Re: [strongSwan] Listing multiple IP addresses on the rightsubnet

2012-03-26 Thread Mohammady Mahdy
Thanks for your reply.

Is there a known workaround around this?

Thanks & Best Regards,
Mahdy

-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] 
Sent: Monday, March 26, 2012 6:26 PM
To: Mohammady Mahdy
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Listing multiple IP addresses on the rightsubnet

Hello Mahdy,

this notation works with IKEv2 only.

Regards

Andreas

On 26.03.2012 10:53, Mohammady Mahdy wrote:
> Hi,
> 
> I've been given multiple IP addresses that are too diverse to fit in
> a reasonable sized subnet. I am using the same installation as a 
> lan-to-lan gateway for multiple connections, and I don't wish to use
> an oversized subnet that might make life harder in adding newer
> subnets in the future.
> 
> Is there a way to put a list of IP addresses in the rightsubnet?
> 
> I tried something like:
> 
> rightsubnet=10.122.193.172/32,10.124.196.172/32,10.123.105.152/32,10.121.105.153/32,10.123.158.12/32,10.120.110.14/32
> 
> It starts up fine but the first address only is recognized.
> 
> Any ideas about the recommended configuration style to use?
> 
> Thanks & Best Regards,
> 
> Mahdy

==========================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===============================================[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
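As an added illustration of what Andreas's answer means in ipsec.conf terms (example configuration written for this archive page, not taken from the thread or from the strongSwan project): with keyexchange=ikev2 the comma-separated list is sent as several traffic selectors inside one CHILD_SA, whereas IKEv1 Quick Mode negotiates exactly one selector pair per IPsec SA, so under pluto each /32 needs its own conn section. The gateway addresses, identities and conn names are assumed placeholders; only the rightsubnet list comes from the thread.

```conf
# Assumed values: gateway addresses, ids and conn names are placeholders.

# IKEv2: one CHILD_SA proposing all six selectors in a single TSr payload;
# charon installs one kernel policy pair per selector.
conn lan-to-lan-v2
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.10.0.0/16
    leftid=@gw-a.example.com
    right=198.51.100.1
    rightid=@gw-b.example.com
    rightsubnet=10.122.193.172/32,10.124.196.172/32,10.123.105.152/32,10.121.105.153/32,10.123.158.12/32,10.120.110.14/32
    auto=start

# IKEv1 (pluto): Quick Mode carries a single selector pair per IPsec SA,
# so with the list form only the first entry takes effect. Put the shared
# settings in a template section (auto defaults to ignore, so it is never
# started by itself) and define one conn per /32; the per-host conns reuse
# the ISAKMP SA already established with the same peer.
conn gw-b-v1
    keyexchange=ikev1
    left=192.0.2.1
    leftsubnet=10.10.0.0/16
    leftid=@gw-a.example.com
    right=198.51.100.1
    rightid=@gw-b.example.com

conn gw-b-host1
    also=gw-b-v1
    rightsubnet=10.122.193.172/32
    auto=start

conn gw-b-host2
    also=gw-b-v1
    rightsubnet=10.124.196.172/32
    auto=start

conn gw-b-host3
    also=gw-b-v1
    rightsubnet=10.123.105.152/32
    auto=start

# one further section of the same shape for each remaining /32
```

After `ipsec statusall`, the IKEv2 variant should list all six selectors under a single CHILD_SA, while the IKEv1 variant shows one IPsec SA per conn.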


Re: [strongSwan] Upgrade issue

2012-03-26 Thread Peter Sagerson
Hi Tobias,

Thanks for getting back to me. I should have mentioned that the different 
keyids are just an artifact of the automatic process we have for provisioning 
clients. I've gone back and used the same identity on both servers just to be 
sure, and see the same results. I've also been trying to clean up anything in 
the logs that looks like a warning, such as not finding CRLs.

I'm attaching the full control+controlmore logs from both versions in case 
anyone's interested (IP redacted). A diff shows them effectively identical 
until after the "full match" lines. Perhaps you could interpret the "no 
match"/"full match" lines for me? Is it significant that 4.5.2 lacks the 
"offered CA:" line? Is there a document that I haven't found describing the 
necessary and sufficient conditions for a connection to be considered 
"suitable" for a peer? (Connection matching looks like a dark art from the 
outside). I'm trying to think of specific and useful questions to ask so I'm 
not just dumping logs on someone and hoping for a solution.

Thanks,
Peter


| unref key: 0xb7b9ccf8 0xb7b9dc40 cnt 1 'C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=t...@example.com, 55:04:2e=285c05bfc6341f1e1c4d65fa3d28d87f'
|   ref key: 0xb7b9d4f8 0xb7b9daa0 cnt 0 'C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=t...@example.com, 55:04:2e=285c05bfc6341f1e1c4d65fa3d28d87f'
| XAUTHInitRSA check passed with keyid d3:0b:d6:8d:7c:8d:8a:3b:a2:65:63:ef:a1:6a:39:4a:4c:24:88:a3
|   ref key: 0xb7b9d4f8 0xb7b9daa0 cnt 1 'C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=t...@example.com, 55:04:2e=285c05bfc6341f1e1c4d65fa3d28d87f'
| peer CA:  "C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=Cloak Public IPSec CA"
| requested CA: %any
| ipsec:  no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)
| ipsec: full match (id: ok, auth: ok, trust: ok, request: ok, prio: 1216)
"ipsec"[2] xx.xx.xx.xx:223 #2: no suitable connection for peer 'C=US, ST=Washington, O=Bourgeois Bits LLC, OU=Cloak, CN=t...@example.com, 55:04:2e=285c05bfc6341f1e1c4d65fa3d28d87f'
"ipsec"[2] xx.xx.xx.xx:223 #2: sending encrypted notification INVALID_ID_INFORMATION to xx.xx.xx.xx:223


On Mar 26, 2012, at 9:49 AM, Tobias Brunner wrote:

> Hi Peter,
> 
>> With 4.4.0, this works great; here's a relevant snippet from pluto.log 
>> (after all the certs have checked out):
>> 
>> | XAUTHInitRSA check passed with keyid 
>> 08:f4:bf:b9:2d:e8:da:89:48:51:70:dc:1a:e8:a8:93:33:02:a1:3c
>> ...
>> 
>> Now when I use the same config on 4.5.2, I get a slightly different and less 
>> encouraging result:
>> 
>> | XAUTHInitRSA check passed with keyid 
>> d3:ab:cf:e0:aa:0d:4d:c3:9c:19:d0:6c:7f:99:9b:a5:04:b4:d1:75
>> ...
> 
> The logged keyid is different.  Did you also change the certificates?
> 
> Try adding 'controlmore' to plutodebug, this should give you more
> information when pluto tries to find a suitable connection.
> 
> Regards,
> Tobias


Re: [strongSwan] need to allow ssl restriction

2012-03-26 Thread Andreas Steffen
Hello Sanjay,

you can define a pass shunt policy for TCP port 443.
Just have a look at our example scenario:

 www.strongswan.org/uml/testresults/ikev2/shunt-policies/

Regards

Andreas

On 26.03.2012 20:12, Shukla, Sanjay wrote:
> I am using 4.6.2 charon with IKEv2. What approaches are suggested to
> allow TLS / 443 traffic restriction so that they are not subject to IPSec.
> 
> Regards,
> 
> -sanjay




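An added ipsec.conf sketch of the pass shunt Andreas refers to (written for this archive page, not copied from the thread or from the linked test scenario; addresses, identities and conn names are assumed placeholders). A conn with type=pass installs bypass policies and never negotiates an SA, so auto=route is all it needs; its port-qualified selector is narrower than the tunnel's, so the kernel applies it ahead of the broad net-net policy.

```conf
# Assumed values: addresses, ids and conn names are placeholders.
conn %default
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw.example.com
    right=198.51.100.1
    rightid=@peer.example.com

# The regular tunnel: everything between the two subnets is protected.
conn net-net
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=start

# Pass shunt for TLS to HTTPS servers on the remote side: packets to
# 10.2.0.0/16 port 443 and their replies bypass IPsec. No SA is created,
# only a bypass policy, hence type=pass and auto=route.
conn pass-https-remote
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16[tcp/443]
    type=pass
    auto=route

# Same for HTTPS servers on the local side (remote clients reaching
# 10.1.0.0/16 port 443). Omit this section if there are none.
conn pass-https-local
    leftsubnet=10.1.0.0/16[tcp/443]
    rightsubnet=10.2.0.0/16
    type=pass
    auto=route
```

Verify the result with `ip xfrm policy`: the port-443 selectors should appear as policies without a tmpl entry, and a TLS session to the remote subnet should no longer show up as ESP on the wire.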

[strongSwan] need to allow ssl restriction

2012-03-26 Thread Shukla, Sanjay
I am using 4.6.2 charon with IKEv2. What approaches are suggested to allow TLS 
/ 443 traffic restriction so that they are not subject to IPSec.

Regards,
-sanjay


Re: [strongSwan] local traffic inspection on strongswan endpoint, how?

2012-03-26 Thread Tobias Brunner
Hi Andreas,

Have a look at the last question in our FAQs [1].

> I just learned that the tcpdump -E option can do something like what I want.

tcpdump seems quite limited regarding the supported algorithms.  You
could try to dump the packets with tcpdump to a file and then analyze
them with wireshark (which supports more algorithms) on another host.

Regards,
Tobias

[1]
http://wiki.strongswan.org/projects/strongswan/wiki/FAQ#General-Questions



Re: [strongSwan] Upgrade issue

2012-03-26 Thread Tobias Brunner
Hi Peter,

> With 4.4.0, this works great; here's a relevant snippet from pluto.log (after 
> all the certs have checked out):
> 
> | XAUTHInitRSA check passed with keyid 
> 08:f4:bf:b9:2d:e8:da:89:48:51:70:dc:1a:e8:a8:93:33:02:a1:3c
> ...
> 
> Now when I use the same config on 4.5.2, I get a slightly different and less 
> encouraging result:
> 
> | XAUTHInitRSA check passed with keyid 
> d3:ab:cf:e0:aa:0d:4d:c3:9c:19:d0:6c:7f:99:9b:a5:04:b4:d1:75
> ...

The logged keyid is different.  Did you also change the certificates?

Try adding 'controlmore' to plutodebug, this should give you more
information when pluto tries to find a suitable connection.

Regards,
Tobias



Re: [strongSwan] Listing multiple IP addresses on the rightsubnet

2012-03-26 Thread Andreas Steffen
Hello Mahdy,

this notation works with IKEv2 only.

Regards

Andreas

On 26.03.2012 10:53, Mohammady Mahdy wrote:
> Hi,
> 
> I’ve been given multiple IP addresses that are too diverse to fit in
> a reasonable sized subnet. I am using the same installation as a 
> lan-to-lan gateway for multiple connections, and I don’t wish to use
> an oversized subnet that might make life harder in adding newer
> subnets in the future.
> 
> Is there a way to put a list of IP addresses in the rightsubnet?
> 
> I tried something like:
> 
> rightsubnet=10.122.193.172/32,10.124.196.172/32,10.123.105.152/32,10.121.105.153/32,10.123.158.12/32,10.120.110.14/32
> 
> It starts up fine but the first address only is recognized.
> 
> Any ideas about the recommended configuration style to use?
> 
> Thanks & Best Regards,
> 
> Mahdy





[strongSwan] Listing multiple IP addresses on the rightsubnet

2012-03-26 Thread Mohammady Mahdy
Hi,

I've been given multiple IP addresses that are too diverse to fit in a
reasonable sized subnet. I am using the same installation as a lan-to-lan
gateway for multiple connections, and I don't wish to use an oversized
subnet that might make life harder in adding newer subnets in the future.

Is there a way to put a list of IP addresses in the rightsubnet?

I tried something like:

rightsubnet=10.122.193.172/32,10.124.196.172/32,10.123.105.152/32,10.121.105.153/32,10.123.158.12/32,10.120.110.14/32

It starts up fine but the first address only is recognized.

Any ideas about the recommended configuration style to use?

Thanks & Best Regards,

Mahdy
