[strongSwan] IPSec tunnel for port based TS not working
Hello All,

I'm trying to create an IPsec tunnel only when the traffic is destined for a particular protocol/port combination towards the server (in my case it is 6/22, where 6 corresponds to TCP and 22 corresponds to the default port for SSH). I'm using the rightprotoport=6/22 combination on the client side. Once the tunnel is established, the SSH packets are getting encrypted and it is working fine. But if I try to reach the server via any other protocol like ICMP (ping), I'm not getting the reply on the client side. Ideally it should be a clear-text reply packet from the server.

Please suggest if any other configuration is required on the client/server side apart from 'rightprotoport'.

Thanks
Deepika

P.S.: My IPsec client is behind a router and NAT-T is being used for creating a tunnel to the server.

-- If you think you can or if you think you can't, you are right. -Henry Ford

___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] strongSwan RSA signature vulnerability
We have been informed about a security vulnerability in strongSwan. If the strongSwan "gmp" plugin is used for RSA signature verification, an empty or zeroed signature is handled as a legitimate one. CVE-2012-2388 has been reserved for this vulnerability.

To exploit the vulnerability, a connection definition using RSA authentication is required. An attacker presenting a forged signature and/or certificate can authenticate as any legitimate user. strongSwan versions from 4.2.0 up to 4.6.3 are affected, using both IKEv1 and IKEv2. Injecting code is not possible by such an attack.

The patch at [1] fixes the vulnerability and should apply to all affected versions. Please update your installations as soon as possible. strongSwan 4.6.4 including the fix is available at [2]; the release announcement will follow soon.

Our apologies for having such a serious vulnerability in the strongSwan codebase.

Kind Regards
Martin

[1] http://download.strongswan.org/patches/09_gmp_rsa_signature_patch/strongswan-4.2.0-4.6.3_gmp_rsa_signature.patch
[2] http://download.strongswan.org/strongswan-4.6.4.tar.bz2
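As an added illustration of the defect class in the advisory above (an empty or all-zero RSA signature accepted by the verifier), here is a minimal PKCS#1 v1.5 verifier written for this page. It is not strongSwan's gmp plugin code: `verify_weak` is a constructed model in which the comparison length is derived from the signature itself, and `verify` shows the checks that make such inputs fail closed. The toy key built from Mersenne primes is an assumption made only so the example runs offline.

```python
import hashlib
import hmac

# Constructed toy key: Mersenne primes, so no prime generation is needed.
# Such a key is trivially factorable; it exists only to make the demo run.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus size in bytes (81 here)
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes) -> bytes:
    """Expected encoded message EM = 00 || 01 || FF..FF || 00 || DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg: bytes) -> bytes:
    em = int.from_bytes(emsa_pkcs1_v15(msg), "big")
    return pow(em, D, N).to_bytes(K, "big")

def verify_weak(msg: bytes, sig: bytes) -> bool:
    """Constructed model of the defect class (NOT strongSwan's actual code):
    the recovered value is exported as its minimal byte string, leading
    zeros dropped, and compared only over its own length.  An empty or
    zero signature recovers to 0, exports to b"", and the comparison of
    zero bytes trivially succeeds."""
    m = pow(int.from_bytes(sig, "big"), E, N)
    em = m.to_bytes((m.bit_length() + 7) // 8, "big")
    expected = emsa_pkcs1_v15(msg).lstrip(b"\x00")
    return em == expected[:len(em)]

def verify(msg: bytes, sig: bytes) -> bool:
    """Hardened form: fixed-length handling and a full comparison."""
    if len(sig) != K:                    # signature must be exactly K bytes
        return False
    s = int.from_bytes(sig, "big")
    if s == 0 or s >= N:                 # reject zero and out-of-range values
        return False
    em = pow(s, E, N).to_bytes(K, "big")  # fixed length, leading zeros kept
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg))
```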
[strongSwan] Dynamic control of enabling/disabling plugins at run time?
Hi,

We were trying to work with the "revocation" plugin. In our current system requirement, it is necessary to control the activation of this plugin. The compilation of two separate images is not possible because of the flash memory device limitation. The only way we could do it was to manually use 'load=' to control which plugins to load and in which order. This creates a tremendous upgrade problem.

So, it would be ideal to have some sort of 'dynamic control at run time' in strongswan.conf to indicate which plugin is to be 'enabled/disabled'. Could this be possible as an enhancement?

Thanks much in advance,
-Yong Choo
Re: [strongSwan] configuration error when trying to use --enable-curl
Thank You. Unfortunately, our Linux version is for running real-time software and we do not have all kernel modules. Looking at ours now, we do not have "ldconfig"... The libexec/ipsec/plugins directory has all the libstrongswan-*.so plugins and they are being loaded properly. I'm a bit confused why these libstrongswan-*.so can be loaded but not libcurl.so?

On 5/31/2012 2:52 AM, Martin Willi wrote:
Hi,

> I have libcurl.so in the libexec/ipsec/plugins directory.

Your dynamic linker probably doesn't look for libraries there. All the libstrongswan-* plugins are not loaded implicitly by the linker, but by dlopen().

> Any reason why it is failing to load? I tried to put libcurl.so in /usr/lib, /lib but no difference in the error.

Have you upgraded your ld cache using ldconfig? man ldconfig for details...

Regards
Martin
[strongSwan] HA cluster IP works for a limited period of time
Hi all,

For the moment we are trying to build a cluster IP using 2 virtual machines running on a desktop that later on will serve as gateways. The Linux box that we use has this configuration:

DESKTOP__
|
|Virtual Machine 1:
|OS: Ubuntu 10.04 (with strongSwan patched kernel 2.6.32.59)
|NIC1: eth0 with IP xx.xx.xx.14/24 connected to a local switch
|eth0:0 with IP xx.xx.xx.161/24 <- Address selected for the cluster
|
|Virtual Machine 2:
|OS: Ubuntu 10.04 (with strongSwan patched kernel 2.6.32.59)
|NIC1: eth0 with IP xx.xx.xx.75/24 connected to a local switch
|eth0:0 with IP xx.xx.xx.161/24 <- Address selected for the cluster

LAPTOP___
|OS: Ubuntu 10.04
|NIC1: eth0 with IP xx.xx.xx.176/24 connected to a local switch

Once the setting of the virtual IPs on each virtual machine is done (eth0:0), we can actually ping that address from the laptop. The problem is that it stops a few seconds after adding the rule to iptables, which is done by running the command:

iptables -A INPUT -i eth0 -d xx.xx.xx.161 -j CLUSTERIP --new \
    --hashmode sourceip --clustermac 01:00:5e:00:00:20 \
    --total-nodes 2 --local-node 1

While it is functioning we can see the ESP packets in Wireshark. If VM2 is switched off we can also see the fail-over from PASSIVE to ESTABLISHED on VM1, etc. But as I said, it only lasts a few seconds, maybe a minute at the most.

So, does anyone have an idea of why this might be happening?

Best regards and thank you for reading