[strongSwan] IKE_SA established despite no corresponding configuration.

2015-09-23 Thread Krishna G, Suhas (Nokia - IN/Bangalore)
Hi,


I am facing a peculiar issue in Strongswan-4.3.6. I have a connection setup 
something like:

          Con1            Con2
Node1 ---------- DUT ---------- Node2
77.0.0.1      77.0.0.2       77.0.0.4

My IPsec configuration on the DUT (Device Under Test) is as follows:

# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
charonstart=yes
plutostart=no
uniqueids=no
charondebug="knl 0,enc 0,net 0"
conn %default
auto=route
keyexchange=ikev2
reauth=no
ca r1~v1
cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
rekeymargin=70
rekeyfuzz=100%
left=77.0.0.2
right=77.0.0.4
leftsubnet=77.0.0.2/32
rightsubnet=0.0.0.0/32
leftprotoport=17/100
rightprotoport=17/20
authby=rsasig
leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
leftid=77.0.0.2
rightid=%any
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
type=tunnel
ikelifetime=1000s
keylife=700s
mobike=no
auto=route
reauth=no
encapdscp=yes
vrfid=0

Note that I have no IPsec for Con1. Even so, if Node1 initiates an IKE_SA 
establishment, the DUT obliges it and establishes an IKE_SA.
The IPsec configuration on Node1 is:

# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
charonstart=yes
plutostart=no
uniqueids=no
charondebug="knl 0,enc 0,net 0"
conn %default
auto=route
keyexchange=ikev2
reauth=no
ca r1~v1
cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
rekeymargin=70
rekeyfuzz=100%
left=77.0.0.1
right=77.0.0.2
leftsubnet=77.0.0.1/32
rightsubnet=0.0.0.0/32
authby=rsasig
leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
leftid=77.0.0.1
rightid=%any
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
type=tunnel
ikelifetime=1000s
keylife=700s
mobike=no
auto=route
reauth=no
encapdscp=yes
vrfid=0

The IPsec status for Node1 (name: EIPU-0) and DUT (name: EIPU-1) is as below:

[root@EIPU-0(BCN126) /root]
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 6 hours, since Aug 31 09:26:49 2015
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sqlite attr-sql
Listening IP addresses:
  169.254.64.5
  169.254.0.6
  169.254.0.41
  77.0.0.1
  66.0.0.1
Connections:
   r1~v1:  77.0.0.1...77.0.0.2, vpn: (null)
   r1~v1:   local:  [C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ong...@nsn.com] uses public key authentication
   r1~v1:   cert:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ong...@nsn.com"
   r1~v1:   remote: [(vr*)%any] uses any authentication
   r1~v1:   child:  77.0.0.1/32 === 0.0.0.0/0
Routed Connections:
   r1~v1{1}:  ROUTED, TUNNEL
   r1~v1{1}:   77.0.0.1/32 === 0.0.0.0/0
Security Associations:
   r1~v1[5]: ESTABLISHED 77.0.0.1[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ong...@nsn.com]...77.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ong...@nsn.com]
   r1~v1[5]: IKE SPIs: a901f915e60cee17_i* 36facd6ae173128c_r Creation time: 3 minutes ago, rekeying in 11 minutes
   r1~v1[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

[root@EIPU-0(BCN126) /root]
# ip xfrm policy
0.0.0.0/0[0] 77.0.0.1/32[0]
upspec 0 dev (none) uid 0
in  allow index 0x0198 priority 3000 share any flags 0x
tmpl-1:
  77.0.0.2 77.0.0.1
esp spi 0(0x) reqid 1 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x0014
policy type main
77.0.0.1/32[0] 0.0.0.0/0[0]
upspec 0 dev (none) uid 0
out allow index 0x0191 priority 2680 share any flags 0x
tmpl-1:
  77.0.0.1 77.0.0.2
esp spi 0(0x) reqid 1 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x0013
policy type main

[root@EIPU-1(BCN126) /root]
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 29 minutes, since Aug 31 15:37:14 2015
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: openssl random pem x509 pubkey pkcs1 hm

[strongSwan] FQDN usage changed.

2015-09-23 Thread Alexis Salinas
Hello,
I recently updated a system from 4.3.5 to 5.3.0 (I know I have to go to 5.3.2).

One of the things I noticed is a change in the way the new version is using the 
FQDN value I configured for the 'right' parameter (no 'rightid' configured).

It used to be that the IP address resulting from the name resolution of the 
FQDN was used as 'right' and 'rightid'.

On 5.3.0 the IP address resulting from the name resolution of the FQDN is used 
as 'right' and the FQDN itself is used as 'rightid'.

Is there a reason for this change? Is there a way to make it behave as it used 
to? I would rather not have to ask the server side to change what it is 
currently using as ID.

Here is the connection output of 'ipsec statusall' for an IKEv2 VPN on 4.3.5:

Connections:
VPN1:  192.168.1.1...200.X.X.X
VPN1:   local:  [client] uses pre-shared key authentication
VPN1:   remote: [200.X.X.X] uses any authentication
VPN1:   child:  172.16.1.0/24 === 10.1.1.0/24 

Here is the connection output of 'ipsec statusall' for an IKEv2 VPN on 5.3.0:

Connections:
VPN1:  192.168.1.1...vpn.example.com  IKEv2
VPN1:   local:  [client] uses pre-shared key authentication
VPN1:   remote: [vpn.example.com] uses pre-shared key authentication
VPN1:   child:  172.16.1.0/24 === 10.1.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
VPN1[38]: ESTABLISHED 21 minutes ago, 192.168.1.1[client]...200.X.X.X[vpn.example.com]


Thanks,
Alexis.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
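Added example (not strongSwan code and not from either poster): a small Python audit of the ipsec.conf layout used in the two threads above. It parses the sections, applies conn %default, and reports the peer identity each conn will check: an explicit rightid=%any (as on the DUT) skips the identity check, so any peer the configured authentication accepts is admitted, and a missing rightid is derived from right following the 4.x versus 5.x behaviour Alexis describes. The sample configuration and the name-resolution table are constructed so the script runs offline.

```python
import re
FAKE_DNS = {"vpn.example.com": "200.0.0.1"}  # constructed stand-in for DNS (offline)

# Constructed config in the threads' layout: the DUT conn (rightid=%any) and an
# FQDN peer with no rightid, like Alexis's VPN1.
SAMPLE_CONF = """
conn %default
keyexchange=ikev2
conn r1~v1
right=77.0.0.4
authby=rsasig
rightid=%any
conn VPN1
right=vpn.example.com
authby=secret
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every config/conn/ca section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = (header.group(1), header.group(2))
            sections.setdefault(current, {})
        elif current and "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections

def effective_rightid(conn, major_version):
    """Peer identity the responder checks, following the behaviour Alexis reports."""
    if "rightid" in conn:
        return conn["rightid"]
    right = conn.get("right", "%any")
    # 4.x used the resolved address as the id; 5.x keeps the configured FQDN.
    return FAKE_DNS.get(right, right) if major_version < 5 else right

def audit(text, major_version=5):
    """Map conn name to (rightid, permissive); %any skips the peer identity check."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get(("conn", "%default"), {})
    report = {}
    for (kind, name), values in sections.items():
        if kind == "conn" and name != "%default":
            rid = effective_rightid({**defaults, **values}, major_version)
            report[name] = (rid, rid == "%any")
    return report
```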


Re: [strongSwan] Problem when forwarding all traffic to tunnel (site-to-site VPN)

2015-09-23 Thread Noel Kuntze

The problem might be related to #1094

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
