[strongSwan] Strongswan 4.5.1 sqlite database passthrough
Hello,

I post the message again, as I wasn't on the user list.

I've established tunnels between 2 gateways.
Gateway A has these subnets behind it: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0.12
Gateway B has these subnets behind it: 10.21.11.0/24, 172.16.0.0/24, 10.121.11.0/24

Each gateway B subnet must reach all of gateway A's subnets. As you can see, some gateway B subnet addresses are included in gateway A subnets.

If all tunnels are up, a station on the 10.21.11.0/24 subnet can't ping the gateway B interface (10.21.11.1).

Security Associations:
  sphynx test ARV-amon test ARV[3]: ESTABLISHED 36 minutes ago, 192.168.10.10[C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15]...192.168.10.5[C=fr, O=gouv, OU=education, OU=ac-dijon, CN=AGRIATES-DIJON-10]
  admin-reseau172{27}:  INSTALLED, TUNNEL, ESP SPIs: c049306f_i c98a1913_o
  admin-reseau172{27}:   10.21.11.0/24 === 172.16.0.0/12
  pedago-reseau192{28}:  INSTALLED, TUNNEL, ESP SPIs: cbdea841_i ca1a83c7_o
  pedago-reseau192{28}:   172.16.0.0/24 === 192.168.0.0/16
  dmz-reseau10{22}:  INSTALLED, TUNNEL, ESP SPIs: c0a9d3f7_i c0f935f6_o
  dmz-reseau10{22}:   10.121.11.0/24 === 10.0.0.0/8
  pedago-reseau10{29}:  INSTALLED, TUNNEL, ESP SPIs: c1ff691f_i ca05cc51_o
  pedago-reseau10{29}:   172.16.0.0/24 === 10.0.0.0/8
  dmz-reseau192{21}:  INSTALLED, TUNNEL, ESP SPIs: c06446da_i c1759a05_o
  dmz-reseau192{21}:   10.121.11.0/24 === 192.168.0.0/16
  dmz-reseau172{23}:  INSTALLED, TUNNEL, ESP SPIs: cc32c507_i c32a0db0_o
  dmz-reseau172{23}:   10.121.11.0/24 === 172.16.0.0/12
  admin-reseau192{25}:  INSTALLED, TUNNEL, ESP SPIs: cf791d67_i ca4fe64e_o
  admin-reseau192{25}:   10.21.11.0/24 === 192.168.0.0/16
  admin-reseau10{26}:  INSTALLED, TUNNEL, ESP SPIs: c35751dd_i c99ff1c8_o
  admin-reseau10{26}:   10.21.11.0/24 === 10.0.0.0/8
  pedago-reseau172{30}:  INSTALLED, TUNNEL, ESP SPIs: c7c5c075_i cf9f62a0_o
  pedago-reseau172{30}:   172.16.0.0/24 === 172.16.0.0/12

If I bring down the admin-reseau10{26} tunnel, the station can ping 10.21.11.1.
I've configured exceptions like this:

  #!/usr/sbin/setkey -f
  # execute the operations listed up to EOF
  spdadd 192.168.10.0/25 192.168.10.0/25 any -P in none;
  spdadd 192.168.10.0/25 192.168.10.0/25 any -P out none;
  spdadd 192.168.10.0/25 192.168.10.0/25 any -P fwd none;
  spdadd 192.168.10.0/25 10.21.11.0/24 any -P in none;
  spdadd 192.168.10.0/25 10.21.11.0/24 any -P out none;
  spdadd 192.168.10.0/25 10.21.11.0/24 any -P fwd none;
  spdadd 192.168.10.0/25 172.16.0.0/24 any -P in none;
  spdadd 192.168.10.0/25 172.16.0.0/24 any -P out none;
  spdadd 192.168.10.0/25 172.16.0.0/24 any -P fwd none;
  spdadd 192.168.10.0/25 10.121.11.0/24 any -P in none;
  spdadd 192.168.10.0/25 10.121.11.0/24 any -P out none;
  spdadd 192.168.10.0/25 10.121.11.0/24 any -P fwd none;
  spdadd 10.21.11.0/24 192.168.10.0/25 any -P in none;
  spdadd 10.21.11.0/24 192.168.10.0/25 any -P out none;
  spdadd 10.21.11.0/24 192.168.10.0/25 any -P fwd none;
  spdadd 10.21.11.0/24 10.21.11.0/24 any -P in none;
  spdadd 10.21.11.0/24 10.21.11.0/24 any -P out none;
  spdadd 10.21.11.0/24 10.21.11.0/24 any -P fwd none;
  spdadd 10.21.11.0/24 172.16.0.0/24 any -P in none;
  spdadd 10.21.11.0/24 172.16.0.0/24 any -P out none;
  spdadd 10.21.11.0/24 172.16.0.0/24 any -P fwd none;
  spdadd 10.21.11.0/24 10.121.11.0/24 any -P in none;
  spdadd 10.21.11.0/24 10.121.11.0/24 any -P out none;
  spdadd 10.21.11.0/24 10.121.11.0/24 any -P fwd none;
  spdadd 172.16.0.0/24 192.168.10.0/25 any -P in none;
  spdadd 172.16.0.0/24 192.168.10.0/25 any -P out none;
  spdadd 172.16.0.0/24 192.168.10.0/25 any -P fwd none;
  spdadd 172.16.0.0/24 10.21.11.0/24 any -P in none;
  spdadd 172.16.0.0/24 10.21.11.0/24 any -P out none;
  spdadd 172.16.0.0/24 10.21.11.0/24 any -P fwd none;
  spdadd 172.16.0.0/24 172.16.0.0/24 any -P in none;
  spdadd 172.16.0.0/24 172.16.0.0/24 any -P out none;
  spdadd 172.16.0.0/24 172.16.0.0/24 any -P fwd none;
  spdadd 172.16.0.0/24 10.121.11.0/24 any -P in none;
  spdadd 172.16.0.0/24 10.121.11.0/24 any -P out none;
  spdadd 172.16.0.0/24 10.121.11.0/24 any -P fwd none;
  spdadd 10.121.11.0/24 192.168.10.0/25 any -P in none;
  spdadd 10.121.11.0/24 192.168.10.0/25 any -P out none;
  spdadd 10.121.11.0/24 192.168.10.0/25 any -P fwd none;
  spdadd 10.121.11.0/24 10.21.11.0/24 any -P in none;
  spdadd 10.121.11.0/24 10.21.11.0/24 any -P out none;
  spdadd 10.121.11.0/24 10.21.11.0/24 any -P fwd none;
  spdadd 10.121.11.0/24 172.16.0.0/24 any -P in none;
  spdadd 10.121.11.0/24 172.16.0.0/24 any -P out none;
  spdadd 10.121.11.0/24 172.16.0.0/24 any -P fwd none;
  spdadd 10.121.11.0/24 10.121.11.0/24 any -P in none;
  spdadd 10.121.11.0/24 10.121.11.0/24 any -P out none;
  spdadd 10.121.11.0/24 10.121.11.0/24 any -P fwd none;

It doesn't work any better even with high priority. Is there another solution or syntax?

Thanks

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] strongswan IKEv2 ikesa rekey
Hi,

> There are currently two open child_sa's for the IKE_SA as after the last
> child_sa rekey, the test system did not promptly remove the old child_sa.
> Is that what the message is referring to on the IKE_SA rekey request, or
> is it something else?

Yes, the CHILD_SA rekeying is not considered complete, as the old CHILD_SA has not been deleted. And rekeying an IKE_SA that has CHILD_SAs currently rekeying should be rejected (RFC 5996 2.25.1).

I don't see a good reason why your other implementation should insert an IKE_SA rekeying in the middle of a CHILD_SA rekeying. That just makes the situation complicated.

Regards
Martin
Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough
Hi,

> Each gateway B subnet must reach all of gateway A's subnets.

Using IKEv2, you can simplify all-to-all subnets and use just a single connection:

  leftsubnet=10.0.0.0/8,192.168.0.0/16,172.16.0.0.12
  rightsubnet=10.21.11.0/24,172.16.0.0/24,10.121.11.0/24

> As you can see, some gateway B subnet addresses are included in gateway A subnets.

Unfortunately, we currently don't support IP ranges. Splitting this configuration into the correct subnets should be possible, but would require some dozen subnets.

> It doesn't work any better even with high priority.

Please keep in mind that lower priority numbers actually have a higher priority. Have you tried a low priority number (1)?

Regards
Martin
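The "splitting into the correct subnets" Martin suggests can be computed rather than done by hand. The script below is an added example, not code from the thread or from strongSwan: it carves gateway B's subnets out of gateway A's larger ranges (172.16.0.0/12 is taken from the SA listing) so that no remaining left subnet contains a gateway B address such as 10.21.11.1, and checks that property; the function and variable names are the example's own.

```python
# Added example: carve gateway B's subnets out of gateway A's ranges so the
# resulting policies no longer match traffic addressed to gateway B itself.
from ipaddress import ip_address, ip_network

# Subnets as given in the thread (172.16.0.0/12 as shown in the SA listing).
GATEWAY_A = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
GATEWAY_B = ["10.21.11.0/24", "172.16.0.0/24", "10.121.11.0/24"]


def carve_out(net, holes):
    """Pieces of `net` that remain once every overlapping `hole` is removed.
    Every piece is an exact CIDR block, which is what XFRM policies take."""
    pieces = [net]
    for hole in holes:
        remaining = []
        for piece in pieces:
            if hole.subnet_of(piece):
                # address_exclude yields the sibling subnets on the way down
                # from `piece` to `hole` (and nothing if the two are equal).
                remaining.extend(piece.address_exclude(hole))
            elif piece.subnet_of(hole):
                continue  # the piece lies entirely inside the hole: drop it
            else:
                remaining.append(piece)
        pieces = remaining
    return sorted(pieces)


def split_left_subnets(left, right):
    """Non-overlapping left subnets for a leftsubnet= list, given right."""
    holes = [ip_network(r) for r in right]
    result = []
    for a_net in left:
        result.extend(carve_out(ip_network(a_net), holes))
    return result


def covering(addr, nets):
    """Subnets in `nets` that contain `addr`; empty means no policy matches."""
    a = ip_address(addr)
    return [str(n) for n in nets if a in n]


if __name__ == "__main__":
    subnets = split_left_subnets(GATEWAY_A, GATEWAY_B)
    print(f"{len(subnets)} left subnets:")
    print("leftsubnet=" + ",".join(str(n) for n in subnets))
    print("10.21.11.1 covered by:", covering("10.21.11.1", subnets))
```

With the thread's subnets this yields 42 left subnets, in line with the "some dozen" Martin expects.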
Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough
Hi,

On 24/06/2011 11:00, Martin Willi wrote:
> Hi,
>
>> Each gateway B subnet must reach all of gateway A's subnets.
>
> Using IKEv2, you can simplify all-to-all subnets and use just a single connection:
>
>   leftsubnet=10.0.0.0/8,192.168.0.0/16,172.16.0.0.12
>   rightsubnet=10.21.11.0/24,172.16.0.0/24,10.121.11.0/24

I use strongSwan 4.5.1 with an SQLite database. Is it possible to do that with the traffic_selectors and peer_configs tables?

>> As you can see, some gateway B subnet addresses are included in gateway A subnets.
>
> Unfortunately, we currently don't support IP ranges.

In the traffic_selectors table, the fields to be filled are start_address and end_address, but you mean these must be the network and broadcast addresses?

> Splitting this configuration into the correct subnets should be possible, but would require some dozen subnets.

Yes, it's a possibility. I hope this is not the only one.

>> It doesn't work any better even with high priority.
>
> Please keep in mind that lower priority numbers actually have a higher priority. Have you tried a low priority number (1)?

I have tried with spdadd ... prio high + 1, low + 1, high - 1, low - 1

I have also tried with:

  ip xfrm policy add src 10.21.11.0/24 dst 10.21.11.0/24 priority 1 and 0 dir in (out and fwd)

ip xfrm policy returns:

  src 10.21.11.0/24 dst 10.21.11.0/24
          dir fwd priority 0
  src 10.21.11.0/24 dst 10.21.11.0/24
          dir out priority 0
  src 10.21.11.0/24 dst 10.21.11.0/24
          dir in priority 0
  ..
  ..
  src 10.0.0.0/8 dst 10.21.11.0/24
          dir fwd priority 1923
          tmpl src 192.168.10.5 dst 192.168.10.10
                  proto esp reqid 6 mode tunnel
  src 10.0.0.0/8 dst 10.21.11.0/24
          dir in priority 1923
          tmpl src 192.168.10.5 dst 192.168.10.10
                  proto esp reqid 6 mode tunnel
  src 10.21.11.0/24 dst 10.0.0.0/8
          dir out priority 1923
          tmpl src 192.168.10.10 dst 192.168.10.5
                  proto esp reqid 6 mode tunnel

ip route list table 220 returns:

  192.168.0.0/16 via 192.168.10.5 dev eth0 proto static src 10.121.11.1
  172.16.0.0/12 via 192.168.10.5 dev eth0 proto static src 10.121.11.1
  10.0.0.0/8 via 192.168.10.5 dev eth0 proto static src 10.121.11.1

After ip route del table 220 10.0.0.0/8 via 192.168.10.5, a ping to 10.21.11.1 is possible from the station 10.21.11.5, but that's not the solution.

How can we have a route exception?

> Regards
> Martin

Best regards
Fabrice
Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough
> Is it possible to do that with the traffic_selectors and peer_configs tables?

Yes, you can associate as many traffic_selectors to child_configs as you need, using child_config_traffic_selector.

> In the traffic_selectors table, the fields to be filled are start_address and end_address, but you mean these must be the network and broadcast addresses?

You can define ranges in the sql backend and negotiate them with IKEv2. Unfortunately, the Linux kernel supports full subnets only. Non-subnet ranges are mapped to the next matching subnet while installing the policies.

> How can we have a route exception?

You can't. But you could install the required routes manually, and disable automatic route installation by charon using strongswan.conf:

  charon {
    install_routes = no
  }

Regards
Martin
Re: [strongSwan] VPN from iPad to ubuntu-10.4
> found that certificates can just be sent by email - there is no USB
> connector, that's why I started with preshared keys.

The web also works for certificate distribution .. just use the correct MIME type.

The better question is why are you trying to do L2TP when iOS supports IPSEC natively? (unless you also want to support Android .. which you can't do with strongswan/crt anyway since Android sends a borked id_ipv4 as an identifier)

L2TP is triple (and maybe quadruple) encapsulated ..

  (packet) - ppp - l2tp - ipsec - ipsec-natt - host

versus ..

  (packet) - ipsec - host
  (or)
  (packet) - ipsec - ipsec-natt - host

Cheers,

Michael Holstein
Cleveland State University
[strongSwan] Question on sending INTERNAL_IP4_DNS in CFG
Hi,

I am testing a SeGW with strongSwan as the client. I am trying to have strongSwan send multiple attributes (INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS) in the Configuration payload to my SeGW, but strongSwan always includes only one attribute (INTERNAL_IP4_ADDRESS). Is there any configuration I am missing here? I remember strongSwan used to be able to send multiple. I am using strongSwan 4.5.0.

Thanks a lot for your help