<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<p>Well, breakthrough. I moved on from the IPSec gateway and phone
to the mailserver, and in swanctl.conf immediately discovered a:<br>
</p>
<p>connections {<br>
</p>
<p>This has been missing for a long time from the gateway's
swanctl.conf, and explains why swanctl -L wasn't returning
anything. May look dumb, but this all could be shinola and I
wouldn't see the difference. (neither would anyone else)<br>
</p>
<p>So I put this in swanctl.conf on the IPSec gateway and then it
immediately objected that I have:<br>
</p>
<p>cert = cygnus-Cert.pem</p>
<p>That doesn't seem to be in the man page (per se) so I commented
it out and then the daemon started. (although it only recognized
the last id=)<br>
</p>
<p>Now trying to establish a connection from the phone it times out
for something from 4500. The gateway says it's sent that bundle
to 4500, so there might be something wrong with the firewalls.</p>
<p>This IPsec gateway is an independent OpenStack instance, which is
reached from the outside by DNAT through the LAN gateway. SNAT in
Shorewall on the LAN gateway is handled by a special file called
snat, which is set up. I see no firewall blockage in logs, but
that's not unusual for Shorewall to hide those.</p>
<p>Using <i><font color="#990000">tcpdump 'tcp port 500'</font></i><font
color="#990000"> (and 4500)</font> yields nothing in the WAN
gateway and IPSec gateway on the relevant interfaces, although
obviously -something- is getting through for the connection to be
substantially negotiated. I don't know what's wrong with that.<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 03/20/2018 02:32 PM, Info wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a25fabd8-ae42-e0e8-8192-243775311cb4@quantum-equities.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>Pretty bad, isn't it.</p>
<p>Try to remember when you were first starting out and had
everything to learn, and had never gotten any of this working
yet. That's where I am.</p>
<p>I'm trying to give you everything you need to determine the
problem, and the key symptom is swanctl -L on the IPSec gateway
gives nothing. I believe I'm setting it all up as it's supposed
to be. SELinux Permissive. This is why I'm wondering if it's a
RedHat bug?</p>
# /usr/sbin/swanctl --load-all<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/cygnus-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/hydrus-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/lepus-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/scorpius-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509ca/aries-CAcert.pem'<br>
loaded rsa key from
'/etc/strongswan/swanctl/private/cygnus-Key.pem'<br>
no authorities found, 0 unloaded<br>
no pools found, 0 unloaded<br>
no connections found, 0 unloaded<br>
# swanctl -L<br>
#<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 03/20/2018 12:16 PM, Info wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a617e9e9-fa0e-2b98-392c-2e8e4337d6a0@quantum-equities.com">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
<br>
<div class="moz-cite-prefix">On 03/20/2018 12:34 AM, Tobias
Brunner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:09294022-a5da-8747-ed09-11bf458bfb82@strongswan.org">
<pre wrap="">Hi,
</pre>
<br>
<blockquote type="cite">
<pre wrap=""> When my gateway must
validate with machines inside the LAN (as cygnus.darkmatter.org) and
outside (as quantum-equities.com), how can it prove that it's the right
machine if not DNS resolvable by checking CN=?
</pre>
</blockquote>
<pre wrap="">That's exactly what SANs are for and why you an use --san multiple times.</pre>
</blockquote>
Ah HA! So it is the SAN which is pivotal. I couldn't find this
anywhere.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:09294022-a5da-8747-ed09-11bf458bfb82@strongswan.org">
<blockquote type="cite">
<pre wrap="">And how does the phone prove it is who it is in the Android app when its
IP changes and is not resolvable? The responder has to take its word
for it since it has the private key? If so, why is --san and --dn required?
</pre>
</blockquote>
<pre wrap="">The server uses the trust chain to verify that the client certificate is
issued by a trusted CA certificate and checks the signature in the AUTH
payload that proves the client is in possession of the private key. The
DN and SANs are used as identification of the clients (and you could
e.g. match them in different configs).</pre>
</blockquote>
Ah HA! This is a choice nugget of info, thank you.<br>
<blockquote type="cite"
cite="mid:09294022-a5da-8747-ed09-11bf458bfb82@strongswan.org"><br>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""># swanctl -L
# swanctl -l
(no response, for some reason)
</pre>
</blockquote>
<pre wrap="">Yes, and that reason is: No config has been loaded. Did you run
swanctl --load-conns (-c) or --load-all (-q)?
</pre>
</blockquote>
<pre wrap="">I haven't mentioned this, but I'm running CentOS7 which handles this in
systemd:
ExecStart=/usr/sbin/charon-systemd
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
... and yet I still have nothing with
</pre>
</blockquote>
<pre wrap="">Then you obviously haven't added the connection configs to the right
file. Did you add them to /etc/strongswan/swanctl/swanctl.conf?</pre>
</blockquote>
Maybe not so obvious, but yes sir, modifications only made to
swanctl.conf and charon.conf, and daemon started with systemctl
start strongswan-swanctl. (CentOS7) I've described in detail
all requested info in the <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">HelpRequests
page</a>, in my email to this list of 18/03/2018 16:52. The
problem hasn't changed, but I'll update it here:<br>
<br>
-------------------------------------------------------------------------------------------<br>
<br>
This post is formatted as per <a
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests"
moz-do-not-send="true">here</a>.<br>
<br>
I'm using the bare minimum swanctl.conf and I've regenerated all
my keys and certs again, with multiple SANs for the IPSec
gateway. <br>
<br>
The IPSec gateway is a virtual machine in the LAN, and DNATted
to by the LAN gateway<br>
<br>
The problem is when the phone tries to connect with the Android
app, its log says "NO_PROPOSAL_CHOSEN". The IPSec gateway's log
shows likewise. On the IPSec gateway there is no response to #
swanctl -L nor # swanctl -l.<br>
<br>
Also I would like to set the phone and other remotes to
'initiate only' but there doesn't seem to be a way in the
Android app. And for other remote machines there no longer
seems to be that option.<br>
<br>
On the IPSec gateway:<br>
<br>
Log levels are as per instructions, and charon.log is attached.<br>
<br>
strongswan.conf<br>
<pre wrap="">charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
</pre>
<br>
<br>
swanctl.conf<br>
<pre wrap="">iikev2-pubkey {
    version = 2
    rekey_time = 0s
    local {
        cert = cygnus-Cert.pem
        id = quantum-equities.com
        id = cygnus.darkmatter.org
    }
    remote {
        # defaults are fine.
    }
    children {
        ikev2-pubkey {
            local_ts = 192.168.1.0/24 #,::/0
            mode = transport
        }
    }
}
</pre>
<br>
<br>
charon.conf<br>
<pre wrap="">charon {

    # two defined file loggers
    filelog {
        /var/log/charon.log {
            time_format = %a, %Y-%m-%d %R
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
            mgr = 0
            net = 1
            enc = 1
            asn = 1
            job = 1
            knl = 1
        }
    }
}
</pre>
<br>
<br>
# swanctl -L<br>
# swanctl -l<br>
(no response, for some reason)<br>
<br>
<pre wrap=""># systemctl status strongswan-swanctl
<font color="#009900">●</font> strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
   Loaded: loaded (/usr/lib/systemd/system/strongswan-swanctl.service; enabled; vendor preset: disabled)
   Active: <font color="#009900">active (running)</font> since Tue 2018-03-20 11:08:41 PDT; 2s ago
  Process: 25749 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
 Main PID: 25730 (charon-systemd)
   Status: "charon-systemd running, strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64"
   CGroup: /system.slice/strongswan-swanctl.service
           └─25730 /usr/sbin/charon-systemd

Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: no authorities found, 0 unloaded
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: no pools found, 0 unloaded
Mar 20 11:08:41 cygnus.darkmtter.org systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: no connections found, 0 unloaded
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded certificate from '/etc/strongswan/swanctl/x509/cygnus-Cert.pem'
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded certificate from '/etc/strongswan/swanctl/x509/hydrus-Cert.pem'
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded certificate from '/etc/strongswan/swanctl/x509/lepus-Cert.pem'
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded certificate from '/etc/strongswan/swanctl/x509/scorpius-Cert.pem'
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded certificate from '/etc/strongswan/swanctl/x509ca/aries-CAcert.pem'
Mar 20 11:08:41 cygnus.darkmtter.org swanctl[25749]: loaded private key from '/etc/strongswan/swanctl/private/cygnus-Key.pem'
</pre>
<br>
# iptables-save<br>
(attached)<br>
<br>
<pre wrap=""># ip route show table all
default via 192.168.1.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.16
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.16
local 192.168.1.16 dev eth0 table local proto kernel scope host src 192.168.1.16
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.16
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev ipsec0 proto kernel metric 256
local ::1 dev lo table local proto kernel metric 0
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric 0
local fe80::bc44:9b91:2691:e6a2 dev lo table local proto kernel metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev ipsec0 table local metric 256
</pre>
<br>
<br>
<pre wrap=""># ip address
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:c0:23:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fec0:9330/64 scope link
       valid_lft forever preferred_lft forever
24: ipsec0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet6 fe80::22e9:6b12:6b8e:b558/64 scope link flags 800
       valid_lft forever preferred_lft forever
</pre>
<br>
</blockquote>
<br>
</blockquote>
<br>
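<p>Editor's added example, not code from this thread or from the strongSwan project: a small Python parser for the strongswan.conf grammar that swanctl.conf shares (<code>key = value</code>, <code>name { ... }</code>, <code>#</code> comments, <code>include</code> lines), plus a linter that flags the three things the quoted help-request config tripped over and that the top message eventually found by hand: the connection sitting at top level instead of inside <code>connections { }</code> (so <code>swanctl --load-all</code> reports "no connections found" and <code>swanctl -L</code> prints nothing), <code>cert =</code> where the valid swanctl.conf key is <code>certs =</code>, and two <code>id =</code> lines in one section, of which only the last takes effect. Both sample configs are constructed here: <code>BROKEN_CONF</code> is the config quoted above (minus <code>rekey_time</code> and the empty <code>remote { }</code>), <code>FIXED_CONF</code> is an assumed corrected form and not a config posted to the list.</p>

```python
# Added example, not strongSwan code: parse swanctl.conf syntax and lint it for the thread's mistakes.
import re

SECTION_RE = re.compile(r'^([^\s={}]+)\s*\{\s*$')   # "name {"
KEYVAL_RE = re.compile(r'^([^\s=]+)\s*=\s*(.*)$')    # "key = value"

def parse_swanctl(text):
    """Return (tree, dups): sections as nested dicts, keys as value strings.  A key set twice
    in one section keeps the LAST value, as charon does; repeats go to dups as (path, lineno)."""
    stack, path, dups = [{}], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()           # drop comments
        if not line or line.startswith('include '):   # includes are not resolved here
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            path.pop()
        elif (m := SECTION_RE.match(line)):
            stack.append(stack[-1].setdefault(m.group(1), {}))
            path.append(m.group(1))
        elif (m := KEYVAL_RE.match(line)):
            key, value = m.group(1), m.group(2).strip()
            if key in stack[-1]:
                dups.append(('.'.join(path + [key]), lineno))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section: " + '.'.join(path))
    return stack[0], dups

def _check_cert_keys(section, path, out):
    """A `cert<suffix> { file = ... }` subsection is valid in local*/remote*; the scalar
    `cert = file` is not (the key is `certs`), and the load is refused as the top message reports."""
    for name, val in section.items():
        if not isinstance(val, dict):
            continue
        if name.startswith(('local', 'remote')) and isinstance(val.get('cert'), str):
            out.append(('CERT_KEY', f"{'.'.join(path + [name])}: 'cert' is not a "
                        f"valid key; use certs = {val['cert']}"))
        _check_cert_keys(val, path + [name], out)

def lint_swanctl(text):
    """Return [(code, message)] for the problems the thread ran into."""
    tree, dups = parse_swanctl(text)
    problems = []
    if not isinstance(tree.get('connections'), dict):
        problems.append(('NO_CONNECTIONS', "no top-level connections { } section: "
                         "swanctl --load-all says 'no connections found', swanctl -L prints nothing"))
        for name, sect in tree.items():   # the connection(s) left outside the wrapper
            if isinstance(sect, dict) and {'version', 'local', 'children'} & set(sect):
                problems.append(('TOPLEVEL_CONN', f"section '{name}' looks like a connection "
                                 "but sits at top level; wrap it in connections { }"))
    _check_cert_keys(tree, [], problems)
    for dotted, lineno in dups:
        problems.append(('DUPLICATE_KEY', f"line {lineno}: '{dotted}' is assigned more "
                         "than once; only the last value is used"))
    return problems

# Constructed sample: the thread's swanctl.conf (rekey_time and the empty remote { } omitted).
BROKEN_CONF = """\
iikev2-pubkey {
    version = 2
    local {
        cert = cygnus-Cert.pem
        id = quantum-equities.com
        id = cygnus.darkmatter.org
    }
    children {
        ikev2-pubkey {
            local_ts = 192.168.1.0/24 #,::/0
            mode = transport
        }
    }
}
"""

# Assumed corrected form (not from the list): wrapped in connections { },
# `certs =`, a single id; the other name is covered by the cert's SANs.
FIXED_CONF = """\
connections {
    ikev2-pubkey {
        version = 2
        local {
            certs = cygnus-Cert.pem
            id = cygnus.darkmatter.org
        }
        children {
            ikev2-pubkey {
                local_ts = 192.168.1.0/24
                mode = transport
            }
        }
    }
}
"""
```

<p>Calling <code>lint_swanctl(BROKEN_CONF)</code> returns the four findings in order (NO_CONNECTIONS, TOPLEVEL_CONN, CERT_KEY, DUPLICATE_KEY) and <code>lint_swanctl(FIXED_CONF)</code> returns an empty list; after editing the real file, <code>swanctl --load-all</code> followed by <code>swanctl --list-conns</code> is the check that the daemon agrees. A related caveat for the capture in the top message: IKE and NAT-T run over UDP, so a filter of <code>tcp port 500</code> can never match; use <code>tcpdump -ni &lt;iface&gt; 'udp port 500 or udp port 4500'</code> on the LAN gateway's WAN interface and on the IPsec VM's eth0 (ESP itself is IP protocol 50 unless NAT-T wraps it in UDP 4500).</p>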
</body>
</html>