Re: [strongSwan] strongswan pki command error

2011-11-14 Thread anand rao
Hi Andreas,

>> Did you activate or insert any debug statements writing
>> to stdout either in the strongSwan or OpenSSL code?


Yes. It was my mistake: I added a debug message in OpenSSL's rsa_gen.c in the 
function RSA_generate_key_ex().
Now I have removed the print statement, and the command "openssl rsa -inform der -in 
caKey.der -noout -text" was successful.

But when I try to generate a self-signed certificate for the RSA public key, I am 
getting the errors below.

ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwanCA" > 
caCert.der
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
parsing private key failed

I have attached caKey.der.
Please help.

Regards,
Anand


- Original Message -
From: Andreas Steffen 
To: anand rao 
Cc: "users@lists.strongswan.org" 
Sent: Friday, November 11, 2011 6:29 PM
Subject: Re: [strongSwan] strongswan pki command error

Hmmm, very strange. The first couple of characters as ASCII Text are

od -t a caKey.der

000   r   s   a   -   >   m   e   t   h   -   >   r   s   a   _   k
020   e   y   g   e   n  nl

rsa->meth->rsa_keygen\n

The ensuing characters are then the correct binary ASN.1 DER encoding
of the private key.

od -t x1 caKey.der

000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
020 65 79 67 65 6e 0a
                          30 82 05 a7 02 01 00 02 82 01
040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30

30 82 05 a7      # RSA Private key, length 1447 bytes
   02 01         # Version: 0
      00         #
   02 82 01 01   # Modulus n, length 257 bytes
      00 ee 75 ..

Size of caKey.der file                       1473 bytes.
Size of debug string                          -22 bytes
Size of ASN.1 sequence tag and length field    -4 bytes
                                             --
Encoded RSA private key length               1447 bytes

I grepped our whole source code for "rsa_keygen" but there was
no hit. Did you activate or insert any debug statements writing
to stdout either in the strongSwan or OpenSSL code?

Regards

Andreas

On 11/11/2011 01:13 PM, anand rao wrote:
> Hi Andreas,
> 
>    Please find the caKey.der attached. It was unreadable using cat command.
> 
> Regards
> Anand
> 
> 
> 
> - Original Message -
> From: Andreas Steffen 
> To: anand rao 
> Cc: "users@lists.strongswan.org" 
> Sent: Friday, November 11, 2011 5:39 PM
> Subject: Re: [strongSwan] strongswan pki command error
> 
> Could you send me that private key file?
> 
> Regards
> 
> Andreas
> 
> On 11/11/2011 12:00 PM, anand rao wrote:
>> Hi Andreas,
>>
>> when I execute openssl rsa -inform der -in caKey.der -noout -text
>> I am getting below errors.
>>
>>
>> root@OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
>> unable to load Private Key
>> 8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
>> 8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
>> 8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
>> 8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:
>>
>>
>> BR's
>> Anand
>>
>>
>> - Original Message -
>> From: Andreas Steffen 
>> To: anand rao 
>> Cc: "users@lists.strongswan.org" 
>> Sent: Thursday, November 10, 2011 7:28 PM
>> Subject: Re: [strongSwan] strongswan pki command error
>>
>> Hi Anand,
>>
>> If I execute the same commands then the ca cert generation works.
>>
>> - Verify if openssl rsa -inform der -in caKey.der -noout -text works
>>
>> Regards
>>
>> Andreas
>>
>> On 10.11.2011 14:49, anand rao wrote:
>>> Hi,
>>>
>>>     I am using strongswan 4.3.6
>>>
>>> I have tried to generate certificates using the strongSwan PKI gen tool to 
>>> generate an RSA certificate.
>>> I am getting the errors below.
>>>
>>> root@evm1gw:/etc/cert# ipsec pki --gen>  caKey.der
>>> root@evm1gw:/etc/cert#
>>> root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn 
>>> "C=IN,O=strongSwan, CN=strongSwan CA" --ca>  caCert.der
>>> file coded in unknown format, discarded
>>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>>> parsing private key failed
>>>
>>> I have used the default load so all the plugins are loaded. Please help.
>>>
>>> Thanks,
>>> Anand
> 
> ==
> Andreas Steffen                        andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==


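An added illustration (not code from the thread, strongSwan or OpenSSL) of the bookkeeping Andreas does by hand in the quoted message: it scans a key file for the DER SEQUENCE whose encoded length runs exactly to the end of the file, reports the stray prefix, and reads the version and modulus length. The input is constructed to match the sizes quoted in the message (22-byte debug string, 30 82 05 a7 header, 1447-byte body); it is not the attached caKey.der.

```python
# Added illustration (not strongSwan or OpenSSL code): locate a DER RSAPrivateKey
# that was written after stray stdout text, as in the caKey.der discussed above.

# Constructed stand-in for the attached file: the 22-byte debug line, then a
# SEQUENCE of 1447 bytes (header 30 82 05 a7), 1473 bytes in total.
DEBUG_PREFIX = b"rsa->meth->rsa_keygen\n"
VERSION = b"\x02\x01\x00"                                         # INTEGER 0
MODULUS = b"\x02\x82\x01\x01" + b"\x00\xee\x75" + b"\x00" * 254   # 257-byte n
FILLER = b"\x02\x82\x04\x9b" + b"\x01" * 1179                     # dummy INTEGER
BODY = VERSION + MODULUS + FILLER                                 # 3 + 261 + 1183
SAMPLE_FILE = DEBUG_PREFIX + b"\x30\x82\x05\xa7" + BODY


def read_tlv(buf, pos):
    """Parse one DER tag and length at pos; return (tag, length, value_offset)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    nbytes = first & 0x7F                 # long form: the next nbytes hold the length
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized DER length at offset %d" % pos)
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, length, pos + 2 + nbytes


def find_der_sequence(data):
    """Offset of the first 0x30 SEQUENCE whose length runs exactly to the end
    of the buffer (what a clean DER file looks like), or -1 if none matches."""
    for off in range(len(data) - 1):
        if data[off] != 0x30:
            continue
        try:
            _, length, value_off = read_tlv(data, off)
        except (ValueError, IndexError):
            continue
        if value_off + length == len(data):
            return off
    return -1


def inspect_key_file(data):
    """Reproduce the size bookkeeping from the thread and peek at the first
    two RSAPrivateKey members (version, modulus)."""
    off = find_der_sequence(data)
    if off < 0:
        raise ValueError("no well-formed DER SEQUENCE found")
    _, seq_len, body = read_tlv(data, off)
    vtag, vlen, vval = read_tlv(data, body)          # version INTEGER
    mtag, mlen, _ = read_tlv(data, vval + vlen)      # modulus INTEGER
    if vtag != 0x02 or mtag != 0x02:
        raise ValueError("SEQUENCE does not start like an RSAPrivateKey")
    return {
        "prefix": data[:off],              # stray bytes before the key (b"" if clean)
        "prefix_len": off,
        "header_len": body - off,          # tag + length field, 4 bytes here
        "key_len": seq_len,                # encoded RSAPrivateKey body
        "version": int.from_bytes(data[vval:vval + vlen], "big"),
        "modulus_len": mlen,
        "clean_der": data[off:],           # what should have been written to disk
    }


if __name__ == "__main__":
    info = inspect_key_file(SAMPLE_FILE)
    print("file size          %5d bytes" % len(SAMPLE_FILE))
    print("stray prefix      %+5d bytes  %r" % (-info["prefix_len"], info["prefix"]))
    print("tag+length field  %+5d bytes" % -info["header_len"])
    print("RSA private key    %5d bytes (version %d, modulus %d bytes)"
          % (info["key_len"], info["version"], info["modulus_len"]))
```

Writing `info["clean_der"]` back out gives a file that `openssl rsa -inform der` and `ipsec pki` can parse, which is the manual repair implied by the size table.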

Re: [strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

2011-11-14 Thread Tobias Brunner
Hi,

> strongswan4-mod-kernel-klips - 4.5.2-1

Please try to remove this module from your build.  The kernel-klips
plugin was done for a very specific (and rather old) KLIPS release.  And
depending on whether your kernel actually includes the KLIPS patch or
not, it might never work.  So, do you actually use KLIPS?  If so, you might
have to go back to a 2.x strongSwan release that supported KLIPS.  If
not, then just use the kernel-netlink plugin.

Regards,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Strongswan on android gingerbread

2011-11-14 Thread nitin
 writes:

> 
> YES! It was the algorithms! I finally got a tunnel!
> I have no idea which specific algorithm it was that was missing, I just
> enabled a bunch of them, but most likely AES, which I guess
> is the de facto standard for symmetric cryptography rather than DES. 
> By the way, where do I see which algorithms are being negotiated?
> I could see them only after the connection succeeded by using ipsec statusall,
> in the security association section, that was empty before when it failed.
> 
> Thanks again for all your prompt and clear replies!
> 
> Next I guess I will see if something can be done to make this work with IPv6
> and with certificates rather than username and password. 
> So I am sorry, but you will probably hear a lot from me again :)
> 
> Federico 
> 
> -Opprinnelig melding-
> Fra: Tobias Brunner [mailto:tobias@...] 
> Sendt: 26. oktober 2011 16:04
> Til: Mancini, Federico
> Kopi: users@...
> Emne: Re: [strongSwan] Strongswan on android gingerbread
> 
> Hi Federico,
> 
> > What else could it be? (just as a note I have not enabled anything
> > extra with the cryptographic API modules. )
> 
> It could very well be a problem with the algorithms.  Which algorithms 
> are negotiated between the two hosts?  Did you configure anything 
> special on the responder?
> 
> Regards,
> Tobias
> 


Hi Federico and Tobias,
Have you been successful in making the tunnel with Froyo or Gingerbread? I have
been successful in making the tunnel between a 2.2 device and an Ubuntu machine, but
when I ported everything to Gingerbread (using a Nexus S), I could not get charon
running on it.
@Tobias: please help.

Regards,
Nitin





Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-14 Thread Rajiv Kulkarni
Hi Tobias

Thank you so much for all the help in solving this issue I am facing.

You are right, I am getting the same error when I use the -check option for
the private key files. I will try to see why that is so. Will get back to you with
any updates/info.

The surprising thing is that when I use the same certificate and
corresponding private key file with Racoon (IKEv1), they work perfectly and
I am able to establish IKE/IPsec tunnels successfully using these certs.

Also, when I try to verify whether the cert and the corresponding
private key match, using the following:

openssl rsa -in  -noout -modulus | openssl sha1
openssl x509 -in  -noout -modulus | openssl sha1

they match perfectly, as they should. But then again the private key file
does seem to have a consistency check error, though?

thanks & regards
rajiv



On Thu, Nov 10, 2011 at 11:56 PM, Tobias Brunner wrote:

> Hi Rajiv,
>
> When I use
>
>openssl rsa -in mfcgw1key2.pem -check -noout
>
> on my x86_64 machine with OpenSSL 0.9.8o I get
>
>RSA key error: dmp1 not congruent to d
>RSA key error: dmq1 not congruent to d
>
> which is also the reason why our libgmp based plugin doesn't like the
> keys, i.e.
>
> > 00[LIB] key integrity tests failed
>
> is logged.  Actually, OpenSSL reports this error for all the keys you
> sent.  So it sure looks like your keys got corrupted somehow (or never
> were valid in the first place).
>
> Regards,
> Tobias
>

Re: [strongSwan] NAT-T and StrongSwan conf

2011-11-14 Thread Alex Lucas
Thank you for your help and suggestions guys, got it working with OpenSwan.

On 09/11/11 10:55, Alex Lucas wrote:
> Dears,
> No ideas? I've tried a lot of combinations of config, including
> specifying very specific IPs for "left", "leftsubnet", "right",
> "rightsubnet", "rightid" etc. The docs are not too helpful for NAT or
> especially double-NAT (which seems to be the case here) scenarios.
>
> BR,
> Alex
>
> On 02/11/11 10:07, Alex Lucas wrote:
>> Hi,
>>
>> The NAT-T stuff is very complicated. My VPN server is behind a router
>> and I enabled port forwarding for ports 500/udp, 4500/udp.
>> Now when I connect via Internet, I get the following log:
>>
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: responding to Main Mode from unknown peer 10.100.30.1:15541
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: NAT-Traversal: Result using RFC 3947: both are NATed
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: Peer ID is ID_IPV4_ADDR: '172.28.209.17'
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:15541
>> #1: deleting connection "L2TP" instance with peer 10.100.30.1
>> {isakmp=#0/ipsec=#0}
>> Nov  2 09:58:09 vpntest.local pluto[3745]: | NAT-T: new mapping
>> 10.100.30.1:15541/14510)
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: sent MR3, ISAKMP SA established
>> Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: cannot respond to IPsec SA request because no connection is known
>> for
>> 202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}
>> Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: sending encrypted notification INVALID_ID_INFORMATION to
>> 10.100.30.1:14510
>> Nov  2 09:58:14 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: Quick Mode I1 message is unacceptable because it uses a previously
>> used Message ID 0xd45e9bf4 (perhaps this is a duplicated packet)
>>
>> How should I configure StrongSwan for it to be able to respond to the
>> IPsec SA request?
>>
>> Regards,
>> Alex
>>



Re: [strongSwan] strongswan pki command error

2011-11-14 Thread Andreas Steffen
Hello Anand,

your private key is not well formed. The OpenSSL command

openssl rsa -inform der -in caKey.der -noout -check

RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d

shows this. If I execute

ipsec pki --gen >  caKey1.der

on my system, my key is ok. You somehow modified your openssl library
so that it generates corrupt keys.

Regards

Andreas

On 11/14/2011 10:37 AM, anand rao wrote:
> Hi Andreas,
> 
>>> Did you activate or insert any debug statements writing
>>> to stdout either in the strongSwan or OpenSSL code?
> 
> 
> Yes. It was my mistake: I added a debug message in OpenSSL's rsa_gen.c in the 
> function RSA_generate_key_ex().
> Now I have removed the print statement, and the command "openssl rsa -inform der -in 
> caKey.der -noout -text" was successful.
> 
> But when I try to generate a self-signed certificate for the RSA public key, I am 
> getting the errors below.
> 
> ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwanCA" > 
> caCert.der
> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
> parsing private key failed
> 
> I have attached caKey.der.
> Please help.
> 
> Regards,
> Anand
> 
> 
> - Original Message -
> From: Andreas Steffen 
> To: anand rao 
> Cc: "users@lists.strongswan.org" 
> Sent: Friday, November 11, 2011 6:29 PM
> Subject: Re: [strongSwan] strongswan pki command error
> 
> Hmmm, very strange. The first couple of characters as ASCII Text are
> 
> od -t a caKey.der
> 
> 000   r   s   a   -   >   m   e   t   h   -   >   r   s   a   _   k
> 020   e   y   g   e   n  nl
> 
> rsa->meth->rsa_keygen\n
> 
> The ensuing characters are then the correct binary ASN.1 DER encoding
> of the private key
> 
> od -t x1 caKey.der
> 
> 000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
> 020 65 79 67 65 6e 0a
>                           30 82 05 a7 02 01 00 02 82 01
> 040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
> 060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
> 100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
> 120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
> 140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30
> 
> 30 82 05 a7      # RSA Private key, length 1447 bytes
>    02 01         # Version: 0
>       00         #
>    02 82 01 01   # Modulus n, length 257 bytes
>       00 ee 75 ..
> 
> Size of caKey.der file                       1473 bytes.
> Size of debug string                          -22 bytes
> Size of ASN.1 sequence tag and length field    -4 bytes
>                                              --
> Encoded RSA private key length               1447 bytes
> 
> I grepped our whole source code for "rsa_keygen" but there was
> no hit. Did you activate or insert any debug statements writing
> to stdout either in the strongSwan or OpenSSL code?
> 
> Regards
> 
> Andreas
> 
> On 11/11/2011 01:13 PM, anand rao wrote:
>> Hi Andreas,
>>
>> Please find the caKey.der attached. It was unreadable using cat command.
>>
>> Regards
>> Anand
>>
>>
>>
>> - Original Message -
>> From: Andreas Steffen 
>> To: anand rao 
>> Cc: "users@lists.strongswan.org" 
>> Sent: Friday, November 11, 2011 5:39 PM
>> Subject: Re: [strongSwan] strongswan pki command error
>>
>> Could you send me that private key file?
>>
>> Regards
>>
>> Andreas
>>
>> On 11/11/2011 12:00 PM, anand rao wrote:
>>> Hi Andreas,
>>>
>>> when I execute openssl rsa -inform der -in caKey.der -noout -text
>>> I am getting below errors.
>>>
>>>
>>> root@OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
>>> unable to load Private Key
>>> 8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
>>> 8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
>>> 8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
>>> 8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:
>>>
>>>
>>> BR's
>>> Anand
>>>
>>>
>>> - Original Message -
>>> From: Andreas Steffen 
>>> To: anand rao 
>>> Cc: "users@lists.strongswan.org" 
>>> Sent: Thursday, November 10, 2011 7:28 PM
>>> Subject: Re: [strongSwan] strongswan pki command error
>>>
>>> Hi Anand,
>>>
>>> If I execute the same commands then the ca cert generation works.
>>>
>>> - Verify if openssl rsa -inform der -in caKey.der -noout -text works
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 10.11.2011 14:49, anand rao wrote:
>>>> Hi,
>>>>
>>>>     I am using strongswan 4.3.6
>>>>
>>>> I have tried to generate certificates using the strongSwan PKI gen tool to 
>>>> generate an RSA certificate.
>>>> I am getting the errors below.
>>>>
>>>> root@evm1gw:/etc/cert# ipsec pki --gen>  caKey.der
>>>> root@evm1gw:/etc/cert#
>>>> root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn 
>>>> "C=IN,O=strongSwan, CN=strongSwan CA" --ca>  caCert.der
>>>> file coded in unknown format, discarded
>>>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>>>> parsing private key failed
>>>>
>>>> I have used the default load so all the plugins are loaded. Please help.
>>>>
>>>> Thanks,
Re: [strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-14 Thread Andreas Steffen
Hello,

you define only mark 10 but not mark 20. No traffic will go through
the tunnel without a mark (either 10 or 20) set.

Regards

Andreas

On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> Hi,
>  
> My aim is to create two IPsec tunnels using strongSwan between two
> end-points, each having a different dscp marking (like say EF, BE, AF31
> etc). Right now, I see that when I set the dscp marking as BE (default),
> the traffic goes through the designated IPsec tunnel. When I use
> anything else, the traffic reaches the other end-point in plain-text
> (there is no encryption). I tried referring to your example in
> http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> I see that you are able to send encrypted traffic with dscp marking EF
> and BE. I believe that the reason dscp-marked traffic does not flow
> through a tunnel could be because the tunnel does not have the
> 'capability' to handle that particular dscp-marking. Could you please
> let me know if this is the case, and also if there is anything I need to
> change (kernel version, strongSwan version, config file) to get this
> working. I have pasted the details of my end-points below, with dscp set
> to EF:
>  
> linux kernel version on both end-points: 2.6.35
> strongSwan version on both end-points: 4.5.2-1
>  
> _End-point1:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
> #plutostderrlog=/var/log/syslog
> # plutodebug=control
> # crlcheckinterval=600
> strictcrlpolicy=no
> # cachecrls=yes
> # nat_traversal=yes
> charonstart=yes
> charondebug=control
> plutostart=no
> # Add connections here.
> 
> ca strongswan
> cacert=caCert.der
> auto=add
> conn %default
> type=tunnel
> left=169.254.0.70
> leftcert=VC1Cert.der
> right=169.254.1.70
> #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> keyexchange=ikev2
> auto=start
> conn tunnel1
> leftid=@VC1-tunnel1 
> rightid=@VC2-tunnel1 
> leftsubnet=169.254.0.0/24 
> rightsubnet=169.254.1.0/24 
> mark=10
> conn tunnel2
> leftid=@VC1-tunnel2 
> rightid=@VC2-tunnel2 
> leftsubnet=169.254.0.0/24 
> rightsubnet=169.254.1.0/24 
> mark=20
> 
> # ipsec status
> Security Associations:
>  tunnel1[1]: ESTABLISHED 37 seconds ago,
> 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
>  tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
>  tunnel1{3}:   169.254.0.0/24  ===
> 169.254.1.0/24 
>  tunnel2[2]: ESTABLISHED 37 seconds ago,
> 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
>  tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
>  tunnel2{4}:   169.254.0.0/24  ===
> 169.254.1.0/24 
> 
> # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target prot opt source   destination
> MARK   all  --  anywhere anywhereDSCP match
> 0x2eMARK set 0xa
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
> MARK   all  --  anywhere anywhereDSCP match
> 0x2eMARK set 0xa
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source   destination
> 
> # ping 169.254.1.70
> PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> 64 bytes from 169.254.1.70 : icmp_req=1 ttl=63
> time=0.192 ms
> 64 bytes from 169.254.1.70 : icmp_req=2 ttl=63
> time=0.129 ms
> ^C
> --- 169.254.1.70 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
>  
> _End-point 2:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
> # plutodebug=control
> # crlcheckinterval=600
>  strictcrlpolicy=no
> # cachecrls=yes
> # nat_traversal=yes
> charonstart=yes
> plutostart=no
> charondebug=control
> # Add connections here.
> 
> ca strongswan
> cacert=caCert.der
> auto=add
> conn %default
> type=tunnel
> left=169.254.1.70
> leftcert=VC2Cert.der
> right=169.254.0.70
> #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> keyexchange=ikev2
> auto=start
> conn tunnel1
> leftid=@VC2-tunn

Re: [strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-14 Thread Meera Sudhakar
Hello Andreas,

Yes, I agree with you.

I have first set the following rules in the mangle table on both endpoints:
iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class
EF

So with these rules, all traffic passing between the endpoints will be
marked with 10, and will have dscp EF. Since one of my tunnels has been
configured with mark=10 (in ipsec.conf), that means all these packets
should travel through this tunnel. In other words, I am only trying to set
dscp=EF for my first tunnel which has mark=10. I am not using the second
tunnel with mark=20 now. This worked fine when only the marking was given
in the iptables rules, without the dscp. So my understanding is that I can
use any one of the created tunnels at a time. Please correct me if this is
wrong.

Thanks,
Meera


On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hello,
>
> you define only mark 10 but not mark 20. No traffic will go through
> the tunnel without a mark (either 10 or 20) set.
>
> Regards
>
> Andreas
>
> On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> > Hi,
> >
> > My aim is to create two IPsec tunnels using strongSwan between two
> > end-points, each having a different dscp marking (like say EF, BE, AF31
> > etc). Right now, I see that when I set the dscp marking as BE (default),
> > the traffic goes through the designated IPsec tunnel. When I use
> > anything else, the traffic reaches the other end-point in plain-text
> > (there is no encryption). I tried referring to your example in
> > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> > I see that you are able to send encrypted traffic with dscp marking EF
> > and BE. I believe that the reason dscp-marked traffic does not flow
> > through a tunnel could be because the tunnel does not have the
> > 'capability' to handle that particular dscp-marking. Could you please
> > let me know if this is the case, and also if there is anything I need to
> > change (kernel version, strongSwan version, config file) to get this
> > working. I have pasted the details of my end-points below, with dscp set
> > to EF:
> >
> > linux kernel version on both end-points: 2.6.35
> > strongSwan version on both end-points: 4.5.2-1
> >
> > _End-point1:_
> > # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> > #plutostderrlog=/var/log/syslog
> > # plutodebug=control
> > # crlcheckinterval=600
> > strictcrlpolicy=no
> > # cachecrls=yes
> > # nat_traversal=yes
> > charonstart=yes
> > charondebug=control
> > plutostart=no
> > # Add connections here.
> >
> > ca strongswan
> > cacert=caCert.der
> > auto=add
> > conn %default
> > type=tunnel
> > left=169.254.0.70
> > leftcert=VC1Cert.der
> > right=169.254.1.70
> > #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> > keyexchange=ikev2
> > auto=start
> > conn tunnel1
> > leftid=@VC1-tunnel1 
> > rightid=@VC2-tunnel1 
> > leftsubnet=169.254.0.0/24 
> > rightsubnet=169.254.1.0/24 
> > mark=10
> > conn tunnel2
> > leftid=@VC1-tunnel2 
> > rightid=@VC2-tunnel2 
> > leftsubnet=169.254.0.0/24 
> > rightsubnet=169.254.1.0/24 
> > mark=20
> >
> > # ipsec status
> > Security Associations:
> >  tunnel1[1]: ESTABLISHED 37 seconds ago,
> > 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
> >  tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
> >  tunnel1{3}:   169.254.0.0/24  ===
> > 169.254.1.0/24 
> >  tunnel2[2]: ESTABLISHED 37 seconds ago,
> > 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
> >  tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
> >  tunnel2{4}:   169.254.0.0/24  ===
> > 169.254.1.0/24 
> >
> > # iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source   destination
> > MARK   all  --  anywhere anywhereDSCP match
> > 0x2eMARK set 0xa
> > Chain INPUT (policy ACCEPT)
> > target prot opt source   destination
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source   destination
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source   destination
> > MARK   all  --  anywhere anywhereDSCP match
> > 0x2eMARK set 0xa
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source  

Re: [strongSwan] NAT-T and StrongSwan conf

2011-11-14 Thread Tobias Brunner
Hi Alex,

> Thank you for your help and suggestions guys, got it working with
> OpenSwan.

Interesting.  Would you care to share the config that enabled you to do
this with OpenSwan?  Because I'm pretty sure L2TP/IPsec with destination
NAT (i.e. the responder behind a NAT) is currently not possible with
strongSwan.

Thanks,
Tobias



Re: [strongSwan] NAT-T and StrongSwan conf

2011-11-14 Thread Alex Lucas
Hi Tobias,

OpenSwan ipsec.conf:

config setup
 nat_traversal=yes
 protostack=netkey

conn psk-nat
 rightsubnet=vhost:%priv
 also=psk-nonat

conn psk-nonat
 authby=secret
 pfs=no
 auto=add
 keyingtries=3
 rekey=no
 dpddelay=5
 dpdtimeout=10
 dpdaction=clear
 ikelifetime=8h
 keylife=1h
 type=transport
 left=10.0.0.5 # vpn server ip
 leftprotoport=17/1701
 right=%any
 rightprotoport=17/%any

conn passthrough-for-non-l2tp
 type=passthrough
 left=10.0.0.5 # vpn server ip
 leftnexthop=10.0.0.1 # router in front of vpn server
 right=0.0.0.0
 rightsubnet=0.0.0.0/0
 auto=route



On 15/11/11 14:44, Tobias Brunner wrote:
> Hi Alex,
>
>> Thank you for your help and suggestions guys, got it working with
>> OpenSwan.
> Interesting.  Would you care to share the config that enabled you to do
> this with OpenSwan?  Because I'm pretty sure L2TP/IPsec with destination
> NAT (i.e. the responder behind a NAT) is currently not possible with
> strongSwan.
>
> Thanks,
> Tobias
