On 12/24/2017 11:21 AM, Colony.three via Shorewall-users wrote:
>
>> IPSEC configuration issue. I previously posted Strongswan config files
>> for my working DNAT setup.
>>
>> -Tom
>
> True, and I'm basing my endpoint (IPSEC gateway) config on that:
> 
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=3
>     keyexchange=ikev2
> 
> conn ipv4
>     left=192.168.111.16
>     leftid=quantum-equities.com
>     leftsubnet=192.168.111.0/24,10.1.1.0/24
>     leftcert=carl-ipseccert.pem
>     leftid=@quantum-equities.com
> 
>     right=%any
>     rightsourceip=192.168.111.0/24

I believe the above subnet must be distinct from those listed in leftsubnet.

>     rightdns=192.168.111.10
>     auto=add
> 
> 
> The StrongSwan app doesn't allow much flexibility in what can be set, so
> I think that's right:
> Server: quantum-equities.com
> VPN Type: IKEv2 Certificate
> User Cert: carl-ipsec's VPN cert
> User ID: c.a.c...@quantum-equities.com
> CA Cert: Select automatically
> Profile Name: quantum-equities.com
> ... no Advanced Settings.
> 
> 
> The error has only changed once, when I added hosts and tunnels, and
> that change was only the source daemon (it went from strongswan to
> charon).  I'm putting my ipsec.conf file in /etc/strongswan/ipsec.d, which
> should be picked up by the daemon, and seems to be, judging from
> systemctl status strongswan.
> 
> ● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
>    Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
>    Active: active (running) since Sun 2017-12-24 11:09:50 PST; 3s ago
>  Main PID: 47590 (starter)
>    CGroup: /system.slice/strongswan.service
>            ├─47590 /usr/libexec/strongswan/starter --daemon charon --nofork
>            └─47599 /usr/libexec/strongswan/charon
> 
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/carl-ipseckey.pem'
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[LIB] loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
> Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[JOB] spawning 16 worker threads
> Dec 24 11:09:50 zeta.darkmatter.org ipsec_starter[47590]: charon (47599) started after 20 ms
> Dec 24 11:09:50 zeta.darkmatter.org strongswan[47590]: charon (47599) started after 20 ms
> 
> For some reason the endpoint sees me trying to authenticate from
> 172.58.40.177 rather than from 29.124.236.116, my phone's actual IP.
> 
> I must be consistently doing something fundamentally wrong, which few
> other people out there have done, judging from searches.  Two weeks
> full-time, trying to learn and fix this, and I am out of ideas.  It
> seems hopeless.
> 
> Dec 24 11:15:17 zeta charon: 05[NET] received packet: from 172.58.40.177[23037] to 192.168.111.16[500] (704 bytes)
> Dec 24 11:15:17 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Dec 24 11:15:17 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.40.177, sending NO_PROPOSAL_CHOSEN
> Dec 24 11:15:17 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Dec 24 11:15:17 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.40.177[23037] (36 bytes)
> 

I saw something similar when I neglected to add a subjectAltName
(gateway.shorewall.net) to the local endpoint's cert.

FWIW, I've attached a log extract of a successful SA establishment.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

Dec 24 11:36:56 gateway ipsec[2126]: 06[NET] received packet: from 172.20.1.131[500] to 70.90.191.121[500] (1300 bytes)
Dec 24 11:36:56 gateway charon: 12[IKE] authentication of 'gateway.shorewall.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 24 11:36:56 gateway ipsec[2126]: 06[IKE] 172.20.1.131 is initiating an IKE_SA
Dec 24 11:36:56 gateway ipsec[2126]: 06[IKE] sending cert request for "C=US, O=Shorewall, CN=Shorewall CA"
Dec 24 11:36:56 gateway ipsec[2126]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec 24 11:36:56 gateway ipsec[2126]: 06[NET] sending packet: from 70.90.191.121[500] to 172.20.1.131[500] (617 bytes)
Dec 24 11:36:56 gateway ipsec[2126]: 03[NET] received packet: from 172.20.1.131[4500] to 70.90.191.121[4500] (1236 bytes)
Dec 24 11:36:56 gateway ipsec[2126]: 03[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Dec 24 11:36:56 gateway ipsec[2126]: 03[ENC] received fragment #1 of 2, waiting for complete IKE message
Dec 24 11:36:56 gateway ipsec[2126]: 12[NET] received packet: from 172.20.1.131[4500] to 70.90.191.121[4500] (516 bytes)
Dec 24 11:36:56 gateway ipsec[2126]: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Dec 24 11:36:56 gateway ipsec[2126]: 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Dec 24 11:36:56 gateway ipsec[2126]: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] received cert request for "C=US, O=Shorewall, CN=Shorewall CA"
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] received end entity cert "C=US, O=Shorewall, CN=debianvm"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] looking for peer configs matching 70.90.191.121[gateway.shorewall.net]...172.20.1.131[debianvm.shorewall.net]
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] selected peer config 'ipv4'
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG]   using certificate "C=US, O=Shorewall, CN=debianvm"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG]   using trusted ca certificate "C=US, O=Shorewall, CN=Shorewall CA"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] checking certificate status of "C=US, O=Shorewall, CN=debianvm"
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG] certificate status is not available
Dec 24 11:36:56 gateway ipsec[2126]: 12[CFG]   reached self-signed root ca with a path length of 0
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] authentication of 'debianvm.shorewall.net' with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] peer supports MOBIKE
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] authentication of 'gateway.shorewall.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] IKE_SA ipv4[144] established between 70.90.191.121[gateway.shorewall.net]...172.20.1.131[debianvm.shorewall.net]
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] scheduling reauthentication in 3369s
Dec 24 11:36:56 gateway charon: 12[IKE] IKE_SA ipv4[144] established between 70.90.191.121[gateway.shorewall.net]...172.20.1.131[debianvm.shorewall.net]
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] maximum IKE_SA lifetime 3549s
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] sending end entity cert "C=US, O=Shorewall, CN=gateway"
Dec 24 11:36:56 gateway ipsec[2126]: 12[IKE] peer requested virtual IP %any
Dec 24 11:36:56 gateway charon: 12[IKE] scheduling reauthentication in 3369s
Dec 24 11:36:56 gateway charon: 12[IKE] maximum IKE_SA lifetime 3549s
Dec 24 11:36:56 gateway charon: 12[IKE] sending end entity cert "C=US, O=Shorewall, CN=gateway"
Dec 24 11:36:56 gateway charon: 12[IKE] peer requested virtual IP %any
Dec 24 11:36:56 gateway charon: 12[CFG] reassigning offline lease to 'debianvm.shorewall.net'
Dec 24 11:36:56 gateway charon: 12[IKE] assigning virtual IP 172.20.3.1 to peer 'debianvm.shorewall.net'
Dec 24 11:36:56 gateway charon: 12[IKE] CHILD_SA ipv4{435} established with SPIs c5838473_i cdab76c9_o and TS 70.90.191.122/31 70.90.191.124/31 172.20.1.0/24 172.20.2.0/24 === 172.20.3.1/32
Dec 24 11:36:56 gateway charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 24 11:36:56 gateway charon: 12[ENC] splitting IKE message with length of 1536 bytes into 2 fragments
Dec 24 11:36:56 gateway charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Dec 24 11:36:56 gateway charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
