[strongSwan] Users Digest, Vol 125, Issue 29

Rizwan Saleem malik.chand at hotmail.com
Wed Jun 24 22:58:59 CEST 2020


I was using strongSwan 5.7 and it was working fine on Center 7.
Now with 5.8.x I'm struggling to configure it; at the stage of starting strongSwan it gave me an error.
Can someone advise what is necessary?

> On 24 Jun 2020, at 4:20 PM, "users-request at lists.strongswan.org" <users-request at lists.strongswan.org> wrote:
> 
> Today's Topics:
> 
>   1. Re: Client to site and freeradius
>      (Клеусов Владимир Сергеевич)
>   2. Re: Client to site and freeradius (Tobias Brunner)
>   3. Re: Client to site and freeradius
>      (Клеусов Владимир Сергеевич)
>   4. Re: Client to site and freeradius (Volodymyr Litovka)
>   5. Re: StrongSwan w/ multiple local subnets. (TomK)
>   6. Re: StrongSwan w/ multiple local subnets. (Tobias Brunner)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 24 Jun 2020 11:00:01 +0000
> From: Клеусов Владимир Сергеевич
>    <Kleusov.Vladimir at wildberries.ru>
> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Client to site and freeradius
> Message-ID: <83B9AE98-FE03-42FA-856A-F8BFEF996915 at wildberries.ru>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi
> Thanks
> Does the standard Mac OS VPN client work via MSCHAPv2? On FreeRADIUS I have it disabled, and why this is so.
> 
>> On 24 June 2020, at 12:34, Tobias Brunner <tobias at strongswan.org> wrote:
>> 
>> Hi,
>> 
>>> Is it possible to configure
>>> strongswan with this configuration? If so, why?
>> 
>> Yes, strongSwan is not directly involved in the authentication if you
>> use the eap-radius plugin.  The EAP messages are exchanged between
>> client and RADIUS server, strongSwan only forwards them.  So any EAP
>> method can be used as long as client and RADIUS server can both agree on
>> one.
>> 
>>> Then the authentication error and the logs of the radius 
>>> login incorrect (EAP: no mutually acceptable types)
>> 
>> Apparently, the client doesn't support the EAP method the RADIUS server
>> proposes.
>> 
>> Regards,
>> Tobias
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 24 Jun 2020 13:11:30 +0200
> From: Tobias Brunner <tobias at strongswan.org>
> To: Клеусов Владимир Сергеевич
>    <Kleusov.Vladimir at wildberries.ru>
> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Client to site and freeradius
> Message-ID: <59554e21-7ad7-95fe-4ee8-77cd2af48efd at strongswan.org>
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
> 
>> Does the standard Mac os vpn client work via mschapv2 ?
> 
> Yes.
> 
> Regards,
> Tobias
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 24 Jun 2020 11:19:04 +0000
> From: Клеусов Владимир Сергеевич
>    <Kleusov.Vladimir at wildberries.ru>
> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Client to site and freeradius
> Message-ID: <F3239E28-E023-440B-AE4D-ED61094C8F1F at wildberries.ru>
> Content-Type: text/plain; charset="utf-8"
> 
> Thank you again. Then the case is closed. I would be grateful if you could tell me if there are any clients with PAP =)
> 
>> On 24 June 2020, at 14:11, Tobias Brunner <tobias at strongswan.org> wrote:
>> 
>> Hi,
>> 
>>> Does the standard Mac os vpn client work via mschapv2 ?
>> 
>> Yes.
>> 
>> Regards,
>> Tobias
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 24 Jun 2020 15:40:12 +0300
> From: Volodymyr Litovka <doka.ua at gmx.com>
> To: Клеусов Владимир Сергеевич
>    <Kleusov.Vladimir at wildberries.ru>
> Cc: doka.ua at gmx.com, "users at lists.strongswan.org"
>    <users at lists.strongswan.org>
> Subject: Re: [strongSwan] Client to site and freeradius
> Message-ID: <5c68bab9-1555-a076-5ba5-6281865a8cfa at gmx.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
> 
> Hi Vladimir,
> 
> I'm using FreeRadius with EAP-MSCHAPv2 to authenticate Cisco, Mikrotik,
> Windows 10 and MacOS clients. Everything works.
> 
> On 24.06.2020 14:00, Клеусов Владимир Сергеевич wrote:
>> Hi
>> Thanks
>> Does the standard Mac OS VPN client work via MSCHAPv2? On FreeRADIUS I have it disabled, and why this is so.
>> 
>>> On 24 June 2020, at 12:34, Tobias Brunner <tobias at strongswan.org> wrote:
>>> 
>>> Hi,
>>> 
>>>> Is it possible to configure
>>>> strongswan with this configuration? If so, why?
>>> Yes, strongSwan is not directly involved in the authentication if you
>>> use the eap-radius plugin.  The EAP messages are exchanged between
>>> client and RADIUS server, strongSwan only forwards them.  So any EAP
>>> method can be used as long as client and RADIUS server can both agree on
>>> one.
>>> 
>>>> Then the authentication error and the logs of the radius
>>>> login incorrect (EAP: no mutually acceptable types)
>>> Apparently, the client doesn't support the EAP method the RADIUS server
>>> proposes.
>>> 
>>> Regards,
>>> Tobias
> 
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Wed, 24 Jun 2020 09:00:35 -0400
> From: TomK <tomkcpr at mdevsys.com>
> To: Tobias Brunner <tobias at strongswan.org>, users at lists.strongswan.org
> Subject: Re: [strongSwan] StrongSwan w/ multiple local subnets.
> Message-ID: <63ccfb1a-1a3f-16e4-346f-c6acd82c6cde at mdevsys.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
>> On 6/24/2020 5:48 AM, Tobias Brunner wrote:
>> Hi Tom,
>> 
>>> This is a DD-WRT router. Uses a pre-built kernel I might not have too
>>> much option in customizing it.  But I tried removing it
>> 
>> kernel-libipsec is a userland IPsec implementation (read the wiki page),
>> it has nothing to do with the kernel (except that it has to be able to
>> create TUN devices).
>> 
>> However, to use the kernel's IPsec stack, it is missing an important module:
>> 
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create
>>> netlink socket: Protocol not supported (93)
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open
>>> socket: Address family not supported by protocol
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6
>>> socket, IPv6 disabled
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass
>>> policy failed
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass
>>> policy failed
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP
>>> decapsulation for IPv4 on port 4500 failed
>>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature
>>> CUSTOM:libcharon in critical plugin 'charon' has unmet dependency:
>>> CUSTOM:kernel-ipsec
>> 
>>> Interestingly, what I do have is:
>> 
>> What you are definitely missing is xfrm_user, which is required for the
>> daemon to communicate with the kernel.  Without that module all the
>> others are pretty much useless, so no idea why your kernel is configured
>> like that.
> 
> May I ask which exact line above told you I'm missing xfrm_user?  The 
> ones that start with CUSTOM?
> 
> Have a post to try and get one compiled in.
> 
> https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208983#1208983
> 
> This is DD-WRT so it's a minimized router kernel. I was as surprised as the 
> next guy learning that module isn't available. Since I'm trying to get 
> the remote VLANs mapped over to my VLANs here, this router is the best 
> spot to do that from.
> 
>> 
>>> I no longer have to run:
>>> 
>>> ip route add 10.10.0.0/24 dev ipsec0
>>> 
>>> for packets to show up on ipsec0:
>> 
>> As I mentioned, strongSwan installs a route automatically if there is a
>> local IP in the local traffic selector.  You can see those in table 220.
>> 
>>> root at DD-WRT:~# tcpdump -i ipsec0 -s 0 -n
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
>>> 08:44:28.318516 IP 100.100.100.100  > 10.10.0.4: ICMP echo request, id
>>> 36426, seq 0, length 64
>>> 08:44:29.325741 IP 100.100.100.100  > 10.10.0.4: ICMP echo request, id
>>> 36426, seq 1, length 64
>>> 
>>> but not anymore.
>> 
>> No you won't as these packets don't match the negotiated traffic
>> selectors.  The local TS is 192.168.0.0/24, which obviously doesn't
>> match 100.100.100.100 so libipsec will drop the packet.   If there was a
>> route in table 220 it should list a source IP in the local traffic
>> selector, so it's interesting that a different source IP was selected -
>> or was that IP forced somehow?
> 
> I tinkered around with this at some point.  I had it originating from 
> 192.168.0.6 > 10.10.0.4 but same results.  Based on what you wrote, 
> unless I get xfrm_user module installed, this won't work regardless of 
> what source IP it's coming from?  Here's what I had earlier and retried 
> just now:
> 
> iptables -t nat -I POSTROUTING -d 10.10.0.0/24 -j SNAT --to $(nvram get 
> lan_ipaddr)
> 
> This resulted in:
> 
> # tcpdump -i ipsec0 -s 0 -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
> 08:48:19.481357 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, 
> seq 3, length 64
> 08:48:20.490676 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, 
> seq 4, length 64
> 08:48:21.500060 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, 
> seq 5, length 64
> 08:48:22.509503 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, 
> seq 6, length 64
> 
> instead of originating from the WAN IP. No reply of course.  My routes:
> 
> root at DD-WRT:~# ip route
> default via 100.100.100.50 dev vlan2
> 10.0.0.0/24 via 192.168.0.1 dev br0  metric 20
> 10.1.0.0/24 via 192.168.0.1 dev br0  metric 20
> 10.1.1.0/24 dev tun2 scope link  src 10.1.1.1
> 10.2.0.0/24 via 192.168.0.1 dev br0  metric 20
> 10.3.0.0/24 via 192.168.0.1 dev br0  metric 20
> 100.100.100.50/27 dev vlan2 scope link  src 100.100.100.100
> 127.0.0.0/8 dev lo scope link
> 192.168.0.0/24 dev br0 scope link  src 192.168.0.6
> 192.168.45.0/24 dev wl0.1 scope link  src 192.168.45.1
> 192.168.75.0/24 dev wl1.1 scope link  src 192.168.75.1
> 
> 
>> 
>>> Still
>>> looking at Brian's recommendations however:
>>> 
>>> root at DD-WRT:~# ip link add xfrm0 type xfrm dev ipsec0 if_id 42
>>> ip: RTNETLINK answers: Not supported
>>> root at DD-WRT:~# ip link add vti0 type vti dev ipsec0 if_id 42
>>> ip: RTNETLINK answers: Not supported
>>> root at DD-WRT:~#
>>> 
>>> Trying GRE but:
>>> 
>>> root at DD-WRT:~# ip tunnel add ipsec01 local 100.100.100.100 remote
>>> 123.123.123.123 mode gre
>>> ip: ioctl 0x89f1 failed: No such device
>>> root at DD-WRT:~#
>> 
>> None of these will work without kernel IPsec support (and XFRM
>> interfaces are only available in 4.19+ kernels anyway).  But they should
>> also not be necessary for simple site-to-site tunnels.
> 
> So just the xfrm_user module is needed by StrongSwan / IPSec then?
> 
>> 
>> Regards,
>> Tobias
>> 
> 
> 
> -- 
> Thx,
> TK.
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Wed, 24 Jun 2020 15:19:52 +0200
> From: Tobias Brunner <tobias at strongswan.org>
> To: tomkcpr at mdevsys.com, users at lists.strongswan.org
> Subject: Re: [strongSwan] StrongSwan w/ multiple local subnets.
> Message-ID: <c0556d56-ae07-4e21-c9f2-7b96472192ab at strongswan.org>
> Content-Type: text/plain; charset=utf-8
> 
> Hi Tom,
> 
>> May I ask which exact line above told you I'm missing xfrm_user?  The 
>> ones that start with CUSTOM?
> 
> Yes, the first one is logged after the kernel-netlink plugin failed to
> open a Netlink/XFRM socket, plus it is obviously missing in the module
> lists you posted after that.
> 
>> This is DD-WRT so it's a minimized router kernel. I was as surprised as the 
>> next guy learning that module isn't available.
> 
> Yeah, it makes little sense to enable the other IPsec-related modules
> without a means to actually use them.  But why did you use the 2.6.23
> kernel sources to build the missing module if your router uses a 4.4.190
> kernel?
> 
>> I tinkered around with this at some point.  I had it originating from 
>> 192.168.0.6 > 10.10.0.4 but same results.  Based on what you wrote, 
>> unless I get xfrm_user module installed, this won't work regardless of 
>> what source IP it's coming from?
> 
> No, that's unrelated.  You need that module to use the IPsec stack in
> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).
> The whole point of the userland IPsec stack is that it bypasses the
> kernel and can run with reduced privileges (e.g. on Android where apps
> can create TUN devices via VpnService API but can't access the kernel's
> IPsec stack via Netlink/XFRM).
> 
>> instead of originating from the WAN IP. No reply of course.  My routes
> 
> Are ESP packets sent?  If yes, are any returned?  If not, then this
> seems to be an issue on the other end.  So try to follow the traffic there.
> 
>> root at DD-WRT:~# ip route
> 
> Again, strongSwan installs its routes in table 220, that is, use `ip
> route show table 220` (or `all`).
> 
> Regards,
> Tobias
> 
> 
> End of Users Digest, Vol 125, Issue 29
> **************************************
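The two checks Tobias describes in Messages 5 and 6, as an added shell example that is not part of the digest: the charon log lines that show the kernel-netlink plugin could not open a Netlink/XFRM socket (the kernel lacks xfrm_user), and whether the route strongSwan installs in table 220 carries a `src` inside the local traffic selector. The log excerpt and the route line are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. All input below is
# constructed to mirror what Tom posted; run it against real output of
# `ip route show table 220` and the charon log on a live system.

# Constructed excerpt modelled on the log in Message 5.
CHARON_LOG="Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec"

# Constructed 'ip route show table 220' line (hypothetical values).
ROUTES_220="10.10.0.0/24 dev ipsec0 scope link src 192.168.0.6"

# Return 0 when the log shows both the Netlink/XFRM socket failure and the
# unmet kernel-ipsec dependency it causes, i.e. xfrm_user is not loaded.
xfrm_missing() {
    printf '%s\n' "$1" | grep -q 'unable to create netlink socket' &&
    printf '%s\n' "$1" | grep -q 'unmet dependency: CUSTOM:kernel-ipsec'
}

# Dotted-quad IPv4 address to a 32-bit integer (POSIX arithmetic only).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_prefix ADDR NET/LEN: return 0 if ADDR falls inside the prefix.
in_prefix() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# route_src_ok ROUTES REMOTE_TS LOCAL_TS: return 0 if ROUTES holds a route
# to REMOTE_TS whose src address lies inside LOCAL_TS, which is what the
# negotiated traffic selectors require for packets not to be dropped.
route_src_ok() {
    src=$(printf '%s\n' "$1" | awk -v r="$2" \
        '$1 == r { for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1) }')
    [ -n "$src" ] && in_prefix "$src" "$3"
}

if xfrm_missing "$CHARON_LOG"; then
    echo "kernel-netlink failed: xfrm_user is not available in this kernel"
fi
if route_src_ok "$ROUTES_220" 10.10.0.0/24 192.168.0.0/24; then
    echo "table 220 route to 10.10.0.0/24 uses a source inside the local TS"
fi
```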