[strongSwan] One to Many VPN (Host-Host)

Info infosec at quantum-equities.com
Mon Mar 19 00:52:24 CET 2018


This post is formatted as per here
<https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests>.

I'm using the bare minimum swanctl.conf and I've regenerated all my keys
and certs again.  For the IPSec gateway, which is a virtual machine in
the LAN DNATted to by the LAN gateway, I've made its cert with --san
quantum-equities.com,cygnus.darkmatter.org, because the LAN gateway is
known outside as quantum-equities.com and the IPSec gateway is known in
the LAN as cygnus.darkmatter.org.  My assumption is it has to be
resolvable in both worlds.

I also tried to set --dn "C=US, O=Quantum,
CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki
wasn't having it so I had to settle for just quantum-equities.com.

For the phone's key and cert, when it is the initiator, I know of no way
it can prove it is mars.darkmatter.org, other than what the cert says. 
It could be at any IP so I don't see how it can prove its identity?  The
IPSec gateway resolves to quantum-equities.com so it can prove its identity.

Also I would like to set the phone and other remotes to 'initiate only'
but there doesn't seem to be a way in the Android app.  And for other
remote machines there no longer seems to be that option.

Log levels are as per instructions and charon.log is attached.

strongswan.conf
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf


swanctl.conf
ikev2-pubkey {
        version = 2
        rekey_time = 0s
        local {
                cert = cygnus-Cert.pem
                id = cygnus.darkmatter.org
        }
        remote {
                # defaults are fine.
        }
        children {
                ikev2-pubkey {
                        local_ts = 192.168.1.0/24
                        mode = transport
                }
        }
}


charon.conf
charon {

# two defined file loggers
    filelog {
        /var/log/charon.log {
            time_format = %a, %Y-%m-%d %R
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
                mgr = 0
                net = 1
                enc = 1
                asn = 1
                job = 1
                knl = 1
        }
    }
}


# swanctl -L
# swanctl -l
(no response, for some reason)

# systemctl status strongswan-swanctl
● strongswan-swanctl.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
   Loaded: loaded (/usr/lib/systemd/system/strongswan-swanctl.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-03-18 12:14:37 PDT; 3h 58min ago
  Process: 59439 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
 Main PID: 59419 (charon-systemd)
   Status: "charon-systemd running, strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64"
   CGroup: /system.slice/strongswan-swanctl.service
           └─59419 /usr/sbin/charon-systemd

Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: received packet: from 172.56.42.34[45687] to 192.168.1.16[500] (704 bytes)
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[NET] received packet: from 172.56.42.34[45687] to 192.168.1.16[500] (704 bytes)
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[IKE] no IKE config found for 192.168.1.16...172.56.42.34, sending NO_PROPOSAL_CHOSEN
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: 10[NET] sending packet: from 192.168.111.16[500] to 172.56.42.34[45687] (36 bytes)
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: no IKE config found for 192.168.111.16...172.56.42.34, sending NO_PROPOSAL_CHOSEN
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 18 15:49:34 cygnus.darkmatter.org charon-systemd[59419]: sending packet: from 192.168.1.16[500] to 172.56.42.34[45687] (36 bytes)



# iptables-save
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
*mangle
:PREROUTING ACCEPT [67734:7451963]
:INPUT ACCEPT [67734:7451963]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53017:5165171]
:POSTROUTING ACCEPT [53017:5165171]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Sun Mar 18 16:16:59 2018
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
*nat
:PREROUTING ACCEPT [8165:1316953]
:INPUT ACCEPT [32:14356]
:OUTPUT ACCEPT [9748:486535]
:POSTROUTING ACCEPT [4:178]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.111.0/24 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Sun Mar 18 16:16:59 2018
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
*raw
:PREROUTING ACCEPT [67734:7451963]
:OUTPUT ACCEPT [53017:5165171]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Sun Mar 18 16:16:59 2018
# Generated by iptables-save v1.4.21 on Sun Mar 18 16:16:59 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:^fw-net - [0:0]
:^net-fw - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:fw-net - [0:0]
:fw-vpn - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net-fw - [0:0]
:net-vpn - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sha-lh-0000b76ab76dee8fd100 - [0:0]
:sha-rh-c015b4228a3ba078c43d - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
:vpn-fw - [0:0]
:vpn-net - [0:0]
:vpn_frwd - [0:0]
:~log0 - [0:0]
-A INPUT -i eth0 -j eth0_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6 --log-uid
-A INPUT -g reject
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6 --log-uid
-A FORWARD -g reject
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6 --log-uid
-A OUTPUT -g reject
-A Drop
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -m addrtype --dst-type BROADCAST -j DROP
-A Drop -m addrtype --dst-type ANYCAST -j DROP
-A Drop -m addrtype --dst-type MULTICAST -j DROP
-A Drop -m conntrack --ctstate INVALID -j DROP
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Reject
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -m addrtype --dst-type BROADCAST -j DROP
-A Reject -m addrtype --dst-type ANYCAST -j DROP
-A Reject -m addrtype --dst-type MULTICAST -j DROP
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -g reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -g reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A ^fw-net -p tcp -m multiport --dports 25,110,843,8080 -m conntrack --ctstate ESTABLISHED -j DROP
-A ^fw-net -j ACCEPT
-A ^net-fw -p tcp -m multiport --sports 25,110,843,8080 -m conntrack --ctstate ESTABLISHED -j DROP
-A ^net-fw -j ACCEPT
-A eth0_fwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_fwd -m policy --dir in --pol ipsec --mode transport -g vpn_frwd
-A eth0_fwd -m policy --dir in --pol none -j net_frwd
-A eth0_in -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_in -m policy --dir in --pol none -j net-fw
-A eth0_in -m policy --dir in --pol ipsec --mode transport -j vpn-fw
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_out -m policy --dir out --pol none -j fw-net
-A eth0_out -m policy --dir out --pol ipsec --mode transport -j fw-vpn
-A fw-net -m conntrack --ctstate ESTABLISHED -j ^fw-net
-A fw-net -m conntrack --ctstate RELATED -j ACCEPT
-A fw-net -d 192.168.1.16/32 -p esp -j ACCEPT
-A fw-net -d 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A fw-net -p tcp -m multiport --dports 25,110,843,8080 -g ~log0
-A fw-net -p tcp -m multiport --dports 21,990,9418,11371,80,443 -j ACCEPT
-A fw-net -d 192.168.1.10/32 -p udp -m multiport --dports 53,123 -j ACCEPT
-A fw-net -d 192.168.1.41/32 -p tcp -m tcp --dport 3480 -j ACCEPT
-A fw-net -p tcp -m multiport --dports 2222,22 -j ACCEPT
-A fw-net -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw-net -j Reject
-A fw-net -j LOG --log-prefix "Shorewall:fw-net:REJECT:" --log-level 6 --log-uid
-A fw-net -g reject
-A fw-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-vpn -d 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A fw-vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A fw-vpn -j Reject
-A fw-vpn -j LOG --log-prefix "Shorewall:fw-vpn:REJECT:" --log-level 6 --log-uid
-A fw-vpn -g reject
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -m conntrack --ctstate ESTABLISHED -j ^net-fw
-A net-fw -m conntrack --ctstate RELATED -j ACCEPT
-A net-fw -s 192.168.1.16/32 -p esp -j ACCEPT
-A net-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-fw -p udp -m conntrack --ctstate INVALID -j DROP
-A net-fw -p udp -m multiport --dports 500,4500 -j ACCEPT
-A net-fw -s 192.168.1.2/32 -p tcp -m tcp --dport 8123 -j ACCEPT
-A net-fw -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A net-fw -p udp -m multiport --dports 500,4500,50500,54500 -j ACCEPT
-A net-fw -s 192.168.1.4/32 -p tcp -m tcp --dport 8734 -j ACCEPT
-A net-fw -s 192.168.1.4/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-fw -j Drop
-A net-fw -j LOG --log-prefix "Shorewall:net-fw:DROP:" --log-level 6 --log-uid
-A net-fw -j DROP
-A net-vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-vpn -p tcp -m conntrack --ctstate INVALID -j DROP
-A net-vpn -p udp -m conntrack --ctstate INVALID -j DROP
-A net-vpn -j Drop
-A net-vpn -j LOG --log-prefix "Shorewall:net-vpn:DROP:" --log-level 6 --log-uid
-A net-vpn -j DROP
-A net_frwd -o eth0 -m policy --dir out --pol ipsec --mode transport -j net-vpn
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A vpn-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn-fw -s 192.168.1.16/32 -p udp -m udp --dport 500 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A vpn-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A vpn-fw -j Drop
-A vpn-fw -j LOG --log-prefix "Shorewall:vpn-fw:DROP:" --log-level 6 --log-uid
-A vpn-fw -j DROP
-A vpn-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn-net -j Drop
-A vpn-net -j LOG --log-prefix "Shorewall:vpn-net:DROP:" --log-level 6 --log-uid
-A vpn-net -j DROP
-A vpn_frwd -o eth0 -m policy --dir out --pol none -j vpn-net
-A ~log0 -j LOG --log-prefix "Shorewall:fw-net:ACCEPT:" --log-level 6 --log-uid
-A ~log0 -j ACCEPT
COMMIT
# Completed on Sun Mar 18 16:16:59 2018


# ip route show table all
default via 192.168.1.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.16
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.16
local 192.168.1.16 dev eth0 table local proto kernel scope host src 192.168.1.16
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.16
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev ipsec0 proto kernel metric 256
local ::1 dev lo table local proto kernel metric 0
local fe80::22e9:6b12:6b8e:b558 dev lo table local proto kernel metric 0
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev ipsec0 table local metric 256


# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:c0:23:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fec0:9330/64 scope link
       valid_lft forever preferred_lft forever
24: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet6 fe80::22e9:6b12:6b8e:b558/64 scope link flags 800
       valid_lft forever preferred_lft forever



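On the --dn question: an X.509 distinguished name is a comma-separated list of type=value RDNs (RFC 4514), so "CN=quantum-equities.com,cygnus.darkmatter.org" parses as a fourth RDN that has no attribute type, which is why pki refused it. Additional host names belong in subjectAltName entries, and strongSwan matches an FQDN identity such as cygnus.darkmatter.org against the certificate's dNSName SANs rather than against the CN. Two checks worth doing before retesting: pki takes one name per --san option (--san quantum-equities.com --san cygnus.darkmatter.org), and a single comma-joined value is not split into two names, so pki --print --in cygnus-Cert.pem should show two separate SANs; and the strongSwan Android client, unless a server identity is entered in the profile, expects the gateway's IKE identity to equal the server address it connected to, here quantum-equities.com, whereas the configured local id is cygnus.darkmatter.org. The Python below is an added example (not strongSwan's own code): a small RFC 4514 DN parser and an approximation of the identity-to-certificate match. The names are the ones from the post; the comma-joined SAN is a constructed illustration of the failure case, not a claim about the actual certificate.

```python
"""DN parsing and identity matching, as an added illustration (not strongSwan code)."""
from typing import Iterable, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into (TYPE, value) RDNs.

    Commas separate RDNs and a backslash escapes a literal character, so every
    component must carry a 'type=value' pair; a bare name is an error.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):       # escaped character, keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                             # unescaped comma: RDN boundary
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            raise ValueError(f"RDN {part!r} has no attribute type (a comma split a name?)")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def identity_matches(identity: str, subject_dn: str, dns_sans: Iterable[str]) -> bool:
    """Approximation of how an IKE identity is checked against a certificate.

    A DN identity (contains '=') must equal the subject DN RDN by RDN;
    an FQDN identity must equal one of the dNSName subjectAltNames
    (case-insensitively).  The CN is not consulted for FQDN identities.
    """
    if "=" in identity:
        return parse_dn(identity) == parse_dn(subject_dn)
    return identity.lower() in {s.lower() for s in dns_sans}


# Names from the post.
GATEWAY_DN = "C=US, O=Quantum, CN=quantum-equities.com"
GATEWAY_LOCAL_ID = "cygnus.darkmatter.org"
GATEWAY_PUBLIC_NAME = "quantum-equities.com"

# Constructed: SANs as they should be (two --san options) versus a single
# comma-joined value, which would be one dNSName containing a comma.
SANS_CORRECT = ["quantum-equities.com", "cygnus.darkmatter.org"]
SANS_COMMA_JOINED = ["quantum-equities.com,cygnus.darkmatter.org"]


def rejected_dn_reason(dn: str) -> str:
    """Return the parser's complaint for an invalid DN, or '' if it parses."""
    try:
        parse_dn(dn)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(rejected_dn_reason("C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org"))
    for sans in (SANS_CORRECT, SANS_COMMA_JOINED):
        print(sans, "local id matches:",
              identity_matches(GATEWAY_LOCAL_ID, GATEWAY_DN, sans),
              "public name matches:",
              identity_matches(GATEWAY_PUBLIC_NAME, GATEWAY_DN, sans))
```

With the two SANs issued separately both cygnus.darkmatter.org and quantum-equities.com match the certificate, so the gateway can present whichever identity the client expects; with the comma-joined value neither does, and pubkey authentication would fail at IKE_AUTH once the IKE_SA_INIT problem is out of the way.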
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.tar.bz2
Type: application/x-bzip
Size: 4763 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180318/78680bc3/attachment-0001.bin>

