[strongSwan] IKE modeconfig IP address assignment
Troy Telford
ttelford.groups at gmail.com
Fri Sep 24 17:37:13 CEST 2010
> do pluto and charon both load the attr-sql and sqlite plugins?
> ipsec statusall should enumerate them.
For pluto:
000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve
For charon:
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
(So the answer is yes for both daemons: attr-sql and sqlite appear in both plugin lists above.)
My ipsec.sql is imported from:
http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql
And, for the sake of thoroughness, my /etc/strongswan.conf:
charon {
threads = 16
plugins {
sql {
loglevel = -1
database = sqlite:///etc.ipsec.d/ipsec.db
# NOTE (review): "etc.ipsec.d" here does not match the /etc/ipsec.d path used for
# attr-sql below. It is inert in this setup because "sql" is not in charon's loaded
# plugin list above, so this section is ignored and does not explain the pool failure,
# but it should be corrected before the sql backend is ever enabled.
}
}
}
pluto {
}
libstrongswan {
}
libhydra {
plugins {
attr-sql {
database = sqlite:///etc/ipsec.d/ipsec.db
}
}
}
pool {
load = sqlite
}
Lastly, the output of ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
000 interface eth0/eth0 2001:1938:240::1:500
000 interface lo/lo ::1:500
000 interface sixxs/sixxs 2001:1938:81:a5::2:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth2/eth2 192.168.2.1:4500
000 interface eth2/eth2 192.168.2.1:500
000 interface eth0/eth0 192.168.1.1:4500
000 interface eth0/eth0 192.168.1.1:500
000 interface eth1/eth1 76.27.20.26:4500
000 interface eth1/eth1 76.27.20.26:500
000 interface tun0/tun0 192.168.3.1:4500
000 interface tun0/tun0 192.168.3.1:500
000 %myid = '%any'
000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve
000 debug options: none
000
000 "rw-dmz": 192.168.2.0/24===192.168.1.1[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>, CN=*, E=*]===%hostpool; unrouted; eroute owner: #0
000 "rw-dmz": CAs: "C=US, <foo>"..."C=US, <foo>"
000 "rw-dmz": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-dmz": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-dmz": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth0;
000 "rw-dmz": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw-l2tp": 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%any[C=US,<foo>, CN=*, E=*]:17/%any; unrouted; eroute owner: #0
000 "rw-l2tp": CAs: "C=US, <foo>"..."C=US, <foo>"
000 "rw-l2tp": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-l2tp": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-l2tp": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1;
000 "rw-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw-l2tp-nat": 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%virtual[C=US,<foo>, CN=*, E=*]:17/%any===?; unrouted; eroute owner: #0
000 "rw-l2tp-nat": CAs: "C=US, <foo>"..."C=US, <foo>"
000 "rw-l2tp-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-l2tp-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-l2tp-nat": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth1;
000 "rw-l2tp-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw-l2tp-psk": 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%any[%any]:17/%any; unrouted; eroute owner: #0
000 "rw-l2tp-psk": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-l2tp-psk": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-l2tp-psk": policy: PSK+ENCRYPT+COMPRESS; prio: 32,32; interface: eth1;
000 "rw-l2tp-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw-l2tp-psk-nat": 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "rw-l2tp-psk-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-l2tp-psk-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-l2tp-psk-nat": policy: PSK+ENCRYPT+COMPRESS; prio: 32,32; interface: eth1;
000 "rw-l2tp-psk-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw-local": 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>, CN=*, E=*]===%hostpool; unrouted; eroute owner: #0
000 "rw-local": CAs: "C=US, <foo>"..."C=US, <foo>"
000 "rw-local": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-local": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-local": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1;
000 "rw-local": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw-local-nat": 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%virtual[C=US,<foo>, CN=*, E=*]===?; unrouted; eroute owner: #0
000 "rw-local-nat": CAs: "C=US, <foo>"..."C=US, <foo>"
000 "rw-local-nat": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "rw-local-nat": dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
000 "rw-local-nat": policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1;
000 "rw-local-nat": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Status of IKEv2 charon daemon (strongSwan 4.4.1):
uptime: 9 hours, since Sep 24 00:07:12 2010
malloc: sbrk 516096, mmap 0, used 441552, free 74544
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Listening IP addresses:
192.168.2.1
192.168.1.1
2001:1938:240::1
76.27.20.26
2001:1938:81:a5::2
192.168.3.1
Connections:
rw-charon-mobike: 76.27.20.26...%any, dpddelay=30s
rw-charon-mobike: local: [myhost.fdqn.net] uses public key authentication
rw-charon-mobike: cert: "C=US,<foo>, CN=myhost.fdqn.net, E=root at myhost.fdqn.net"
rw-charon-mobike: remote: [C=US,<foo>, CN=*, E=*] uses any authentication
rw-charon-mobike: child: 192.168.1.0/24 === dynamic , dpdaction=clear
rw-charon: child: 192.168.1.0/24 === dynamic , dpdaction=clear
rw: 76.27.20.26...%any, dpddelay=30s
rw: local: [myhost.fdqn.net] uses public key authentication
rw: cert: "C=US,<foo>, CN=myhost.fdqn.net, E=root at myhost.fdqn.net"
rw: remote: [C=US,<foo>, CN=*, E=*] uses any authentication
rw: child: dynamic === dynamic , dpdaction=clear
Security Associations:
none
Thanks.
> Regards
>
> Andreas
>
> On 24.09.2010 07:20, Troy Telford wrote:
>> I must be a problem child... but I'm learning fast.
>>
>> I'm mostly satisfied with L2TP (Save for my last tunnel/transport
>> question), so I've moved on to the more secure 'pure' IPsec
>> configurations.
>>
>> I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;
>>
>> I've been following:
>> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
>> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
>>
>> I have the ipsec pool configured properly, I believe; 'ipsec pool
>> --status' shows the pool I'm expecting, at any rate. However, with
>> both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP
>> addresses.
>>
>> With IKEv1, I've got the OS X client so it is able to establish an
>> IPsec SA. It has the config option "mode_cfg on". However, I'm not
>> seeing any ModeCfg messages when I grep the pluto entries in /var/log/auth.log.
>>
>> For IKEv2, the error is:
>> Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
>> Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending
>> INTERNAL_ADDRESS_FAILURE
>>
>> My network is as follows:
>> <something> - Dynamic address; I use DynDNS to resolve it to a host name.
>> 192.168.1.1/24 (Main address space)
>> 192.168.2.1/24 (DMZ address space; unused)
>> 192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked
>> at the firewall)
>> 192.168.4.1/26 (IPsec pool)
>>
>> So I think a connection would be along the lines of:
>> (Int. network) (Internet IP) (RW ISP) Road Warrior
>> 192.168.0.0/21 -- ISP Assigned IP .. ISP Assigned IP -- NAT IP
>>
>> My configuration (with L2TP removed, for clarity) is as follows:
>>
>> config setup
>> crlcheckinterval="600"
>> cachecrls=yes
>> nat_traversal=yes
>>
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
>>
>>
>> interfaces=%defaultroute
>>
>> conn %default
>> keyingtries=1
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyexchange=ikev2
>> # Reviewer note: SHA-1 integrity and modp1536 (DH group 5) are below current
>> # guidance; prefer sha256 with modp2048 or an ECP group where the OS X and
>> # Windows 7 clients support it. The DH group in esp= only selects the PFS group.
>> ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>> esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>> compress=yes
>> left=%defaultroute
>> right=%any
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=clear
>> pfs=yes
>>
>> conn rw-local-nat
>> rightsubnet=vhost:%no,%priv
>> also=rw-local
>>
>> conn rw-local
>> keyexchange=ikev1
>> # rekey=no: as the responder, leave rekeying to the road-warrior client
>> # (this shows up as DONTREKEY in the ipsec statusall policy line); the SA
>> # simply expires if the client never rekeys.
>> rekey=no
>> leftsubnet=192.168.1.0/24
>> rightsourceip=%hostpool
>> also=rw
>>
>> conn rw-charon
>> leftsubnet=192.168.1.0/24
>> # In case we want a different (volatile) pool
>> # rightsourceip=192.168.4.64/26
>> rightsourceip=%hostpool
>> also=rw
>>
>> conn rw
>> authby=rsasig
>> leftrsasigkey=%cert
>> rightrsasigkey=%cert
>> leftcert=pilotCert.pem
>> leftid=@pilot.pariahzero.net
>> # Reviewer note: a wildcard subject (CN=*, E=*) admits any certificate issued
>> # under the CA selected by rightca=%same, so access control rests entirely on
>> # that CA's issuance policy and on CRL checking (crlcheckinterval/cachecrls
>> # above). Narrow the DN pattern if not every cert from this CA should get VPN access.
>> rightid="C=US... CN=*, E=*"
>> rightca=%same
>> auto=add
>>
>> $ ipsec pool --status
>> dns servers: 192.168.1.1
>> no nbns servers found.
>> name start end timeout size online
>> usage
>> hostpool 192.168.4.2 192.168.4.63 static 62 0 ( 0%)
>> 0 ( 0%)
>>
>> $ ipsec pool --statusattr
>> type description pool identity value
>> 3 INTERNAL_IP4_DNS 192.168.1.1
>>
>> $ ipsec pool --showattr
>> internal_ip4_netmask --addr (INTERNAL_IP4_NETMASK)
>> internal_ip6_netmask --addr (INTERNAL_IP6_NETMASK)
>> netmask --addr (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)
>> internal_ip4_dns --addr (INTERNAL_IP4_DNS)
>> internal_ip6_dns --addr (INTERNAL_IP6_DNS)
>> dns --addr (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
>> internal_ip4_nbns --addr (INTERNAL_IP4_NBNS)
>> internal_ip6_nbns --addr (INTERNAL_IP6_NBNS)
>> nbns --addr (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
>> wins --addr (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
>> internal_ip4_dhcp --addr (INTERNAL_IP4_DHCP)
>> internal_ip6_dhcp --addr (INTERNAL_IP6_DHCP)
>> dhcp --addr (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
>> internal_ip4_server --addr (INTERNAL_IP4_SERVER)
>> internal_ip6_server --addr (INTERNAL_IP6_SERVER)
>> server --addr (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)
>> application_version --string (APPLICATION_VERSION)
>> version --string (APPLICATION_VERSION)
>> unity_banner --string (UNITY_BANNER)
>> banner --string (UNITY_BANNER)
>> unity_def_domain --string (UNITY_DEF_DOMAIN)
>> unity_splitdns_name --string (UNITY_SPLITDNS_NAME)
>> unity_split_include --subnet (UNITY_SPLIT_INCLUDE)
>> unity_local_lan --subnet (UNITY_LOCAL_LAN)
>>
>> So what do I need to do in order to get IP address assignment working?
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
--
Troy Telford
ttelford.groups at gmail.com