<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Amazingly, got it working with software roadwarrior :-)<div class=""><br class=""></div><div class="">Thanks a lot!<br class=""><div class="">
<div><br class="">-- <br class="">Volodymyr Litovka<br class=""> "Vision without Execution is Hallucination." -- Thomas Edison</div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 23 Sep 2019, at 19:50, Noel Kuntze <<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" class="">noel.kuntze+strongswan-users-ml@thermi.consulting</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hello,<br class=""><br class="">You're doing it wrong(tm).<br class="">See here:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""> remote_ts = 0.0.0.0/0<br class=""></blockquote></blockquote><br class="">Don't do that. Leave it as the default (dynamic).<br class="">That probably solves it.<br class=""><br class="">Kind regards<br class=""><br class="">Noel<br class=""><br class="">Am 20.09.19 um 18:02 schrieb Volodymyr Litovka:<br class=""><blockquote type="cite" class="">Dear friends,<br class=""><br class="">spent few days on exploring the question, got no results and need your help.<br class=""><br class="">I have the following task: many different clients (OSX, Windows, Cisco routers) which are mobile (i.e. no fixed IP address) need to access protected area. Basically, I’m trying to use the following configuration of swanctl:<br class=""><br class="">connections {<br class=""> ikev2-eap-mschapv2 {<br class=""> version = 2<br class=""> local_addrs = my.vpn.ip<br class=""> remote_addrs = %any<br class=""> proposals = [ all compatible with clients ]<br class=""> encap = yes<br class=""> fragmentation = yes<br class=""> mobike = yes<br class=""> dpd_delay = 300s<br class=""> send_certreq = yes<br class=""> send_cert = always<br class=""> rekey_time = 3h<br class=""> pools = radius<br class=""> local-1 {<br class=""> certs = fullchain.pem<br class=""> id = @my.vpn.fqdn<br class=""> }<br class=""> remote-1 {<br class=""> id = %any<br class=""> eap_id = %any<br class=""> auth = eap-radius<br class=""> }<br class=""> children {<br class=""> carlo {<br class=""> ah_proposals =<br class=""> esp_proposals = [ compatible ]<br class=""> # Protected area's network<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>local_ts = 172.16.17.0/24<br class=""> remote_ts = 0.0.0.0/0<br class=""> # mark_in = 0x53<br class=""> # mark_out = 0x53<br class=""> rekey_time = 2h<br class=""> mode = tunnel<br class=""> dpd_action = clear<br class=""> ipcomp = no<br class=""> }<br class=""> }<br class=""> }<br class=""> }<br class=""><br class="">This config works for end-clients like OSX (without any limitations) and Windows (this OS don’t understand TS and routes needs to be added manually), but all examples for Cisco, at the end of the all, require Tunnel interface.<br class=""><br class="">So, the first question: is it ever possible to have unified configuration for so different end-points or I need to use different ‘connections’ for different kinds of end-points?<br class=""><br class="">Well, VTIs come to mind. According to <a href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Sharing-VTI-Devices" class="">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Sharing-VTI-Devices</a> it is possible to share one vti for multiple connections and I’m doing the following:<br class=""><br class="">1) configure linux host with these commands:<br class="">1.1) ip tunnel add vti0 mode vti local 10.11.13.1 remote 0.0.0.0 okey 0x53 ikey 0x53<br class="">1.2) ip link set vti0 up<br class="">1.3) ip addr add 10.11.13.1/24 vti0<br class=""><br class="">where 10.11.13.0/24 - pool of VIPs, managed by FreeRadius<br class=""><br class="">1.4) disable rp_filter on all interfaces:<br class=""># cat /proc/sys/net/ipv4/conf/all/rp_filter<br class="">0<br class=""># cat /proc/sys/net/ipv4/conf/default/rp_filter<br class="">0<br class=""># cat /proc/sys/net/ipv4/conf/vti0/rp_filter<br class="">0<br class=""><br class="">2) reconfigure strongswan:<br class="">2.1) disable install_routes in strongswan.d/charon.conf<br class="">2.2) populate mark_in/mark_out in children section of swanctl.conf’s connection with corresponding value (0x53)<br class="">2.3) add 10.11.13.1 to local_ts<br class=""><br class="">After these procedures, I have the following ip addressing/routing on VPN host (Ubuntu 18.04):<br class=""><br class=""># ip a<br class="">[ … ]<br class="">4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000<br class=""> link/ipip 0.0.0.0 brd 0.0.0.0<br class="">5: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000<br class=""> link/ipip 10.11.13.1 brd 0.0.0.0<br class=""> inet 10.11.13.1/24 scope global vti0<br class=""> valid_lft forever preferred_lft forever<br class=""> inet6 fe80::5efe:a0b:d01/64 scope link<br class=""> valid_lft forever preferred_lft forever<br class=""><br class=""># ip route<br class="">[ … ]<br class="">default via x.x.x.1 dev wan0 proto static<br class="">10.11.13.0/24 dev vti0 proto kernel scope link src 10.11.13.1<br class=""><br class="">but, when connecting from my OSX workstation, having the following ip addressing/routing:<br class=""><br class=""># ifconfig<br class="">[ … ]<br class="">ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>options=6403<RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM><br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>inet 10.11.13.185 --> 10.11.13.185 netmask 0xffffff00<br class=""># netstat -rn<br class="">[ … ]<br class="">Destination Gateway Flags Netif Expire<br class="">default 192.168.1.1 UGSc en0<br class="">default link#13 UCSI ipsec0<br class="">10.11.13.1 10.11.13.185 UGHS ipsec0<br class="">10.11.13.185 10.11.13.185 UH ipsec0<br class="">172.16.17/24 10.11.13.185 UGSc ipsec0<br class=""><br class="">have no pings from end-point to 10.11.13.1, while see incoming packets over SA:<br class=""><br class=""># swanctl --list-sas<br class="">ikev2-eap-mschapv2: #3, ESTABLISHED, IKEv2, 2cfab88ccbd3333c_i 0abe5fd97176a44c_r*<br class=""> local ‘my.vpn.fqdn' @ my.vpn.ip[4500]<br class=""> remote 'vugluskr' @ 31.40.110.89[4500] EAP: 'doka' [10.11.13.185]<br class=""> AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br class=""> established 44s ago, rekeying in 9979s<br class=""> carlo: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128<br class=""> installed 44s ago, rekeying in 6539s, expires in 7876s<br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""> in cc88e120 (0x00000053), 2940 bytes, 35 packets<br class=""></blockquote></blockquote></blockquote> out 01310fe2 (0x00000053), 0 bytes, 0 packets<br class=""> local 10.11.13.1/32 172.16.17.0/24<br class=""> remote 0.0.0.0/0<br class=""><br class="">probably, because there is no routing from VPN host to connected endpoint:<br class=""><br class=""># ping 10.11.13.185 -I 10.11.13.1<br class="">PING 10.11.13.185 (10.11.13.185) from 10.11.13.1 : 56(84) bytes of data.<br class="">From 10.11.13.1 icmp_seq=1 Destination Host Unreachable<br class="">From 10.11.13.1 icmp_seq=2 Destination Host Unreachable<br class=""><br class="">So, the second question: what I’m doing wrong? Whether I choose the right way to find a solution to the task or I'm driving in a wrong direction?<br class=""><br class="">Thank you.<br class=""><br class="">P.S. I’m unable to connect Cisco router anyway ;-) and after I tried many configurations, I will ask question on this later.<br class=""><br class=""></blockquote><br class=""></div></div></blockquote></div><br class=""></div></body></html>