tobias Brunner]

Hi Harri,


Even on
"ipsec rereadcrls" the new CRL was ignored.


This reads CRLs from /etc/ipsec.d/crls, nothing else.  To flush the
in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be
deleted manually from the directory above, note that that requires a
restart).



this is hard to anticipate. Running rereadcrls, why should I want to
prefer the cached CRLs over the CRLs to be found in the net? To avoid
a DNS lookup and a single web access?


You'd only run `rereadcrls` if you actually stored CRLs in that 
directory, in which case you probably updated them once you run that 
command.  On the other hand, if you generally fetch CRLs, there is no 
need to ever run that command, just run `purgecrls`.



Typically the PKIs create a CRL for lets say 30 days. In case of emergency
a new CRL might be issued on the next day. How is strongswan supposed
to be notified about this emergency? There is no flow of information here.


I guess that's just how CRLs work (see [1]).  If you want quicker 
revocation, use OCSP, delta CRLs that are released more often, or clear 
the cache manually to load the updated CRL if you know this happened.



I would suggest to invest into the web access at least once per day,
regardless when the CRL is supposed to expire. If the remote site is not
reachable, then we can fall back to the cached version.


We currently don't have the information when a CRL was fetched or cached 
(as mentioned, there are multiple caches/credential sets that can 
provide CRLs), so that's tricky to implement.  But I guess you could 
cron `purgecrls` daily (there is no fallback to a previous CRL then, 
though).  Regularly fetching the CRL manually and storing it in 
/etc/ipsec.d/crls, followed by `rereadcrls` and `purgecrls`, might also 
be an option.


Regards,
Tobias

[1] https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3

Re: [strongSwan] Configuration help request

[Tobias Brunner]

Hi Alexey,

07[CFG] looking for peer configs matching 
x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]

07[CFG] no matching peer config found
07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (80 bytes)

And the question is: why no matching peer found as peers and key is in 
place?


The peer proposes the IP addresses as identities (it's what you see in 
[] in the "looking for peer configs matching ..." log message), which 
clearly don't match "key" (whatever that is exactly).  So just remove 
those `id = key` lines (the default identities are the IP addresses) and 
associate the secret with y.y.y.y (i.e. set `id-1 = y.y.y.y` there).


Regards,
Tobias

Re: [strongSwan] Masquerade iptables statements override strongswan policies

[Tobias Brunner]

Hi,


However, clients on the
network behind the pi seem to have issues sending traffic over tunnels
unless I remove my masquerading iptables configuration; specifically, this
one:

  Chain POSTROUTING (policy ACCEPT)
  target prot opt source   destination
  MASQUERADE  all  --  anywhere anywhere


Please see [1].

Regards,
Tobias

[1] 
https://docs.strongswan.org/strongswan-docs/5.9/howtos/forwarding.html#_general_nat_problems

Re: [strongSwan] How does strongswan handle renewed or expired CRLs?

[Tobias Brunner]

Hi Harri,


Apparently certificate revocation lists have an expiration date. AFAIU
this is the maximum time a CRL should be cached.


Technically, it's the date by which the next CRL will be issued.  A CRL 
is considered valid until that date.



I had revoked a few road-warrior certificates and put a new CRL on
my web server within this grace period, but strongswan refused to
check the URL for an update, as Apache's access.log shows.


strongSwan only checks the URL if no valid CRL is found locally. 
Either manually installed or cached (in-memory and, if charon.cache_crls 
and/or cachecrls in config setup is enabled, on disk).



Even on
"ipsec rereadcrls" the new CRL was ignored.


This reads CRLs from /etc/ipsec.d/crls, nothing else.  To flush the 
in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be 
deleted manually from the directory above, note that that requires a 
restart).



And a related question: Do I have to assume that all road-warrior
certificates become unusable, if the CRL mentioned in the certificates
expires?


Only if strictcrlpolicy is enabled (revocation in swanctl.conf).

Regards,
Tobias

Re: [strongSwan] GRE over IPSec dual connections from road warriors strange behavior

[Tobias Brunner]

Hi John,


I have looked at the logs and they list only information about the IPSec 
tunnels(which
typically work) and nothing about the GRE.


That's mainly because GRE tunnels, without key/seq, are basically 
stateless (nothing is negotiated, if there are transmit errors you'd see 
that only in the link/tunnel stats, if at all).



The main issue is the IPSec tunnels come
up fine but the GRE tunnels cannot send data. Either one or both GRE tunnels 
cannot send data.


You should check the traffic stats for the IPsec tunnels and GRE 
interfaces (`ip -s ...`) to see what exactly is sent/received, if 
possible also on the other end.


The debug logs from the Cisco end show that the tunnels come up and are torn down by the 
strongswan end.


Due to DPD?  Or what's the reason they are torn down?


The dropped packets all happen at the RUT-950 end


How did you determine that?

Regards,
Tobias

Re: [strongSwan] SAs do not establish with OpenBSD iked

[Tobias Brunner]

Hi,


Mon, 2022-03-28, 10:15:36 05[CFG] conn OPENBSD_GW
Mon, 2022-03-28, 10:15:36 05[CFG]   left=192.168.13.1
Mon, 2022-03-28, 10:15:36 05[CFG]   leftsubnet=192.168.13.0/24
Mon, 2022-03-28, 10:15:36 05[CFG]   leftauth=secret
Mon, 2022-03-28, 10:15:36 05[CFG]   leftid=swan.example.com
Mon, 2022-03-28, 10:15:36 05[CFG]   right=10.1.1.9
Mon, 2022-03-28, 10:15:36 05[CFG]   rightsubnet=192.168.253.0/27
Mon, 2022-03-28, 10:15:36 05[CFG]   rightid=openbsd
Mon, 2022-03-28, 10:15:36 05[CFG]   ike=aes256-sha512-modp4096
Mon, 2022-03-28, 10:15:36 05[CFG]   esp=aes256-sha512-modp4096
Mon, 2022-03-28, 10:15:36 05[CFG]   dpddelay=30
Mon, 2022-03-28, 10:15:36 05[CFG]   dpdtimeout=150
Mon, 2022-03-28, 10:15:36 05[CFG]   sha256_96=no
Mon, 2022-03-28, 10:15:36 05[CFG]   mediation=no
Mon, 2022-03-28, 10:15:36 05[CFG]   keyexchange=ikev2


`rightauth=secret` is missing here (it defaults to pubkey).

Regards,
Tobias

Re: [strongSwan] SAs do not establish with OpenBSD iked

[Tobias Brunner]

Hi,

Please add the strongSwan log (see [1] for a config snippet).

Regards,
Tobias

[1] 
https://docs.strongswan.org/strongswan-docs/5.9/support/helpRequests.html#_configuration_snippets

Re: [strongSwan] Route-Based Site-to-site VPN

[Tobias Brunner]

Hi Ed,

how would i go about installing routes in a higher priority 
table for the new site-to-site i want to configure?


strongSwan installs routes in table 220 (see `ip route list table 220`), 
which has priority 220 (see `ip rule` if the daemon is running).  So you 
have to install your routes in a table that has higher priority (lower 
numeric value) than that.  See the man pages for `ip rule` and `ip 
route` for details.


How can i see charon installed routes? Are these the ones i see with ip 
xfrm policy?


No, those are the IPsec policies.  They are independent of the routing 
decision (which happens before checking for matching policies).



So, if i do

ip tunnel add vti100 local X.X.X.X remote Y.Y.Y.Y mode vti key 111

ip link set vti0 up

ip route add 10.0.10.0/24 dev vti100

Would that be sufficient at least for this /24?


You probably want to add `src 192.168.132.20` to your `ip route add` 
command so that address is used as source and not e.g. X.X.X.X.  And if 
automatic routes are installed for other connections, installing in the 
main routing table might not work if there are any conflicts (if so, 
install the route in a higher-priority table).


Regards,
Tobias

Re: [strongSwan] Route-Based Site-to-site VPN

[Tobias Brunner]

Hi Ed,

Would that have any effect on the rest of my tunnels? What does 
disabling route installation by the IKE daemon means exactly in this 
case and why is it needed?


The main reason for the automatic route installation is to select a 
specific source IP (one contained in the local traffic selectors) to 
send packets that originate from the IPsec gateway itself through the 
tunnel.  Otherwise, the packets won't match the negotiated IPsec policies.


For instance, in our testing environment, if gateways moon and sun 
negotiate a tunnel between 10.1.0.0/16 and 10.2.0.0/16, we want to make 
sure that moon uses 10.1.0.1 when sending packets to hosts in 
10.2.0.0/16 and not 192.168.0.1, which its default route might indicate. 
 So a specific route to 10.2.0.0/16 is installed in table 220 that 
lists 10.1.0.1 as preferred source address.


Whether such routes are necessary depends on the negotiated traffic 
selectors, the existing (or any manually installed) routes, and whether 
the gateway is only forwarding traffic (in which case existing routes 
might already cover the traffic) or is actually sending traffic to 
remote hosts itself.


Anyway, with any of the route-based approaches the automatically 
installed routes are generally not correct (they go via physical 
interfaces), which is why charon.install_routes should be disabled and 
routes via tunnel interfaces have to be managed externally (installing 
them in routing tables that have higher priority than the one strongSwan 
uses is also an option to still use automatic routes for policy-based 
tunnels).


Regards,
Tobias

Re: [strongSwan] Multiple subnets in local_ts not installing desired route

[Tobias Brunner]

Hi Jonathan,

I have tried inverting the local_ts list, and using traffic selectors 
(although I’d need a wildcard), but haven’t been able to make it work. I 
have no idea how Strongswan chooses the interface it sets up in the 
routing table.


A route is installed for every outbound IPsec policy.  The source IP 
selected for each is the first address found that's contained in the 
local traffic selector.


In your case, there will be two policies, however, both have the same 
remote selector/subnet, so there will only be one route.  That is, when 
the second policy is installed, the route installed with the first is 
replaced/updated.  Since the traffic selectors are sorted (makes 
comparing and narrowing them easier), it will always be an address in 
10.200.209.0/24 that ends up in the route.


There is currently no way to change or control this behavior.  So you 
basically have two options, disable automatic route installation 
completely (charon.install_routes) and install your own routes (might 
not even be necessary depending on your existing routes), or renumber 
your subnets so the one you want to ignore comes first when sorted.


Regards,
Tobias

Re: [strongSwan] tunnel stuck, won’t seem to timeout and can’t manually delete either

[Tobias Brunner]

Hi David,


I didn’t mention that we have Strongswan running in a high-availability setup, there is a 
msg referring to "segment 1" in the log. I don’t think that has anything to do 
with the issue with tunnel 68486, just wanted to mention it.


I wouldn't rule that out completely.  There is definitely something 
weird going on here:



Jan 31 11:24:05.815 08[IKE]  queueing IKE_DPD task
Jan 31 11:24:05.815 08[IKE]  activating new tasks
Jan 31 11:24:05.815 08[IKE]activating IKE_DPD task
Jan 31 11:24:09.815 14[IKE]  retransmit 1 of request with 
message ID 0


We see that the DPD is initiated and a first retransmit is sent four 
seconds after the initial message (we don't see that explicitly in the 
log, but lets assume there was a message sent).  But now the second 
retransmit is only sent after a very long delay (over twelve hours):



Feb  1 00:01:36.311 10[IKE]  retransmit 2 of request with 
message ID 0


That doesn't really make sense.  What retransmission settings [1] have 
you configured?


Also, not sure what log settings you used, but there are definitely 
messages missing that could be helpful.  See [2] for basic debug log 
settings, however, in this case log messages on level 2 for the job 
subsystem might also be helpful (so maybe don't set that to 1 if you use 
the log snippet).


Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
[2] 
https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets

Re: [strongSwan] tunnel stuck, won’t seem to timeout and can’t manually delete either

[Tobias Brunner]

Hi Dave,

We need more of the log to see what exactly is happening with the IKE_SA 
with unique ID 68486 before it got stuck in this state (or the SA before 
if there were any IKE_SA rekeyings).


Regards,
Tobias

Re: [strongSwan] Reinventing the wheel (not): updown and multiple children

[Tobias Brunner]

Hi Carlos,


I'm trying to come up with an updown script for xfrm interface handling.
So far I've managed to get routed working, now I want to have policy
based VPNs covered too.

But then I assume I have to create the XFRM only if it's not there
already, and then manage adding routes to a table much like starter does.

Is there an easy way to know when to remove the interface ?
(so last updown call actually deletes the interface when going down)
Counting would be the sure way, but may be there's a hook already built in ?


If your goal is that all children share the same interface, you can 
create one in the ike-updown VICI event (not the updown script, which is 
called for every combination of local and remote TS of every CHILD_SA). 
 There is an example script [1] in the route-based/net2net-xfrmi-ike 
test scenario [2].  You could also create the interface independent of 
any IKE or Child SA related events e.g. via charon.start-scripts or when 
the system starts.


Regards,
Tobias

[1] 
https://github.com/strongswan/strongswan/blob/master/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py
[2] 
https://www.strongswan.org/testing/testresults/route-based/net2net-xfrmi-ike/

Re: [strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

[Tobias Brunner]

Hi Marcel,

I am connecting multiple XFRM interfaces, each being in a different VRF, 
between two servers running strongSwan 5.9.4.


As I am running dynamic routing protocols over those XFRM interfaces, 
all traffic selectors of the CHILD_SAs have been set to 0.0.0.0/0 & ::/0.


Now, the responder is not being able to distinguish between the 
CHILD_SAs anymore (due to the same TS) for one IKE_SA and all the 
CHILD_SAs of the initiator end up in the same (the first) CHILD_SA in 
the responder, meaning the different XFRM interfaces of the initiator 
are being terminated all in the same XFRM interface of the responder.


My current workaround is to create one IKE_SA per CHILD_SA as I am able 
to set the local and remote ID in the IKE_SA and use these to 
distinguish the tunnels as the local and remote addresses are the same 
aswell. Unfortunately. the CHILD_SA parameter "reqid" is a local setting 
only and looking at the docs I can't see another way to set some "ID" of 
some sort to be able to distinguish between overlapping/identical 
traffic selectors. Am I missing something here or is this the only 
possible workaround?


The labeled-ipsec branch might be of interest to you (still experimental 
and undergoing some major changes in the near future).  In a non-SELinux 
mode (in the current branch just don't compile with --enable-selinux), 
the labels simply act as additional identifier/selector on the IKEv2 
layer when negotiating CHILD_SAs and selecting child configs.  This 
allows using the label like a transmitted mark/if_id.


Regards,
Tobias

Re: [strongSwan] IPSEC IKEv2 disconnecting after ~8 hours - Windows 10 Client

[Tobias Brunner]

Hi Ed,


I added reauth=no to the config now. Lets see if it rekeys.


It won't if you kept rekey=no in your config, that disables rekeying and 
reauthentication (all settings related to rekeying/lifetimes etc. are 
ignored).


Regards,
Tobias

Re: [strongSwan] IPSEC IKEv2 disconnecting after ~8 hours - Windows 10 Client

[Tobias Brunner]

Hi Ed,

I did change ikelifetime to 360m (6 hrs) but i 
am still having issues. Could that still be the cipher?


No, you want to disable reauthentication (reauth=no) so the IKE_SA is 
actually rekeyed to avoid this error:


These are the logs after modifying ikelifetime so thst the strongswan 
server initiates the rekey before windows ->



charon: 06[IKE] initiator did not reauthenticate as requested

charon: 06[IKE] IKE_SA VPN_x_[71277] will timeout in 3 minutes


A related ticket can be found at [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/issues/3400

Re: [strongSwan] disable sending vendor id

[Tobias Brunner]

Hi Marco,


kindly, I would like to know if there is a way to
make strongswan not send the 'vendor id'.


There is currently no option to generally disable Vendor IDs as some are 
basically integral part of IKEv1 e.g. to use XAuth or DPDs, and 
especially to negotiate NAT-Traversal (only the strongSwan and Cisco 
Unity vendor IDs can be disabled with individual settings, both are 
disabled by default).


Better use IKEv2 anyway.

Regards,
Tobias

Re: [strongSwan] EAP-AKA Configuration

[Tobias Brunner]

Hi Vlad,

I'm trying to use a SIM card for EAP-AKA ,how can I configure strongswan 
to get the quintuplets from the SIM card using a sim card reader?  All I 
found is that some of you put the K in the ipsec.secrets but I don't 
want to do that I want to use the SIM, is that possible?


You have to write a custom implementation of the simaka_card_t interface 
that implements the get_quintuplet() method [1].  Examples can be found 
in the eap_aka_3gpp, eap-aka-3gpp2, and eap-simaka-sql plugins (there 
are others that implement the get_triplet() method for EAP-SIM e.g. 
eap-sim-file or eap-sim-pcsc).


Regards,
Tobias

[1] 
https://github.com/strongswan/strongswan/blob/master/src/libsimaka/simaka_card.h

Re: [strongSwan] charon appears to either crash and/or restart during HA takeover

[Tobias Brunner]

Hi Dave,


 1. *The crash appears to have been caused by the “pulling message
failed condition?*


While there is a similar log message in the upstream ha plugin (ours 
logs the system error too), you seem to be using a patched version (all 
those "HA:" log messages are not in our code base, neither does the 
upstream plugin use sockets that could be reset/disconnected).  So 
please contact the devs of those changes.



 2. *I don’t find a core anywhere, should charon have generated a core
as result of the “thread 5 received 11” condition?*


Depends on your system settings.


 3. *Are there significant HA fixes/enhancements in strongswan 5.9.x ?
Maybe we should upgrade?*


Not since 5.8.0, but using current versions is recommended anyway.

Regards,
Tobias

Re: [strongSwan] kmod-libipsec issue with L2TP/IPSEC

[Tobias Brunner]

Hi,


I am trying to setup a VPN server on openWRT x86 platform.
The VPN server will serve both site-to-site and remote access vpn.

To accomplish this- I am using strongSwan 5.6.3 along with xl2tpd for 
the remote access vpn part.


Why not IKEv2 with IPsec in tunnel mode without IKEv1 and L2TP?

Issue is when I load kmod-libipsec in charon I can't establish the l2tp 
connection.


Definitely not if you have to use transport mode as libipsec only 
supports tunnel mode (see the error messages in the log).  If you can't 
change the config accordingly, you can't use libipsec.


Meanwhile there is ipsec0 interface in the ifconfig and site to site 
tunnel works.


If kmod-libipsec is not loaded remote vpn works but cant establish the 
site to site vpn part.


Why is that?  You should be able to set up a site-to-site tunnel without 
issues using the kernel's IPsec implementation.


Regards,
Tobias

Re: [strongSwan] Multiple Win10 roadwarrior clients on the same NATted network

[Tobias Brunner]

Hi Lorenzo,


I remember about the inability to have more than one IPSec roadwarrior client on the same 
NATted network. I've been searching for hours but couldn't find if this is 
"still" a thing.
The more explicit and recent article on the subject I found is this[1], which 
basically lowers the security of the VPN client, but should allow multiple 
clients in the same network to connect. I cannot make tests at the moment, I'm 
just investigating on possible solution, so I was wondering if someone knows 
more in detail how it works.


Just use IKEv2 and you won't have those NAT issues that occur with L2TP 
and IPsec in transport mode (although, the Windows IKEv2 client has 
other issues and limitations [1]).


Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients

Re: [strongSwan] IKEv2 not able to get past server keep alive?

[Tobias Brunner]

Hi Jody,


It apparently can see the authentication and says it’s good


It doesn't, only its own authentication is successful (read the log more 
closely).  For the client, it requests EAP authentication in the 
IKE_AUTH response, but since there never is a follow up IKE_AUTH 
request, the IKE_SA is not completed and gets destroyed after a while.


Either the client doesn't like the server certificate (e.g. because it's 
expired or it doesn't trust the issuing CA - or a required intermediate 
CA certificate is missing -, the identity, i.e. server IP, seems to be 
fine and match the certificate as the server uses that itself), or it 
doesn't receive the IKE_AUTH response at all (while it is fragmented 
into two fragments, the first might still be too large, reducing 
charon.fragment_size might help).


Regards,
Tobias

Re: [strongSwan] IKEV2 Support for 96-bit HMAC-SHA-256

[Tobias Brunner]

Hi Obi,

Is there a way to check 
this during runtime?


ipsec statusall

How to go about from here if pfkey is used to support the 
AUTH_HMAC_SHA2_256_96 algorithm?


Disable it, you don't want to use it on Linux.

Regards,
Tobias

Re: [strongSwan] IKEV2 Support for 96-bit HMAC-SHA-256

[Tobias Brunner]

Hi Obi,


The environment is Stronswan version 5.5.3, Linux kernel 4.1.52.


Were there any patches applied?  Are you sure you're using the 
kernel-netlink and not the kernel-pfkey plugin?  Because since 4.3.6 
there is a static mapping in the kernel-netlink plugin from 
AUTH_HMAC_SHA2_256_96 to "sha256" (instead of "hmac(sha256)").  So with 
any version newer than that, there should never be this message:



algorithm HMAC_SHA2_256_96 not supported by kernel!


Unless the integrity_algs array was deliberately modified or you are not 
using the kernel-netlink plugin.


Regards,
Tobias

Re: [strongSwan] How to route all client traffic through the server?

[Tobias Brunner]

Hi Neddie,


However, nothing is added to the client's route table. The output from the 
command:

ip r


strongSwan installs routes in table 220, so check `ip route list table 
220` and read the log if there is no route listed.


Regards,
Tobias

Re: [strongSwan] OPNsense - phase 2 SAs being dropped for no apparent reason

[Tobias Brunner]

Hi Patrick,


The phase 1 entries are all set to "start immediately" - these are all 24x7
pre-configured connections, though we use IKE, of course, and not manual SPDs.


If there always is outbound traffic from your side, change the config to 
something that results in auto=route instead of auto=start, so the 
tunnel will automatically get (re-)created on matching traffic.  But 
investigating why it gets closed by the peer in the first place might 
also be worthwhile (might be some inactivity timeout, which would 
contradict the "always traffic" claim, or an issue during rekeying - 
you'll have to analyze the logs).


Regards,
Tobias

Re: [strongSwan] problem with IOS / Iphone, android works okay, please help :)

[Tobias Brunner]

Hi Lewis,


Oct  7 15:27:19 charon[21758]: 12[TLS] no trusted certificate found for
'user' to verify TLS peer


Is "user" a subjectAltName in the client certificate?

Regards,
Tobias

Re: [strongSwan] IPIP virtual interface experiencing discards

[Tobias Brunner]

Hi Edvinas,


Any help ? Thanks


Please do not cross-post [1].

Regards,
Tobias

[1] https://github.com/strongswan/strongswan/discussions/655

Re: [strongSwan] IKEv2 Initiator for Site-to-site to SonicWALL

[Tobias Brunner]

Hi Sasha,

However, this example and all discussion of such scenarios I have found 
uses the legacy ipsec.conf config.  Have I somehow misinterpreted how to 
implement this scenario using the modern swanctl.conf configuration?


Possibly, who can say without configs or logs [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Re: [strongSwan] Py-vici reported outdated on repology

[Tobias Brunner]

Hi Dries,

Following Projects list - Repology 
 
it seems the package is outdated and a 5.9.3 package should be available?


It apparently picked up a package Noel created for Alpine Linux.  The 
vici Python bindings don't have their own version number, it's simply 
derived from whatever the current PACKAGE_VERSION in configure is.  So 
if a Python package is created from the current repository/tarball, 
chances are that it will have a higher version number than the latest 
release on PyPI, which is only updated after changes to the bindings.



Is it possible the python package on PyPi hasn’t been updated yet?


There has only been one change to the Python bindings since 5.8.4, which 
fixes a mainly cosmetic issue for error messages (changes their encoding 
to avoid a b'' wrapper when printed).  That was released with 5.9.2 (see 
[1]).  I either forgot or didn't deem this change significant enough to 
push an update to PyPI after the 5.9.2 release.


I've now pushed one (version is 5.9.3), which also updates some metadata 
regarding supported Python 3 versions.


Regards,
Tobias

[1] 
https://github.com/strongswan/strongswan/commit/2610cd792832b21391f9b39c05bdd8944966de27

Re: [strongSwan] strongswan no shared key found

[Tobias Brunner]

Hi,


[ENC] generating QUICK_MODE request 925866246 [ HASH SA No ID ID ]
[NET] sending packet: from locip[500] to ipsecip[500] (172 bytes)
[NET] received packet: from ipsecip[500] to locip[500] (108 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3675363864 [ HASH N((24576)) ]
[IKE] received (24576) notify
[NET] received packet: from ipsecip[500] to locip[500] (92 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2592328021 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify

Does anyone know how I could proceed?


You received a NO_PROPOSAL_CHOSEN notify to the Quick Mode request, so 
what you configured in esp_proposals or mode is apparently not what the 
peer expected.  Maybe there is no PFS, so try removing modp1024 from the 
ESP proposal.  Or it should be tunnel mode, i.e. set mode=tunnel (or 
remove the setting), with or without PFS.  If none of that works, 
contact the admins to learn what the correct settings actually are (of 
course, you should have started with that in the first place :).


Regards,
Tobias

Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

[Tobias Brunner]

Hi Tiago,


Pings from the Linux system are being seem as errors NoRoute by the tunnel. > 
...
Shunted Connections:
Bypass LAN 10.10.10.0/30:  10.10.10.0/30 === 10.10.10.0/30 PASS


The reason is most likely this passthrough IPsec policy installed by the 
bypass-lan plugin for the subnet that is reachable (according to the 
main routing table) via ip_vti1.  For a ping from 10.10.10.2 to 
10.10.10.1, the VTI interface won't find an IPsec policy to protect the 
packet (the passthrough policy has a higher priority), so it gets dropped.


To avoid that, either install the routes via VTI in table 220 (which is 
ignored by the bypass-lan plugin automatically), exclude the VTI 
interface explicitly via charon.plugins.bypass-lan.interfaces_ignore, or 
just disable the bypass-lan plugin completely if you don't need it.


Regards,
Tobias

Re: [strongSwan] Strongswan 5.6.1 X509 certificate validation

[Tobias Brunner]

Hi Philip,

The Ubuntu strongSwan 5.6.1 base application I am working with validates 
certificates wth CRLs using OpenSSL before installing all certs and CRLs 
  via a VICI interface.


·I am surprised to see this code as I thought it would be part of 
strongSwan certification validation.


·I have not yet found any words that describe what certificate 
validation is performed by strongSwan.


Please point me at the words that describe how strongSwan validates 
certificates against ICA and CA certificates, and also CRLs.


Locally loaded certificates are never checked against CRLs or via OCSP. 
 That only happens for certificates received from peers and requires 
the revocation plugin and a fetcher plugin (e.g. curl), and for OCSP, 
the x509 plugin is required too.


A trust chain is built for local certificates if the corresponding CA 
certificates are available, but that's only done to determine the 
intermediate CA certificates that might have to be sent to peers.  An 
invalid or incomplete trust chain for local certificates won't result in 
an immediate failure (authentication might still fail on the peer if 
intermediate CA certificates are not sent, or certificates have expired 
or were revoked).


So if you want to make absolutely certain that the locally installed 
certificates are valid, you might need such an external validation 
before installing them.  Instead of using OpenSSL this could also be 
done via `pki --verify` if it's available [1] (the `--online` option 
requires the same plugins I mentioned above).


Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiVerify

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

[Tobias Brunner]

Hi,


error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out


Why are you using kernel-libipsec [1] on your hub?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec

Re: [strongSwan] site-to-site tunnel, ping doesn't work.

[Tobias Brunner]

Hi Carl-Clemens,


i've installed strongswan on debiann 11. i've configured an
ipsec-PSK-site-to-site tunnel on both sides via /etc/ipsec.conf and
/etc/ipsec.secrets.

1. I miss a strongswan.service-file now.


If you just install the strongswan package (which in turn installs the 
strongswan-charon and strongswan-starter packages and their 
dependencies), you won't get that as the service file for the legacy 
starter/charon daemons is called strongswan-starter.service.


The strongswan.service file is provided by the charon-systemd package 
for the daemon of the same name (requires configuration via swanctl.conf 
instead of ipsec.conf).



2. Ipsec-Tunnel is established, but i can't ping. (telnet also doesnt
work)


Please see [1].

Regards,
Tobias

[1] 
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Re: [strongSwan] DPD and rekeying useless for road^w home warriors

[Tobias Brunner]

Hi Kajetan,


How is it supposed to work in real life?


Maybe by force-sending NAT keepalives (IKE messages with a single byte 
as payload), which are usually only sent if a NAT is detected (and only 
by the client behind the NAT, and only if there was no outbound 
traffic).  However, since they are not answered, a firewall might still 
delete the state.  Also, many clients probably won't support this, and 
sending them from the server might not keep the state alive (again, the 
client won't send anything from behind the firewall as a response). 
I've no practical experience, so no idea how firewalls would actually 
behave.


An alternative would be to force-send DPDs (i.e. only consider if IKE 
traffic was exchanged and ignore any IPsec traffic that might have been 
received) and possibly with a lower interval.  That could be done from 
the client or the server I guess, but on the server, the number of 
retransmits might have to be increased to allow clients to roam around 
for a while without connectivity (not a problem if your clients are not 
mobile).


Note that strongSwan currently supports neither of these two options. 
So the only solution then is probably to delay initiating any exchanges 
from the server for a long time (i.e. use high DPD and rekey intervals), 
so clients are responsible for keeping the IKE_SAs alive.


A similar problem might occur if there was no ESP traffic for a while 
and that state was susequently closed, so traffic from the server would 
get dropped unless the client starts sending first.  The IKE daemon 
couldn't really do anything about that.



For clients connecting over
IPv4 I *think* this works fine because of active traffic being
encapsulated in UDP 4500.


That's the case if a NAT is detected (fake or real) and it works the 
same for IPv6.



Support for IPv6 UDP IPsec has been added only
recently to Linux kernel and I'm not even sure if Windows or Mac OS
clients can do this.


No idea if they do.  You could try forcing UDP encap on the server 
(fakes a NAT situation) to see how these clients react when connecting 
via IPv6.



Also - why go with UDP at all? Pure ESP has lower
overhead, doesn't it?


Yes, avoid UDP encap whenever possible.


When I started developing the VPN solution, I came across the problem
that clients (mostly Windows and Mac) sometimes loose connection
(problems at ISP, at home WiFi, having the laptop sleep, etc), reconnect
and demand the same IP address. This address is granted by Strongswan
but it is impossible to install policies in Kernel as the old ones still
exist.


Not sure if this is the same issue as the one in [1], but there was a 
fix for that in 5.9.2.  An alternative would be to enforce a uniqueness 
policy (only allows a single IKE_SA per client identity, though).



I have given up on rekeying, timers are set to some absurd values
ensuring that clients can work fine the whole day.


Yeah, some proprietary clients don't like it if the server initiates 
rekeyings (or they implement it incorrectly).


Regards,
Tobias

[1] https://wiki.strongswan.org/issues/3541

Re: [strongSwan] Establishing IKE_SA failed, peer not responding

[Tobias Brunner]

Hi Marcelo,

The first two Main Mode exchanges apparently work fine, but then there 
is no response to the third request, which is encrypted.  So it's 
possible that the PSK is incorrect and the peer can't decrypt the message.


Regards,
Tobias

Re: [strongSwan] Query on INITIAL_CONTACT

[Tobias Brunner]

INITIAL_CONTACT (while acting as initiator) has been a day-1 
behaviour on StrongSwan (please do correct if this understanding is 
incorrect).


No, but it has been sent as initiator since 4.5.1 (assuming you are 
referring to IKEv2).


Regards,
Tobias

Re: [strongSwan] Query on INITIAL_CONTACT

[Tobias Brunner]

Hi Mohit,

This text seems to indicate that StrongSwan sends out INITIAL_CONTACT 
when it is acting as an initiator unless the above option is set to 'never'.


My question is if this has been the behaviour of StrongSwan's 
implementation since day-1? If a device is using an older version of 
StrongSwan's implementation, will the above documented behaviour hold true?


Older versions (before 5.6.1) also didn't send the notify when the value 
was set to "no".


Regards,
Tobias

Re: [strongSwan] IKEv2 + MFA with RADIUS

[Tobias Brunner]

Hi Mike,

We have rightauth set to eap-radius, but I’m yet to find a way of 
changing the EAP method.


That's the RADIUS server's job, so you should probably contact your 
provider.  It has to request the EAP method it requires to authenticate 
the clients (it's interesting that it starts with EAP-MD5).  However, if 
the client responds with an expanded Nak message, which lists the EAP 
methods it supports or wants to use, the server might not be able to 
initiate a method for which it actually supports MFA.  So depending on 
the client's supported EAP methods, this might not be possible at all.


Regards,
Tobias

Re: [strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

[Tobias Brunner]

Hi David,


Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported,
sending EAP_NAK


Make sure the eap-identity plugin is installed (see [1]).

Regards,
Tobias

[1] 
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing

Re: [strongSwan] question about DPD

[Tobias Brunner]

Hi Harri,


question about DPD in a road-warrior configuration: Is it
sufficient for either side to answer DPD packets, or should
both sides run their own DPD in parallel, independent from
the DPD sent by their peer?


DPDs are INFORMATIONAL exchanges, so both peers will send a message in a 
single DPD exchange, doesn't really matter which peer initiates it. 
However, in road warrior setups with mobile clients it's usually better 
if the server doesn't send DPDs for a relatively long time as it might 
otherwise remove state when a client is asleep or roaming about for a 
while.  Keeping the state allows such clients to quickly restore 
connectivity via MOBIKE.



Reason for asking is, I have the impression that some home
office gateways keep track only of the outgoing traffic
(laptop to VPN gateway) to keep their stateful firewall
alive, ignoring incoming DPD traffic sent by the VPN gateway.


Again, DPDs are exchanges, so for any inbound INFORMATIONAL request 
there will be an outbound INFORMATIONAL response.


But DPDs are not really intended to keep firewall or NAT mappings alive, 
as they are usually sent only if no packet (IKE or ESP) has been 
_received_ from the peer for the configured DPD delay (which might also 
be longer that the lifetime of firewall/NAT mappings).


If a client is behind a NAT, there is a second mechanism that prevents 
NAT mappings from disappearing, NAT keepalives, which use the opposite 
trigger, i.e. they are sent if no other traffic (IKE or ESP) has been 
_sent_ to the peer.  However, for strongSwan, there is currently no 
option to force sending such keepalives if there is no NAT (e.g. to keep 
firewall states alive).  If there is a NAT, you might have to adjust the 
keepalive interval if the NAT mappings/firewall states disappear often 
(depends on the client if you can actually adjust that).


Regards,
Tobias

Re: [strongSwan] activate only a small part of a right subnet

[Tobias Brunner]

Hi,

> If I change the 
> rightsubnet to only use this one host, the tunnel will not properly come 
> up, as it does not match the partner settings anymore.

This is called traffic selector (TS) narrowing, and it's one of the
major improvements of IKEv2 over IKEv1.  Unfortunately, some IKEv2
implementations are just minimally patched IKEv1 implementations, so
they don't support narrowing (or multiple TS per CHILD_SA).  I think
this violates RFC 7296, section 2.9 (see [1]), so you may want to report
that to the remote admins.

> Is there a way to 
> build the SA with the large subnet, but internally only add routes for a 
> smaller subnet?

Theoretically, yes.  But there are no configuration options for it.  You
could disable policy installation (installpolicy=no) and do that
manually in an updown script (a route might also be necessary), or you
could write a custom plugin that narrows the local TS before policies
for the IPsec SAs are installed (NARROW_INITIATOR_POST_*).

However, both approaches get complicated by your using traps
(auto=route).   If you disable policy installation, you'd need to
install those trap policies manually too (and the updown script is not
called at that point, so you'd need to do that outside e.g. from a start
script).
And if you don't disable the policy installation and go the plugin
route, you'd need the outbound trap policy (i.e. your configuration) to
be narrow already (it would otherwise capture all traffic to the larger
remote subnet even if the eventually installed policy is narrowed,
because the whole point is to send matching traffic through the IPsec SA
once it exists), then a larger TS has to be negotiated and then a
narrowed TS should again be used when installing policies for the
negotiated IPsec SAs.  That could be done from a plugin as you can, as
mentioned above, change the TS before they are installed and also before
they are sent (NARROW_INITIATOR_PRE_*).  So that's possible but maybe
not that easy if you're not familiar with the codebase.

A simpler alternative could be to install bypass policies for the parts
of the remote TS you don't want to tunnel.  These policies have a higher
priority than regular or trap policies, so traffic matching those
destinations won't trigger traps or get tunneled later.  For instance,
if you have 172.16.0.0/12 as remote subnet and only want to tunnel
traffic to 172.16.4.53/32 (I don't know the actual IP, so...) you need
to add a passthrough connection (see [2]) with the following:


rightsubnet=172.16.0.0/22,172.16.4.0/27,172.16.4.32/28,172.16.4.48/30,172.16.4.52/32,172.16.4.54/31,172.16.4.56/29,172.16.4.64/26,172.16.4.128/25,172.16.5.0/24,172.16.6.0/23,172.16.8.0/21,172.16.16.0/20,172.16.32.0/19,172.16.64.0/18,172.16.128.0/17,172.17.0.0/16,172.18.0.0/15,172.20.0.0/14,172.24.0.0/13

Regards,
Tobias

[1] https://datatracker.ietf.org/doc/html/rfc7296#section-2.9
[2]
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Passthrough-policy

Re: [strongSwan] Android App - Server IPv6

[Tobias Brunner]

Hi Claude,

> I'm trying to force my Android Strongswan app to use IPv6 to connect to
> our VPN server. However it seems that the app is trying to do a DNS
> resolution on the IPv6 address instead of using it as it is. Do I need
> to respect a specific format (quotes,...) if I use an IPv6 address ?

No, any valid IPv6 address should work.  However, have you enabled the
"Use IPv6 transport addresses" option in the advanced profile settings?

Regards,
Tobias

Re: [strongSwan] migrating from swanctl to networkmanager

[Tobias Brunner]

Hi Marc,

> The line C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID might
> be the root cause

Seems likely as it apparently happens when enumerating the certificates
on the token.

The attributes we request from the token when enumerating certificate
objects are CKA_VALUE, CKA_LABEL and CKA_TRUSTED, it might be the latter
that causes the error.

Currently, there is a check that disables requesting the attribute for
PKCS#11 libraries that announce a version < 2.20.  But there is probably
no guarantee that the attribute can be provided even for current
implementations (the spec lists it in a table of "common" certificate
object attributes without a default value).

However, according to the PKCS#11 spec, the observed return value is not
an actual error.  It just indicates that at least one attribute was
invalid and could not be retrieved from the object (those attributes are
marked with CK_UNAVAILABLE_INFORMATION via their length field).  The
token still must have processed all other requested attributes (i.e. we
should get the certificate and label back anyway).  So I guess we could
handle this a bit more lenient.

I pushed a potential fix to the pkcs11-attributes branch.

Regards,
Tobias

Re: [strongSwan] NO_PROPOSAL_CHOSEN when using 5.6.2 on Ubuntu 18.04

[Tobias Brunner]

Hi Karuna,

> @Tobias Brunner <mailto:tob...@strongswan.org> do you have any inputs on
> this issue?

Make sure your config file uses Unix line endings (\n) and not Windows
(\r\n), which the file you sent does.

Regards,
Tobias

Re: [strongSwan] FreeBSD endpoints issue

[Tobias Brunner]

Hi,

> I have just a last small issue I can deal with. The source IP used is
> the first one defined on internal interface, and not the one matching
> the local_ts.

As I mentioned, we can't control this on FreeBSD (no preferred source
address can be listed in the routes), it's basically up to the system
which IP address it selects.  If it's not the right one and you can't
get the system to change its behavior, you have to either include that
IP in the traffic selectors (or negotiate a separate CHILD_SA if the
peer doesn't support multiple traffic selectors) or maybe NAT traffic to
the right IP (not sure if FreeBSD supports this sort of thing).

Regards
Tobias

Re: [strongSwan] FreeBSD endpoints issue

[Tobias Brunner]

Hi,

> That's seems logic to me, because by default packet sent to remote LAN are
> using the route LAN_B gateway IP_PUBLIC_A, so kernel is using IP_PUBLIC_A
> as source (checks by tcpdump).

On FreeBSD, we can't easily install routes that force a specific source
address, which we do on Linux.  However, there is an option that
installs routes directing traffic to the internal interface, which
should force that IP address as source.  Please try enabling
charon.plugins.kernel-pfkey.route_via_internal in strongswan.conf.

Regards,
Tobias

Re: [strongSwan] does aa3d5bf7916ce8fed0051feadae0b0139d5fbe24 (tun device for charon-nm) affect iptables?

[Tobias Brunner]

Hi Harri,

> ip link shows me a new network interface "tun0" that wasn't there before
> the strongswan upgrade, AFAIR.

Yes, that's the dummy TUN device that's created so systemd-resolved can
associate DNS servers with it (see [1]).

> Do I have to define additional rules in
> iptables for tun0?

I don't think so, the device is not really used and only locally accessible.

Regards,
Tobias

[1] https://wiki.strongswan.org/issues/3615

Re: [strongSwan] does aa3d5bf7916ce8fed0051feadae0b0139d5fbe24 (tun device for charon-nm) affect iptables?

[Tobias Brunner]

Hi Harri,

> is it possible that aa3d5bf7916ce8fed0051feadae0b0139d5fbe24 (Revert "nm: 
> Remove dummy TUN device") affects iptables?

In what way?

Regards,
Tobias

Re: [strongSwan] IKE-Auth Problem

[Tobias Brunner]

Hi,

> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'connection_RLP_test' failed
>> What is the problem, what can I do to solve it ?

You *received* an AUTHENTICATION_FAILED notify, i.e. the authentication
on the peer failed.  So read the log there.

Regards,
Tobias

Re: [strongSwan] Problem using asymmetric keys against Cisco IOS

[Tobias Brunner]

Hi John,

> I want strongswan to see a key ID of CORS89.
>
> How do I do that?

Reading the linked document thoroughly might have helped.  But after
seeing you struggling, I changed the documentation a bit so hopefully
it's clearer now.

> conn Test 
>
> leftid=@#:CORS89 

Why the :?  And as documented, # is used for comments, so quoting is
necessary.

> conn Test 
>
> leftid="@#:CORS89" 

Quotes!  But again the :?  And as documented, @# expects a hex-encoded
value.

> conn Test 
>
> leftid="#:CORS89"  

No idea where you got that syntax from.

> conn Test 
>
> leftid="=CORS89"  

This results in KEY_ID because, again as documented, = triggers parsing
of a DN and since that fails, a fallback to KEY_ID (but the value
includes the =).

> conn Test 
>
> leftid="CORS89" 

That's what you originally had and that defaults to FQDN.

So to answer your initial question:

  leftid=keyid:CORS89

Regards,
Tobias

Re: [strongSwan] Problem using asymmetric keys against Cisco IOS

[Tobias Brunner]

Hi John,

> It identified my strongswan client CORS89 but it thinks its an FQDN rather 
> than and ID.
> 
> In the ipsec.conf for leftid I used '@CORS89' and in the ipsec.secrets I also 
> used @CORS89 so
> why would the Cisco think its a FQDN rather than just a key-id?

Of course it's a FQDN, why would you think prefixing it with an @
changes that?  Please see [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing

Re: [strongSwan] Strongswan part of Ubuntu 18.04 LTS = Duplicate client IPs.. and same for Ubuntu 20.04 LTS

[Tobias Brunner]

Hi Magnus,

> All 3 VPN clients were assigned the same IP and are connected in
> parallel and dropping packets obviously, don't know what to tell you but
> maybe someone can test this?

Please prove such claims.  You haven't sent any status or, even better,
log output (see [1] for recommended log levels).

Note that if the clients send INITIAL_CONTACT notifies, uniqueids=no has
the same effect as uniqueids=yes.  Configure uniqueids=never to allow
multiple clients with the same identity to connect even if they send
INITIAL_CONTACT.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets

Re: [strongSwan] Strongswan part of Ubuntu 18.04 LTS = Duplicate client IPs.. and same for Ubuntu 20.04 LTS

[Tobias Brunner]

Hi Magnus,

> root@vpn:~# ipsec leases
> Leases in pool '10.0.214.220-10.0.214.250', usage: 1/31, 1 online
>      10.0.214.220   online   ‘/userid/'
> root@vpn:~#

This output makes no sense if three clients are concurrently connected
(online leases are not reassigned).  Check the output of `ipsec
statusall`, are there really three clients online (with duplicate
traffic selectors)?  Or do you have uniqueids enabled and clients just
got the same offline lease assigned after the existing IKE_SA was closed
(check the log)?

> *If I change:*
> *rightsourceip=10.0.214.220-10.0.214.250*
> 
> *to:*
> rightsourceip=10.0.214.0/24
> 
> The VPN server then hands out unique IPs in both 18.04 LTS and 20.04 LTS

That makes even less sense because other than how the address pool is
constructed (i.e. how the size and base address are determined) there is
no difference in the implementation.  There is even a unit test that
uses the same identity to request multiple (different) addresses from a
range-based address pool.

Regards,
Tobias

Re: [strongSwan] Cannot load private key

[Tobias Brunner]

Hi Udo,

> Why is the correct password denied by swanctl?

Either the password is simply wrong, or the key is stored in a format
that's currently not supported.  Could you send me the key?

Regards,
Tobias

Re: [strongSwan] why multiple SAs for one peer?

[Tobias Brunner]

Hi Victor,

> What's the reason for strongSwan to create (sometimes) multiple SAs for
> a single peer?

Could be a misconfiguration, like combining trap policies with
reauthentication (see [1]).  Without the information Noel requested we
really can't tell more, though.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Re: [strongSwan] swanctl deadlock

[Tobias Brunner]

Hi Volodymyr,

> I'm using call to swanctl in updown script in order to distinguish
> between deleting connection and IKE rekeying, checking for existence of
> IKE session and, thus, trying to avoid unnecessary changes to the network:

You can't detect IKE rekeying from the updown script as no updown event
is generated during it.  If you are referring to reauthentication, it
might be easier to do refcounting.

> but this creates deadlock when I'm restarting service by 'systemctl
> restart strongswan': if there are existing sessions, then first and all
> subsequent calls to swanctl (from updown script) freeze infinitely,
> stopping charon restart itself - progress possible only by repeatedly
> killing every launched 'swanctl' using SIGKILL signal.

While the updown script is called, the daemon's event bus is locked.
This pretty much makes any call from it to the daemon prone to
deadlocks.  Note that vici clients that listen to events don't have that
problem because they are notified asynchronously.

Regards,
Tobias

Re: [strongSwan] no private key found

[Tobias Brunner]

Hi Udo,

> The private keyfile is loaded, but the keys cannot be found. I double 
> checked that the keyfile matches the certificate.

Loading the private key has no effect as long as connections are not
associated with a certificate (or raw public key) that matches it.

For ipsec.conf, you have to do that explicitly via leftcert (or
leftsigkey).  With swanctl.conf, certificates may also be loaded
independently and associated to the connection via identity.

Regards,
Tobias

Re: [strongSwan] ESP transport mode questions

[Tobias Brunner]

Hi,

> 1. Why is the policy_Y set, if after negotiating the ESP parameters and 
> configuring the ESP SA, it remains unassociated with any ESP SA?

Only the outbound policy is explicitly associated with an SA (to switch
SAs in a controlled way during rekeying).  The inbound policy is still
associated with the inbound SA (or SAs during rekeying) of this CHILD_SA
via reqid.  Use `ip -s xfrm policy` to see statistics.

> 2. Is it possible to configure for a TCP connection not two ESP SAs, 
> each acting in its own direction, but one? For example, an exotic case 
> where I only need to apply encryption in one direction?

SAs are always negotiated in pairs (one in each direction, they are
unidirectional).  I guess if you really wanted to, you could manually
delete policies and SAs you don't need afterwards (on both ends).  It's
also possible to selectively protect traffic using marks.

Regards,
Tobias

Re: [strongSwan] make_before_break and rekeying

[Tobias Brunner]

Hi Volodymyr,

> - what is wrong with make_before_break, why it (according to logs)
> closes and then creates new SA?

That option only affects IKE_SA reauthentication.  CHILD_SA rekeying is
different and should always happen overlapping.  However, with your
settings, the SA expires pretty much immediately (you can't set lifetime
so low without changing the margin too), so it gets deleted (it's
already gone in the kernel once it expired) and recreated.  See [1] for
details on rekey settings.

> - what does it mean "no acceptable ENCRYPTION_ALGORITHM found" on
> responder side during SA renegotiation?

You have two ESP proposals configured on the responder, one with AEAD
algorithms (AES-GCM) and one with classic algorithms (AES-CBC + HMAC).
The first one doesn't match the client's proposal, as it only proposes
AES-CBC.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Re: [strongSwan] StrongSwan for Android

[Tobias Brunner]

Hi Houman,

Please follow the instructions on [1].

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientBuild

Re: [strongSwan] kernel traps with auto=route, and "install_routes=no" - how to view traps installed and the routes if any installed by Strongswan-Charon

[Tobias Brunner]

Hi Rajiv,

> root# ip route show table 220
> 192.168.6.0/24 via 44.44.44.1 dev eth0 proto
> static src 192.168.1.1
> 
> - So when i send a ping from the Local-PC to Remote-PC, the tunnel does
> come up and i recieve the ping-responses
> 
> So i did not understand which source-ipaddr got changed here?

That's only relevant for packets sent locally from the IPsec host (i.e.
from local-peergw, so it uses 192.168.1.1 if it e.g. pings Remote-PC and
not 44.44.44.20 that the default route would suggest).

> And how is the behavior or procedure different when i disable table 220
> (install_routes=no)?

Since you have a default route that can be used to forward packets from
the local to the remote subnet (if that wasn't the case, packets would
get dropped before IPsec processing) and if you don't send packets
directly from local-peergw, you won't need any routes in table 220.

Regards,
Tobias

Re: [strongSwan] How to handle duplicate client IDs?

[Tobias Brunner]

Hi Grischa,

> Is there a way to workaround or decent solution for this edge case?

No edge case, you have the duplicheck plugin loaded.  Read [1] and then
disable it because it's only really useful for very specific use cases.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck

Re: [strongSwan] error notify plugin

[Tobias Brunner]

Hi Anthony,

> What causes this error on the peer side ?

Hard to say, could be anything (depends on the authentication method,
the credentials etc.).  As always, if an error notify is *received*,
check the log of the other peer.

Regards,
Tobias

Re: [strongSwan] DH group ECP_256 unacceptable, requesting ECP_256

[Tobias Brunner]

Hi,

> Is that another plugin that I need to compile?

Yes, you need one of the third-party crypto plugins (openssl, wolfssl,
botan).  See [1] for the list of all algorithms and the plugins that
provide them.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Re: [strongSwan] constraint check failed on different auth methods of sides

[Tobias Brunner]

Hi Volodymyr,

> when I'm trying to use different auth methods on both sides: PSK on left
> side and pubkey on right side. Is this functionality - different methods
> of mutual authentication - was introduced somewhere in between of 5.6.2
> and 5.8.2?

No, that has pretty much always been supported (to be precise since
4.3.0).  Maybe your config is simply incorrect (you only posted one side
and pretty much nothing of the logs, so we can only guess).

Regards,
Tobias

Re: [strongSwan] Windows VPN client issue with Strongswan

[Tobias Brunner]

Hi Makarand,

> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
> N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> 06[NET] sending packet: from 10.10.5.1[500] to 10.10.5.7[500] (353 bytes)
> 15[JOB] deleting half open IKE_SA with 10.10.5.7 after timeout

This could indicate an IP fragmentation issue (IKE_AUTH too large with
certificate and certificate requests, fragments dropped).  But since
both peers support IKEv2 fragmentation (FRAG_SUP) that seems unlikely.

While there is no NAT between the hosts, with MOBIKE there will still be
a switch to UDP port 4500, so make sure no firewall blocks that port.

What error is the client reporting exactly?  Does it actually send an
IKE_AUTH request?

> I was expecting a windows cert request. Instead I see a CA Cert req.

The request is for certificates issued by that CA.

Regards,
Tobias

Re: [strongSwan] Packet loss in ipsec tunnel

[Tobias Brunner]

Hi,

> * When is replay-window stats increased ? 

Whenever a packet arrives with a sequence number that's lower than the
lower end of the replay window (i.e. with seq < highest_received_seq -
window).  Could be an actually delayed packet but might also be because
the window is simply too small for your line speed and traffic pattern,
e.g. because packets arrive so fast and in quick succession that the
window is moved constantly and too quickly so slightly delayed (or
perhaps larger) packets have to be dropped.

> * I've noticed that on devices not experiencing packet losses over the
> ipsec tunnel all the stats = 0 (replay-window, replay & fail).

Yes, those stats indicate errors, so it's good if everything is 0 there.

> * I'm suspecting a replay window issue for received ipsec packets that
> are dropped..

Did you configure a replay window size
(connections..children..replay_window in swanctl.conf)?
The default is 32, which is pretty low.

Regards,
Tobias

Re: [strongSwan] Restricting protocol and port numbers question

[Tobias Brunner]

Hi Rajiv,

> 1. with policies based on ports/protocols used, Would the routes need to
> be added still, if we say disable use of table 220 by applying the
> option "install_routes=no" in charon.conf???

As I said, no routes are installed for policies with port/protocol
anyway.  So why disable route installation globally?

> 2. Iam unable recall precisely now (as i write)...does "swanctl.conf"
> require table-220 to be used (by default)???...or rather the question
> would be, if i use swanctl.conf for the tunnel with ports/protocol
> policies, would i need to add routes in table-220

No idea what you are asking, sorry.

> 3. Same as above, can we use install_routes=no with swantctl and avoid
> adding routes for the remote-subnets???

You can always disable automatic route installation completely with that
option, it has nothing to do with the config backend or the kind of
policies that are installed.

What you have to keep in mind is that your system has to have routes
configured for the tunneled traffic whether that is a route you install
manually, one installed by strongSwan, or one that already exists (a
default route often does the trick).

Regards,
Tobias

Re: [strongSwan] Separate logging details/logfile for each ike_name?

[Tobias Brunner]

Hi,

> Is this currently possible? I can see how to enable ike_name in the
> logging, but not how to send to different output.

No, that's not possible.  You'd have to write your own logger plugin
that does something like that, or do this in your logging daemon, or
post-process the log files.  Note that not every log message has an
IKE/connection-name assigned.

Regards,
Tobias

Re: [strongSwan] updown - server which disconnects one roadworrior when another connects

[Tobias Brunner]

Hi,

> up-client is called for each combination of remote ts and local ts 
> components, as is down-client, when a CHILD_sa is established/destroyed.
> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs are 
> negotiated/destroyed.

The updown script is *not* called for IKE or CHILD_SA rekeyings.
However, if reauthentication is used with IKEv2, the script will be
called as new CHILD_SA are created.  A down-event will be called either
before or after the reauthentication and the corresponding up-event
depending on whether make-before-break reauthentication is used by the
client, see [1].

By the way, the VICI interface does expose the ike/child-rekey events.
But reauthentication is not handled differently.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey

Re: [strongSwan] matching by eap_id with eap_radius

[Tobias Brunner]

Hi Volodymyr,

> So, the question - is there way to match connection by different EAP ids
> when using eap_radius?

Only via remote.groups/class attributes, see [1].

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Group-selection

Re: [strongSwan] Connectivity between Windows 2019 server and Ubuntu 16.04 stops; can TS be explicitly specified

[Tobias Brunner]

Hi Karuna,

> As you clarified `ipsec update` or `ipsec reload` don't pick up the
> changes in ipsec.secrets and ipsec.d subfolders. Which command
> load/reloads the changes in ipsec.secrets and ipsec.d subfolders?

See [1].  But I'd actually recommend you switch to swanctl/vici [2],
which can handle such stuff much better.  For one, changed certificates
referenced in configs are detected, and you can even avoid referencing
certificates (just configure the identity) and (re-)load them separately.

> Would
> this command terminate and re-establish the SA?

No, as I said before, existing connections are not affected by config
changes.

> And with the intent to
> avoid network disruption and since authentication only takes place when
> IKE SA is first established or re-negotiated, is there a way to make the
> new certificate effective only when the IKE SA is re-negotiated?

Depends on whether you are responder or initiator of the
reauthentication and whether the certificate is explicitly referenced in
the config.  As responder the new config/certificate would be picked up,
as initiator only if the certificate is not explicitly referenced in the
config.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ipseccommand
[2] https://wiki.strongswan.org/projects/strongswan/wiki/swanctl