[strongSwan] ANNOUNCE: strongswan-4.5.1 released

2011-02-12 Thread Andreas Steffen
Hello,

we are proud to release strongSwan 4.5.1 which comes with
a lot of new features:

Trusted Network Connect (TNC)
-----------------------------

- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol
  (PB) compatible with Trusted Network Connect (TNC). The TNCCS 2.0
  protocol requires the tnccs_20, tnc_imc and tnc_imv plugins but does
  not depend on the libtnc library. Any available IMV/IMC pairs
  conforming to the Trusted Computing Group's TNC-IF-IMV/IMC 1.2
  interface specification can be loaded via /etc/tnc_config.

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-20/

- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
  plugins in place of the external libtnc library.

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-11-radius/

- The tnccs_dynamic plugin loaded on a TNC server in addition to the
  tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
  protocol version used by a TNC client and invokes an instance of
  the corresponding protocol stack.

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-dynamic/

SQL Configuration Backend Extensions
------------------------------------

- IKE and ESP proposals can now be stored in an SQL database using a
  new proposals table. The start_action field in the child_configs
  table allows the automatic starting or routing of connections stored
  in an SQL database.

  http://www.strongswan.org/uml/testresults/sql/net2net-start-pem/

  http://www.strongswan.org/uml/testresults/sql/net2net-route-pem/

- The new certificate_authorities and certificate_distribution_points
  tables make it possible to store CRL and OCSP Certificate Distribution
  points in an SQL database.

  http://www.strongswan.org/uml/testresults/sql/multi-level-ca/

Include statements in strongswan.conf
-------------------------------------

- The new 'include' statement allows to recursively include other files
  in strongswan.conf. Existing sections and values are thereby extended
  and replaced, respectively.

- Due to the changes in the parser for strongswan.conf, the
  configuration syntax for the attr plugin has changed.  Previously, it
  was possible to specify multiple values of a specific attribute type
  by adding multiple key/value pairs with the same key (e.g. dns) to
  the plugins.attr section. Because values with the same key now
  replace previously defined values this is not possible anymore. As an
  alternative, multiple values can be specified by separating them with
  a comma (e.g. dns = 1.2.3.4, 2.3.4.5).

Traffic Flow Confidentiality
----------------------------

- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can
  be used by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all
  packets to a given boundary, the special value '%mtu' pads all
  packets to the path MTU.

Use of Linux Crypto API for IKE and other Userland Applications
---------------------------------------------------------------

- The new af-alg plugin can use various crypto primitives of the Linux
  Crypto API using the AF_ALG interface introduced with 2.6.38. This
  removes the need for additional userland implementations of symmetric
  cipher, hash, hmac and xcbc algorithms.

INITIAL_CONTACT Notification
----------------------------

- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
  responder. The notify is sent when initiating configurations with a
  unique policy, set in ipsec.conf via the global 'uniqueids' option.

Conftest IKEv2 Conformance Testing Framework
--------------------------------------------

- The conftest conformance testing framework enables the IKEv2 stack to
  perform many tests using a distinct tool and configuration frontend.
  Various hooks can alter reserved bits, flags, add custom notifies and
  proposals, reorder or drop messages and much more. It is enabled
  using the --enable-conftest ./configure switch.

X.509 Certificate Constraints
-----------------------------

- The new libstrongswan constraints plugin provides advanced X.509
  constraint checking. In addition to X.509 pathLen constraints, the
  plugin checks for nameConstraints and certificatePolicies, including
  policyMappings and policyConstraints. The x509 certificate plugin and
  the pki tool have been enhanced to support these extensions. The new
  left/rightcertpolicy ipsec.conf connection keywords take OIDs a peer
  certificate must have.

- The left/rightauth ipsec.conf keywords accept values with a minimum
  strength for trustchain public keys in bits, such as rsa-2048 or
  ecdsa-256.

Support for Delta CRLs
----------------------

- The revocation and x509 libstrongswan plugins and the pki tool gained
  basic support for delta CRLs.

Enjoy the new release and report any problems you may encounter!

Best regards

Tobias Brunner, Martin Willi & Andreas Steffen

The strongSwan Team

==
Andreas Steffen

[strongSwan] ANNOUNCE: strongSwan packages for Maemo (Nokia N900)

2011-02-12 Thread Tobias Brunner
Hello,

despite the recent news about Nokia's plans to partner with Microsoft,
we are happy to announce that packages for strongSwan 4.5.1 are now
available in the maemo.org Extras repository, which provides software
for Maemo based devices such as the Nokia N900.

Package: strongswan-applet [1]
------------------------------

  This package provides a settings applet and a status bar widget which
  allow to easily configure and control IKEv2 connections with EAP
  authentication (username/password).

Package: strongswan [2]
-----------------------

  This package contains the key exchange daemons, starter and the ipsec
  script for use on the mobile device.  To configure strongSwan via
  /etc/ipsec.conf the 'rootsh' package is required to gain root access.

You'll find more information about both packages on our wiki [3].

Because strongSwan depends on the native IPsec implementation of the
Linux kernel, the enhanced 'Kernel Power' [4] kernel is required, which
provides the required modules disabled in the default kernel.

Both packages are currently available in the Extras-testing [5]
repository.  So, in order for them to become available in the main
Extras repository, we'd like to invite fellow Nokia N900 owners to test
the two packages and vote for them accordingly on the respective
maemo.org pages ([1], [2]).  Thanks in advance!

Best regards

Tobias Brunner, Martin Willi & Andreas Steffen

The strongSwan Team

[1]http://maemo.org/packages/package_instance/view/fremantle_extras-testing_free_armel/strongswan-applet/1.0.1-2/
[2]http://maemo.org/packages/package_instance/view/fremantle_extras-testing_free_armel/strongswan/4.5.1-1/
[3]http://wiki.strongswan.org/projects/strongswan/wiki/Maemo
[4]http://wiki.maemo.org/Kernel_Power
[5]http://wiki.maemo.org/Extras-testing

--
==
Tobias Brunner tob...@strongswan.org strongSwan - The Linux VPN
Solution! http://www.strongswan.org
==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] ANNOUNCE: strongSwan packages for Maemo (Nokia N900)

2011-02-12 Thread Martin Lambev
I want to thank you for that wonderful gift! A long wanted feature :)

I'll test the package and give feedback.

Is it fine to write bug reports here or else?

I tested initial package v.4.5.0-*rc.. but had some problems with 
strongswan-applet ( after reboot, was blocking normal load and work of 
hildon-desktop, only way to uninstall it was to start terminal with hw 
keyboard and deinstall strongswan-applet, and reboot ) still ipsec was 
working fine, but all attempts to establish connection failed. I did not 
have time to dig into the problem, but will upload now the new package 
and test again...

Great work!

Martin


On 02/12/2011 08:37 PM, Tobias Brunner wrote:




[strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
Hi,

I'm new to IPSec and StrongSWAN, so a Hello to all list members! ;-)


Setting up a VPN tunnel between two Fritzboxes and a Ubuntu server drives
me crazy.

Packets from the private subnet of the Ubuntu server lead to a VPN tunnel
creation and everything working fine, but packets from the subnets of the
Fritzboxes do not cause Strongswan to create a connection.

Maybe someone can help me out here.


Setup:


1x Ubuntu 10.04 LTS server, fixed public IP and Hostname, 192.168.176.0/24
private Subnet, StrongSWAN 4.3.2-1.1ubuntu1, IPTables firewall with DROP
default policy for INPUT and FORWARD chains and ACCEPT for OUTPUT


1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL disconnection
every 24 hours, DDNS-Hostname, 192.168.177.0/24 private Subnet, Internet
via NAT


1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL disconnection
every 24 hours, DDNS-Hostname, 192.168.178.0/24 private Subnet, Internet
via NAT


- all hosts on the private subnets shall be able to connect to each other
- hosts on the Fritzboxes are able to reach public internet via NAT and
local DSL
- hosts in 192.168.176.0/24 shall not have any connection to public
internet.



Fritzbox VPN config:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "xxx.xxx.xxx.xxx";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = xxx.xxx.xxx.xxx;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "xxx.dnsalias.net";
                }
                remoteid {
                        ipaddr = xxx.xxx.xxx.xxx;
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "xx";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.177.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.176.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.176.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}



StrongSWAN config:


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=yes
        plutostart=yes

# Add connections here.

# Sample VPN connections

conn frankfurt-giessen
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.176.0/24
        leftfirewall=yes
        #
        ike=aes128-sha-modp1024
        esp=aes128-sha1
        #
        right=xxx.dnsalias.net
        rightid=@xxx.dnsalias.net
        rightsubnet=192.168.177.0/24
        #
        ikelifetime=4h
        keylife=1h
        #
        authby=secret
        auto=route



ipsec.secrets:


# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with ipsec showhostkey.

# this file is managed with debconf and will contain the automatically
# created private key
xxx.xxx.xxx.xxx @xxx.dnsalias.net : PSK "xx"
#include /var/lib/strongswan/ipsec.secrets.inc


AVM provides Information about IPSec VPN:

Security strategies for IKE1:
http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf

Security strategies for IKE2:
http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf


Best regards,

Renne




Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Andreas Steffen
Hello Rene,

strongSwan never sets up a tunnel based on incoming plaintext
packets. With auto=route only outgoing plaintext packets trigger the
setup of an IPsec tunnel. Packets from a subnet behind the
Fritzbox should cause the Fritzbox to initiate an IKE negotiation.

In any case a tcpdump or wireshark log and a strongSwan log
with

  plutodebug=control

would help to check if any IKE packets are leaving the Fritzbox
and arriving at the strongSwan box.

Best regards

Andreas

On 02/12/2011 05:02 PM, Rene Bartsch wrote:

Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Andreas Steffen
Hello Rene,

you must open UDP port 500 for IKE and UDP port 4500 if you have
a NAT situation. In order to pass encrypted IPsec packets you
must open IP protocol 50 (ESP).

Regards

Andreas

On 02/12/2011 08:15 PM, Rene Bartsch wrote:
 Hello Andreas,
 
 After using tcpdump I set all IPTables policies to ACCEPT, and
 doing a flush of all rules led to a working VPN.
 
 Which IPtables rules do I have to set to allow IPSec connection handshake?
 
 Best regards,
 
 Renne
 

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
Hello Andreas,

I've added the rules

iptables -t filter -A INPUT -d <public IP> -p esp                    -m comment --comment "ACCEPT IPSec ESP"   -j ACCEPT
iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500  -m comment --comment "ACCEPT IPSec IKE"   -j ACCEPT
iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT


and StrongSWAN added the rules

Chain FORWARD (policy DROP)
target     prot opt source             destination
ACCEPT     all  --  192.168.177.0/24   192.168.176.0/24   policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT     all  --  192.168.176.0/24   192.168.177.0/24   policy match dir out pol ipsec reqid 16385 proto esp


The IPSec association is created (even Fritzbox shows a active IPSec
connection), but no data passes between the subnets.

Do I use the right IPTables chains? Do I need port 4500 (NAT-T is disabled
on Fritzbox and StrongSWAN box)?


Regards,

Renne



On Sat, 12 Feb 2011 20:20:46 +0100, Andreas Steffen
andreas.stef...@strongswan.org wrote:
 Hello Rene,
 
 you must open UDP port 500 for IKE and UDP port 4500 if you have
 a NAT situation. In order to pass encrypted IPsec packets you
 must open IP protocol 50 (ESP).
 
 Regards
 
 Andreas





Re: [strongSwan] StrongSWAN and AVM Fritzbox - Help!

2011-02-12 Thread Rene Bartsch
On Sat, 12 Feb 2011 21:10:41 +0100, Andreas Steffen
andreas.stef...@strongswan.org wrote:
 On 02/12/2011 08:58 PM, Rene Bartsch wrote:
 Hello Andreas,

 I've added the rules

 iptables -t filter -A INPUT -d <public IP> -p esp                    -m comment --comment "ACCEPT IPSec ESP"   -j ACCEPT
 iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500  -m comment --comment "ACCEPT IPSec IKE"   -j ACCEPT
 iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT

 You also need corresponding OUTPUT rules

Default policy for OUTPUT is ACCEPT. I usually allow any outgoing
connections, drop any incoming connections and allow only necessary
incoming connections.

 and StrongSWAN added the rules

 Chain FORWARD (policy DROP)
 target     prot opt source             destination
 ACCEPT     all  --  192.168.177.0/24   192.168.176.0/24   policy match dir in pol ipsec reqid 16385 proto esp
 ACCEPT     all  --  192.168.176.0/24   192.168.177.0/24   policy match dir out pol ipsec reqid 16385 proto esp

 These rules are inserted automatically by the _updown script. Make sure
 that IP forwarding is enabled (echo 1 > /proc/sys/net/ipv4/ip_forward).

It is via sysctl.conf

And it's more weird that nmap -PN -p 500 <public ip> shows the port in
filtered state from a host on the fritzbox and closed state on the
StrongSWAN box itself.


My IPTables rules:

*filter
:INPUT   DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT  ACCEPT [86:9176]

-A INPUT -i lo     -m comment --comment "ACCEPT loopback device" -j ACCEPT
-A INPUT -i dummy0 -m comment --comment "ACCEPT dummy0 device"   -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT existing connections" -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type echo-reply              -m comment --comment "ACCEPT ICMP echo-reply"              -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request            -m comment --comment "ACCEPT ICMP echo-request"            -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded           -m comment --comment "ACCEPT ICMP time-exceeded"           -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench           -m comment --comment "ACCEPT ICMP source-quench"           -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type port-unreachable        -m comment --comment "ACCEPT ICMP port-unreachable"        -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem       -m comment --comment "ACCEPT ICMP parameter-problem"       -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type fragmentation-needed    -m comment --comment "ACCEPT ICMP fragmentation-needed"    -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -m comment --comment "ACCEPT ICMP destination-unreachable" -j ACCEPT

-A INPUT -d xxx.xxx.xxx.102 -p esp                    -m comment --comment "ACCEPT IPSec ESP"   -j ACCEPT
-A INPUT -d xxx.xxx.xxx.102 -p udp -m udp --dport 500  -m comment --comment "ACCEPT IPSec IKE"   -j ACCEPT
-A INPUT -d xxx.xxx.xxx.102 -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT

-A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource -m comment --comment "Store connection requests"
-A INPUT -d xxx.xxx.xxx.102 -p tcp -m tcp --dport 22  -m state --state NEW -m recent --update --seconds 240 --hitcount 10 --name DEFAULT --rsource -m comment --comment "DROP SSH Brute-Force-Attacks" -j DROP
-A INPUT -d xxx.xxx.xxx.102 -p tcp -m tcp --dport 22  -m state --state NEW -m comment --comment "ACCEPT SSH connections"     -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20  -p tcp -m tcp --dport 21  -m state --state NEW -m comment --comment "ACCEPT FTP connections"     -j ACCEPT
-A INPUT                    -p tcp -m tcp --dport 25  -m state --state NEW -m comment --comment "ACCEPT SMTP connections"    -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20  -p udp -m udp --dport 53  -m state --state NEW -m comment --comment "ACCEPT DNS UDP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20  -p tcp -m tcp --dport 53  -m state --state NEW -m comment --comment "ACCEPT DNS TCP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20  -p tcp -m tcp --dport 80  -m state --state NEW -m comment --comment "ACCEPT HTTP connections"    -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20  -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "ACCEPT HTTPS connections"   -j ACCEPT

COMMIT


Regards,

Renne
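An added audit script (not from this thread or the strongSwan project) that checks an iptables-save dump for what Andreas asks for above: ACCEPT rules on INPUT for IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), plus the policy-match FORWARD rules the _updown script inserts when the FORWARD policy is DROP. The sample ruleset is constructed in the style of Renne's, and 203.0.113.2 is a placeholder address.

```python
"""Audit an iptables-save dump for the rules an IPsec gateway needs.

Checks the INPUT chain for UDP 500 (IKE), UDP 4500 (NAT-T) and IP
protocol 50 (ESP) and, when FORWARD's default policy is DROP, for the
'-m policy --pol ipsec' ACCEPT rules the _updown script installs for the
decrypted traffic (one per direction). Assumes plain `iptables-save`
output; example code, not strongSwan's own.
"""
import re

# Constructed sample in iptables-save syntax, modelled on the ruleset posted
# in the thread (not a verbatim copy); 203.0.113.2 is a placeholder address.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.0.113.2/32 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
-A INPUT -d 203.0.113.2/32 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
-A INPUT -d 203.0.113.2/32 -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT
COMMIT
"""

# (finding, regex that some ACCEPT rule in the chain must match)
INPUT_CHECKS = [
    ("INPUT: no ACCEPT for IKE (UDP 500)", r"-p udp\b.*--dport 500\b"),
    ("INPUT: no ACCEPT for NAT-T (UDP 4500)", r"-p udp\b.*--dport 4500\b"),
    ("INPUT: no ACCEPT for ESP (IP protocol 50)", r"-p (esp|50)\b"),
]
FORWARD_CHECKS = [
    ("FORWARD: no ACCEPT for '-m policy --dir in --pol ipsec'", r"-m policy\b.*--dir in\b.*--pol ipsec\b"),
    ("FORWARD: no ACCEPT for '-m policy --dir out --pol ipsec'", r"-m policy\b.*--dir out\b.*--pol ipsec\b"),
]


def parse_iptables_save(text):
    """Return (policies, rules): chain -> default policy, and the '-A' lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):            # ':CHAIN POLICY [packets:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):        # a rule appended to a chain
            rules.append(line)
    return policies, rules


def has_accept_rule(rules, chain, pattern):
    """True if some rule in `chain` matches `pattern` and jumps to ACCEPT."""
    rx = re.compile(pattern)
    return any(r.startswith(f"-A {chain} ") and r.endswith("-j ACCEPT") and rx.search(r)
               for r in rules)


def audit(text):
    """Return a list of findings; an empty list means every expected rule is
    present. A chain whose default policy is ACCEPT needs no explicit rules."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for chain, checks in (("INPUT", INPUT_CHECKS), ("FORWARD", FORWARD_CHECKS)):
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            continue
        findings += [f for f, pat in checks if not has_accept_rule(rules, chain, pat)]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RULES) or ["OK: IKE, NAT-T, ESP and policy-match rules present"]:
        print(line)
```

Feed it the real dump with `iptables-save | python3 audit.py` after swapping SAMPLE_RULES for sys.stdin.read(); it only reports missing rules, not rule order, so a DROP placed before the ACCEPT still has to be spotted by eye.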