[strongSwan] Dynamic IP to VPS site-to-site

Eric Y. Zhang debiansid at gmail.com
Fri Dec 26 16:22:51 CET 2014


Hi all
Based on my test, it turns out that PEM format certs are not supported
on OpenWrt. Did I miss anything about that?

On Fri, Dec 26, 2014 at 10:00 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:

> Hi Noel
> I managed to make it work; I just recreated all of the certs following the steps here:
> https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
> and I have no idea why my last configuration does not work.
>
> The difference is the --outform pem I used before.
>
> https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh
> https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/54843ae2e5e6d1159134cd9a90a08c31ff5a253d/client_key.sh
>
> I used those 2 shell scripts to create all the certs before.
>
> This raises a new question: I want to migrate this configuration to
> another VPS of mine, which has PEM format certs for now.
>
> How can I make that work?
>
> thanks
>
> Eric
>
>
>
>
> On Fri, Dec 26, 2014 at 9:27 PM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>>
>> Hello Eric,
>>
>> Do you have a passthrough policy configured on your router for localNet
>> to localNet?
>> Also, please read [1]. Did you exempt IPsec traffic from NAT? If you did,
>> please show me your current iptables rules. Do you have a complete log of
>> that failure? If not, please reproduce it with logging enabled.
>>
>> [1]
>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 26.12.2014 at 10:40, Eric Y. Zhang wrote:
>> > On the client: ipsec start --nofork
>> > ends up like this:
>> > 09[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}
>> > 05[CFG] ignoring acquire, connection attempt pending
>> > 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid {1}
>> > 06[JOB] CHILD_SA with reqid 1 not found for delete
>> > 03[IKE] giving up after 5 retransmits
>> > 03[IKE] establishing IKE_SA failed, peer not responding
>> >
>> >
>> > On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>> >
>> >     vpn-2-ctu-openwrt:   child:  0.0.0.0/0 === 192.168.89.0/24 PASS
>> >     Security Associations (1 up, 0 connecting):
>> >     vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago, 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH, O=strongSwan, CN=192.168.89.1]
>> >     vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i 396f31d11faa1052_r*, public key reauthentication in 53 minutes
>> >     vpn-2-ctu-openwrt[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>> >     vpn-2-ctu-openwrt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o
>> >     vpn-2-ctu-openwrt{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
>> >     vpn-2-ctu-openwrt{1}:   0.0.0.0/0 === 192.168.89.0/24
>> >
>> >     After signing the OpenWrt server cert with the same root CA as on the VPS, it
>> >     looks like the tunnel is up, but I still cannot ping.
>> >
>> >     On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>> >
>> >         04[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}
>> >         04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158
>> >         04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> >         04[NET] sending packet: from 192.168.88.101[500] to 192.99.70.158[500] (676 bytes)
>> >         02[NET] received packet: from 192.99.70.158[500] to 192.168.88.101[500] (465 bytes)
>> >         02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> >         02[IKE] local host is behind NAT, sending keep alives
>> >         02[IKE] received 1 cert requests for an unknown ca
>> >         02[IKE] sending cert request for "C=CH, O=strongSwan, CN=192.168.89.1"
>> >         02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1' (myself) with RSA signature successful
>> >         02[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.89.1"
>> >         02[IKE] establishing CHILD_SA net-net{1}
>> >         02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> >         02[NET] sending packet: from 192.168.88.101[4500] to 192.99.70.158[4500] (1868 bytes)
>> >         01[NET] received packet: from 192.99.70.158[4500] to 192.168.88.101[4500] (76 bytes)
>> >         01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> >         01[IKE] received AUTHENTICATION_FAILED notify error
>> >
>> >
>> >         On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>> >
>> >             conn net-net
>> >                     left=%defaultroute
>> >                     leftsubnet=192.168.89.0/24
>> >                     leftcert=vpnHostCert.pem
>> >                     leftid="C=CH, O=strongSwan, CN=192.168.89.1"
>> >                     leftfirewall=yes
>> >                     right=VPS IP
>> >                     #rightsubnet=192.168.87.0/24
>> >                     rightsubnet=0.0.0.0/0
>> >                     rightid="C=CH, O=strongSwan, CN=VPS IP"
>> >                     auto=route
>> >
>> >             ipsec statusall
>> >              net-net:  %any...vps ip  IKEv2
>> >                  net-net:   local:  [C=CH, O=strongSwan, CN=192.168.89.1] uses public key authentication
>> >                  net-net:    cert:  "C=CH, O=strongSwan, CN=192.168.89.1"
>> >                  net-net:   remote: [C=CH, O=strongSwan, CN=vps ip] uses public key authentication
>> >                  net-net:   child:  192.168.89.0/24 === 0.0.0.0/0 TUNNEL
>> >             Shunted Connections:
>> >                local-net:  192.168.89.0/24 === 192.168.89.0/24 PASS
>> >             Routed Connections:
>> >                  net-net{1}:  ROUTED, TUNNEL
>> >                  net-net{1}:   192.168.89.0/24 === 0.0.0.0/0
>> >             Security Associations (0 up, 0 connecting):
>> >               none
>> >
>> >             but I cannot ping my VPS via the ipsec tunnel.
>> >
>> >             any idea?
>> >
>> >
>> >             On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <debiansid at gmail.com> wrote:
>> >
>> >                 You mean I have to use the VPS side's root CA to issue and
>> >                 sign the server cert and user cert for the OpenWrt side?
>> >
>> >                 Sent from Mobile
>> >
>> >
>> >                 > On 2014-12-26, at 03:36, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >                 >
>> >                 >
>> > Hello Eric,
>> >
>> > You can use email addresses in the DN and the SAN fields of the
>> > certificate of the router to authenticate it against the server.
>> > Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=bar at baz.de" --san "bar at baz.de"
>> >
>> > Then set the email address in the rightid on the server.
>> >
>> > Kind regards,
>> > Noel Kuntze
>> >
>> > GPG Key ID: 0x63EC6658
>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >
>> > >                 >> On 25.12.2014 at 07:06, Eric Zhang wrote:
>> > >                 >> Yes, my local side is ADSL, which has a dynamic IP. Can
>> > >                 >> I set up certs to authenticate?
>> > >                 >>
>> > >                 >> Sent from Mobile
>> > >                 >>
>> > >                 >>
>> > >                 >>> On 2014-12-24, at 22:45, Zesen Qian <strongswan-users at riaqn.com> wrote:
>> > >                 >>>
>> > >                 >>> Noel Kuntze <noel at familie-kuntze.de> writes:
>> > >                 >>>
>> > >                 >>>> Hello Eric,
>> > >                 >>>>
>> > >                 >>>> See [1] for authentication using X509
>> certificates and site-to-site tunnels.
>> > >                 >>>>
>> > >                 >>>> [1]
>> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>> > >                 >>>>
>> > >                 >>>> Kind regards,
>> > >                 >>>> Noel Kuntze
>> > >                 >>>>
>> > >                 >>>> GPG Key ID: 0x63EC6658
>> > >                 >>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> > >                 >>>>
>> > >                 >>>>> On 24.12.2014 at 00:42, Eric Zhang wrote:
>> > >                 >>>>> How can I use RSA authentication with X.509
>> > >                 >>>>> certificates to set up an IP tunnel between my PPPoE and the VPS (which has a fixed IP)?
>> > >                 >>>>>
>> > >                 >>>>> Thanks
>> > >                 >>>>>
>> > >                 >>>>> Eric
>> > >                 >>>>
>> > >                 >>>>
>> > >                 >>> Hello Noel,
>> > >                 >>>     I guess the question Eric wants to ask is
>> > >                 >>>     mainly about site-to-site
>> > >                 >>>     with "dynamic IP" on one side, while the
>> > >                 >>>     other side has a fixed IP.
>> > >                 >>>     I'm also eager to know since it's my
>> > >                 >>>     situation too. :) My IPv6
>> > >                 >>>     address is dynamic.
>> > >                 >>>     If I omit the left= parameter, which defaults
>> > >                 >>>     to %any, it
>> > >                 >>>     sometimes (and randomly) would use ::1 on
>> > >                 >>>     local, which surely
>> > >                 >>>     won't succeed. Other times it would use the
>> > >                 >>>     global address, which
>> > >                 >>>     works just fine.
>> > >                 >>>
>> > >                 >>> --
>> > >                 >>> Zesen Qian (钱泽森)
>> > >                 >>> Undergraduate
>> > >                 >>> School of Software
>> > >                 >>> Shanghai Jiao Tong University



-- 
Life is harsh
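For the dynamic-IP site-to-site case this thread is about, a worked ipsec.conf pair that applies Noel's suggestion: the router is identified by the e-mail address placed in its certificate's SAN, and the fixed-IP VPS accepts the connection from %any and matches that identity with rightid. This is an added example, not a configuration from the thread or from the strongSwan project; the VPS address 203.0.113.10, the identity router@example.net, the subnets reused from the thread and the certificate file names are placeholders.

```ini
# Added example, not a configuration from this thread or from strongSwan.
# Fixed-IP VPS on one side, OpenWrt router on a dynamic ADSL address on the other.
# The router is identified by the e-mail address in its certificate's SAN, so the
# VPS never needs to know the router's current address.
# Placeholders: 203.0.113.10 (VPS address), router@example.net (router identity),
# vpsCert.pem / routerCert.pem (certificates in /etc/ipsec.d/certs/).
# Both hosts need the SAME CA certificate in /etc/ipsec.d/cacerts/; a peer cert
# issued by a different CA produces the AUTHENTICATION_FAILED seen in the log.

# ---- /etc/ipsec.conf on the VPS ----
conn net-net
        keyexchange=ikev2
        left=203.0.113.10
        leftcert=vpsCert.pem
        leftid="C=CH, O=strongSwan, CN=203.0.113.10"
        leftsubnet=192.168.87.0/24
        leftfirewall=yes
        # the router's address is not known in advance
        right=%any
        # match the router by certificate identity, not by address;
        # must equal the --san given to "ipsec pki --issue"
        rightid=router@example.net
        rightsubnet=192.168.89.0/24
        # do not try to initiate towards %any: wait for the router
        auto=add
        # drop the SA when the router's ADSL address changes; it will reconnect
        dpdaction=clear
        dpddelay=30s

# ---- /etc/ipsec.conf on the OpenWrt router ----
conn net-net
        keyexchange=ikev2
        # use whatever address the ADSL link currently has
        left=%defaultroute
        leftcert=routerCert.pem
        # identity the VPS matches against its rightid
        leftid=router@example.net
        leftsubnet=192.168.89.0/24
        leftfirewall=yes
        right=203.0.113.10
        rightid="C=CH, O=strongSwan, CN=203.0.113.10"
        rightsubnet=192.168.87.0/24
        # the side with the changing address is the initiator
        auto=route
        # re-establish after an address change instead of silently dropping
        dpdaction=restart
        dpddelay=30s
```

Both files are shown in one block for comparison; each host gets only its own conn section.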