Re: [strongSwan] Users Digest, Vol 96, Issue 2

2018-01-03 Thread Noel Kuntze
It's not.

Local and remote authentication always default to pubkey. Specifying PSK 
authentication for one side does not imply that the other side uses it as well.

On 03.01.2018 06:00, Glen Huang wrote:
> Thanks for the help and happy new year.
>
> IIUC, ipsec.conf is used by starter, but I execute charon directly and then 
> use swanctl to load swanctl.conf. So I’m not sure if ipsec.conf is relevant 
> here. The secret is specified in swanctl.conf already, I’m also not sure if 
> ipsec.secret is consulted since it’s also only used by starter.
>
> Regards
> Glen
>
>> On 3 Jan 2018, at 10:23 AM, Quaker wrote:
>>
>> 1. peer config is related to ipsec.conf
>> 2. As your log shows, AUTH_FAILED might also be caused by ipsec.conf; when you 
>> have finished ipsec.conf, you should configure ipsec.secrets as well
>>
>>
>> Regards
>> Quaker
>>
>> On Tue, Jan 2, 2018 at 7:00 PM, wrote:
>>
>> Today's Topics:
>>
>>    1. Help needed for a basic swanctl config (Glen Huang)
>>
>>
>> --
>>
>> Message: 1
>> Date: Tue, 2 Jan 2018 18:54:27 +0800
>> From: Glen Huang
>> To: users@lists.strongswan.org
>> Subject: [strongSwan] Help needed for a basic swanctl config
>> Message-ID:
>> Content-Type: text/plain; charset=utf-8
>>
>> Hi,
>>
>> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>>
>> I have this very simple config:
>>
>> connections {
>>     ios {
>>         version = 2
>>         pools = ios_pool
>>         remote {
>>             id = foobar
>>             auth = psk
>>         }
>>     }
>> }
>>
>> pools {
>>    ios_pool {
>>       addrs = 192.168.37.0/24 
>>       dns = 8.8.8.8
>>    }
>> }
>>
>> secrets {
>>    ike-ios {
>>       secret = abc
>>    }
>> }
>>
>> But when I connect from an iOS client using the following connection 
>> settings:
>>
>> Remote ID: foobar
>> Local ID: [empty]
>> Authentication Settings: None
>> Shared Secret: abc
>>
>> It fails to connect, and the log shows it fails at a pretty early stage:
>>
>> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) 
>> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> 12[IKE] 2.2.2.2 is initiating an IKE_SA
>> 12[IKE] remote host is behind NAT
>> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
>> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
>> N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
>> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) 
>> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> 15[IKE] received retransmit of request with ID 0, retransmitting response
>> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
>> 05[ENC] unknown attribute type (25)
>> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) 
>> IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) 
>> N(NON_FIRST_FRAG) SA TSi TSr ]
>> 05[CFG] looking for peer configs matching 
>> 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
>> 05[CFG] no matching peer config found
>> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC 
>> padding
>> 05[IKE] peer supports MOBIKE
>> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>>
>> I’m trying to have a firm grasp of strongswan (I have some basic 
>> understanding of ikev2 & IPsec), so a few questions:
>>
>> 1. What constitutes a "peer config” in swanctl.conf?
>> 2. The AUTH_FAILED m
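Applied to the log Glen posted, as an added example that is not from the thread: the client's "Remote ID: foobar" arrives as the server's identity (the log shows 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]), so foobar belongs under local, and, per Noel's point, both local and remote need auth = psk because each defaults to pubkey on its own (hence the CERTREQ in the IKE_SA_INIT response). The children section is my assumption, since the original config had none.

```conf
connections {
    ios {
        version = 2
        pools = ios_pool
        # The client's "Remote ID: foobar" is the identity it expects from the
        # server (IDr), so it is this side's local id, not a remote constraint.
        local {
            id = foobar
            # Without this line the server would still offer certificate
            # authentication (the CERTREQ in the log) and the match would fail.
            auth = psk
        }
        # With "Local ID" left empty the client identifies itself by its own
        # address (192.168.1.251 in the log), so no remote id is pinned here.
        # Any peer that knows the PSK can therefore match this config.
        remote {
            auth = psk
        }
        # Assumed: the original post had no children section, but a CHILD_SA
        # is needed for the client to route traffic through the tunnel.
        children {
            ios {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    # An IKE secret without an id entry is offered to every peer; "abc" is
    # the placeholder from the original post, not a value to deploy.
    ike-ios {
        secret = abc
    }
}
```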

[strongSwan] Unspecified dns added when using swanctl

2018-01-03 Thread Glen Huang
Hi,

I have this simple swanctl.conf

connections {
    vpn {
        version = 2
        pools = ios_pool
        local-psk {
            auth = psk
        }
        local-pubkey {
            auth = pubkey
            pubkeys = vpn.pem
        }
        children {
            home {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8,8.8.4.4
    }
}

secrets {
    ike-ios {
        secret = aaa
    }
}

I expect a connected client to have 8.8.8.8 and 8.8.4.4 as dns, but it actually 
also contains 127.0.0.1 in addition to the two. I wonder if it’s by design? How 
can I ask charon not to send the unspecified 127.0.0.1 dns?

Regards
Glen



Re: [strongSwan] Unspecified dns added when using swanctl

2018-01-03 Thread Noel Kuntze
Hi,

It doesn't do that. That's caused by something else.
How do you test this?

Kind regards

Noel

On 03.01.2018 14:53, Glen Huang wrote:
> Hi,
>
> I have this simple swanctl.conf
>
> connections {
>     vpn {
>         version = 2
>         pools = ios_pool
>         local-psk {
>             auth = psk
>         }
>         local-pubkey {
>             auth = pubkey
>             pubkeys = vpn.pem
>         }
>         children {
>             home {
>                 local_ts = 0.0.0.0/0
>             }
>         }
>     }
> }
>
> pools {
>     ios_pool {
>         addrs = 192.168.37.0/24
>         dns = 8.8.8.8,8.8.4.4
>     }
> }
>
> secrets {
>     ike-ios {
>         secret = aaa
>     }
> }
>
> I expect a connected client to have 8.8.8.8 and 8.8.4.4 as dns, but it 
> actually also contains 127.0.0.1 in addition to the two. I wonder if it’s by 
> design? How can I ask charon not to send the unspecified 127.0.0.1 dns?
>
> Regards
> Glen
>





Re: [strongSwan] Unspecified dns added when using swanctl

2018-01-03 Thread Glen Huang
Your reply reminded me that I added a dns to strongswan.conf. After removing 
it, it’s gone.

Thank you very much and happy new year.

> On 3 Jan 2018, at 9:55 PM, Noel Kuntze 
>  wrote:
> 
> Hi,
> 
> It doesn't do that. That's caused by something else.
> How do you test this?
> 
> Kind regards
> 
> Noel
> 
> On 03.01.2018 14:53, Glen Huang wrote:
>> Hi,
>> 
>> I have this simple swanctl.conf
>> 
>> connections {
>>     vpn {
>>         version = 2
>>         pools = ios_pool
>>         local-psk {
>>             auth = psk
>>         }
>>         local-pubkey {
>>             auth = pubkey
>>             pubkeys = vpn.pem
>>         }
>>         children {
>>             home {
>>                 local_ts = 0.0.0.0/0
>>             }
>>         }
>>     }
>> }
>>
>> pools {
>>     ios_pool {
>>         addrs = 192.168.37.0/24
>>         dns = 8.8.8.8,8.8.4.4
>>     }
>> }
>>
>> secrets {
>>     ike-ios {
>>         secret = aaa
>>     }
>> }
>> 
>> I expect a connected client to have 8.8.8.8 and 8.8.4.4 as dns, but it 
>> actually also contains 127.0.0.1 in addition to the two. I wonder if it’s by 
>> design? How can I ask charon not to send the unspecified 127.0.0.1 dns?
>> 
>> Regards
>> Glen
>> 
> 



[strongSwan] CRL validation failing

2018-01-03 Thread Matthew Winnett
I am running 5.6.1 and trying to establish a site-to-site VPN to an F5
BIG-IP using IKEv2 and certificates. The tunnel works OK with PSK, but when
using certificates I get the following in the log:

11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech,
O=f5, OU=es, CN=moriarty_k-server_1.winnett.gb"
11[CFG]   fetching crl from
'file:///usr/local/etc/swanctl/x509crl/ca-cacert.crl' ...
11[CFG] issuer of fetched CRL 'C=gb, ST=anglesey, L=benllech, O=f5, OU=es,
CN=moriarty_k-Root_CA.winnett.gb' does not match CRL issuer
'0e:db:41:37:bb:8c:b8:1c:de:9b:35:31:de:4d:6b:67:5a:02:57:22'

I found a previous thread indicating that the "CRL must contain an
authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
issuer", which I now have ...

$ openssl crl -in ca-cacert.crl -noout -text | grep -E "CRL extensions:" -A 4
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
DirName:/C=gb/ST=anglesey/L=benllech/O=f5/OU=es/CN=moriarty_k-Root_CA.winnett.gb
serial:5A:4D:03:09

$ openssl x509 -in ca-cacert.pem -text | grep -E "X509v3 extensions:" -A 6
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
X509v3 Authority Key Identifier:
keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22

Any idea what is wrong?

Many thanks ...

Matthew


[strongSwan] Strongswan equivalent of openvpn push-peer-info

2018-01-03 Thread flyingrhino

Hi,

Do we have an equivalent of the --push-peer-info command that openvpn 
has?
Of most interest to me is the initiator pushing environment values to 
the responder when it connects so that I can program the up/down script 
to act upon this information.


Here are the useful bits from the openvpn man page:
  Push additional information about the client to server.
  UV_= -- client environment variables whose names start 
with "UV_"


Thanks.



Re: [strongSwan] Strongswan equivalent of openvpn push-peer-info

2018-01-03 Thread Noel Kuntze
Hi,

You do that on the responder side via the attr/attr-sql plugins (possibly by 
using `ipsec pool`, too).
On the initiator side, you need a plugin for charon to process the custom 
attributes. They aren't available in the updown script.

Kind regards

Noel

On 03.01.2018 22:51, flyingrhino wrote:
> Hi,
>
> Do we have an equivalent of the --push-peer-info command that openvpn has?
> Of most interest to me is the initiator pushing environment values to the 
> responder when it connects so that I can program the up/down script to act 
> upon this information.
>
> Here are the useful bits from the openvpn man page:
>   Push additional information about the client to server.
>   UV_= -- client environment variables whose names start with 
> "UV_"
>
> Thanks.
>





Re: [strongSwan] OpenWRT. IPSec server

2018-01-03 Thread Noel Kuntze
Hi,

Only on the responder.
If you use dpd and enforce UDP encapsulation, you do not need to open any ports 
on the initiator side.
Refer to the UsableExamples wiki page[1] for example configurations that are 
usable in the real world.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:
> Hi All,
>
>
> We want to implement strongSwan, with IPsec, in OpenWrt. The IPsec server will be 
> running on CentOS and the OpenWrt router will connect to it using VPN. I have 
> configured the server part and am struggling to configure the client part. Do we 
> need to open port 4500 for this first?
>
> Can anyone suggest a solution for this?





Re: [strongSwan] duplicate IPSec SAs

2018-01-03 Thread Noel Kuntze
Hi,

Please provide the output of `ipsec statusall` and logs that show the issue.

Kind regards

Noel

On 02.01.2018 16:36, Jeff wrote:
> My ikev2 VPNs are accumulating duplicate IPSec SAs.
>
> Here are some of my high level requirements:
> * "star" architecture: single central responder, multiple initiators.
> * Initiators may have dynamic or NAT'ed IPs.
> * Exactly one VPN between responder and each initiator.
> * Each VPN is "always up" to allow access from responder to any
> initiator at any time.
> * Periodic IKEv2 reauthentication is required to enforce X.509 CRLs.
> * Small outages during rekey, reauth are permissible.
>
> My config:
> responder: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM. Config 
> attached.
> initiators: CentOS Linux strongswan-5.5.3-1.el7.x86_64 EPEL RPM.
> Config attached.
>
> The issue: As time passes, I see multiple IPsec SAs accumulate between
> responder and some initiators.
>
> Question: How to configure for exactly one VPN between responder and
> each initiator?
>
> I suspect that adding a combination of
> connections..unique
>     and
> charon.make_before_break
>
> settings will fix my issue. Currently I am using the default values for each.
>
> Advice on a config change to fix duplicate IPSec SAs is requested.
>
>
> thanks,
> Jeff





Re: [strongSwan] How to use sqlcounter to disconnect a user after reaching the daily quota?

2018-01-03 Thread Noel Kuntze
Hi,

That's a freeRadius problem, too. Please take it to its community.

Kind regards

Noel

On 25.12.2017 18:45, Houman wrote:
> Hello & Merry Christmas.
>
>
> I have managed to enable accounting after all and it seems that the module 
> sqlcounter is loaded too.
>
> Looking at the documentation here
>
> The rlm_counter module provides a general framework to measure total data 
> transferred in a given period. This is very useful in a 'Prepaid Service' 
> situation, where a user has paid for a finite amount of usage and should 
> not be allowed to use more than that service.
> This is perfect as I need exactly that.
>
> It seems I have to change count_attribute to data usage in order to measure 
> the usage instead of time.
> Nonetheless, I'm very confused about how I'm supposed to utilise this module.
> I can see the module is loaded when I run it as freeradius -X.
> But how do I set it up to allow each user only 3 GB of data usage within a 
> month?
> Or even, for testing purposes, 100KB on a daily basis?
> When the month or day has passed, then the user should be allowed access 
> again.
> Which config file do I have to edit?
> Many thanks for your advice,
> Houman





Re: [strongSwan] Enabled eap-radius doesn't log session information

2018-01-03 Thread Noel Kuntze
Hi,

That's a freeRadius problem, not a strongSwan one. Please take it to the 
freeRadius community.

Kind regards

Noel

On 25.12.2017 11:46, Houman wrote:
> Hello,
>
> I have set up StrongSwan successfully with FreeRadius. I can create a new 
> user in the radcheck table inside the radius DB and authenticate with the VPN 
> with that user afterwards.
>
> However, there is no information saved inside the radacct table. I was 
> expecting to see the session time of a connected user and find out a way to 
> count the traffic a user has been utilising.
>
> But why is the table empty?
>
> I install StrongSwan like this, I don't specifically compile it with 
> `./configure --enable-eap-radius`
>
> Instead, I install it like this, is that ok?
>
> add-apt-repository ppa:freeradius/stable-3.0 -y
> apt-get install -y language-pack-en strongswan strongswan-ikev2 
> libstrongswan-standard-plugins strongswan-libcharon libcharon-extra-plugins 
> freeradius freeradius-utils freeradius-mysql
>
>
> # vim /etc/strongswan.conf
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
>
> include strongswan.d/*.conf
>
>
> # vim /etc/strongswan.d/charon/eap-radius.conf
>
> servers {
>     server-a {
>         accounting = yes
>         secret = ${CLIENT_SECRET}
>         address = 127.0.0.1
>         auth_port = 1812
>         acct_port = 1813
>     }
> }
>
>
> # vim /etc/ipsec.conf
>
> config setup
>   strictcrlpolicy=yes
>   uniqueids=never
> conn roadwarrior
>   auto=add
>   compress=no
>   type=tunnel
>   keyexchange=ikev2
>   fragmentation=yes
>   forceencaps=yes
>   
> ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
>   esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
>   dpdaction=clear
>   dpddelay=180s
>   rekey=no
>   left=%any
>   leftid=@${VPNHOST}
>   leftcert=cert.pem
>   leftsendcert=always
>   leftsubnet=0.0.0.0/0 
>   right=%any
>   rightid=%any
>   rightauth=eap-radius
>   eap_identity=%any
>   rightdns=208.67.222.222,208.67.220.220
>   rightsourceip=${VPNIPPOOL}
>   rightsendcert=never
>
>
> Merry Christmas and thank you,
> Houman





Re: [strongSwan] Performance (latency) in a Hub and Spoke setup

2018-01-03 Thread Noel Kuntze
Hi,

If you used tracepath -T, then that message you posted earlier could indeed be 
caused by tracepath and not be the actual problem.

Did you actually test that? What is the upload speed of the router? I strongly 
doubt the problem with the HTTP latency is caused by a throughput problem.
Could you possibly provide a tcpdump of traffic when the problem occurs?

Kind regards

Noel

On 01.01.2018 16:21, Martin Sand wrote:
> Thanks Noel and Thomas.
>
> I did a lot of investigation over the weekend and it seems like these error 
> messages are traceroute and tracepath specific issues.
> There was a post on serverfault explaining the background [1]. So I will not 
> further invest into this.
>
> So I think I cannot further improve the performance. It is limited by the 
> upload speed of the spoke routers.
>
> Happy New Year and best regards
> Martin
>
>
> [1] 
> https://serverfault.com/questions/623996/how-to-enable-traceroute-in-linux-machine
>
>
>
> On 30.12.2017 23:03, Noel Kuntze wrote:
>> Hi Martin,
>>
>> That can be relevant.
>>
>> That is an ICMP message of the router or recipient 210.211.212.213 to 
>> 192.168.2.135 complaining that the TTL [ of the TCP packet from 
>> 192.168.2.135 to 192.168.1.130 with the ID 63979 ] reached 0. Under the 
>> strong assumption that a standard TTL is used (meaning you didn't change it 
>> to some low value), that means that you have a routing loop somewhere in 
>> your network, that the complained about packet got into.
>>
>> TL;DR: You likely got a routing loop. You need to find and fix it.
>>
>> Kind regards
>>
>> Noel
>>
>> On 30.12.2017 22:47, Martin Sand wrote:
>>> Hi Noel
>>>
>>> Thanks for the advice. I installed tcpdump and wireshark and added a rule 
>>> to log ICMP errors.
>>> This is an excerpt from the log file. I assume this line shows something is 
>>> sent to port 80 but I cannot find the corresponding iptables entry.
>>>
>>> Dec 30 21:42:11 localhost kernel: [1423944.393321] IN= OUT=eth0 
>>> SRC=210.211.212.213 DST=192.168.2.135 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 
>>> ID=38805 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.2.135 DST=192.168.1.130 
>>> LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=63979 DF PROTO=TCP SPT=47511 DPT=80 
>>> WINDOW=5840 RES=0x00 SYN URGP=0 ]
>>>
>>> Best regards
>>> Martin
>>>
>>>
>>> On 28.12.2017 01:43, Noel Kuntze wrote:
>>>> Hi,
>>>>
>>>> Looks like your firewall rules on the hub are broken and cause the 
>>>> problems or you need to configure an additional CHILD_SA to tunnel ICMP 
>>>> errors from the hub, because it has no IP in the local TS.
>>>> Check both those suspicions.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 27.12.2017 23:00, Martin Sand wrote:
>>>>> Thanks again Noel.
>>>>>
>>>>> I have executed `traceroute -T --mtu ` and `mtr -rw ` on machines at 
>>>>> both locations.
>>>>> I did not do further investigation on the MSS yet since I have this 
>>>>> strange packet loss.
>>>>> Based on the route, I assume this happens at the hub which is in between 
>>>>> the two routers?
>>>>> Could this be the root cause I need to further investigate?
>>>>>
>>>>> Kind regards
>>>>> Martin
>>>>>
>>>>> traceroute -T --mtu pi-frankfurt
>>>>> traceroute to pi-frankfurt (192.168.2.135), 30 hops max, 60 byte packets
>>>>>    1  router-freiburg (192.168.1.1)  0.263 ms  0.179 ms  0.172 ms
>>>>>    2  * * *
>>>>>    3  router-frankfurt (192.168.2.1)  41.762 ms  41.182 ms  36.716 ms
>>>>>    4  pi-frankfurt (192.168.2.135)  36.693 ms  43.629 ms  37.051 ms
>>>>>
>>>>> traceroute -T --mtu pi-freiburg
>>>>> traceroute to pi-freiburg (192.168.1.130), 30 hops max, 60 byte packets
>>>>>    1  router-frankfurt (192.168.2.1)  0.489 ms  0.381 ms  0.287 ms
>>>>>    2  * * *
>>>>>    3  router-freiburg (192.168.1.1)  38.368 ms  47.673 ms  35.441 ms
>>>>>    4  pi-freiburg (192.168.1.130)  39.456 ms  54.566 ms  36.117 ms
>>>>>
>>>>> mtr -rw pi-frankfurt
>>>>> Start: 2017-12-27T22:57:40+0100
>>>>> HOST: workstation         Loss%   Snt   Last   Avg  Best  Wrst StDev
>>>>>   1.|-- router-freiburg      0.0%    10    0.2   0.2   0.2   0.3   0.0
>>>>>   2.|-- ???                100.0    10    0.0   0.0   0.0   0.0   0.0
>>>>>   3.|-- router-frankfurt     0.0%    10   33.3  35.5  32.5  42.0   2.7
>>>>>   4.|-- pi-frankfurt         0.0%    10   33.5  34.4  32.7  36.7   1.5
>>>>>
>>>>>
>>>>> On 27.12.2017 21:08, Noel Kuntze wrote:
>>>>>> Hi,
>>>>>>
>>>>>> You can test the convergence speed using `traceroute -T --mtu `, but 
>>>>>> that only gives you the MTU. You need to manually discover the MSS 
>>>>>> using `traceroute -T -O mss= `.
>>>>>>
>>>>>> The best way to check if the problem continues is to just run 
>>>>>> tcpdump/wireshark and check for ICMP Fragmentation needed packets and 
>>>>>> TCP errors or timeouts.
>>>>>>
>>>>>> Kind regards
>>>>>>
>>>>>> Noel
>>>>>>
>>>>>> On 27.12.2017 17:12, Martin Sand wrote:
>>>>>>> Thanks Noel. Sorry, I had to travel to the other location (350 km).
>>>>>>>
>>>>>>> I adapted the

Re: [strongSwan] Strongswan equivalent of openvpn push-peer-info

2018-01-03 Thread flyingrhino

Thanks Noel for the quick response.
I do have a question though -


> You do that on the responder side via the attr/attr-sql plugins
> (possibly by using `ipsec pool`, too).


The initiator has several variables that I need to pass to the responder 
at connection time. The variables don't change AFTER connection, but MAY 
change AT THE NEXT connection. The responder needs to do firewall stuff 
based upon these variables.


Does your advice below also relate to the responder - that these 
variables are NOT AVAILABLE to the updown script env ?


Either way, what is your advice on getting the variables to the updown 
script?
A really dirty solution is the initiator uploads a variables file to 
some location and the responder updown script accesses and parses it for 
the values. Is there a better way?



Thanks.


> On the initiator side, you need a plugin for charon to process the
> custom attributes. They aren't available
> in the updown script.
>
> Kind regards
>
> Noel
>
> On 03.01.2018 22:51, flyingrhino wrote:
>
>> Hi,
>>
>> Do we have an equivalent of the --push-peer-info command that openvpn 
>> has?
>> Of most interest to me is the initiator pushing environment values to 
>> the responder when it connects so that I can program the up/down 
>> script to act upon this information.
>>
>> Here are the useful bits from the openvpn man page:
>>   Push additional information about the client to server.
>>   UV_= -- client environment variables whose names start 
>> with "UV_"
>>
>> Thanks.





Re: [strongSwan] Strongswan equivalent of openvpn push-peer-info

2018-01-03 Thread Noel Kuntze
It also relates to the responder.
You could patch strongSwan to do that.

On 04.01.2018 03:56, flyingrhino wrote:
> Thanks Noel for the quick response.
> I do have a question though -
> 
>> You do that on the responder side via the attr/attr-sql plugins
>> (possibly by using `ipsec pool`, too).
> 
> The initiator has several variables that I need to pass to the responder at 
> connection time. The variables don't change AFTER connection, but MAY change 
> AT THE NEXT connection. The responder needs to do firewall stuff based upon 
> these variables.
> 
> Does your advice below also relate to the responder - that these variables 
> are NOT AVAILABLE to the updown script env ?
> 
> Either way, what is your advice on getting the variables to the updown script?
> A really dirty solution is the initiator uploads a variables file to some 
> location and the responder updown script accesses and parses it for the 
> values. Is there a better way?
> 
> 
> Thanks.
> 
>> On the initiator side, you need a plugin for charon to process the
>> custom attributes. They aren't available
>> in the updown script.
>>
>> Kind regards
>>
>> Noel
>>
>> On 03.01.2018 22:51, flyingrhino wrote:
>>> Hi,
>>>
>>> Do we have an equivalent of the --push-peer-info command that openvpn has?
>>> Of most interest to me is the initiator pushing environment values to the 
>>> responder when it connects so that I can program the up/down script to act 
>>> upon this information.
>>>
>>> Here are the useful bits from the openvpn man page:
>>>   Push additional information about the client to server.
>>>   UV_= -- client environment variables whose names start with 
>>> "UV_"
>>>
>>> Thanks.
>>>
> 





Re: [strongSwan] Strongswan equivalent of openvpn push-peer-info

2018-01-03 Thread flyingrhino

Thanks Noel.

BTW, how does the attr/attr-sql plugin work? I tried to configure it and 
failed.
A few days ago I sent the email "[strongSwan] Struggling to send custom 
configuration payload between peers" and I quoted the ipsec.conf and 
strongswan.conf files I was using.
I got messages "Dec 29 15:16:37 asus303 charon: 10[CFG] handling (2) 
attribute failed"


Am I missing something there ?

Regards.

On 2018-01-04 16:10, Noel Kuntze wrote:

> It also relates to the responder.
> You could patch strongSwan to do that.
>
> On 04.01.2018 03:56, flyingrhino wrote:
>
>> Thanks Noel for the quick response.
>> I do have a question though -
>>
>>> You do that on the responder side via the attr/attr-sql plugins
>>> (possibly by using `ipsec pool`, too).
>>
>> The initiator has several variables that I need to pass to the 
>> responder at connection time. The variables don't change AFTER 
>> connection, but MAY change AT THE NEXT connection. The responder needs 
>> to do firewall stuff based upon these variables.
>>
>> Does your advice below also relate to the responder - that these 
>> variables are NOT AVAILABLE to the updown script env ?
>>
>> Either way, what is your advice on getting the variables to the updown 
>> script?
>> A really dirty solution is the initiator uploads a variables file to 
>> some location and the responder updown script accesses and parses it 
>> for the values. Is there a better way?
>>
>> Thanks.
>>
>>> On the initiator side, you need a plugin for charon to process the
>>> custom attributes. They aren't available
>>> in the updown script.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 03.01.2018 22:51, flyingrhino wrote:
>>>
>>>> Hi,
>>>>
>>>> Do we have an equivalent of the --push-peer-info command that 
>>>> openvpn has?
>>>> Of most interest to me is the initiator pushing environment values 
>>>> to the responder when it connects so that I can program the up/down 
>>>> script to act upon this information.
>>>>
>>>> Here are the useful bits from the openvpn man page:
>>>>   Push additional information about the client to server.
>>>>   UV_= -- client environment variables whose names 
>>>> start with "UV_"
>>>>
>>>> Thanks.







[strongSwan] How to use swanctl in docker after running charon as entrypoint?

2018-01-03 Thread Glen Huang
Hi,

I’m trying to put strongswan in docker, but the problem is I use swanctl, and I 
have no idea how to run swanctl in dockerfile after I run charon as entrypoint. 
Docker doesn’t have something like ExecStartPost that systemd has.

I searched in docker community and everybody said run command after entrypoint 
in dockerfile was the wrong approach, but given the dichotomy between charon 
and swanctl, I’m not sure how that can be achieved otherwise.

I wonder if it’s possible to ask swanctl to bring up charon and load-all in one 
go?

Regards,
Glen
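One way to have charon load swanctl.conf itself, as an added example rather than something from the thread: strongswan.conf's charon.start-scripts section lists commands (name = command) that charon runs once it has started, so the container entrypoint can stay charon and no post-start hook is needed. The swanctl path /usr/sbin/swanctl is an assumption; check where the image installs it.

```conf
# strongswan.conf (added example; the path to swanctl is assumed)
charon {
    # Every entry here is executed by charon after the daemon has come up,
    # i.e. after the vici plugin has opened its socket, so swanctl can talk
    # to it. This replaces the ExecStartPost step that systemd would run.
    start-scripts {
        # --noprompt keeps swanctl from waiting on a passphrase prompt for
        # encrypted private keys, which would hang a non-interactive start.
        load-all = /usr/sbin/swanctl --load-all --noprompt
    }
}
```

With this in place the Dockerfile keeps charon as its entrypoint and the connections, pools and secrets from swanctl.conf are loaded without a second process in the container.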