IT strikes again

-----Original Message-----
From: Noel Kuntze [mailto:[email protected]]
Sent: Wednesday, May 03, 2017 2:15 PM
To: Modster, Anthony <[email protected]>; [email protected]
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

I did. Some software on your end converted it into some obscure "https://secure-web.cisco.com" link.

On 03.05.2017 23:00, Modster, Anthony wrote:
> Hello Noel
>
> ? can you send me the link to "HelpRequests[1] page"
>
> -----Original Message-----
> From: Noel Kuntze [mailto:[email protected]]
> Sent: Wednesday, May 03, 2017 1:37 PM
> To: Modster, Anthony <[email protected]>; [email protected]
> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>
> For each interface.
>
> On 03.05.2017 22:24, Modster, Anthony wrote:
>> Hello Noel
>>
>> Quick question, do you want the tcpdump capture for each interface, or capture at the secure gateway side.
>>
>> -----Original Message-----
>> From: Noel Kuntze [mailto:[email protected]]
>> Sent: Wednesday, May 03, 2017 12:08 PM
>> To: Modster, Anthony <[email protected]>; [email protected]
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Hello Anthony,
>>
>> On 03.05.2017 20:36, Modster, Anthony wrote:
>>> Each tunnel would be bound to a separate interface (eth1.13 and ppp0).
>>> Our application would open a socket for each tunnel end point, and bind to it (so there is no routing needed).
>> What kind of socket? Raw IP?
>>
>>> We verified that ESP packets are being sent from each application socket to the assigned interface.
>> Huh? Don't you mean "We verified that ESP packets are sent for each packet that is emitted from the application socket to the assigned interface"?
>>
>>> We verified that IKE packets are being sent to each interface from Charon.
>> This is very curious. Please verify that they are indeed sent out from two different interfaces.
>> As I previously mentioned, routing decisions are made based on the destination address, not the source address, so IKE packets for either IKE_SA would traverse the same interface and use the same route, except if you used policy based routing.
>>
>> Anyway, I require logs to figure out what happens exactly. Please create them using the file logger definition from the HelpRequests[1] page.
>>
>> Kind regards,
>> Noel
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>
>>> ? does this sound ok
>>> I will send more after your response.
>>>
>>> -----Original Message-----
>>> From: Noel Kuntze [mailto:[email protected]]
>>> Sent: Wednesday, May 03, 2017 10:38 AM
>>> To: Modster, Anthony <[email protected]>; [email protected]
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> On 03.05.2017 19:24, Modster, Anthony wrote:
>>>> We are using two interfaces at once from same host to the same secure gateway.
>>> Why?
>>> Why even two IKE_SAs? Just use one IKE_SA and have the two CHILD_SAs be managed under one.
>>>
>>>> root@wglng-6:~# ip route show
>>>> 10.64.64.64 dev ppp0 proto kernel scope link src 166.204.4.61
>>>> 192.168.1.0/24 dev eth1.13 proto kernel scope link src 192.168.1.134
>>>> Note: I did not show interfaces that are not applicable
>>>>
>>>> Both tunnels are up and were able to ping and send data thru the tunnels.
>>>>
>>>> root@wglng-6:~# swanctl --list-sas
>>>> sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* 5fa1f29dce075fd4_r
>>>>   local '[email protected]' @ 166.204.4.61[4500] [20.20.20.9]
>>>>   remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
>>>>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
>>>>   established 922s ago, rekeying in 43s, reauth in 2455s
>>>>   sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
>>>>     installed 336s ago, rekeying in 211s, expires in 325s
>>>>     in  c2e01069, 1320 bytes, 33 packets, 6s ago
>>>>     out e1c27d5f, 1452 bytes, 33 packets, 6s ago
>>>>     local  20.20.20.9/32
>>>>     remote 10.100.20.15/32
>>>> sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* 5e3c5e4b5c1ec4cf_r
>>>>   local '[email protected]' @ 192.168.1.134[4500] [20.20.20.8]
>>>>   remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
>>>>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
>>>>   established 1049s ago, rekeying in 150s, reauth in 2257s
>>>>   sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
>>>>     installed 469s ago, rekeying in 104s, expires in 191s
>>>>     in  c45db512, 1880 bytes, 47 packets, 6s ago
>>>>     out 77309eef, 2068 bytes, 47 packets, 6s ago
>>>>     local  20.20.20.8/32
>>>>     remote 10.100.20.15/32
>>>>
>>>> strongswan creates the following in table 220
>>>> root@wglng-6:~# ip route show table 220
>>>> 10.100.20.15 via 192.168.1.1 dev eth1.13 proto static src 20.20.20.8
>>>>
>>>> When we bring down eth1.13, the tunnel for ppp0 becomes unusable.
>>> What do you mean with "the tunnel for ppp0"? The interface is irrelevant. Packets are routed based on their destination. Charon does not pick two different paths for two different IKE_SAs to the same peer.
>>>
>>> Are you aware that charon uses one path for all the IKE_SAs to one peer? Charon should choose another path to the remote peer, if there is one (and the "src" parameter of the corresponding route allows that). I guess your routing table doesn't allow that.
>>>
>>> Please provide logs that show the problem.
>>>
>>>> We think the problem is that ppp0 does not have a via in table 220.
>>> Irrelevant. See above.
>>>
>>>> If you need more information, let me know.
>>>>
>>>> Thanks
>>>>
>>>> -----Original Message-----
>>>> From: Noel Kuntze [mailto:[email protected]]
>>>> Sent: Wednesday, May 03, 2017 7:33 AM
>>>> To: Modster, Anthony <[email protected]>; [email protected]
>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] multiple tunnels
>>>>
>>>> Hello Anthony,
>>>>
>>>> On 03.05.2017 06:57, Modster, Anthony wrote:
>>>>> ? how to setup ipsec policy
>>>>>
>>>>> We want to use multiple tunnels on separate interfaces on the same host to one secure gateway.
>>>>>
>>>>> The secure gateway only has one external IP address.
>>>>>
>>>> Depends on your exact requirements. You need to elaborate on this.
>>>>
>>>> Kind regards,
>>>> Noel
>>>>
>>>> --
>>>> Noel Kuntze
>>>> IT security consultant
>>>> GPG Key ID: 0x0739AD6C
>>>> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> https://lists.strongswan.org/mailman/listinfo/users
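As an added example (not from the thread or from the strongSwan project), a small parser for the `swanctl --list-sas` output quoted above that groups the IKE_SAs by remote peer address and flags peers reached from more than one local address, the situation Noel describes in which destination-based routing carries the IKE traffic of both SAs over the same interface unless policy-based routing is configured. The sample is constructed from the thread's output with the long remote DN shortened to its CN; the regular expressions match the output format as quoted there.

```python
import re
from collections import defaultdict

# Constructed sample: the swanctl --list-sas output quoted in the thread, with the long
# remote DN shortened to its CN (the parser only reads the '@ address[port]' part).
LIST_SAS = """\
sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* 5fa1f29dce075fd4_r
  local '[email protected]' @ 166.204.4.61[4500] [20.20.20.9]
  remote 'CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
  sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    local  20.20.20.9/32
    remote 10.100.20.15/32
sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* 5e3c5e4b5c1ec4cf_r
  local '[email protected]' @ 192.168.1.134[4500] [20.20.20.8]
  remote 'CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
  sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    local  20.20.20.8/32
    remote 10.100.20.15/32
"""

IKE_RE = re.compile(r"^(\S+): #\d+, \w+, IKEv\d")            # unindented IKE_SA header
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, \w+, ")  # indented CHILD_SA header
ADDR_RE = re.compile(r"^\s+(local|remote) '.*' @ ([\d.]+)\[\d+\]")  # identity @ addr[port]
TS_RE = re.compile(r"^\s+(local|remote)\s+([\d./]+)$")       # CHILD_SA traffic selector

def parse_list_sas(text):
    """IKE_SAs as dicts: name, local/remote peer address, CHILD_SAs with traffic selectors."""
    sas, ike, child = [], None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike = {"name": m.group(1), "local": None, "remote": None, "children": []}
            child = None
            sas.append(ike)
        elif m := CHILD_RE.match(line):
            child = {"name": m.group(1), "local_ts": [], "remote_ts": []}
            ike["children"].append(child)
        elif m := ADDR_RE.match(line):
            ike[m.group(1)] = m.group(2)
        elif (m := TS_RE.match(line)) and child is not None:
            child[m.group(1) + "_ts"].append(m.group(2))
    return sas

def shared_path_peers(sas):
    """Peers reached by several IKE_SAs from different local addresses: the kernel routes
    IKE by destination, so without policy-based routing they all share one interface."""
    by_peer = defaultdict(set)
    for sa in sas:
        by_peer[sa["remote"]].add(sa["local"])
    return {peer: sorted(locs) for peer, locs in by_peer.items() if len(locs) > 1}
```

For the quoted output the check reports 76.232.248.210 as reached from both 166.204.4.61 and 192.168.1.134, which is exactly the setup the thread says needs either policy-based routing or a single IKE_SA with two CHILD_SAs.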
