<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 03/20/2018 12:34 AM, Tobias Brunner
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:09294022-a5da-8747-ed09-11bf458bfb82@strongswan.org">
<pre wrap="">Hi,
</pre>
<br>
<blockquote type="cite">
<pre wrap=""> When my gateway must
validate with machines inside the LAN (as cygnus.darkmatter.org) and
outside (as quantum-equities.com), how can it prove that it's the right
machine if not DNS resolvable by checking CN=?
</pre>
</blockquote>
<pre wrap="">
That's exactly what SANs are for and why you an use --san multiple times.</pre>
</blockquote>
Ah HA! So it is the SAN which is pivotal. I couldn't find this
anywhere.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:09294022-a5da-8747-ed09-11bf458bfb82@strongswan.org">
<blockquote type="cite">
<pre wrap="">And how does the phone prove it is who it is in the Android app when its
IP changes and is not resolvable? The responder has to take its word
for it since it has the private key? If so, why is --san and --dn required?
</pre>
</blockquote>
<pre wrap="">
The server uses the trust chain to verify that the client certificate is
issued by a trusted CA certificate and checks the signature in the AUTH
payload that proves the client is in possession of the private key. The
DN and SANs are used as identification of the clients (and you could
e.g. match them in different configs).</pre>
</blockquote>
Ah HA! This is a choice nugget of info, thank you<br>
.<br>
<blockquote type="cite"
cite="mid:09294022-a5da-8747-ed09-11bf458bfb82@strongswan.org"><br>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""># swanctl -L
# swanctl -l
(no response, for some reason)
</pre>
</blockquote>
<pre wrap="">Yes, and that reason is: No config has been loaded. Did you run
swanctl --load-conns (-c) or --load-all (-q)?
</pre>
</blockquote>
<pre wrap="">I haven't mentioned this, but I'm running CentOS7 which handles this in
systemd:
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
... and yet I still have nothing with
</pre>
</blockquote>
<pre wrap="">
Then you obviously haven't added the connection configs to the right
file. Did you add them to /etc/strongswan/swanctl/swanctl.conf?</pre>
</blockquote>
Maybe not so obvious, but yes sir, modifications only made to
swanctl.conf
and charon.conf, and daemon started with ststemctl start
strongswan-swanctl. (CentOS7) I've described in detail all
requested info in the <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">HelpRequests
page</a>, in my email to this list of 18/03/2018 16:52. The
problem hasn't changed, but I'll update it here:<br>
<br>
-------------------------------------------------------------------------------------------<br>
<br>
This post is formatted as per <a
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">here</a>.<br>
<br>
I'm using the bare minimum swanctl.conf and I've regenerated all my
keys and certs again, with multiple SANs for the IPSec gateway. <br>
<br>
The IPSec gateway, is a virtual machine in the LAN, and DNATted to
by the LAN gateway<br>
<br>
The problem is when the phone tries to connect with the Android app,
its log says "NO_PROPOSAL_CHOSEN". The IPSec gateway's log shows
likewise. On the IPSec gateway there is no response to # swanctl -L
nor # swanctl -l.<br>
<br>
Also I would like to set the phone and other remotes to 'initiate
only' but there doesn't seem to be a way in the Android app. And
for other remote machines there no longer seems to be that option.<br>
<br>
On the IPSec gateway:<br>
<br>
Log levels are as per instructions, and charon.log is attached.<br>
<br>
strongswan.conf<br>
charon {<br>
load_modular = yes<br>
plugins {<br>
include strongswan.d/charon/*.conf<br>
}<br>
}<br>
<br>
include strongswan.d/*.conf<br>
<br>
<br>
swanctl.conf<br>
iikev2-pubkey {<br>
version = 2<br>
rekey_time = 0s<br>
local {<br>
cert = cygnus-Cert.pem<br>
id = quantum-equities.com<br>
id = cygnus.darkmatter.org<br>
}<br>
remote {<br>
# defaults are fine.<br>
}<br>
children {<br>
ikev2-pubkey {<br>
local_ts = 192.168.1.0/24 #,::/0<br>
mode = transport<br>
}<br>
}<br>
}<br>
<br>
<br>
charon.conf<br>
charon {<br>
<br>
# two defined file loggers<br>
filelog {<br>
/var/log/charon.log {<br>
time_format = %a, %Y-%m-%d %R<br>
ike_name = yes<br>
append = no<br>
default = 2<br>
flush_line = yes<br>
}<br>
stderr {<br>
mgr = 0<br>
net = 1<br>
enc = 1<br>
asn = 1<br>
job = 1<br>
knl = 1<br>
}<br>
}<br>
<br>
<br>
# swanctl -L<br>
# swanctl -l<br>
(no response, for some reason)<br>
<br>
# systemctl status strongswan-swanctl<br>
<font color="#009900">●</font> strongswan-swanctl.service -
strongSwan IPsec IKEv1/IKEv2 daemon using swanctl<br>
Loaded: loaded
(/usr/lib/systemd/system/strongswan-swanctl.service; enabled; vendor
preset: disabled)<br>
Active: <font color="#009900">active (running)</font> since Tue
2018-03-20 11:08:41 PDT; 2s ago<br>
Process: 25749 ExecStartPost=/usr/sbin/swanctl --load-all
--noprompt (code=exited, status=0/SUCCESS)<br>
Main PID: 25730 (charon-systemd)<br>
Status: "charon-systemd running, strongSwan 5.5.3, Linux
4.13.0-1.el7.elrepo.x86_64, x86_64"<br>
CGroup:
/system.slice/strongswan-swanctl.service
<br>
└─25730
/usr/sbin/charon-systemd
<br>
<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: no authorities
found, 0 unloaded <br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: no pools found,
0 unloaded <br>
Mar 20 11:08:41 cygnus.darkmtter.org systemd[1]: Started strongSwan
IPsec IKEv1/IKEv2 daemon using swanctl.<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: no connections
found, 0 unloaded <br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded
certificate from '/etc/strongswan/swanctl/x509/cygnus-Cert.pem'<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded
certificate from '/etc/strongswan/swanctl/x509/hydrus-Cert.pem'<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded
certificate from '/etc/strongswan/swanctl/x509/lepus-Cert.pem'<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded
certificate from '/etc/strongswan/swanctl/x509/scorpius-Cert.pem'<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded
certificate from '/etc/strongswan/swanctl/x509ca/aries-CAcert.pem'<br>
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded private
key from '/etc/strongswan/swanctl/private/cygnus-Key.pem'<br>
<br>
# iptables-save<br>
(attached)<br>
<br>
# ip route show table all<br>
default via 192.168.1.1 dev
eth0
<br>
169.254.0.0/16 dev eth0 scope link metric
1002 <br>
192.168.1.0/24 dev eth0 proto kernel scope link src
192.168.1.16 <br>
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1 <br>
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1 <br>
local 127.0.0.1 dev lo table local proto kernel scope host src
127.0.0.1 <br>
broadcast 127.255.255.255 dev lo table local proto kernel scope link
src 127.0.0.1 <br>
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link
src 192.168.1.16 <br>
local 192.168.1.16 dev eth0 table local proto kernel scope host src
192.168.1.16 <br>
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link
src 192.168.1.16 <br>
unreachable ::/96 dev lo metric 1024 error -113 <br>
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 <br>
unreachable 2002:a00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 <br>
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:e000::/19 dev lo metric 1024 error -113 <br>
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 <br>
fe80::/64 dev eth0 proto kernel metric 256 <br>
fe80::/64 dev ipsec0 proto kernel metric 256 <br>
local ::1 dev lo table local proto kernel metric 0 <br>
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric
0 <br>
local fe80::bc44:9b91:2691:e6a2 dev lo table local proto kernel
metric 0 <br>
ff00::/8 dev eth0 table local metric 256 <br>
ff00::/8 dev ipsec0 table local metric 256<br>
<br>
<br>
# ip address<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
UNKNOWN qlen 1000<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host <br>
valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UP qlen 1000<br>
link/ether 52:54:00:c0:23:30 brd ff:ff:ff:ff:ff:ff<br>
inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::5054:ff:fec0:9330/64 scope link <br>
valid_lft forever preferred_lft forever<br>
24: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400
qdisc pfifo_fast state UNKNOWN qlen 500<br>
link/none <br>
inet6 fe80::22e9:6b12:6b8e:b558/64 scope link flags 800 <br>
valid_lft forever preferred_lft forever<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>