Re: [strongSwan] left ID, right ID and no matching peer config

2017-04-25 Thread Piyush Agarwal
That worked, thank you very much.

On Tue, Apr 25, 2017 at 7:53 AM, Tobias Brunner wrote:

> Hi Piyush,
>
> > while the rightID on server would be %any.
>
> If you set `rightcert` this will cause `rightid` to default to the
> subject DN of the certificate, which in turn won't match "client".  So
> either set `rightid=client` or don't set `leftid` on the client so the
> client's own identity defaults to the subject DN of the certificate.
>
> Regards,
> Tobias
>



-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Yet another: charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)

2017-04-25 Thread Rodrigo Stuffs
Ok, I found out and everything is working flawlessly.

The WD's GPL toolchain for the MyCloud device fooled me.

While the .config had CONFIG_INET_ESP=m, after LOTS of tinkering, I've
found that in the source code it has:

[rfreire@rf ipv4]$ grep esp Makefile
#obj-$(CONFIG_INET_ESP) += esp4.o

YES: The GPL source had it disabled in the Makefile level.

After uncommenting it (and from ipv6 too) and recompiling, everything
just.works(TM).

A hint for someone else hitting the very same problem:

1. Try to add a test connection using ip xfrm, like:

ip xfrm state add src 172.16.8.3 dst 172.16.8.158 proto esp spi 1234 \
    reqid 16380 mode transport \
    auth sha1 0x27b12f61fdc46b0f545256a405ac29fc8c137514 \
    enc aes 0x5f5fb739d41eee7a5fe793917d18cadd

If it fails at this stage, it means that the kernel backend is flawed.

2. A working (considering that most of your ipsec stack is modular) lsmod
output:

root@MyCloud:~# lsmod
Module                  Size  Used by
xfrm4_mode_tunnel       1586  4
xfrm4_mode_transport    1136  0
pfe                   428717  0
xfrm_user              24068  2
xfrm4_tunnel            1443  0
tunnel4                 2043  1 xfrm4_tunnel
ipcomp                  1770  0
xfrm_ipcomp             4059  1 ipcomp
esp4                    6415  2
ah4                     4666  0
af_key                 30346  0
cryptosoft             13291  0
cryptodev              11075  0
ocf                    23776  2 cryptodev,cryptosoft

Hope that helps other users.


On Sun, Apr 23, 2017 at 8:38 PM, Rodrigo Stuffs wrote:

> Hi there list,
>
> Yes, you have seen $SUBJECT. But I promise, no need to roll eyes: I *think*
> I did my homework properly.
>
> Here's the scenario; I have rebuilt a kernel of a WD My Cloud box in order
> to extend it.
>
> The Kernel config is available at https://pastebin.com/mYGiK3eN
>
> Prior to posting here I really tried to do my homework, doing extensive
> mailing list research. But it seems that the kernel build side is
> apparently OK.
>
> The Strongswan output is the following:
> ---
> Apr 23 23:28:36 MyCloud systemd[1]: Starting Cleanup of Temporary
> Directories...
> Apr 23 23:28:36 MyCloud systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2
> daemon using ipsec.conf...
> Apr 23 23:28:36 MyCloud systemd[1]: Started strongSwan IPsec IKEv1/IKEv2
> daemon using ipsec.conf.
> Apr 23 23:28:36 MyCloud ipsec[1734]: Starting strongSwan 5.2.1 IPsec
> [starter]...
> Apr 23 23:28:36 MyCloud ipsec_starter[1734]: Starting strongSwan 5.2.1
> IPsec [starter]...
> Apr 23 23:28:36 MyCloud systemd[1]: Started Cleanup of Temporary
> Directories.
> Apr 23 23:28:36 MyCloud charon[1749]: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.1, Linux 3.2.26, armv7l)
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from
> '/etc/ipsec.d/mfrf.secrets'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG]   loaded IKE secret for
> 172.16.8.3
> Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] loaded plugins: charon aes
> rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
> hmac gcm attr kernel-netlink resolve socket-default stroke updown
> Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] unable to load 3 plugin
> features (3 due to unmet dependencies)
> Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] dropped capabilities,
> running as uid 0, gid 0
> Apr 23 23:28:36 MyCloud charon[1749]: 00[JOB] spawning 16 worker threads
> Apr 23 23:28:36 MyCloud ipsec_starter[1734]: charon (1749) started after
> 80 ms
> Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] received stroke: add
> connection 'teste'
> Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] added configuration 'teste'
> Apr 23 23:28:36 MyCloud charon[1749]: 09[CFG] received stroke: initiate
> 'teste'
> Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1]
> to 172.16.8.3
> Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1]
> to 172.16.8.3
> Apr 23 23:28:36 MyCloud ipsec[1734]: charon (1749) started after 80 ms
> Apr 23 23:28:37 MyCloud charon[1749]: 09[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Apr 23 23:28:37 MyCloud charon[1749]: 09[NET] sending packet: from
> 172.16.8.158[500] to 172.16.8.3[500] (1108 bytes)
> Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] received packet: from
> 
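The two checks from the hint above, as an added example (not code from the post): scan a kernel tree's Makefiles for IPsec transform objects that are commented out even though .config enables them, then probe the running kernel with the post's throw-away transport-mode xfrm state and delete it again so no stale SA is left behind. It assumes iproute2's `ip` is installed and that the probe runs as root; the Makefile paths and symbol names are the standard ones in the kernel source tree.

```python
"""Check that the kernel really builds and accepts ESP/AH/IPComp transforms."""
import re
import subprocess

# obj-$(CONFIG_...) lines that must be live for the transform modules to
# build; paths are relative to the kernel source tree. The post found
# CONFIG_INET_ESP commented out in net/ipv4/Makefile despite .config.
TRANSFORM_OBJECTS = {
    "net/ipv4/Makefile": ("CONFIG_INET_ESP", "CONFIG_INET_AH", "CONFIG_INET_IPCOMP"),
    "net/ipv6/Makefile": ("CONFIG_INET6_ESP", "CONFIG_INET6_AH", "CONFIG_INET6_IPCOMP"),
}
OBJ_LINE = re.compile(r"^\s*(?P<comment>#\s*)?obj-\$\((?P<sym>CONFIG_\w+)\)\s*\+=")


def disabled_objects(makefile_text, symbols):
    """Return the symbols whose obj- line is commented out or missing."""
    live = set()
    for line in makefile_text.splitlines():
        m = OBJ_LINE.match(line)
        if m and not m.group("comment"):
            live.add(m.group("sym"))
    return [s for s in symbols if s not in live]


def audit_tree(root):
    """Map each Makefile to its disabled transform objects (empty list = fine)."""
    report = {}
    for rel, symbols in TRANSFORM_OBJECTS.items():
        with open(f"{root}/{rel}") as fh:
            report[rel] = disabled_objects(fh.read(), symbols)
    return report


# Test SA from the post (transport mode, sha1 + aes, constructed keys).
# If the kernel refuses this, the backend is broken before strongSwan runs.
SA_ID = ["src", "172.16.8.3", "dst", "172.16.8.158", "proto", "esp", "spi", "1234"]
SA_PARAMS = ["reqid", "16380", "mode", "transport",
             "auth", "sha1", "0x27b12f61fdc46b0f545256a405ac29fc8c137514",
             "enc", "aes", "0x5f5fb739d41eee7a5fe793917d18cadd"]


def xfrm_probe():
    """Add the test state and remove it again. Returns (ok, message)."""
    add = subprocess.run(["ip", "xfrm", "state", "add", *SA_ID, *SA_PARAMS],
                         capture_output=True, text=True)
    if add.returncode != 0:
        # Typical failure on the post's box: "Protocol not supported".
        return False, add.stderr.strip() or "ip xfrm state add failed"
    subprocess.run(["ip", "xfrm", "state", "delete", *SA_ID],
                   capture_output=True, text=True)
    return True, "kernel accepted an ESP transport SA"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # optional path to the kernel source tree
        for makefile, bad in audit_tree(sys.argv[1]).items():
            print(makefile, "disabled:", bad or "none")
    print(*xfrm_probe())
```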

Re: [strongSwan] Don't know where to start

2017-04-25 Thread Noel Kuntze
Hello René,

On 25.04.2017 20:04, Rene Maurer wrote:
> Meanwhile I have looked at the time stamps and IMHO they are a little bit 
> strange:
> 
>>> Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 
>>> 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
>>> 16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: 
>>> isakmp: child_sa  ikev2_auth[I]
>>> Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with 
>>> message ID 1
> strongSwan[NET] is sending the packet at 16:32:28.
> The packet is visible on ppp0 at 16:32:32.
> 4 seconds... this seems to be charon's retransmit_timeout (which we can see as
> well).
> 
> Is there an explanation for this behavior?

As you wrote, the link is a GPRS link, so it's anything but fast or responsive.
It probably just takes four seconds to write the packet to the link, or you
have a serious problem with the queueing discipline of the output interface (or
the driver for the interface, or the whole kernel, or ...).
It's definitely not something that's caused by strongSwan.

Kind regards,

Noel

-- 
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




Re: [strongSwan] Don't know where to start

2017-04-25 Thread Rene Maurer
Hello Noel

Noel Kuntze wrote:

> (I'm answering this from my original email account now.)

And I see your email now in my email account.

>> But when I look at the log on my site together with
>> "tcpdump -i ppp0", I have the impression that ikev2_auth
>> is sent (once).  
> 
> This looks good. Check if that packet makes it there. Some IKE implementations
> just drop all packets from other peers when authentication fails and report a
> local error instead of sending a notification back.

Ok.

Meanwhile I have looked at the time stamps and IMHO they are a little bit 
strange:

>> Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 
>> 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
>> 16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: 
>> isakmp: child_sa  ikev2_auth[I]
>> Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with 
>> message ID 1

strongSwan[NET] is sending the packet at 16:32:28.
The packet is visible on ppp0 at 16:32:32.
4 seconds... this seems to be charon's retransmit_timeout (which we can see as
well).

Is there an explanation for this behavior?

Kind regards,
René

Re: [strongSwan] Don't know where to start

2017-04-25 Thread Noel Kuntze
Hello René,

(I'm answering this from my original email account now.)

On 25.04.2017 19:05, Rene Maurer wrote:
> Routing is as follows:
> 
> # ip route show table 220
> 10.4.30.0/24 via xxx.137.25.195 dev ppp0  proto static src 10.4.48.1

>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
> 10.4.48.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
> 
> And as already said:
>>> # net.ipv4.ip_forward = 1
>>> # iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
>>> # iptables -A FORWARD -i eth0 -j ACCEPT
>> Make sure you use the right IKE version.
> Ok. Switch uses "IKEv2 only mode" and I use "keyexchange=ikev2".
> 
>> Check if the packets arrive at the switch.
> My partner (at remote site) can do this tomorrow.
> 
> But when I look at the log on my site together with
> "tcpdump -i ppp0", I have the impression that ikev2_auth
> is sent (once).

This looks good. Check if that packet makes it there. Some IKE implementations
just drop all packets from other peers when authentication fails and report a
local error instead of sending a notification back.

> 
> --
> Apr 25 16:32:28 daemon.info syslog: 05[IKE] establishing CHILD_SA home{1}
> Apr 25 16:32:28 authpriv.info syslog: 05[IKE] establishing CHILD_SA home{1}
> Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ 
> IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) 
> N(EAP_ONLY) ]
> Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 
> 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
> 16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: 
> isakmp: child_sa  ikev2_auth[I]
> Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with 
> message ID 1
> Apr 25 16:32:32 daemon.info syslog: 03[NET] sending packet: from 
> 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
> 16:32:33.888422 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: 
> isakmp: parent_sa inf2
> 16:32:33.898140 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: 
> isakmp: parent_sa inf2[IR]
> Apr 25 16:32:33 daemon.info syslog: 02[NET] received packet: from 
> xxx.137.25.195[4500] to 10.64.33.100[4500] (80 bytes)
> Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
> Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 
> 0 [ ]
> Apr 25 16:32:33 daemon.info syslog: 02[NET] sending packet: from 
> 10.64.33.100[4500] to xxx.137.25.195[4500] (80 bytes)
> 16:32:38.947424 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: 
> isakmp: child_sa  inf2
> 16:32:38.964954 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: 
> isakmp: child_sa  inf2[IR]
> --
> 
> NB: Any idea why I have seen your answer only on the mail-archive website?
> 

My other domain is too new (probably blacklisted for a while until there's
enough mail from it and it's a bit older) and maybe the DKIM settings are too
strict. I'll set up DMARC to check and see what reports I get, if any.

Kind regards,
Noel

-- 
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




Re: [strongSwan] roadwarrior client on macOS?

2017-04-25 Thread Zachary Cutlip
Apple Configurator 2 
(https://itunes.apple.com/us/app/apple-configurator-2/id1037126344) works well 
for building IKEv2 VPN profiles for macOS and iOS. You can even edit the 
profile later (they’re just XML plist format) to configure options that aren’t 
exposed in the GUI, such as on-demand connection rules.

I created a profile in Configurator that I use as a template for scripts. That 
way I can programmatically generate and sign profiles that work on macOS and 
iOS devices. Be sure to regenerate guids if you do this.

If you want to sign your profiles, you can use Configurator to add your CA 
(assuming your org has its own) to the device. Then profiles signed with that 
cert will be trusted. You can sign with:
openssl smime -sign -signer /path/to/ca_cert -inkey /path/to/ca_key \
    -outform DER -in ./MyProfile.mobileconfig -out ./MyProfile_signed.mobileconfig -nodetach


Cheers,
Zach

> On Apr 24, 2017, at 8:42 AM, Paul Harrison wrote:
> 
> Hi all,
> 
> We have a Strongswan IKEv2 (client cert) based service that works
> extremely well on our Windows laptop clients. But I've now been tasked
> with getting our MacBooks connecting to it and have very little
> experience of Apple kit
> 
> I'm afraid I'm struggling with the wiki documentation and would like
> to use the roadwarrior app - however it asks for a username whereas I
> want to use the certificate already installed on the machine (which is
> used for Active Directory integration), what can I do here?
> 
> Thanks a lot for any advice,
> 
> Paul

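The scripted profile generation Zach describes, as an added example (not code from the post): a per-user .mobileconfig is produced from a Configurator-style template with every PayloadUUID regenerated. Regenerating each UUID on its own would break the VPN payload's PayloadCertificateUUID reference to the PKCS#12 payload, so old UUIDs are remapped one-to-one across the whole tree. The TEMPLATE dict, hostnames and identifiers are constructed placeholders; the rendered XML plist is the unsigned input for the openssl smime command above.

```python
"""Per-user IKEv2 profiles from a template, with consistent fresh UUIDs."""
import plistlib
import uuid

# Constructed template (placeholder values, not a real deployment): the shape
# Apple Configurator 2 exports for an IKEv2 VPN payload plus the PKCS#12
# payload it references by UUID.
TEMPLATE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.vpn.template",
    "PayloadUUID": "11111111-1111-1111-1111-111111111111",
    "PayloadDisplayName": "VPN template",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.vpn.template.ikev2",
            "PayloadUUID": "22222222-2222-2222-2222-222222222222",
            "UserDefinedName": "Corp VPN",
            "VPNType": "IKEv2",
            "IKEv2": {
                "RemoteAddress": "vpn.example.com",
                "RemoteIdentifier": "vpn.example.com",
                "AuthenticationMethod": "Certificate",
                # Cross-reference to the PKCS#12 payload below.
                "PayloadCertificateUUID": "33333333-3333-3333-3333-333333333333",
            },
        },
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.vpn.template.cert",
            "PayloadUUID": "33333333-3333-3333-3333-333333333333",
            "PayloadContent": b"placeholder-pkcs12-bytes",
        },
    ],
}


def _collect_uuids(node, found):
    """Gather every PayloadUUID value anywhere in the tree."""
    if isinstance(node, dict):
        if isinstance(node.get("PayloadUUID"), str):
            found.add(node["PayloadUUID"])
        for value in node.values():
            _collect_uuids(value, found)
    elif isinstance(node, list):
        for value in node:
            _collect_uuids(value, found)
    return found


def _remap(node, mapping):
    """Rebuild the tree, rewriting every string equal to an old UUID."""
    if isinstance(node, dict):
        return {k: _remap(v, mapping) for k, v in node.items()}
    if isinstance(node, list):
        return [_remap(v, mapping) for v in node]
    if isinstance(node, str):
        return mapping.get(node, node)
    return node


def regenerate_uuids(profile):
    """New copy with one fresh uppercase UUID per old UUID; references follow."""
    mapping = {old: str(uuid.uuid4()).upper()
               for old in _collect_uuids(profile, set())}
    return _remap(profile, mapping)


def personalize(template, user, identifier_prefix):
    """Per-user profile: new UUIDs, unique PayloadIdentifiers, user's name."""
    profile = regenerate_uuids(template)
    profile["PayloadIdentifier"] = f"{identifier_prefix}.{user}"
    profile["PayloadDisplayName"] = f"Corp VPN ({user})"
    for payload in profile["PayloadContent"]:
        suffix = payload["PayloadIdentifier"].rsplit(".", 1)[-1]
        payload["PayloadIdentifier"] = f"{identifier_prefix}.{user}.{suffix}"
    return profile


def render(profile):
    """XML plist bytes: the unsigned file to pass to 'openssl smime -sign -in'."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```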

Re: [strongSwan] left ID, right ID and no matching peer config

2017-04-25 Thread Tobias Brunner
Hi Piyush,

> while the rightID on server would be %any.

If you set `rightcert` this will cause `rightid` to default to the
subject DN of the certificate, which in turn won't match "client".  So
either set `rightid=client` or don't set `leftid` on the client so the
client's own identity defaults to the subject DN of the certificate.

Regards,
Tobias

Re: [strongSwan] Tunnels with dynamic IP and another route issue

2017-04-25 Thread Tobias Brunner
Hi Dusan,

> default
>  nexthop via 90.225.x.x  dev vlan845 weight 1
>  nexthop via 10.248.x.x  dev ppp0 weight 256
>  nexthop via 85.24.x.x  dev vlan847 weight 1
>  nexthop via 46.195.x.x  dev ppp1 weight 1
>
> My gateway is configured to use 10.248.0.x as "default route" (highest 
> weight/priority), but when Strongswan tried to initiate the tunnel it 
> seems to always default too the last route, 46.195.x.x, and this wont 
> work as the remote peer is expecting 85.24.x.x.

These kinds of multipath routes (via RTA_MULTIPATH) are currently not
supported by strongSwan when looking up source addresses/nexthops.  The
kernel-netlink plugin only sees one of these via RTA_GATEWAY and
RTA_OIF.  You could try to switch to the kernel's default route lookup
by setting either charon.install_routes=no (disables route installation
by strongSwan altogether, only works with 5.5.2), or by setting
charon.plugins.kernel-netlink.fwmark to an arbitrary number not used yet
as firewall mark (this works since 5.3.3).  However, I'm not sure if
that will return different values in RTA_GATEWAY/RTA_OIF or if it would
still be necessary to parse RTA_MULTIPATH.  How exactly do these kinds of
multipath routes compare to multiple routes with different
priorities/metrics?  In your case you have multiple paths with the same
weight, how is the actual nexthop/interface chosen by the kernel?
Round-robin?  Random?

Regards,
Tobias


[strongSwan] Commercial support?

2017-04-25 Thread Turbo Fredriksson
I’m having some trouble with my VPN connections, and I’d like to
get some commercial support.

Anyone feel up to helping me out?

Re: [strongSwan] Don't know where to start

2017-04-25 Thread Noel Kuntze
Hello René,

On 25.04.2017 12:42, Rene Maurer wrote:
> conn home
> keyexchange=ikev2
> ike=aes128-sha256-modp1024!
> esp=aes128-sha256!
> left=%config
"left=%config" doesn't make sense. %config is neither a known keyword nor a
valid resolvable hostname. If your routing table is sane and specifies the
source IPs for the routes, you don't need to set this at all.

> --
> Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG] added configuration 
> 'home'
> Apr 25 10:04:25 Metering daemon.info syslog: 13[CFG] received stroke: route 
> 'home'
> Apr 25 10:04:25 Metering daemon.info syslog: 17[LIB] resolving 'config' 
> failed: Name or service not known
> Apr 25 10:04:25 Metering authpriv.info ipsec_starter[818]: 'home' routed
> --
>
> My first question: What does the following line mean?
> 17[LIB] resolving 'config' failed: Name or service not known
> Can it be ignored?

Explained above.

> Can anybody help me. I don't know where to start to find the failure.
> I assume that IKE does not work?
Check if the packets arrive at the switch. Check the switch's log.
Make sure you use the right IKE version.
> Or is it the cert requests for an *unknown* ca?
No.

Kind regards,
Noel

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C





[strongSwan] Don't know where to start

2017-04-25 Thread Rene Maurer
Hello

I am new to strongSwan and I try to establish a connection between an
embedded Linux box (using Linux strongSwan U5.3.0/K3.14.43) and a MOXA
switch located on remote site.

On the embedded Linux box I have two interfaces:
ppp0 connects to the internet (using GPRS).
eth0 (10.4.48.1) connects to a local network.

For a first test, everything is routed between the two interfaces:
# net.ipv4.ip_forward = 1
# iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT

The configuration looks like this:

# /etc/ipsec.conf
config setup
charondebug="mgr 0, net 1, enc 1, asn 1, job 1, knl 1"

conn home
keyexchange=ikev2
ike=aes128-sha256-modp1024!
esp=aes128-sha256!
left=%config
leftcert=xxx.pem
right=xxx.137.25.195
leftid="CN=ebmt...@xxx.ch"
rightid="CN=xxx.137.25.195"
rightsubnet=10.4.30.0/24
leftsubnet=10.4.48.0/20
auto=route

# /etc/ipsec.secrets
: RSA xxx.key "blabla"

Here is the log after ipsec start:

--
ipsec start
Starting strongSwan 5.3.0 IPsec [starter]...
NET: Registered protocol family 15
modprobe: module ah4 not found in modules.dep
modprobe: module esp4 not found in modules.dep
modprobe: module ipcomp not found in modules.dep
modprobe: module xfrm4_tunnel not found in modules.dep
10:04:24 Metering authpriv.info ipsec_starter[801]: Starting strongSwan 5.3.0 
IPsec [starter]...
Apr 25 10:04:24 Initializing XFRM netlink socket
artesysMetering kern.info kernel: NET: Registered protocol family 15
Apr 25 10:04:25 Metering kern.info kernel: Initializing XFRM netlink socket
Apr 25 10:04:25 Metering daemon.info syslog: 00[DMN] Starting IKE charon daemon 
(strongSwan 5.3.0, Linux 3.14.43, armv5tejl)
Apr 25 10:04:25 Metering daemon.info syslog: 00[KNL] received netlink error: 
Address family not supported by protocol (97)
Apr 25 10:04:25 Metering daemon.info syslog: 00[KNL] unable to create IPv6 
routing table rule
Apr 25 10:04:25 Metering daemon.info syslog: 00[NET] using forecast interface 
eth0
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] joining forecast multicast 
groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading ca certificates 
from '/etc/ipsec.d/cacerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading aa certificates 
from '/etc/ipsec.d/aacerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading ocsp signer 
certificates from '/etc/ipsec.d/ocspcerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading attribute 
certificates from '/etc/ipsec.d/acerts'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading crls from 
'/etc/ipsec.d/crls'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG] loading secrets from 
'/etc/ipsec.secrets'
Apr 25 10:04:25 Metering daemon.info syslog: 00[CFG]   loaded RSA private key 
from '/etc/ipsec.d/private/xxx.key'
Apr 25 10:04:25 Metering daemon.info syslog: 00[LIB] loaded plugins: charon 
pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints 
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac 
hmac attr kernel-netlink resolve socket-defau
Apr 25 10:04:25 Metering daemon.info syslog: 00[JOB] spawning 16 worker threads
Apr 25 10:04:25 Metering authpriv.info ipsec_starter[818]: charon (819) started 
after 500 ms
Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG] received stroke: add 
connection 'home'
Apr 25 10:04:25 Metering daemon.info syslog: 17[LIB] resolving 'config' failed: 
Name or service not known
Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG]   loaded certificate 
"CN=ebmtest@.ch" from 'xxx.pem'
Apr 25 10:04:25 Metering daemon.info syslog: 10[CFG] added configuration 'home'
Apr 25 10:04:25 Metering daemon.info syslog: 13[CFG] received stroke: route 
'home'
Apr 25 10:04:25 Metering daemon.info syslog: 17[LIB] resolving 'config' failed: 
Name or service not known
Apr 25 10:04:25 Metering authpriv.info ipsec_starter[818]: 'home' routed
--

My first question: What does the following line mean?
17[LIB] resolving 'config' failed: Name or service not known
Can it be ignored?


Here is the log after a ping
from 10.4.48.5 (eth0 local) to 10.4.30.11 (remote):

--
Apr 25 10:12:57 Metering daemon.info syslog: 04[KNL] creating acquire job for 
policy 10.4.48.5/32[icmp/8] === 10.4.30.11/32[icmp/8] with reqid {1}
Apr 25 10:12:57 Metering daemon.info syslog: 18[LIB] resolving 'config' failed: 
Name or service not known
Apr 25 10:12:57 Metering daemon.info syslog: 03[IKE] initiating IKE_SA home[1] 
to xxx.137.25.195
Apr 25 10:12:57 Metering authpriv.info syslog: 03[IKE] initiating IKE_SA 
home[1] to xxx.137.25.195
Apr 25 10:12:57 Metering daemon.info syslog: 03[ENC] generating IKE_SA_INIT 
request 0 [ SA KE No 

Re: [strongSwan] client virtual ip address assignment issue with dhcp

2017-04-25 Thread Noel Kuntze
Hello Alex,

On 25.04.2017 10:48, Alex Sharaz wrote:
> ens1f0    Link encap:Ethernet  HWaddr 00:14:4f:0d:d0:c8
>           inet addr:144.32.128.198  Bcast:144.32.129.255  Mask:255.255.254.0
>           inet6 addr: 2001:630:61:180::1:c6/64 Scope:Global
>           inet6 addr: fe80::214:4fff:fe0d:d0c8/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:5882984 errors:0 dropped:5307 overruns:0 frame:0
>           TX packets:995070 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1009471362 (1.0 GB)  TX bytes:264680178 (264.6 MB)
>           Interrupt:30 Memory:b3d8-b3da
>
> ens1f1    Link encap:Ethernet  HWaddr 00:14:4f:0d:d0:c9
>           inet addr:10.16.35.121  Bcast:10.16.35.127  Mask:255.255.255.248
>           inet6 addr: fe80::214:4fff:fe0d:d0c9/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:21887 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1313 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1428333 (1.4 MB)  TX bytes:216885 (216.8 KB)
>           Interrupt:32 Memory:b3de-b3e0
> 

If that's Linux, please stop using ifconfig. It's part of the net-tools family
that's been deprecated and unmaintained since the early 2000s. Use iproute2
instead.

> The 3rd one however fails as the dhcp server sees a request from interface
> ens1f1 and tells me there isn't an ip address pool defined for address space
> 10.16.35/x, which is correct, there isn't.
>
> Do I have to create another interface on the vpn server in address space
> 172.18.64.0/24 and tell dhcp to send requests out via that?

No, you don't need another interface. You can either do some DHCP relay
chaining or make your DHCP server serve the subnet on the network ens1f1 is
connected to.

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C






[strongSwan] client virtual ip address assignment issue with dhcp

2017-04-25 Thread Alex Sharaz
Hi,
Seem to have a problem assigning an IP address to a client from our
campus dhcp server

Running strongswan 5.5.2

loaded plugins: charon unbound pkcs11 aes des rc2 sha2 sha1 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp
curve25519 xcbc cmac hmac soup mysql attr attr-sql kernel-netlink resolve
socket-default bypass-lan farp stroke vici sql updown eap-identity eap-md5
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic
xauth-eap xauth-pam dhcp radattr addrblock unity

Configuration is

outside world -> interface ens1f0 - StrongSwanVPN - interface ens1f1 ->
Checkpoint firewall -> internal network

Where
ens1f0    Link encap:Ethernet  HWaddr 00:14:4f:0d:d0:c8
          inet addr:144.32.128.198  Bcast:144.32.129.255  Mask:255.255.254.0
          inet6 addr: 2001:630:61:180::1:c6/64 Scope:Global
          inet6 addr: fe80::214:4fff:fe0d:d0c8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5882984 errors:0 dropped:5307 overruns:0 frame:0
          TX packets:995070 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1009471362 (1.0 GB)  TX bytes:264680178 (264.6 MB)
          Interrupt:30 Memory:b3d8-b3da

ens1f1    Link encap:Ethernet  HWaddr 00:14:4f:0d:d0:c9
          inet addr:10.16.35.121  Bcast:10.16.35.127  Mask:255.255.255.248
          inet6 addr: fe80::214:4fff:fe0d:d0c9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1428333 (1.4 MB)  TX bytes:216885 (216.8 KB)
          Interrupt:32 Memory:b3de-b3e0


User connects to SSwan via ens1f0 - outside world address, and traffic gets
into our network via ens1f1/checkpoint firewall. End systems see an IP
address in range 172.18.64.0/24.

In my server config I can use one of the following
  #rightsourceip=172.18.64.0/24
  #rightsourceip=%itservices
  #rightsourceip=%dhcp

The first one works fine.
The second one also works (pulling ip address from mysql database table)

The 3rd one however fails as the dhcp server sees a request from interface
ens1f1 and tells me there isn't an ip address pool defined for address
space 10.16.35/x, which is correct, there isn't.

Do I have to create another interface on the vpn server in address space
172.18.64.0/24 and tell dhcp to send requests out via that?

Rgds
Alex

In my .../strongswan.d/charon/dhcp.conf I've got

dhcp {

# Always use the configured server address.
# force_server_address = no

# Derive user-defined MAC address from hash of IKE identity.
# identity_lease = no

# Interface name the plugin uses for address allocation.
interface = ens1f1

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

# DHCP server unicast or broadcast IP address.
# server = 255.255.255.255

}

Re: [strongSwan] roadwarrior client on macOS?

2017-04-25 Thread Tobias Brunner
Hi Paul,

> I'm afraid I'm struggling with the wiki documentation and would like
> to use the roadwarrior app - however it asks for a username whereas I
> want to use the certificate already installed on the machine (which is
> used for Active Directory integration), what can I do here?

Use the client built into macOS [1].  The strongSwan app only supports
EAP authentication with username/password, no client certificates.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
