On 12/24/2017 11:21 AM, Colony.three via Shorewall-users wrote:
>
>>
>>
>> IPSEC configuration issue. I previously posted Strongswan config files
>> for my working DNAT setup.
>>
>> -Tom
>>
>
> True, and I'm basing my endpoint (IPSEC gateway) config on that:
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=3
>     keyexchange=ikev2
>
> conn ipv4
>     left=192.168.111.16
>     leftid=quantum-equities.com
>     leftsubnet=192.168.111.0/24,10.1.1.0/24
>     leftcert=carl-ipseccert.pem
>     [email protected]
>
>     right=%any
>     rightsourceip=192.168.111.0/24

I believe the above subnet must be distinct from those listed in leftsubnet.

>     rightdns=192.168.111.10
>     auto=add
>
>
> The StrongSwan app doesn't allow much flexibility in what can be set, so
> I think that's right:
>
>     Server: quantum-equities.com
>     VPN Type: IKEv2 Certificate
>     User Cert: carl-ipsec's VPN cert
>     User ID: [email protected]
>     CA Cert: Select automatically
>     Profile Name: quantum-equities.com
>     ... no Advanced Settings.
>
>
> The error has only changed once, when I added hosts and tunnels, and
> that change was only the source daemon (went from strongswan to
> charon). I'm putting my ipsec.conf file in /etc/strongswan/ipsec.d, which
> should be picked up by the daemon, and seems to be from systemctl status
> strongswan.
>
> ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
>    Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
>    Active: active (running) since Sun 2017-12-24 11:09:50 PST; 3s ago
>  Main PID: 47590 (starter)
>    CGroup: /system.slice/strongswan.service
>            ├─47590 /usr/libexec/strongswan/starter --daemon charon --nofork
>            └─47599 /usr/libexec/strongswan/charon
>
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/carl-ipseckey.pem'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[LIB] loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[JOB] spawning 16 worker threads
> Dec 24 11:09:50 zeta.darkmatter.org ipsec_starter[47590]: charon (47599) started after 20 ms
> Dec 24 11:09:50 zeta.darkmatter.org strongswan[47590]: charon (47599) started after 20 ms
>
> For some reason the endpoint sees me trying to authenticate from
> 172.58.40.177 rather than from 29.124.236.116, my phone's actual IP.
>
> I must be consistently doing something fundamentally wrong, which few
> other people out there have done, judging from searches. Two weeks
> full-time, trying to learn and fix this, and I am out of ideas. It
> seems hopeless.
>
> Dec 24 11:15:17 zeta charon: 05[NET] received packet: from 172.58.40.177[23037] to 192.168.111.16[500] (704 bytes)
> Dec 24 11:15:17 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Dec 24 11:15:17 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.40.177, sending NO_PROPOSAL_CHOSEN
> Dec 24 11:15:17 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Dec 24 11:15:17 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.40.177[23037] (36 bytes)

I saw something similar when I neglected to add a subjectAltName (gateway.shorewall.net) to the local endpoint's cert.

FWIW, I've attached a log extract of a successful SA establishment.

-Tom

-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
Dec 24 11:36:56 gateway ipsec[2126]: 06[NET] received packet: from 172.20.1.131[500] to 70.90.191.121[500] (1300 bytes)
Dec 24 11:36:56 gateway charon: 12[IKE] authentication of 'gateway.shorewall.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 24 11:36:56 gateway ipsec[2126]: 06[IKE] 172.20.1.131 is initiating an IKE_SA
Dec 24 11:36:56 gateway ipsec[2126]: 06[IKE] sending cert request for "C=US, O=Shorewall, CN=Shorewall CA"
Dec 24 11:36:56 gateway ipsec[2126]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec 24 11:36:56 gateway ipsec[2126]: 06[NET] sending packet: from 70.90.191.121[500] to 172.20.1.131[500] (617 bytes)
Dec 24 11:36:56 gateway ipsec[2126]: 03[NET] received packet: from 172.20.1.131[4500] to 70.90.191.121[4500] (1236 bytes)
Dec 24 11:36:56 gateway ipsec[2126]: 03[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Dec 24 11:36:56 gateway ipsec[2126]: 03[ENC] received fragment #1 of 2, waiting for complete IKE message
Dec 24 11:36:56 gateway ipsec[2126]: 12[NET] received packet: from 172.20.1.131[4500] to 70.90.191.121[4500] (516 bytes)
Dec 24 11:36:56 gateway ipsec[2126]: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Dec 24 11:36:56 gateway ipsec[2126]: 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Dec 24 11:36:56 gateway ipsec[2126]: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] received cert request for "C=US, O=Shorewall, CN=Shorewall CA"
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] received end entity cert "C=US, O=Shorewall, CN=debianvm"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] looking for peer configs matching 70.90.191.121[gateway.shorewall.net]...172.20.1.131[debianvm.shorewall.net]
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] selected peer config 'ipv4'
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] using certificate "C=US, O=Shorewall, CN=debianvm"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] using trusted ca certificate "C=US, O=Shorewall, CN=Shorewall CA"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] checking certificate status of "C=US, O=Shorewall, CN=debianvm"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] certificate status is not available
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] reached self-signed root ca with a path length of 0
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] authentication of 'debianvm.shorewall.net' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] peer supports MOBIKE
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] authentication of 'gateway.shorewall.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] IKE_SA ipv4[144] established between 70.90.191.121[gateway.shorewall.net]...172.20.1.131[debianvm.shorewall.net]
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] scheduling reauthentication in 3369s
Dec 24 11:36:56 gateway charon: 12[IKE] IKE_SA ipv4[144] established between 70.90.191.121[gateway.shorewall.net]...172.20.1.131[debianvm.shorewall.net]
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] maximum IKE_SA lifetime 3549s
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] sending end entity cert "C=US, O=Shorewall, CN=gateway"
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] peer requested virtual IP %any
Dec 24 11:36:56 gateway charon: 12[IKE] scheduling reauthentication in 3369s
Dec 24 11:36:56 gateway charon: 12[IKE] maximum IKE_SA lifetime 3549s
Dec 24 11:36:56 gateway charon: 12[IKE] sending end entity cert "C=US, O=Shorewall, CN=gateway"
Dec 24 11:36:56 gateway charon: 12[IKE] peer requested virtual IP %any
Dec 24 11:36:56 gateway charon: 12[CFG] reassigning offline lease to 'debianvm.shorewall.net'
Dec 24 11:36:56 gateway charon: 12[IKE] assigning virtual IP 172.20.3.1 to peer 'debianvm.shorewall.net'
Dec 24 11:36:56 gateway charon: 12[IKE] CHILD_SA ipv4{435} established with SPIs c5838473_i cdab76c9_o and TS 70.90.191.122/31 70.90.191.124/31 172.20.1.0/24 172.20.2.0/24 === 172.20.3.1/32
Dec 24 11:36:56 gateway charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 24 11:36:56 gateway charon: 12[ENC] splitting IKE message with length of 1536 bytes into 2 fragments
Dec 24 11:36:56 gateway charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Dec 24 11:36:56 gateway charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]