[strongSwan] Up to date macOS native app builds

ccsalway ccsalway at yahoo.co.uk
Thu May 3 08:13:05 CEST 2018


** THIS MESSAGE DOES NOT ANSWER YOUR QUESTION BUT STRENGTHENS YOUR OBSERVATION **


In the strongSwan logs, when the reauth time has expired, I get the following

May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: initiator did not reauthenticate as requested
May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: IKE_SA rsa[1] will timeout in 48 seconds

And then the connection dies.

It seems that OSX doesn’t respond to AUTH_LIFETIME notify defined by RFC 4478 <https://tools.ietf.org/html/rfc4478>.  So setting reauth_time = 0s is the safe option.

https://wiki.strongswan.org/projects/strongswan/wiki/expiryrekey

———

My OSX 10.13.4 offers the following when connecting, which do seem weak with today's availability.  I couldn’t see any way to enable GCM.

IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

——

With regards to logging, have you seen the logging help page [1]?

I have my logging configured as

# /etc/strongswan.d/charon-systemd.conf
charon-systemd {
  filelog {
    /var/log/strongswan.log {
        time_format = %b %e %T
        flush_line = yes
        default = -1
        cfg = 4
    }
  }
}

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
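As an added example (not part of this thread or of strongSwan itself), a small Python helper that parses the proposal lines and the reauth log lines quoted above, flags the components the post calls weak, and derives a swanctl-style proposal string from the remaining ones. The weak-component set and the log-name-to-keyword table are this example's own assumptions; the sample lines are copied from the post.

```python
import re

# Components treated as weak in this example: DH groups below 2048 bits,
# 3DES and HMAC-SHA1-96 (assumption; adjust to local policy).
WEAK = {"MODP_1024", "MODP_1536", "3DES_CBC", "HMAC_SHA1_96"}

# charon log names -> swanctl/ipsec.conf proposal keywords (assumed mapping).
# PRF and NO_EXT_SEQ entries are implied by the keyword syntax and dropped.
KEYWORD = {
    "AES_CBC_256": "aes256", "AES_CBC_128": "aes128", "3DES_CBC": "3des",
    "HMAC_SHA2_256_128": "sha256", "HMAC_SHA1_96": "sha1",
    "MODP_2048": "modp2048", "MODP_1536": "modp1536", "MODP_1024": "modp1024",
    "ECP_256": "ecp256",
}

# Constructed sample input: the lines quoted in the post above.
IKE_LINE = ("IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
            "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
            "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")
ESP_LINE = ("ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, "
            "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ")
LOG = [
    "May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: initiator did not reauthenticate as requested",
    "May  3 05:29:14 ip-10-0-5-202 charon-systemd[3125]: IKE_SA rsa[1] will timeout in 48 seconds",
]
REAUTH_RE = re.compile(r"IKE_SA (\S+) will timeout in (\d+) seconds")

def parse_proposals(line):
    """Split 'IKE:a/b/c, IKE:d/e/f' into (protocol, [components]) pairs."""
    out = []
    for item in line.split(","):
        proto, _, algs = item.strip().partition(":")
        out.append((proto, algs.split("/")))
    return out

def weak_components(components):
    """Return the sorted subset of components that are in WEAK."""
    return sorted(set(components) & WEAK)

def strong_proposal_string(line):
    """Keep only proposals with no weak component, as a swanctl proposal list."""
    kept = []
    for _proto, comps in parse_proposals(line):
        if weak_components(comps):
            continue
        kw = "-".join(KEYWORD[c] for c in comps if c in KEYWORD)
        if kw not in kept:
            kept.append(kw)
    return ",".join(kept)

def reauth_timeouts(log_lines):
    """Pick out IKE_SAs whose peer ignored the AUTH_LIFETIME reauth request."""
    return [(m.group(1), int(m.group(2))) for m in map(REAUTH_RE.search, log_lines) if m]
```

Running it on the sample lines yields the two remaining IKE proposals and the ESP proposal in swanctl syntax, plus the IKE_SA name and remaining seconds from the reauth timeout line.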



> On 3 May 2018, at 04:42, Darren S. <phatbuckett at gmail.com> wrote:
> 
> The built-in VPN client has been a comedy of errors for my deployment... I don't have faith in the current iteration of Apple's IKEv2 implementation. I'm hoping to get around what appears to be a bug in the (rekeying? re-auth?) that happens every 8 minutes that currently drops the tunnel, and to be able to configure robust algorithms (I understand it also lacks support for things like AES-GCM, defaults to weak DH groups, etc.). I can't figure out the magic sauce required to get logging/debugging with IKEv2 (the common advice I see to enable Racoon logging appears to apply to IKEv1 keying). It appears that the only way of having granular control over settings is to use a configuration profile and deal with a config utility or the plist format. There are plenty of blog and forum posts and wiki pages in various places that talk about how to make things work, but there's also an equivalent amount of variance in what they recommend doing (including many that are wrong or recommend insecure configurations).
> 
> I'm hoping the next version of the OS brings significant improvements to the IPsec framework but at this point I was hoping to use a more robust and configurable (and easier to diagnose) client. I can roll with the Homebrew build but I was looking forward to trying out the graphical interface too.
> 
> - Darren
> 
> On Wed, May 2, 2018 at 12:30 PM, ccsalway <ccsalway at yahoo.co.uk> wrote:
> The built in VPN client is able to connect using Certificate and Username/Password, so I’m curious what you hope to gain from a native app?
> 
> - C
> 
>> On 2 May 2018, at 19:28, Darren S. <phatbuckett at gmail.com> wrote:
>> 
>> Hi,
>> 
>> Just noting that https://download.strongswan.org/osx/ shows no current Mac native app builds. It's not mentioned at https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm curious if these builds are no longer being done. Is the current guidance for macOS to use Homebrew or do a manual build? (And if the .app bundle build is no longer occurring, is there currently no supported macOS native app option)?
>> 
>> -- 
>> Darren Spruell
>> phatbuckett at gmail.com
> 
> 
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com