<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Follow-on question: when the SS Mac client establishes a connection, a popup occurs for the user to enter a password. Does the client cache the password for the entire session lifetime? I established a connection with a StrongSwan VPN gateway and left it up
with a continuous 5 second ping to a machine inside the gateway. After roughly 2 hours 40 minutes the connection failed to authenticate and the tunnel stopped passing traffic. Does the Mac app present the original password during re-authentication?
<div class=""><br class="">
</div>
<div class="">Configuration:</div>
<div class="">VPN gateway: Strongswan v5.2.2 on Centos 6.6</div>
<div class="">Client: StrongSwan Mac OS X app version 5.2.2(1) on OS X v10.10.2<br class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Here’s the client log:</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">generating INFORMATIONAL response 5 [ D ]</div>
<div class="">sending packet: from 10.0.1.205[64888] to w.x.y.z[4500] (76 bytes)</div>
<div class="">reauthenticating IKE_SA sstest[15]</div>
<div class="">deleting IKE_SA sstest[15] between 10.0.1.205[sstest]…w.x.y.z[<a href="http://gw.cz.com" class="">gw.cz.com</a>]</div>
<div class="">sending DELETE for IKE_SA sstest[15]</div>
<div class="">generating INFORMATIONAL request 7 [ D ]</div>
<div class="">sending packet: from 10.0.1.205[64888] to w.x.y.z[4500] (76 bytes)</div>
<div class="">received packet: from w.x.y.z[4500] to 10.0.1.205[64888] (76 bytes)</div>
<div class="">parsed INFORMATIONAL response 7 [ ]</div>
<div class="">IKE_SA deleted</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Here’s the server log:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[ENC] parsed INFORMATIONAL request 7 [ D ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[IKE] received DELETE for IKE_SA remote-access-ikev2-ss[1]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[IKE] deleting IKE_SA remote-access-ikev2-ss[1] between 10.8.95.244[gw.cz.com]...a.b.c.d[sstest]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[IKE] IKE_SA deleted</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw vpn: - sstest 10.255.252.1/32 == a.b.c.d -- 10.8.95.244 == 10.8.64.0/19</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[ENC] generating INFORMATIONAL response 7 [ ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (76 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 02[CFG] lease 10.255.252.1 by 'sstest' went offline</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[NET] received packet: from a.b.c.d[33495] to 10.8.95.244[4500] (1108 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[IKE] a.b.c.d is initiating an IKE_SA</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[IKE] local host is behind NAT, sending keep alives</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[IKE] remote host is behind NAT</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[IKE] sending cert request for "C=US, ST=Massachusetts, L=Waltham, O=CZ, CN=CZ Secure Gateway CA, E=support@CZ-dev.com"</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 14[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[33495] (465 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (380 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[CFG] looking for peer configs matching 10.8.95.244[%any]...a.b.c.d[sstest]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[CFG] selected peer config 'remote-access-ikev2-ss'</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[IKE] initiating EAP_IDENTITY method (id 0x00)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[IKE] peer supports MOBIKE</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[IKE] authentication of 'gw.cz.com' (myself) with RSA signature successful</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[IKE] sending end entity cert "C=US, ST=Massachusetts, L=Waltham, O=CZ, CN=gw.cz.com, E=support@CZ.com"</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:44:59 secgw charon: 16[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (2204 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 13[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (380 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 13[IKE] received retransmit of request with ID 1, retransmitting response</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 13[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (2204 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 15[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 15[IKE] received EAP identity 'sstest'</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 15[IKE] initiating EAP_MD5 method (id 0x43)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 15[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (92 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 01[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 01[ENC] parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 01[ENC] generating INFORMATIONAL response 3 [ N(AUTH_FAILED) ]</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Mar 13 22:45:03 secgw charon: 01[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (76 bytes)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">On Mar 13, 2015, at 2:27 PM, Ken Nelson <<a href="mailto:ken@CZ.com" class="">ken@CZ.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><br class="">
I’ve successfully connected the StrongSwan Mac OS X app version 5.2.2 (1) to a StrongSwan v5.2.2 VPN gateway. A few questions/issues:<br class="">
<br class="">
<br class="">
1. DNS is not working. I have rightdns=10.8.65.164 defined in the configuration (right is the remote access client). The StrongSwan Mac OS X log indicates it is installing the DNS server address:<br class="">
<br class="">
handling UNITY_SPLIT_INCLUDE attribute failed<br class="">
handling UNITY_LOCAL_LAN attribute failed<br class="">
installing 10.8.65.164 as DNS server<br class="">
handling UNITY_DEF_DOMAIN attribute failed<br class="">
installing 10.8.65.164 as DNS server<br class="">
installing new virtual IP 10.255.252.1<br class="">
<br class="">
The VPN gateway has the Cisco Unity attributes defined as it also supports the native Mac OS X client. <br class="">
<br class="">
Once the tunnel is up, I can ping the server (10.8.54.164) but cannot resolve any hostnames it serves up.<br class="">
<br class="">
Are there any issues with DNS & StrongSwan Mac OS X app? <br class="">
<br class="">
<br class="">
2. EAP-GTC authentication. I would like to use EAP-GTC authentication with the Mac app and would be willing to modify the app to add this feature. Any comments on how to do this or the level of difficulty are appreciated.
<br class="">
<br class="">
<br class="">
3. Machine authentication. Why doesn’t the Mac app require a client certificate for machine authentication, as is required for the native Mac client?<br class="">
<br class="">
<br class="">
4. Password configuration. It would be nice to be able to configure the user’s password, instead of having to enter it on every tunnel invocation.<br class="">
_______________________________________________<br class="">
Users mailing list<br class="">
<a href="mailto:Users@lists.strongswan.org" class="">Users@lists.strongswan.org</a><br class="">
https://lists.strongswan.org/mailman/listinfo/users</div>
</blockquote>
</div>
<br class="">
</div>
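<div class="">The gateway log above shows the second IKE_AUTH exchange stopping right after charon starts EAP_MD5 (id 0x43): the client answers with N(AUTH_FAILED) instead of an MD5-Challenge response. The following added example (written for this page, not code from strongSwan or the Mac app) walks both sides of that EAP exchange as specified in RFC 3748 sections 5.4 and 5.6 and RFC 1994, so a reader can see what a client holding a cached password would have to produce at reauthentication, and, for question 2 in the quoted message, how EAP-GTC differs from EAP-MD5. The identifier 0x43 is the one in the log; the peer name, secret store and challenge are constructed.</div>

```python
# Added example (not strongSwan code): minimal EAP-MD5 and EAP-GTC exchanges as
# they run inside IKE_AUTH, following RFC 3748 sections 5.4 and 5.6 and RFC 1994.
# The identifier 0x43 comes from the gateway log; names, secrets and the
# challenge are constructed for the example.
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5, EAP_TYPE_GTC = 4, 6


def eap_packet(code, identifier, eap_type, type_data):
    """Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def parse_eap(pkt):
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError("malformed EAP packet")
    return code, identifier, eap_type, pkt[5:]


# ---- EAP-MD5: challenge/response; the password itself never leaves the client ----

def md5_request(identifier, challenge, server_name=b""):
    # Type-Data = Value-Size(1) | Value (the challenge) | Name
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                      bytes([len(challenge)]) + challenge + server_name)


def md5_value(identifier, secret, challenge):
    # RFC 1994: MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def md5_client_response(request, secret, peer_name):
    code, identifier, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5:
        raise ValueError("expected EAP-Request/MD5-Challenge")
    vsize = data[0]
    challenge = data[1:1 + vsize]
    value = md5_value(identifier, secret, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                      bytes([len(value)]) + value + peer_name)


def md5_server_verify(response, identifier, challenge, secrets):
    code, rid, eap_type, data = parse_eap(response)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5 or rid != identifier:
        return False  # wrong direction, wrong method, or a stale/replayed identifier
    vsize = data[0]
    value, name = data[1:1 + vsize], data[1 + vsize:]
    secret = secrets.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(md5_value(identifier, secret, challenge), value)


def run_md5(secrets, user, password, identifier=0x43, challenge=None):
    """Full round trip: server challenge -> client answer -> server check."""
    challenge = challenge if challenge is not None else os.urandom(16)
    request = md5_request(identifier, challenge, b"secgw")
    response = md5_client_response(request, password, user)
    return md5_server_verify(response, identifier, challenge, secrets)


# ---- EAP-GTC: whatever the user types travels as the Type-Data itself ----

def gtc_request(identifier, prompt=b"Password: "):
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_GTC, prompt)


def gtc_client_response(request, password):
    code, identifier, eap_type, _prompt = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_GTC:
        raise ValueError("expected EAP-Request/GTC")
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_GTC, password)


def gtc_server_verify(response, identifier, user, secrets):
    code, rid, eap_type, typed = parse_eap(response)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_GTC or rid != identifier:
        return False
    expected = secrets.get(user)
    return expected is not None and hmac.compare_digest(expected, typed)


def run_gtc(secrets, user, password, identifier=0x44):
    request = gtc_request(identifier)
    response = gtc_client_response(request, password)
    return gtc_server_verify(response, identifier, user, secrets)


if __name__ == "__main__":
    db = {b"sstest": b"constructed-secret"}  # constructed credential store
    print("md5 ok:", run_md5(db, b"sstest", b"constructed-secret"))
    print("md5 wrong password:", run_md5(db, b"sstest", b"bad"))
    print("gtc ok:", run_gtc(db, b"sstest", b"constructed-secret"))
```

<div class="">Two points the exchange makes visible. First, the only thing the client needs at reauthentication is the password (or the ability to re-prompt for it): the challenge and identifier are fresh each time, so a response from the earlier session cannot be replayed, and a client that holds the password can answer silently. Second, neither method is safe outside the IKE_SA: an observer of an EAP-MD5 exchange can run an offline dictionary attack on the password, and EAP-GTC sends it in the clear. They are acceptable here only because the exchange is encrypted and the gateway has already proven its identity with the RSA signature shown in the log, which is also why the client sends N(EAP_ONLY).</div>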
</div>
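<div class="">The failure pattern in the gateway log is easy to miss when it is buried in hours of charon output: a DELETE from the peer, a new IKE_SA_INIT from the same address within seconds, EAP started, and then N(AUTH_FAILED) from the client before the method completes. The following added example (written for this page, not a strongSwan tool) scans syslog lines for exactly that sequence and reports how long after the re-initiation the client gave up. The sample lines are constructed after the gateway log above, with the documentation address 192.0.2.10 standing in for a.b.c.d; the year is assumed because syslog omits it, and the "with EAP successful" string used to reset the state is charon's usual wording and is an assumption here.</div>

```python
# Added example (not strongSwan code): detect a peer-initiated IKE_SA delete that
# is immediately followed by a re-initiation which then fails with AUTH_FAILED.
# SAMPLE_LOG is constructed after the gateway log in this thread; the year is
# assumed (syslog lines carry none) and 192.0.2.10 stands in for the real peer.
import re
from datetime import datetime

SAMPLE_LOG = """\
Mar 13 22:44:59 secgw charon: 02[NET] received packet: from 192.0.2.10[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:44:59 secgw charon: 02[ENC] parsed INFORMATIONAL request 7 [ D ]
Mar 13 22:44:59 secgw charon: 02[IKE] received DELETE for IKE_SA remote-access-ikev2-ss[1]
Mar 13 22:44:59 secgw charon: 02[IKE] IKE_SA deleted
Mar 13 22:44:59 secgw charon: 14[NET] received packet: from 192.0.2.10[33495] to 10.8.95.244[4500] (1108 bytes)
Mar 13 22:44:59 secgw charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 13 22:44:59 secgw charon: 14[IKE] 192.0.2.10 is initiating an IKE_SA
Mar 13 22:45:03 secgw charon: 15[NET] received packet: from 192.0.2.10[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:45:03 secgw charon: 15[IKE] received EAP identity 'sstest'
Mar 13 22:45:03 secgw charon: 15[IKE] initiating EAP_MD5 method (id 0x43)
Mar 13 22:45:03 secgw charon: 01[NET] received packet: from 192.0.2.10[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:45:03 secgw charon: 01[ENC] parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
FROM_RE = re.compile(r"received packet: from (?P<peer>[^\[]+)\[")


def parse_ts(ts, year):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_failed_reauths(lines, year=2015, window_s=30):
    """Return one finding per peer whose re-initiation after a DELETE ended in AUTH_FAILED."""
    peer_by_thread = {}   # charon thread number -> peer that sent the packet it is handling
    state = {}            # peer -> progress of the current re-authentication attempt
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = parse_ts(m["ts"], year)
        thread, msg = m["thread"], m["msg"]
        fm = FROM_RE.search(msg)
        if fm:
            # A [NET] receive line tells us which peer the following
            # [ENC]/[IKE]/[CFG] lines on the same thread belong to.
            peer_by_thread[thread] = fm["peer"]
            continue
        peer = peer_by_thread.get(thread)
        if peer is None:
            continue
        st = state.setdefault(peer, {})
        if "received DELETE for IKE_SA" in msg:
            st.clear()
            st["deleted"] = t
        elif "parsed IKE_SA_INIT request" in msg:
            st["reinit"] = t
        elif msg.startswith("received EAP identity"):
            st["identity"] = msg.split("'")[1]
        elif msg.startswith("initiating ") and " method" in msg:
            st["method"] = msg.split()[1]
        elif "with EAP successful" in msg:      # assumed charon wording on success
            st.clear()
        elif "parsed" in msg and "N(AUTH_FAILED)" in msg:
            deleted, reinit = st.get("deleted"), st.get("reinit")
            if deleted and reinit and (reinit - deleted).total_seconds() <= window_s:
                findings.append({
                    "peer": peer,
                    "identity": st.get("identity"),
                    "method": st.get("method"),
                    "deleted_at": deleted,
                    "reinit_at": reinit,
                    "failed_at": t,
                    "seconds_to_failure": (t - reinit).total_seconds(),
                })
            st.clear()
    return findings


if __name__ == "__main__":
    for f in find_failed_reauths(SAMPLE_LOG.splitlines()):
        print(f"{f['peer']} ({f['identity']}): reauth via {f['method']} failed "
              f"{f['seconds_to_failure']:.0f}s after re-initiation at {f['reinit_at']}")
```

<div class="">The delete-then-reinit window separates a reauthentication from an ordinary failed login by a stranger, and the AUTH_FAILED sent by the client rather than the gateway is the tell that the client side, not the credential check, aborted the EAP round. Run against a full day of charon output it will also surface peers whose clients do this repeatedly, which is the sort of thing worth knowing before lengthening ikelifetime or disabling reauth as a workaround.</div>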
</body>
</html>