From houmie at gmail.com Sat Jul 4 10:08:53 2020
From: houmie at gmail.com (Houman)
Date: Sat, 4 Jul 2020 09:08:53 +0100
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Message-ID:

Hello,

I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic (Ubuntu 20.04). I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu 19.10).

received netlink error: Invalid argument (22)

Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] authentication of 'de-fsn-6.VPN.net' (myself) with RSA signature successful
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] sending end entity cert "CN=de-fsn-6.VPN.net"
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] splitting IKE message (2928 bytes) into 3 fragments
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (612 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] received packet: from 39.33.54.xxx[4500] to 144.76.113.xxx[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] parsed INFORMATIONAL request 409 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] generating INFORMATIONAL response 409 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] sending packet: from 144.76.113.xxx[4500] to 39.33.54.xxx[4500] (128 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] received packet: from xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] to xxxx:4f7:192:732c::2[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] remote host is not behind NAT anymore
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] faking NAT situation to enforce UDP encapsulation
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI c8a1394b
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI 0b956c9a
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] generating INFORMATIONAL response 12 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] sending packet: from xxxx:4f7:192:732c::2[4500] to xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] (128 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 13[KNL] creating acquire job for policy xxx.111.251.62/32[tcp/https] === 10.10.34.25/32[tcp/51510] with reqid {31606}
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 13[CFG] trap not found, unable to acquire reqid 31606
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[NET] received packet: from xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] to xxxx:4f7:192:732c::2[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[IKE] received retransmit of request with ID 12, retransmitting response

/etc/ipsec.conf:

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn Falkenstein-6
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@de-fsn-6.VPN.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
    leftfirewall=no

Any idea what this could be?

Many Thanks,
Houman

From winnymthomas at yahoo.com Sat Jul 4 13:23:39 2020
From: winnymthomas at yahoo.com (Winny Thomas)
Date: Sat, 4 Jul 2020 11:23:39 +0000 (UTC)
Subject: [strongSwan] Windows native client calling on local IKE service charon-svc
References: <1851656805.1919452.1593861819898.ref@mail.yahoo.com>
Message-ID: <1851656805.1919452.1593861819898@mail.yahoo.com>

Hi,

I just started using strongSwan and I would like to know if it's possible for the Windows native VPN client (set up using Control Panel, or via C code using the Rasapi32 API calls, or UWP) to call the local IKE service implemented in charon-svc to set up an IPsec tunnel with a remote VPN gateway. If yes, then any pointers to this information would be very helpful.

The OS X and Android apps in the source code repository, do they talk to a local strongSwan IKE service or to the IKE implementation of the target platform?

Thank you.

Regards,
Winny

From doctor at doctor.nl2k.ab.ca Sat Jul 4 21:50:18 2020
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sat, 4 Jul 2020 13:50:18 -0600
Subject: [strongSwan] Setting up a "dial in pool" using BSD MPD5 with strongswan 5.8
Message-ID: <20200704195018.GB33154@doctor.nl2k.ab.ca>

I am trying to set up an anonymous "dial in pool" using BSD's MPD5. All incoming are anonymous.
Any point on how to?

-- 
Member - Liberal International  This is doctor@@nl2k.ab.ca  Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
The highest result of education is tolerance. -Helen Keller

From tobias at strongswan.org Mon Jul 6 10:11:58 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Mon, 6 Jul 2020 10:11:58 +0200
Subject: [strongSwan] Setting up a "dial in pool" using BSD MPD5 with strongswan 5.8
In-Reply-To: <20200704195018.GB33154@doctor.nl2k.ab.ca>
References: <20200704195018.GB33154@doctor.nl2k.ab.ca>
Message-ID: <4641f448-7887-1ef3-fe1f-77425698d026@strongswan.org>

Hi,

> I am trying to set up an anonymous "dial in pool"
> using BSD's MPD5. All incoming are anonymous.

What's a "dial in pool"? In what way anonymous? And what's the relation to MPD5, apparently a PPP daemon?

Regards,
Tobias

From tobias at strongswan.org Mon Jul 6 10:20:15 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Mon, 6 Jul 2020 10:20:15 +0200
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To:
References:
Message-ID:

Hi,

> I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic
> (Ubuntu 20.04).
> I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
> 19.10).

In the same situation (i.e. if a client's IP address changes)? Or just in general? Can you replicate this error?

> received netlink error: Invalid argument (22)

As the error indicates, this is returned by the kernel if it doesn't like the provided data. Either when querying the existing SA or when replacing it with updated IP addresses (increase the log level for knl to 2 to see which operation failed). Also, what kernel version are you using?

Regards,
Tobias

From houmie at gmail.com Mon Jul 6 10:34:04 2020
From: houmie at gmail.com (Houman)
Date: Mon, 6 Jul 2020 09:34:04 +0100
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To:
References:
Message-ID:

Hi Tobias,

We have two types of servers. Same users are doing OK on servers with StrongSwan 5.7.2 on kernel 5.3.0-53-generic.

But on the servers with StrongSwan 5.8.2 with kernel 5.4.0-39-generic, the issue arises. (Not for all users, but quite a few.)

> increase the log level for knl to 2 to see which operation failed

Could you please elaborate a bit more on how to change the log level for knl? In which config do I do that?

Many Thanks,
Houman

From tobias at strongswan.org Mon Jul 6 11:08:00 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Mon, 6 Jul 2020 11:08:00 +0200
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To:
References:
Message-ID:

Hi Houman,

> We have two types of servers. Same users are doing ok on servers with
> StrongSwan 5.7.2 on kernel 5.3.0-53-generic.
>
> But on the servers with StrongSwan 5.8.2 with kernel 5.4.0-39-generic,
> the issue arises. (Not for all users, but quite a few)

I had a closer look at the log and now saw what the problem is. It has nothing to do with the strongSwan or kernel version.

The problem is that the client moves from an IPv4 address to an IPv6 address and you apparently have UDP encapsulation forced (see the "faking NAT situation to enforce UDP encapsulation"). However, the Linux kernel currently does not support UDP encapsulation for IPv6 (the upcoming 5.8 kernel will be the first one with support for it), so you get that error when the daemon tries to replace the IPv4 SA with an IPv6 SA that has UDP encapsulation enabled. Try without forcing UDP encapsulation (or disable IPv6 in the socket-default plugin if you don't want clients to use it).

Regards,
Tobias

From houmie at gmail.com Mon Jul 6 11:43:42 2020
From: houmie at gmail.com (Houman)
Date: Mon, 6 Jul 2020 10:43:42 +0100
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To:
References:
Message-ID:

Hi Tobias,

Thank you so much for the detailed explanation. You brought up some interesting points.

I could disable it with forceencaps=no, but having it enabled helps overcome restrictive firewalls. So maybe it's better for my users if I disabled IPv6 instead. Do you agree? Or is forcing it not such a big deal after all?

What is strange is that I thought I had disabled IPv6, like this:

/etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Where do I disable it then?

Many Thanks,
Houman

From tobias at strongswan.org Mon Jul 6 12:12:19 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Mon, 6 Jul 2020 12:12:19 +0200
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To:
References:
Message-ID: <1039d661-63b0-da82-5a7b-0e339eecc45d@strongswan.org>

Hi Houman,

> I could disable it with forceencaps=no, but having it enabled helps overcome
> restrictive firewalls. So maybe it's better for my users if I
> disabled IPv6 instead. Do you agree?
> Or is forcing it not such a big deal after all?

Depends on the clients. Many will be behind a NAT anyway, others (e.g. our Android client) will also force UDP encapsulation. Only for unnatted clients behind restrictive firewalls that can't force it themselves will forcing it on the server make a difference.

> What is strange is that I thought I had disabled IPv6, like this:
> ...
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1

I don't think that affects interfaces that are already up, so you might have to explicitly set it for the specific interface too.

> Where do I disable it then?

You may disable charon.plugins.socket-default.use_ipv6 so the plugin won't open an IPv6 socket.

Regards,
Tobias

From vegeta at tuxpowered.net Mon Jul 6 17:52:16 2020
From: vegeta at tuxpowered.net (Kajetan Staszkiewicz)
Date: Mon, 6 Jul 2020 17:52:16 +0200
Subject: [strongSwan] IPv6 source address choice of charon-nm
In-Reply-To: <12f937bf-7ea6-f939-3a32-45726a631744@strongswan.org>
References: <12f937bf-7ea6-f939-3a32-45726a631744@strongswan.org>
Message-ID:

On 11.06.20 11:44, Tobias Brunner wrote:
> Hi Kajetan,
>
>> So why is charon-nm choosing a different source address than every other
>> program? Can I somehow influence it?
>
> Try enabling charon-nm.prefer_temporary_addrs in strongswan.conf. I
> guess it could even make sense to change that default for the NM backend.

Enabling this option causes no route to be installed in table 220 and thus no traffic routed over VPN for IPv6. The IP address offered by the VPN server gets assigned on the primary interface, though.

-- 
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
| Kajetan Staszkiewicz   | www: http://vegeta.tuxpowered.net    |
`------------------------^--------------------------------------'
From tobias at strongswan.org Tue Jul 7 10:11:54 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Tue, 7 Jul 2020 10:11:54 +0200
Subject: [strongSwan] IPv6 source address choice of charon-nm
In-Reply-To:
References: <12f937bf-7ea6-f939-3a32-45726a631744@strongswan.org>
Message-ID: <0fa8a26f-5717-404f-1eb6-39a1a1d95401@strongswan.org>

Hi Kajetan,

>> Try enabling charon-nm.prefer_temporary_addrs in strongswan.conf. I
>> guess it could even make sense to change that default for the NM backend.
> Enabling this option causes no route to be installed in table 220 and
> thus no traffic routed over VPN for IPv6. The IP address offered by the VPN
> server gets assigned on the primary interface, though.

Interesting. I think I might have an idea why. Can you try the patch in the netlink-ipv6-vip branch [1]?

Thanks,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/netlink-ipv6-vip

From houmie at gmail.com Tue Jul 7 12:32:48 2020
From: houmie at gmail.com (Houman)
Date: Tue, 7 Jul 2020 11:32:48 +0100
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To: <1039d661-63b0-da82-5a7b-0e339eecc45d@strongswan.org>
References: <1039d661-63b0-da82-5a7b-0e339eecc45d@strongswan.org>
Message-ID:

Hi Tobias,

Thanks again for your help. I have changed forceencaps to no in /etc/ipsec.conf, saved and rebooted. I still get the same errors. Although the "faking NAT situation to enforce UDP encapsulation" is not showing anymore. Is this now something else?

Jul 7 00:28:58 de-fsn-6 charon: 12[ENC] generating INFORMATIONAL response 24 [ ]
Jul 7 00:28:58 de-fsn-6 charon: 12[NET] sending packet: from 144.76.11x.xxx[4500] to 2.50.157.xxx[4500] (80 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 11[NET] received packet: from 2001:8f8:xxx:xxx:504c:4f39:258e:8191[4500] to 2a01:4f8:192:xxxx::2[4500] (144 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT, sending keep alives
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI cf20af06
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI 0b13a954
Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] generating INFORMATIONAL response 11 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 de-fsn-6 charon: 11[NET] sending packet: from 2a01:4f8:xxx:732c::2[4500] to 2001:8f8:xxx:53d3:504c:4f39:xxx:8191[4500] (128 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 01[KNL] creating acquire job for policy 128.116.xxx.3/32[tcp/https] === 10.10.18.xxx/32[tcp/56633] with reqid {2595}
Jul 7 00:28:59 de-fsn-6 charon: 01[CFG] trap not found, unable to acquire reqid 2595
Jul 7 00:29:00 de-fsn-6 charon: 06[NET] received packet: from 2001:8f8:1163:xxxx:504c:4f39:258e:8191[4500] to 2a01:4f8:xxx:xxxx::2[4500] (144 bytes)
Jul 7 00:29:00 de-fsn-6 charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:29:00 de-fsn-6 charon: 06[IKE] received retransmit of request with ID 11, retransmitting response
Jul 7 00:29:00 de-fsn-6 charon: 06[NET] sending packet: from 2a01:4f8:192:xxxx::2[4500] to 2001:8f8:1163:53d3:504c:xxxx:258e:8191[4500] (128 bytes)
Jul 7 00:29:01 de-fsn-6 charon: 15[IKE] retransmit 5 of request with message ID 0

It is very strange that the same configuration works with StrongSwan 5.7.2 but 5.8.2 throws these errors. Something must have changed that I'm missing, I think.

If you see no other possibility, I suppose I have no other choice than disabling IPv6 by setting use_ipv6 = no in /etc/strongswan.d/charon/socket-default.conf. I was hoping not to do it, as some ISPs might only support IPv6 and by doing that I might cause new problems. What do you think?

Maybe I should live with that error. After all, it happens only 5 times a day. What is the most sensible thing to do?

Many Thanks,
Houman

From phillc at gmail.com Tue Jul 7 13:10:14 2020
From: phillc at gmail.com (Phill Corner)
Date: Tue, 7 Jul 2020 12:10:14 +0100
Subject: [strongSwan] Proxy ARP pseudo-bridge with IPSec Transport
In-Reply-To:
References:
Message-ID:

So, I've done more investigating on this.

I can get this working between the Win10 native Defender Advanced Firewall IPsec and StrongSwan in tunnel mode, using my security appliance IP as the tunnel endpoint, with the protected device IP as the remote_ts.

I also realise that the reason my transport mode policy is not working is that when StrongSwan tries to reply to the phase 1 packets from the remote device, it cannot send the resulting packet because the source IP doesn't exist on any local interface, hence I get a 'network is unreachable' message.

Although it's an unusual use case, it would be preferable to get transport mode working, as intermediate firewalls along the path then have visibility over the ultimate destination IP and port, which is actually preferable because we can then have upstream policies restricting what actually makes its way over the WAN to the security appliance.

So I'm wondering if it is possible to force the generation of responses with what is effectively a 'spoofed' source address?

Thanks!

- Phill

On Tue, 30 Jun 2020 at 14:24, Phill Corner wrote:
> Good day,
>
> I'm new to working with StrongSwan and ambitiously trying to do a rather
> unusual use case.
> I've got an Ubuntu Server 20.04 machine with two network interfaces which
> is acting as a security appliance for a protected network of legacy devices.
>
> One interface is the 'outside' or normal interface and has an IP address
> 192.168.8.128.
> The other interface is the 'inside' or protected network and has no IP
> address, in effect both inside and outside attached networks are using
> 192.168.8.0/24.
>
> I've elected to use a pseudo-bridge approach with ARP and ip_forward,
> hiding the protected network from outside ARP requests, broadcast, and
> multicast by default. I have this working nicely along with nftables rules
> on the forward chain to control traffic, I'm also using per-interface
> ingress with fwd or dup in netfilter to pass select broadcast and multicast
> traffic where required.
>
> The devices on the protected network do not support IPSec, so the scenario
> I want to configure now is for IPSec between Windows 10 and StrongSwan,
> decrypt, and then forward the decrypted traffic to the protected device,
> and vice versa. Essentially StrongSwan acting as a sort of promiscuous
> transparent IPSec proxy, building transport mode SAs on behalf of IP
> addresses that aren't local, but exist on another interface.
>
> [192.168.8.1] <- IPSec (dst .10) -> [StrongSwan Decrypt] <-- Clear
> Protocol --> [192.168.8.10]
>
> Firstly, would this approach even be possible with the capabilities of
> StrongSwan?
> If so can anyone give a suggestion on where to start?
>
> The outside clients are running Windows 10 or Server 2019 and what I
> really want to do is protect some of the legacy application protocols with
> IPSec transport mode using the native Windows Defender Firewall capability.
> I've got a test working with transport mode between the native Win10 and
> StrongSwan on the ubuntu machine itself using the swanctl.conf approach with
> PSKs.
>
> I've looked at the trap-any examples but wasn't able to get the SA to
> connect properly. I've also read up a little on xfrm interfaces as a
> possible way of doing this, potentially attaching the policy to an xfrm and
> forcibly routing traffic to it from ingress (if that's even possible).
> Worst case I thought libipsec could present a possible option in userland
> but I would rather avoid that.
>
> I would appreciate thoughts from peers, thank you!
>
> - Phill
>

-- 
Phillip J Corner GICSP EngTech ICTTech MIET
From tobias at strongswan.org Tue Jul 7 14:36:01 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Tue, 7 Jul 2020 14:36:01 +0200
Subject: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
In-Reply-To:
References: <1039d661-63b0-da82-5a7b-0e339eecc45d@strongswan.org>
Message-ID: <95b27d4a-f503-a2f1-c4dc-e69b2d547d86@strongswan.org>

Hi Houman,

> I still get the same errors. Although the "faking NAT situation to
> enforce UDP encapsulation" is not showing anymore. Is this now something
> else?

Yes, as the log tells you, it looks like your server is behind a NAT:

> Jul  7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT,
> sending keep alives

Is there actually an IPv6 NAT? Or should 2a01:4f8:192:xxxx::2 be the same address the clients see too? If so, the NAT-D payload may have been invalid (e.g. because the client faked a NAT situation - note, though, that strongSwan only modifies the source IP hash to that effect).

> It is very strange that the same configuration works with StrongSwan
> 5.7.2 but 5.8.2 throws these errors. Something must have changed that
> I'm missing, I think.

I don't think that any change caused this. Did you have IPv6 connectivity with 5.7.2 too?

Regards,
Tobias

From doctor at doctor.nl2k.ab.ca Tue Jul 7 14:36:05 2020
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 7 Jul 2020 06:36:05 -0600
Subject: [strongSwan] Setting up a "dial in pool" using BSD MPD5 with strongswan 5.8
In-Reply-To: <4641f448-7887-1ef3-fe1f-77425698d026@strongswan.org>
References: <20200704195018.GB33154@doctor.nl2k.ab.ca> <4641f448-7887-1ef3-fe1f-77425698d026@strongswan.org>
Message-ID: <20200707123605.GA40132@doctor.nl2k.ab.ca>

On Mon, Jul 06, 2020 at 10:11:58AM +0200, Tobias Brunner wrote:
> Hi,
>
> > I am trying to set up an anonymous "dial in pool"
> > using BSD's MPD5. All incoming are anonymous.
>
> What's a "dial in pool"? In what way anonymous? And what's the
> relation to MPD5, apparently a PPP daemon.
>

mpd5 handles all the authentication. Anonymous as in we have no idea who comes on, but mpd5 handles the issue of user credentials.

> Regards,
> Tobias

From tobias at strongswan.org Tue Jul 7 14:39:05 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Tue, 7 Jul 2020 14:39:05 +0200
Subject: [strongSwan] Setting up a "dial in pool" using BSD MPD5 with strongswan 5.8
In-Reply-To: <20200707123605.GA40132@doctor.nl2k.ab.ca>
References: <20200704195018.GB33154@doctor.nl2k.ab.ca> <4641f448-7887-1ef3-fe1f-77425698d026@strongswan.org> <20200707123605.GA40132@doctor.nl2k.ab.ca>
Message-ID:

Hi,

>>> I am trying to set up an anonymous "dial in pool"
>>> using BSD's MPD5. All incoming are anonymous.
>>
>> What's a "dial in pool"? In what way anonymous? And what's the
>> relation to MPD5, apparently a PPP daemon.
>>
>
> mpd5 handles all the authentication. Anonymous as in we have no idea
> who comes on, but mpd5 handles the issue of user credentials.

No idea, you'd have to check what, if any, API MPD5 provides for other applications and then (if it's not RADIUS) write a plugin that uses that API to authenticate users via EAP.

Regards,
Tobias

From doctor at doctor.nl2k.ab.ca Tue Jul 7 14:46:49 2020
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 7 Jul 2020 06:46:49 -0600
Subject: [strongSwan] Setting up a "dial in pool" using BSD MPD5 with strongswan 5.8
In-Reply-To:
References: <20200704195018.GB33154@doctor.nl2k.ab.ca> <4641f448-7887-1ef3-fe1f-77425698d026@strongswan.org> <20200707123605.GA40132@doctor.nl2k.ab.ca>
Message-ID: <20200707124649.GA12809@doctor.nl2k.ab.ca>

On Tue, Jul 07, 2020 at 02:39:05PM +0200, Tobias Brunner wrote:
> Hi,
>
> >>> I am trying to set up an anonymous "dial in pool"
> >>> using BSD's MPD5. All incoming are anonymous.
> >>
> >> What's a "dial in pool"? In what way anonymous? And what's the
> >> relation to MPD5, apparently a PPP daemon.
> >>
> >
> > mpd5 handles all the authentication. Anonymous as in we have no idea
> > who comes on, but mpd5 handles the issue of user credentials.
>
> No idea, you'd have to check what, if any, API MPD5 provides for other
> applications and then (if it's not RADIUS) write a plugin that uses that
> API to authenticate users via EAP.
>

Well, it has local secrets and the ability to contact RADIUS. All the current mpd5 does not look at current strongSwan. Google ikev1 strongswan mpd5.

> Regards,
> Tobias

From MakarandPradhan at is5com.com Tue Jul 7 19:01:23 2020
From: MakarandPradhan at is5com.com (Makarand Pradhan)
Date: Tue, 7 Jul 2020 17:01:23 +0000
Subject: [strongSwan] Tunnel and Transport mode mismatch
In-Reply-To:
References:
Message-ID:

Hello All,

When one side is set to transport and the other set to tunnel, the child SA is built in tunnel mode.

Question: Is this the expected behaviour?

I was expecting that the SA would be established but the child SA would not be installed.

ipsec.conf:

conn m1
        type=transport
        authby=secret

and the other side set to tunnel:

conn m1
        type=tunnel
        authby=secret

root at t1024rdb:/mnt/shared/b# ipsec status
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
          m1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f3cbb_i cfc827a2_o
          m1{1}:   172.16.31.0/24 === 172.16.31.0/24

When both are transport, the child SA is built as transport:

root at t1024rdb:/mnt/shared/b# ipsec status
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 2 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
          m1{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cdd622d2_i cfe1297d_o
          m1{1}:   172.16.31.1/32 === 172.16.31.2/32

Thanks for looking at my post.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr, Mississauga, Ontario L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: mailto:makarandpradhan at is5com.com
Website: http://www.is5com.com/
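A check for the mismatch described in the post above, written as an added example (not strongSwan's own code): it parses the plain-text output of `ipsec status` together with the `type=` of each `conn` in ipsec.conf and reports CHILD_SAs that came up in a different mode than configured, including the selectors that were actually installed (a /24 pair instead of the two /32 hosts, as in the post). The sample config and status output are constructed from the lines quoted in the post; the regexes assume the status line format shown there.

```python
"""
Flag CHILD_SAs whose installed mode (TUNNEL/TRANSPORT) differs from the
`type=` configured for the connection in ipsec.conf.

Added example, not strongSwan code. Both parsers are written for the
`ipsec status` line format quoted in the thread; that format is an
assumption for other strongSwan versions.
"""
import re

# "          m1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f3cbb_i cfc827a2_o"
INSTALLED_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+(?P<mode>TUNNEL|TRANSPORT)\b"
)
# "          m1{1}:   172.16.31.0/24 === 172.16.31.0/24"
TS_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)"
)


def parse_conn_types(ipsec_conf: str) -> dict:
    """Map each `conn` name to its `type=` value; ipsec.conf defaults to tunnel."""
    types = {}
    current = None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            types[current] = "tunnel"
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "type":
                types[current] = value.lower()
    return types


def parse_child_sas(status_text: str) -> list:
    """Collect name, mode and traffic selectors of every installed CHILD_SA."""
    sas = {}
    for line in status_text.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            entry = sas.setdefault((m["name"], m["id"]), {"name": m["name"]})
            entry["mode"] = m["mode"].lower()
            continue
        m = TS_RE.match(line)
        if m:
            entry = sas.setdefault((m["name"], m["id"]), {"name": m["name"]})
            entry["local_ts"] = m["local"]
            entry["remote_ts"] = m["remote"]
    # Only CHILD_SAs whose INSTALLED line was seen are reported.
    return [e for e in sas.values() if "mode" in e]


def find_mode_mismatches(ipsec_conf: str, status_text: str) -> list:
    """Return one dict per CHILD_SA whose installed mode differs from the config."""
    expected = parse_conn_types(ipsec_conf)
    mismatches = []
    for sa in parse_child_sas(status_text):
        want = expected.get(sa["name"])
        # Only tunnel/transport are comparable; other types are left alone.
        if want in ("tunnel", "transport") and want != sa["mode"]:
            mismatches.append({
                "name": sa["name"],
                "expected": want,
                "installed": sa["mode"],
                "selectors": f"{sa.get('local_ts', '?')} === {sa.get('remote_ts', '?')}",
            })
    return mismatches


# Constructed from the post: this side is configured for transport mode ...
IPSEC_CONF = """\
conn m1
        type=transport
        authby=secret
"""

# ... but the peer is set to tunnel and the CHILD_SA came up as TUNNEL with /24 selectors.
STATUS_TUNNEL = """\
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
          m1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f3cbb_i cfc827a2_o
          m1{1}:   172.16.31.0/24 === 172.16.31.0/24
"""

# Both sides transport: host-to-host selectors, nothing to report.
STATUS_TRANSPORT = """\
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 2 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
          m1{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cdd622d2_i cfe1297d_o
          m1{1}:   172.16.31.1/32 === 172.16.31.2/32
"""

if __name__ == "__main__":
    for mm in find_mode_mismatches(IPSEC_CONF, STATUS_TUNNEL):
        print(f"{mm['name']}: configured {mm['expected']}, installed {mm['installed']} ({mm['selectors']})")
    print("transport/transport mismatches:", find_mode_mismatches(IPSEC_CONF, STATUS_TRANSPORT))
```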
From ragami at bluecedar.com Fri Jul 10 23:23:44 2020
From: ragami at bluecedar.com (Roee Agami)
Date: Fri, 10 Jul 2020 17:23:44 -0400
Subject: [strongSwan] Mimic inner tunnel traffic
Message-ID:

Hi,

For reachability testing purposes I would like to mimic inner tunnel traffic toward resources beyond the terminating GW.
I read that I might be able to achieve that by setting some routing rules (table 220?).

When I establish an IPSec tunnel, on the GW I see the following (my VIP pool is 192.168.50.1 to .60 I believe):

192.168.50.9 via 192.168.1.164 dev eth1 table 220 proto static

eth1 is the side toward the initiator, eth0 is where the inner traffic usually flows to (behind the GW).

1. Do you think that I should create a virtual interface on top of eth0, then send the traffic from it? Or is there a way to set up routing rules to allow this? Obviously I would like to be able to get the responses back.
2. How does the GW today know how to route traffic coming from the tunnel into eth0?

Here is the rest of the table:

ip route show table all
default via 192.168.60.2 dev eth0 table 102
192.168.60.0/24 dev eth0 table 102 scope link
default via 192.168.1.1 dev eth1 table 103
192.168.1.0/24 dev eth1 table 103 scope link
192.168.50.9 via 192.168.1.164 dev eth1 table 220 proto static
default via 192.168.60.2 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev eth1 scope link metric 6
192.168.60.0/24 dev eth0 scope link metric 3
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.237
local 192.168.1.237 dev eth1 table local proto kernel scope host src 192.168.1.237
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.237
broadcast 192.168.60.0 dev eth0 table local proto kernel scope link src 192.168.60.201
local 192.168.60.201 dev eth0 table local proto kernel scope host src 192.168.60.201
broadcast 192.168.60.255 dev eth0 table local proto kernel scope link src 192.168.60.201
broadcast 192.168.122.0 dev virbr0 table local proto kernel scope link src 192.168.122.1
local 192.168.122.1 dev virbr0 table local proto kernel scope host src 192.168.122.1
broadcast 192.168.122.255 dev virbr0 table local proto kernel scope link src 192.168.122.1

Thanks!

From ragami at bluecedar.com Mon Jul 13 15:49:51 2020
From: ragami at bluecedar.com (Roee Agami)
Date: Mon, 13 Jul 2020 09:49:51 -0400
Subject: [strongSwan] Mimic inner tunnel traffic
Message-ID: <50F7AAAA-FD0E-4E14-A780-6992AD093D22@bluecedar.com>
From malik.chand at hotmail.com Wed Jul 15 14:16:26 2020
From: malik.chand at hotmail.com (Rizwan Saleem)
Date: Wed, 15 Jul 2020 12:16:26 +0000
Subject: [strongSwan] Users Digest, Vol 126, Issue 9
In-Reply-To:
References:
Message-ID:

Hi,

I have strongswan 8.2 Roadwarrior configuration; it worked fine when I disabled SELinux.
Is there any way that strongSwan can run without disabling SELinux?

Thanks
Rizwan Saleem

> On 14 Jul 2020, at 1:00 PM, "users-request at lists.strongswan.org" wrote:
>
> Send Users mailing list submissions to
> users at lists.strongswan.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.strongswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at lists.strongswan.org
>
> You can reach the person managing the list at
> users-owner at lists.strongswan.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
>
> Today's Topics:
>
> 1. Mimic inner tunnel traffic (Roee Agami)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 13 Jul 2020 09:49:51 -0400
> From: Roee Agami
> To: users at lists.strongswan.org
> Subject: [strongSwan] Mimic inner tunnel traffic
> Message-ID: <50F7AAAA-FD0E-4E14-A780-6992AD093D22 at bluecedar.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> For reachability testing purposes I would like to mimic inner tunnel traffic toward resources beyond the terminating GW.
> I read that I might be able to achieve that by setting some routing rules (table 220?).
>
> When I establish an IPSec tunnel, on the GW I see the following (my VIP pool is 192.168.50.1 to .60 I believe):
>
> 192.168.50.9 via 192.168.1.164 dev eth1 table 220 proto static
>
> eth1 is the side toward the initiator, eth0 is where the inner traffic usually flows to (behind the GW).
>
> 1. Do you think that I should create a virtual interface on top of eth0, then send the traffic from it? Or is there a way to set up routing rules to allow this? Obviously I would like to be able to get the responses back.
> 2. How does the GW today know how to route traffic coming from the tunnel into eth0?
>
> Here is the rest of the table:
>
> ip route show table all
> default via 192.168.60.2 dev eth0 table 102
> 192.168.60.0/24 dev eth0 table 102 scope link
> default via 192.168.1.1 dev eth1 table 103
> 192.168.1.0/24 dev eth1 table 103 scope link
> 192.168.50.9 via 192.168.1.164 dev eth1 table 220 proto static
> default via 192.168.60.2 dev eth0
> 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
> 192.168.1.0/24 dev eth1 scope link metric 6
> 192.168.60.0/24 dev eth0 scope link metric 3
> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1
> local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
> broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
> broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.237
> local 192.168.1.237 dev eth1 table local proto kernel scope host src 192.168.1.237
> broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.237
> broadcast 192.168.60.0 dev eth0 table local proto kernel scope link src 192.168.60.201
> local 192.168.60.201 dev eth0 table local proto kernel scope host src 192.168.60.201
> broadcast 192.168.60.255 dev eth0 table local proto kernel scope link src 192.168.60.201
> broadcast 192.168.122.0 dev virbr0 table local proto kernel scope link src 192.168.122.1
> local 192.168.122.1 dev virbr0 table local proto kernel scope host src 192.168.122.1
> broadcast 192.168.122.255 dev virbr0 table local proto kernel scope link src 192.168.122.1
>
>
> Thanks!
>
> End of Users Digest, Vol 126, Issue 9
> *************************************

From ragami at bluecedar.com Wed Jul 15 15:55:58 2020
From: ragami at bluecedar.com (Roee Agami)
Date: Wed, 15 Jul 2020 09:55:58 -0400
Subject: [strongSwan] Mimic inner tunnel traffic
Message-ID: <95837A56-92F6-4F75-8AED-A9430CFF3770@bluecedar.com>
From MakarandPradhan at is5com.com Wed Jul 15 22:38:50 2020
From: MakarandPradhan at is5com.com (Makarand Pradhan)
Date: Wed, 15 Jul 2020 20:38:50 +0000
Subject: [strongSwan] Multiple SAs on Link up. Race condition.
Message-ID:

Hello All,

I'm running strongswan 5.8.2.

I'm noticing multiple SAs and Child SAs set up, when both sides try to initiate a connection on link up. Is there a way to avoid multiple SAs being set up on link up?

My configuration is as follows:

Ipsec.conf:
config setup
        charondebug=@all@
        cachecrls=yes
        uniqueids=yes
        strictcrlpolicy=no

#####IS5#####
conn m2
        type=tunnel
        authby=secret
        auto=start
        keyexchange=ikev2
        ike=aes256-sha512-modp1536!
        aggressive=no
        ikelifetime=1h
        esp=aes256-sha256-modp2048!
        lifetime=2h
        right=172.16.32.2
        rightid=172.16.32.2
        rightsubnet=10.10.10.0/24,192.168.62.0/24
        left=172.16.32.1
        leftid=172.16.32.1
        leftsubnet=192.168.10.0/24,192.168.52.0/24
        mobike=no

root at t1024rdb:~# ipsec status
Security Associations (3 up, 0 connecting):
        m2[7]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
        m2{8}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c7cbf891_i c6e85d39_o
        m2{8}: 192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
        m2[6]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
        m2{7}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c5538838_i c69ab573_o
        m2{7}: 192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24

root at t1024rdb:~# swanctl -l
m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2527s
  m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5759s, expires in 6838s
    in  c7cbf891, 0 bytes, 0 packets
    out c6e85d39, 0 bytes, 0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24
m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
  local  '172.16.32.1' @ 172.16.32.1[500]
  remote '172.16.32.2' @ 172.16.32.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
  established 362s ago, reauth in 2101s
  m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 362s ago, rekeying in 5847s, expires in 6838s
    in  c5538838, 0 bytes, 0 packets
    out c69ab573, 0 bytes, 0 packets
    local  192.168.10.0/24 192.168.52.0/24
    remote 10.10.10.0/24 192.168.62.0/24

Thanks.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.

From yogeshpurohit2 at gmail.com Thu Jul 16 07:02:25 2020
From: yogeshpurohit2 at gmail.com (Yogesh Purohit)
Date: Thu, 16 Jul 2020 10:32:25 +0530
Subject: [strongSwan] How to find encryption key for ikev1
Message-ID:

Hi,

I was intending to decrypt isakmp packets for ike version 1 using wireshark.
In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.

I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
But this was used when strongswan used the Pluto daemon; now Charon is being used.

So how do I identify the initiator cookie and encryption key from the logs for ike version 1?

Thanks

--
Best Regards,

Yogesh Purohit

From doka.ua at gmx.com Thu Jul 16 11:01:17 2020
From: doka.ua at gmx.com (Volodymyr Litovka)
Date: Thu, 16 Jul 2020 12:01:17 +0300
Subject: [strongSwan] insufficient authentication rounds
Message-ID: <592C0AB3-91E8-4AE8-8D42-2DB9301C7A61@gmx.com>

Hi, colleagues,

probably, this is a very simple question and I'm just missing something very clear :)

I'm trying to use a few rounds of auth, like this:

connections {
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = x.x.x.x
        remote_addrs = %any
        pools = radius
        [ … ]
        local {
            auth = pubkey
            certs = fullchain.pem
            id = fqdn.my
        }
        remote-eap {
            round = 1
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        remote-psk {
            round = 2
            auth = psk
            id = %any
        }
        children {
            [ … ]
        }
    }
}
secrets {
    [ … ]
}

The basic idea is to give a client a chance to authenticate in two ways: try EAP and if it fails, then try PSK.

But in the output I see the following error in syslog:

Jul 16 11:47:47 test charon-systemd[25937]: authentication of 'doka' with EAP successful
Jul 16 11:47:47 test strongswan: 12[IKE] authentication of 'doka' with EAP successful
Jul 16 11:47:47 test charon-systemd[25937]: selected peer config 'ikev2-eap-mschapv2' inacceptable: insufficient authentication rounds
Jul 16 11:47:47 test strongswan: 12[IKE] IKE_SA ikev2-eap-mschapv2[75] state change: CONNECTING => DESTROYING
Jul 16 11:47:47 test charon-systemd[25937]: no alternative config found
Jul 16 11:47:47 test charon-systemd[25937]: generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]

Also, I tried to create local-c1 {round = 1} and local-c2 {round = 2} in order to conform to the number of rounds in the remote sections, but with the same result.

So, the question is whether my understanding of rounds is correct and, if yes, what I'm missing in this config to get it working as I expect?

Thank you.

--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison

From hakke_007 at gmx.de Thu Jul 16 12:58:01 2020
From: hakke_007 at gmx.de (Thomas Egerer)
Date: Thu, 16 Jul 2020 12:58:01 +0200
Subject: [strongSwan] insufficient authentication rounds
In-Reply-To: <592C0AB3-91E8-4AE8-8D42-2DB9301C7A61@gmx.com>
References: <592C0AB3-91E8-4AE8-8D42-2DB9301C7A61@gmx.com>
Message-ID: <1a1102a4-7463-2d42-9462-6690ec5a0fa9@gmx.de>

Hi Volodymyr,

the authentication rounds are mandatory, not optional. That's why charon expects three rounds of auth and fails since only two were done. You need to split the config into one where you only offer pubkey + eap auth and the other one employing psk only. charon should then be able to select the appropriate config based on the peer's auth.
Thomas

Note: re-reply to address list

On 7/16/20 11:01 AM, Volodymyr Litovka wrote:
> Hi, colleagues,
>
> probably, this is a very simple question and I'm just missing something very clear :)
>
> I'm trying to use a few rounds of auth, like this:
>
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
>         local_addrs = x.x.x.x
>         remote_addrs = %any
>         pools = radius
>         [ … ]
>         local {
>             auth = pubkey
>             certs = fullchain.pem
>             id = fqdn.my
>         }
>         remote-eap {
>             round = 1
>             auth = eap-radius
>             id = %any
>             eap_id = %any
>         }
>         remote-psk {
>             round = 2
>             auth = psk
>             id = %any
>         }
>         children {
>             [ … ]
>         }
>     }
> }
> secrets {
>     [ … ]
> }
>
> The basic idea is to give a client a chance to authenticate in two ways: try EAP and if it fails, then try PSK.
>
> But in the output I see the following error in syslog:
>
> Jul 16 11:47:47 test charon-systemd[25937]: authentication of 'doka' with EAP successful
> Jul 16 11:47:47 test strongswan: 12[IKE] authentication of 'doka' with EAP successful
> Jul 16 11:47:47 test charon-systemd[25937]: selected peer config 'ikev2-eap-mschapv2' inacceptable: insufficient authentication rounds
> Jul 16 11:47:47 test strongswan: 12[IKE] IKE_SA ikev2-eap-mschapv2[75] state change: CONNECTING => DESTROYING
> Jul 16 11:47:47 test charon-systemd[25937]: no alternative config found
> Jul 16 11:47:47 test charon-systemd[25937]: generating IKE_AUTH response 5 [ N(AUTH_FAILED) ]
>
> Also, I tried to create local-c1 {round = 1} and local-c2 {round = 2} in order to conform to the number of rounds in the remote sections, but with the same result.
>
> So, the question is whether my understanding of rounds is correct and, if yes, what I'm missing in this config to get it working as I expect?
>
> Thank you.
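As an added example (not Thomas's or Volodymyr's configuration): the split the reply describes, written as two swanctl.conf connections, one offering pubkey + EAP via RADIUS and one PSK only, so that each connection has exactly one remote round and the peer's auth method selects between them. Assumed: the PSK connection also authenticates the local side with the PSK, the `children` section and the secret value are placeholders, and the `radius` pool is left out of the PSK connection.

```conf
connections {
    # Clients that authenticate with EAP: the server proves itself with its
    # certificate, the client is authenticated by RADIUS. One remote round.
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = x.x.x.x
        remote_addrs = %any
        pools = radius
        local {
            auth = pubkey
            certs = fullchain.pem
            id = fqdn.my
        }
        remote {
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        children {
            # placeholder child; put the real children section here
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
    # Clients that authenticate with a pre-shared key: a separate connection,
    # so charon never asks this peer for a second authentication round.
    ikev2-psk {
        version = 2
        local_addrs = x.x.x.x
        remote_addrs = %any
        # assumed: the 'radius' pool only hands out addresses when eap-radius
        # is used, so a locally defined pool would be named here instead
        local {
            auth = psk
            id = fqdn.my
        }
        remote {
            auth = psk
            id = %any
        }
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
secrets {
    # PSK for the ikev2-psk connection; no id = ... so it applies to any peer
    ike-clients {
        secret = "REPLACE-WITH-REAL-PSK"
    }
}
```

With both connections matching `remote_addrs = %any`, the log line "no alternative config found" is what to look for if a peer still fails: it means neither connection's single remote round matched what the peer offered.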
>

From hakke_007 at gmx.de Thu Jul 16 13:12:46 2020
From: hakke_007 at gmx.de (Thomas Egerer)
Date: Thu, 16 Jul 2020 13:12:46 +0200
Subject: [strongSwan] How to find encryption key for ikev1
In-Reply-To:
References:
Message-ID: <2e8690ca-e286-c45f-0337-04f1c58e3e03@gmx.de>

Hi Yogesh,

the loglevel 3 will never reveal any keys to you. You'd need to enable loglevel 4. An easier way is to use the save-keys plugin. It even creates the appropriate output files to use in wireshark. See [1] how to enable and configure it.

Thomas

[1] https://wiki.strongswan.org/issues/3258

On 7/16/20 7:02 AM, Yogesh Purohit wrote:
> Hi,
>
> I was intending to decrypt isakmp packets for ike version 1 using wireshark.
> In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.
>
> I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
> I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
> But this was used when strongswan used the Pluto daemon; now Charon is being used.
>
> So how do I identify the initiator cookie and encryption key from the logs for ike version 1?
>
> Thanks
>
> --
> Best Regards,
>
> Yogesh Purohit

From hakke_007 at gmx.de Thu Jul 16 13:26:24 2020
From: hakke_007 at gmx.de (Thomas Egerer)
Date: Thu, 16 Jul 2020 13:26:24 +0200
Subject: [strongSwan] Multiple SAs on Link up. Race condition.
In-Reply-To:
References:
Message-ID: <706b882d-fa2a-9a01-7d66-c9f4ff49cf23@gmx.de>

Hi Makarand,

the option 'uniqueids=yes' is the preferred way to ensure uniqueness. However, as you've seen there are rare cases in which the detection fails. After all it should not affect your IPsec performance and your tunnels should work.

If you do not want this behavior disable autoinit on one side:

auto=add

This causes the tunnel to be brought up on traffic.

Thomas

On 7/15/20 10:38 PM, Makarand Pradhan wrote:
> Hello All,
>
> I'm running strongswan 5.8.2.
>
> I'm noticing multiple SAs and Child SAs set up, when both sides try to initiate a connection on link up. Is there a way to avoid multiple SAs being set up on link up?
>
> My configuration is as follows:
>
> Ipsec.conf:
> config setup
>         charondebug=@all@
>         cachecrls=yes
>         uniqueids=yes
>         strictcrlpolicy=no
>
> #####IS5#####
> conn m2
>         type=tunnel
>         authby=secret
>         auto=start
>         keyexchange=ikev2
>         ike=aes256-sha512-modp1536!
>         aggressive=no
>         ikelifetime=1h
>         esp=aes256-sha256-modp2048!
>         lifetime=2h
>         right=172.16.32.2
>         rightid=172.16.32.2
>         rightsubnet=10.10.10.0/24,192.168.62.0/24
>         left=172.16.32.1
>         leftid=172.16.32.1
>         leftsubnet=192.168.10.0/24,192.168.52.0/24
>         mobike=no
>
> root at t1024rdb:~# ipsec status
> Security Associations (3 up, 0 connecting):
>         m2[7]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>         m2{8}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c7cbf891_i c6e85d39_o
>         m2{8}: 192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>         m2[6]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>         m2{7}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c5538838_i c69ab573_o
>         m2{7}: 192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>
> root at t1024rdb:~# swanctl -l
> m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2527s
>   m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5759s, expires in 6838s
>     in  c7cbf891, 0 bytes, 0 packets
>     out c6e85d39, 0 bytes, 0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
> m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2101s
>   m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5847s, expires in 6838s
>     in  c5538838, 0 bytes, 0 packets
>     out c69ab573, 0 bytes, 0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
>
> Thanks.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.

From yogeshpurohit2 at gmail.com Thu Jul 16 13:44:20 2020
From: yogeshpurohit2 at gmail.com (Yogesh Purohit)
Date: Thu, 16 Jul 2020 17:14:20 +0530
Subject: [strongSwan] How to find encryption key for ikev1
In-Reply-To: <2e8690ca-e286-c45f-0337-04f1c58e3e03@gmx.de>
References: <2e8690ca-e286-c45f-0337-04f1c58e3e03@gmx.de>
Message-ID:

Hi Thomas,

Thanks for the update.
Yes, I have enabled log level 4 for ike in strongswan.conf with enc as 3.

ike = 4
enc = 3

I am seeing a lot of logs in the log file but I am not sure which one is the encryption key. As per the link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets it should be 16 bytes.
But none of them is 16 bytes.

SKEYID => 20 bytes @ 0x7a33d40047d0
   0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1  ......K9..lM....
  16: F7 AD 59 FC                                      ..Y.
SKEYID_d => 20 bytes @ 0x7a33d40047b0
   0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B  ....Jb..... ...K
  16: 2E 64 57 CE                                      .dW.
SKEYID_a => 20 bytes @ 0x7a33d4005760
   0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1  +.../.....N..0..
  16: AD 5A B6 AB                                      .Z..
SKEYID_e => 20 bytes @ 0x7a33d4003c30
   0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A  3..z<6..kow.]F..
  16: C4 77 89 1B                                      .w..
encryption key Ka => 32 bytes @ 0x7a33c000c320
   0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F  !..Y..<.X.~.....
  16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3  >t T_..Fu.v.....

Only this I see as 16 bytes:

initial IV => 16 bytes @ 0x7a33d4003c30
   0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F  zZ....P.........

So is the encryption key 32 bytes in the versions which use the charon daemon instead of pluto? Please do let me know if my assumption is correct or I am looking in the wrong place.

Since I am using an older version of Strongswan, I am not sure about the save-keys plugin.

Thanks

On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer wrote:
> Hi Yogesh,
>
> the loglevel 3 will never reveal any keys to you. You'd need
> to enable loglevel 4. An easier way is to use the save-keys
> plugin. It even creates the appropriate output files to use
> in wireshark. See [1] how to enable and configure it.
>
> Thomas
>
> [1] https://wiki.strongswan.org/issues/3258
>
> On 7/16/20 7:02 AM, Yogesh Purohit wrote:
> > Hi,
> >
> > I was intending to decrypt isakmp packets for ike version 1 using wireshark.
> > In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.
> >
> > I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
> > I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
> > But this was used when strongswan used the Pluto daemon; now Charon is being used.
> >
> > So how do I identify the initiator cookie and encryption key from the logs for ike version 1?
> >
> > Thanks
> >
> > --
> > Best Regards,
> >
> > Yogesh Purohit
>

--
Best Regards,

Yogesh Purohit

From hakke_007 at gmx.de Thu Jul 16 14:03:42 2020
From: hakke_007 at gmx.de (Thomas Egerer)
Date: Thu, 16 Jul 2020 14:03:42 +0200
Subject: [strongSwan] How to find encryption key for ikev1
In-Reply-To:
References: <2e8690ca-e286-c45f-0337-04f1c58e3e03@gmx.de>
Message-ID:

Hi Yogesh,

you should familiarize yourself with the fundamental concepts behind IKE before asking questions. Don't blindly follow an outdated online tutorial. Use the save-keys plugin; that's easiest and the documentation is up-to-date.

btw. your key size depends on the negotiated crypto algorithm; using the IV instead will decrypt nothing.

Thomas

On 7/16/20 1:44 PM, Yogesh Purohit wrote:
> Hi Thomas,
>
> Thanks for the update.
> Yes, I have enabled log level 4 for ike in strongswan.conf with enc as 3.
> ike = 4
> enc = 3
>
> I am seeing a lot of logs in the log file but I am not sure which one is the encryption key. As per the link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets it should be 16 bytes.
> But none of them is 16 bytes.
>
> SKEYID => 20 bytes @ 0x7a33d40047d0
>    0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1  ......K9..lM....
>   16: F7 AD 59 FC                                      ..Y.
> SKEYID_d => 20 bytes @ 0x7a33d40047b0
>    0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B  ....Jb..... ...K
>   16: 2E 64 57 CE                                      .dW.
> SKEYID_a => 20 bytes @ 0x7a33d4005760
>    0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1  +.../.....N..0..
>   16: AD 5A B6 AB                                      .Z..
> SKEYID_e => 20 bytes @ 0x7a33d4003c30
>    0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A  3..z<6..kow.]F..
>   16: C4 77 89 1B                                      .w..
> encryption key Ka => 32 bytes @ 0x7a33c000c320
>    0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F  !..Y..<.X.~.....
>   16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3  >t T_..Fu.v.....
>
> Only this I see as 16 bytes:
>
> initial IV => 16 bytes @ 0x7a33d4003c30
>    0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F  zZ....P.........
>
> So is the encryption key 32 bytes in the versions which use the charon daemon instead of pluto? Please do let me know if my assumption is correct or I am looking in the wrong place.
>
> Since I am using an older version of Strongswan, I am not sure about the save-keys plugin.
>
>
>
> Thanks
>
>
> On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer wrote:
>
> > Hi Yogesh,
> >
> > the loglevel 3 will never reveal any keys to you. You'd need
> > to enable loglevel 4. An easier way is to use the save-keys
> > plugin. It even creates the appropriate output files to use
> > in wireshark. See [1] how to enable and configure it.
> >
> > Thomas
> >
> > [1] https://wiki.strongswan.org/issues/3258
> >
> > On 7/16/20 7:02 AM, Yogesh Purohit wrote:
> > > Hi,
> > >
> > > I was intending to decrypt isakmp packets for ike version 1 using wireshark.
> > > In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.
> > >
> > > I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
> > > I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
> > > But this was used when strongswan used the Pluto daemon; now Charon is being used.
> > >
> > > So how do I identify the initiator cookie and encryption key from the logs for ike version 1?
> > >
> > > Thanks
> > >
> > > --
> > > Best Regards,
> > >
> > > Yogesh Purohit
>
>
> --
> Best Regards,
>
> Yogesh Purohit

From MakarandPradhan at is5com.com Thu Jul 16 14:49:12 2020
From: MakarandPradhan at is5com.com (Makarand Pradhan)
Date: Thu, 16 Jul 2020 12:49:12 +0000
Subject: [strongSwan] Multiple SAs on Link up. Race condition.
In-Reply-To: <706b882d-fa2a-9a01-7d66-c9f4ff49cf23@gmx.de>
References: <706b882d-fa2a-9a01-7d66-c9f4ff49cf23@gmx.de>
Message-ID:

Good morning Thomas.

Thanks for your response. As you mentioned the traffic is not affected, so we would not worry about one more connection for now.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.

-----Original Message-----
From: Thomas Egerer
Sent: July 16, 2020 7:26 AM
To: Makarand Pradhan ; users at lists.strongswan.org
Subject: Re: [strongSwan] Multiple SAs on Link up. Race condition.

Hi Makarand,

the option 'uniqueids=yes' is the preferred way to ensure uniqueness. However, as you've seen there are rare cases in which the detection fails. After all it should not affect your IPsec performance and your tunnels should work.
If you do not want this behavior disable autoinit on one side:

    auto=add

This causes the tunnel to be brought up on traffic.

Thomas

On 7/15/20 10:38 PM, Makarand Pradhan wrote:
> Hello All,
>
> I'm running strongswan 5.8.2.
>
> I'm noticing multiple SAs and Child SAs set up, when both sides try to initiate a connection on link up. Is there a way to avoid multiple SAs being set up on link up?
>
> My configuration is as follows:
>
> Ipsec.conf:
> config setup
>     charondebug=@all@
>     cachecrls=yes
>     uniqueids=yes
>     strictcrlpolicy=no
>
> #####IS5#####
> conn m2
>     type=tunnel
>     authby=secret
>     auto=start
>     keyexchange=ikev2
>     ike=aes256-sha512-modp1536!
>     aggressive=no
>     ikelifetime=1h
>     esp=aes256-sha256-modp2048!
>     lifetime=2h
>     right=172.16.32.2
>     rightid=172.16.32.2
>     rightsubnet=10.10.10.0/24,192.168.62.0/24
>     left=172.16.32.1
>     leftid=172.16.32.1
>     leftsubnet=192.168.10.0/24,192.168.52.0/24
>     mobike=no
>
> root at t1024rdb:~# ipsec status
> Security Associations (3 up, 0 connecting):
>     m2[7]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>     m2{8}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c7cbf891_i c6e85d39_o
>     m2{8}: 192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>     m2[6]: ESTABLISHED 6 minutes ago, 172.16.32.1[172.16.32.1]...172.16.32.2[172.16.32.2]
>     m2{7}: INSTALLED, TUNNEL, reqid 6, ESP SPIs: c5538838_i c69ab573_o
>     m2{7}: 192.168.10.0/24 192.168.52.0/24 === 10.10.10.0/24 192.168.62.0/24
>
> root at t1024rdb:~# swanctl -l
> m2: #7, ESTABLISHED, IKEv2, a5fc0a9cb8a9bfea_i a931c7d404349242_r*
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2527s
>   m2: #8, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5759s, expires in 6838s
>     in  c7cbf891, 0 bytes, 0 packets
>     out c6e85d39, 0 bytes, 0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
> m2: #6, ESTABLISHED, IKEv2, 2a17575859ea9c0f_i* 9409bec89f7dcff2_r
>   local  '172.16.32.1' @ 172.16.32.1[500]
>   remote '172.16.32.2' @ 172.16.32.2[500]
>   AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   established 362s ago, reauth in 2101s
>   m2: #7, reqid 6, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 362s ago, rekeying in 5847s, expires in 6838s
>     in  c5538838, 0 bytes, 0 packets
>     out c69ab573, 0 bytes, 0 packets
>     local  192.168.10.0/24 192.168.52.0/24
>     remote 10.10.10.0/24 192.168.62.0/24
>
> Thanks.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
>

From doka.ua at gmx.com Thu Jul 16 19:17:00 2020
From: doka.ua at gmx.com (Volodymyr Litovka)
Date: Thu, 16 Jul 2020 20:17:00 +0300
Subject: [strongSwan] Cisco ASA and PSK id
Message-ID: <882FEFA3-23C2-41FF-A758-FB2687813B5B@gmx.com>

Hi colleagues,

is there anybody who has experience connecting Cisco ASA with Strongswan using PSK? I have the following configuration on the SS side:

ikev2-psk {
    version = 2
    [ . . . ]
    local {
        auth = pubkey
        certs = fullchain.pem
        id = myid
    }
    remote {
        auth = psk
        id = %any
    }
    children {
        psk-child {
            [ . . . ]
        }
    }
}

secrets {
    ike-1 {
        id = ciscoasa
        secret = q1w2e3
    }
}

and while I use on ASA 'crypto isakmp identity hostname' (hostname is "ciscoasa"), this connection can be authenticated by SS:

charon-systemd[1566]: looking for peer configs matching local[%any]...remote[ciscoasa]
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2'
charon-systemd[1566]: authentication of 'ciscoasa' with pre-shared key successful
charon-systemd[1566]: constraint check failed: EAP identity '%any' required
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2' unacceptable: non-matching authentication done
charon-systemd[1566]: switching to peer config 'ikev2-psk'
charon-systemd[1566]: IKE_SA ikev2-psk[45] established between local[fqdn]...remote[ciscoasa]

but as soon as I switch to 'crypto isakmp identity key-id ciscoasa', SS says there are no matching keys:

charon-systemd[1566]: looking for peer configs matching local[%any]...remote[ciscoasa]
charon-systemd[1566]: selected peer config 'ikev2-eap-mschapv2'
charon-systemd[1566]: no shared key found for '%any' - 'ciscoasa'
charon-systemd[1566]: generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Which of the following choices is my case?

1) Cisco ASA sends the key-id in the wrong way
2) SS treats the received key-id in the wrong way
3) I'm missing something

Thank you.

--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison

From doka.ua at gmx.com Fri Jul 17 11:56:33 2020
From: doka.ua at gmx.com (Volodymyr Litovka)
Date: Fri, 17 Jul 2020 12:56:33 +0300
Subject: [strongSwan] Use Radius for gateway configuration
Message-ID: <51F27D1B-6951-4739-8FBE-EA32BE366B15@gmx.com>

Hi,

I use route-based VPNs for lots of different clients and, unfortunately, met with Cisco ASA.
Can't say I'm delighted: unlike others, it supports neither EAP-MSCHAPv2 nor VIP negotiation for route-based VPNs, which makes it impossible to use Radius as the authentication/authorization backend and introduces the necessity to describe remote_ts and secret per connection, like this:

ikev2-psk {
    [ ... ]
    remote {
        auth = psk
        id = ciscoasa
    }
    children {
        psk-child {
            local_ts = 0.0.0.0/0
            remote_ts = 172.29.24.100/32
        }
    }
}

secrets {
    ike-1 {
        id = ciscoasa
        secret = q1w2e3
    }
}

I'm just wondering, is it, nevertheless, possible to use Radius for configuring at least the Strongswan side in such cases? What I mean: use id/psk to authenticate the connection in Radius and get the VIP from Radius to provision the 'remote_ts' parameter and configure xfrm policies (ignoring "expected a virtual IP request, sending FAILED_CP_REQUIRED" and leaving the IP configuration on the remote side to be configured statically). This approach does not break the protocols themselves (because it is applicable to the gateway side only), but reduces configuration, keeping the PSK config common for all connections, like this:

ikev2-psk {
    [ ... ]
    pools = radius
    vip_rq = (yes|no)
    remote {
        auth = psk-radius(?)
        id = %any
    }
    children {
        psk-child {
            local_ts = 0.0.0.0/0
            remote_ts = dynamic
        }
    }
}

Any thoughts on whether this can be implemented either internally or using external scripts/hooks upon connection establishment?

Thank you.

--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison

From tobias at strongswan.org Mon Jul 20 17:06:54 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Mon, 20 Jul 2020 17:06:54 +0200
Subject: [strongSwan] Tunnel and Transport mode mismatch
In-Reply-To:
References:
Message-ID: <57160488-1fc6-7fc8-acbb-350633d9d5dc@strongswan.org>

Hi Makarand,

> When one side is set to transport and the other set to Tunnel, the child SA is built in Tunnel mode.
>
> Question: Is this the expected behaviour?
Yes, see RFC 7296, section 1.3.1:

   The USE_TRANSPORT_MODE notification MAY be included in a request
   message that also includes an SA payload requesting a Child SA.  It
   requests that the Child SA use transport mode rather than tunnel mode
   for the SA created.  If the request is accepted, the response MUST
   also include a notification of type USE_TRANSPORT_MODE.  If the
   responder declines the request, the Child SA will be established in
   tunnel mode.

Regards,
Tobias

From nirvanet at protonmail.com Tue Jul 21 18:46:02 2020
From: nirvanet at protonmail.com (Nirvanet)
Date: Tue, 21 Jul 2020 16:46:02 +0000
Subject: [strongSwan] Strongswan VPN gateway
Message-ID:

Hi all,

I am looking to set up a VPN gateway with Strongswan on my LAN and share my anonymous VPN service.

I have 2 NICs; the VPN tunnel is up but I am struggling to share this connection with my LAN.

What are the main steps to achieve this? NAT, some routes in table 220, a tunnel interface? I tried everything without any success...

Is there by chance a "how-to" somewhere?

Thanks all for your help

From athmane2.dz at gmail.com Wed Jul 22 07:44:22 2020
From: athmane2.dz at gmail.com (Athmane Bouazzouni)
Date: Wed, 22 Jul 2020 01:44:22 -0400
Subject: [strongSwan] Strongswan VPN gateway
In-Reply-To:
References:
Message-ID:

Hi,

How are you sharing your VPN with others? Did you change the routing on your internal network and on the VPN server (it has 2 NICs, right?)?

Did you set net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf?

Try to add (in ipsec.conf):

    installpolicy=yes
    leftfirewall=yes

Did you try to run tcpdump to see if the traffic arrives at the VPN server?

Regards,
http://devops101.net

On Tue, Jul 21, 2020, 12:46 PM Nirvanet wrote:
> Hi all,
>
> I am looking to setup a VPN gateway with Strongswan on my LAN and share my
> anonymous VPN service.
>
> I have 2 nics, the VPN tunnel is up but I am struggling to share this
> connection with my LAN.
>
> What's the main steps to achieve this?
> NAT, some routes in table 220, tunnel interface? I tried everything
> without any success...
>
> Is there by chance a "how-to" somewhere?
>
> Thanks all for your help

From guillaume.stritmatter at icecat.com Thu Jul 23 10:12:01 2020
From: guillaume.stritmatter at icecat.com (Guillaume Stritmatter)
Date: Thu, 23 Jul 2020 10:12:01 +0200
Subject: [strongSwan] Unable to ping machines on the remote network
Message-ID:

Hello,

I am running strongswan on a machine on an OVH openstack. The goal is to access the network from a TheGreenBow client. I am able to bring up the tunnel but from a Windows terminal, I am not able to ping a machine on the remote network.

                       Gateway                      Internet               NAT        WindowsClient
[192.168.161.15]<---->[192.168.161.201]<---->[Router]<----------------->[Router]<---->[192.168.1.32]

strongswan configuration:

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    leftfirewall=no
    authby=secret
    left=%any
    leftsubnet=192.168.161.0/24
    rightsourceip=10.3.0.0/24
    right=%any
    mark=43

ip address:

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:07:3e:5c brd ff:ff:ff:ff:ff:ff
    inet 192.168.171.12/24 brd 192.168.171.255 scope global dynamic eth0
       valid_lft 252228sec preferred_lft 252228sec
    inet6 fe80::f816:3eff:fe07:3e5c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:5d:8b:a6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.161.201/24 brd 192.168.161.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe5d:8ba6/64 scope link
       valid_lft forever preferred_lft forever

ip route show table all:

10.3.0.1 via 192.168.171.1 dev eth0 table 220 proto static src 192.168.161.201
192.168.2.0/24 via 192.168.171.1 dev eth0 table 220 proto static src 192.168.161.201
default via 192.168.171.1 dev eth0
169.254.169.254 via 192.168.171.1 dev eth0 proto static
192.168.161.0/24 dev eth1 proto kernel scope link src 192.168.161.201
192.168.171.0/24 dev eth0 proto kernel scope link src 192.168.171.12
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.161.0 dev eth1 table local proto kernel scope link src 192.168.161.201
local 192.168.161.201 dev eth1 table local proto kernel scope host src 192.168.161.201
broadcast 192.168.161.255 dev eth1 table local proto kernel scope link src 192.168.161.201
broadcast 192.168.171.0 dev eth0 table local proto kernel scope link src 192.168.171.12
local 192.168.171.12 dev eth0 table local proto kernel scope host src 192.168.171.12
broadcast 192.168.171.255 dev eth0 table local proto kernel scope link src 192.168.171.12
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80:: dev lo table local proto unspec metric 0 pref medium
local fe80:: dev lo table local proto unspec metric 0 pref medium
local fe80::f816:3eff:fe07:3e5c dev lo table local proto unspec metric 0 pref medium
local fe80::f816:3eff:fe5d:8ba6 dev lo table local proto unspec metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium

ip rule:

0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

sysctl -A | grep -E "ipv4.*(\.forwarding|ip_forward)":

net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0

Does someone have an idea?

Thanks!

Guillaume

From pankajrazdan at yahoo.com Tue Jul 28 19:30:33 2020
From: pankajrazdan at yahoo.com (pankaj razdan)
Date: Tue, 28 Jul 2020 17:30:33 +0000 (UTC)
Subject: [strongSwan] Mobike on strongswan MAC OSX Client
References: <1134526221.8436010.1595957433673.ref@mail.yahoo.com>
Message-ID: <1134526221.8436010.1595957433673@mail.yahoo.com>

Hello,

I am facing an issue with the strongswan MAC OS X client which I have compiled from source.

version
--------------
Starting IKE charon daemon (strongSwan 5.7.2dr2, Linux 4.15.0-112-generic, x86_64)
---------------

I am able to connect to the server in a road warrior scenario.
When I switch wifi on my MAC laptop, the source outer IP address (192.168.1.5) does not change for the IKE SA.

Here is the log of what happens after I switch the WiFi connection:

Jul 28 19:57:41 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:41 10[KNL] ExC: 192.168.1.112 appeared on en0
Jul 28 19:57:41 10[KNL] ExC: en0 is up and changed
Jul 28 19:57:41 10[IKE] ExC: Schedule Route Reinstall
Jul 28 19:57:41 09[IKE] ExC: reinstall start
Jul 28 19:57:41 10[KNL] creating roam job due to address/link change
Jul 28 19:57:41 10[IKE] ExC: Roaming start
Jul 28 19:57:41 10[IKE] ExC: Check current path
Jul 28 19:57:41 10[KNL] using 192.168.1.5 as address to reach 32.2.4.18
Jul 28 19:57:41 10[IKE] keeping connection path 192.168.1.5 - 32.2.4.18
Jul 28 19:57:41 10[IKE] sending address list update using MOBIKE
Jul 28 19:57:41 10[IKE] queueing IKE_MOBIKE task
Jul 28 19:57:41 10[IKE] EXC: task_manager initiate
Jul 28 19:57:41 10[IKE] activating new tasks
Jul 28 19:57:41 10[IKE]    activating IKE_MOBIKE task
Jul 28 19:57:41 10[IKE] ExC: start msg generation (me 192.168.1.5)
Jul 28 19:57:41 10[KNL] using 192.168.1.5 as address to reach 32.2.4.18
Jul 28 19:57:41 10[IKE] EER 1: IKE-SA-ID
Jul 28 19:57:41 10[IKE] EER: SA-ID: 1, My Host 192.168.1.5[4500], Other 32.2.4.18[4500], SPI 000000000ae53452
Jul 28 19:57:41 10[IKE] EER: CHILD SA: cnt 2
Jul 28 19:57:41 10[ENC] generating INFORMATIONAL request 11 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 28 19:57:41 10[KNL] using 192.168.1.5 as address to reach 32.2.4.18
Jul 28 19:57:41 10[NET] sending packet: sock: from 192.168.1.5[4500] to 32.2.4.18[4500] (96 bytes)
Jul 28 19:57:41 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:41 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:42 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:42 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:42 03[NET] error writing to socket: Can't assign requested address
=========================

Please note that 192.168.1.5 is the earlier IP address with which IKE could be established.

list-sas output:

ESTABLISHED, IKEv2, d84a1ea80c9f9b35_i* 84744da70ab07c50_r
  local  'pan.r at ex.net' @ 192.168.1.5[4500] [172.4.0.2]
  remote 'exd.ex.net' @ 32.2.4.18[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
  established 53s ago, rekeying in 13127s, reauth in 84265s
  exd: #6, reqid 5, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 55s ago, rekeying in 3302s, expires in 3907s
    in  943a60be,    385 bytes,     5 packets,    49s ago
    out c504033d,    322 bytes,     5 packets,    49s ago
    local  172.4.0.2/32
    remote 192.168.124.0/24
  exd-0: #7, reqid 6, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 49s ago, rekeying in 3191s, expires in 3911s
    in  7072d8c3, 104160 bytes,   160 packets,    16s ago
    out c1ba4664,  86131 bytes,   345 packets,     0s ago
    local  172.4.0.2/32
    remote 192.168.125.100/32

load-conns output:

exd: IKEv2, no reauthentication, rekeying every 14400s, dpd delay 200s
  local:  %any
  remote: exe4oho.exium.net
  local EAP_EXPANDED authentication:
    id: pan.r at ex.net
  remote public key authentication:
    id: exd.ex.net
  exd-0: TUNNEL, rekeying every 3600s, dpd action is clear
    local:  dynamic
    remote: 192.168.125.100/32
  exd: TUNNEL, rekeying every 3600s, dpd action is clear
    local:  dynamic
    remote: 192.168.124.0/24

Please let me know if any other information is required.

Thanks,
Pankaj
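Added example for the roaming log above (my code, not strongSwan's and not the poster's): a small Python analyzer that correlates the three kinds of lines that matter here, an address appearing on an interface, charon's "keeping connection path" decision, and the subsequent "Can't assign requested address" send failures, and reports a stale source address when the kept path's source is not one of the addresses that appeared and sends from it keep failing. The first sample log is constructed from the post with the run-together lines separated and the poster's private ExC/EER debug lines dropped; the second is a made-up roam in which the old address stays usable, so nothing is flagged. The message wording the regexes key on is the wording visible in this log and is assumed to hold for other charon versions.

```python
"""Spot a stale IKE source address after a Wi-Fi switch by correlating
charon log lines.

Added example for the thread above, not strongSwan code.  The sample logs
are constructed: STALE_LOG re-types the post's run-together log with the
poster's private debugging prefixes dropped, HEALTHY_LOG is a made-up roam
where the old address keeps working.  The regexes key on the wording visible
in that log and are an assumption for other charon versions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the post above (line breaks restored, ExC/EER lines dropped).
STALE_LOG = """\
Jul 28 19:57:41 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:41 10[KNL] 192.168.1.112 appeared on en0
Jul 28 19:57:41 10[KNL] creating roam job due to address/link change
Jul 28 19:57:41 10[KNL] using 192.168.1.5 as address to reach 32.2.4.18
Jul 28 19:57:41 10[IKE] keeping connection path 192.168.1.5 - 32.2.4.18
Jul 28 19:57:41 10[IKE] sending address list update using MOBIKE
Jul 28 19:57:41 10[ENC] generating INFORMATIONAL request 11 [ N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 28 19:57:41 10[NET] sending packet: from 192.168.1.5[4500] to 32.2.4.18[4500] (96 bytes)
Jul 28 19:57:41 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:41 03[NET] error writing to socket: Can't assign requested address
Jul 28 19:57:42 03[NET] error writing to socket: Can't assign requested address
"""

# Made-up roam: a new address appears but the old one is still usable, so the
# kept path works and no send error follows.
HEALTHY_LOG = """\
Jul 28 20:01:03 10[KNL] 192.168.1.112 appeared on en0
Jul 28 20:01:03 10[KNL] creating roam job due to address/link change
Jul 28 20:01:03 10[KNL] using 192.168.1.5 as address to reach 32.2.4.18
Jul 28 20:01:03 10[IKE] keeping connection path 192.168.1.5 - 32.2.4.18
Jul 28 20:01:03 10[NET] sending packet: from 192.168.1.5[4500] to 32.2.4.18[4500] (96 bytes)
"""

RE_APPEARED = re.compile(r"\[KNL\] (\S+) appeared on (\S+)")
RE_KEEP = re.compile(r"\[IKE\] keeping connection path (\S+) - (\S+)")
RE_SEND = re.compile(r"\[NET\] sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
RE_EADDR = re.compile(r"\[NET\] error writing to socket: Can.t assign requested address")


def analyze_roam(log_text: str) -> Dict[str, object]:
    """Correlate address-appeared, path-decision and send-error lines.

    "stale" is set when charon kept a path whose source is not one of the
    addresses that appeared during the roam and at least one send after
    that decision failed with "Can't assign requested address".
    """
    new_addrs: List[str] = []
    path: Optional[Tuple[str, str]] = None
    last_send_src: Optional[str] = None
    errors_after_path = 0
    for line in log_text.splitlines():
        if m := RE_APPEARED.search(line):
            new_addrs.append(m.group(1))
        elif m := RE_KEEP.search(line):
            path = (m.group(1), m.group(2))
            errors_after_path = 0  # only count failures after the decision
        elif m := RE_SEND.search(line):
            last_send_src = m.group(1)
        elif RE_EADDR.search(line) and path is not None:
            errors_after_path += 1
    stale = (path is not None and bool(new_addrs)
             and path[0] not in new_addrs and errors_after_path > 0)
    verdict = ("stale source address: charon keeps %s although %s appeared; "
               "%d sends failed" % (path[0], ", ".join(new_addrs), errors_after_path)
               if stale else "no stale path detected")
    return {
        "path": path,
        "new_addresses": new_addrs,
        "last_send_src": last_send_src,
        "send_errors_after_path": errors_after_path,
        "stale": stale,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("stale", STALE_LOG), ("healthy", HEALTHY_LOG)):
        print(name, "->", analyze_roam(log)["verdict"])
```

Feed it a real charon log filtered to one IKE_SA (the thread number in brackets); the count of send errors after the "keeping connection path" line is the signal that the kept source address is gone from the host, which is the situation the post describes.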
From tobias at strongswan.org Wed Jul 29 09:56:44 2020
From: tobias at strongswan.org (Tobias Brunner)
Date: Wed, 29 Jul 2020 09:56:44 +0200
Subject: [strongSwan] Mobike on strongswan MAC OSX Client
In-Reply-To: <1134526221.8436010.1595957433673@mail.yahoo.com>
References: <1134526221.8436010.1595957433673.ref@mail.yahoo.com> <1134526221.8436010.1595957433673@mail.yahoo.com>
Message-ID:

Hi Pankaj,

> I am facing issue with strongswan MAC OS X client which I have compiled
> from source.
>
> version
> --------------
> Starting IKE charon daemon (strongSwan 5.7.2dr2, Linux
> 4.15.0-112-generic, x86_64)

That seems to contradict what you wrote above (Linux != macOS). And why use an old developers release?

> I am able to connect to server in road warrior scenario. When I switch
> wifi on my MAC laptop, source outer IP address (192.168.1.5) does not
> change for IKE SA.

If the "old" address is still available and a route leads to it, nothing will change unless you force the daemon to ignore the current path by enabling charon.prefer_best_path (depending on the routes, the path might still not change).

Regards,
Tobias

From pankajrazdan at yahoo.com Wed Jul 29 14:52:38 2020
From: pankajrazdan at yahoo.com (pankaj razdan)
Date: Wed, 29 Jul 2020 12:52:38 +0000 (UTC)
Subject: [strongSwan] Mobike on strongswan MAC OSX Client
In-Reply-To:
References: <1134526221.8436010.1595957433673.ref@mail.yahoo.com> <1134526221.8436010.1595957433673@mail.yahoo.com>
Message-ID: <600298565.8878086.1596027158991@mail.yahoo.com>

Hi Tobias,

Thank you for your response. Please see my response inline below.

Thanks,
Pankaj

> I am facing issue with strongswan MAC OS X client which I have compiled
> from source.
>
> version
> --------------
> Starting IKE charon daemon (strongSwan 5.7.2dr2, Linux
> 4.15.0-112-generic, x86_64)

That seems to contradict what you wrote above (Linux != macOS). And why use an old developers release?

Sorry, my bad. I copied from a linux system rather than from the MAC.
We have ported this version to both linux and MAC. We are planning to move to the latest version this quarter. There were a few vpp plugins which we could leverage from this release.

> I am able to connect to server in road warrior scenario. When I switch
> wifi on my MAC laptop, source outer IP address (192.168.1.5) does not
> change for IKE SA.

If the "old" address is still available and a route leads to it, nothing will change unless you force the daemon to ignore the current path by enabling charon.prefer_best_path (depending on the routes, the path might still not change).

Thank you. I made this change in strongswan.conf; it still did not work. So I changed the route based on the "new" address from the CLI (route change cmd), then I could see the outer IP changed to the "new" IP. However, I could not see these packets in the wireshark capture.

Jul 29 14:33:37 02[NET] error writing to socket: Can't assign requested address
Jul 29 14:33:37 14[IKE] path probing attempt 8
Jul 29 14:33:37 14[IKE] ExC: get_source_addr for dst 32.2.4.18, src (null)
Jul 29 14:33:37 14[IKE] ExC: get_route,   192.168.1.112
Jul 29 14:33:37 14[KNL] using 192.168.1.112 as address to reach 32.2.4.18
Jul 29 14:33:37 14[IKE] checking path 192.168.1.112[4500] - 32.2.4.18[4500]
Jul 29 14:33:37 14[NET] sending packet: sock: from 192.168.1.112[4500] to 32.2.4.18[4500] (96 bytes)
Jul 29 14:33:37 14[IKE] ExC: get_source_addr for dst 192.168.124.100, src (null)
Jul 29 14:33:37 14[IKE] ExC: get_route

I was wondering whether my approach is wrong or it is more of a system issue I am facing. All I am doing is switching wifi on my machine to test Mobike.

Regards,
Pankaj

From yoconono at yoconono.com Wed Jul 29 21:07:09 2020
From: yoconono at yoconono.com (yoconono at yoconono.com)
Date: Wed, 29 Jul 2020 21:07:09 +0200
Subject: [strongSwan] swanctl // Traffic not going through the tunnel
Message-ID: <06f8a2245cd2116642cfa0106738796f@yoconono.com>

Greetings,

I have an issue with a VPN I'm building. I need to access the subnet 10.0.1.0/24 from my local equipment (local IP 10.0.100.0/24; debian10 server, ip forward activated).
I did create a swanctl configuration:

connections {
    sample1 {
        local_addrs=1.1.1.1
        remote_addrs=2.2.2.2
        local {
            auth=psk
            id=1.1.1.1
        }
        remote {
            auth=psk
            id=2.2.2.2
        }
        dpd_delay=5
        version=2
        dpd_timeout=240
        rekey_time=180m
        proposals=aes256-sha2_512-prfsha512-ecp384
        children {
            sample1_sub {
                local_ts=10.0.1.0/24
                remote_ts=10.0.100.0/24
                esp_proposals=aes256-sha2_512-ecp384
                rekey_time=8h
                life_time=3h
                dpd_action=start
                start_action=start
                mode=tunnel
            }
        }
    }
}

secrets {
    sample1_psk {
        id-1=1.1.1.1
        id-2=2.2.2.2
        secret=thissiasecret
    }
}

The tunnel comes up with no issue:

[E1]root at server1:/etc/swanctl$ swanctl -l
sample1: #2, ESTABLISHED, IKEv2, c7915dbccec5c781_i d851ade093b4f8b1_r*
  local  '1.1.1.1' @ 1.1.1.1[500]
  remote '2.2.2.2' @ 2.2.2.2[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
  established 5370s ago, rekeying in 5290s

The route to reach the target subnet is also added to table 220 when the tunnel comes up:

[E1]root at server1:/etc/swanctl$ ip route show table 220
10.0.1.0/24 via 1.1.1.1 dev eth0 proto static src 10.0.100.254

but whenever I try to use the tunnel (like doing a traceroute to 10.0.1.0 -s 10.0.100.254) my traffic goes to the eth0 regular WAN and never gets encapsulated into the tunnel.

I looked into it, reading docs for a while, but I was not able to find the reason. Likely due to my lack of knowledge, I bet :/

Can anyone help me to understand what I missed?

Note: I did not add anything related to the FW as I first need to have traffic going into the tunnel. As long as it goes to the regular internet it's pointless setting it up.

Thanks
Stephane
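Added example for the question above (my code, not strongSwan's, not iproute2's and not the poster's): whether a packet is encapsulated is decided by the outbound xfrm policy that the CHILD_SA installs, not by the table 220 route, so the practical check is to dump `ip xfrm policy` and test the actual flow against the selectors. The script below parses a dump in the layout iproute2 prints and reports which policy, if any, covers a source/destination pair. Both policy sets are constructed, not captured from the poster's host: the first uses the selectors exactly as they stand in the post's sample1_sub (local_ts=10.0.1.0/24, remote_ts=10.0.100.0/24), the second swaps them so that local_ts is the 10.0.100.0/24 LAN the post names as local; the peer addresses are the post's 1.1.1.1/2.2.2.2, while the reqid, priority and the remote host 10.0.1.1 are assumptions. Note that a policy can only be matched if a CHILD_SA is installed at all; the `swanctl -l` output quoted above lists only the IKE_SA, and an installed child would be listed beneath it.

```python
"""Check whether a flow would be caught by an outbound xfrm policy.

Added example for the thread above; it is not strongSwan or iproute2 code.
The policy dumps are rendered in the shape `ip xfrm policy` prints them and
are constructed, not captured from the poster's host: the selectors come
from the post's swanctl.conf (and are swapped in the second set), the peer
addresses 1.1.1.1/2.2.2.2 are the post's, reqid and priority are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    tmpl_src: Optional[str] = None
    tmpl_dst: Optional[str] = None
    reqid: Optional[int] = None
    mode: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        """True if the selector covers the flow in the given direction."""
        return (self.direction == direction
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


RE_HEAD = re.compile(r"^src (\S+) dst (\S+)")
RE_DIR = re.compile(r"^\s+dir (\w+)")
RE_TMPL = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
RE_PROTO = re.compile(r"^\s+proto \w+(?: spi \S+)? reqid (\d+) mode (\w+)")


def parse_xfrm_policy(dump: str) -> List[XfrmPolicy]:
    """Parse the text of `ip xfrm policy` into XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for line in dump.splitlines():
        if m := RE_HEAD.match(line):
            cur = XfrmPolicy(ipaddress.ip_network(m.group(1), strict=False),
                             ipaddress.ip_network(m.group(2), strict=False))
            policies.append(cur)
        elif cur is None:
            continue
        elif m := RE_DIR.match(line):
            cur.direction = m.group(1)
        elif m := RE_TMPL.match(line):
            cur.tmpl_src, cur.tmpl_dst = m.group(1), m.group(2)
        elif m := RE_PROTO.match(line):
            cur.reqid, cur.mode = int(m.group(1)), m.group(2)
    return policies


def covering_policy(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
                    direction: str = "out") -> Optional[XfrmPolicy]:
    """First policy whose selector matches the flow, or None (sent in clear)."""
    for pol in policies:
        if pol.matches(src_ip, dst_ip, direction):
            return pol
    return None


def render_policies(local_ts: str, remote_ts: str, local_addr: str = "1.1.1.1",
                    remote_addr: str = "2.2.2.2", reqid: int = 1) -> str:
    """Constructed `ip xfrm policy` dump for one tunnel-mode CHILD_SA
    (out, fwd and in policies) in the layout iproute2 prints."""
    out = (f"src {local_ts} dst {remote_ts} \n"
           f"\tdir out priority 375423 ptype main \n"
           f"\ttmpl src {local_addr} dst {remote_addr}\n"
           f"\t\tproto esp spi 0x00000000 reqid {reqid} mode tunnel\n")
    inbound = ""
    for direction in ("fwd", "in"):
        inbound += (f"src {remote_ts} dst {local_ts} \n"
                    f"\tdir {direction} priority 375423 ptype main \n"
                    f"\ttmpl src {remote_addr} dst {local_addr}\n"
                    f"\t\tproto esp reqid {reqid} mode tunnel\n")
    return out + inbound


def explain(policies: List[XfrmPolicy], src_ip: str, dst_ip: str) -> str:
    """One-line verdict for an outbound flow."""
    pol = covering_policy(policies, src_ip, dst_ip, "out")
    if pol is None:
        return f"{src_ip} -> {dst_ip}: no outbound policy, sent in the clear"
    return (f"{src_ip} -> {dst_ip}: matched {pol.src} -> {pol.dst}, "
            f"ESP {pol.mode} {pol.tmpl_src} -> {pol.tmpl_dst} (reqid {pol.reqid})")


if __name__ == "__main__":
    as_posted = parse_xfrm_policy(render_policies("10.0.1.0/24", "10.0.100.0/24"))
    swapped = parse_xfrm_policy(render_policies("10.0.100.0/24", "10.0.1.0/24"))
    print(explain(as_posted, "10.0.100.254", "10.0.1.1"))
    print(explain(swapped, "10.0.100.254", "10.0.1.1"))
```

On a real gateway, pipe the output of `ip xfrm policy` into parse_xfrm_policy and call explain with the source address traceroute is told to use and the target host; if no outbound policy covers the pair, the kernel never consults the ESP state and the packet leaves eth0 in the clear regardless of what table 220 says.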