Re: [strongSwan] commit 6b57790270fb07c579315c70ecce34f8ad9a4d63 is different when it comes to libcharon

2017-09-07 Thread Tobias Brunner
Hi Jaehong,

> The logic of the get_route function in
> /libcharon/plugins/kernel_netlink/kernel_netlink_net.c was ported
> differently from how it is described above.

Yes, that was changed with 3f4cc30b19b0d3294bff0a6306c8c5d6fa75e705 [1].

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=3f4cc30b


Re: [strongSwan] L2TP/IPSec NAT-T FreeBSD related issue

2017-09-07 Thread Victor Volpe
Fixed with the patch posted in this topic: https://forums.freebsd.org/threads/49641/#post-280547


Re: [strongSwan] revoke certification with out "ipsec restart"

2017-09-07 Thread Nimo
Hi Tobias,

>> I don't want to use "ipsec restart" because other IPsec sessions are
>> disconnected.
>> How can I make enabled the revocation without disconnecting other's
>> IPsec session ?
>
> You used the same crlNumber for your second CRL.  So it didn't replace
> the CRL that you loaded before (this is logged as "  crl #01 is not
> newer - existing crl #01 retained", so if you read that you'd have known).

Oh!
I checked my shell script and found the problem you pointed out.
I fixed it and it works fine.

I am sorry I wasted your time, and thank you very much.
---
takumi kadode


2017-09-07 17:58 GMT+09:00 Tobias Brunner :

> Hi Nimo,
>
> > I don't want to use "ipsec restart" because other IPsec sessions are
> > disconnected.
> > How can I make enabled the revocation without disconnecting other's
> > IPsec session ?
>
> You used the same crlNumber for your second CRL.  So it didn't replace
> the CRL that you loaded before (this is logged as "  crl #01 is not
> newer - existing crl #01 retained", so if you read that you'd have known).
>
> Regards,
> Tobias
>
>


Re: [strongSwan] VICI and multiple threads

2017-09-07 Thread Modster, Anthony
Hello Tobias

Thanks for the info on VICI.

Note: we spoke with Andreas on our original design, and he did mention the 
possibility for using DAVICI.
The problem at the time was Andreas lost the support person for this module. So 
we decided not to take the risk.

-Original Message-
From: Tobias Brunner [mailto:tob...@strongswan.org] 
Sent: Thursday, September 07, 2017 12:03 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VICI and multiple threads

Hi Anthony,

> ? is the VICI library considered thread safe
> 
> Can a host use multiple threads to access the library functions.

You can't share VICI connections between threads, but multiple threads can call 
the library functions and operate on separate connections.  For third-party 
tools you might want to consider using davici [1], which has a more permissive 
license (libvici is licensed under GPLv2 like strongSwan, davici under 
LGPLv2.1).

Regards,
Tobias

[1] https://github.com/strongswan/davici


[strongSwan] commit 6b57790270fb07c579315c70ecce34f8ad9a4d63 is different when it comes to libcharon

2017-09-07 Thread Jaehong Park
Hi Martin.

6b57790270fb07c579315c70ecce34f8ad9a4d63

If a system uses routing metrics, we should honor them when doing (manual)
routing lookups for IKE. When enumerating routes, the kernel reports priorities
with the RTA_PRIORITY attribute, not RTA_METRICS. We prefer routes with a
lower priority value, and fall back to longest prefix match priorities if
the priority value is equal.

The logic of the get_route function in
/libcharon/plugins/kernel_netlink/kernel_netlink_net.c was ported
differently from how it is described above.
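As an added illustration of the rule the commit message above describes (this is not strongSwan's code and not part of the thread), the following Python implements a route lookup that prefers the lowest RTA_PRIORITY value and falls back to longest prefix match only on ties, next to plain longest prefix match for contrast. The routing table is constructed for the demonstration. Tobias's reply in this thread points out that the real get_route logic was changed again in 3f4cc30b, so this mirrors the commit text, not the current code.

```python
"""Added example, not strongSwan code: route selection as described in the
commit message quoted above. The kernel reports a route's metric in
RTA_PRIORITY; the rule is "lowest priority value wins, longest prefix match
only breaks ties". Plain longest prefix match is included for contrast."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dst: str                       # destination prefix; "0.0.0.0/0" is the default route
    priority: int                  # value the kernel reports in RTA_PRIORITY, lower is better
    iface: str
    gateway: Optional[str] = None  # None for a directly connected prefix

    @property
    def network(self):
        return ipaddress.ip_network(self.dst)


def matching(routes: List[Route], dst: str) -> List[Route]:
    """All routes whose destination prefix covers dst (address family must match)."""
    addr = ipaddress.ip_address(dst)
    return [r for r in routes if addr in r.network]


def longest_prefix_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Classic LPM: metrics are ignored entirely."""
    return max(matching(routes, dst), key=lambda r: r.network.prefixlen, default=None)


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Rule from the commit message: lowest RTA_PRIORITY first, then longest prefix."""
    return min(matching(routes, dst),
               key=lambda r: (r.priority, -r.network.prefixlen), default=None)


# Constructed routing table for the demonstration (not from the thread).
ROUTES = [
    Route("0.0.0.0/0",   priority=100, iface="eth0", gateway="192.0.2.1"),
    Route("10.0.0.0/8",  priority=100, iface="eth1", gateway="10.0.0.1"),
    Route("10.1.0.0/16", priority=200, iface="eth2", gateway="10.1.0.1"),  # more specific, worse metric
    Route("10.1.2.0/24", priority=100, iface="eth3"),
]


if __name__ == "__main__":
    for dst in ("10.1.9.9", "10.1.2.3", "198.51.100.7"):
        print(dst, "LPM ->", longest_prefix_match(ROUTES, dst).iface,
              "| metric-aware ->", select_route(ROUTES, dst).iface)
```

For 10.1.9.9 plain LPM picks eth2 (the /16), while the metric-aware rule picks eth1 (the /8 with the lower priority value); for 10.1.2.3 both pick eth3, because the /24 has the lowest priority value and the longest prefix.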




Re: [strongSwan] Strongswan and TPM

2017-09-07 Thread John Brown
Hi Andreas,

Sorry for the delay.
Yes, this is very useful information! Now I know I have to try with
TPM2.0 only. Thank you very much.

Can you also confirm that for use with keys stored in TPM I have to use
swanctl.conf instead of ipsec.conf?

Best regards,
John

2017-08-31 12:46 GMT+02:00 Andreas Steffen :

> Hi John,
>
> currently strongSwan supports signature keys residing in the NVRAM
> of the TPM 2.0, only. These can be accessed using the object handle
> range 0x8101. Private keys stored in the NVRAM of the TPM 2.0
> have the big advantage that you can wipe the hard disk or SSD
> without irretrievably losing the keys.
>
> But as you correctly mention in principle an unlimited number of
> keys can be stored in encrypted form outside the TPM. With the TPM 2.0
> you have to load them into NVRAM first, before you can do any
> signature operations. strongSwan does not support external keys, though.
>
> strongSwan does not offer any signature key support for the TPM 1.2.
> The TPM 1.2 can be used for attestation, only (implemented by the
> Attestation IMC dynamic library) where the TPM 1.2 loads an external
> attestation key blob and generates a Quote signature over a certain
> number of PCR registers.
>
> Hope this helps.
>
> Andreas
>
> On 31.08.2017 10:46, John Brown wrote:
> > Hi Tobias/Hi all,
> > After some reading I have a conclusion that TPM 2.0 can only be used
> > with strongswan 5.5.2 or newer.
> > The example that the strongswan wiki provides shows storing the keys
> > inside the tpm (as far as I understand the example correctly). But all
> > the tpm sources I've read state that the keys can also be stored
> > externally but in encrypted form by the tpm. Is this a general rule that
> > can also be used with strongswan?
> > Additionally, an example shows usage with swanctl.conf. Can ipsec.conf be
> > also used?
> >
> > What about TPM 1.2? I've found that it is mentioned in TNC. But can I
> > use TPM 1.2 only for key storage in strongswan? If yes, which version of
> > strongswan is the oldest that can be used for this?
> >
> > Best regards,
> > John
> >
> >
> > 2017-07-18 12:46 GMT+02:00 John Brown  > >:
> >
> > Hi Tobias,
> > Thank you for your answer. I'm on the first stage of learning TPM,
> > but as far as I understand the general rule, the private key should
> > not be accessible, and that was the reason that the aforementioned log
> > message drew my attention. Is the wiki page I've read the only way
> > I can learn about TPM and strongswan cooperation, or are there some more
> > detailed explanations somewhere of how the process works?
> >
> > Best regards,
> > John
> >
> >
> > 2017-07-18 12:05 GMT+02:00 Tobias Brunner  > >:
> >
> > Hi John,
> >
> > > and I conclude from this example, that private key stored in TPM is
> > > loaded to program memory the same way as if it was stored in a file (log
> > > message: "...charon-systemd[21165]: loaded RSA private key from token").
> > > Am I correct?
> >
> > No, that's only the generic log message that you'll see for any private
> > key loaded by the configuration backend, whether that private key is
> > actually loaded into memory or it's just a reference to a key (as is the
> > case here).  Private keys on PKCS#11 tokens or in a TPM can't be
> > accessed directly, so they never end up in memory.
> >
> > Regards,
> > Tobias
> >
> >
> >
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>
>


[strongSwan] debugging Ubuntu network manager vpn establishment

2017-09-07 Thread Alex Sharaz
Hi,
I'm  trying to establish a VPN connection to our 5.6.0 SSwan server via the
Network Manager in Ubuntu 16.04.3

I'm running an Ubuntu VM over Parallels /OSX. The VM is fully patched and
up to date.

1st step was to get the CLI version running, and I can establish a VPN using
"ipsec up as1558-mschap"

which uses eap-peap/mschapv2 to authenticate a user against our server.

I then built the NetworkManager plugin (v1.4.2) as per
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

When creating a VPN I now have an option to create an ipsec/ikev2
(strongswan) VPN.
I've left the general tab, IPv4 and IPv6 settings tabs at their default
settings and only altered the VPN tab.

Gateway address / vpn.york.ac.uk
Certificate / None

Client Authentication / EAP
Username /   [1504784124.0851]
audit: op="connection-activate" uuid="4c98e2da-b95e-49b2-b18d-e8591db70094"
name="VPN connection 1" pid=19612 uid=1000 result="success"
Sep  7 12:35:24 deadpool NetworkManager[693]:   [1504784124.1173]
vpn-connection[0xe7e260,4c98e2da-b95e-49b2-b18d-e8591db70094,"VPN
connection 1",0]: Could not launch the VPN service. error: Failed to
execute child process "/usr/libexec/ipsec/charon-nm" (No such file or
directory).

... and it's right ... there's no directory called /usr/libexec

For strongswan I used

./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent \
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-identity \
   --enable-curl --enable-eap-peap

For NM I originally used

./configure --sysconfdir=/etc --prefix=/usr

which generated the "/usr/libexec/ipsec/charon-nm does not exist" error

..so I changed this to

./configure --sysconfdir=/etc --prefix=/usr \
   --with-charon=/usr/lib/ipsec/charon-nm

Having set the config to prompt for a password I get

Sep  7 12:49:07 deadpool NetworkManager[693]:   [1504784947.9910]
vpn-connection[0xe7e620,ae93fe4c-e311-4ef5-9c70-145323a361c8,"UoY
SSwan",0]: Saw the service appear; activating connection
Sep  7 12:49:08 deadpool NetworkManager[693]:  [1504784948.0145]
vpn-connection[0xe7e620,ae93fe4c-e311-4ef5-9c70-145323a361c8,"UoY
SSwan",0]: Failed to request VPN secrets #3: No agents were available for
this request.

Entered the password manually and still got the same message in kern.log

What have I missed?

Rgds
Alex





Re: [strongSwan] revoke certification with out "ipsec restart"

2017-09-07 Thread Tobias Brunner
Hi Nimo,

> I don't want to use "ipsec restart" because other IPsec sessions are
> disconnected.
> How can I make enabled the revocation without disconnecting other's
> IPsec session ?

You used the same crlNumber for your second CRL.  So it didn't replace
the CRL that you loaded before (this is logged as "  crl #01 is not
newer - existing crl #01 retained", so if you read that you'd have known).

Regards,
Tobias
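Added example (not from the thread and not strongSwan code): a minimal DER builder and walker, Python standard library only, that constructs CRLs carrying a crlNumber extension and applies the rule Tobias describes: a CRL for the same issuer replaces the cached one only when its crlNumber is greater. The issuer name, dates and numbers are constructed, the signature field is a placeholder (the CRLs are unsigned), and a CRL without crlNumber is treated as number 0 here, which is an assumption of this example. The returned strings are modelled on the log line quoted above.

```python
"""Added example, not strongSwan code: where crlNumber lives in a CRL and
why loading a second CRL with the same number is a no-op. Standard library
only; the CRLs built here are unsigned (placeholder signature) and exist
only to show the comparison."""

OID_CRL_NUMBER = b"\x55\x1d\x14"                           # 2.5.29.20 id-ce-cRLNumber
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
OID_COMMON_NAME = b"\x55\x04\x03"                          # 2.5.4.3


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short and long form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_int(value: int) -> bytes:
    """Non-negative INTEGER, with a leading zero byte when the high bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_crl(issuer_cn: str, crl_number: int,
              this_update=b"170907000000Z", next_update=b"171007000000Z") -> bytes:
    """Constructed CertificateList with no revoked entries and a crlNumber extension."""
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + b"\x05\x00")
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME)
                                              + der(0x0C, issuer_cn.encode()))))
    ext = der(0x30, der(0x06, OID_CRL_NUMBER) + der(0x04, der_int(crl_number)))
    tbs = der(0x30, der_int(1) + sig_alg + issuer + der(0x17, this_update)
              + der(0x17, next_update) + der(0xA0, der(0x30, ext)))
    signature = der(0x03, b"\x00" + bytes(8))   # placeholder, not a real signature
    return der(0x30, tbs + sig_alg + signature)


def _tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        out.append((tag, value))
    return out


def parse_crl(der_crl: bytes):
    """Return (issuer DER, crlNumber or None) from a DER-encoded CRL."""
    _, cert_list, _ = _tlv(der_crl, 0)
    _, tbs, _ = _tlv(cert_list, 0)
    fields = _children(tbs)
    skip = 1 if fields[0][0] == 0x02 else 0        # optional version INTEGER
    issuer = fields[skip + 1][1]                    # follows the AlgorithmIdentifier
    number = None
    for tag, value in fields:
        if tag == 0xA0:                             # crlExtensions [0] EXPLICIT
            for _, ext in _children(_children(value)[0][1]):
                parts = _children(ext)
                if parts[0][1] == OID_CRL_NUMBER:
                    _, raw = _children(parts[-1][1])[0]   # INTEGER inside the OCTET STRING
                    number = int.from_bytes(raw, "big", signed=True)
    return issuer, number


class CrlStore:
    """One cached CRL per issuer, replaced only by a CRL with a greater crlNumber."""

    def __init__(self):
        self._by_issuer = {}

    def load(self, der_crl: bytes) -> str:
        issuer, number = parse_crl(der_crl)
        number = 0 if number is None else number   # assumption of this example
        cached = self._by_issuer.get(issuer)
        if cached is not None:
            _, have = parse_crl(cached)
            have = 0 if have is None else have
            if number <= have:
                return f"crl #{number:02d} is not newer - existing crl #{have:02d} retained"
        self._by_issuer[issuer] = der_crl
        return f"crl #{number:02d} loaded"


if __name__ == "__main__":
    store = CrlStore()
    for n in (1, 1, 2):               # second load reuses the number, as in the question
        print(store.load(build_crl("Example CA", n)))
```

The practical consequence is the one in the reply: a script that regenerates the CRL must increment crlNumber every time, or the daemon keeps the CRL it already has.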



[strongSwan] Help Site-to-Site configuration error installing route with policy

2017-09-07 Thread Olivier CALVANO
Hi

I have a problem with a new site-to-site configuration of strongSwan:


ipsec.conf:

config setup
    charondebug="knl 2, cfg 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev1
    mobike=no

conn Galioppee
    left=192.168.1.254
    leftsubnet=192.168.62.0/24
    leftfirewall=no
    leftid=192.168.1.254
    leftauth=psk

    right=172.16.1.254
    rightsubnet=192.168.163.0/24
    rightid=172.16.1.254
    rightauth=psk

    type=tunnel
    auto=start
    ikelifetime=28800
    keylife=900
    aggressive=no
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1-modp1536!



I have changed "auto=start" to "add" or "route" but get the same problem.
server:

ifconfig
eth1: flags=4163  mtu 1500
inet 192.168.1.254.11  netmask 255.255.255.0  broadcast
192.168.1.255

eth2: flags=4163  mtu 1500
inet 172.20.22.233  netmask 255.255.255.248  broadcast 172.20.22.239

ipsec0: flags=4305  mtu 1400
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen
500  (UNSPEC)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 0  bytes 0 (0.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1.1   0.0.0.0         UG    100    0        0 eth1
172.20.22.232   0.0.0.0         255.255.255.248 U     100    0        0 eth2
192.168.62.0    172.20.22.238   255.255.255.0   UG    0      0        0 eth2
192.168.62.0    172.20.22.238   255.255.254.0   UG    0      0        0 eth2




In the logs I have:
Sep  6 17:34:43 irys01 charon: 12[ENC] parsed QUICK_MODE request 2463978021
[ HASH SA No KE ID ID ]
Sep  6 17:34:43 irys01 charon: 12[CFG] looking for a child config for
192.168.62.0/24 === 192.168.163.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for us:
Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for
other:
Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.163.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG]   candidate "Galioppee" with prio 5+5
Sep  6 17:34:43 irys01 charon: 12[CFG] found matching child config
"Galioppee" with prio 10
Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for
other:
Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.163.0/24, received:
192.168.163.0/24 => match: 192.168.163.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for us:
Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.62.0/24, received:
192.168.62.0/24 => match: 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] selecting proposal:
Sep  6 17:34:43 irys01 charon: 12[CFG]   proposal matches
Sep  6 17:34:43 irys01 charon: 12[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep  6 17:34:43 irys01 charon: 12[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep  6 17:34:43 irys01 charon: 12[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep  6 17:34:43 irys01 charon: 12[IKE] received 460800 lifebytes,
configured 0
Sep  6 17:34:43 irys01 charon: 12[ENC] generating QUICK_MODE response
2463978021 [ HASH SA No KE ID ID ]
Sep  6 17:34:43 irys01 charon: 12[NET] sending packet: from
192.168.1.254[4500] to 172.16.1.254[4500] (396 bytes)
Sep  6 17:34:43 irys01 charon: 13[NET] received packet: from
172.16.1.254[4500] to 192.168.1.254[4500] (60 bytes)
Sep  6 17:34:43 irys01 charon: 13[ENC] parsed QUICK_MODE request 2463978021
[ HASH ]
Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic
selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic
selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy
192.168.62.0/24 === 192.168.163.0/24 out
Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic
selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic
selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy
192.168.62.0/24 === 192.168.163.0/24 out
Sep  6 17:34:43 irys01 charon: 13[IKE] unable to install IPsec policies
(SPD) in kernel
Sep  6 17:34:43 irys01 charon: 13[IKE] sending DELETE for ESP CHILD_SA with
SPI 16bcc04d
Sep  6 17:34:43 irys01 charon: 13[ENC] generating INFORMATIONAL_V1 request
4069478722 [ HASH D ]
Sep  6 17:34:43 irys01 charon: 13[NET] sending packet: from
192.168.1.254[4500] to 172.16.1.254[4500] (76 bytes)
Sep  6 17:36:12 irys01 charon: 15[NET] received packet: from
172.16.1.254[4500] to 192.168.1.254[4500] (76 bytes)
Sep  6 17:36:12 irys01 charon: 15[ENC] parsed INFORMATIONAL_V1 request
3827316135 [ HASH D 
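The KNL lines above show charon looking for a local address inside the left traffic selector and finding none. As an added example (not the poster's and not strongSwan's code), this Python reproduces that lookup over the interfaces listed in the post: it parses the `inet ... netmask ...` lines and reports whether any interface address lies inside a given traffic selector. The eth1 address is taken as 192.168.1.254 (the `left=` value from the ipsec.conf), since the ifconfig line in the post is garbled; the wording of the result strings is modelled on the charon log lines.

```python
"""Added example, not the poster's or strongSwan's code: the lookup the KNL
log lines describe, i.e. find a local interface address inside the left
traffic selector, run over the interfaces shown in the post."""
import ipaddress
import re
from typing import List, Optional

# Interface output from the post, trimmed to the inet lines. eth1 is taken as
# 192.168.1.254 (the left= value) because the ifconfig line in the post is garbled.
IFCONFIG_OUTPUT = """\
eth1: flags=4163  mtu 1500
inet 192.168.1.254  netmask 255.255.255.0  broadcast 192.168.1.255
eth2: flags=4163  mtu 1500
inet 172.20.22.233  netmask 255.255.255.248  broadcast 172.20.22.239
"""

INET_LINE = re.compile(r"inet (\d+\.\d+\.\d+\.\d+)\s+netmask (\d+\.\d+\.\d+\.\d+)")


def local_addresses(ifconfig_text: str) -> List[ipaddress.IPv4Interface]:
    """Parse 'inet X netmask Y' lines into interface objects."""
    return [ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            for m in INET_LINE.finditer(ifconfig_text)]


def local_address_in_ts(addresses, traffic_selector: str) -> Optional[ipaddress.IPv4Address]:
    """First local address that lies inside the traffic selector, or None."""
    ts = ipaddress.ip_network(traffic_selector, strict=False)
    for iface in addresses:
        if iface.ip in ts:
            return iface.ip
    return None


def check_left_subnet(ifconfig_text: str, left_subnet: str) -> str:
    """Phrase the result like the charon KNL lines quoted in the post."""
    addr = local_address_in_ts(local_addresses(ifconfig_text), left_subnet)
    if addr is None:
        return f"no local address found in traffic selector {left_subnet}"
    return f"using {addr} as local address in traffic selector {left_subnet}"


if __name__ == "__main__":
    print(check_left_subnet(IFCONFIG_OUTPUT, "192.168.62.0/24"))  # the leftsubnet from the post
    print(check_left_subnet(IFCONFIG_OUTPUT, "192.168.1.0/24"))
```

With the interfaces from the post, the check reports the same condition as the log for 192.168.62.0/24, because neither 192.168.1.254 nor 172.20.22.233 lies in that subnet; for a selector that does contain an interface address it returns that address.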

Re: [strongSwan] VICI and multiple threads

2017-09-07 Thread Tobias Brunner
Hi Anthony,

> ? is the VICI library considered thread safe
> 
> Can a host use multiple threads to access the library functions.

You can't share VICI connections between threads, but multiple threads
can call the library functions and operate on separate connections.  For
third-party tools you might want to consider using davici [1], which has
a more permissive license (libvici is licensed under GPLv2 like
strongSwan, davici under LGPLv2.1).

Regards,
Tobias

[1] https://github.com/strongswan/davici
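Added example (not from the thread and not the strongSwan or davici code), in Python, showing the pattern Tobias describes in both messages on this subject: one VICI connection per thread, never shared between threads. The connection object is a constructed stand-in that exposes a version() call, as vici.Session does; with the real binding the factory would return vici.Session() instead, which needs a running charon and is why the stand-in is used here. The OwnedConnection guard is this example's own addition: it raises if a connection is touched from a thread other than the one that created it.

```python
"""Added example, not strongSwan/davici code: thread-local VICI connections
plus a guard that catches accidental sharing across threads."""
import threading


class ConnectionStandIn:
    """Constructed stand-in for vici.Session so the pattern runs without charon."""

    def __init__(self):
        self.created_by = threading.get_ident()
        self.requests = 0

    def version(self):
        self.requests += 1
        return {"daemon": "stand-in", "thread": self.created_by}


class OwnedConnection:
    """Wrap a connection and refuse any call from a thread other than its creator."""

    def __init__(self, conn):
        self._conn = conn
        self._owner = threading.get_ident()

    def __getattr__(self, name):
        caller = threading.get_ident()
        if caller != self._owner:
            raise RuntimeError(
                f"VICI connection owned by thread {self._owner} used from thread {caller}")
        return getattr(self._conn, name)


_thread_state = threading.local()


def make_connection() -> OwnedConnection:
    # With the real binding: OwnedConnection(vici.Session())
    return OwnedConnection(ConnectionStandIn())


def connection() -> OwnedConnection:
    """Return the calling thread's own connection, creating it on first use."""
    conn = getattr(_thread_state, "conn", None)
    if conn is None:
        conn = make_connection()
        _thread_state.conn = conn
    return conn


def query_from_threads(n: int):
    """Run n workers; each issues a request over its own connection. Returns the connections."""
    conns = [None] * n

    def worker(i):
        conn = connection()
        conn.version()
        conns[i] = conn          # keep the object alive so ids stay distinct

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return conns


def cross_thread_use_is_rejected() -> bool:
    """Create a connection on one thread and use it from another: the guard must raise."""
    holder = {}
    t = threading.Thread(target=lambda: holder.setdefault("conn", make_connection()))
    t.start()
    t.join()
    try:
        holder["conn"].version()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(len({id(c) for c in query_from_threads(4)}), "distinct connections for 4 threads")
    print("cross-thread use rejected:", cross_thread_use_is_rejected())
```

The guard costs one integer comparison per call and turns a silent data race on a shared connection into an immediate error during testing, which is where accidental sharing is cheapest to find.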