[strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
Modster, Anthony
Anthony.Modster at Teledyne.com
Wed May 3 23:58:53 CEST 2017
Hello Noel
I got the following message back from strongswan
Your mail to 'Users' with the subject
RE: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT
EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
Is being held until the list moderator can review it for approval.
The reason it is being held:
Message body is too big: 620463 bytes with a limit of 100 KB
Either the message will get posted to the list, or you will receive notification of the moderator's decision. If you would like to cancel this posting, please visit the following URL:
https://lists.strongswan.org/mailman/confirm/users/137beef69e319db5596b300d8bbf386cb140506f
-----Original Message-----
From: Modster, Anthony
Sent: Wednesday, May 03, 2017 2:55 PM
To: 'Noel Kuntze' <noel.kuntze+strongswan-users-ml at thermi.consulting>; users at lists.strongswan.org
Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
Hello Noel
1. let me know if any of the files are missing (s/b 3) 2. let me know if the log levels are ok (our settings were more than support required)
The following test and its results will be sent to strongswan for eveluation.
bring up ethernet eth1.13
when interface comes up start, tcpdump -i eth1.13 -w test_restart_eth113.dat
note: ipsec tunnel will start
wait for tunnel
bring up ppp0
when interface comes up start, tcpdump -i ppp0 -w test_restart_ppp0.dat wait for tunnel disconnect ethernet
note: ppp0 will stop communicating
wait for ppp0 to recover (about 9 mins)
log files:
test_restart_eth113.dat
test_restart_ppp0.dat
test_restart_security_edit.log
-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
Sent: Wednesday, May 03, 2017 1:37 PM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
For each interface.
On 03.05.2017 22:24, Modster, Anthony wrote:
> Hello Noel
>
> Quick question, do you want the tcpdump capture for each interface, or capture at the secure gateway side.
>
> -----Original Message-----
> From: Noel Kuntze
> [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
> Sent: Wednesday, May 03, 2017 12:08 PM
> To: Modster, Anthony <Anthony.Modster at Teledyne.com>;
> users at lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No
> Reputation] multiple tunnels
>
> Hello Anthony,
>
> On 03.05.2017 20:36, Modster, Anthony wrote:
>> Each tunnel would be bound to a separate interface (eth1.13 and ppp0).
>> Our application would open a socket for each tunnel end point, and bind to it (so there is no routing needed).
> What kind of socket? Raw IP?
>
>> We verified that ESP packets are being sent from each application socket to the assigned interface.
> Huh? Don't you mean "We verified that ESP packets are sent for each packet that is emitted from the application socket to the assigned interface"?
>
>> We verified that IKE packets are being sent to each interface from Charon.
> This is very curious. Please verify that they are indeed sent out from two different interfaces.
> As I previously mentioned, routing decisions are made based on the destination address, not the source address, so IKE packets for either IKE_SA would traverse the same interface and use the same route, except if you used policy based routing.
>
> Anyway, I require logs to figure out what happens exactly. Please create them using the file logger definition from the HelpRequests[1] page.
>
> Kind regards,
> Noel
>
> [1]
> https://secure-web.cisco.com/1j3GkDWiMC47CUy7JEZrTMFVOcm1wcAG1qjUD4ejw
> TAGcl7Ie8pH_oYW3ermSmwJCHgfvbtGVlYFEBP8roXNFVxQH5MyW5aLMsU9pDAUSxyzCAs
> lioVIyuREQoLk_-CP9Gus-3GQRkuDUOYzov0N5ZPq6tsv_2mW9NGMkRK-O3WZpWyeuW-WH
> B5bGM1JBQu1w0xtwPy7ehB2hEZcy-cCyXQ/https%3A%2F%2Fwiki.strongswan.org%2
> Fprojects%2Fstrongswan%2Fwiki%2FHelpRequests
>
>> ? does this sound ok
>> I will send more after your response.
>>
>> -----Original Message-----
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
>> Sent: Wednesday, May 03, 2017 10:38 AM
>> To: Modster, Anthony <Anthony.Modster at Teledyne.com>;
>> users at lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT
>> EMAIL: No Reputation] Re: multiple tunnels
>>
>> Hello Anthony,
>>
>> On 03.05.2017 19:24, Modster, Anthony wrote:
>>> We are using two interfaces at once from same host to the same secure gateway.
>> Why?
>> Why even two IKE_SAs? Just use one IKE_SA and have the two CHILD_SAs be managed under one.
>>
>>> root at wglng-6:~# ip route show
>>> 10.64.64.64 dev ppp0 proto kernel scope link src 166.204.4.61
>>> 192.168.1.0/24 dev eth1.13 proto kernel scope link src
>>> 192.168.1.134
>>> Note: I did not show interfaces that are not applicable
>>>
>>> Both tunnels are up and were able to ping and send data thru the tunnels.
>>> root at wglng-6:~# swanctl --list-sas
>>> sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* 5fa1f29dce075fd4_r
>>> local 'RA00006 at Teledyne.com' @ 166.204.4.61[4500] [20.20.20.9]
>>> remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
>>> AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
>>> established 922s ago, rekeying in 43s, reauth in 2455s
>>> sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
>>> installed 336s ago, rekeying in 211s, expires in 325s
>>> in c2e01069, 1320 bytes, 33 packets, 6s ago
>>> out e1c27d5f, 1452 bytes, 33 packets, 6s ago
>>> local 20.20.20.9/32
>>> remote 10.100.20.15/32
>>> sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* 5e3c5e4b5c1ec4cf_r
>>> local 'RA00006 at Teledyne.com' @ 192.168.1.134[4500] [20.20.20.8]
>>> remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
>>> AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
>>> established 1049s ago, rekeying in 150s, reauth in 2257s
>>> sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
>>> installed 469s ago, rekeying in 104s, expires in 191s
>>> in c45db512, 1880 bytes, 47 packets, 6s ago
>>> out 77309eef, 2068 bytes, 47 packets, 6s ago
>>> local 20.20.20.8/32
>>> remote 10.100.20.15/32
>>>
>>> strongswan creates the following in table 220 root at wglng-6:~# ip
>>> route show table 220
>>> 10.100.20.15 via 192.168.1.1 dev eth1.13 proto static src
>>> 20.20.20.8
>>>
>>> When we bring down eth1.13, the tunnel for ppp0 becomes unusable.
>> What do you mean with "the tunnel for ppp0"? The interface is irrelevant.
>> Packets are routed based on their destination. Charon does not pick two different paths for two different IKE_SAs to the same peer.
>>
>> Are you aware that charon uses one path for all the IKE_SAs to one peer?
>> Charon should choose another path to the remote peer, if there is one (and the "src" parameter of the corresponding route allows that). I guess your routing table doesn't allow that.
>>
>> Please provide logs that show the problem.
>>
>>> We think the problem is that ppp0 does not have a via in table 220.
>> Irrelevant. See above.
>>
>>> If you need more information, let me know.
>>>
>>> Thanks
>>>
>>> -----Original Message-----
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting]
>>> Sent: Wednesday, May 03, 2017 7:33 AM
>>> To: Modster, Anthony <Anthony.Modster at Teledyne.com>;
>>> users at lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] multiple
>>> tunnels
>>>
>>> Hello Anthony,
>>>
>>> On 03.05.2017 06:57, Modster, Anthony wrote:
>>>>
>>>>
>>>> ? how to setup ipsec policy
>>>>
>>>>
>>>>
>>>> We want to use multiple tunnels on separate interfaces on the same host to one secure gateway.
>>>>
>>>>
>>>>
>>>> The secure gateway only has one external IP address.
>>>>
>>> Depends on your exact requirements. You need to elaborate on this.
>>>
>>> Kind regards,
>>> Noel
>>>
>>> -- Noel Kuntze IT security consultant GPG Key ID: 0x0739AD6C
>>> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>>> _______________________________________________ Users mailing list
>>> Users at lists.strongswan.org
>>> https://secure-web.cisco.com/1umLFBujqnWj6QpzkmjOs5N9U3Ek-8bie0MXpB6
>>> w
>>> Z
>>> 9ss1vhilBrSfF13tKoWL6NTRe0CPd1SRvuy2CT2LgFRD1gjLQ21atsRzKU836ZbhigAz
>>> 4
>>> k
>>> 14W-T9yeoOC4t2-xDiwbecTeWHYlRtlO1w7TQmXEEzPLgNH25aPblOjUYxnVk3llkYq0
>>> W
>>> l
>>> d7pEH7cKab9tMboT6476CmpbjuM8HztzzA/https%3A%2F%2Flists.strongswan.or
>>> g
>>> %
>>> 2Fmailman%2Flistinfo%2Fusers
>>>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://secure-web.cisco.com/1ZUqhowo0_mv9V5kD25oaNH8gLBZLx66slK6Ff21L
> c9NCBKfl3Gs-GcDc9rITZdgrJ-gm4T7JliTiQ8tSyQ00Yvr4q_dP85oAHK-y6amf1lwgW4
> AgyJ5jvH2M04bEqEFcCxg6lss3F2tKV0s2k6RGOVF2-XjR0apCbvx4RxQkwAj2uGqSXzjf
> ZJzz0AqTsW6cseBSHwc-jMy4lczBfcy-Zg/https%3A%2F%2Flists.strongswan.org%
> 2Fmailman%2Flistinfo%2Fusers
>
More information about the Users
mailing list