[strongSwan] Dual IPSEC SA after re-auth

2018-01-04 Thread Loic Chabert
Hello strongSwan list,

I have trouble with an IPsec site-to-site VPN between a Cisco ASA and
strongSwan version 5.5.3 on Linux 3.10.0-327.10.1.el7.x86_64.

With strongSwan, I want to send two subnets: 172.16.5.0/24 and 192.168.1.0/24.
When I start strongSwan there is no error, all pings pass through the IPsec
tunnel and there is no problem.
After 7h (probably after a re-auth), two tunnels are inserted for the same
subnet. The other subnet continues to work as expected. Only one "crashes":
one ping out of two is dropped.

Please find below the output of "statusall":

# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64, x86_64):
  uptime: 26 hours, since Jan 03 14:53:30 2018
  malloc: sbrk 1622016, mmap 0, used 529568, free 1092448
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  185.119.XXX.XXX
  172.16.0.0
  2a06:8bc0:XXX
  10.8.0.1
Connections:
      conn-1:  185.119.XXX.YYY...46.31.ZZ.ZZ  IKEv1
      conn-1:   local:  [185.119.XXX.YYY] uses pre-shared key authentication
      conn-1:   remote: [46.31.ZZ.ZZ] uses pre-shared key authentication
      conn-1:   child:  192.168.1.0/24 === 10.2.1.192/29 TUNNEL
      conn-2:   child:  172.16.5.0/24 === 10.2.1.192/29 TUNNEL
Security Associations (1 up, 0 connecting):
      conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
      conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared key reauthentication in 5 hours
      conn-1[7]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
      conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
      conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
      conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
      conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
      conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
      conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
      conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
      conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29

Here is my configuration:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        # strictcrlpolicy=yes
        charondebug="cfg 2, chd 1, dmn 1, ike 1, knl 1, net 1"
        # uniqueids = no

# Add connections here.

# Sample VPN connections
conn conn-1
        auto=start
        rightsubnet=192.168.1.0/24
        authby=secret
        compress=no
        closeaction=restart
        mobike=no
        keyexchange=ikev1
        keyingtries=1
        rekeymargin=3m
        ike=aes256-sha-modp1536
        esp=aes256-sha-modp1024
        ikelifetime=28800s
        lifetime=28800s
        left=46.31.ZZ.ZZ
        right=185.119.XXX.YYY
        leftsubnet=10.2.1.192/29
        leftid=46.31.ZZ.ZZ
        rightid=185.119.XXX.YYY

conn conn-2
        auto=start
        rightsubnet=172.16.5.0/24
        authby=secret
        compress=no
        closeaction=restart
        mobike=no
        rekeymargin=3m
        keyexchange=ikev1
        ike=aes256-sha-modp1536
        esp=aes256-sha-modp1024
        ikelifetime=28800s
        keyingtries=1
        lifetime=28800s
        left=46.31.ZZ.ZZ
        right=185.119.XXX.YYY
        leftsubnet=10.2.1.192/29
        leftid=46.31.ZZ.ZZ


If I set rightsubnet with both subnets separated by a comma, only one of the
two subnets is UP.
I have disabled the cisco_unity plugin (same behaviour if this plugin is
enabled).

Do you have any hint for setting up an IPsec site-to-site tunnel with two
subnets that keeps working even after a rekey or reauth?
Are there any log lines that could help me?

Thanks in advance,
Regards.
-- 

Loïc CHABERT - Technical Manager

Voxity - Free your telecoms

85 Rue des Alliés 38100 Grenoble
Tel : 0975181257 - Fax : 04.816.801.14
Email : loic.chab...@voxity.fr
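A quick way to spot the condition described above, two CHILD_SAs installed for the same selectors of one connection, from `ipsec statusall` output. This is an added example, not code from the post; the sample lines are a constructed cut-down of the statusall excerpt.

```shell
#!/bin/sh
# Added example, not from the original post: list traffic-selector pairs that
# have more than one CHILD_SA installed for the same connection in
# `ipsec statusall` output, which is the condition reported in the post.
# Usage: ipsec statusall | dup_child_sas

dup_child_sas() {
    awk '
        # selector lines look like:  conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29
        # $1 = "conn-1{869}:", $2 = local TS, $3 = "===", $4 = remote TS
        $1 ~ /^[^ ]+[{][0-9]+[}]:$/ && $3 == "===" && NF == 4 {
            split($1, id, "{")                   # id[1] = connection name
            key = id[1] " " $2 " === " $4
            count[key]++
            # remember which CHILD_SA instances share the selectors
            sas[key] = sas[key] (sas[key] ? "," : "") substr($1, 1, length($1) - 1)
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k ": " count[k] " CHILD_SAs (" sas[k] ")"
        }
    ' | sort
}

# Constructed sample, cut down from the statusall excerpt in the post.
SAMPLE='conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29'

# Reports only conn-1's 192.168.1.0/24 pair, which carries SAs {867} and {869}.
printf '%s\n' "$SAMPLE" | dup_child_sas
```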


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Luka Logar

Hi,

I am using OpenWrt + strongSwan + freeradius (password) PEAP auth on my
home routers (DIR860 and WNDR3700). It all works quite nicely although it
took some time to set up freeradius correctly...



Re: [strongSwan] How to use swanctl in docker after running charon as entrypoint?

2018-01-04 Thread Glen Huang
Working flawlessly.

Thank you.

> On 4 Jan 2018, at 9:19 PM, Noel Kuntze wrote:
> 
> Hi,
> 
> Use charon.start-scripts in strongswan.conf to load the config.
> 
> Kind regards
> 
> Noel
> 
> On 04.01.2018 07:17, Glen Huang wrote:
>> Hi,
>> 
>> I’m trying to put strongSwan in Docker, but the problem is I use swanctl,
>> and I have no idea how to run swanctl in a Dockerfile after I run charon as
>> the entrypoint. Docker doesn’t have something like the ExecStartPost that
>> systemd has.
>> 
>> I searched the Docker community and everybody said running a command after
>> the entrypoint in a Dockerfile was the wrong approach, but given the
>> dichotomy between charon and swanctl, I’m not sure how that can be achieved
>> otherwise.
>> 
>> I wonder if it’s possible to ask swanctl to bring up charon and load-all in
>> one go?
>> 
>> Regards,
>> Glen
> 



Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
On LDAP or RADIUS it is possible to auth over an NT-Password and I think LM as
well, yes, the AD format.
I often use mschap for testing purposes and it would be great to have an
embedded but configurable strongSwan server in a cheap router.

2018-01-04 14:46 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Not on OpenWrt. But you need plaintext or AD-like passwords in LDAP.
> Otherwise you can't auth with mschap(v2).
>
> On 04.01.2018 14:38, Giuseppe De Marco wrote:
> > Yes Noel and thank you, my question is:
> > Is there any experience with running strongSwan in OpenWrt as an IKEv2
> > server with an mschap/radius/ldap auth backend?
> >
> > 2018-01-04 14:17 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:
> >
> > Hi,
> >
> > `ipsec` is just a command line tool. It's not a daemon (or generally
> > a service).
> > Are there any open questions?
> >
> > Kind regards
> >
> > Noel
> >
> > On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > > Hi and thank you Noel,
> > > I meant to run ipsec and charon in the embedded OpenWrt router; I
> > > use DPD as well:
> > >
> > >   # dead-peer detection to clear any "dangling" connections in
> > >   # case the client unexpectedly disconnects
> > >   dpdaction=clear
> > >   # If the tunnel has no traffic for this long (default 30 secs),
> > >   # Charon will send a dead peer detection packet. The value 0 means
> > >   # to not send such packets, relying on ordinary traffic, which will
> > >   # occur at least once an hour, which is the default rekeying lifetime.
> > >   dpddelay=33s
> > >   #  DPD Retries : 3
> > >   dpdtimeout=300s
> > >
> > > Running strongSwan on an 18-70$ OpenWrt router is very useful in
> > > many ways.


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Noel Kuntze
Not on OpenWrt. But you need plaintext or AD-like passwords in LDAP. Otherwise
you can't auth with mschap(v2).

On 04.01.2018 14:38, Giuseppe De Marco wrote:
> Yes Noel and thank you, my question is:
> Is there any experience with running strongSwan in OpenWrt as an IKEv2
> server with an mschap/radius/ldap auth backend?
> 
> 2018-01-04 14:17 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:
> 
> Hi,
> 
> `ipsec` is just a command line tool. It's not a daemon (or generally a
> service).
> Are there any open questions?
> 
> Kind regards
> 
> Noel
> 
> On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > Hi and thank you Noel,
> > I meant to run ipsec and charon in the embedded OpenWrt router; I use
> > DPD as well:
> >
> >   # dead-peer detection to clear any "dangling" connections in case the
> >   # client unexpectedly disconnects
> >   dpdaction=clear
> >   # If the tunnel has no traffic for this long (default 30 secs),
> >   # Charon will send a dead peer detection packet. The value 0 means to
> >   # not send such packets, relying on ordinary traffic, which will occur
> >   # at least once an hour, which is the default rekeying lifetime.
> >   dpddelay=33s
> >   #  DPD Retries : 3
> >   dpdtimeout=300s
> >
> > Running strongSwan on an 18-70$ OpenWrt router is very useful in many
> > ways.





Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Yes Noel and thank you, my question is:
Is there any experience with running strongSwan in OpenWrt as an IKEv2
server with an mschap/radius/ldap auth backend?

2018-01-04 14:17 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Hi,
>
> `ipsec` is just a command line tool. It's not a daemon (or generally a
> service).
> Are there any open questions?
>
> Kind regards
>
> Noel
>
> On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > Hi and thank you Noel,
> > I meant to run ipsec and charon in the embedded OpenWrt router; I use
> > DPD as well:
> >
> >   # dead-peer detection to clear any "dangling" connections in case the
> >   # client unexpectedly disconnects
> >   dpdaction=clear
> >   # If the tunnel has no traffic for this long (default 30 secs), Charon
> >   # will send a dead peer detection packet. The value 0 means to not send
> >   # such packets, relying on ordinary traffic, which will occur at least
> >   # once an hour, which is the default rekeying lifetime.
> >   dpddelay=33s
> >   #  DPD Retries : 3
> >   dpdtimeout=300s
> >
> > Running strongSwan on an 18-70$ OpenWrt router is very useful in many
> > ways.


Re: [strongSwan] How to use swanctl in docker after running charon as entrypoint?

2018-01-04 Thread Noel Kuntze
Hi,

Use charon.start-scripts in strongswan.conf to load the config.

Kind regards

Noel

On 04.01.2018 07:17, Glen Huang wrote:
> Hi,
>
> I’m trying to put strongSwan in Docker, but the problem is I use swanctl, and
> I have no idea how to run swanctl in a Dockerfile after I run charon as the
> entrypoint. Docker doesn’t have something like the ExecStartPost that systemd has.
>
> I searched the Docker community and everybody said running a command after
> the entrypoint in a Dockerfile was the wrong approach, but given the dichotomy
> between charon and swanctl, I’m not sure how that can be achieved otherwise.
>
> I wonder if it’s possible to ask swanctl to bring up charon and load-all in
> one go?
>
> Regards,
> Glen



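The strongswan.conf fragment that Noel's answer refers to, as an added example rather than text from the thread. The script name `load-all` and the path to swanctl are assumptions; charon runs every entry under `charon.start-scripts` once it has started.

```conf
# strongswan.conf (added example, not from the thread). The script name
# "load-all" and the swanctl path are assumptions; adjust them to the image.
charon {
    start-scripts {
        # charon runs this command once it is up, so the swanctl.conf
        # configuration is loaded without a second process in the container
        load-all = /usr/sbin/swanctl --load-all --noprompt
    }
    plugins {
        vici {
            # swanctl talks to charon over the vici socket, so keep it loaded
            load = yes
        }
    }
}
```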


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Noel Kuntze
Hi,

`ipsec` is just a command line tool. It's not a daemon (or generally a service).
Are there any open questions?

Kind regards

Noel

On 04.01.2018 14:14, Giuseppe De Marco wrote:
> Hi and thank you Noel,
> I meant to run ipsec and charon in the embedded OpenWrt router; I use DPD as
> well:
> 
>   # dead-peer detection to clear any "dangling" connections in case the
>   # client unexpectedly disconnects
>   dpdaction=clear
>   # If the tunnel has no traffic for this long (default 30 secs), Charon will
>   # send a dead peer detection packet. The value 0 means to not send such
>   # packets, relying on ordinary traffic, which will occur at least once an
>   # hour, which is the default rekeying lifetime.
>   dpddelay=33s
>   #  DPD Retries : 3
>   dpdtimeout=300s
> 
> Running strongSwan on an 18-70$ OpenWrt router is very useful in many ways.





Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Hi and thank you Noel,
I meant to run ipsec and charon in the embedded OpenWrt router; I use DPD
as well:

  # dead-peer detection to clear any "dangling" connections in case
  # the client unexpectedly disconnects
  dpdaction=clear
  # If the tunnel has no traffic for this long (default 30 secs), Charon
  # will send a dead peer detection packet. The value 0 means to not send
  # such packets, relying on ordinary traffic, which will occur at least
  # once an hour, which is the default rekeying lifetime.
  dpddelay=33s
  #  DPD Retries : 3
  dpdtimeout=300s

Running strongSwan on an 18-70$ OpenWrt router is very useful in many ways.


[strongSwan] [strongswan - 5.3.0] : Generating Multiple resolv.con files

2018-01-04 Thread Sriram
Hi,
We are using strongSwan 5.3.0 on our Linux device, which is a strongSwan
client working in tunnel mode with a virtual IP.

It establishes tunnels towards two security gateways, for example:

eth0.489 (10.0.0.1) -- 10.201.100.1 (secgw1)
eth0.490 (10.0.10.1) -- 10.201.100.2 (secgw2)

In strongswan.conf, under the plugins section:

    resolve {
        file=/etc/resolvtunnel.conf
    }

When both tunnels are established I see that the DNS servers pushed by the
secgws are appended to /etc/resolvtunnel.conf.
I want to know if it is possible to generate two resolv.conf files, like
/etc/resolvtunnel_secgw1.conf for secgw1 and /etc/resolvtunnel_secgw2.conf
for secgw2.


Regards,
Sriram.


[strongSwan] Fwd: CRL validation failing

2018-01-04 Thread Matthew Winnett
I am running 5.6.1 and trying to establish a site-to-site vlan to an F5
BIG-IP using IKEv2 and certificates. The tunnel works OK with PSK, but when
using certificates I get the following in the log:

11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech,
O=f5, OU=es, CN=moriarty_k-server_1.winnett.gb"
11[CFG]   fetching crl from
'file:///usr/local/etc/swanctl/x509crl/ca-cacert.crl'
...
11[CFG] issuer of fetched CRL 'C=gb, ST=anglesey, L=benllech, O=f5, OU=es,
CN=moriarty_k-Root_CA.winnett.gb' does not match CRL issuer
'0e:db:41:37:bb:8c:b8:1c:de:9b:35:31:de:4d:6b:67:5a:02:57:22'

I found a previous thread indicating that the "CRL must contain an
authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
issuer", which I now have ...

$ openssl crl -in ca-cacert.crl -noout -text | grep -E "CRL extensions:" -A 4
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
                DirName:/C=gb/ST=anglesey/L=benllech/O=f5/OU=es/CN=moriarty_k-Root_CA.winnett.gb
                serial:5A:4D:03:09

$ openssl x509 -in ca-cacert.pem -text | grep -E "X509v3 extensions:" -A 6
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22
            X509v3 Authority Key Identifier:
                keyid:0E:DB:41:37:BB:8C:B8:1C:DE:9B:35:31:DE:4D:6B:67:5A:02:57:22

Any idea what is wrong?

Many thanks ...

Matthew
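The two checks a verifier applies to a CRL before trusting it, and the two things worth confirming on the files above: the CRL's authorityKeyIdentifier keyid equals the CA certificate's subjectKeyIdentifier, and the CRL signature verifies with that CA. This is an added example, not code from the mail; the CA and CRL it uses are generated on the fly as constructed test material, and `crl_matches_ca` can be pointed at real files instead.

```shell
#!/bin/sh
# Added example, not from the original mail: check a CRL against the CA that
# is supposed to have issued it. Two conditions must hold: the CRL's
# authorityKeyIdentifier equals the CA's subjectKeyIdentifier, and the CRL
# signature verifies with the CA certificate. The CA and CRL below are
# constructed test material; in practice point crl_matches_ca at real files.
WORK=$(mktemp -d)

# Build a throwaway CA (the default req -x509 profile adds a subjectKeyIdentifier)
# and a CRL signed by it that carries authorityKeyIdentifier = keyid.
make_test_ca_and_crl() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" \
        -cert "$WORK/ca.pem" -out "$WORK/ca.crl" 2>/dev/null
}

# Hex key id from the line after the named extension in openssl -text output;
# OpenSSL 1.1 prints "keyid:XX:..." for the AKI, OpenSSL 3 prints the bare hex.
key_id() {
    awk -v ext="$1" 'index($0, ext) { getline; sub(/^.*keyid:/, ""); gsub(/ /, ""); print; exit }'
}

# Usage: crl_matches_ca ca.pem ca.crl ; returns 0 only if both checks pass.
crl_matches_ca() {
    ski=$(openssl x509 -in "$1" -noout -text | key_id "Subject Key Identifier")
    aki=$(openssl crl  -in "$2" -noout -text | key_id "Authority Key Identifier")
    [ -n "$ski" ] && [ "$ski" = "$aki" ] || return 1
    openssl crl -in "$2" -noout -verify -CAfile "$1" 2>&1 | grep -q 'verify OK'
}

make_test_ca_and_crl && crl_matches_ca "$WORK/ca.pem" "$WORK/ca.crl" && echo "CRL matches CA"
```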