[strongSwan] Dynamic IP to VPS site-to-site
Noel Kuntze
noel at familie-kuntze.de
Fri Dec 26 19:13:21 CET 2014
Hello Eric,
Assuming your VPS has a static IP, you can set a SAN field to the IP address of the VPS and one SAN field to the DNS name.
Having the whole DN in a SAN field isn't correct, as far as I know.
Kind regards/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 26.12.2014 at 15:00, Eric Y. Zhang wrote:
> Hi Noel
> I managed to make it work; I just recreated all of the certs following the steps here: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
> and I have no idea why my last configuration does not work.
>
> The difference is the --outform pem I used before.
> https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh
> https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/54843ae2e5e6d1159134cd9a90a08c31ff5a253d/client_key.sh
> I used those 2 shell scripts to create all certs before.
>
> This raises a new question: I want to migrate this configuration to another VPS of mine, which has the PEM form certs for now.
>
> How can I make that work?
>
> thanks
>
> Eric
>
>
>
>
> On Fri, Dec 26, 2014 at 9:27 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Eric,
>
> Do you have a passthrough policy configured on your router for localNet to localNet?
> Also, please read [1]. Did you exempt IPsec traffic from NAT? If you did, please
> show me your current iptables rules. Do you have a complete log of that failure?
> If not, please reproduce it with logging enabled.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.12.2014 at 10:40, Eric Y. Zhang wrote:
> > on client :ipsec start --nofork
> > end up like this
> > 09[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}
> > 05[CFG] ignoring acquire, connection attempt pending
> > 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid {1}
> > 06[JOB] CHILD_SA with reqid 1 not found for delete
> > 03[IKE] giving up after 5 retransmits
> > 03[IKE] establishing IKE_SA failed, peer not responding
>
>
> > On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
> > vpn-2-ctu-openwrt: child: 0.0.0.0/0 === 192.168.89.0/24 PASS
> > Security Associations (1 up, 0 connecting):
> > vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago, 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH, O=strongSwan, CN=192.168.89.1]
> > vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i 396f31d11faa1052_r*, public key reauthentication in 53 minutes
> > vpn-2-ctu-openwrt[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> > vpn-2-ctu-openwrt{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o
> > vpn-2-ctu-openwrt{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
> > vpn-2-ctu-openwrt{1}: 0.0.0.0/0 === 192.168.89.0/24
>
> > After signing the openwrt server cert with the same root CA as on the VPS, it looks like the tunnel is up, but I still cannot ping.
>
> > On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
> > 04[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}
> > 04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158
> > 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > 04[NET] sending packet: from 192.168.88.101[500] to 192.99.70.158[500] (676 bytes)
> > 02[NET] received packet: from 192.99.70.158[500] to 192.168.88.101[500] (465 bytes)
> > 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> > 02[IKE] local host is behind NAT, sending keep alives
> > 02[IKE] received 1 cert requests for an unknown ca
> > 02[IKE] sending cert request for "C=CH, O=strongSwan, CN=192.168.89.1"
> > 02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1' (myself) with RSA signature successful
> > 02[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.89.1"
> > 02[IKE] establishing CHILD_SA net-net{1}
> > 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> > 02[NET] sending packet: from 192.168.88.101[4500] to 192.99.70.158[4500] (1868 bytes)
> > 01[NET] received packet: from 192.99.70.158[4500] to 192.168.88.101[4500] (76 bytes)
> > 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 01[IKE] received AUTHENTICATION_FAILED notify error
>
>
> > On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
> > conn net-net
> > left=%defaultroute
> > leftsubnet=192.168.89.0/24
> > leftcert=vpnHostCert.pem
> > leftid="C=CH, O=strongSwan, CN=192.168.89.1"
> > leftfirewall=yes
> > right=VPS IP
> > #rightsubnet=192.168.87.0/24
> > rightsubnet=0.0.0.0/0
> > rightid="C=CH, O=strongSwan, CN=VPS IP"
> > auto=route
>
> > ipsec statusall
> > net-net: %any...vps ip IKEv2
> > net-net: local: [C=CH, O=strongSwan, CN=192.168.89.1] uses public key authentication
> > net-net: cert: "C=CH, O=strongSwan, CN=192.168.89.1"
> > net-net: remote: [C=CH, O=strongSwan, CN=vps ip] uses public key authentication
> > net-net: child: 192.168.89.0/24 === 0.0.0.0/0 TUNNEL
> > Shunted Connections:
> > local-net: 192.168.89.0/24 === 192.168.89.0/24 PASS
> > Routed Connections:
> > net-net{1}: ROUTED, TUNNEL
> > net-net{1}: 192.168.89.0/24 === 0.0.0.0/0
> > Security Associations (0 up, 0 connecting):
> > none
>
> > But I cannot ping my VPS via the ipsec tunnel.
>
> > any idea?
>
>
> > On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <debiansid at gmail.com> wrote:
>
> > You mean I have to use the VPS side's root CA to issue and sign the server cert and user cert for the openwrt side?
>
> > Sent from Mobile
>
>
> > On December 26, 2014, at 03:36, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> > Hello Eric,
>
> > You can use email addresses in the DN and the SAN fields of the certificate of the router to authenticate it against the server.
> > Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=bar at baz.de" --san "bar at baz.de"
>
> > Then set the email address in the rightid on the server.
>
> > Kind regards/Regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > > >> On 25.12.2014 at 07:06, Eric Zhang wrote:
> > > >> Yes, my local side is ADSL, which has a dynamic IP. Can I set up certs to authenticate?
> > > >>
> > > >> Sent from Mobile
> > > >>
> > > >>
> > > >>> On December 24, 2014, at 22:45, Zesen Qian <strongswan-users at riaqn.com> wrote:
> > > >>>
> > > >>> Noel Kuntze <noel at familie-kuntze.de> writes:
> > > >>>
> > > >>>> Hello Eric,
> > > >>>>
> > > >>>> See [1] for authentication using X509 certificates and site-to-site tunnels.
> > > >>>>
> > > >>>> [1] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
> > > >>>>
> > > >>>> Kind regards/Regards,
> > > >>>> Noel Kuntze
> > > >>>>
> > > >>>> GPG Key ID: 0x63EC6658
> > > >>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > > >>>>
> > > >>>>> On 24.12.2014 at 00:42, Eric Zhang wrote:
> > > >>>>> How can I use RSA authentication with X.509 certificates to set up an IP tunnel between my PPPoE and a VPS (which has a fixed IP)?
> > > >>>>>
> > > >>>>> Thanks
> > > >>>>>
> > > >>>>> Eric
> > > >>>>
> > > >>>>
> > > >>> Hello Noel,
> > > >>> I guess the question Eric wants to ask is mainly about site-to-site
> > > >>> with "dynamic IP" on one side, while the other side has a fixed IP.
> > > >>> I'm also eager to know since it's my situation too. :) My IPv6
> > > >>> address is dynamic.
> > > >>> If I omit the left= parameter, which defaults to %any, it
> > > >>> sometimes (and randomly) would use ::1 on local, which surely
> > > >>> won't succeed. Other times it would use the global address which
> > > >>> works just fine.
> > > >>>
> > > >>> --
> > > >>> Zesen Qian (钱泽森)
> > > >>> Undergraduate
> > > >>> School of Software
> > > >>> Shanghai Jiao Tong University
> > --
> > Life is harsh
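An added example, not from this thread or from the strongSwan project: a small Python model of how strongSwan matches a configured rightid against the peer's certificate, showing why an IP address that only appears in the CN does not satisfy an IP identity while an IP or DNS subjectAltName does, and why a whole DN pasted into a SAN helps nothing. The matching rules are a simplified assumption of strongSwan's behaviour, and the hostname vps.example.com is a made-up value.

```python
# Simplified model of strongSwan identity matching (assumed rules):
#  - a string containing '=' is a Distinguished Name and must equal the subject DN;
#  - an IP address, FQDN or e-mail address must appear as a subjectAltName;
#  - "%any" matches everything; an unset rightid defaults to the 'right' address.
import ipaddress

def id_type(ident):
    """Classify an identity string as ANY, DN, IP, EMAIL or FQDN."""
    if ident == "%any":
        return "ANY"
    if "=" in ident:
        return "DN"
    try:
        ipaddress.ip_address(ident)
        return "IP"
    except ValueError:
        return "EMAIL" if "@" in ident else "FQDN"

def normalize_dn(dn):
    """Split a DN into RDNs, ignoring whitespace around the commas."""
    return tuple(part.strip() for part in dn.split(","))

def identity_matches_cert(ident, cert):
    """cert = {"dn": subject DN string, "san": list of subjectAltName strings},
    roughly the 'subject' and 'altNames' lines of 'ipsec pki --print'."""
    t = id_type(ident)
    if t == "ANY":
        return True
    if t == "DN":
        return normalize_dn(ident) == normalize_dn(cert["dn"])
    # IP / FQDN / e-mail identities are satisfied only by a matching SAN entry;
    # a CN that happens to contain the same text does not count.
    return ident.lower() in [s.lower() for s in cert["san"]]

def check_conn(conn, peer_cert):
    """Resolve the effective rightid of an ipsec.conf conn (rightid defaults
    to right) and report whether the peer certificate satisfies it."""
    ident = conn.get("rightid", conn["right"])
    return identity_matches_cert(ident, peer_cert)

# Constructed sample certs: the VPS cert as in the thread (IP only in the CN,
# no SAN) versus one issued with the SANs Noel suggests (hostname is made up).
VPS_CERT_CN_ONLY = {"dn": "C=CH, O=strongSwan, CN=192.99.70.158", "san": []}
VPS_CERT_WITH_SAN = {"dn": "C=CH, O=strongSwan, CN=vps.example.com",
                     "san": ["192.99.70.158", "vps.example.com"]}

if __name__ == "__main__":
    # rightid omitted: falls back to right=<IP>, which needs an IP SAN
    print(check_conn({"right": "192.99.70.158"}, VPS_CERT_CN_ONLY))   # False
    print(check_conn({"right": "192.99.70.158"}, VPS_CERT_WITH_SAN))  # True
```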