[strongSwan] Dynamic IP to VPS site-to-site

Noel Kuntze noel at familie-kuntze.de
Fri Dec 26 21:05:31 CET 2014



Hello Eric,

I experienced some difficulties with certificates or private keys not getting loaded correctly.
Mostly, PEM works. Make sure you have the appropriate modules loaded to enable charon
to read the files.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.12.2014 at 16:22, Eric Y. Zhang wrote:
> Hi all,
> Based on my test, it turns out that PEM format certs are not supported on OpenWrt; did I miss anything about that?
>
> On Fri, Dec 26, 2014 at 10:00 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
>     Hi Noel,
>     I managed to make it work; I just recreated all the certs following the steps here: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
>     And I have no idea why my last configuration does not work.
>
>     The difference is the --outform pem I used before.
>
>     https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/cef8d8bafe6168388b105f780c442412e6f8ede7/server_key.sh
>     https://gist.githubusercontent.com/songchenwen/14c1c663ea65d5d4a28b/raw/54843ae2e5e6d1159134cd9a90a08c31ff5a253d/client_key.sh
>
>     I used those 2 shell scripts to create all certs before.
>
>     This raises a new question: I want to migrate this configuration to another VPS of mine, which has the PEM-form certs for now.
>
>     How can I make that work?
>
>     thanks
>
>     Eric
>
>     On Fri, Dec 26, 2014 at 9:27 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Eric,
>
> Do you have a passthrough policy configured on your router for localNet to localNet?
> Also, please read [1]. Did you except IPsec traffic from NAT? If you did, please
> show me your current iptables rules. Do you have a complete log of that failure?
> If not, please reproduce it with logging enabled.
>
> [1]  https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.12.2014 at 10:40, Eric Y. Zhang wrote:
> > On the client: ipsec start --nofork
> > ends up like this:
> > 09[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}
> > 05[CFG] ignoring acquire, connection attempt pending
> > 06[KNL] creating delete job for ESP CHILD_SA with SPI c24d7360 and reqid {1}
> > 06[JOB] CHILD_SA with reqid 1 not found for delete
> > 03[IKE] giving up after 5 retransmits
> > 03[IKE] establishing IKE_SA failed, peer not responding
>
>
> > On Fri, Dec 26, 2014 at 5:27 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
> >     vpn-2-ctu-openwrt:   child:  0.0.0.0/0 === 192.168.89.0/24 PASS
> >     Security Associations (1 up, 0 connecting):
> >     vpn-2-ctu-openwrt[1]: ESTABLISHED 57 seconds ago, 192.99.70.158[C=CH, O=strongSwan, CN=192.99.70.158]...110.188.32.238[C=CH, O=strongSwan, CN=192.168.89.1]
> >     vpn-2-ctu-openwrt[1]: IKEv2 SPIs: 4eafbff72188a47c_i 396f31d11faa1052_r*, public key reauthentication in 53 minutes
> >     vpn-2-ctu-openwrt[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> >     vpn-2-ctu-openwrt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c04787a2_i cb4f91c5_o
> >     vpn-2-ctu-openwrt{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
> >     vpn-2-ctu-openwrt{1}:   0.0.0.0/0 === 192.168.89.0/24
>
> >     After signing the OpenWrt server cert with the same root CA as on the VPS, it looks like the tunnel is up, but I still cannot ping.
>
> >     On Fri, Dec 26, 2014 at 3:46 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
> >         04[KNL] creating acquire job for policy 192.168.89.1/32[icmp] === 192.168.87.1/32[icmp] with reqid {1}
> >         04[IKE] initiating IKE_SA net-net[1] to 192.99.70.158
> >         04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >         04[NET] sending packet: from 192.168.88.101[500] to 192.99.70.158[500] (676 bytes)
> >         02[NET] received packet: from 192.99.70.158[500] to 192.168.88.101[500] (465 bytes)
> >         02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >         02[IKE] local host is behind NAT, sending keep alives
> >         02[IKE] received 1 cert requests for an unknown ca
> >         02[IKE] sending cert request for "C=CH, O=strongSwan, CN=192.168.89.1"
> >         02[IKE] authentication of 'C=CH, O=strongSwan, CN=192.168.89.1' (myself) with RSA signature successful
> >         02[IKE] sending end entity cert "C=CH, O=strongSwan, CN=192.168.89.1"
> >         02[IKE] establishing CHILD_SA net-net{1}
> >         02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> >         02[NET] sending packet: from 192.168.88.101[4500] to 192.99.70.158[4500] (1868 bytes)
> >         01[NET] received packet: from 192.99.70.158[4500] to 192.168.88.101[4500] (76 bytes)
> >         01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >         01[IKE] received AUTHENTICATION_FAILED notify error
>
>
> >         On Fri, Dec 26, 2014 at 1:18 PM, Eric Y. Zhang <debiansid at gmail.com> wrote:
>
> >             conn net-net
> >                     left=%defaultroute
> >                     leftsubnet=192.168.89.0/24
> >                     leftcert=vpnHostCert.pem
> >                     leftid="C=CH, O=strongSwan, CN=192.168.89.1"
> >                     leftfirewall=yes
> >                     right=VPS IP
> >                     #rightsubnet=192.168.87.0/24
> >                     rightsubnet=0.0.0.0/0
> >                     rightid="C=CH, O=strongSwan, CN=VPS IP"
> >                     auto=route
>
> >             ipsec statusall
> >              net-net:  %any...vps ip  IKEv2
> >                  net-net:   local:  [C=CH, O=strongSwan, CN=192.168.89.1] uses public key authentication
> >                  net-net:    cert:  "C=CH, O=strongSwan, CN=192.168.89.1"
> >                  net-net:   remote: [C=CH, O=strongSwan, CN=vps ip] uses public key authentication
> >                  net-net:   child:  192.168.89.0/24 === 0.0.0.0/0 TUNNEL
> >             Shunted Connections:
> >                local-net:  192.168.89.0/24 === 192.168.89.0/24 PASS
> >             Routed Connections:
> >                  net-net{1}:  ROUTED, TUNNEL
> >                  net-net{1}:   192.168.89.0/24 === 0.0.0.0/0
> >             Security Associations (0 up, 0 connecting):
> >               none
>
> >             But I cannot ping my VPS via the IPsec tunnel.
>
> >             any idea?
>
>
> >             On Fri, Dec 26, 2014 at 8:45 AM, Eric Zhang <debiansid at gmail.com> wrote:
>
> >                 You mean I have to use the VPS side's root CA to issue and sign the server cert and user cert for the OpenWrt side?
>
> >                 Sent from Mobile
>
>
> >                 > On 26 December 2014, at 03:36, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >                 >
> >                 >
> > Hello Eric,
>
> > You can use email addresses in the DN and the SAN fields of the certificate of the router to authenticate it against the server.
> > Example: ipsec pki --issue [...] --dn "C=DE, O=FooBar Corp, CN=bar at baz.de" --san "bar at baz.de"
>
> > Then set the email address in the rightid on the server.
>
> > Kind regards/Regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > >                 >> On 25.12.2014 at 07:06, Eric Zhang wrote:
> > >                 >> Yes, my local side is ADSL, which has a dynamic IP; can I set up certs to authenticate?
> > >                 >>
> > >                 >> Sent from Mobile
> > >                 >>
> > >                 >>
> > >                 >>> On 24 December 2014, at 22:45, Zesen Qian <strongswan-users at riaqn.com> wrote:
> > >                 >>>
> > >                 >>> Noel Kuntze <noel at familie-kuntze.de> writes:
> > >                 >>>
> > >                 >>>> Hello Eric,
> > >                 >>>>
> > >                 >>>> See [1] for authentication using X509 certificates and site-to-site tunnels.
> > >                 >>>>
> > >                 >>>> [1] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
> > >                 >>>>
> > >                 >>>> Kind regards/Regards,
> > >                 >>>> Noel Kuntze
> > >                 >>>>
> > >                 >>>> GPG Key ID: 0x63EC6658
> > >                 >>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > >                 >>>>
> > >                 >>>>> On 24.12.2014 at 00:42, Eric Zhang wrote:
> > >                 >>>>> How can I use RSA authentication with X.509 certificates to set up an IP tunnel between my PPPoE and the VPS (which has a fixed IP)?
> > >                 >>>>>
> > >                 >>>>> Thanks
> > >                 >>>>>
> > >                 >>>>> Eric
> > >                 >>>>
> > >                 >>>>
> > >                 >>>> _______________________________________________
> > >                 >>>> Users mailing list
> > >                 >>>> Users at lists.strongswan.org
> > >                 >>>> https://lists.strongswan.org/mailman/listinfo/users
> > >                 >>> Hello Noel,
> > >                 >>>     I guess the question Eric wants to ask is mainly about site-to-site
> > >                 >>>     with a "dynamic IP" on one side, while the other side has a fixed IP.
> > >                 >>>     I'm also eager to know since it's my situation too. :) My IPv6
> > >                 >>>     address is dynamic.
> > >                 >>>     If I omit the left= parameter, which defaults to %any, it
> > >                 >>>     sometimes (and randomly) would use ::1 on local, which surely
> > >                 >>>     won't succeed. Other times it would use the global address which
> > >                 >>>     works just fine.
> > >                 >>>
> > >                 >>> --
> > >                 >>> Zesen Qian (钱泽森)
> > >                 >>> Undergraduate
> > >                 >>> School of Software
> > >                 >>> Shanghai Jiao Tong University
>
> >                 >
> >                 >
>
> >             --
> >             Life is harsh
>
> >         --
> >         Life is harsh
>
> >     --
> >     Life is harsh
>
> > --
> > Life is harsh
>
>     --
>     Life is harsh
>
> --
> Life is harsh
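As an added example (not part of the thread, and not strongSwan's own tooling), a small POSIX shell check that reads `ipsec statusall` output and reports the two things Noel asks about: whether the plugins charon needs to load PEM certificates and keys are present, and whether a localNet-to-localNet passthrough shunt exists. The STATUS excerpt is constructed from the thread's own listing; the "loaded plugins:" line, its contents and the REQUIRED plugin names are assumptions about a typical build.

```shell
#!/bin/sh
# Constructed excerpt of `ipsec statusall` output, modelled on the listing in the
# thread. The "loaded plugins:" line is hypothetical and deliberately lacks the
# plugins that parse PEM files, to show what a misconfigured build looks like.
STATUS='Status of IKE charon daemon (strongSwan 5.x, Linux):
  loaded plugins: charon aes des sha1 sha2 md5 random nonce hmac stroke kernel-netlink socket-default updown
Shunted Connections:
   local-net:  192.168.89.0/24 === 192.168.89.0/24 PASS
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   192.168.89.0/24 === 0.0.0.0/0'

# Plugins charon needs to load PEM-encoded X.509 certs and RSA keys (assumption
# about a typical build): pem and x509 for the encodings, pkcs1 for the key
# format, and gmp or openssl for the RSA arithmetic (either one suffices).
REQUIRED="pem x509 pkcs1 gmp|openssl"

# missing_plugins STATUS SPEC... : print every SPEC (a plugin name, or
# alternatives joined by '|') that is not on the "loaded plugins:" line.
missing_plugins() {
    loaded=$(printf '%s\n' "$1" | sed -n 's/^ *loaded plugins: *//p')
    shift
    for spec in "$@"; do
        found=0
        for alt in $(printf '%s\n' "$spec" | tr '|' ' '); do
            case " $loaded " in *" $alt "*) found=1 ;; esac
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$spec"
    done
}

# has_passthrough STATUS SUBNET : succeed only if STATUS lists a PASS shunt
# whose both traffic selectors are SUBNET, i.e. the localNet-to-localNet
# passthrough policy that keeps LAN-internal traffic out of the tunnel.
has_passthrough() {
    printf '%s\n' "$1" | grep -qF -- "$2 === $2 PASS"
}

# Stand-alone run: report what is missing for the constructed sample.
missing_plugins "$STATUS" $REQUIRED        # unquoted on purpose: split on spaces
has_passthrough "$STATUS" 192.168.89.0/24 && echo "passthrough shunt present"
```

On a real box, replace the STATUS literal with `STATUS=$(ipsec statusall)`; an empty result from missing_plugins means the PEM loading path is at least available, and a failing has_passthrough means LAN-to-LAN traffic will be pulled into a 0.0.0.0/0 tunnel.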



