[strongSwan] IKEv1 and IP pools
I'm working on setting up a strongSwan server to support a large number of clients (including Apple iOS, so I'm stuck with IKEv1). I've crossed a number of hurdles and have individual connections working fine, but I'm currently stuck on virtual IPs.

There seems to be contradictory information regarding this, although it's not looking good. The wiki page on virtual IPs [1] is a little coy, but certainly seems to suggest that IP pools are a charon-only feature. This list message from Feb 2009 [2] seems to confirm it quite clearly. But then this subsequent message from Sep 2010 [3] states "IKEv1 with IP pools: strongSwan is the only choice!".

So just to be clear, let's say I want to support a large number of IKEv1 clients (think thousands of iPhones) with XAUTH/RSA. Is there any practical way to do this with strongSwan? The pessimistic interpretation of the available information suggests that I would have to produce a unique RSA identity, regenerate a massive ipsec.conf, and restart the server every time I wanted to add an authorized device. (Note that XAUTH is sufficient for my authorization policies; the RSA identities have no value in this regard.) Is there a better way?

I'm currently using strongSwan 4.3.2 on Ubuntu 10.04, although that's not set in stone.

Thanks,
Peter

[1] http://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
[2] https://lists.strongswan.org/pipermail/users/2009-February/003140.html
[3] https://lists.strongswan.org/pipermail/users/2010-September/005293.html

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Restarting ipsec on the left requires restart on the right
Hi,

I observed this on a pretty vanilla tunnel setup between two servers, using Ubuntu 10.04/strongSwan 4.3.2 on the left and Ubuntu 11.10/strongSwan 4.5.2 on the right, with IKEv1.

Issuing an "ipsec restart" on the left end of the tunnel seems to kill the connection and it won't come back until I issue an "ipsec restart" on the right end as well. Maybe noteworthy: the right server continuously pings a host in the subnet behind the left tunnel. After restarting ipsec on the right the connection works again. This is obviously not practical. It seems the right server is not aware that the connection has been interrupted. How do I make it aware?

It may also be noteworthy that restarting the *right* server does not result in the same problem. In this case the connection is interrupted only for the time it takes "ipsec restart" on the right to complete. Is this behaviour because of the different strongSwan versions used?

Here is what "ipsec status" says on the left after the restart:

    "left-right": 10.0.0.0/16===10.0.7.47[@left]---10.0.7.1...aa.bb.cc.dd[@right]===192.168.0.0/24; unrouted; eroute owner: #0
    "left-right": newest ISAKMP SA: #0; newest IPsec SA: #0;
    #1: "rz02-daff" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 37s
    #1: pending Phase 2 for "left-right" replacing #0

Here is what "ipsec status" says on the right after the restart:

    #3: "right-left" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2577s
    #3: "right-left" esp.ce0a8...@xx.yy.zz.aa (420 bytes) esp.c1425857@192.168.0.20 (420 bytes); tunnel
    #2: "right-left" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2s
    #4: "right-left" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2100s; newest IPSEC; eroute owner
    #4: "right-left" esp.1efae...@xx.yy.zz.aa (53256 bytes, 0s ago) esp.c6a68d8a@192.168.0.20 (8820 bytes, 533s ago); tunnel
    #1: "right-left" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27059s; newest ISAKMP

Here is the connection definition on the left (looks identical on the right, except for left/rightid, left/rightsubnet and the remote IPsec gateway):

    conn left-right
        type=tunnel
        left=%defaultroute
        leftid=@left
        leftsubnet=10.0.0.0/16
        rightid=@right
        rightsubnet=192.168.0.0/24
        right=aa.bb.cc.dd
        auth=esp
        pfs=yes
        pfsgroup=modp1024
        compress=no
        esp=aes128-sha1!
        ike=aes128-sha1-modp1024!
        ikelifetime=28800s
        keylife=3600s
        keyingtries=%forever
        keyexchange=ikev1
        authby=psk
        auto=start

Any ideas? Any more info I can provide?

Thanks,
Andreas
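The asymmetry in the two status dumps above (the left gateway retransmitting Main Mode message 1 while the right gateway still reports established ISAKMP and IPsec SAs) can be checked mechanically from both ends' "ipsec status" output. The script below is an added example, not code from the thread or from strongSwan; the two status excerpts embedded in it are constructed from the lines quoted in the post, with the left conn name normalised to "left-right". The state names and event names are those printed by pluto-style status output as shown above.

```python
"""Parse pluto-style 'ipsec status' output from both ends of an IKEv1 tunnel
and flag the case where one side is retransmitting Phase 1 (STATE_MAIN_I1)
while the other still believes it has established SAs for the same tunnel.

Added example, not code from the thread or from strongSwan.  The sample
status lines are constructed from the lines quoted in the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: the left gateway right after 'ipsec restart'.
LEFT_STATUS = """\
"left-right": 10.0.0.0/16===10.0.7.47[@left]---10.0.7.1...aa.bb.cc.dd[@right]===192.168.0.0/24; unrouted; eroute owner: #0
"left-right": newest ISAKMP SA: #0; newest IPsec SA: #0;
#1: "left-right" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 37s
#1: pending Phase 2 for "left-right" replacing #0
"""

# Constructed sample: the right gateway, which never noticed the restart.
RIGHT_STATUS = """\
#3: "right-left" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2577s
#3: "right-left" esp.ce0a8...@xx.yy.zz.aa (420 bytes) esp.c1425857@192.168.0.20 (420 bytes); tunnel
#2: "right-left" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2s
#4: "right-left" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2100s; newest IPSEC; eroute owner
#4: "right-left" esp.1efae...@xx.yy.zz.aa (53256 bytes, 0s ago) esp.c6a68d8a@192.168.0.20 (8820 bytes, 533s ago); tunnel
#1: "right-left" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27059s; newest ISAKMP
"""

# '#<n>: "<conn>" STATE_...' lines carry the state machine; 'esp.' lines carry byte counters and are skipped.
STATE_RE = re.compile(r'^#(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_[A-Z0-9_]+)')
EVENT_RE = re.compile(r'(?P<event>EVENT_[A-Z_]+) in (?P<secs>\d+)s')


@dataclass
class SaState:
    num: int
    conn: str
    state: str
    event: str
    secs: int


def parse_status(text):
    """Return one SaState per state-machine line of an 'ipsec status' dump."""
    sas = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        ev = EVENT_RE.search(line)
        sas.append(SaState(int(m['num']), m['conn'], m['state'],
                           ev['event'] if ev else '', int(ev['secs']) if ev else 0))
    return sas


def phase1_established(sas):
    """Main Mode is complete once a side reports STATE_MAIN_I4 (initiator) or STATE_MAIN_R3 (responder)."""
    return any(s.state in ('STATE_MAIN_I4', 'STATE_MAIN_R3') for s in sas)


def phase2_established(sas):
    """Quick Mode is complete once a side reports STATE_QUICK_I2 or STATE_QUICK_R2."""
    return any(s.state in ('STATE_QUICK_I2', 'STATE_QUICK_R2') for s in sas)


def stuck_phase1(sas):
    """Initiator states still waiting for the peer and retransmitting."""
    return [s for s in sas
            if s.state in ('STATE_MAIN_I1', 'STATE_MAIN_I2', 'STATE_MAIN_I3')
            and s.event == 'EVENT_RETRANSMIT']


def diagnose(left_text, right_text):
    """Classify a pair of status dumps as 'up', 'down' or 'asymmetric'.

    'asymmetric' means one gateway is retransmitting Phase 1 while the other
    still reports established ISAKMP and IPsec SAs, i.e. the second gateway
    has not noticed that its peer lost all state.
    """
    left, right = parse_status(left_text), parse_status(right_text)
    for mine, peer in ((left, right), (right, left)):
        if stuck_phase1(mine) and phase1_established(peer) and phase2_established(peer):
            return 'asymmetric'
    if phase2_established(left) and phase2_established(right):
        return 'up'
    return 'down'


if __name__ == '__main__':
    print(diagnose(LEFT_STATUS, RIGHT_STATUS))  # asymmetric
```

Comparing the two dumps from outside is only a diagnostic. The in-band mechanism for a peer that never notices a restarted gateway is IKE dead peer detection, which strongSwan configures per connection with dpdaction and dpddelay in ipsec.conf; that is general strongSwan documentation, not something the thread establishes for this particular 4.3.2/4.5.2 pair.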
[strongSwan] IKEv2 - IKE_AUTH request problem
Hi,

I would appreciate anyone willing to suggest possible cause(s) for the problem below, found in Test "IKEv2.EN.I.1.1.1.3: Use of CHILD_SA" (TAHI IKEv2 test suite). I am using strongSwan version 4.5.2, for an endnode-endnode test, in a RHEL 6.2 environment.

IKE_SA_INIT is established between NUT (node under test) and TN (test node), but the IKE_AUTH request created by NUT is not observed by TN.

Some settings used in ipsec.conf are below (and I can share others if needed for more debugging).

    # Attempt to rekey 5 seconds before the SA expires.
    rekeymargin=5s
    # Set the encryption algorithm for the child SA.
    esp=3des-sha1
    # Set the encryption algorithm for the IKE SA.
    ike=3des-sha1-modp1024
    # Set the lifetime for the IKE SA.
    ikelifetime="64s"
    # Set the lifetime for the child SA.
    keylife="128s"
    # Use perfect forward security on the IKE SA.
    pfs=no
    type=transport

With debug mode set at level 4, the following lines are caught in charon.log (though there is other information which may not be required here):

    ...
    05[CFG] added configuration 'tahi_ikev2_test'
    10[CFG] stroke message => -2036037751 bytes @ 0xfff80ede300
    10[CFG] received stroke: route 'tahi_ikev2_test'
    ...
    10[KNL] adding policy === out
    10[KNL] sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xfff80edda28
    10[KNL] unable to add policy === out
    10[CFG] installing trap failed

I am suspicious of the stroke message, which is shown as negative bytes. Before I dig deeper, I just wanted to check with anyone who has seen this problem earlier.

Thanks for the attention,
Gowri Shankar
[strongSwan] strongSwan on a KVM VPS does not work
Hi all,

I just set up a strongSwan server on a KVM VPS, but the connections have problems. First, here is my ipsec.conf:

    config setup
        strictcrlpolicy=no
        charonstart=yes
        uniqueids=yes

    conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute

    conn ikev2
        keyexchange=ikev2
        leftsubnet=0.0.0.0/0
        leftcert=strongswan.crt
        rightca=%same
        right=%any
        rightsourceip=192.168.11.0/24
        auto=add

The client is a roadwarrior and wants to get a virtual IP. From the log it seems it got the virtual IP; however, the ping from server to client does not work. Here is the charon.log:

    00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.1)
    00[CFG] attr-sql plugin: database URI not set
    00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
    00[KNL] listening on interfaces:
    00[KNL] eth0
    00[KNL] 64.62.209.183
    00[KNL] fe80::216:3cff:febf:ead9
    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    00[CFG] loaded ca certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=la...@lauyu.me" from '/etc/ipsec.d/cacerts/ca.crt'
    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    00[CFG] loading crls from '/etc/ipsec.d/crls'
    00[CFG] loading secrets from '/etc/ipsec.secrets'
    00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswan.key'
    00[CFG] sql plugin: database URI not set
    00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
    00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
    00[CFG] loaded 0 RADIUS server configurations
    00[CFG] HA config misses local/remote address
    00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
    00[LIB] feature CUSTOM:sim-card in 'eap-sim-file' plugin has unsatisfied dependency: CUSTOM:eap-sim-file-triplets
    00[LIB] feature CUSTOM:sim-provider in 'eap-sim-file' plugin has unsatisfied dependency: CUSTOM:eap-sim-file-triplets
    00[DMN] loaded plugins: curl sqlite aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius dhcp
    00[JOB] spawning 16 worker threads
    16[CFG] received stroke: add connection 'ikev2'
    16[CFG] loaded certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=la...@lauyu.me" from 'strongswan.crt'
    16[CFG] id '64.62.209.183' not confirmed by certificate, defaulting to 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=la...@lauyu.me'
    16[CFG] added configuration 'ikev2'
    16[CFG] adding virtual IP address pool 'ikev2': 192.168.11.0/24
    06[NET] received packet: from 121.63.63.197[500] to 64.62.209.183[500]
    06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    06[IKE] 121.63.63.197 is initiating an IKE_SA
    06[IKE] remote host is behind NAT
    06[IKE] sending cert request for "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=la...@lauyu.me"
    06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    06[NET] sending packet: from 64.62.209.183[500] to 121.63.63.197[500]
    05[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]
    05[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]
    05[IKE] received cert request for "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=la...@lauyu.me"
    05[IKE] received end entity cert "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=la...@lauyu.me"
    05[CFG] looking for peer configs matching 64.62.209.183[%any]...121.63.63.197[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=la...@lauyu.me]
    05[CFG] selected peer config 'ikev2'
    05[CFG] using certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=la...@lauyu.me"
    05[CFG] using trusted ca certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=la...@lauyu.me"
    05[CFG] checking certificate status of "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=la...@lauyu.me"
    05[CFG] certificate status is not available
    05[CFG] reached self-signed root ca with a path length of 0
    05[IKE] authentication of 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=la...@lauyu.me' with RSA signature successful
    05[IKE] authentication of 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=la...@lauyu.me' (myself) with RSA signature successful
    05[IKE] IKE_SA ikev2[1] established between 64.62.209.183[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=la...@lauyu.me]...121.63.63.197[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=la...@lauyu.me]
    05[IKE] scheduling reauthentication in 10122s
    05[IKE] maximum IKE_SA lifetime 10662s
    05[IKE] sending end entity cert "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=st
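The charon.log excerpt above records the facts an operator should review before trusting this gateway's certificate authentication: which identity the gateway ended up presenting after "id '64.62.209.183' not confirmed by certificate", which CA anchored the peer's chain, and the "certificate status is not available" line, which with strictcrlpolicy=no means the peer was accepted although no CRL or OCSP result was obtained. The script below is an added example, not code from the post or from strongSwan; its sample log is constructed from the excerpt above with the DNs shortened, and the interpretation of "not available" as "no revocation lookup produced a result" is the author's reading of that message.

```python
"""Triage a charon.log excerpt for the security-relevant events of an IKEv2
certificate authentication: which peer identity was accepted, under which CA,
whether any revocation status was actually obtained, and whether the gateway
fell back from its configured identity to its certificate subject.

Added example, not code from the post or from strongSwan.  The log lines
below are constructed from the excerpt in the post with the DNs shortened.
"""
import re

SAMPLE_LOG = """\
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.1)
00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
16[CFG] id '64.62.209.183' not confirmed by certificate, defaulting to 'C=TC, O=Lauyu.me, CN=strongswan'
16[CFG] adding virtual IP address pool 'ikev2': 192.168.11.0/24
05[IKE] received end entity cert "C=TC, O=Lauyu.me, CN=e71"
05[CFG] using trusted ca certificate "C=TC, O=Lauyu.me, CN=Lauyu.me CA"
05[CFG] checking certificate status of "C=TC, O=Lauyu.me, CN=e71"
05[CFG] certificate status is not available
05[CFG] reached self-signed root ca with a path length of 0
05[IKE] authentication of 'C=TC, O=Lauyu.me, CN=e71' with RSA signature successful
05[IKE] authentication of 'C=TC, O=Lauyu.me, CN=strongswan' (myself) with RSA signature successful
05[IKE] IKE_SA ikev2[1] established between 64.62.209.183[C=TC, O=Lauyu.me, CN=strongswan]...121.63.63.197[C=TC, O=Lauyu.me, CN=e71]
"""

VERSION_RE = re.compile(r"Starting IKEv2 charon daemon \(strongSwan (?P<v>[\d.]+)\)")
PLUGIN_FAIL_RE = re.compile(r"plugin '(?P<name>[^']+)': failed to load")
ID_FALLBACK_RE = re.compile(r"id '(?P<configured>[^']+)' not confirmed by certificate, "
                            r"defaulting to '(?P<used>[^']+)'")
# The '(myself)' line has ' (myself) with' after the quote, so this only matches the peer's authentication.
PEER_AUTH_RE = re.compile(r"authentication of '(?P<id>[^']+)' with (?P<method>.+?) successful$")
CA_RE = re.compile(r'using trusted ca certificate "(?P<ca>[^"]+)"')
STATUS_RE = re.compile(r"certificate status is (?P<status>.+)$")
SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<num>\d+)\] established between "
                   r"(?P<local>[^\s\[]+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<remote>[^\s\[]+)\[(?P<rid>[^\]]+)\]")


def triage(log):
    """Extract the authentication-relevant facts from a charon.log excerpt."""
    facts = {'version': None, 'failed_plugins': [], 'id_fallback': None,
             'peer_id': None, 'peer_auth': None, 'ca': None,
             'revocation_checked': None, 'ike_sas': []}
    for line in log.splitlines():
        if m := VERSION_RE.search(line):
            facts['version'] = m['v']
        elif m := PLUGIN_FAIL_RE.search(line):
            facts['failed_plugins'].append(m['name'])
        elif m := ID_FALLBACK_RE.search(line):
            facts['id_fallback'] = (m['configured'], m['used'])
        elif m := CA_RE.search(line):
            facts['ca'] = m['ca']
        elif m := STATUS_RE.search(line):
            # 'not available' is read here as: neither CRL nor OCSP produced a result.
            facts['revocation_checked'] = m['status'].strip() != 'not available'
        elif m := PEER_AUTH_RE.search(line):
            facts['peer_id'], facts['peer_auth'] = m['id'], m['method']
        elif m := SA_RE.search(line):
            facts['ike_sas'].append((m['conn'], int(m['num']), m['local'], m['lid'],
                                     m['remote'], m['rid']))
    return facts


def findings(facts):
    """Turn the extracted facts into findings a gateway operator should act on."""
    out = []
    if facts['id_fallback']:
        configured, used = facts['id_fallback']
        out.append(f"gateway identity fell back from {configured!r} to certificate subject {used!r}; "
                   f"peers must expect that DN, or leftid should be set explicitly")
    if facts['revocation_checked'] is False:
        out.append(f"no CRL/OCSP status was obtained for peer {facts['peer_id']!r}; "
                   f"it was accepted without a revocation check (strictcrlpolicy=no)")
    if facts['failed_plugins']:
        out.append("plugins that failed to load: " + ", ".join(facts['failed_plugins']))
    return out


if __name__ == '__main__':
    for finding in findings(triage(SAMPLE_LOG)):
        print(finding)
```

The three plugin failures in this particular log (attr-sql, sql, ha) are reported because those plugins are unconfigured, as the preceding "database URI not set" and "HA config misses local/remote address" lines say, so they are informational for this setup; the identity fallback and the missing revocation status are the two findings worth acting on.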
Re: [strongSwan] Reply: IP range support
Hi Chester,

> If I want to add a parameter (like leftiprange,rightiprange) in
> ipsec.conf, and I hope the parameters can be accepted by strongswan,
> how can I implement it?

I'm not sure what you mean by "I hope the parameters can be accepted by strongSwan", but if you want to implement all of this yourselves, you can have a look at the following commits which show the individual steps needed to add a new option to ipsec.conf:

1. Add the new option to keywords.txt|h and parse it in starter:
   http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=2b26a9c3
   Depending on the type of keyword you can't assign it to a member of struct starter_conn directly and you may have to parse it in confread.c manually (but note that many options are actually stored as strings in starter_conn and only parsed later by the IKE daemon).

2. Add the option to struct stroke_msg_t which makes it available to the IKEv2 daemon charon:
   http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1f83541d
   In case of strings you also have to use push_string to actually add the string to the message.

3. Read, parse and use the configured values appropriately in the daemon:
   http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=277fcf9f
   The above commit is really just an example, it highly depends on the kind of option you added. IP address ranges could, for instance, directly be converted to traffic selectors and then added to the child_cfg_t object.

An alternative (and probably easier) solution would be to change how left|rightsubnet is parsed and allow an alternative syntax there (e.g. leftsubnet=192.168.2.6-192.168.2.20).

This has currently not a very high priority for us, but if you need a solution soon and don't want to do this yourselves, you might want to consider our commercial development services. Please contact us directly, if that's an option for you.

Regards,
Tobias
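Tobias's suggested alternative, a start-end range in left|rightsubnet, raises the question of what the daemon would do with a range that is not prefix-aligned: IKEv2 traffic selectors carry arbitrary start/end addresses, but the XFRM policies installed in the kernel are expressed as address/prefix-length, so such a range has to be split into aligned prefixes before it can become policy selectors. The script below is an added example written for this reply, not strongSwan's own parser or traffic_selector_t code; it parses the proposed syntax alongside the existing CIDR and single-host forms and carries out the general greedy splitting algorithm, which also handles IPv6 ranges.

```python
"""Parse left|rightsubnet values in the existing CIDR/host forms plus the
proposed 'start-end' range form, and split a range into the smallest set of
aligned prefixes that prefix-based kernel policies can express.

Added example, not strongSwan's own parser.  The range syntax and the
'.../n' output form are assumptions made for this illustration.
"""
import ipaddress


def parse_subnet_option(value):
    """Return the inclusive (start, end) address pair described by one option value.

    Rejects a range whose end precedes its start and mixed address families.
    CIDR values are parsed strictly, i.e. host bits must be zero.
    """
    value = value.strip()
    if '-' in value:
        start_s, end_s = value.split('-', 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version:
            raise ValueError(f"mixed address families in range {value!r}")
        if end < start:
            raise ValueError(f"range end precedes start in {value!r}")
        return start, end
    net = ipaddress.ip_network(value, strict=True)
    return net[0], net[-1]


def range_to_prefixes(start, end):
    """Greedy split: at each step emit the largest prefix that starts at the
    current address, is aligned to its own size, and does not overrun 'end'."""
    cls = ipaddress.IPv4Network if start.version == 4 else ipaddress.IPv6Network
    max_len = start.max_prefixlen
    cur, last = int(start), int(end)
    prefixes = []
    while cur <= last:
        plen = max_len
        while plen > 0:
            size = 1 << (max_len - plen + 1)        # size of the next larger block
            if cur % size != 0 or cur + size - 1 > last:
                break                               # not aligned, or would overrun the range
            plen -= 1
        prefixes.append(cls((cur, plen)))
        cur += 1 << (max_len - plen)
    return prefixes


def traffic_selectors(value):
    """Convert one left|rightsubnet value into 'addr/len' strings usable as policy selectors."""
    return [str(p) for p in range_to_prefixes(*parse_subnet_option(value))]


def is_valid(value):
    """True if the value parses; used to show the rejected forms without raising."""
    try:
        parse_subnet_option(value)
        return True
    except ValueError:
        return False


def matches_stdlib(value):
    """Cross-check the greedy split against ipaddress.summarize_address_range."""
    start, end = parse_subnet_option(value)
    return range_to_prefixes(start, end) == list(ipaddress.summarize_address_range(start, end))


if __name__ == '__main__':
    # Tobias's example range becomes four prefixes:
    # 192.168.2.6/31, 192.168.2.8/29, 192.168.2.16/30, 192.168.2.20/32
    print(traffic_selectors('192.168.2.6-192.168.2.20'))
```

The fifteen addresses in 192.168.2.6-192.168.2.20 need four kernel policies per direction, which is the cost a range syntax hides from the administrator; the check against ipaddress.summarize_address_range is there because the greedy largest-aligned-block rule is the standard way to do this split and the two must agree on every input.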