[strongSwan] Users Digest, Vol 84, Issue 16
ali reza Tabatabaei
alirmusio at icloud.com
Sat Jan 14 23:51:10 CET 2017
hi
Sent from my iPhone
> On Jan 15, 2017, at 2:04 AM, users-request at lists.strongswan.org wrote:
>
> Today's Topics:
>
> 1. Re: strongTNCpolicy manager page not rendering properly
> (Andreas Steffen)
> 2. Re: Android TNC server basic setup (Mark M)
> 3. StrongSwan using Loopback IP address (Patrick Velder)
> 4. Re: StrongSwan using Loopback IP address (Noel Kuntze)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 14 Jan 2017 20:32:17 +0800
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> To: Mark M <mark076h at yahoo.com>, Users <users at lists.strongswan.org>
> Subject: Re: [strongSwan] strongTNCpolicy manager page not rendering
> properly
> Message-ID: <587A1A51.1080200 at strongswan.org>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hi Mark,
>
> sorry I forgot to mention that the following command must be
> executed first:
>
> sudo /var/www/tnc/manage.py collectstatic
>
> I updated the HOWTO accordingly.
>
> Best regards
>
> Andreas
>
>> On 14.01.2017 14:00, Mark M wrote:
>> Hi,
>>
>> I followed the setup guide from the strongTNC GitHub page and everything
>> seems to work ok except for the webpage itself. It looks like it does
>> not render properly for some reason. It looks like a basic HTML page.
>>
>> It looks like this - https://i.imgur.com/nd7dpGM.jpg
>>
>> Thanks,
>>
>> Mark
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
> ------------------------------
>
> Message: 2
> Date: Sat, 14 Jan 2017 20:15:14 +0000 (UTC)
> From: Mark M <mark076h at yahoo.com>
> To: Andreas Steffen <andreas.steffen at strongswan.org>,
> "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Android TNC server basic setup
> Message-ID: <2089959039.3359227.1484424914997 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Andreas,
> The guides that I follow do not create the /etc/pts/config.db database?
> Thanks,
> Mark
>
> On Thursday, January 12, 2017 2:26 PM, Mark M <mark076h at yahoo.com> wrote:
>
>
> Andreas,
> Thank you for the info,
> Now when I follow the guide to install the policy manager I only get the default apache page.
> I am following this guide - https://wiki.strongswan.org/projects/strongswan/wiki/StrongTNC
> Thanks,
> Mark
>
> On Thursday, January 12, 2017 6:09 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
>
> Hi Mark,
>
> you can find a [little-outdated] TNC server configuration HOWTO
> under the following link:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
>
> In the meantime the TNC measurement policies are not hard-coded
> any more in /etc/strongswan.conf but can be configured via the
> strongTNC policy manager available from the strongSwan GitHub
> repository
>
> https://wiki.strongswan.org/projects/strongswan/wiki/StrongTnc
>
> The IMVs on the strongTNC server must now connect to the strongTNC
> /etc/pts/config.db database. A sample configuration can be found here
>
>
> https://wiki.strongswan.org/projects/strongswan/wiki/IMA#Set-up-the-Attestation-Server
>
> Hope this helps!
>
> Andreas
>
>> On 11.01.2017 10:43, Mark M wrote:
>> Hi,
>>
>> I would like to set up a basic demo of the android client using TNC
>> connecting to a strongSwan server as shown in this guide -
>> https://wiki.strongswan.org/projects/strongswan/wiki/BYOD
>>
>> Is there a guide I can follow for a basic strongSwan server setup to
>> test out TNC with the android client? And is there anything special that
>> needs to be configured on the android client or does the android client
>> support TNC by default?
>>
>> Thanks,
>>
>> Mark
>
> ------------------------------
>
> Message: 3
> Date: Sat, 14 Jan 2017 22:26:15 +0100
> From: Patrick Velder <lists at velder.li>
> To: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: [strongSwan] StrongSwan using Loopback IP address
> Message-ID: <2b00950c-9796-548a-d22f-fc7b12b2a3eb at velder.li>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi
>
> I'm operating a setup running BGP with a configured loopback:
> 185.117.xx.254.
> As the loopback IP is reachable over all upstreams / peers /
> downstreams, I'd like to use this IP as "leftsourceip":
>
> Config:
>
>>
>> conn %default
>>     keyexchange=ikev1
>>     ikelifetime=86400s
>>     ike=aes256-sha512-modp4096!
>>     esp=aes256-sha512-modp1024!
>>     lifetime=1800s
>>     auto=start
>>     aggressive=no
>>
>> conn cr1-home
>>     left=185.117.xx.254
>>     right=84.75.xx.133
>>     authby=pubkey
>>     leftrsasigkey=/etc/ipsec.d/public/xx.pem
>>     rightrsasigkey=/etc/ipsec.d/public/yy.pem
>>     dpdaction=restart
>>     dpddelay=10s
>>     dpdtimeout=60s
>>
>> # Transport GRE
>> conn cr1-home-gre
>>     also=cr1-home
>>     type=transport
>>     leftprotoport=gre
>>     rightprotoport=gre
>>
>> # Monitoring <-> Home
>> conn cr1-home-monitoring
>>     also=cr1-home
>>     type=tunnel
>>     leftsubnet=185.117.xx.64/29
>>     rightsubnet=10.0.0.0/20
>>
> Now the problem is that StrongSwan tries to add a route for
> "10.0.0.0/20" (rightsubnet) to "my transit's nexthop" (185.95.xxx.41)
> via the "loopback interface" (dummy0), which of course fails as there is
> only one /32 configured on the loopback interface:
>
>> Jan 14 22:07:12 cr1 charon: 07[KNL] using 185.95.xx.41 as nexthop to reach 84.75.xx.133/32
>> Jan 14 22:07:12 cr1 charon: 07[KNL] installing route: 10.0.0.0/20 via 185.95.xx.41 src 185.117.xx.65 dev dummy0
>> Jan 14 22:07:12 cr1 charon: 07[KNL] unable to install source route for 185.117.xx.65
>
> Is there a way to fix that?
>
> Regards
> Patrick
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 14 Jan 2017 23:33:45 +0100
> From: Noel Kuntze <noel at familie-kuntze.de>
> To: Patrick Velder <lists at velder.li>, "users at lists.strongswan.org"
> <users at lists.strongswan.org>
> Subject: Re: [strongSwan] StrongSwan using Loopback IP address
> Message-ID: <dc021504-0b63-a1fd-9abf-8454906ae8db at familie-kuntze.de>
> Content-Type: text/plain; charset="utf-8"
>
>> On 14.01.2017 22:26, Patrick Velder wrote:
>> As the loopback IP is reachable over all upstreams / peers / downstreams, I'd like to use this IP as "leftsourceip":
> "leftsourceip" is not for doing anything with source routes in modern (>5.0.0) strongswan. It's only for assigning
> and requesting "virtual" IPs.
>
>> Now the problem is that StrongSwan tries to add a route for "10.0.0.0/20" (rightsubnet) to "my transit's nexthop"
>> (185.95.xxx.41) via the "loopback interface" (dummy0), which of course fails as there is only one /32 configured on
>> the loopback interface:
> Try a more up to date version. I remember there being a patch for that.
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
> ------------------------------
>
> End of Users Digest, Vol 84, Issue 16
> *************************************
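
An added example, not part of the thread or of strongSwan: a small log check for the route-install failure quoted in Message 3, pairing each charon "installing route" attempt with the "unable to install source route" line that follows it. The function name is hypothetical, the sample lines are the three quoted in the thread (addresses still masked with "xx"), and matching by worker-thread number plus source address is an assumption about how the two lines relate.

```python
import re

# The three log lines quoted in the thread, mail line-wrapping undone.
# Addresses are masked with "xx" exactly as the poster masked them.
SAMPLE_LOG = """\
Jan 14 22:07:12 cr1 charon: 07[KNL] using 185.95.xx.41 as nexthop to reach 84.75.xx.133/32
Jan 14 22:07:12 cr1 charon: 07[KNL] installing route: 10.0.0.0/20 via 185.95.xx.41 src 185.117.xx.65 dev dummy0
Jan 14 22:07:12 cr1 charon: 07[KNL] unable to install source route for 185.117.xx.65
"""

# "07[KNL]" is the worker thread number followed by the kernel-interface subsystem tag.
LINE = re.compile(r"charon: (?P<thread>\d+)\[KNL\] (?P<msg>.*)$")
INSTALL = re.compile(
    r"installing route: (?P<dst>\S+) via (?P<via>\S+) src (?P<src>\S+) dev (?P<dev>\S+)")
FAILED = re.compile(r"unable to install source route for (?P<src>\S+)")


def failed_source_routes(log_text):
    """Return the route attempts that were followed by an install failure.

    Assumption: the failure is logged by the same worker thread as the
    attempt, so the pair is matched on (thread, source address).
    """
    pending = {}    # (thread, src) -> fields of the attempted route
    failures = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        inst = INSTALL.match(msg)
        if inst:
            pending[(thread, inst.group("src"))] = inst.groupdict()
            continue
        fail = FAILED.match(msg)
        if fail:
            src = fail.group("src")
            route = pending.pop((thread, src), None)
            if route is None:   # failure line without a visible attempt
                route = {"dst": None, "via": None, "src": src, "dev": None}
            failures.append(route)
    return failures


if __name__ == "__main__":
    for r in failed_source_routes(SAMPLE_LOG):
        print("failed: {dst} via {via} src {src} dev {dev}".format(**r))
```
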