Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 18:28, Turbo Fredriksson <tu...@bayour.com> wrote:

> I’ve really never been a friend of tcpdump. I could never get it to give
> me what I needed.

Well, running:

sudo tcpdump -i eth0 port 6379 2>&1 | tee /tmp/y &

and then the redis client after that:

strace -s3000 redis-cli -h elasticache.domain.tld -n 3 get ‘my_key'

gives:

connect(3, {sa_family=AF_INET, sin_port=htons(6379), 
sin_addr=inet_addr("10.127.1.88")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
poll([{fd=3, events=POLLOUT}], 1, -1)   = 1 ([{fd=3, revents=POLLOUT}])
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
fcntl(3, F_GETFL)   = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl(3, F_SETFL, O_RDWR)   = 0
setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_KEEPIDLE, [15], 4) = 0
setsockopt(3, SOL_TCP, TCP_KEEPINTVL, [5], 4) = 0
setsockopt(3, SOL_TCP, TCP_KEEPCNT, [3], 4) = 0
write(3, "*2\r\n$6\r\nSELECT\r\n$1\r\n3\r\n", 23) = 23
read(3, "+OK\r\n", 16384)   = 5
write(3, "*2\r\n$3\r\nget\r\n$61\r\nmy_key\r\n", 81) = 81
read(3, 19:38:46.362921 IP london-host.domain.tld.38992 > 
elasticache.domain.tld.6379: Flags [S], seq 4048965279, win 26883, options [mss 
8961,sackOK,TS val 26646460 ecr 0,nop,wscale 7], length 0
19:38:46.374093 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: 
Flags [S.], seq 752350642, ack 4048965280, win 28960, options [mss 
1460,sackOK,TS val 3959394223 ecr 26646460,nop,wscale 7], length 0
19:38:46.374114 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [.], ack 1, win 211, options [nop,nop,TS val 26646463 ecr 3959394223], 
length 0
19:38:46.374971 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [P.], seq 1:24, ack 1, win 211, options [nop,nop,TS val 26646463 ecr 
3959394223], length 23: RESP "SELECT" "3"
19:38:46.385974 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: 
Flags [.], ack 24, win 227, options [nop,nop,TS val 3959394226 ecr 26646463], 
length 0
19:38:46.385983 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: 
Flags [P.], seq 1:6, ack 24, win 227, options [nop,nop,TS val 3959394226 ecr 
26646463], length 5: RESP "OK"
19:38:46.386007 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [.], ack 6, win 211, options [nop,nop,TS val 26646466 ecr 3959394226], 
length 0
19:38:46.386148 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [P.], seq 24:105, ack 6, win 211, options [nop,nop,TS val 26646466 ecr 
3959394226], length 81: RESP "get" “my_key"
19:38:46.420651 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: 
Flags [P.], seq 14486:14524, ack 105, win 227, options [nop,nop,TS val 
3959394235 ecr 26646466], length 38: RESP "YWxpemVFbmQkilxjW/dTC20CAAB4cHh4eAA="
19:38:46.420685 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [.], ack 6, win 211, options [nop,nop,TS val 26646475 ecr 
3959394226,nop,nop,sack 1 {14486:14524}], length 0
19:39:01.420024 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [.], ack 6, win 211, options [nop,nop,TS val 26650225 ecr 
3959394226,nop,nop,sack 1 {14486:14524}], length 0
19:39:01.431410 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: 
Flags [.], ack 105, win 227, options [nop,nop,TS val 3959397987 ecr 26646475], 
length 0
19:39:09.558605 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [F.], seq 105, ack 6, win 211, options [nop,nop,TS val 26652259 ecr 
3959394226,nop,nop,sack 1 {14486:14524}], length 0
19:39:09.569686 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: 
Flags [F.], seq 14524, ack 106, win 227, options [nop,nop,TS val 3959400022 ecr 
26652259], length 0
19:39:09.569705 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: 
Flags [R], seq 4048965385, win 0, length 0
19:39:24.569222 IP london-host.domain.tld.39074 > elasticache.domain.tld.6379: 
Flags [S], seq 1012226767, win 26883, options [mss 8961,sackOK,TS val 26656012 
ecr 0,nop,wscale 7], length 0
19:39:24.580344 IP elasticache.domain.tld.6379 > london-host.domain.tld.39074: 
Flags [S.], seq 2528408788, ack 1012226768, win 28960, options [mss 
1460,sackOK,TS val 3959403774 ecr 26656012,nop,wscale 7], length 0
19:39:24.580364 IP london-host.domain.tld.39074 > elasticache.domain.tld.6379: 
Flags [.], ack 1, win 211, option


So if I understand this correctly, the response comes back (at 19:38:46.420651),
but the client command doesn’t output it in the shell.. The value it returns is
the last part of the full value.
Not sure if tcpdump “cuts” the data or not.

The rest of all that I have no idea what it means.

The client seems to be doing the SELECT+
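Added here as a worked example, not code from the original post: a small Python parser for the tcpdump lines quoted above that re-joins the lines the archive wrapped, records the MSS each side advertised in the handshake (8961 from the London host, 1460 from the ElastiCache side), and flags what the trace shows: a SACK block 14486:14524 far above the cumulative ack of 6, re-reported 15 seconds later, i.e. the 14480 bytes ahead of the 38-byte tail never arrived. The sample capture inside the block is constructed from the trace above with the payload shortened; the hostnames are the ones the post uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the capture quoted in the post (payload shortened).
# tcpdump prints one packet per line; the list archive wrapped them, so the parser
# below also re-joins wrapped continuation lines.
SAMPLE = """\
19:38:46.362921 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: Flags [S], seq 4048965279, win 26883, options [mss 8961,sackOK,TS val 26646460 ecr 0,nop,wscale 7], length 0
19:38:46.374093 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: Flags [S.], seq 752350642, ack 4048965280, win 28960, options [mss 1460,sackOK,TS val 3959394223 ecr 26646460,nop,wscale 7], length 0
19:38:46.374971 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: Flags [P.], seq 1:24, ack 1, win 211, options [nop,nop,TS val 26646463 ecr 3959394223], length 23: RESP "SELECT" "3"
19:38:46.385983 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: Flags [P.], seq 1:6, ack 24, win 227, options [nop,nop,TS val 3959394226 ecr 26646463], length 5: RESP "OK"
19:38:46.386148 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: Flags [P.], seq 24:105, ack 6, win 211, options [nop,nop,TS val 26646466 ecr 3959394226], length 81: RESP "get" "my_key"
19:38:46.420651 IP elasticache.domain.tld.6379 > london-host.domain.tld.38992: Flags [P.], seq 14486:14524, ack 105, win 227, options [nop,nop,TS val 3959394235 ecr 26646466], length 38: RESP "(tail of value)"
19:38:46.420685 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: Flags [.], ack 6, win 211, options [nop,nop,TS val 26646475 ecr 3959394226,nop,nop,sack 1 {14486:14524}], length 0
19:39:01.420024 IP london-host.domain.tld.38992 > elasticache.domain.tld.6379: Flags [.], ack 6, win 211, options [nop,nop,TS val 26650225 ecr 3959394226,nop,nop,sack 1 {14486:14524}], length 0
"""

START_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
HEAD_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): Flags \[")
ACK_RE = re.compile(r"\back (\d+)")
LEN_RE = re.compile(r"\blength (\d+)")
MSS_RE = re.compile(r"\bmss (\d+)")
SACK_RE = re.compile(r"\bsack \d+ ((?:\{\d+:\d+\} ?)+)")
BLOCK_RE = re.compile(r"\{(\d+):(\d+)\}")

@dataclass
class Packet:
    ts: float                          # seconds since midnight
    src: str
    dst: str
    ack: Optional[int]
    length: int
    mss: Optional[int]                 # only announced on SYN / SYN-ACK
    sacks: List[Tuple[int, int]] = field(default_factory=list)

def parse_tcpdump(text: str) -> List[Packet]:
    """Parse tcpdump TCP lines; a line without a timestamp continues the previous one."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if START_RE.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    packets: List[Packet] = []
    for rec in records:
        head = HEAD_RE.match(rec)
        if not head:                   # not a TCP record this parser understands
            continue
        hh, mm, ss, src, dst = head.groups()
        ack, mss, sm = ACK_RE.search(rec), MSS_RE.search(rec), SACK_RE.search(rec)
        sacks = [(int(a), int(b)) for a, b in BLOCK_RE.findall(sm.group(1))] if sm else []
        packets.append(Packet(
            ts=int(hh) * 3600 + int(mm) * 60 + float(ss), src=src, dst=dst,
            ack=int(ack.group(1)) if ack else None,
            length=int(LEN_RE.search(rec).group(1)),
            mss=int(mss.group(1)) if mss else None,
            sacks=sacks,
        ))
    return packets

@dataclass
class Hole:
    receiver: str
    sender: str
    ack: int                           # next byte the receiver is still waiting for
    block: Tuple[int, int]             # out-of-order bytes that did arrive
    missing_bytes: int
    first_seen: float
    last_seen: float
    reports: int = 1

    @property
    def stall_seconds(self) -> float:
        return self.last_seen - self.first_seen

def find_sequence_holes(packets: List[Packet]) -> List[Hole]:
    """A SACK block above the cumulative ack means the bytes before it never arrived; the same
    hole re-reported for seconds is the blackhole signature (small tail got through, large segments did not)."""
    holes: Dict[tuple, Hole] = {}
    for p in packets:
        if p.ack is None:
            continue
        for start, end in p.sacks:
            if start <= p.ack:
                continue
            key = (p.src, p.dst, p.ack, start, end)
            if key in holes:
                holes[key].last_seen = p.ts
                holes[key].reports += 1
            else:
                holes[key] = Hole(p.src, p.dst, p.ack, (start, end), start - p.ack, p.ts, p.ts)
    return list(holes.values())

def advertised_mss(packets: List[Packet]) -> Dict[str, int]:
    """MSS each endpoint announced in the handshake (8961 vs 1460 in the sample)."""
    return {p.src: p.mss for p in packets if p.mss is not None}
```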

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 18:08, Noel Kuntze wrote:

> Likely has to do with pmtu discovery. You can use tcpdump and alike to try to 
> figure out what
> actually happens on the network or continue wondering about what the strange 
> machines do.

I’ve really never been a friend of tcpdump. I could never get it to give
me what I needed.

But I’ll see what I can find out, thanx.


signature.asc
Description: Message signed with OpenPGP


Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 16:00, Noel Kuntze wrote:

> Check the tcp metrics (ip tcp_metrics) and look at the MSS.

There are no metrics at all related to mss on either of the VPN instances:

root@jumpbox-london:~# ip tcp_metrics | grep -i mss
root@jumpbox-london:~#

root@jumpbox:~# ip tcp_metrics 2>&1 | grep -i mss
root@jumpbox:~#

> MSS likely found out the right MSS very quickly with the lower MTU.
> Other than guessing, I can't help you, because I have no access to your 
> environment.
> I doubt anybody else can do anything else than that.

Well, the MTU was done more than ten minutes before the iptables rules and it
still didn’t work..

I even tried restarting the tunnel. Didn’t work. I added the iptables rules,
tested - didn’t work. I then reverted those changes and THEN it worked.
For a very brief period.


I can even reproduce it!

1) Set MTU 1500 on all hosts
2) Add the iptables rules
3) Set the MTU to 9001 on all hosts

But

1) Add the iptables rules

alone doesn’t work! But “kick” the MTU back and forth, and it works. I’m going
to leave it for a while to see if it’s permanent. It’s been working for several
minutes now! :)

Yeah, still works. Spooky!



On 19 Sep 2017, at 16:08, Simon Deziel wrote:

> You mentioned EC2 so please double check that your Security Group let
> ICMP go through.

Checked and double checked. All instances allow ICMP ingress and egress.



On 19 Sep 2017, at 16:12, Noel Kuntze wrote:

> Now that you mention it: Also check the Network ACLs

I haven’t modified any NACLs. They’re all standard - allowing everything.




Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 15:57, Turbo Fredriksson <tu...@bayour.com> wrote:

> all of a sudden it worked!!

Does anyone know a priest in London? It stopped working again! I hate when
things like this happen!! :)




Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
This is spooky!!

I ran

ip link set dev eth0 mtu 1500

on all instances in the chain. Then ran

iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128

on both the VPN instances.

Still didn’t work.

I then reverted all that, set the MTU on the interface BACK to 9001 on
all the instances AND deleted those iptables rules - s/-A/-D/g, and all of
a sudden it worked!!

Very spooky!




Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 15:16, Noel Kuntze wrote:

> Usage of the MSS target in iptables, usage of kernel-netlink.mtu or of MTUs 
> on the routes in the routing tables

root@jumpbox-london:~# iptables-save | grep -i MSS
root@jumpbox-london:~# ip route show
default via 10.110.3.1 dev eth0
10.110.3.0/24 dev eth0  proto kernel  scope link  src 10.110.3.76
root@jumpbox-london:~# ip route get 10.99.0.174
10.99.0.174 via 10.110.3.1 dev eth0  src 10.110.3.76
cache

“10.99.0.174” is jumpbox-ireland..

> You break PMTU discovery if you don't accept ctstate RELATED or drop ICMP 
> before accepting ctstate RELATED.

No idea what any of that means! :)




Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
Copying a file from ‘London VPN’ to ‘Redis client London’ via scp
completes without any problem and I don’t see any “hiccups” or
stop-and-start of the copy. The file downloads at 13MB/s, which
isn’t fast, but good enough I’m sure.

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 14:57, Noel Kuntze wrote:

> Did you fix the MSS? Is the MTU on the tunnel correct? Did you maybe break 
> PMTU discovery?

Not sure, can’t remember… How do I check?

[strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
I’m not sure if this is a Strongswan problem, but I see some indications
that it might be, so I’m posting it here. If this is not the right place, let me
know and I’ll take it elsewhere.


I have set up a new region (London) in our AWS environment and am
trying to connect one of the instances there to our ElastiCache (Redis 3.2)
cluster, which is located in London.


I get latencies of 20ms (not sure if that’s too much or it’s just a fluke).

EC2 Instance (Redis client London) -> EC2 Instance (London VPN) -> VPN -> 
EC2 Instance (Ireland VPN) -> Redis

From any instance in Ireland, I get a latency of less than 1ms…

EC2 Instance (Redis client Ireland) -> Redis

If I try it from my laptop at work, it’s about 15ms.

Laptop (Redis client Office) -> VPN -> EC2 Instance (Ireland VPN) -> Redis



If I strace the redis-cli command on ‘Redis client London’, I see that the
initial connect completes without any (noticeable) delay. However, GET
on a value (~14kb), never completes. If I do it from a telnet session directly
to the Redis cluster, the GET eventually completes (one or two minutes).





Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
On 14 Sep 2017, at 11:23, Eric Germann wrote:

> I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down 
> but needed and starts passing traffic.

Ok, thanx! I’ll let it run like this for a couple of days so I get a feel
for how it works and then try that if I have to..





Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
I’ve been playing with:

type=tunnel
auto=start
dpdaction=restart
dpddelay=2400s

which never worked. I’ve now changed this to:

type=tunnel
auto=start
dpdaction=restart
dpddelay=10
dpdtimeout=60

and so far so good. Although I haven’t waited long enough, so I’m
going to let it be for the next few days to see if that works in the long
run.

Would it help to set ‘auto=route’ instead? Thing is, I need this link to
be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
in London that need access to databases in Ireland to work.


I’m considering setting up DBs in London as well, but that will both
cost a small fortune AND replication/updates on the DBs will be
problematic. So I’d prefer a “perfect” link between them...


> On 13 Sep 2017, at 20:16, Noel Kuntze 
> <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> 
> Hi,
> 
> DPD just checks if the remote peer is still "there" and reachable. It doesn't 
> do anything with the CHILD_SAs.
> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't 
> work anymore if the NAT mapping on an intermediate NAT router
> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without 
> renegotiating new ones, destroying the tunnel.
> 
> Use auto=route (swanctl equivalent is start_action=trap), as advised 
> previously.
> 
> Kind regards
> 
> Noel
> 
> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>> Am 13.09.2017 um 17:33 schrieb Eric Germann:
>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
>>> interesting traffic going and it will stay up.
>>> 
>>> If you have the ability to set "auto = route" it will reestablish the 
>>> tunnel as needed. We run several hundred tunnels this way in AWS without 
>>> issue.
>>> 
>>> EKG
>>> 
>>> 
>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <tu...@bayour.com> wrote:
>>>> 
>>>> I’m trying to set up a tunnel between two regions in
>>>> AWS.
>>>> 
>>>> Works fine, other than the fact that Strongswan seems to take
>>>> down the tunnel automatically (?) after a few hours.
>>>> 
>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>> the connection automatically?
>>>> 
>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>> 
>> 
>> Michael Schwartzkopff
>> 
>> Kind regards,
>> 
> 





[strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Turbo Fredriksson
I’m trying to set up a tunnel between two regions in
AWS.

Works fine, other than the fact that Strongswan seems to take
down the tunnel automatically (?) after a few hours.

How can I 1) make sure there’s no timeout (?) and 2) that IF
the tunnel goes down, for whatever reason, that it will reinitiate
the connection automatically?





[strongSwan] Commercial support?

2017-04-25 Thread Turbo Fredriksson
I’m having some trouble with my VPN connections, and I’d like to
get some commercial support.

Anyone feel up to helping me out?
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Successfully established connection goes offline after some time

2017-01-19 Thread Turbo Fredriksson
On 19 Jan 2017, at 12:18, Varun Singh wrote:

> I have strongSwan 5.3.5 on Ubuntu 16.04LTS. When I connect iOS VPN client to 
> it, it connects successfully and I am able to browse the internet. But after 
> some time, the connection goes offline.

If it helps, I have the same problem. I just haven’t had time to deal with it.
At the moment, I just reconnect which takes a few seconds so it hasn’t
been high on my (very, very long! :) TODO list.

But I’ll keep an eye on this thread and see if someone has an (easy) fix.


[strongSwan] MultiOS to strongSwan host to network VPN?

2016-11-22 Thread Turbo Fredriksson
I’ve been trying for a couple of days now to make my strongSwan setup
connect to my LDAP/KerberosV servers.

From what I can tell there’s [at least] two ways to do this:

1. PAM - this works fine in the OS/sshd etc so that was my first try
   -> My OSX/Windows7 [native] clients can’t seem to be able to authenticate
   though :(

2. RADIUS - really didn’t want to do that, but I could if it works
   -> Apparently that won’t work either because Windows can only do MSCHAPv2,
   which doesn’t send cleartext passwords, which RADIUS needs :(.

Is there any other way I’ve missed?



Previously, when I installed my NAT/GW/VPN server, I used OpenS/WAN but that’s
dead and buried now apparently. So several months ago when I upgraded to the
next Linux dist version, I chose strongSwan. That’s now working just fine with
EAP-MSCHAPv2 and PSKs..

With OpenS/WAN I used L2TP (which uses PPPd) that authenticated to my Samba
server, which in turned authenticated against the LDAP/KerberosV servers..

I can’t remember now, it was years since I set it up and I didn’t look in
detail when I killed it, but RADIUS was in there somehow as well (I think
between PPPd and Samba).

But before I start setting up L2TP, PPPd, Samba and Radius just to authenticate
my VPN users, is there _ANYTHING_ I’ve missed?


I took a quick look at OpenVPN (which I’ve administrated, but not set up, at a
previous employer) and apparently that can do LDAP auths. But I don’t feel much
confidence in OpenVPN (it also requires me to install a separate client - which
I’d prefer not to do if at all possible), so I’d rather not go that route either.
Unless I have no choice :(.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 19:42, Mathew Marulla wrote:

> Confused now...   Is your VPN entirely within AWS?

Yes.

>  If not, how are you connecting over the public internet with a private IP?

I don’t. I connect to the EIP. But StrongSWAN doesn’t need to know that.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 17:56, Mathew Marulla wrote:

> If I am reading your reply correctly, it seems you are getting this to work 
> by not using an elastic IP, but just the public IP of your instance.  Then 
> using a script to update it as needed.  Maybe that’s the only way…
> 
> I will try removing the elastic IP and seeing if the instance is aware of 
> it’s own public IP, i.e.; by looking in ifconfig.  Because the elastic IP 
> certainly does not show up there.

No, that should be the _private_ IP! That’s the only one that StrongSWAN
is/will be aware of and that’s the IP it binds to..

It doesn’t need to know about the EIP.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 05:27, Mathew Marulla wrote:

> Although I have read just about every tutorial and similar posting I can find 
> about running StrongSwan on an EC2 instance, I still can not seem to get it 
> to work.

I’m doing the same thing, but I started “from scratch” (didn’t have any existing
setup so this is the first setup).

My ipsec.conf:

—— s n i p ——
config setup
    uniqueids=no
    strictcrlpolicy=no

# NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
conn %default
    left=%ETH0%
    leftid=vpn.domain.tld
    leftcert=hostname.pem
    leftsubnet=
    leftfirewall=yes
    leftsendcert=always
    leftdns=%DNS%

    rightdns=%DNS%

    keyexchange=ikev2
    dpdaction=clear
    dpddelay=2400s
    fragmentation=yes
    forceencaps=yes
    compress=yes

ca domain
    cacert=domain.tld.pem
    auto=add

conn client
    leftsourceip=%ETH0%

    right=%any
    rightid=%any
    rightsourceip=
    rightauth=eap-mschapv2

    eap_identity=%identity
    type=tunnel
    auto=add
—— s n i p ——

%ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
‘eth0’ and the ’nameserver’ entry in resolv.conf) because EC2 instances use
DHCP. So I’m not coding any ‘external’ IP (EIP), just the ‘internal’
(DHCP/private) one..

I’m not, currently, using any (ELB) load balancers in front of StrongSWAN, but
I might do that in the future. Maybe.


I can authenticate and set up the route etc - I can access the ‘internal’ IP
via the VPN just fine.

I have yet to get access to the other VPCs over the VPN. I can access them
if I first ssh into the VPN server and then ssh to a host in another VPC.

This is done with VPC peering, but I had _assumed_ that that would  work
for VPN as well. But it’s not..

I can’t access any other instance in the VPN VPC though.

I’m pretty sure that has something to do with the routing table(s), but I
haven’t had time to look into this. I’m pretty sure the StrongSWAN setup is
working correctly though, I’m using the exact same setup at home and there
everything works just fine.

Re: [strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
> On 4 Nov 2016, at 20:03, Turbo Fredriksson <tu...@bayour.com> wrote:

> Nov  4 20:50:38 ip-10-203-0-15 charon: 05[MGR] checkin IKE_SA client[1]
> Nov  4 20:50:38 ip-10-203-0-15 charon: 05[MGR] check-in of IKE_SA successful.
> Nov  4 20:50:38 ip-10-203-0-15 charon: 03[NET] sending packet: from 
> [4500] to [4500]

If I instead disable WiFi on my laptop and connect via my mobile phone, I get:

Nov  4 21:16:55 ip-10-203-0-15 charon: 07[IKE] local host is behind NAT, 
sending keep alives
Nov  4 21:16:55 ip-10-203-0-15 charon: 07[IKE] remote host is behind NAT
[…]
Nov  4 21:16:55 ip-10-203-0-15 charon: 06[MGR] checkin IKE_SA client[1]
Nov  4 21:16:55 ip-10-203-0-15 charon: 06[MGR] check-in of IKE_SA successful.
Nov  4 21:16:55 ip-10-203-0-15 charon: 04[NET] sending packet: from 
10.203.0.24[4500] to 92.40.248.93[17753]
Nov  4 21:16:55 ip-10-203-0-15 charon: message repeated 2 times: [ 04[NET] 
sending packet: from [4500] to 
[17753]]


Re: [strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
On 4 Nov 2016, at 20:03, Turbo Fredriksson <tu...@bayour.com> wrote:

> Nov  4 19:46:51 ip-10-203-0-15 charon: 06[NET] sending packet: from 
> [4500] to [4500] (372 bytes)

Enabling some debugging, the next lines after this are:

Nov  4 20:50:38 ip-10-203-0-15 charon: 05[MGR] checkin IKE_SA client[1]
Nov  4 20:50:38 ip-10-203-0-15 charon: 05[MGR] check-in of IKE_SA successful.
Nov  4 20:50:38 ip-10-203-0-15 charon: 03[NET] sending packet: from 
[4500] to [4500]

And this is probably the problem! On that (CLIENT_EXTERNAL_IP) is _MY_ NAT/VPN
gateway. So I can’t forward that in to my client..

Solution?

[strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
I’m trying to set up a new StrongSWAN server for work, so I’m using my own,
private setup as base for this.

This server is located on a Ubuntu 16.04/LTS server in AWS.

Eventually I got as far as it (my client) actually trying to do the connection.

But the client ‘just stops’. It never finishes the connection! And there’s no
message or anything of why not. It just … stops.

Below is the logging from an attempt.

- s n i p -
==> /var/log/syslog <==
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[NET] received packet: from 
[500] to [500] (604 bytes)
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ 
SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[IKE]  is 
initiating an IKE_SA

==> /var/log/auth.log <==
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[IKE]  is 
initiating an IKE_SA

==> /var/log/syslog <==
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[IKE] local host is behind NAT, 
sending keep alives
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[IKE] remote host is behind NAT
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[IKE] sending cert request for 
""
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[ENC] generating IKE_SA_INIT response 
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 07[NET] sending packet: from 
[500] to [500] (473 bytes)
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[NET] received packet: from 
[4500] to [4500] (512 bytes)
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi 
N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) 
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[CFG] looking for peer configs 
matching 
[]...[]
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[CFG] selected peer config 'client'
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[IKE] initiating EAP_IDENTITY method 
(id 0x00)
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[IKE] received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[IKE] peer supports MOBIKE
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[IKE] authentication of '' 
(myself) with RSA signature successful
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[IKE] sending end entity cert 
""
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[ENC] generating IKE_AUTH response 1 [ 
IDr CERT AUTH EAP/REQ/ID ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[ENC] splitting IKE message with 
length of 1280 bytes into 3 fragments
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[ENC] generating IKE_AUTH response 1 [ 
EF(1/3) ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[ENC] generating IKE_AUTH response 1 [ 
EF(2/3) ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[ENC] generating IKE_AUTH response 1 [ 
EF(3/3) ]
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[NET] sending packet: from 
[4500] to [4500] (532 bytes)
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[NET] sending packet: from 
[4500] to [4500] (532 bytes)
Nov  4 19:46:51 ip-10-203-0-15 charon: 06[NET] sending packet: from 
[4500] to [4500] (372 bytes)
- s n i p -

Looking at my own private server, they’re pretty much identical. The difference
is that my own server has the line

Nov  4 17:52:38 Contego charon: 09[NET] received packet: from 
[4500] to [4500] (80 bytes)
[etc]

The main difference is that the work VPN server is running in an AWS instance,
which means that the external IP “doesn’t exist” (on the instance). Instead,
that’s “outside” (?) of the instance (which kind’a explains the “local host is
behind NAT”). So Charon is bound to the SERVER_INTERNAL_IP which is the black IP
it got from the AWS DHCP server.

Re: [strongSwan] Apple IOS 10 VPN

2016-10-30 Thread Turbo Fredriksson
On 30 Oct 2016, at 16:59, Turbo Fredriksson <tu...@bayour.com> wrote:

> I’ve been following this myself and it works on my Android phone, but not on 
> my
> new OSX 10.12.1.

Oops, sorry for wasting space and oxygen.. The keyword here is “new OSX”. I
forgot to add my CA to the list of accepted CAs. Did it years ago on my old
machine of course, but completely forgot I had to do it on this one as well :).

Re: [strongSwan] Apple IOS 10 VPN

2016-10-30 Thread Turbo Fredriksson
On 30 Oct 2016, at 01:09, Derek Cameron wrote:

> Here is a configuration that works for iOS 10: 
> http://xpu.ca/strongswan-ubuntu/ 

I’ve been following this myself and it works on my Android phone, but not on my
new OSX 10.12.1.

I get

looking for peer configs matching 
[]…[turbo]
no matching peer config found

On Android, I don’t have to enter the remote ID and it works with or without
that (ends up as “looking for … [%any]”). But on OSX I _must_ enter that.

Comparing the two connection attempts, that ‘looking for peer configs’ is
_identical_, but the OSX client doesn’t work.


If I don’t enter the ‘Local ID’ (it’s optional), then the ‘[turbo]’ part ends
up as its local NAT address.

My config:

— snip —
config setup

conn %default
    keyexchange=ikev2
    left=
    leftid=""
    leftcert=server.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=192.168.6.0/24
    rightdns=192.168.6.1
    dpdaction=clear
— snip —

I had to put the DN in there because I got:

loaded certificate “" from ’server.pem'
id ’server.domain.tld' not confirmed by certificate, defaulting to 
‘’

[strongSwan] Promote routes to the VPN client?

2016-10-27 Thread Turbo Fredriksson
I installed my NAT/IPSEC/GW many, many years ago with OpenSWAN and
"a while" (also probably "many, many years ago" :) ago, I upgraded
that to StrongSWAN.

My config is almost entirely still OpenSWAN, but that seems to be ok..

However, my use-case has slightly changed since that time in the far
away past.

I no longer only have ONE network, I have several..

How do I 'promote' those networks to the other side?

These networks I'd like to 'promote' are:

   10.0.[1-5].0/24
   192.168.69.0/24

The IPSEC network (?) is 192.168.6.0/24, so at the moment I have
to run a script:

- s n i p -
# Pick the gateway of the default route that goes over the VPN's ppp0 interface
set -- $(netstat -rn | egrep '^default.*ppp0')
ip="${2}"

# Send the remote networks through that gateway
route add -net 10.0.1.0/24 "${ip}"
route add -net 10.0.4.0/24 "${ip}"
route add -net 10.0.5.0/24 "${ip}"
route add -net 192.168.69.0/24 "${ip}"
- s n i p -

But is there a way to avoid this, and have this done automagically
when I take up the VPN?

My config on my VPN server:

- s n i p -
config setup
    protostack=netkey
    nat_traversal=yes

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.6.0/24,%v4:!192.168.69.0/24,%v4:!10.0.1.0/24,%v4:!10.0.4.0/24,%v4:!10.0.5.0/24
    interfaces=%defaultroute
    charonstart=yes
    plutostart=yes
    klipsdebug=all
    #plutodebug="control controlmore"
    #plutodebug="control lifecycle klips dns oppo private"
    plutodebug=all
    charondebug=all
- s n i p -

I _thought_ that those last '!' entries would do that for me, but apparently
not..

I also get a bunch of "deprecated keywords" when I start up, but I can't
see anywhere that that mattered, so I've just let it be. But since I'm starting
to be quite annoyed about the routing thingie, I could just as well ask about
this as well:

- s n i p -
Mar 28 22:29:29 Contego ipsec_starter[6771]: Starting strongSwan 5.2.1 IPsec 
[starter]...
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'charonstart' 
in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'interfaces' 
in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'klipsdebug' 
in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 
'nat_traversal' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'plutodebug' 
in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'plutostart' 
in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # unknown keyword 'protostack'
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 
'virtual_private' in config setup
- s n i p -
-- 
With a decent iron bar you astonish the whole world
- Sockerconny


[strongSwan] expected record boundary in key

2012-02-07 Thread Turbo Fredriksson
 I'm trying to setup the usage of certificates etc with strongSWAN, but
 there might be something I've missed.


 I have had my own CA for many years, generating working certificates
 for a bunch of services (ldaps, https, etc).


 When I try to add 'leftcert', I can no longer use PSK.

   conn %default
 ...
 leftcert=host_domain_tld.pem
 leftid=@host.domain.tld

 This gives me the following in the logs:

   Feb  7 15:35:20 192.168.69.1 pluto[3398]:   id 'host.domain.tld' not 
 confirmed by certificate, defaulting to 'C=SE, O=Bayour.COM, OU=System, 
 CN=host.domain.tld, E=tu...@bayour.com'

 and if removing the leftid:

   Feb  7 15:36:28 192.168.69.1 pluto[3466]:   id '%any' not confirmed 
 by certificate, defaulting to 'C=SE, O=Bayour.COM, OU=System, 
 CN=host.domain.tld, E=tu...@bayour.com'

 Fair enough. Doesn't really matter that much, but what should I write in
 the ipsec.secrets file?

   C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, 
 E=tu...@bayour.com A_RIGHTID_IP : PSK SomESecReet
   C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, 
 E=tu...@bayour.com %any : PSK aNothEERseCreT

 gives me:

   Feb  7 15:38:18 192.168.69.1 pluto[3545]: loading secrets from 
 /var/lib/strongswan/ipsec.secrets.inc
   Feb  7 15:38:18 192.168.69.1 pluto[3545]:   loaded PSK secret for 
 %any
   Feb  7 15:38:18 192.168.69.1 pluto[3545]: 
 /var/lib/strongswan/ipsec.secrets.inc line 1: expected record boundary 
 in key
   Feb  7 15:38:18 192.168.69.1 pluto[3545]:   loaded PSK secret for 
 %any
   Feb  7 15:38:18 192.168.69.1 pluto[3545]: 
 /var/lib/strongswan/ipsec.secrets.inc line 2: expected record boundary 
 in key

 Using my own, external IP instead of the cert path works, but I have a
 dynamic IP, so I prefer not to use that (complicates things :).




Re: [strongSwan] expected record boundary in key

2012-02-07 Thread Turbo Fredriksson
 On Tue, 07 Feb 2012 16:44:41 +0200, Turbo Fredriksson wrote:
conn %default
  ...
  leftcert=host_domain_tld.pem

 [...]

C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, 
 E=tu...@bayour.com %any : PSK aNothEERseCreT

 And if I try to connect, this is what I get in the logs:

   Feb  7 15:53:56 192.168.69.1 pluto[3613]: L2TP-PSK-noNAT[1] 
 REMOTE_IP1 #2: Can't authenticate: no preshared key found for 'C=SE, 
 O=Bayour.COM, OU=System, CN=host.domain.tld, E=tu...@bayour.com' and 
 '%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD

 ... because it couldn't load it earlier.



[strongSwan] Net2Net w/ StrongSWAN/OpenBSD

2012-02-06 Thread Turbo Fredriksson
 I'm trying to connect to a friend's OpenBSD firewall using OpenSWAN
 on my Linux, kernel 2.6.32, but it keeps failing.

 After 8h, we got this far (on the OpenBSD side):

 160024.269867 Default attribute_unacceptable: life attribute received, 
 none in policy
 160024.269873 Negt 20 ike_phase_1_validate_prop: failure
 160024.269877 Negt 30 message_negotiate_sa: proposal 0 failed
 160024.269881 Default message_negotiate_sa: no compatible proposal 
 found
 160024.269886 Default dropped message from 83.252.97.254 port 500 due 
 to notification type NO_PROPOSAL_CHOSEN

 Does anyone have a working example how to set something like this up?
 --
 ... but you know as soon as Oracle starts waving its wallet at a 
 Company it's time to run - fast.
 /illumos mailing list
