Re: [strongSwan] PATCH: Payload order for aggressive mode

2013-09-11 Thread Gerald Richter - ECOS
Hi Martin,

> 
> While there is no specific text about the payload order, general consensus is
> that the message/payload diagrams in the RFC define the payload order. For
> aggressive mode (RFC 3947, section 4), this is:
> 
> >UDP(4500,4500) HDR*#, [CERT, ],
> >NAT-D, NAT-D,
> >SIG_I -->
> 
> While a signature payload is used here, I take this as a clear indication to
> insert the NAT payloads before the SIG/HASH payload.
> 
> I'm skeptical about changing the payload order to something "less correct",
> as it is likely to break interoperability with other implementations.
> 

Although I can understand your doubts about changing the order, I see a huge benefit if
the interoperability of strongSwan with other vendors can be enhanced.

So maybe, we can make this an option in strongswan.conf?

Regards

Gerald
 


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[strongSwan] Windows 7 connection dies after a few minutes, but the client never notices

2013-09-11 Thread Micah R Ledbetter
Hello,

I'm having a problem with Windows 7 clients where the connection dies
after a few minutes. The server notices and drops it, but the client
thinks it's still connected (even though it can no longer talk to the
remote network).

The logs do this:

    20130911-174604 06[KNL] received a XFRM_MSG_MAPPING
    20130911-174604 06[KNL] NAT mappings of ESP CHILD_SA with SPI c593df3b and reqid {1} changed, queuing update job
    20130911-174604 02[MGR] checkout IKE_SA by ID
    20130911-174604 02[MGR] IKE_SA employees-win7[1] successfully checked out
    20130911-174604 02[MGR] checkin IKE_SA employees-win7[1]
    20130911-174604 02[MGR] check-in of IKE_SA successful.
    20130911-174615 07[JOB] got event, queuing job for execution
    20130911-174615 07[JOB] next event in 7s 144ms, waiting
    20130911-174615 01[MGR] checkout IKE_SA
    20130911-174615 01[MGR] IKE_SA employees-win7[1] successfully checked out
    20130911-174615 01[IKE] giving up after 5 retransmits
    20130911-174615 01[CHD] running updown script: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='employees-win7' PLUTO_INTERFACE='eth0' PLUTO_REQID='1' PLUTO_ME='172.16.1.15' PLUTO_MY_ID='vpn.doubleline.us' PLUTO_MY_CLIENT='172.16.0.0/17' PLUTO_MY_CLIENT_NET='172.16.0.0' PLUTO_MY_CLIENT_MASK='17' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='24.173.214.18' PLUTO_PEER_ID='192.168.1.229' PLUTO_PEER_CLIENT='10.128.0.1/32' PLUTO_PEER_CLIENT_NET='10.128.0.1' PLUTO_PEER_CLIENT_MASK='32' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_UDP_ENC='4500' ipsec _updown iptables
    20130911-174616 01[IKE] unable to reestablish IKE_SA due to asymmetric setup
    20130911-174616 01[MGR] checkin and destroy IKE_SA employees-win7[1]
    20130911-174616 01[IKE] IKE_SA employees-win7[1] state change: ESTABLISHED => DESTROYING
    20130911-174616 01[KNL] deleting SAD entry with SPI c593df3b

So it has a working "checkout" and "checkin" cycle at 17:46:04, but
then by 17:46:15 something has failed, it retransmits the "checkout" 5
times with no response, and ends the connection.

This timing problem is not consistent. I have been connected for
almost an hour before it started happening, but nine times out of ten,
it happens between 8 and 10 minutes in. If the client is constantly
talking to the remote network (even just doing a `ping -t` on
Windows), I don't have this problem.

This is ipsec.conf:

    config setup
        plutostart=no

    conn employees-win7
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=30s
        rekey=no
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        left=172.16.1.15
        leftsubnet=172.16.0.0/17
        leftfirewall=yes
        leftauth=pubkey
        leftcert=vpn.example.com.crt.pem
        leftid=vpn.example.com
        right=%any
        rightsourceip=10.128.0.0/20
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add


And this is strongswan.conf:

    charon {
        threads = 16
        dns1 = 172.16.3.246
        filelog {
            /var/log/charon_debug.log {
                append = no
                default = 4
                flush_line = yes
                time_format = %Y%m%d-%H%M%S
            }
        }
    }

The client is configured exactly as recommended on the wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapConfig

The client is running Windows 7 Pro with all updates applied. The
server OS is Ubuntu 12.04.3 LTS with all updates applied, and `ipsec
version` reports "Linux strongSwan U4.5.2/K3.2.0-52-virtual".

I've tried changing a couple of things (`dbdaction=restart`,
`reauth=no`, `dpddelay=60m`) without a change in this behavior. I've
also tried making the settings exactly the same as on this page to no
effect: 
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

I also found a mailing list post with this same "unable to reestablish
IKE_SA due to asymmetric setup" message from a few months ago, but it
didn't have any replies:
https://lists.strongswan.org/pipermail/users/2013-May/009185.html

I would greatly appreciate any help. Thanks.

- Micah

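To make failures like the one in Micah's log easier to spot across a longer capture, here is an added example (not from the post or from strongSwan) that parses charon filelog lines in the poster's `time_format = %Y%m%d-%H%M%S` layout and reports each "giving up after N retransmits" teardown together with the IKE_SA the worker thread had checked out and the time since the last NAT mapping change. The sample log is constructed from the lines quoted above; the thread-id correlation rule is an assumption about how charon attributes messages.

```python
import re
from datetime import datetime

# charon filelog line with time_format = %Y%m%d-%H%M%S (the poster's setting):
# "<YYYYMMDD-HHMMSS> <thread>[<GROUP>] <message>"
LINE_RE = re.compile(r"^(\d{8}-\d{6}) (\d+)\[(\w+)\] (.*)$")
CHECKOUT_RE = re.compile(r"IKE_SA (\S+) successfully checked out")
GIVE_UP_RE = re.compile(r"giving up after (\d+) retransmits")

# Constructed sample, condensed from the log quoted in the post above.
SAMPLE_LOG = """\
20130911-174604 06[KNL] NAT mappings of ESP CHILD_SA with SPI c593df3b and reqid {1} changed, queuing update job
20130911-174604 02[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174604 02[MGR] check-in of IKE_SA successful.
20130911-174615 01[MGR] IKE_SA employees-win7[1] successfully checked out
20130911-174615 01[IKE] giving up after 5 retransmits
20130911-174616 01[IKE] unable to reestablish IKE_SA due to asymmetric setup
20130911-174616 01[IKE] IKE_SA employees-win7[1] state change: ESTABLISHED => DESTROYING
"""


def find_retransmit_teardowns(log_text):
    """One record per 'giving up after N retransmits', naming the IKE_SA the
    worker thread had checked out and the seconds since the last NAT mapping
    change (a hint that the client's NAT binding, not the tunnel, moved)."""
    current_sa = {}        # thread id -> IKE_SA that thread has checked out
    last_nat_change = None
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue       # wrapped continuation or non-charon line
        ts = datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
        thread, group, msg = m.group(2), m.group(3), m.group(4)
        if group == "KNL" and "NAT mappings" in msg and "changed" in msg:
            last_nat_change = ts
        elif (co := CHECKOUT_RE.search(msg)):
            current_sa[thread] = co.group(1)
        elif (gu := GIVE_UP_RE.search(msg)):
            since = (ts - last_nat_change).total_seconds() if last_nat_change else None
            events.append({"ike_sa": current_sa.get(thread), "at": ts,
                           "retransmits": int(gu.group(1)),
                           "secs_since_nat_change": since,
                           "asymmetric_setup": False, "destroyed": False})
        elif events and events[-1]["ike_sa"] == current_sa.get(thread):
            # Assumption: follow-up lines from the same worker concern that SA.
            if "asymmetric setup" in msg:
                events[-1]["asymmetric_setup"] = True
            if "ESTABLISHED => DESTROYING" in msg:
                events[-1]["destroyed"] = True
    return events
```

Run it over the full `/var/log/charon_debug.log` to see whether every teardown follows a NAT mapping change by a similar interval, which separates a NAT-keepalive or DPD timing issue from a one-off outage.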


[strongSwan] Translating Cisco to StrongSwan ikeV1 ESP / IKE Algorithms

2013-09-11 Thread Izz Abdullah
Hello all:
I know this is a primitive question, but I am looking for a general guide on
converting ipsec transform-set and isakmp encryption / hash from a Cisco config
to strongSwan ESP and IKE proposals.  Can anyone point me to a general
algorithm for making the conversion, or to a site that has some examples?  I've
looked and am not having any luck.

Thanks,
Izz


Izz Abdullah
Senior Systems Engineer
izz.abdul...@wepanow.com
www.wepanow.com



