Hello Noel ? can you send me the link to "HelpRequests[1] page"
-----Original Message-----
From: Noel Kuntze [mailto:[email protected]]
Sent: Wednesday, May 03, 2017 1:37 PM
To: Modster, Anthony <[email protected]>; [email protected]
Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

For each interface.

On 03.05.2017 22:24, Modster, Anthony wrote:
> Hello Noel
>
> Quick question, do you want the tcpdump capture for each interface, or
> capture at the secure gateway side.
>
> -----Original Message-----
> From: Noel Kuntze [mailto:[email protected]]
> Sent: Wednesday, May 03, 2017 12:08 PM
> To: Modster, Anthony <[email protected]>; [email protected]
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>
> Hello Anthony,
>
> On 03.05.2017 20:36, Modster, Anthony wrote:
>> Each tunnel would be bound to a separate interface (eth1.13 and ppp0).
>> Our application would open a socket for each tunnel end point, and bind to
>> it (so there is no routing needed).
> What kind of socket? Raw IP?
>
>> We verified that ESP packets are being sent from each application socket to
>> the assigned interface.
> Huh? Don't you mean "We verified that ESP packets are sent for each packet
> that is emitted from the application socket to the assigned interface"?
>
>> We verified that IKE packets are being sent to each interface from Charon.
> This is very curious. Please verify that they are indeed sent out from two
> different interfaces.
> As I previously mentioned, routing decisions are made based on the
> destination address, not the source address, so IKE packets for either IKE_SA
> would traverse the same interface and use the same route, except if you used
> policy based routing.
>
> Anyway, I require logs to figure out what happens exactly. Please create them
> using the file logger definition from the HelpRequests[1] page.
>
> Kind regards,
> Noel
>
> [1] https://secure-web.cisco.com/1j3GkDWiMC47CUy7JEZrTMFVOcm1wcAG1qjUD4ejwTAGcl7Ie8pH_oYW3ermSmwJCHgfvbtGVlYFEBP8roXNFVxQH5MyW5aLMsU9pDAUSxyzCAslioVIyuREQoLk_-CP9Gus-3GQRkuDUOYzov0N5ZPq6tsv_2mW9NGMkRK-O3WZpWyeuW-WHB5bGM1JBQu1w0xtwPy7ehB2hEZcy-cCyXQ/https%3A%2F%2Fwiki.strongswan.org%2Fprojects%2Fstrongswan%2Fwiki%2FHelpRequests
>
>> ? does this sound ok
>> I will send more after your response.
>>
>> -----Original Message-----
>> From: Noel Kuntze [mailto:[email protected]]
>> Sent: Wednesday, May 03, 2017 10:38 AM
>> To: Modster, Anthony <[email protected]>; [email protected]
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: multiple tunnels
>>
>> Hello Anthony,
>>
>> On 03.05.2017 19:24, Modster, Anthony wrote:
>>> We are using two interfaces at once from same host to the same secure
>>> gateway.
>> Why?
>> Why even two IKE_SAs? Just use one IKE_SA and have the two CHILD_SAs be
>> managed under one.
>>
>>> root@wglng-6:~# ip route show
>>> 10.64.64.64 dev ppp0 proto kernel scope link src 166.204.4.61
>>> 192.168.1.0/24 dev eth1.13 proto kernel scope link src 192.168.1.134
>>> Note: I did not show interfaces that are not applicable
>>>
>>> Both tunnels are up and were able to ping and send data thru the tunnels.
>>> root@wglng-6:~# swanctl --list-sas
>>> sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* 5fa1f29dce075fd4_r
>>> local '[email protected]' @ 166.204.4.61[4500] [20.20.20.9]
>>> remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
>>> AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
>>> established 922s ago, rekeying in 43s, reauth in 2455s
>>> sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
>>> installed 336s ago, rekeying in 211s, expires in 325s
>>> in c2e01069, 1320 bytes, 33 packets, 6s ago
>>> out e1c27d5f, 1452 bytes, 33 packets, 6s ago
>>> local 20.20.20.9/32
>>> remote 10.100.20.15/32
>>> sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* 5e3c5e4b5c1ec4cf_r
>>> local '[email protected]' @ 192.168.1.134[4500] [20.20.20.8]
>>> remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
>>> AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
>>> established 1049s ago, rekeying in 150s, reauth in 2257s
>>> sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
>>> installed 469s ago, rekeying in 104s, expires in 191s
>>> in c45db512, 1880 bytes, 47 packets, 6s ago
>>> out 77309eef, 2068 bytes, 47 packets, 6s ago
>>> local 20.20.20.8/32
>>> remote 10.100.20.15/32
>>>
>>> strongswan creates the following in table 220
>>> root@wglng-6:~# ip route show table 220
>>> 10.100.20.15 via 192.168.1.1 dev eth1.13 proto static src 20.20.20.8
>>>
>>> When we bring down eth1.13, the tunnel for ppp0 becomes unusable.
>> What do you mean with "the tunnel for ppp0"? The interface is irrelevant.
>> Packets are routed based on their destination. Charon does not pick two
>> different paths for two different IKE_SAs to the same peer.
>>
>> Are you aware that charon uses one path for all the IKE_SAs to one peer?
>> Charon should choose another path to the remote peer, if there is one (and
>> the "src" parameter of the corresponding route allows that). I guess your
>> routing table doesn't allow that.
>>
>> Please provide logs that show the problem.
>>
>>> We think the problem is that ppp0 does not have a via in table 220.
>> Irrelevant. See above.
>>
>>> If you need more information, let me know.
>>>
>>> Thanks
>>>
>>> -----Original Message-----
>>> From: Noel Kuntze [mailto:[email protected]]
>>> Sent: Wednesday, May 03, 2017 7:33 AM
>>> To: Modster, Anthony <[email protected]>; [email protected]
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> On 03.05.2017 06:57, Modster, Anthony wrote:
>>>> ? how to setup ipsec policy
>>>>
>>>> We want to use multiple tunnels on separate interfaces on the same host to
>>>> one secure gateway.
>>>>
>>>> The secure gateway only has one external IP address.
>>>>
>>> Depends on your exact requirements. You need to elaborate on this.
>>>
>>> Kind regards,
>>> Noel
>>>
>>> --
>>> Noel Kuntze
>>> IT security consultant
>>> GPG Key ID: 0x0739AD6C
>>> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://secure-web.cisco.com/1umLFBujqnWj6QpzkmjOs5N9U3Ek-8bie0MXpB6wZ9ss1vhilBrSfF13tKoWL6NTRe0CPd1SRvuy2CT2LgFRD1gjLQ21atsRzKU836ZbhigAz4k14W-T9yeoOC4t2-xDiwbecTeWHYlRtlO1w7TQmXEEzPLgNH25aPblOjUYxnVk3llkYq0Wld7pEH7cKab9tMboT6476CmpbjuM8HztzzA/https%3A%2F%2Flists.strongswan.org%2Fmailman%2Flistinfo%2Fusers
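The recurring point in Noel's replies is that the Linux kernel selects the egress path by destination address, so two IKE_SAs from one host to the same gateway leave through the same interface unless a source-based rule ("policy based routing") is added. The following is an added illustration for this thread, not code from the list or from strongSwan: a small model of the rule/table lookup that `ip rule` and `ip route` express, populated with the routes, addresses and interfaces quoted above. The default route via eth1.13, the extra table 101 and the `from 166.204.4.61 lookup 101` rule are assumptions that the thread does not show.

```python
"""Added illustration (not from the thread): a model of Linux policy routing,
used to show why two IKE_SAs from one host to the same peer egress through the
same interface unless a source-based rule exists.  Routes marked 'thread' are
the ones quoted in the mail; the default route and table 101 are ASSUMED."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PEER = "76.232.248.210"        # secure gateway (thread)
ETH_SRC = "192.168.1.134"      # address on eth1.13 (thread)
PPP_SRC = "166.204.4.61"       # address on ppp0 (thread)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # next hop; None means on-link / point-to-point
    src: Optional[str] = None   # preferred source address


@dataclass
class Rule:
    table: str
    priority: int
    from_prefix: Optional[ipaddress.IPv4Network] = None  # None == "from all"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s, strict=False)


def lookup_table(table, dst):
    """Longest-prefix match within one routing table (the FIB lookup)."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def fib_lookup(rules, tables, dst, src=None):
    """Walk the rules in priority order like 'ip rule'; the first table that
    holds a matching route decides.  A 'from' rule only fires when the packet's
    source falls inside its prefix, which is the only way the source address
    influences the decision."""
    dst = ipaddress.IPv4Address(dst)
    src_addr = ipaddress.IPv4Address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.from_prefix is not None and (src_addr is None or src_addr not in rule.from_prefix):
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return hit
    return None


def build_scenario(policy_routing: bool):
    tables = {
        # 'ip route show' as quoted in the thread, plus an ASSUMED default route via eth1.13
        "main": [
            Route(net("10.64.64.64/32"), "ppp0", src=PPP_SRC),
            Route(net("192.168.1.0/24"), "eth1.13", src=ETH_SRC),
            Route(net("0.0.0.0/0"), "eth1.13", via="192.168.1.1"),   # assumption
        ],
        # table 220 as installed by strongSwan (quoted in the thread)
        "220": [Route(net("10.100.20.15/32"), "eth1.13", via="192.168.1.1", src="20.20.20.8")],
    }
    rules = [Rule("220", 220), Rule("main", 32766)]
    if policy_routing:
        # ASSUMED extra configuration, equivalent to:
        #   ip route add default dev ppp0 table 101
        #   ip rule add from 166.204.4.61/32 lookup 101 priority 100
        tables["101"] = [Route(net("0.0.0.0/0"), "ppp0")]
        rules.append(Rule("101", 100, from_prefix=net(PPP_SRC + "/32")))
    return rules, tables


def egress_for_ike(src: str, policy_routing: bool):
    """Interface an IKE packet sourced from `src` and sent to the peer leaves through."""
    rules, tables = build_scenario(policy_routing)
    hit = fib_lookup(rules, tables, PEER, src)
    return hit.dev if hit else None


if __name__ == "__main__":
    for pbr in (False, True):
        print(f"policy routing {'on ' if pbr else 'off'}:",
              f"from {ETH_SRC} -> {egress_for_ike(ETH_SRC, pbr)},",
              f"from {PPP_SRC} -> {egress_for_ike(PPP_SRC, pbr)}")
```

Without the source rule both IKE_SAs resolve to eth1.13, which is why taking eth1.13 down affects both tunnels even though one IKE_SA was negotiated from the ppp0 address; with the rule the ppp0-sourced IKE_SA gets its own path. On a live host the equivalent check is `ip route get 76.232.248.210 from 166.204.4.61`, run once per local address.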
