[strongSwan] Dynamic IP to VPS site-to-site
Noel Kuntze
noel at familie-kuntze.de
Fri Dec 26 14:27:04 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Eric,
Do you have a passthrough policy configured on your router for localNet to localNet?
Also, please read [1]. DId you except IPsec traffic from NAT? If you did, please
show me your current iptables rules. Do you have a complete log of that failure?
If not, please reproduce it with logging enabled.
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Mit freundlichen Grüßen/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 26.12.2014 um 10:40 schrieb Eric Y. Zhang:
> on client :ipsec start --nofork
> end up like this
> 09[KNL] creating acquire job for policy 192.168.89.1/32[icmp] <http://192.168.89.1/32[icmp]> === 192.168.87.1/32[icmp] <http://192.168.87.1/32[icmp]> with reqid {1}
> 05[CFG] ignoring acquire, connection attempt pending
> 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid {1}
> 06[JOB] CHILD_SA with reqid 1 not found for delete
> 03[IKE] giving up after 5 retransmits
> 03[IKE] establishing IKE_SA failed, peer not responding
>
>
> On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <debiansid at gmail.com <mailto:debiansid at gmail.com>> wrote:
>
> vpn-2-ctu-openwrt: child: 0.0.0.0/0 <http://0.0.0.0/0> === 192.168.89.0/24 <http://192.168.89.0/24> PASS
> Security Associations (1 up, 0 connecting):
> vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago, 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH, O=strongSwan, CN=192.168.89.1]
> vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i 396f31d11faa1052_r*, public key reauthentication in 53 minutes
> vpn-2-ctu-openwrt[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> vpn-2-ctu-openwrt{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o
> vpn-2-ctu-openwrt{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
> vpn-2-ctu-openwrt{1}: 0.0.0.0/0 <http://0.0.0.0/0> === 192.168.89.0/24 <http://192.168.89.0/24>
>
> after sign the openwrt server cert with same root ca as in VPS, it looks like the tunnel is up, but still cannot ping .
>
> On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <debiansid at gmail.com <mailto:debiansid at gmail.com>> wrote:
>
> 04[KNL] creating acquire job for policy 192.168.89.1/32[icmp] <http://192.168.89.1/32%5Bicmp%5D> === 192.168.87.1/32[icmp] <http://192.168.87.1/32%5Bicmp%5D> with reqid {1}
> 04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158
> 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 04[NET] sending packet: from 192.168.88.101[500] to 192.99.70.158[500] (676 bytes)
> 02[NET] received packet: from 192.99.70.158[500] to 192.168.88.101[500] (465 bytes)
> 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 02[IKE] local host is behind NAT, sending keep alives
> 02[IKE] received 1 cert requests for an unknown ca
> 02[IKE] sending cert request for "C=CH, O=strongSwan, CN=192.168.89.1"
> 02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1' (myself) with RSA signature successful
> 02[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.89.1"
> 02[IKE] establishing CHILD_SA net-net{1}
> 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> 02[NET] sending packet: from 192.168.88.101[4500] to 192.99.70.158[4500] (1868 bytes)
> 01[NET] received packet: from 192.99.70.158[4500] to 192.168.88.101[4500] (76 bytes)
> 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 01[IKE] received AUTHENTICATION_FAILED notify error
>
>
> On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <debiansid at gmail.com <mailto:debiansid at gmail.com>> wrote:
>
> conn net-net
> left=%defaultroute
> leftsubnet=192.168.89.0/24 <http://192.168.89.0/24>
> leftcert=vpnHostCert.pem
> leftid="C=CH, O=strongSwan, CN=192.168.89.1"
> leftfirewall=yes
> right=VPS IP
> #rightsubnet=192.168.87.0/24 <http://192.168.87.0/24>
> rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> rightid="C=CH, O=strongSwan, CN=VPS IP"
> auto=route
>
> ipsec statusall
> net-net: %any...vps ip IKEv2
> net-net: local: [C=CH, O=strongSwan, CN=192.168.89.1] uses public key authentication
> net-net: cert: "C=CH, O=strongSwan, CN=192.168.89.1"
> net-net: remote: [C=CH, O=strongSwan, CN=vps ip] uses public key a uthentication
> net-net: child: 192.168.89.0/24 <http://192.168.89.0/24> === 0.0.0.0/0 <http://0.0.0.0/0> TUNNEL
> Shunted Connections:
> local-net: 192.168.89.0/24 <http://192.168.89.0/24> === 192.168.89.0/24 <http://192.168.89.0/24> PASS
> Routed Connections:
> net-net{1}: ROUTED, TUNNEL
> net-net{1}: 192.168.89.0/24 <http://192.168.89.0/24> === 0.0.0.0/0 <http://0.0.0.0/0>
> Security Associations (0 up, 0 connecting):
> none
>
> but I can not ping my VPS via ipsec tunnel.
>
> any idea?
>
>
> On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <debiansid at gmail.com <mailto:debiansid at gmail.com>> wrote:
>
> You mean I have to use vps side's root ca to issue and sign server cert and user cert for openwrt side?
>
> Sent from Mobile
>
>
> > On 2014年12月26日, at 03:36, Noel Kuntze <noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> wrote:
> >
> >
> Hello Eric,
>
> You can use email adresses in the DN and the SAN fields of the certificate of the router to authenticate it against the server.
> Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=bar at baz.de <mailto:bar at baz.de>" --san "bar at baz.de <mailto:bar at baz.de>"
>
> Then set the email address in the rightid on the server.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > >> Am 25.12.2014 um 07:06 schrieb Eric Zhang:
> > >> Yes,my local side is ADSL which has dynamic ip,can I setup certs to authenticate?
> > >>
> > >> Sent from Mobile
> > >>
> > >>
> > >>> On 2014年12月24日, at 22:45, Zesen Qian <strongswan-users at riaqn.com <mailto:strongswan-users at riaqn.com>> wrote:
> > >>>
> > >>> Noel Kuntze <noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> writes:
> > >>>
> > >>>> Hello Eric,
> > >>>>
> > >>>> See [1] for authentication using X509 certificates and site-to-site tunnels.
> > >>>>
> > >>>> [1] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
> > >>>>
> > >>>> Mit freundlichen Grüßen/Regards,
> > >>>> Noel Kuntze
> > >>>>
> > >>>> GPG Key ID: 0x63EC6658
> > >>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > >>>>
> > >>>>> Am 24.12.2014 um 00:42 schrieb Eric Zhang:
> > >>>>> How can I use RSA authentication with X.509 certificates to setup ip tunnel between my PPPoE to VPS (which has fix IP)?
> > >>>>>
> > >>>>> Thanks
> > >>>>>
> > >>>>> Eric
> > >>>>
> > >>>>
> > >>>> _______________________________________________
> > >>>> Users mailing list
> > >>>> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > >>>> https://lists.strongswan.org/mailman/listinfo/users
> > >>> Hello Noel,
> > >>> I guess the question Eric want to ask is mainly about site-to-site
> > >>> with "dynamic IP" on one side, while the other side has fixed IP.
> > >>> I 'm also eager to know since it's my situation too. :) My IPv6
> > >>> address is dynamic.
> > >>> If I ommit the left= paramter, which defaults to %any, it
> > >>> sometimes(and randomly) would use ::1 on local, which surely
> > >>> won't success. Other times it would use the global address which
> > >>> works just find.
> > >>>
> > >>> --
> > >>> Zesen Qian (钱泽森)
> > >>> Undergraduate
> > >>> School of Software
> > >>> Shanghai Jiao Tong University
>
> >
> >
>
>
>
>
> --
> Life is harsh
>
>
>
>
> --
> Life is harsh
>
>
>
>
> --
> Life is harsh
>
>
>
>
> --
> Life is harsh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJUnWImAAoJEDg5KY9j7GZY+cEP/0qgdZoaHx0nqC1mwk57Kz7K
6pKbQd8qXlJ5lzROoZuv4qwHVojSkTkCUjV/qm8ZjuqjRzvg0opOyxz32Q5EdGsz
cYq5hKE9rhN7fiqwmGyfJcuRcQE53lExJiJDVy4aGlJkl0h0DBzvZ36ca2fb7DfJ
L6ZdkzXPLIn6R4EapxMO5kUxJfpRez4Mq7U68vxunSW+YpYS1v3Ye86uWtd4KZb6
Q9zVeGswiNbxt4cnV9TLTfKv2Y+2ml9lmHRaqFk729WDHKTMEmnSpQrEHrzWbMC2
emxCIjtoknySiMCoANRdBGJieJTvJtral+Nbkhl46wSVhG99VtrNhkGA3HPwKyUo
Ya0wXaKy90rVC6sncU+D8RJUur3Y8/1a+yy7L3QocJFDNizDGR2Gpd+7edYzO9TH
loLh65WjWlSD0hw1dFVMH6i1s9uz5Hf5XwUYYtVnlGPN1Lp/A2HsdrJa0kPa2L4i
MdJw0X5KxlV8yhUEUZZ2lgMXZTH5RoeHG5r//bK0EFQWyaReF5K1yEhHzLqoLygy
voGAwLw/VO4cBB6daFOePpYphp2kQXSJ2XsVXlQEXXcRd/hF+kROkEo+FQ2laMf/
VrW5XATp1XS5sTShRiqG3HM/B7bl+w2G8evCmrBIaSZSD+fZ2kJ5HwDiqKRhrle5
xHW/ahNpaTg2/hDIX2qn
=TPKc
-----END PGP SIGNATURE-----
More information about the Users
mailing list