[strongSwan] CentOS 7.1 yum install strongswan [IOS8]

2015-07-20 Thread jinquan deng
Hi,

IOS8 VPN Connection: Could not validate the server certificate.

Windows connected properly.


--- Error Messages ---

LOG

Jul 21 10:07:28 localhost charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jul 21 10:07:28 localhost charon: 04[CFG] looking for an ike config for 112.91.xx.209...112.96.173.55
Jul 21 10:07:28 localhost charon: 04[CFG]   candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost charon: 04[CFG]   candidate: %any...%any, prio 28
Jul 21 10:07:28 localhost charon: 04[CFG] found matching ike config: %any...%any with prio 28
Jul 21 10:07:28 localhost charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received XAuth vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received Cisco Unity vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received FRAGMENTATION vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received DPD vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA
Jul 21 10:07:28 localhost charon: 04[IKE] IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 0
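The posted log has charon logging "no acceptable ... found" after every "selecting proposal:" line, which is the part a responder reads first. As an added example (not from the thread), the following parser tallies those rejections from charon log lines; SAMPLE_LOG is a constructed excerpt in the same format, and the field names are my own.

```python
import re
from collections import Counter

# Constructed excerpt of the charon log posted above (same line format, fewer lines)
SAMPLE_LOG = """\
Jul 21 10:07:28 localhost charon: 04[IKE] received XAuth vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] received Cisco Unity vendor ID
Jul 21 10:07:28 localhost charon: 04[IKE] 112.96.173.55 is initiating a Main Mode IKE_SA
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Jul 21 10:07:28 localhost charon: 04[CFG] selecting proposal:
Jul 21 10:07:28 localhost charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
"""

# charon log line: "<thread>[<group>] <message>" after the "charon: " prefix
LINE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
VENDOR = re.compile(r"^received (.+) vendor ID$")
INITIATING = re.compile(r"^(\S+) is initiating an? (Main|Aggressive) Mode IKE_SA$")
REJECT = re.compile(r"^\s*no acceptable (\w+) found$")


def summarize(log: str) -> dict:
    """Tally what charon rejected while trying to match the peer's IKEv1 proposals."""
    s = {"peer": None, "mode": None, "vendor_ids": [], "attempts": 0, "rejected": Counter()}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (mv := VENDOR.match(msg)):
            s["vendor_ids"].append(mv.group(1))
        elif (mi := INITIATING.match(msg)):
            s["peer"], s["mode"] = mi.group(1), mi.group(2)
        elif msg == "selecting proposal:":
            s["attempts"] += 1          # one comparison of a peer proposal against a local one
        elif (mr := REJECT.match(msg)):
            s["rejected"][mr.group(1)] += 1
    return s


def verdict(s: dict) -> str:
    """One line a responder could quote back: did any attempt succeed, and what failed most?"""
    if not s["attempts"]:
        return "no proposal selection in this log"
    rejected = sum(s["rejected"].values())
    if rejected == s["attempts"]:
        worst, n = s["rejected"].most_common(1)[0]
        return (f"all {s['attempts']} proposal selection attempts failed, {n} of them on {worst}: "
                f"nothing in the gateway's ike= line matches what {s['peer']} proposes")
    return (f"{s['attempts'] - rejected} of {s['attempts']} proposal selection attempts succeeded; "
            "IKE proposal selection is not the blocker")


if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_LOG)))
```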

Re: [strongSwan] Using just charon

2015-07-20 Thread Mohammad Ahmad
Thanks for the responses guys. This helps clarify things and I am now
able to run charon (yay!).

I do have a couple of follow-ups.

1- When I run /usr/lib/charon it loads the /etc/strongswan.conf which
has the plugins to be loaded. For me this does not load the vici
plugin. I found something here
https://wiki.strongswan.org/projects/strongswan/wiki/Vici about
--enable-vici but I installed strongswan using apt-get so how can I
enable it?

2- From here 
https://www.strongswan.org/uml/testresults/ikev2/net2net-psk/moon.ipsec.conf
I see that the config options keylife and authby are defined in
ipsec.conf. Can these options be configured using vici? Can a default
proposal for each host be defined which lists the algorithms and the
DH group to be used?

Sorry for the excessive questions and thanks for the help.

Ahmad

On Sun, Jul 19, 2015 at 1:34 PM, Noel Kuntze  wrote:
>
>
> Hello Ryan,
>
> ipsec starter loads the configuration into charon using stroke socket.
> If you don't use ipsec starter, that doesn't happen, so you need to
> load the config manually, using ipsec reload/update.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.07.2015 at 13:44, Ruel, Ryan wrote:
>> Andreas,
>>
>> Are there any limitations to just starting the charon daemon directly 
>> (versus using the “ipsec” script)?
>>
>> /Ryan
>>
>>
>>
>>
>> On 7/18/15, 6:26 AM, "Andreas Steffen"  
>> wrote:
>>
>>> Hi Ahmad,
>>>
>>> no, just start charon itself:
>>>
>>>  /usr/libexec/ipsec/charon &
>>>
>>> If you have an Ubuntu or Debian platform you can use the attached
>>> /etc/init.d/charon runlevel script and start and stop the daemon
>>> with
>>>
>>>  sudo service charon start
>>>
>>>  sudo service charon stop
>>>
>>> If you have Fedora or some other OS supporting systemd then you
>>> can use the charon-systemd daemon variant.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 07/18/2015 12:12 PM, Mohammad Ahmad wrote:
>>>> Hey Andreas,
>>>>
>>>> Thank you for the response. Quick follow-up: do I need to run 'ipsec start'
>>>> with the sample configuration file you have shared to start charon in
>>>> the background?
>>>>
>>>> I apologize for asking very basic questions. I'm just getting started
>>>> with strongswan.
>>>>
>>>>
>>>> On Sat, Jul 18, 2015, 2:46 AM Andreas Steffen
>>>> andreas.stef...@strongswan.org
>>>> wrote:
>>>>
>>>> Hi Ahmad,
>>>>
>>>> if you intend to use the vici plugin then you need neither
>>>> starter nor stroke. Just start the charon daemon in the
>>>> background. The minimum of plugins you need are e.g.
>>>>
>>>> https://www.strongswan.org/uml/testresults/swanctl/rw-cert/moon.strongswan.conf
>>>>
>>>> Best regards
>>>>
>>>> Andreas
>>>>
>>>> On 07/18/2015 04:26 AM, Mohammad Ahmad wrote:
>>>>> Hi,
>>>>>
>>>>> I want to run charon and plan to speak to it using a vici plugin I am
>>>>> developing.
>>>>> With racoon, I run racoon -f /path/to/config but with charon, I see a
>>>>> number of tools that can be used to achieve this, stroke, starter,
>>>>> ipsec but am unsure which one will require the minimum number of
>>>>> packages to be installed (I want to keep that to a minimum).
>>>>>
>>>>> More information
>>>>> I will be adding the ipsec policies manually and am using ipsec in
>>>>> tunnel mode. I have two sites behind each of which is a subnet.
>>>>>
>>>>> Looking forward to hearing from you guys.
>>>>>
>>>>> Ahmad
>>>>
>>>> ==
>>>> Andreas Steffen
>>>> andreas.stef...@strongswan.org
>>>> strongSwan - the Open Source VPN Solution!
>>>> www.strongswan.org
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil
>>>> CH-8640 Rapperswil (Switzerland)
>>>> ===[ITA-HSR]==

>>>
>>> --
>>> ==
>>> Andreas Steffen andreas.stef...@strongswan.org
>>> strongSwan - the Open Source VPN Solution!  www.strongswan.org
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===[ITA-HSR]==
>> ___
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>

Re: [strongSwan] payload of type AUTH more than 1 times (2) occurred in current message

2015-07-20 Thread Alexis Salinas


From: Alexis Salinas
Sent: July 14, 2015 12:05
To: Andreas Steffen
Subject: RE: [strongSwan] payload of type AUTH more than 1 times (2) occurred 
in current message

Thanks for the reply Andreas.

That is what I thought too, but I was wondering if that was allowed. So, thank 
you for the strong clarification.

Do you know if this was allowed in IKEv1 and perhaps these guys just re-use 
part of their code?

As per your request, here are 2 files. One with ike=3 enabled, which didn't 
show much more detail around the error. In the second file I also enabled enc=2 
in case that is more useful (you can see the parsing and verification of the 
message).

Let me know if you need anything else.

Cheers,
Alexis.


From: Andreas Steffen [andreas.stef...@strongswan.org]
Sent: July 14, 2015 03:12
To: Alexis Salinas; users@lists.strongswan.org
Subject: Re: [strongSwan] payload of type AUTH more than 1 times (2) occurred 
in current message

Hi Alexis,

it looks as if the 3rd party VPN client sends two AUTH payloads in its
IKE_AUTH request. This does not conform with the IKEv2 RFC. Could you
send me a strongSwan log file with the log level set to

  charondebug="ike 3"

in ipsec.conf.

Best regards

Andreas

On 07/13/2015 09:23 PM, Alexis Salinas wrote:
> Hello All,
> I'm testing strongSwan as a VPN gateway for a 3rd party VPN client. PSK and 
> certificate authentication work fine, but when testing EAP-TLS I get 
> this error message on the strongSwan side, after the EAP authentication 
> succeeds.
>
> Jul 10 16:42:11 debian-vm1-alexis charon: 14[ENC] payload of type AUTH more 
> than 1 times (2) occurred in current message
> Jul 10 16:42:11 debian-vm1-alexis charon: 14[IKE] message verification failed
>
> See attachment for full  logs.
>
> Here is my strongSwan configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>   # strictcrlpolicy=yes
>   # uniqueids = no
>
> conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ikev2
>
> conn rw-eap-tls
> left=10.1.65.147
>   leftid=o...@test.org
> leftsubnet=10.99.0.0/24
>   leftcert=ocmCert.pem
>   leftauth=pubkey
>   leftfirewall=yes
>   rightsourceip=172.22.0.0/24
>   rightauth=eap-radius
>   rightsendcert=never
>   right=%any
>   auto=add
>   eap_identity=%identity
>
> Does any of you know what this is about?
>
> What is strongSwan expecting at this point? Looking at the RFC [1] there 
> should be a message type AUTH (message 7).
>
> I can enable more logging if needed.
>
> Thanks.
> Alexis.
>
>
>
> [1] : https://tools.ietf.org/html/rfc7296#section-2.16
>
>
>
>
>

--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==


Re: [strongSwan] interact with strongswan in c++

2015-07-20 Thread Jacques Monin
Indeed, it seems to be exactly what I am looking for.

However, when I try to compile the example program:

#include <stdio.h>
#include <errno.h>
#include <string.h>

#include <libvici.h>   /* installed together with the vici plugin */

int main(int argc, char *argv[])
{
    vici_conn_t *conn;
    int ret = 0;

    vici_init();
    /* NULL = connect to the default vici socket of the running charon */
    conn = vici_connect(NULL);
    if (conn)
    {
        // do stuff
        vici_disconnect(conn);
    }
    else
    {
        ret = errno;
        fprintf(stderr, "connecting failed: %s\n", strerror(errno));
    }
    vici_deinit();
    return ret;
}


I get an error: "fatal error: libvici.h: unknown file". Am I supposed to
edit my own Makefile to compile it?

Thanks



2015-07-20 15:05 GMT+02:00 Tobias Brunner :

> Hi Jacques,
>
> > I wanted to know if there is a way to open and close connections without
> > using the commands "ipsec up connection", "ipsec down connection" but by
> > using an API.
>
> Please have a look at the VICI interface [1] and its C API.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Vici
>
>
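Tobias points at the VICI C API (libvici), but the protocol behind it is small enough to speak from any language: length-framed packets, names with a 1-byte length prefix, values with a 2-byte prefix. The following is an added example, not code from the thread or from strongSwan: a minimal Python client that builds the `initiate` request that replaces "ipsec up connection" and parses charon's reply. It assumes the default socket path /var/run/charon.vici and a child SA named net-net; the function names are my own.

```python
import socket
import struct

# VICI packet and message element types, as documented on the wiki page linked in the thread
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6
VICI_SOCKET = "/var/run/charon.vici"  # default Unix socket of the vici plugin (assumed path)

def _name(s: bytes) -> bytes:
    """Command, section, list and key names carry a 1-byte length prefix."""
    if len(s) > 255:
        raise ValueError("VICI names are limited to 255 bytes")
    return bytes([len(s)]) + s

def _value(s: bytes) -> bytes:
    """Values and list items carry a 2-byte big-endian length prefix."""
    return struct.pack(">H", len(s)) + s

def encode_message(msg: dict) -> bytes:
    """Serialise a nested dict (str -> str | list | dict) as VICI message elements."""
    out = bytearray()
    for key, val in msg.items():
        k = key.encode()
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(k) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(k)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(str(item).encode())
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(k) + _value(str(val).encode())
    return bytes(out)

def decode_message(data: bytes) -> dict:
    """Parse VICI message elements back into a nested dict; unknown element types are an error."""
    stack, cur_list, pos = [{}], None, 0
    while pos < len(data):
        etype, pos = data[pos], pos + 1
        if etype in (SECTION_START, LIST_START, KEY_VALUE):
            n = data[pos]
            key, pos = data[pos + 1:pos + 1 + n].decode(), pos + 1 + n
            if etype == SECTION_START:
                stack[-1][key] = {}
                stack.append(stack[-1][key])
            elif etype == LIST_START:
                cur_list = stack[-1][key] = []
            else:
                (n,) = struct.unpack(">H", data[pos:pos + 2])
                stack[-1][key], pos = data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
        elif etype == LIST_ITEM:
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            cur_list.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        elif etype == LIST_END:
            cur_list = None
        elif etype == SECTION_END:
            stack.pop()
        else:
            raise ValueError(f"unknown VICI element type {etype} at offset {pos - 1}")
    return stack[0]

def frame(ptype: int, name: str, msg: dict) -> bytes:
    """4-byte length, 1-byte packet type, a 1-byte-prefixed name (requests only), then the message."""
    body = bytes([ptype]) + (_name(name.encode()) if name else b"") + encode_message(msg)
    return struct.pack(">I", len(body)) + body

def initiate_request(child: str, timeout_ms: int = 5000) -> bytes:
    """The CMD_REQUEST equivalent of `ipsec up <child>`: ask charon to initiate a CHILD_SA."""
    return frame(CMD_REQUEST, "initiate", {"child": child, "timeout": timeout_ms})

def parse_packet(packet: bytes):
    """Return (packet type, decoded message) for a name-less packet such as a CMD_RESPONSE."""
    (length,) = struct.unpack(">I", packet[:4])
    if length != len(packet) - 4:
        raise ValueError("truncated or overlong VICI packet")
    return packet[4], decode_message(packet[5:4 + length])

def initiate(child: str, path: str = VICI_SOCKET) -> dict:
    """Against a running charon with the vici plugin loaded: send the request, return the reply."""
    def recv_exact(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("charon closed the vici socket")
            buf += chunk
        return buf

    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(initiate_request(child))
        hdr = recv_exact(sock, 4)
        body = recv_exact(sock, struct.unpack(">I", hdr)[0])
        ptype, msg = parse_packet(hdr + body)
        if ptype != CMD_RESPONSE:  # CMD_UNKNOWN means the daemon has no such command
            raise RuntimeError(f"unexpected VICI packet type {ptype}")
        return msg  # {'success': 'yes'} or {'success': 'no', 'errmsg': '...'}
```

`initiate("net-net")` only works as root (or a user allowed to open the socket) on a host where charon runs with the vici plugin loaded; the encoder and parser run anywhere.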

Re: [strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

2015-07-20 Thread Noel Kuntze

Hello Tomek,

Read the introduction to strongswan and the article
about forwarding and split tunneling on the wiki.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.07.2015 at 16:13, tomek_...@tlen.pl wrote:
> Hello!
>
> I have made a lot of progress. The IPsec connection is set up properly.
> Unfortunately ping does not work between the networks. In OpenVPN I had
> tunnels as interfaces with their own addresses. I set up routing
> between them. Now I don't see the ends of the IPsec tunnel in the
> interfaces and don't know how to set up routing.
>
> root@SomeWRT:~# ipsec statusall
> no files found matching '/etc/strongswan.d/*.conf'
> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
>   uptime: 11 seconds, since Jul 20 15:58:34 2015
>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   192.168.2.1
> Connections:
> somename:  B.B.B.B...A.A.A.A  IKEv1
> somename:   local:  [B.B.B.B] uses pre-shared key authentication
> somename:   remote: [A.A.A.A] uses pre-shared key authentication
> somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
> Security Associations (1 up, 0 connecting):
> somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
> somename[2]: IKEv1 SPIs: _i _r*, rekeying disabled
> somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: _i _o
> somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
> somename{1}:   192.168.2.0/24 === 192.168.1.0/24
>
> 2015-07-20 14:19 GMT+02:00 Noel Kuntze :
> Hello Tomek,
>
> I can tell from "Exchange Mode: Main" that it uses IKEv1.
> Append an @ to the IDs  on the strongSwan side
> to force charon to send the ID as type FQDN,
> which the other side expects (you set ID type to FQDN).
> Use AES-128 instead of 3DES. You should also
> use SHA1, not MD5. Furthermore, you enabled PFS in
> the configuration on the TP link, but not in strongSwan.
> Append the correct dh group to your ESP cipher settings.
>
> Look at the logs in the webinterface to find out what the TP link
> side doesn't like.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.07.2015 at 13:58, tomek_...@tlen.pl wrote:
> >>> Hello!
> >>>
> >>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> >>> the settings TP-Link I don't see the possibility to change IKEv1/v2. I
> >>> don't know what is even set in TP-Link. A sample panel is visible on
> >>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> >>> What is best to change 3DES?
> >>>
> >>> root@SomeWRT:~# ipsec up somename
> >>> no files found matching '/etc/strongswan.d/*.conf'
> >>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> >>> generating ID_PROT request 0 [ SA V V V V ]
> >>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> >>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> >>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> >>> received NO_PROPOSAL_CHOSEN error notify
> >>> establishing connection 'somename' failed
> >>>
> >>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze :
> 
> >>> Hello Tomek,
> >>>
> >>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is 
> >>> very slow.
> >>>
> >>> Mit freundlichen Grüßen/Kind Regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>> On 19.07.2015 at 13:34, tomek_byd wrote:
> >> I don't know how to write the correct config file for the connection. 
> >> My config is a conglomeration of many examples from the Internet. So 
> >> far I haven't had contact with IPsec. I'm under the control of 
> >> TL-ER6120 and OpenWRT so I can make changes on both devices. I see the 
> >> error "IDr payload missing" but parameter "leftid" is set in the 
> >> config file.
> >>
> >> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> 
> >> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
> >>
> >> TL-ER6120 configuration:
> >> IKE Proposal: MD5, 3DES, DH2
> >> IKE Policy:
> >>   Exchange Mode: main,
> >>   Local ID Type: FQDN,
> >>   Local ID: A.A.A.A
> >>   Remote ID Type: FQDN
> >>   Remote ID: B.B.B.B
> >>   Pre-shared Key: XX
> >>   SA Lifetime: 28800
> >>   DPD: Disable
> >

Re: [strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

2015-07-20 Thread tomek_...@tlen.pl
Hello!

I have made a lot of progress. The IPsec connection is set up properly.
Unfortunately ping does not work between the networks. In OpenVPN I had
tunnels as interfaces with their own addresses. I set up routing
between them. Now I don't see the ends of the IPsec tunnel in the
interfaces and don't know how to set up routing.

root@SomeWRT:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
  uptime: 11 seconds, since Jul 20 15:58:34 2015
  malloc: sbrk 122880, mmap 0, used 116464, free 6416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.2.1
Connections:
somename:  B.B.B.B...A.A.A.A  IKEv1
somename:   local:  [B.B.B.B] uses pre-shared key authentication
somename:   remote: [A.A.A.A] uses pre-shared key authentication
somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
somename[2]: IKEv1 SPIs: _i _r*, rekeying disabled
somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: _i _o
somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
somename{1}:   192.168.2.0/24 === 192.168.1.0/24

2015-07-20 14:19 GMT+02:00 Noel Kuntze :
>
> Hello Tomek,
>
> I can tell from "Exchange Mode: Main" that it uses IKEv1.
> Append an @ to the IDs  on the strongSwan side
> to force charon to send the ID as type FQDN,
> which the other side expects (you set ID type to FQDN).
> Use AES-128 instead of 3DES. You should also
> use SHA1, not MD5. Furthermore, you enabled PFS in
> the configuration on the TP link, but not in strongSwan.
> Append the correct dh group to your ESP cipher settings.
>
> Look at the logs in the webinterface to find out what the TP link
> side doesn't like.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.07.2015 at 13:58, tomek_...@tlen.pl wrote:
>> Hello!
>>
>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
>> the settings TP-Link I don't see the possibility to change IKEv1/v2. I
>> don't know what is even set in TP-Link. A sample panel is visible on
>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>> What is best to change 3DES?
>>
>> root@SomeWRT:~# ipsec up somename
>> no files found matching '/etc/strongswan.d/*.conf'
>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>> generating ID_PROT request 0 [ SA V V V V ]
>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>> received NO_PROPOSAL_CHOSEN error notify
>> establishing connection 'somename' failed
>>
>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze :
>>>
>> Hello Tomek,
>>
>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very 
>> slow.
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 19.07.2015 at 13:34, tomek_byd wrote:
>>> I don't know how to write the correct config file for the connection. My
>>> config is a conglomeration of many examples from the Internet. So far I
>>> haven't had contact with IPsec. I'm under the control of TL-ER6120 and
>>> OpenWRT so I can make changes on both devices. I see the error "IDr
>>> payload missing" but parameter "leftid" is set in the config file.
>>>
>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <->
>>> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>
>>> TL-ER6120 configuration:
>>> IKE Proposal: MD5, 3DES, DH2
>>> IKE Policy:
>>>   Exchange Mode: main,
>>>   Local ID Type: FQDN,
>>>   Local ID: A.A.A.A
>>>   Remote ID Type: FQDN
>>>   Remote ID: B.B.B.B
>>>   Pre-shared Key: XX
>>>   SA Lifetime: 28800
>>>   DPD: Disable
>>> IPsec Proposal: ESP, MD5, 3DES
>>> IPsec Policy:
>>>   Mode: LAN-to-LAN
>>>   Local Subnet: 192.168.1.0/24
>>>   Remote Subnet: 192.168.2.0/24
>>>   WAN: WAN1
>>>   Remote Gateway: B.B.B.B
>>>   Policy Mode: IKE
>>>   PFS: DH2
>>>   SA Lifetime: 28800
>>>
>>> OpenWRT configuration:
>>> /etc/ipsec.conf:
>>> config setup
>>> # strictcrlpolicy = no
>>> # uniqueids = no
>>> conn somename
>>> ikelifetime=60m
>>> keylife=20m
>>> rekeymargin=3m
>>> keyingtries=1
>>> keyexc

Re: [strongSwan] interact with strongswan in c++

2015-07-20 Thread Tobias Brunner
Hi Jacques,

> I wanted to know if there is a way to open and close connections without
> using the commands "ipsec up connection", "ipsec down connection" but by
> using an API.

Please have a look at the VICI interface [1] and its C API.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Vici



[strongSwan] interact with strongswan in c++

2015-07-20 Thread Jacques Monin
Hello,

I'm writing an application in c++ which is supposed to interact with
strongswan.

I wanted to know if there is a way to open and close connections without using
the commands "ipsec up connection", "ipsec down connection" but by using an
API.

Thanks

Re: [strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

2015-07-20 Thread Noel Kuntze

Hello Tomek,

I can tell from "Exchange Mode: Main" that it uses IKEv1.
Append an @ to the IDs  on the strongSwan side
to force charon to send the ID as type FQDN,
which the other side expects (you set ID type to FQDN).
Use AES-128 instead of 3DES. You should also
use SHA1, not MD5. Furthermore, you enabled PFS in
the configuration on the TP link, but not in strongSwan.
Append the correct dh group to your ESP cipher settings.

Look at the logs in the webinterface to find out what the TP link
side doesn't like.

Mit freundlichen Grüßen/Regards,
Noel Kuntze
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.07.2015 at 13:58, tomek_...@tlen.pl wrote:
> Hello!
> 
> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> the settings TP-Link I don't see the possibility to change IKEv1/v2. I
> don't know what is even set in TP-Link. A sample panel is visible on
> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> What is best to change 3DES?
> 
> root@SomeWRT:~# ipsec up somename
> no files found matching '/etc/strongswan.d/*.conf'
> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> establishing connection 'somename' failed
> 
> 2015-07-19 22:32 GMT+02:00 Noel Kuntze :
>>
> Hello Tomek,
> 
> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very 
> slow.
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 19.07.2015 at 13:34, tomek_byd wrote:
>> I don't know how to write the correct config file for the connection. My
>> config is a conglomeration of many examples from the Internet. So far I
>> haven't had contact with IPsec. I'm under the control of TL-ER6120 and
>> OpenWRT so I can make changes on both devices. I see the error "IDr
>> payload missing" but parameter "leftid" is set in the config file.
>>
>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <->
>> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>
>> TL-ER6120 configuration:
>> IKE Proposal: MD5, 3DES, DH2
>> IKE Policy:
>>   Exchange Mode: main,
>>   Local ID Type: FQDN,
>>   Local ID: A.A.A.A
>>   Remote ID Type: FQDN
>>   Remote ID: B.B.B.B
>>   Pre-shared Key: XX
>>   SA Lifetime: 28800
>>   DPD: Disable
>> IPsec Proposal: ESP, MD5, 3DES
>> IPsec Policy:
>>   Mode: LAN-to-LAN
>>   Local Subnet: 192.168.1.0/24
>>   Remote Subnet: 192.168.2.0/24
>>   WAN: WAN1
>>   Remote Gateway: B.B.B.B
>>   Policy Mode: IKE
>>   PFS: DH2
>>   SA Lifetime: 28800
>>
>> OpenWRT configuration:
>> /etc/ipsec.conf:
>> config setup
>> # strictcrlpolicy = no
>> # uniqueids = no
>> conn somename
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> type=tunnel
>> authby=secret
>> ike=3des-md5-modp1024!
>> esp=3des-md5!
>> rekey=no
>> left=B.B.B.B
>> leftid=B.B.B.B
>> leftsubnet=192.168.2.0/24
>> leftauth=psk
>> right=A.A.A.A
>> rightid=A.A.A.A
>> rightsubnet=192.168.1.0/24
>> rightauth=psk
>> dpdaction=none
>> auto=add
>> mobike=no
>> /etc/ipsec.secrets
>> A.A.A.A : PSK "XX"
>> B.B.B.B : PSK "XX"
>>
>> Output:
>> root@SomeWRT:~# ipsec up somename
>> no files found matching '/etc/strongswan.d/*.conf'
>> initiating IKE_SA somename[1] to A.A.A.A
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>> local host is behind NAT, sending keep alives
>> remote host is behind NAT
>> authentication of 'B.B.B.B' (myself) with pre-shared key
>> establishing CHILD_SA somename
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>> IDr payload missing
>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>> establishing connection 'somename' failed
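Tomek's conn rewritten with the four changes Noel lists (an added example, not from the thread; the "was:" comments quote the posted values, and it assumes the TP-Link's IKE and IPsec proposals are switched to AES-128/SHA1 as well, since both sides must offer the same transforms):

```conf
# OpenWRT /etc/ipsec.conf, conn somename after applying the advice above
conn somename
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    rekey=no
    dpdaction=none
    type=tunnel
    authby=secret
    # "Exchange Mode: Main" on the TP-Link is IKEv1 (was: keyexchange=ikev2)
    keyexchange=ikev1
    # AES-128/SHA1 instead of 3DES/MD5; modp1024 is DH group 2 (was: ike=3des-md5-modp1024!)
    ike=aes128-sha1-modp1024!
    # the TP-Link has "PFS: DH2", so the ESP proposal needs the DH group too (was: esp=3des-md5!)
    esp=aes128-sha1-modp1024!
    left=B.B.B.B
    # a leading @ makes charon send the ID as type FQDN, matching "Local/Remote ID Type: FQDN"
    # (was: leftid=B.B.B.B / rightid=A.A.A.A, which are sent as IPv4 address IDs)
    leftid=@B.B.B.B
    leftsubnet=192.168.2.0/24
    right=A.A.A.A
    rightid=@A.A.A.A
    rightsubnet=192.168.1.0/24
    auto=add
    # mobike=no dropped: MOBIKE is an IKEv2 extension and has no effect with IKEv1
```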

Re: [strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

2015-07-20 Thread tomek_...@tlen.pl
Hello!

After the change from IKEv1 to IKEv2 I have errors as shown below. In
the settings TP-Link I don't see the possibility to change IKEv1/v2. I
don't know what is even set in TP-Link. A sample panel is visible on
http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
What is best to change 3DES?

root@SomeWRT:~# ipsec up somename
no files found matching '/etc/strongswan.d/*.conf'
initiating Main Mode IKE_SA somename[1] to A.A.A.A
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'somename' failed

2015-07-19 22:32 GMT+02:00 Noel Kuntze :
>
> Hello Tomek,
>
> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very 
> slow.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 19.07.2015 at 13:34, tomek_byd wrote:
>> I don't know how to write the correct config file for the connection. My 
>> config is a conglomeration of many examples from the Internet. So far I 
>> haven't had contact with IPsec. I'm under the control of TL-ER6120 and 
>> OpenWRT so I can make changes on both devices. I see the error "IDr payload 
>> missing" but parameter "leftid" is set in the config file.
>>
>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT 
>> with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>
>> TL-ER6120 configuration:
>> IKE Proposal: MD5, 3DES, DH2
>> IKE Policy:
>>   Exchange Mode: main,
>>   Local ID Type: FQDN,
>>   Local ID: A.A.A.A
>>   Remote ID Type: FQDN
>>   Remote ID: B.B.B.B
>>   Pre-shared Key: XX
>>   SA Lifetime: 28800
>>   DPD: Disable
>> IPsec Proposal: ESP, MD5, 3DES
>> IPsec Policy:
>>   Mode: LAN-to-LAN
>>   Local Subnet: 192.168.1.0/24
>>   Remote Subnet: 192.168.2.0/24
>>   WAN: WAN1
>>   Remote Gateway: B.B.B.B
>>   Policy Mode: IKE
>>   PFS: DH2
>>   SA Lifetime: 28800
>>
>> OpenWRT configuration:
>> /etc/ipsec.conf:
>> config setup
>> # strictcrlpolicy = no
>> # uniqueids = no
>> conn somename
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> type=tunnel
>> authby=secret
>> ike=3des-md5-modp1024!
>> esp=3des-md5!
>> rekey=no
>> left=B.B.B.B
>> leftid=B.B.B.B
>> leftsubnet=192.168.2.0/24
>> leftauth=psk
>> right=A.A.A.A
>> rightid=A.A.A.A
>> rightsubnet=192.168.1.0/24
>> rightauth=psk
>> dpdaction=none
>> auto=add
>> mobike=no
>> /etc/ipsec.secrets
>> A.A.A.A : PSK "XX"
>> B.B.B.B : PSK "XX"
>>
>> Output:
>> root@SomeWRT:~# ipsec up somename
>> no files found matching '/etc/strongswan.d/*.conf'
>> initiating IKE_SA somename[1] to A.A.A.A
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> N(HASH_ALG) ]
>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>> local host is behind NAT, sending keep alives
>> remote host is behind NAT
>> authentication of 'B.B.B.B' (myself) with pre-shared key
>> establishing CHILD_SA somename
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
>> N(EAP_ONLY) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>> IDr payload missing
>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>> establishing connection 'somename' failed
>>
>> ___
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>

Re: [strongSwan] CentOS 7.1 yum install strongswan

2015-07-20 Thread jinquan deng
Hi,

COOL..

Thank you Jacques

Cheers

2015-07-20 17:35 GMT+08:00 Jacques Henry :

> Hi,
>
> In ipsec.secrets instead of
>
>> : RSA server.crt
>
> try
>
>> : RSA server.key
>>
>
> Cheers
>
>
> 2015-07-20 11:12 GMT+02:00 jinquan deng :
>
>> hi all,
>>
>> ##---Error
>> Messages--##
>>
>>
>> windows 2008 R2 Connection ERROR:13801

[strongSwan] IKEv2 VPN: Maintaining source IP of most traffic

2015-07-20 Thread Siddharth Mathur
Hello, 
A newbie question on routing.
I am prototyping a VPN configuration where smartphones send their traffic to a 
StrongSwan v5.1.2 VPN gateway. I wish to process the HTTP (non-secure traffic) 
through a user land HTTP proxy software. I do not intend to do anything with 
the HTTPS traffic. 
Is there a way to make the HTTPS traffic appear to come from the original 
client IP address, and not from my VPN gw/internet gateway's IP address? For 
HTTP traffic, I could conceivably use the X-Forwarded-For header which is 
widely adopted.
Any pointers appreciated. 
Thanks, Siddharth





Re: [strongSwan] CentOS 7.1 yum install strongswan

2015-07-20 Thread Jacques Henry
Hi,

In ipsec.secrets instead of

> : RSA server.crt

try

> : RSA server.key
>

Cheers


2015-07-20 11:12 GMT+02:00 jinquan deng :

> hi all,
>
> ##---Error
> Messages--##
>
>
> windows 2008 R2 Connection ERROR:13801
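The fix above turns on one detail of ipsec.secrets: an `: RSA <file>` entry must name the private key, and a relative file name is looked up under /etc/ipsec.d/private. A small lint that catches the certificate-instead-of-key mistake is an added example here (not code from the thread or from strongSwan); it takes the file contents as an in-memory dict instead of reading disk, and the PEM bodies and paths in it are constructed for the demonstration.

```python
import re

# ipsec.secrets private-key lines have the form:  [selectors] : RSA <file> [passphrase]
RSA_LINE = re.compile(r"^(?P<sel>[^:#]*):\s*RSA\s+(?P<file>\S+)")
PRIVATE_DIR = "/etc/ipsec.d/private/"   # relative key file names resolve here


def check_rsa_secrets(secrets_text, files):
    """Check every ': RSA <file>' entry in an ipsec.secrets body.

    files maps absolute path -> file contents (constructed here instead of
    reading the file system). Returns a list of (line_no, verdict, detail)
    with verdict 'ok', 'error' or 'missing'.
    """
    results = []
    for no, line in enumerate(secrets_text.splitlines(), 1):
        m = RSA_LINE.match(line)
        if not m:
            continue
        path = m.group("file")
        if not path.startswith("/"):
            path = PRIVATE_DIR + path
        body = files.get(path)
        if body is None:
            results.append((no, "missing", f"{path} not found"))
            continue
        first = body.strip().splitlines()[0] if body.strip() else ""
        # PKCS#1, PKCS#8 and encrypted PKCS#8 headers all contain "PRIVATE KEY".
        if "PRIVATE KEY" in first:
            results.append((no, "ok", f"{path} is a PEM private key"))
        elif "CERTIFICATE" in first:
            results.append((no, "error", f"{path} is a certificate, not a private key"))
        else:
            results.append((no, "error", f"{path} does not start with a PEM private-key header"))
    return results


# Constructed sample files: the contents are placeholders, only the PEM headers matter.
SAMPLE_FILES = {
    "/etc/ipsec.d/private/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
    "/etc/ipsec.d/private/server.crt": "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n",
}
SECRETS_WRONG = ": RSA server.crt\n"   # the entry from the thread
SECRETS_FIXED = ": RSA server.key\n"   # the suggested replacement

if __name__ == "__main__":
    for label, text in (("wrong", SECRETS_WRONG), ("fixed", SECRETS_FIXED)):
        for no, verdict, detail in check_rsa_secrets(text, SAMPLE_FILES):
            print(f"{label}: line {no}: {verdict}: {detail}")
```

The check only looks at the PEM header, so it tells the wrong file type apart from the right one; whether the key actually belongs to the certificate strongSwan presents still has to be verified separately (for example by comparing the public keys of the two files).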

[strongSwan] CentOS 7.1 yum install strongswan

2015-07-20 Thread jinquan deng
hi all,

##---Error
Messages--##


windows 2008 R2 Connection ERROR:13801



LOG:

Jul 20 15:08:09 localhost charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 15:08:09 localhost charon: 06[CFG] looking for an ike config for
112.91.xx.209...121.11.xx.203
Jul 20 15:08:09 localhost charon: 06[CFG]   candidate: %any...%any, prio 28
Jul 20 15:08:09 localhost charon: 06[CFG]   candidate: %any...%any, prio 28
Jul 20 15:08:09 localhost charon: 06[CFG] found matching ike config:
%any...%any with prio 28
Jul 20 15:08:09 localhost charon: 06[IKE] 121.11.xx.203 is initiating an
IKE_SA
Jul 20 15:08:09 localhost charon: 06[IKE] IKE_SA (unnamed)[9] state change:
CREATED => CONNECTING
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
DIFFIE_HELLMAN_GROUP found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
PSEUDO_RANDOM_FUNCTION found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
PSEUDO_RANDOM_FUNCTION found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Jul 20 15:08:09 localhost charon: 06[CFG] selecting proposal:
Jul 20 15:08:09 localhost charon: 06[CFG]   proposal matches
Jul 20 15:08:09 localhost charon: 06[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 20 15:08:09 localhost charon: 06[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 20 15:08:09 localhost charon: 06[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 20 15:08:09 localhost charon: 06[IKE] remote host is behind NAT
Jul 20 15:08:09 localhost charon: 06[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan CA"
Jul 20 15:08:09 localhost charon: 06[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 15:08:09 localhost strongswan: 04[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 20 15:08:09 localhost strongswan: 04[IKE] remote host is behind NAT
Jul 20 15:08:09 localhost strongswan: 04[IKE] sending cert request for
"C=CH, O=strongSwan, CN=strongSwan CA"
Jul 20 15:08:09 localhost strongswan: 04[ENC
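The "selecting proposal" / "no acceptable ... found" lines in this log, and the 3des-md5-modp1024 proposal and 3DES advice in the earlier thread, both come down to how charon matches the peer's proposals against the configured ones. The following added example (not code from the list or from strongSwan) parses the "received proposals", "configured proposals" and "selected proposal" lines, replays the matching the way charon reports it (each configured proposal tried against every received one, checking encryption, PRF, integrity and DH group in that order), and flags weak components in the result. The sample log lines are reflowed copies of the ones above with the long catch-all configured proposal trimmed to a subset; the algorithm classification and the weak-component table are this example's own assumptions.

```python
import re

# Transform types in the order charon checks them for a configured/received pair,
# with the names it prints in "no acceptable ... found".
TRANSFORMS = ("ENC", "PRF", "INTEG", "DH")
LOG_NAMES = {"ENC": "ENCRYPTION_ALGORITHM", "PRF": "PSEUDO_RANDOM_FUNCTION",
             "INTEG": "INTEGRITY_ALGORITHM", "DH": "DIFFIE_HELLMAN_GROUP"}

# Components worth flagging when they end up in the selected proposal (this example's table).
WEAK = {
    "3DES_CBC": "64-bit block cipher, slow and long deprecated",
    "MODP_1024": "1024-bit DH group, below the 2048-bit minimum in current guidance",
    "HMAC_MD5_96": "MD5-based integrity algorithm",
    "PRF_HMAC_MD5": "MD5-based PRF",
}

# Constructed sample: the three proposal lines from the charon log above, reflowed to
# one line per entry, with the third configured proposal trimmed to a subset.
SAMPLE_LOG = """\
Jul 20 15:08:09 localhost charon: 06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 20 15:08:09 localhost charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/MODP_2048/MODP_1536/MODP_1024
Jul 20 15:08:09 localhost charon: 06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

LINE_RE = re.compile(r"\[CFG\] (received proposals|configured proposals|selected proposal): (.+)$")


def transform_type(alg):
    """Classify a charon algorithm name (assumed prefixes; AEADs like AES_GCM count as ENC)."""
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    return "ENC"


def parse_proposal(text):
    """'IKE:3DES_CBC/HMAC_SHA1_96/...' -> {transform type: [algorithms in listed order]}."""
    sets = {t: [] for t in TRANSFORMS}
    for alg in text.split(":", 1)[1].split("/"):
        sets[transform_type(alg)].append(alg)
    return sets


def parse_log(text):
    """Return {'received': [...], 'configured': [...], 'selected': [...]} of raw proposal strings."""
    out = {"received": [], "configured": [], "selected": []}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out[m.group(1).split()[0]] = [p.strip() for p in m.group(2).split(",")]
    return out


def select_proposal(configured, received):
    """Replay the matching: outer loop over configured, inner over received, first full
    match wins. Returns (chosen algorithms or None, trace of per-pair verdicts)."""
    trace = []
    for cfg in configured:
        for rcv in received:
            chosen, failed = {}, None
            for t in TRANSFORMS:
                if not cfg[t] and not rcv[t]:
                    continue                      # e.g. AEAD proposals carry no integrity algorithm
                common = [a for a in cfg[t] if a in rcv[t]]   # configured order wins
                if not common:
                    failed = t
                    break
                chosen[t] = common[0]
            if failed:
                trace.append(f"no acceptable {LOG_NAMES[failed]} found")
            else:
                trace.append("proposal matches")
                return chosen, trace
    return None, trace


def format_proposal(chosen):
    """Render like charon: encryption/integrity/PRF/DH."""
    return "IKE:" + "/".join(chosen[t] for t in ("ENC", "INTEG", "PRF", "DH") if t in chosen)


def analyze(log_text):
    """Replay the selection from a log excerpt and compare with what charon logged."""
    raw = parse_log(log_text)
    chosen, trace = select_proposal([parse_proposal(p) for p in raw["configured"]],
                                    [parse_proposal(p) for p in raw["received"]])
    selected = format_proposal(chosen) if chosen else None
    return {
        "selected": selected,
        "matches_log": bool(raw["selected"]) and selected == raw["selected"][0],
        "trace": trace,
        "weak": [(a, WEAK[a]) for a in (chosen or {}).values() if a in WEAK],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for verdict in report["trace"]:
        print("selecting proposal:", verdict)
    print("selected:", report["selected"], "(as logged)" if report["matches_log"] else "(differs from log)")
    for alg, why in report["weak"]:
        print(f"weak component {alg}: {why}")
```

Replaying the excerpt gives the same thirteen verdicts the log shows (six encryption mismatches against the first configured proposal, then a DH-group and two PRF mismatches against the second) and the same 3DES/MODP_1024 selection: the first two configured proposals were strict, so the only match came from the permissive catch-all, which is where the weak result comes from. Running the same analysis over your own log tells you which configured entry actually produced the selected proposal before you tighten `ike=`.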