[strongSwan] Apple IOS 10 VPN

[Derek Cameron]

Jim,

Here is a configuration that works for iOS 10: http://xpu.ca/strongswan-ubuntu/

Derek.

> Can anyone share a working configuration between Strongswan and
> Apple IOS 10?
>
> ___
>
>
> Jim Buttafuoco
> jim at contacttelecom.com
> 603-647-7170
> 603-490-3409 - Cell
> jimbuttafuoco - Skype
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] StrongSwan not responding to DPD messages when modeconfig=push.

[chaitanya vinnakota]

Hi All Stalwarts out there ,

Based on the strongswan logs , it is evident that the Strongswan server is
waiting for the acknowledgement for the below request from the ShrewSoft
VPN Client.

Sep 24 12:58:15 router6654A1 charon: 15[ENC] generating TRANSACTION
request 1589939411 [ HASH CPS(ADDR DNS) ]

The ShrewSoft VPN Client is not responding to the messages and therefore
Strongswan is  indefinitely waiting for the response , subsequently queuing
all the new requests [DPD Requests] and the client finally tearing down the
connection as DPD response is not received.

We've the following questions .

1. Why does strongswan wait for the response in spite of assigning the
IP requested by client ?
2. Sometimes , shrew soft client is reporting "Invalid message from the
gateway" for this transaction request  HASH CPS(ADDR DNS)  and closing the
connection ?
3. Is this an interoperability issue ? Is Shrew soft client not
interoperable with Mode-Config standard  ?

Awaiting the response badly.

Thanks
Chaitanya

On Fri, Oct 21, 2016 at 4:05 PM, chaitanya vinnakota <
chaitanya.sa...@gmail.com> wrote:

> Hi Tobias,
>
> The mode configured in strongswan is "push"  and the IP assignment to the
> VPN client happened after activating MODE_CONFIG task . I'm also sorry to
> confuse you with incorrect configuration.   The below is the configuration
> running in the current scenario.
>
>
> conn c2s_ShrewSoftSrv
> auto=add
> left=44.44.44.1
> right=44.44.44.2
> aggressive=yes
> leftauth=psk
> rightauth=psk
> leftid=44.44.44.1
> rightid=44.44.44.2
> ike=3des-sha1-modp1024!
> ikelifetime=28800s
> esp=3des-sha1!
> lifetime=3600s
> rekeymargin=180s
> dpddelay=40
> dpdtimeout=120
> dpdaction=clear
> rightsourceip=%config
> modeconfig=push
> leftsubnet=0.0.0.0/0
> rightauth2=xauth
> xauth=server
> rightdns=192.168.1.1
>
> Below is the excerpt from the logs, where IP assignment [10.0.0.1]
> proposed by the VPN client happened after activating MODE_CONFIG task.
>
> Sep 24 12:58:15 router6654A1 charon: 16[ENC] parsed TRANSACTION
> request 3221496499 [ HASH CPRQ(U_SPLITINC U_LOCALLAN U_BANNER U_SAVEPWD
> U_NATTPORT VER U_FWTYPE) ]
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing
> UNITY_SPLIT_INCLUDE attribute
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing
> UNITY_LOCAL_LAN attribute
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing UNITY_BANNER
> attribute
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing
> UNITY_SAVE_PASSWD attribute
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing
> UNITY_NATT_PORT attribute
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing
> APPLICATION_VERSION attribute
> Sep 24 12:58:15 router6654A1 charon: 16[IKE] processing
> UNITY_FW_TYPE attribute
> Sep 24 12:58:15 router6654A1 charon: 16[ENC] generating TRANSACTION
> response 3221496499 [ HASH CPRP(DNS) ]
> Sep 24 12:58:15 router6654A1 charon: 16[NET] sending packet: from
> 44.44.44.1[500] to 44.44.44.2[500] (76 bytes)
> Sep 24 12:58:15 router6654A1 charon: 15[IKE] queueing MODE_CONFIG
> task
> Sep 24 12:58:15 router6654A1 charon: 15[IKE] activating new tasks
> Sep 24 12:58:15 router6654A1 charon: 15[IKE]   activating
> MODE_CONFIG task
> Sep 24 12:58:15 router6654A1 charon: 15[IKE] assigning virtual IP
> %any to peer 'cisco'
> Sep 24 12:58:15 router6654A1 charon: 15[CFG] proposing traffic
> selectors for us:
> Sep 24 12:58:15 router6654A1 charon: 15[CFG]  0.0.0.0/0
> Sep 24 12:58:15 router6654A1 charon: 15[ENC] generating TRANSACTION
> request 1589939411 [ HASH CPS(ADDR DNS) ]
> Sep 24 12:58:15 router6654A1 charon: 15[NET] sending packet: from
> 44.44.44.1[500] to 44.44.44.2[500] (76 bytes)
> Sep 24 12:58:15 router6654A1 charon: 15[IKE] delaying task
> initiation, TRANSACTION exchange in progress
> Sep 24 12:58:17 router6654A1 charon: 10[NET] received packet: from
> 44.44.44.2[500] to 44.44.44.1[500] (156 bytes)
> Sep 24 12:58:17 router6654A1 charon: 10[ENC] parsed QUICK_MODE
> request 1840906332 [ HASH SA No ID ID ]
> Sep 24 12:58:17 router6654A1 charon: 10[CFG] looking for a child
> config for 0.0.0.0/0 === 10.0.0.1/32
> Sep 24 12:58:17 router6654A1 charon: 10[CFG] proposing traffic
> selectors for us:
> Sep 24 12:58:17 router6654A1 charon: 10[CFG]  0.0.0.0/0
> Sep 24 12:58:17 router6654A1 charon: 10[CFG] proposing traffic
> selectors for other:
> Sep 24 12:58:17 router6654A1 charon: 10[CFG]  0.0.0.0/0
> Sep 24 12:58:17 router6654A1 charon: 10[CFG]   candidate
> "c2s_ShrewSoftSrv" with prio 5+1
> Sep 24 12:58:17 router6654A1 charon: 10[CFG] found matching child
> config "c2s_ShrewSoftSrv" with prio 6
> Sep 24 12:58:17 router6654A1 charon: 10[CFG] selecting traffic
> selectors for other:
> Sep 24 12:58:17 router6654A1 charon: 10[CFG]  config: 0.0.0.0/0,
> received: 10.0.0.1/32 => match: 10.0.0.1/32
>
>
> After initiation 

Re: [strongSwan] StrongSwan IPSEC/L2TP VPN Client to Zyxel USG-20W

[Tom Jackson]

I got past this issue by switching from strongswan to openswan.  I never 
figured out what's wrong with the strongswan connection, but openswan worked 
more or less "out of the box" on the Linux box as did the Windows 10 native 
client in my earlier trials.


From: Users  on behalf of Tom Jackson 

Sent: Monday, October 24, 2016 8:19:22 PM
To: users@lists.strongswan.org
Subject: [strongSwan] StrongSwan IPSEC/L2TP VPN Client to Zyxel USG-20W


I've configured a Zyxel USG-20W at the office as a IPsec/L2TP VPN server.  I 
can successfully connect to this from multiple Windows 10 machines using the 
built-in client, and have tested this on multiple remote networks.  This setup 
uses a pre-shared key, and "Type of sign-in info" in the Windows configuration 
is "User name and password."  The pre-shared key, user name, and password are 
all correspondingly entered into the configuration of the Zyxel.


I'm trying now to configure a Linux client, running StrongSwan on the Debian 
Linux machine.  This is not working.


In the configuration info that follows, office-public-ip is a place holder for 
the actual IP in W.X.Y.Z format, home-public-ip is the IP (same format) that I 
get from the home location where I'm running the test, and home-lan-ip is the 
IP for the Linux box as assigned via DHCP from my home router, e.g. a number in 
the range 192.168.A.B.


I think this doesn't matter, but... I am accessing the Zyxel from home during 
the testing via an IPsec/L2TP VPN session from a Windows 10 machine.  That 
Windows 10 machine then has the same public IP as the Linux box that I'm trying 
to test, but, of course, a different local number at home 192.168.A.C, and also 
a IP address representing it on the work network ala the VPN connection as 
192.168.D.1.  The Zyxel's local IP address is 192.168.E.1, where A, D, and E 
are all different numbers corresponding to different subnets.


Setup on the Linux machine in ipsec.conf:


---

config setup

charondebug="ike 5"


conn Conn

authby=secret

keyexchange=ikev1

esp=aes256-sha256

ike=aes256-sha256-modp1024!

auto=add

type=transport

left=%defaultroute

right=office-public-ip




The IKE and ESP match protocols configured on the Zyxel. (If I change them to 
something that doesn't match, I get a different error than what I'm going to 
show below.)


I restarted ipsec after changing the file with


sudo /etc/init.d/ipsec restart


and then I try to bring up the connection with


sudo ipsec up Conn


In the terminal on the Debian box, I get these messages:


initiating Main Mode IKE_SA Conn[1] to office-public-ip
generating ID_PROT request 0 [SA V V V V]
sending packet: from home-lan-ip[500] to office-public-ip[500] (156 bytes)
received packet from office-public-ip[500] to home-lan-ip[500] (84 bytes)
parsed ID_PROT response 0 [ SA ]
generating ID_PROT request 0 [ KE No ]
sending packet: from home-lan-ip[500] to office-public-ip[500] (196 bytes)
received packet from office-public-ip[500] to home-lan-ip[500] (91 bytes)
parsed INFORMATIONAL_V1 request 3824697940 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED error notify
establishing connection ‘Conn’ failed




The log messages on the Zyxel are (abbreviating the various cookie values):


Recv Main Mode request from [home-public-ip]
The cookie pair is : 0x027... / 0x074…
Recv: [SA] [VID][VID] [VID][VID]
Recv: IKE sa: SA([0] protocol = IKE(1), AES CBC key len = 256, HMAC-SHA256 PRF, 
HMAC-SHA265-128, 1024 bit MODP;).
The cookie pair is 0x074… / 0x027…
[SA] : No proposal chosen
Send:[SA]
Recv:[KE][NONCE]
Send:[NOTIFY:AUTHENTICATION_FAILED]
The cookie pair is : 0x074… / 0x027…
ISAKMP SA [] is disconnected




In contrast, the Phase 1 log messages from a successful session initiated by 
one of the Windows clients are


Recv Main Mode request from [home-public-ip]
The cookie pair is : 0xe099… / 0xe98…
Recv: [SA] [VID][VID] [VID][VID] [VID][VID] [VID][VID]
Recv IKE sa: SA([0] protocol = IKE(1), AES CBC key len = 256, HMAC-SHA1 PRF, 
HMAC-SHA1-96, 384 bin ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 
3DES, 1024 bit MODP;).
The cookie pair is 0x099… / 0xe098…
Send: [SA] [VID][VID] [VID][VID] [VID][VID] [VID][VID]
Recv: [KE][NONCE][PRV][PRV]
Send: [KE][NONCE][PRV][PRV]
Recv: [ID][HASH]
The cookie pair is : 0x099… / 0xe098
Send: [ID][HASH]
The cookie pair is : 0x099… / 0xe098
Phase 1 IKE SA process done




(From this point, the successful session has another sequences of log messages 
corresponding to Phase 2.  Also, the Windows machine must be accepted using 
3DES-SHA1-DH2 since that's the apparent overlap between the Windows proposal 
and what's allowed by the Zyxel's current configuration.)


It would seem that the StrongSwan client is sending less information for 
authentication, but I have not figured out exactly what's not being sent and 
how to make it go.