[strongSwan] StrongSwan Mac OS X app questions

Ken Nelson ken at cazena.com
Sat Mar 14 18:15:28 CET 2015


Follow-on question:  when the SS Mac client establishes a connection, a popup occurs for the user to enter a password.  Does the client cache the password for the entire session lifetime?  I established a connection with a StrongSwan VPN gateway and left it up with a continuous 5 second ping to a machine inside the gateway.  After roughly 2 hours, 40 minutes the connection failed to authenticate and the tunnel stopped passing traffic.  Does the Mac app present the original password during re-authentication?

Configuration:
VPN gateway: Strongswan v5.2.2 on Centos 6.6
Client: StrongSwan Mac OS X app version 5.2.2(1) on OS X v10.10.2


Here’s the client log:

generating INFORMATIONAL response 5 [ D ]
sending packet: from 10.0.1.205[64888] to w.x.y.z[4500] (76 bytes)
reauthenticating IKE_SA sstest[15]
deleting IKE_SA sstest[15] between 10.0.1.205[sstest]…w.x.y.z[gw.cz.com]
sending DELETE for IKE_SA sstest[15]
generating INFORMATIONAL request 7 [ D ]
sending packet: from 10.0.1.205[64888] to w.x.y.z[4500] (76 bytes)
received packet: from w.x.y.z[4500] to 10.0.1.205[64888] (76 bytes)
parsed INFORMATIONAL response 7 [ ]
IKE_SA deleted



Here’s the server log:

Mar 13 22:44:59 secgw charon: 02[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:44:59 secgw charon: 02[ENC] parsed INFORMATIONAL request 7 [ D ]
Mar 13 22:44:59 secgw charon: 02[IKE] received DELETE for IKE_SA remote-access-ikev2-ss[1]
Mar 13 22:44:59 secgw charon: 02[IKE] deleting IKE_SA remote-access-ikev2-ss[1] between 10.8.95.244[gw.cz.com]...a.b.c.d[sstest]
Mar 13 22:44:59 secgw charon: 02[IKE] IKE_SA deleted
Mar 13 22:44:59 secgw vpn: - sstest 10.255.252.1/32 == a.b.c.d -- 10.8.95.244 == 10.8.64.0/19
Mar 13 22:44:59 secgw charon: 02[ENC] generating INFORMATIONAL response 7 [ ]
Mar 13 22:44:59 secgw charon: 02[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (76 bytes)
Mar 13 22:44:59 secgw charon: 02[CFG] lease 10.255.252.1 by 'sstest' went offline
Mar 13 22:44:59 secgw charon: 14[NET] received packet: from a.b.c.d[33495] to 10.8.95.244[4500] (1108 bytes)
Mar 13 22:44:59 secgw charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 13 22:44:59 secgw charon: 14[IKE] a.b.c.d is initiating an IKE_SA
Mar 13 22:44:59 secgw charon: 14[IKE] local host is behind NAT, sending keep alives
Mar 13 22:44:59 secgw charon: 14[IKE] remote host is behind NAT
Mar 13 22:44:59 secgw charon: 14[IKE] sending cert request for "C=US, ST=Massachusetts, L=Waltham, O=CZ, CN=CZ Secure Gateway CA, E=support at CZ-dev.com"
Mar 13 22:44:59 secgw charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 13 22:44:59 secgw charon: 14[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[33495] (465 bytes)
Mar 13 22:44:59 secgw charon: 16[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (380 bytes)
Mar 13 22:44:59 secgw charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 13 22:44:59 secgw charon: 16[CFG] looking for peer configs matching 10.8.95.244[%any]...a.b.c.d[sstest]
Mar 13 22:44:59 secgw charon: 16[CFG] selected peer config 'remote-access-ikev2-ss'
Mar 13 22:44:59 secgw charon: 16[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 13 22:44:59 secgw charon: 16[IKE] peer supports MOBIKE
Mar 13 22:44:59 secgw charon: 16[IKE] authentication of 'gw.cz.com' (myself) with RSA signature successful
Mar 13 22:44:59 secgw charon: 16[IKE] sending end entity cert "C=US, ST=Massachusetts, L=Waltham, O=CZ, CN=gw.cz.com, E=support at CZ.com"
Mar 13 22:44:59 secgw charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 13 22:44:59 secgw charon: 16[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (2204 bytes)
Mar 13 22:45:03 secgw charon: 13[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (380 bytes)
Mar 13 22:45:03 secgw charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 13 22:45:03 secgw charon: 13[IKE] received retransmit of request with ID 1, retransmitting response
Mar 13 22:45:03 secgw charon: 13[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (2204 bytes)
Mar 13 22:45:03 secgw charon: 15[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:45:03 secgw charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 13 22:45:03 secgw charon: 15[IKE] received EAP identity 'sstest'
Mar 13 22:45:03 secgw charon: 15[IKE] initiating EAP_MD5 method (id 0x43)
Mar 13 22:45:03 secgw charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Mar 13 22:45:03 secgw charon: 15[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (92 bytes)
Mar 13 22:45:03 secgw charon: 01[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:45:03 secgw charon: 01[ENC] parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Mar 13 22:45:03 secgw charon: 01[ENC] generating INFORMATIONAL response 3 [ N(AUTH_FAILED) ]
Mar 13 22:45:03 secgw charon: 01[NET] sending packet: from 10.8.95.244[4500] to a.b.c.d[32936] (76 bytes)





On Mar 13, 2015, at 2:27 PM, Ken Nelson <ken at CZ.com> wrote:


I’ve successfully connected the StrongSwan Mac OS X app version 5.2.2 (1) to a StrongSwan v5.2.2 VPN gateway.  A few questions/issues:


1.  DNS is not working.  I have rightdns=10.8.65.164 defined in the configuration (right is the remote access client).  The StrongSwan Mac OS X log indicates it is installing the DNS server address:

handling UNITY_SPLIT_INCLUDE attribute failed
handling UNITY_LOCAL_LAN attribute failed
installing 10.8.65.164 as DNS server
handling UNITY_DEF_DOMAIN attribute failed
installing 10.8.65.164 as DNS server
installing new virtual IP 10.255.252.1

The VPN gateway has the Cisco Unity attributes defined as it also supports the native Mac OS X client.

Once the tunnel is up, I can ping the server (10.8.54.164) but cannot resolve any hostnames it serves up.

Are there any issues with DNS & StrongSwan Mac OS X app?


2.  EAP-GTC authentication.  I would like to use EAP-GTC authentication with the Mac app and would be willing to modify the app to add this feature.  Any comments on how to do this or the level of difficulty are appreciated.


3.  Machine authentication.  Why doesn’t the Mac app require a client certificate for machine authentication, as is required for the native Mac client?


4.  Password configuration.  It would be nice to be able to configure the user’s password, instead of having to enter it on every tunnel invocation.
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
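Editor's note, added to this archived thread and not part of Ken's messages: the gateway log above shows the pattern a defender wants to spot in charon logs, a client-initiated DELETE of the old IKE_SA, a new IKE_SA_INIT from the same peer address seconds later, an EAP round, and then an INFORMATIONAL N(AUTH_FAILED). The script below is an added example that flags that sequence. It assumes the syslog layout seen in the post (`Mar 13 22:44:59 secgw charon: 02[IKE] ...`) and uses the charon worker-thread id to attribute address-less ENC/IKE lines to the peer named in the preceding NET "received packet" line on the same thread; that correlation is a heuristic, not something strongSwan guarantees. The sample log is constructed from the post's own lines.

```python
"""Detect IKEv2 reauthentications that end in AUTH_FAILED in strongSwan charon logs."""
import re
from datetime import datetime

# Constructed sample, modelled on the gateway log in the post: a client-initiated
# DELETE of the old IKE_SA, a fresh IKE_SA_INIT from the same peer address, and an
# AUTH_FAILED notify four seconds later. Addresses/names are the post's placeholders.
SAMPLE_LOG = """\
Mar 13 22:44:59 secgw charon: 02[IKE] received DELETE for IKE_SA remote-access-ikev2-ss[1]
Mar 13 22:44:59 secgw charon: 02[IKE] deleting IKE_SA remote-access-ikev2-ss[1] between 10.8.95.244[gw.cz.com]...a.b.c.d[sstest]
Mar 13 22:44:59 secgw charon: 02[IKE] IKE_SA deleted
Mar 13 22:44:59 secgw charon: 14[NET] received packet: from a.b.c.d[33495] to 10.8.95.244[4500] (1108 bytes)
Mar 13 22:44:59 secgw charon: 14[IKE] a.b.c.d is initiating an IKE_SA
Mar 13 22:45:03 secgw charon: 15[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:45:03 secgw charon: 15[IKE] received EAP identity 'sstest'
Mar 13 22:45:03 secgw charon: 15[IKE] initiating EAP_MD5 method (id 0x43)
Mar 13 22:45:03 secgw charon: 01[NET] received packet: from a.b.c.d[32936] to 10.8.95.244[4500] (76 bytes)
Mar 13 22:45:03 secgw charon: 01[ENC] parsed INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
"""

# syslog prefix as in the post: "Mar 13 22:44:59 secgw charon: 02[IKE] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<tid>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$"
)
DELETING_RE = re.compile(
    r"deleting IKE_SA (?P<conn>\S+)\[\d+\] between \S+\[[^\]]*\]\.\.\."
    r"(?P<peer>[^\[\s]+)\[(?P<ident>[^\]]*)\]"
)
RECV_RE = re.compile(r"received packet: from (?P<peer>[^\[\s]+)\[\d+\] to ")
AUTH_FAILED_RE = re.compile(r"parsed INFORMATIONAL request \d+ \[ N\(AUTH_FAILED\) \]")


def parse_ts(text):
    # syslog omits the year; the default year is fine for short intervals
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(lines, window=120):
    """Return one finding per peer whose IKE_SA was deleted and that then sent
    AUTH_FAILED within `window` seconds, i.e. a reauthentication that failed."""
    recent_deletes = {}   # peer address -> (timestamp, connection name, identity)
    thread_peer = {}      # charon worker thread -> last peer address it received from
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, msg = parse_ts(m["ts"]), m["tid"], m["msg"]
        d = DELETING_RE.search(msg)
        if d:
            recent_deletes[d["peer"]] = (ts, d["conn"], d["ident"])
            continue
        r = RECV_RE.search(msg)
        if r:
            # ENC/IKE lines carry no address; the NET line on the same worker
            # thread tells us which peer the following lines belong to (heuristic)
            thread_peer[tid] = r["peer"]
            continue
        if AUTH_FAILED_RE.search(msg):
            peer = thread_peer.get(tid)
            if peer in recent_deletes:
                deleted_at, conn, ident = recent_deletes.pop(peer)
                seconds = (ts - deleted_at).total_seconds()
                if 0 <= seconds <= window:
                    findings.append({
                        "peer": peer, "identity": ident, "conn": conn,
                        "deleted_at": deleted_at.strftime("%b %d %H:%M:%S"),
                        "failed_at": ts.strftime("%b %d %H:%M:%S"),
                        "seconds": seconds,
                    })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['failed_at']}: reauthentication of '{f['identity']}' from {f['peer']} "
              f"(conn {f['conn']}) failed {f['seconds']:.0f}s after the old IKE_SA was deleted")
```

On the gateway side, the relevant ipsec.conf keywords for this behaviour are `ikelifetime` (default 3h) and `reauth` (default `yes` for IKEv2): with `reauth=yes`, charon tears the IKE_SA down and builds a new one from scratch at the end of its lifetime, which re-runs the EAP exchange and so needs the client's credential again; `reauth=no` rekeys the IKE_SA in place without a fresh EAP round. Whether that is what the Mac app tripped over here is for the list to confirm, but the script gives an operator a quick way to count how often reauthentications fail rather than discovering it from a stalled ping.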
