Re: [strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Naveen Neelakanta
Hi Noel,

Thanks, I got the VTI working after I changed the VTI local and remote
IPs to match the SPD IPs. However, is it possible to configure the VTI
interface with IPs other than those in the policies?

Working config:

ip tunnel add ipsec0 local 10.24.18.209 remote 10.24.18.35 mode vti okey 32

Below is my ipsec configuration:

conn net-net
    left=10.24.18.209
    leftsubnet=0.0.0.0/0
    right=10.24.18.35
    rightsubnet=0.0.0.0/0
    ike=aes128-sha1-modp1024
    esp=null-md5-modp1024
    auto=add
    mark_out=32

Not working when I change the VTI interface IPs to the below and
enable forwarding:

ip tunnel add ipsec0 local 10.24.18.211 remote 0.0.0.0 mode vti okey 32

Appreciate any help on this.

Thanks,
Naveen

On Wed, Nov 29, 2017 at 10:33 AM, Noel Kuntze
 wrote:
> Hi,
>
> Please follow the RouteBasedVPN article[1] to the letter and keep your routes 
> in the main routing table
> to keep it simple. As soon as you have a working setup, THEN you can start 
> making changes.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
>
> On 29.11.2017 09:16, Naveen Neelakanta wrote:
>> Hi All,
>>
>> Need some guidance and help in getting the traffic routed via the VTI
>> (ipsec0) interface. I am using the VTI interface just to mark the
>> traffic and forward it.
>>
>> I am not able to get the traffic forwarded via the VTI (ipsec0) interface
>> and marked, so that it gets protected.
>>
>> I have the IPsec tunnel up between the two devices. I see traffic sent
>> from the client interface reaching the VTI interface; however, it is not
>> getting forwarded to eth3, so that it gets protected.
>>
>>
>> Unix Device1:
>>
>>
>> eth3<— ipsec0 ( vti )<———vzsi
>>
>>
>> 10.24.18.209   10.24.18.36   10.24.18.203
>>
>>
>>
>> Routing rules on the device :
>>
>>
>> ip tunnel add ipsec0 local 10.24.18.36 remote 0.0.0.0 mode vti okey 32 ikey 32
>>
>> ip link set ipsec0 up
>>
>> ip route add default dev ipsec0 table zs-flow-table-inet
>>
>> echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_policy
>>
>> echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm
>>
>> echo 300 zs-flow-table-inet >> /etc/iproute2/rt_tables
>>
>>
>>
>> ip rule add iif vzsi-p table zs-flow-table-inet
>>
>>
>> ip route add default dev ipsec0 table zs-flow-table-inet
>>
>> ip rule add iif ipsec0 table internet-eth3
>>
>> ip rule add oif ipsec0 table internet-eth3
>>
>> # ip route show table internet-eth3
>>
>>
>>   default via 10.24.18.210 dev eth3
>>
>>
>> The ipsec policy and sa config is present
>>
>> SPD entry :
>>
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> dir fwd priority 3075
>>
>> mark 32/0x
>>
>> tmpl src 10.24.18.35 dst 10.24.18.209
>>
>> proto esp reqid 1 mode tunnel
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> dir in priority 3075
>>
>> mark 32/0x
>>
>> tmpl src 10.24.18.35 dst 10.24.18.209
>>
>> proto esp reqid 1 mode tunnel
>>
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> dir out priority 3075
>>
>> mark 32/0x
>>
>> tmpl src 10.24.18.209 dst 10.24.18.35
>>
>>  proto esp reqid 1 mode tunnel
>>
>> SADB:
>>
>> src 10.24.18.209 dst 10.24.18.35
>>
>> proto esp spi 0xcfe2aa19 reqid 1 mode tunnel
>>
>> replay-window 32 flag af-unspec
>>
>> mark 32/0x
>>
>> auth-trunc hmac(md5) 0x830c26f2a8fdaa2a1d6f82c9663f0bf3 96
>>
>> enc ecb(cipher_null)
>>
>> src 10.24.18.35 dst 10.24.18.209
>>
>> proto esp spi 0xc377e262 reqid 1 mode tunnel
>>
>> replay-window 32 flag af-unspec
>>
>> mark 32/0x
>>
>> auth-trunc hmac(md5) 0x99f7adff411b87cb04a652469b6132fd 96
>>
>> enc ecb(cipher_null)
>>
>> Issue:
>>
>> #ip -s tunnel s ipsec0
>>
>> ipsec0: ip/ip  remote any  local 10.24.18.36  ttl inherit  key 32
>>
>> RX: Packets  Bytes  Errors  CsumErrs  OutOfSeq  Mcasts
>>     0        0      0       0         0         0
>>
>> TX: Packets  Bytes  Errors  DeadLoop  NoRoute   NoBufs
>>     0        0      32      0         32        0
>>
>> I see the traffic on the ipsec0 interface
>>
>> #tcpdump -ni ipsec0
>>
>> listening on ipsec0, link-type RAW (Raw IP), capture size 65535 bytes
>>
>> 02:18:03.237031 IP 10.24.18.203.52554 > 10.24.18.35.: Flags [S],
>> seq 3484231614, win 29200, options [mss 1460,sackOK,TS val 4061593203
>> ecr 0,nop,wscale 7], length 0
>>
>> # ifconfig ipsec0
>>
>>   ipsec0    Link encap:IPIP Tunnel  HWaddr
>>
>>   UP RUNNING NOARP  MTU:1500  Metric:1
>>
>>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>
>>   TX packets:0 errors:32 dropped:0 overruns:0 carrier:32
>>
>>   collisions:0 txqueuelen:0
>>
>>   RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>
>>
>> Thanks,
>>
>> Naveen
>
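The mismatch Naveen ran into (VTI endpoints and key that do not line up with the policy templates and SA in the kernel) can be checked before any traffic is sent. The following script is an added example, not code from this thread or from the strongSwan project: it parses `ip xfrm policy` / `ip xfrm state` style dumps and an `ip tunnel add ... mode vti` line and reports where the VTI disagrees with the outbound policy. The sample dumps are constructed inline from the values quoted in the thread; the mark mask is assumed to be 0xffffffff, since the archive truncated it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the SPD from the thread, mark mask assumed 0xffffffff.
SPD_DUMP = """\
src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.35 dst 10.24.18.209
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.35 dst 10.24.18.209
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.209 dst 10.24.18.35
proto esp reqid 1 mode tunnel
"""

# Constructed sample: the SAD from the thread (keys left out).
SAD_DUMP = """\
src 10.24.18.209 dst 10.24.18.35
proto esp spi 0xcfe2aa19 reqid 1 mode tunnel
mark 32/0xffffffff
src 10.24.18.35 dst 10.24.18.209
proto esp spi 0xc377e262 reqid 1 mode tunnel
mark 32/0xffffffff
"""

# The two VTI definitions from the thread: the failing one and the working one.
VTI_BROKEN = "ip tunnel add ipsec0 local 10.24.18.36 remote 0.0.0.0 mode vti okey 32 ikey 32"
VTI_WORKING = "ip tunnel add ipsec0 local 10.24.18.209 remote 10.24.18.35 mode vti okey 32"


@dataclass
class Policy:
    direction: str
    mark: int
    tmpl_src: str
    tmpl_dst: str
    reqid: int


@dataclass
class SA:
    src: str
    dst: str
    mark: int
    reqid: int


def _blocks(dump):
    """Split an ip xfrm dump into entries; each entry starts with a 'src ' line."""
    return [b for b in re.split(r"(?m)^(?=src )", dump) if b.strip()]


def _mark(block):
    m = re.search(r"\bmark (0x[0-9a-f]+|\d+)", block)
    return int(m.group(1), 0) if m else 0


def _reqid(block):
    r = re.search(r"\breqid (\d+)", block)
    return int(r.group(1)) if r else 0


def parse_policies(dump):
    policies = []
    for block in _blocks(dump):
        d = re.search(r"\bdir (\w+)", block)
        t = re.search(r"\btmpl src (\S+) dst (\S+)", block)
        if d and t:
            policies.append(Policy(d.group(1), _mark(block), t.group(1), t.group(2), _reqid(block)))
    return policies


def parse_sas(dump):
    sas = []
    for block in _blocks(dump):
        e = re.match(r"src (\S+) dst (\S+)", block)
        sas.append(SA(e.group(1), e.group(2), _mark(block), _reqid(block)))
    return sas


def parse_vti(cmd):
    """Read name, endpoints and keys from an 'ip tunnel add <name> ... mode vti' line."""
    tokens = cmd.split()
    opts = {tokens[i]: tokens[i + 1] for i in range(4, len(tokens) - 1, 2)}
    key = opts.get("key", "0")
    return {"name": tokens[3],
            "local": opts.get("local", "0.0.0.0"),
            "remote": opts.get("remote", "0.0.0.0"),
            "okey": int(opts.get("okey", key), 0),
            "ikey": int(opts.get("ikey", key), 0)}


def check_vti(cmd, spd_dump, sad_dump):
    """Return mismatches between a VTI and the out policy/SA it has to hit; [] is good."""
    vti = parse_vti(cmd)
    sas = parse_sas(sad_dump)
    out = [p for p in parse_policies(spd_dump) if p.direction == "out" and p.mark == vti["okey"]]
    if not out:
        return [f"no out policy carries mark {vti['okey']} (okey of {vti['name']})"]
    problems = []
    for p in out:
        if vti["local"] != p.tmpl_src:
            problems.append(f"VTI local {vti['local']} != out tmpl src {p.tmpl_src}")
        if vti["remote"] != p.tmpl_dst:
            problems.append(f"VTI remote {vti['remote']} != out tmpl dst {p.tmpl_dst}")
        if not any(s.src == p.tmpl_src and s.dst == p.tmpl_dst and s.reqid == p.reqid
                   and s.mark == p.mark for s in sas):
            problems.append(f"no SA for {p.tmpl_src}->{p.tmpl_dst} reqid {p.reqid} mark {p.mark}")
    return problems


if __name__ == "__main__":
    for cmd in (VTI_BROKEN, VTI_WORKING):
        print(cmd)
        for line in check_vti(cmd, SPD_DUMP, SAD_DUMP) or ["ok"]:
            print("  " + line)
```

On a live box the same functions can be fed the output of `ip xfrm policy`, `ip xfrm state` and the tunnel definition; the check only covers the outbound side (okey and the out policy), which is the side whose failure shows up as the NoRoute/carrier errors in the thread's `ip -s tunnel` output.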


Re: [strongSwan] Isolate clients and force local network traffic to an interface

2017-11-29 Thread Loc Nguyen
Hi,

I have 3 interfaces:

WAN, where clients are connecting.

LAN/10.11.0.0/16, this is the network where clients get their IP addresses.

FILTER/eth2, where all client traffic is routed.

I have 2 clients, client 1 with IP 10.11.0.55 and client 2 with IP 10.11.0.56.

Here are the ip route and iptables rules:
ip rule add from 10.11.0.0/16 table FILTER
ip route add default dev eth2 table FILTER

When client 1 pings 8.8.8.8, I see the traffic go to the eth2 interface.

But when client 1 pings client 2, I don't see the traffic go to the eth2 interface.
How do I also force local network 10.11.0.0/16 traffic to the eth2 interface for
filtering?

Thanks,
Loc

From: Noel Kuntze
Sent: Wednesday, November 29, 2017 10:56 AM
To: Loc Nguyen; users@lists.strongswan.org
Subject: Re: [strongSwan] Isolate clients and force local network traffic to an
interface

Hi,

I can't tell what exactly you want. You can tell if traffic was protected with 
ipsec by using the iptables policy match module.
You can use a VTI[1], too.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

On 28.11.2017 20:37, Loc Nguyen wrote:
>
> Hi,
>
>  
>
> I create an IPsec network 10.11.0.0/16 and using dnsmasq to assign IP 
> addresses.
>
>  
>
> I am able to route all 10.11.0.0/16 network traffic to an interface. I would 
> also like to route local network 10.11.0.0/16 client-to-client traffic to that 
> interface.
>
>  
>
> I can use iptables FORWARD to block client to client. Instead of blocking I 
> want the traffic to the interface.
>
>  
>
> Thanks,
>




Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread bls s
Thanks. Here is `swanctl --stats` (after a service restart). Two charon_debug 
logfiles are attached, one with a successful connection (the userid in question at 
the end of the list) and one with a failed connection (the userid in question at 
the front of the list).



Xunil/var/log# swanctl --stats

uptime: 10 seconds, since Nov 29 11:11:07 2017

worker threads: 16 total, 11 idle, working: 4/0/1/0

job queues: 0/0/0/0

jobs scheduled: 0

IKE_SAs: 0 total, 0 half-open

mallinfo: sbrk 2564096, mmap 0, used 401792, free 2162304

loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md5 mgf1 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp 
dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr 
kernel-netlink resolve socket-default vici updown eap-identity eap-md5 
eap-mschapv2 eap-dynamic eap-tls xauth-generic

Xunil/var/log#





From: Noel Kuntze
Sent: Wednesday, November 29, 2017 10:31 AM
To: bls s; 
users@lists.strongswan.org
Subject: Re: [strongSwan] swanctl.conf EAP credential information



Hi,

Please provide a log file created with the logger configuration from the 
HelpRequests[1] page
and the output of `swanctl --stats`.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 29.11.2017 19:27, bls s wrote:
>
> Curiously, if eap-user1 is at the end of the list, it authenticates 
> correctly, but not if first or second in the list.
>
>
>
> *From: *bls s 
> *Sent: *Tuesday, November 28, 2017 4:43 PM
> *To: *users@lists.strongswan.org 
> *Subject: *[strongSwan] swanctl.conf EAP credential information
>
>
>
> I’m switching over from using IPsec.conf to charon-systemd. Everything is 
> working for the first user, but I have run into a strange issue (or a dumb 
> user error!) with the ‘secrets’ section when trying to implement multiple eap 
> passwords.
>
>
>
> If my secrets section has only one eap id/password in it, the client 
> authenticates correctly. But, if the secrets section has more than one eap 
> id/password in it, the MSCHAPv2 authentication fails.
>
>
>
> Here’s the failing configuration. If I remove the 2nd and 3rd entries, 
> user1 works correctly. However, using the full secrets section below, user1 
> fails to authenticate.
>
>
>
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
>         #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>         mobike = yes
>
>         local-1 {
>             certs = strongswanCert.pem
>             id = serverid1
>             auth = psk
>         }
>
>         remote-1 {
>             auth = eap-mschapv2
>             id = clientid1
>             eap_id = %any
>         }
>
>         children {
>             ikev2-eap-mschapv2 {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>                 #updown = /libexec/ipsec/_updown iptables
>             }
>         }
>     }
>     ikev2-pubkey {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>             certs = vpnHostCert.pem
>             id = server1
>         }
>
>         remote-1 {   # defaults are fine
>         }
>
>         children {
>             ikev2-pubkey {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>             }
>         }
>     }
> }
> pools {
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3, 8.8.8.8
>     }
> }
>
> secrets {
>     ike-psk {
>         secret=somepsk
>     }
>     eap-us...@mydomain.com {
>         id = us...@mydomain.com
>         secret=secret1
>     }
>     eap-us...@mydomain.com {
>         id = us...@mydomain.com
>         secret=secret2
>     }

Re: [strongSwan] Isolate clients and force local network traffic to an interface

2017-11-29 Thread Noel Kuntze
Hi,

I can't tell what exactly you want. You can tell if traffic was protected with 
ipsec by using the iptables policy match module.
You can use a VTI[1], too.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

On 28.11.2017 20:37, Loc Nguyen wrote:
>
> Hi,
>
>  
>
> I create an IPsec network 10.11.0.0/16 and using dnsmasq to assign IP 
> addresses.
>
>  
>
> I am able to route all 10.11.0.0/16 network traffic to an interface. I would 
> also like to route local network 10.11.0.0/16 client-to-client traffic to that 
> interface.
>
>  
>
> I can use iptables FORWARD to block client to client. Instead of blocking I 
> want the traffic to the interface.
>
>  
>
> Thanks,
>





Re: [strongSwan] "Require" vs "use" levels in StrongSwan-generated policies

2017-11-29 Thread Noel Kuntze
Hi,

That's not supported. You can maybe use 
connections.<conn>.children.<child>.policies to disable the installation of the 
policies and manage them outside of charon. IIRC there also was some patch set from 
somebody that implemented exactly what you ask.
I can't find it right now, though.

Kind regards

Noel

On 23.11.2017 20:23, Rich Lafferty wrote:
> Hello,
>
> I currently have a racoon-based full IPsec mesh (i.e., all of our 
> host-to-host traffic is encrypted using trap-based transport policies). 
> Racoon is long in the tooth, and so I’m in the process of planning a 
> migration to StrongSwan.
>
> One thing I foresee in the near future is a need to stop using IPsec between 
> some pairs of hosts in the mesh (specifically, within AWS VPCs).
>
> In our current configuration, I manage the SPD database outside of Racoon, 
> with policy entries like so:
>
> spdadd 192.168.100.101 192.168.100.102 any -P out ipsec esp/transport//require;
> spdadd 192.168.100.102 192.168.100.101 any -P in ipsec esp/transport//require;
>
> (Which get installed with refid 0, which from Racoon’s point of view is just 
> fine, as it doesn’t manage policies by refid).
>
> If I wanted to migrate those hosts to no longer require IPsec, I would first 
> update the policies one host at a time to be “esp/transport//use”, and 
> subsequently I could remove the policies one host at a time.
>
> From what I’ve been able to figure, StrongSwan-installed trap policies are 
> always at the “require” level, which would mean that migrating a pair of 
> hosts to no longer use an IPsec transport would require updating the 
> configuration of both hosts at the same time.
>
> So my question is: Is there a way to tell StrongSwan to generate its policies 
> at “use” level rather than “require” level, so I can do this sort of staged 
> deployment?
>
> I am using StrongSwan 5.5.1 as distributed by Ubuntu, with a 
> swanctl.conf-based configuration. A sample connection entry, in case it’s of 
> use:
>
> connections {
>     racoon-west {
>         version = 1
>         local { auth = psk }
>         remote { auth = psk }
>         proposals = aes128-sha256-modp3072
>         encap = yes
>
>         reauth_time=24h
>         over_time=0
>         rand_time=0
>
>         local_addrs = 192.168.100.101
>         remote_addrs = 192.168.100.102
>
>         children {
>             racoon-west {
>                 mode = transport
>                 start_action = trap
>                 esp_proposals = aes128-sha256-modp3072
>                 rekey_time = 8h
>                 life_time = 7h
>                 rand_time = 0
>             }
>         }
>     }
> }
>
> Thanks in advance for your help.
>
>   -Rich
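Rich's staged plan rests on one observation: a host whose policy is at the "require" level breaks as soon as its peer drops its policy, whereas "use" tolerates either a protected or a clear-text peer. The script below is an added example, not code from the thread or from strongSwan or racoon; it models the two levels from the `spdadd` lines above with a deliberately simple rule set (an SA is assumed to exist only while both ends still have a policy for the pair) and walks a migration plan one host at a time, reporting whether the pair can still talk after each step.

```python
# Levels a host can set for its transport policy toward a peer:
# "require" (setkey's esp/transport//require), "use", or None (no policy).
REQUIRE, USE, NONE = "require", "use", None


def can_send(sender_out, receiver_in):
    """Does a packet get through, given the sender's 'out' level and the
    receiver's 'in' level? Modelling assumption: an SA exists only while
    both ends still carry a policy for the pair, since the IKE daemons
    negotiate against the policies."""
    sa_available = sender_out is not None and receiver_in is not None
    if sender_out == REQUIRE and not sa_available:
        return False                 # sender refuses to send in the clear
    protected = sa_available         # 'use' and 'require' both use an existing SA
    if receiver_in == REQUIRE and not protected:
        return False                 # receiver drops the clear-text packet
    return True


def pair_ok(level_a, level_b):
    """Both directions must work; each host uses one level for in and out."""
    return can_send(level_a, level_b) and can_send(level_b, level_a)


def simulate(steps, start=(REQUIRE, REQUIRE)):
    """Apply (host, new_level) changes one at a time and record, after each
    step, the pair's levels and whether traffic still flows."""
    state = {"A": start[0], "B": start[1]}
    trace = []
    for host, level in steps:
        state[host] = level
        trace.append(((state["A"], state["B"]), pair_ok(state["A"], state["B"])))
    return trace


# The staged plan from the thread: relax one host at a time to 'use', then
# remove the policies one host at a time.
STAGED = [("A", USE), ("B", USE), ("A", NONE), ("B", NONE)]
# What require-only policies force on you: removing one host's policy while
# its peer still requires IPsec.
NAIVE = [("A", NONE), ("B", NONE)]

if __name__ == "__main__":
    for name, plan in (("staged", STAGED), ("naive", NAIVE)):
        for levels, ok in simulate(plan):
            print(f"{name:6} A={levels[0]!s:8} B={levels[1]!s:8} -> {'ok' if ok else 'BROKEN'}")
```

The naive plan shows the outage in its first step, which is exactly why the question of generating "use"-level policies (or, per Noel's reply, keeping policy installation outside charon) matters for a rolling migration.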





Re: [strongSwan] Using xfrm marks to select right tunnels based on uid

2017-11-29 Thread Noel Kuntze
Hi,

> I have set charon.install_routes = 0 to avoid installing default route to 
> route table 220, so I can actually setup the second tunnel.

Set it to "no".

> So it seems that the kernel's source address selection does not work 
> correctly in my case. I am able to workaround my troubles by specifying SNAT 
> rules like:
> [...]
> This got me thinking that the source ip selection probably happens sooner 
> than marking the packets.

It is exactly like that. Take a look at the flow graph for netfilter[1].

> So I tried  to insert my marking rules based on uid to OUTPUT chain of raw 
> table. When I did this, it did not help and moreover, even the case with 
> manual selection of source ip in curl stopped working.

I never used the uid PBR selector, so I can't tell you if some parts of it are 
broken - or not. Keep it simple and/or test other kernels. Maybe you need to 
disable the return path filter (rp_filter setting for the interface, all or 
default).

You could work around the problem by putting the processes in cgroups, setting 
the mark in the application's socket (maybe using some LD_PRELOAD hack) or 
something else.
If you use cgroups, you again need marking rules.

Kind regards

Noel

[1] inai.de/images/nf-packet-flow.png


On 28.11.2017 07:55, Jiri Horky wrote:
> Hi list,
>
> I am wondering if it is possible to create ~1000 of tunnels from a single 
> linux machine for testing purposes and route the traffic based on UID of the 
> processes. I was trying to do PoC with just two tunnels  using the following 
> setup:
>
> strongswan-5.5.3, kernel 4.12.5-gentoo
>
> hotgeorge horky # cat /etc/ipsec.conf
> conn node13
>   auto=add
>   type=tunnel
>   keyexchange=ikev2
>   ike=aes256-sha1-modp1024!
>   esp=aes256-sha1-noesn!
>   left=%defaultroute
>   leftid="SomeID"
>   leftsourceip=%config4
>   right=node13
>   rightid=myrightid
>   rightsubnet=0.0.0.0/0 
>   authby=psk
>   mark_out=13
>   leftupdown=/usr/bin/sudo -E /etc/ipsec_mark_updown
>
> conn node14
>   auto=add
>   type=tunnel
>   keyexchange=ikev2
>   ike=aes256-sha1-modp1024!
>   esp=aes256-sha1-noesn!
>   left=%defaultroute
>   leftid="SomeID"
>   leftsourceip=%config4
>   right=node14
>   rightid=myrightid
>   rightsubnet=0.0.0.0/0 
>   authby=psk
>   mark_out=14
>   leftupdown=/usr/bin/sudo -E /etc/ipsec_mark_updown
>
> I have set charon.install_routes = 0 to avoid installing default route to 
> route table 220, so I can actually setup the second tunnel.
>
> I use following static iptables rules to mark the traffic based on UID:
> iptables -t mangle -A OUTPUT -m owner --uid 1013 -j MARK --set-xmark 0xd/0x
> iptables -t mangle -A OUTPUT -m owner --uid 1014 -j MARK --set-xmark 0xe/0x
>
> The interesting content of /etc/ipsec_mark_updown script is the following:
> MY_DEFAULT_GW=10.7.65.1
> case $PLUTO_CONNECTION in
>   *node13*)
>     MARK=13
>     ;;
>   *node14*)
>     MARK=14
>     ;;
> esac
>
> ROUTE_TABLE=$((1000+MARK))
>
> case $PLUTO_VERB in
>   up-client)
>     ip route flush table $ROUTE_TABLE
>     ip rule del fwmark $MARK table $ROUTE_TABLE 2>/dev/null
>     ip rule add priority 10 fwmark $MARK table $ROUTE_TABLE
>     ip route add default via $MY_DEFAULT_GW proto static src $PLUTO_MY_SOURCEIP table $ROUTE_TABLE
>     ;;
>
> Now, if I fire up the two tunnels:
> ipsec up node13
> ipsec up node14
>
> I have the following routing rules:
> hotgeorge horky # ip rule list
> 0:from all lookup local 
> 10:from all fwmark 0xd lookup 1013 
> 10:from all fwmark 0xe lookup 1014 
> 220:from all lookup 220 
> 32766:from all lookup main 
> 32767:from all lookup default 
>
> And following routing table:
> hotgeorge horky # ip route list table 1013
> default via 10.7.65.1 dev wlo1  proto static  src 100.111.0.91 
> hotgeorge horky # ip route list table 1014
> default via 10.7.65.1 dev wlo1  proto static  src 100.111.0.167 
> hotgeorge horky # ip route list table 220
>
> Where table 220 is empty.
>
> The trouble is that if I execute curl under user test_1013 (with uid 1013), it 
> times out on sending a DNS query:
> su test_1013 -c "curl http://ip-info.ff.avast.com/v1/info;
>
> When I manually specify the source address, it works:
>
> su test_1013 -c "curl http://ipv4bot.whatismyipaddress.com --interface 
> 100.111.0.91 --dns-ipv4-addr 100.111.0.91"; echo
> 77.234.40.153
>
> su test_1014 -c "curl http://ipv4bot.whatismyipaddress.com --interface 
> 100.111.0.167 --dns-ipv4-addr 100.111.0.167"; echo
> 77.234.40.182
>
> So it seems that the kernel's source address selection does not work 
> correctly in my case. I am able to workaround my troubles by specifying SNAT 
> rules like:
>
> iptables -t nat -A POSTROUTING -m mark --mark $MARK ! -s $PLUTO_MY_SOURCEIP 
> -j SNAT --to-source $PLUTO_MY_SOURCEIP
>
> But I would like to avoid doing that.
>
> Could you please enlighten me what I am doing wrong? It seems that if I let 
> strongSwan install the routes to the table 220 (without any restrictions to 
> marks), the 
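Both this thread and Loc's question above come down to how the kernel walks the policy-routing rules, and, for locally generated traffic, when the source address gets fixed relative to the mangle OUTPUT mark. The script below is an added example, not code from either thread or from strongSwan: a small model of `ip rule` / `ip route` lookup with `from` and `fwmark` selectors, plus the local-output sequence Noel confirms (route once unmarked, which picks the source; mark in mangle OUTPUT; re-route with the mark but keep the source). Rules and tables are constructed from the two threads; the wlo1 address 10.7.65.50 and the per-client routes in table 220 (the routes charon installs for assigned virtual IPs by default) are assumptions, since neither thread shows them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dst: str                    # prefix or "default"
    dev: str
    src: Optional[str] = None   # preferred source ('ip route add ... src X')


@dataclass
class Rule:
    priority: int
    table: str
    frm: Optional[str] = None   # 'from <prefix>' selector
    fwmark: Optional[int] = None


def route_lookup(rules, tables, dst, src=None, mark=0):
    """Walk rules by priority; return (table, route) from the first table that
    holds a matching route (longest prefix inside that table)."""
    daddr = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.frm is not None and (
                src is None or ipaddress.ip_address(src) not in ipaddress.ip_network(rule.frm)):
            continue
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        best = None
        for route in tables.get(rule.table, []):
            net = ipaddress.ip_network("0.0.0.0/0" if route.dst == "default" else route.dst)
            if daddr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route)
        if best is not None:
            return rule.table, best[1]
    return None, None


# Loc's setup. The FILTER rule was added without a priority, so it sits at
# 32765, below table 220's rule. Table 220 contents are an assumption.
LOC_RULES = [Rule(0, "local"), Rule(220, "220"),
             Rule(32765, "FILTER", frm="10.11.0.0/16"), Rule(32766, "main")]
LOC_TABLES = {"220": [Route("10.11.0.55/32", "eth0"), Route("10.11.0.56/32", "eth0")],
              "FILTER": [Route("default", "eth2")],
              "main": [Route("default", "eth0")]}


def forward_dev(src, dst):
    """Forwarded packet: source is known, so 'from' rules can match."""
    table, route = route_lookup(LOC_RULES, LOC_TABLES, dst, src=src)
    return table, route.dev


# Jiri's setup: fwmark rules to per-tunnel tables, table 220 empty. The main
# table's source 10.7.65.50 is a constructed stand-in for the wlo1 address.
MARK_BY_UID = {1013: 13, 1014: 14}
VIRTUAL_IP = {13: "100.111.0.91", 14: "100.111.0.167"}   # PLUTO_MY_SOURCEIP per tunnel
JIRI_RULES = [Rule(0, "local"), Rule(10, "1013", fwmark=13), Rule(10, "1014", fwmark=14),
              Rule(220, "220"), Rule(32766, "main")]
JIRI_TABLES = {"1013": [Route("default", "wlo1", src="100.111.0.91")],
               "1014": [Route("default", "wlo1", src="100.111.0.167")],
               "220": [],
               "main": [Route("default", "wlo1", src="10.7.65.50")]}


def local_send(dst, uid, bound_src=None, snat=False):
    """Locally generated packet: the first lookup (mark still 0) fixes the
    source; mangle OUTPUT then sets the mark and the kernel re-routes but
    keeps that source. snat=True models the POSTROUTING SNAT workaround."""
    _, first = route_lookup(JIRI_RULES, JIRI_TABLES, dst, src=bound_src, mark=0)
    src = bound_src or first.src
    mark = MARK_BY_UID.get(uid, 0)
    table, route = route_lookup(JIRI_RULES, JIRI_TABLES, dst, src=src, mark=mark)
    if snat and mark in VIRTUAL_IP and src != VIRTUAL_IP[mark]:
        src = VIRTUAL_IP[mark]
    return {"src": src, "table": table, "dev": route.dev,
            "matches_tunnel": VIRTUAL_IP.get(mark) == src}


if __name__ == "__main__":
    print("client1 -> 8.8.8.8   :", forward_dev("10.11.0.55", "8.8.8.8"))
    print("client1 -> client2   :", forward_dev("10.11.0.55", "10.11.0.56"))
    print("uid 1013, plain      :", local_send("8.8.8.8", 1013))
    print("uid 1013, --interface:", local_send("8.8.8.8", 1013, bound_src="100.111.0.91"))
    print("uid 1013, SNAT       :", local_send("8.8.8.8", 1013, snat=True))
```

The three `local_send` cases reproduce the thread: unbound traffic leaves with the main table's source even though the re-route lands in table 1013, binding the source with `--interface` fixes it, and the SNAT rule rewrites the source after the fact. For Loc's case the model shows why a `from` rule at the default priority never sees client-to-client traffic if an earlier table already has a matching route.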

Re: [strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Noel Kuntze
Hi,

Please follow the RouteBasedVPN article[1] to the letter and keep your routes 
in the main routing table
to keep it simple. As soon as you have a working setup, THEN you can start 
making changes.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN


On 29.11.2017 09:16, Naveen Neelakanta wrote:
> Hi All,
>
> Need some guidance and help in getting the traffic routed via the VTI
> (ipsec0) interface. I am using the VTI interface just to mark the
> traffic and forward it.
>
> I am not able to get the traffic forwarded via the VTI (ipsec0) interface
> and marked, so that it gets protected.
>
> I have the IPsec tunnel up between the two devices. I see traffic sent
> from the client interface reaching the VTI interface; however, it is not
> getting forwarded to eth3, so that it gets protected.
>
>
> Unix Device1:
>
>
> eth3<— ipsec0 ( vti )<———vzsi
>
>
> 10.24.18.209   10.24.18.36   10.24.18.203
>
>
>
> Routing rules on the device :
>
>
> ip tunnel add ipsec0 local 10.24.18.36 remote 0.0.0.0 mode vti okey 32 ikey 32
>
> ip link set ipsec0 up
>
> ip route add default dev ipsec0 table zs-flow-table-inet
>
> echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_policy
>
> echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm
>
> echo 300 zs-flow-table-inet >> /etc/iproute2/rt_tables
>
>
>
> ip rule add iif vzsi-p table zs-flow-table-inet
>
>
> ip route add default dev ipsec0 table zs-flow-table-inet
>
> ip rule add iif ipsec0 table internet-eth3
>
> ip rule add oif ipsec0 table internet-eth3
>
> # ip route show table internet-eth3
>
>
>   default via 10.24.18.210 dev eth3
>
>
> The ipsec policy and sa config is present
>
> SPD entry :
>
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>
> dir fwd priority 3075
>
> mark 32/0x
>
> tmpl src 10.24.18.35 dst 10.24.18.209
>
> proto esp reqid 1 mode tunnel
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>
> dir in priority 3075
>
> mark 32/0x
>
> tmpl src 10.24.18.35 dst 10.24.18.209
>
> proto esp reqid 1 mode tunnel
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>
> dir out priority 3075
>
> mark 32/0x
>
> tmpl src 10.24.18.209 dst 10.24.18.35
>
>  proto esp reqid 1 mode tunnel
>
> SADB:
>
> src 10.24.18.209 dst 10.24.18.35
>
> proto esp spi 0xcfe2aa19 reqid 1 mode tunnel
>
> replay-window 32 flag af-unspec
>
> mark 32/0x
>
> auth-trunc hmac(md5) 0x830c26f2a8fdaa2a1d6f82c9663f0bf3 96
>
> enc ecb(cipher_null)
>
> src 10.24.18.35 dst 10.24.18.209
>
> proto esp spi 0xc377e262 reqid 1 mode tunnel
>
> replay-window 32 flag af-unspec
>
> mark 32/0x
>
> auth-trunc hmac(md5) 0x99f7adff411b87cb04a652469b6132fd 96
>
> enc ecb(cipher_null)
>
> Issue:
>
> #ip -s tunnel s ipsec0
>
> ipsec0: ip/ip  remote any  local 10.24.18.36  ttl inherit  key 32
>
> RX: Packets  Bytes  Errors  CsumErrs  OutOfSeq  Mcasts
>     0        0      0       0         0         0
>
> TX: Packets  Bytes  Errors  DeadLoop  NoRoute   NoBufs
>     0        0      32      0         32        0
>
> I see the traffic on the ipsec0 interface
>
> #tcpdump -ni ipsec0
>
> listening on ipsec0, link-type RAW (Raw IP), capture size 65535 bytes
>
> 02:18:03.237031 IP 10.24.18.203.52554 > 10.24.18.35.: Flags [S],
> seq 3484231614, win 29200, options [mss 1460,sackOK,TS val 4061593203
> ecr 0,nop,wscale 7], length 0
>
> # ifconfig ipsec0
>
>   ipsec0    Link encap:IPIP Tunnel  HWaddr
>
>   UP RUNNING NOARP  MTU:1500  Metric:1
>
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>
>   TX packets:0 errors:32 dropped:0 overruns:0 carrier:32
>
>   collisions:0 txqueuelen:0
>
>   RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
> Thanks,
>
> Naveen





Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread Noel Kuntze
Hi,

Please provide a log file created with the logger configuration from the 
HelpRequests[1] page
and the output of `swanctl --stats`.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 29.11.2017 19:27, bls s wrote:
>
> Curiously, if eap-user1 is at the end of the list, it authenticates 
> correctly, but not if first or second in the list.
>
>  
>
> *From: *bls s 
> *Sent: *Tuesday, November 28, 2017 4:43 PM
> *To: *users@lists.strongswan.org 
> *Subject: *[strongSwan] swanctl.conf EAP credential information
>
>  
>
> I’m switching over from using IPsec.conf to charon-systemd. Everything is 
> working for the first user, but I have run into a strange issue (or a dumb 
> user error!) with the ‘secrets’ section when trying to implement multiple eap 
> passwords.
>
>  
>
> If my secrets section has only one eap id/password in it, the client 
> authenticates correctly. But, if the secrets section has more than one eap 
> id/password in it, the MSCHAPv2 authentication fails.
>
>  
>
> Here’s the failing configuration. If I remove the 2nd and 3rd entries, 
> user1 works correctly. However, using the full secrets section below, user1 
> fails to authenticate.
>
>  
>
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
>         #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>         mobike = yes
>
>         local-1 {
>             certs = strongswanCert.pem
>             id = serverid1
>             auth = psk
>         }
>
>         remote-1 {
>             auth = eap-mschapv2
>             id = clientid1
>             eap_id = %any
>         }
>
>         children {
>             ikev2-eap-mschapv2 {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>                 #updown = /libexec/ipsec/_updown iptables
>             }
>         }
>     }
>     ikev2-pubkey {
>         version = 2
>         proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>         rekey_time = 0s
>         pools = primary-pool-ipv4
>         fragmentation = yes
>         dpd_delay = 30s
>
>         local-1 {
>             certs = vpnHostCert.pem
>             id = server1
>         }
>
>         remote-1 {   # defaults are fine
>         }
>
>         children {
>             ikev2-pubkey {
>                 local_ts = 0.0.0.0/0
>                 rekey_time = 0s
>                 dpd_action = clear
>                 esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
>             }
>         }
>     }
> }
> pools {
>     primary-pool-ipv4 {
>         addrs = 10.92.10.0/24
>         dns = 192.168.92.3, 8.8.8.8
>     }
> }
>
> secrets {
>     ike-psk {
>         secret=somepsk
>     }
>     eap-us...@mydomain.com {
>         id = us...@mydomain.com
>         secret=secret1
>     }
>     eap-us...@mydomain.com {
>         id = us...@mydomain.com
>         secret=secret2
>     }
>     eap-us...@mydomain.com {
>         id = us...@mydomain.com
>         secret=secret3
>     }
>




Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread bls s
Curiously, if eap-user1 is at the end of the list, it authenticates correctly, 
but not if first or second in the list.

From: bls s
Sent: Tuesday, November 28, 2017 4:43 PM
To: users@lists.strongswan.org
Subject: [strongSwan] swanctl.conf EAP credential information

I’m switching over from using IPsec.conf to charon-systemd. Everything is 
working for the first user, but I have run into a strange issue (or a dumb user 
error!) with the ‘secrets’ section when trying to implement multiple eap 
passwords.

If my secrets section has only one eap id/password in it, the client 
authenticates correctly. But, if the secrets section has more than one eap 
id/password in it, the MSCHAPv2 authentication fails.

Here’s the failing configuration. If I remove the 2nd and 3rd entries, user1 
works correctly. However, using the full secrets section below, user1 fails to 
authenticate.

connections {
    ikev2-eap-mschapv2 {
        version = 2
        #proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        mobike = yes

        local-1 {
            certs = strongswanCert.pem
            id = serverid1
            auth = psk
        }

        remote-1 {
            auth = eap-mschapv2
            id = clientid1
            eap_id = %any
        }

        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                #esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
                #updown = /libexec/ipsec/_updown iptables
            }
        }
    }
    ikev2-pubkey {
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s

        local-1 {
            certs = vpnHostCert.pem
            id = server1
        }

        remote-1 {   # defaults are fine
        }

        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
            }
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 10.92.10.0/24
        dns = 192.168.92.3, 8.8.8.8
    }
}

secrets {
    ike-psk {
        secret=somepsk
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret=secret1
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret=secret2
    }
    eap-us...@mydomain.com {
        id = us...@mydomain.com
        secret=secret3
    }




Re: [strongSwan] Lots of reconnections for a rekey/reauth, and packet drops

2017-11-29 Thread Hoggins!
Hello Noel,

Thanks for these insights!

On 28/11/2017 at 23:30, Noel Kuntze wrote:
> Hi,
>
>> Nov 28 16:52:29 yomama charon: 06[KNL] creating delete job for
>> CHILD_SA ESP/0xc4bd0735/192.168.1.72
>> Nov 28 16:52:29 yomama charon: 06[JOB] CHILD_SA
>> ESP/0xc4bd0735/192.168.1.72 not found for delete
> Whatever causes these problems is your root cause and needs to be fixed.
I had indeed narrowed down my attention on this, but I couldn't find any
literature or example of other people experiencing this, so I'm kinda
stuck because I don't know why this happens, although I'm aware that
this "needs to be fixed" :)
>
>> Nov 28 16:52:29 yomama charon: 10[CHD] updown: /bin/sh: ipsec:
>> command not found
> Also, what are you doing in the updown script?
Absolutely nothing, I don't have an updown script (or didn't define
any); my guess is that what's happening here is this:
https://wiki.strongswan.org/issues/745. My strongSwan installation is in
/usr/local, that would explain it, right?
>
>> Nov 28 16:52:29 yomama charon: 05[IKE] received DELETE for IKE_SA
>> net-net[6]
> What are the logs on the other side?
> I guess this all happens because the two sides disagree in what IKE_SA and 
> CHILD_SA to use.
Yes, that's my guess too, but I can't figure out why considering my
ipsec.conf. And oh by the way I upgraded StrongSwan on NODE 1 and now
they're both 5.6.x.
Just happened again (it does it at every reauth interval); here are the
logs for both nodes:
NODE 1 : https://pastebin.com/hYWL9dBy
NODE 2 : https://pastebin.com/NDbj8MRQ
>
> Kind regards
>
> Noel






[strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Naveen Neelakanta
Hi All,

Need some guidance and help in getting the traffic routed via the VTI
(ipsec0) interface. I am using the VTI interface just to mark the
traffic and forward it.

I am not able to get the traffic forwarded via the VTI (ipsec0) interface
and marked, so that it gets protected.

I have the IPsec tunnel up between the two devices. I see traffic sent
from the client interface reaching the VTI interface; however, it is not
getting forwarded to eth3, so that it gets protected.


Unix Device1:


eth3<— ipsec0 ( vti )<———vzsi


10.24.18.209   10.24.18.36   10.24.18.203



Routing rules on the device :


ip tunnel add ipsec0 local 10.24.18.36 remote 0.0.0.0 mode vti okey 32 ikey 32

ip link set ipsec0 up

ip route add default dev ipsec0 table zs-flow-table-inet

echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_policy

echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm

echo 300 zs-flow-table-inet >> /etc/iproute2/rt_tables



ip rule add iif vzsi-p table zs-flow-table-inet


ip route add default dev ipsec0 table zs-flow-table-inet

ip rule add iif ipsec0 table internet-eth3

ip rule add oif ipsec0 table internet-eth3

# ip route show table internet-eth3


  default via 10.24.18.210 dev eth3


The ipsec policy and sa config is present

SPD entry :


src 0.0.0.0/0 dst 0.0.0.0/0

dir fwd priority 3075

mark 32/0x

tmpl src 10.24.18.35 dst 10.24.18.209

proto esp reqid 1 mode tunnel

src 0.0.0.0/0 dst 0.0.0.0/0

dir in priority 3075

mark 32/0x

tmpl src 10.24.18.35 dst 10.24.18.209

proto esp reqid 1 mode tunnel

src 0.0.0.0/0 dst 0.0.0.0/0

dir out priority 3075

mark 32/0x

tmpl src 10.24.18.209 dst 10.24.18.35

 proto esp reqid 1 mode tunnel

SADB:

src 10.24.18.209 dst 10.24.18.35

proto esp spi 0xcfe2aa19 reqid 1 mode tunnel

replay-window 32 flag af-unspec

mark 32/0x

auth-trunc hmac(md5) 0x830c26f2a8fdaa2a1d6f82c9663f0bf3 96

enc ecb(cipher_null)

src 10.24.18.35 dst 10.24.18.209

proto esp spi 0xc377e262 reqid 1 mode tunnel

replay-window 32 flag af-unspec

mark 32/0x

auth-trunc hmac(md5) 0x99f7adff411b87cb04a652469b6132fd 96

enc ecb(cipher_null)

Issue:

#ip -s tunnel s ipsec0

ipsec0: ip/ip  remote any  local 10.24.18.36  ttl inherit  key 32

RX: Packets  Bytes  Errors  CsumErrs  OutOfSeq  Mcasts
    0        0      0       0         0         0

TX: Packets  Bytes  Errors  DeadLoop  NoRoute   NoBufs
    0        0      32      0         32        0

I see the traffic on the ipsec0 interface

#tcpdump -ni ipsec0

listening on ipsec0, link-type RAW (Raw IP), capture size 65535 bytes

02:18:03.237031 IP 10.24.18.203.52554 > 10.24.18.35.: Flags [S],
seq 3484231614, win 29200, options [mss 1460,sackOK,TS val 4061593203
ecr 0,nop,wscale 7], length 0

# ifconfig ipsec0

  ipsec0    Link encap:IPIP Tunnel  HWaddr

  UP RUNNING NOARP  MTU:1500  Metric:1

  RX packets:0 errors:0 dropped:0 overruns:0 frame:0

  TX packets:0 errors:32 dropped:0 overruns:0 carrier:32

  collisions:0 txqueuelen:0

  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Thanks,

Naveen