[strongSwan] Dynamic IP to VPS site-to-site
Eric Y. Zhang
debiansid at gmail.com
Fri Dec 26 15:00:46 CET 2014
Hi Noel
I managed to make it work, just recreate all of certs following steps here:
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
and I have no idea why my last configuration does not work.
the difference is --outform pem I used before.
https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh
https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/54843ae2e5e6d1159134cd9a90a08c31ff5a253d/client_key.sh
I use those 2 shell to create all certs before.
this will cause new question , I want to migrate this configuration to my
another VPS which has the pem form certs for now.
How can I make that work?
thanks
Eric
On Fri, Dec 26, 2014 at 9:27 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Eric,
>
> Do you have a passthrough policy configured on your router for localNet to
> localNet?
> Also, please read [1]. DId you except IPsec traffic from NAT? If you did,
> please
> show me your current iptables rules. Do you have a complete log of that
> failure?
> If not, please reproduce it with logging enabled.
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 26.12.2014 um 10:40 schrieb Eric Y. Zhang:
> > on client :ipsec start --nofork
> > end up like this
> > 09[KNL] creating acquire job for policy 192.168.89.1/32[icmp] <
> http://192.168.89.1/32[icmp]> === 192.168.87.1/32[icmp] <
> http://192.168.87.1/32[icmp]> with reqid {1}
> > 05[CFG] ignoring acquire, connection attempt pending
> > 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid
> {1}
> > 06[JOB] CHILD_SA with reqid 1 not found for delete
> > 03[IKE] giving up after 5 retransmits
> > 03[IKE] establishing IKE_SA failed, peer not responding
> >
> >
> > On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <debiansid at gmail.com
> <mailto:debiansid at gmail.com>> wrote:
> >
> > vpn-2-ctu-openwrt: child: 0.0.0.0/0 <http://0.0.0.0/0> ===
> 192.168.89.0/24 <http://192.168.89.0/24> PASS
> > Security Associations (1 up, 0 connecting):
> > vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago,
> 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH,
> O=strongSwan, CN=192.168.89.1]
> > vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i
> 396f31d11faa1052_r*, public key reauthentication in 53 minutes
> > vpn-2-ctu-openwrt[1]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> > vpn-2-ctu-openwrt{1}: INSTALLED, TUNNEL, ESP in UDP SPIs:
> c04787a2_i cb4f91c5_o
> > vpn-2-ctu-openwrt{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0
> bytes_o, rekeying in 13 minutes
> > vpn-2-ctu-openwrt{1}: 0.0.0.0/0 <http://0.0.0.0/0> ===
> 192.168.89.0/24 <http://192.168.89.0/24>
> >
> > after sign the openwrt server cert with same root ca as in VPS, it
> looks like the tunnel is up, but still cannot ping .
> >
> > On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <debiansid at gmail.com
> <mailto:debiansid at gmail.com>> wrote:
> >
> > 04[KNL] creating acquire job for policy 192.168.89.1/32[icmp] <
> http://192.168.89.1/32%5Bicmp%5D> === 192.168.87.1/32[icmp] <
> http://192.168.87.1/32%5Bicmp%5D> with reqid {1}
> > 04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158
> > 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> > 04[NET] sending packet: from 192.168.88.101[500] to
> 192.99.70.158[500] (676 bytes)
> > 02[NET] received packet: from 192.99.70.158[500] to
> 192.168.88.101[500] (465 bytes)
> > 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> > 02[IKE] local host is behind NAT, sending keep alives
> > 02[IKE] received 1 cert requests for an unknown ca
> > 02[IKE] sending cert request for "C=CH, O=strongSwan,
> CN=192.168.89.1"
> > 02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1'
> (myself) with RSA signature successful
> > 02[IKE] sending end entity cert "C=CH, O=strongSwan,
> CN=192.168.89.1"
> > 02[IKE] establishing CHILD_SA net-net{1}
> > 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT)
> CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> > 02[NET] sending packet: from 192.168.88.101[4500] to
> 192.99.70.158[4500] (1868 bytes)
> > 01[NET] received packet: from 192.99.70.158[4500] to
> 192.168.88.101[4500] (76 bytes)
> > 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 01[IKE] received AUTHENTICATION_FAILED notify error
> >
> >
> > On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <
> debiansid at gmail.com <mailto:debiansid at gmail.com>> wrote:
> >
> > conn net-net
> > left=%defaultroute
> > leftsubnet=192.168.89.0/24 <http://192.168.89.0/24>
> > leftcert=vpnHostCert.pem
> > leftid="C=CH, O=strongSwan, CN=192.168.89.1"
> > leftfirewall=yes
> > right=VPS IP
> > #rightsubnet=192.168.87.0/24 <http://192.168.87.0/24
> >
> > rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> > rightid="C=CH, O=strongSwan, CN=VPS IP"
> > auto=route
> >
> > ipsec statusall
> > net-net: %any...vps ip IKEv2
> > net-net: local: [C=CH, O=strongSwan,
> CN=192.168.89.1] uses public key authentication
> > net-net: cert: "C=CH, O=strongSwan, CN=192.168.89.1"
> > net-net: remote: [C=CH, O=strongSwan, CN=vps ip] uses
> public key a
> uthentication
> > net-net: child: 192.168.89.0/24 <
> http://192.168.89.0/24> === 0.0.0.0/0 <http://0.0.0.0/0> TUNNEL
> > Shunted Connections:
> > local-net: 192.168.89.0/24 <http://192.168.89.0/24> ===
> 192.168.89.0/24 <http://192.168.89.0/24> PASS
> > Routed Connections:
> > net-net{1}: ROUTED, TUNNEL
> > net-net{1}: 192.168.89.0/24 <http://192.168.89.0/24>
> === 0.0.0.0/0 <http://0.0.0.0/0>
> > Security Associations (0 up, 0 connecting):
> > none
> >
> > but I can not ping my VPS via ipsec tunnel.
> >
> > any idea?
> >
> >
> > On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <
> debiansid at gmail.com <mailto:debiansid at gmail.com>> wrote:
> >
> > You mean I have to use vps side's root ca to issue and
> sign server cert and user cert for openwrt side?
> >
> > Sent from Mobile
> >
> >
> > > On 2014年12月26日, at 03:36, Noel Kuntze <
> noel at familie-kuntze.de <mailto:noel at familie-kuntze.de>> wrote:
> > >
> > >
> > Hello Eric,
> >
> > You can use email adresses in the DN and the SAN fields of the
> certificate of the router to authenticate it against the server.
> > Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=
> bar at baz.de <mailto:bar at baz.de>" --san "bar at baz.de <mailto:bar at baz.de>"
> >
> > Then set the email address in the rightid on the server.
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > > >> Am 25.12.2014 um 07:06 schrieb Eric Zhang:
> > > >> Yes,my local side is ADSL which has dynamic ip,can
> I setup certs to authenticate?
> > > >>
> > > >> Sent from Mobile
> > > >>
> > > >>
> > > >>> On 2014年12月24日, at 22:45, Zesen Qian <
> strongswan-users at riaqn.com <mailto:strongswan-users at riaqn.com>> wrote:
> > > >>>
> > > >>> Noel Kuntze <noel at familie-kuntze.de <mailto:
> noel at familie-kuntze.de>> writes:
> > > >>>
> > > >>>> Hello Eric,
> > > >>>>
> > > >>>> See [1] for authentication using X509
> certificates and site-to-site tunnels.
> > > >>>>
> > > >>>> [1]
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
> > > >>>>
> > > >>>> Mit freundlichen Grüßen/Regards,
> > > >>>> Noel Kuntze
> > > >>>>
> > > >>>> GPG Key ID: 0x63EC6658
> > > >>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839
> 298F 63EC 6658
> > > >>>>
> > > >>>>> Am 24.12.2014 um 00:42 schrieb Eric Zhang:
> > > >>>>> How can I use RSA authentication with X.509
> certificates to setup ip tunnel between my PPPoE to VPS (which has fix IP)?
> > > >>>>>
> > > >>>>> Thanks
> > > >>>>>
> > > >>>>> Eric
> > > >>>>
> > > >>>>
> > > >>>> _______________________________________________
> > > >>>> Users mailing list
> > > >>>> Users at lists.strongswan.org <mailto:
> Users at lists.strongswan.org>
> > > >>>>
> https://lists.strongswan.org/mailman/listinfo/users
> > > >>> Hello Noel,
> > > >>> I guess the question Eric want to ask is
> mainly about site-to-site
> > > >>> with "dynamic IP" on one side, while the other
> side has fixed IP.
> > > >>> I 'm also eager to know since it's my
> situation too. :) My IPv6
> > > >>> address is dynamic.
> > > >>> If I ommit the left= paramter, which defaults
> to %any, it
> > > >>> sometimes(and randomly) would use ::1 on
> local, which surely
> > > >>> won't success. Other times it would use the
> global address which
> > > >>> works just find.
> > > >>>
> > > >>> --
> > > >>> Zesen Qian (钱泽森)
> > > >>> Undergraduate
> > > >>> School of Software
> > > >>> Shanghai Jiao Tong University
> >
> > >
> > >
> >
> >
> >
> >
> > --
> > Life is harsh
> >
> >
> >
> >
> > --
> > Life is harsh
> >
> >
> >
> >
> > --
> > Life is harsh
> >
> >
> >
> >
> > --
> > Life is harsh
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUnWImAAoJEDg5KY9j7GZY+cEP/0qgdZoaHx0nqC1mwk57Kz7K
> 6pKbQd8qXlJ5lzROoZuv4qwHVojSkTkCUjV/qm8ZjuqjRzvg0opOyxz32Q5EdGsz
> cYq5hKE9rhN7fiqwmGyfJcuRcQE53lExJiJDVy4aGlJkl0h0DBzvZ36ca2fb7DfJ
> L6ZdkzXPLIn6R4EapxMO5kUxJfpRez4Mq7U68vxunSW+YpYS1v3Ye86uWtd4KZb6
> Q9zVeGswiNbxt4cnV9TLTfKv2Y+2ml9lmHRaqFk729WDHKTMEmnSpQrEHrzWbMC2
> emxCIjtoknySiMCoANRdBGJieJTvJtral+Nbkhl46wSVhG99VtrNhkGA3HPwKyUo
> Ya0wXaKy90rVC6sncU+D8RJUur3Y8/1a+yy7L3QocJFDNizDGR2Gpd+7edYzO9TH
> loLh65WjWlSD0hw1dFVMH6i1s9uz5Hf5XwUYYtVnlGPN1Lp/A2HsdrJa0kPa2L4i
> MdJw0X5KxlV8yhUEUZZ2lgMXZTH5RoeHG5r//bK0EFQWyaReF5K1yEhHzLqoLygy
> voGAwLw/VO4cBB6daFOePpYphp2kQXSJ2XsVXlQEXXcRd/hF+kROkEo+FQ2laMf/
> VrW5XATp1XS5sTShRiqG3HM/B7bl+w2G8evCmrBIaSZSD+fZ2kJ5HwDiqKRhrle5
> xHW/ahNpaTg2/hDIX2qn
> =TPKc
> -----END PGP SIGNATURE-----
>
>
--
Life is harsh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141226/8f183cee/attachment-0001.html>
More information about the Users
mailing list