[strongSwan] Ubuntu and openswan migration to strongswan

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Feb 16 23:35:21 CET 2019


> Security Associations (1 up, 0 connecting):
>  Conn1[3]: ESTABLISHED 2 seconds ago, 196.y.y.y[52.x.x.x]...196.y.y.y[196.y.y.y]
>  Conn1:[3]: IKEv1 SPIs: 003afabcd1191ddf_i f84ca9def5333a82_r*, rekeying disabled
>  Conn1:[3]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

That is only an IKE SA, not a CHILD SA. The CHILD SA is the actual tunnel. The IKE SA is only used to manage the CHILD_SAs and to generally communicate between the IKE daemons on the different hosts.

2) You provide no logs so it's impossible to tell what exactly goes wrong.

Your configuration with
>         rightsubnet=a.a.a.a/b.b.b.b/32

a.a.a.a/b.b.b.b/32 does NOT represent a valid subnet.

3) Your configuration by default does not permit several different subnets because only one pair of subnets is listed.
   In order to configure a site-to-site tunnel with several subnets and IKEv1, you have to follow the scheme shown in the UsableExamples[1] article or
   (try to) apply the information shown in the specific article in the FAQ[2].

4) All of your configured cryptographic algorithms are deprecated and vulnerable. Every. Single. One. And the way you're using it makes the VPN slow.
   Transition to secure ones as shown in the UsableExamples article's Site-to-Site section[3] or pick a secure pair from the IKEv1CipherList[4].

5) The Unity plugin is only used when you have a roadwarrior style configuration in which you request a virtual IP from the peer.
   This is documented on the wiki[5].

6) Your logging settings will not write much useful information into any log file or syslog. Always use the configuration[6] shown in the HelpRequests article.

7) The way you configured the tunnel makes it NOT recover on failures. Apply the information from the SecurityRecommendations[7] article.
> # Add connections here.
> conn Conn1
>         auto=start

8) There's an article[8] in the FAQ regarding configuration compatibility with FreeS/WAN, Openswan and Libreswan.
> They are not compatible. Although the format of /ipsec.conf/ is identical between the different swans, the files are not compatible, because several options have different meanings and a variety of different
> options are absent from some versions and others exist. Do not attempt to reuse configuration files between different swans.

Please use the wiki. It exists for a reason. There's even an article regarding getting help[9]. Use it.

Kind regards


[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA
[3] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
[4] https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
[5] https://wiki.strongswan.org/projects/strongswan/wiki/UnityPlugin#Configuration
[6] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets
[7] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Tunnel-Shunting
[8] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#configuration-compatibility-with-FreeSWAN-Openswan-and-Libreswan
[9] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Am 16.02.19 um 20:59 schrieb Rudi Barnard:
> Issue seems to do with the Cisco Unity plugin as we are trying to connect to multiple right subnets... All the VPNs we are connecting to is Cisco.
> Have updated charon.conf and strongswan.conf with cisco_unity=yes but still same issue. Only 1 tunnel comes up but ip xfrm policy shows no entry.
> On Sat, Feb 16, 2019 at 5:04 PM Kostya Vasilyev <kman at fastmail.com <mailto:kman at fastmail.com>> wrote:
>     On Sat, Feb 16, 2019, at 10:09 AM, Rudi Barnard wrote:
>>     Hi,
>>     Have been using openswan on Ubuntu 14.04 on AWS EC2 for site to site connections (Ikev1 + PSK).
>>     Recently upgraded an image of the Ubuntu EC2 instance from 14.04 to 18.04.
>>     Result is that openswan gets replaced with Strongswan. I eventually did a scratch install of strongswan and also installed the Cisco plugin for multiple subnet support.
>>     Now testing one of the MANY VPNs we have previously setup on openswan.
>>     Tunnels are up but ip xfrm policy / state shows no entry and therefore I assume that there is config issue.
>>     Very new with Strongswan so not sure where to start troubleshooting.
>>     Thanks.
>>     [snip]
>     I'm a newbie too, but ... anything interesting in the logs?
>     journalctl -f -u strongswan
>     And then force a reconnect from a client.
>     ---
>     By the way, this is like a plague that gets copied from tutorial to tutorial:
>             charondebug="ike 1, knl 1, cfg 0"
>     You may want to set "cfg" log level to 1 or even 2 (and the others too) for troubleshooting.
>     -- K
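As an added illustration (not part of this thread and not a strongSwan tool), a small Python check that applies the points raised above to the status output and config fragment quoted in the thread: it tells an IKE_SA apart from an installed CHILD_SA, flags the algorithms the reply calls deprecated, rejects the malformed rightsubnet value, and reports conn sections using auto=start. The sample data is constructed from the quoted lines; the DES_CBC and MODP_768 entries in WEAK are my own addition.

```python
import ipaddress
import re
# Constructed sample data: the status lines and ipsec.conf fragment quoted in the thread.
STATUS = """\
Security Associations (1 up, 0 connecting):
 Conn1[3]: ESTABLISHED 2 seconds ago, 196.y.y.y[52.x.x.x]...196.y.y.y[196.y.y.y]
 Conn1[3]: IKEv1 SPIs: 003afabcd1191ddf_i f84ca9def5333a82_r*, rekeying disabled
 Conn1[3]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
"""
CONF = """\
conn Conn1
        auto=start
        rightsubnet=a.a.a.a/b.b.b.b/32
"""
# Algorithms named as deprecated in the thread, plus DES_CBC and MODP_768 (my assumption: same class).
WEAK = {"3DES_CBC", "DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_1024", "MODP_768"}

def has_child_sa(status):
    # 'ipsec statusall' prints CHILD_SAs as '<conn>{n}: INSTALLED, ...'; IKE_SAs use '<conn>[n]:'.
    return re.search(r"\{\d+\}:\s+INSTALLED", status) is not None

def weak_algorithms(status):
    # Collect every algorithm from the 'IKE proposal:' lines that is in the WEAK set.
    found = []
    for m in re.finditer(r"IKE proposal: (\S+)", status):
        found += [alg for alg in m.group(1).split("/") if alg in WEAK]
    return found

def invalid_subnets(conf):
    # leftsubnet/rightsubnet take a comma-separated list of CIDR networks; report entries that are not one.
    bad = []
    for m in re.finditer(r"^\s*(?:left|right)subnet=(.+)$", conf, re.M):
        for net in (n.strip() for n in m.group(1).split(",")):
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                bad.append(net)
    return bad

def auto_start_conns(conf):
    # conn sections with auto=start, the setting the reply says does not recover after a failure.
    conns, current = [], None
    for line in conf.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"^\s*auto=start\s*$", line):
            conns.append(current)
    return conns
```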
