[strongSwan] Unsubscribe

Sam Boman sam at samb.se
Sun Nov 11 18:21:40 CET 2018


On Sun, 11 Nov 2018 at 10:10, Gilles Printemps <gprintemps at gmail.com> wrote:

> Hi,
> Several months ago, I tried to setup Strongswan as client for a connection
> to a VPN server using VTI without any success (unlike with OpenVPN). I'm
> now restarting again this task from the beginning in order to use only
> Strongswan as client and server.
>
> My first questions are related to the keyword "mark". What's the behaviour
> of Strongswan if the connmark plugin is enabled, but the is not set to
> transport?
>
> Is it normal that the flag is only set in one way?
> Thanks for help...
>
> result of sudo ip xfrm state:
> src 10.211.55.26 dst 46.166.179.50
>         proto esp spi 0xce5f4fa3 reqid 1 mode tunnel
>         replay-window 0 flag af-unspec
>         mark 0x2/0xffffffff
>         auth-trunc hmac(sha512) 0x935928d1affa6c98af5f81d2aba45614cb6ee966bcb75fe51eb1f8110886fd7315ea9ac1c6b621e1deb20ee81b08b23a63870085364e6ad8c29f3d1fcdc79abf 256
>         enc cbc(aes) 0xac8aa7382eb1278c2e5cdaf04ca1850716859ed23e3bed87f410d78013d76949
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src 46.166.179.50 dst 10.211.55.26
>         proto esp spi 0xc592d4be reqid 1 mode tunnel
>         replay-window 32 flag af-unspec
>         auth-trunc hmac(sha512) 0x117520099367715a781b88662055f1151b5b4ffb319b6d5d986c442f1fadcc7f93a83a54324ba4c01b13101440464adc159b44e4c32968aa7480763503ad1a2f 256
>         enc cbc(aes) 0x6eeb81a67c539685af3216523615a940aa756b76ffbd57434a573d3ac838b3e4
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>
> /etc/ipsec.conf
> config setup
>         charondebug="ike 2, knl 3, cfg 0"
>
> conn VPNInterface
>         mark=2
>         keyexchange=ike
>         dpdaction=clear
>         dpddelay=300s
>         eap_identity=<username>
>         leftupdown=/etc/ipsec.vti.sh
>         leftauth=eap-mschapv2
>         left=%defaultroute
>         leftsourceip=%config
>         right=<VPN server name>
>         rightauth=pubkey
>         rightsubnet=0.0.0.0/0
>         rightid=%any
>         auto=add
>
> /etc/ipsec.vti.sh
> #!/bin/bash
>
> set -o nounset
> set -o errexit
>
> STD_IF="enp0s5"
> VTI_IF="vpn${PLUTO_UNIQUEID}"
>
> case "${PLUTO_VERB}" in
>     up-client)
>         # VTI keys must match the marks strongSwan installed;
>         # PLUTO_MARK_IN/OUT are "mark/mask", so strip the mask.
>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>         ip link set "${VTI_IF}" up
>
>         sysctl -w "net.ipv4.conf.all.rp_filter=2"
>         sysctl -w "net.ipv4.conf.default.rp_filter=2"
>         sysctl -w "net.ipv4.conf.${STD_IF}.rp_filter=2"
>         ;;
>     down-client)
>         ip tunnel del "${VTI_IF}"
>         ;;
> esac
>
> Extract after starting the interface...
> sending packet: from 10.211.55.26[4500] to 46.166.179.50[4500] (160 bytes)
> received packet: from 46.166.179.50[4500] to 10.211.55.26[4500] (336 bytes)
> parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> authentication of 'C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me' with EAP successful
> IKE_SA VPNInterface[1] established between 10.211.55.26[10.211.55.26]...46.166.179.50[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
> scheduling reauthentication in 9773s
> maximum IKE_SA lifetime 10313s
> installing DNS server 46.166.179.49 via resolvconf
> installing DNS server 46.166.179.51 via resolvconf
> installing new virtual IP 10.3.142.180
> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
> CHILD_SA VPNInterface{1} established with SPIs c592d4be_i ce5f4fa3_o and TS 10.3.142.180/32 === 0.0.0.0/0
> updown: net.ipv4.conf.vpn1.disable_policy = 1
> updown: net.ipv4.conf.all.rp_filter = 2
> updown: net.ipv4.conf.default.rp_filter = 2
> updown: net.ipv4.conf.enp0s5.rp_filter = 2
> received AUTH_LIFETIME of 86400s, reauthentication already scheduled in 9773s
> peer supports MOBIKE
> connection 'VPNInterface' established successfully
>
>
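As an added example, not part of the original post or of strongSwan itself: a shell check that parses `ip xfrm state` output and reports, per reqid, whether the xfrm mark is present on every SA of that reqid or only on some of them, which is the asymmetry visible in the quoted output (mark 0x2/0xffffffff on the outbound SA only). The sample input is constructed, modelled on the quoted output with the key material replaced by 0x00; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check whether the SAs of each
# reqid in `ip xfrm state` output carry an xfrm mark in both directions.
# On a live host:  ip xfrm state | xfrm_mark_mismatch

# Constructed sample modelled on the output quoted above; keys elided (0x00).
SAMPLE_XFRM_STATE='src 10.211.55.26 dst 46.166.179.50
    proto esp spi 0xce5f4fa3 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    mark 0x2/0xffffffff
    auth-trunc hmac(sha512) 0x00 256
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 46.166.179.50 dst 10.211.55.26
    proto esp spi 0xc592d4be reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha512) 0x00 256
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
'

# xfrm_mark_report: read `ip xfrm state` text on stdin and print one line
# per SA:  <src> <dst> <spi> <reqid> <mark/mask or "none">
xfrm_mark_report() {
    awk '
        function flush() {
            if (src != "") printf "%s %s %s %s %s\n", src, dst, spi, reqid, mark
            src = ""; dst = ""; spi = ""; reqid = ""; mark = "none"
        }
        # Each SA starts with a "src A dst B" line; emit the previous one.
        $1 == "src"   { flush(); src = $2; dst = $4; mark = "none" }
        $1 == "proto" {
            for (i = 1; i <= NF; i++) {
                if ($i == "spi")   spi   = $(i + 1)
                if ($i == "reqid") reqid = $(i + 1)
            }
        }
        $1 == "mark"  { mark = $2 }
        END { flush() }
    '
}

# xfrm_mark_mismatch: exit 0 when, for every reqid, either all or none of its
# SAs are marked; otherwise print the inconsistent reqid(s) and exit 1.
xfrm_mark_mismatch() {
    xfrm_mark_report | awk '
        { marked[$4] += ($5 != "none"); total[$4]++ }
        END {
            rc = 0
            for (r in total) {
                if (marked[r] != 0 && marked[r] != total[r]) {
                    print "reqid " r ": " marked[r] " of " total[r] " SAs marked"
                    rc = 1
                }
            }
            exit rc
        }
    '
}
```

Run against the constructed sample, the report shows the mark on the outbound SA and "none" on the inbound one, and `xfrm_mark_mismatch` exits 1 for reqid 1. Note that strongSwan always applies the inbound mark to the inbound policy, and sets it on the inbound SA only when the conn option `mark_in_sa` is enabled, so an SA-level asymmetry like this should be read together with `ip xfrm policy` before concluding that the mark is missing.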