Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-10 Thread Giuseppe De Marco
It depends on your configuration.
You have to enable eap-radius as well

2018-01-10 4:39 GMT+01:00 RA:

> Hi.
>
> Thanks for your reply. 'NT-Password'  isn't working with Strongswan though
> radtest is checking it just fine:
>
>
> # smbencrypt mypass
> LM Hash                          NT Hash
> 92315C8B485693A7AAD3B435B51404EE E0C32CDA6F6ECC163F442D002BBA3DAF
>
>
> # INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('mylogin',
> 'NT-Password', ':=', 'E0C32CDA6F6ECC163F442D002BBA3DAF');
>
>
> # radtest mylogin mypass my.radius.server 10 mysecret
> Sending Access-Request of id 237 to x.x.x.x port 1812
> User-Name = "mylogin"
> User-Password = "mypass"
> NAS-IP-Address = x.x.x.x
> NAS-Port = 10
> Message-Authenticator = 0x
> rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=237,
> length=20
>
> Do I need to make any changes on the radius or Strongswan side to make
> them work with NT-Password?
>
> Thanks & Regards,
> Ron
>
>
> - Original message -
> From: Giuseppe De Marco 
> To: RA 
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords:
> Possible?
> Date: Tue, 9 Jan 2018 15:46:04 +0100
>
> Hi RA,
> Yes you can, I use NT-Password instead.
> I get this working on LDAP and Freeradius
>
> 2018-01-09 14:07 GMT+01:00 RA:
>
> Hi.
>
> I have been able to follow the guides and tutorials online and
> successfully setup a Strongswan IKEv2 server which authenticates with a
> Freeradius server with MySQL back-end. Everywhere I saw instructions like
> these only:
>
> INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('test',
> 'Cleartext-Password', ':=', 'pass123');
>
> Now this works just fine but I don't want to store plain text passwords in
> database and would prefer the "VALUE" column to be hashed in some way. But
> being new to this, I just don't know how & would be really glad if someone
> can provide pointers. Not sure whether its even possible or not.
>
> Thanks in advance.
>
> Regards.
> Ron
>
>
>


Re: [strongSwan] IPSec Tunnel IP

2018-01-10 Thread Yusuf Güngör
Hi Noel,

We have APs which are located at various locations. APs get an IP from strongswan.

We have to add "rightsubnet=0.0.0.0/0" to let the APs connect. (We do not
know the APs' private/public IP addresses.)

We have to add "rightsourceip=10.254.0.0/24" to give the APs a tunnel IP.

APs can get an IP from the "rightsourceip" pool successfully:

ipsec primary tunnel ap tunnel ip   :10.254.0.1


But why is the peer tunnel IP "1.1.1.127"?

ipsec primary tunnel peer tunnel ip :1.1.1.127


We can establish VPN connections from the APs to Aruba Controllers, and in that
case the APs get IP addresses as expected:

ipsec primary tunnel ap tunnel ip   :10.254.0.1

ipsec primary tunnel peer tunnel ip :

Are we missing something?

Also, the VPN connection to strongswan restarts about every 3 hours. The APs
disconnect and reconnect because of packet loss. This should be the subject of
another topic; I mention it here in case it is related.

Thanks for your help.


2017-12-28 16:12 GMT+03:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Hello,
>
> It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP
> proposes "1.1.1.127" as its local TS, so it gets narrowed to that. I
> propose you delete those two lines.
>
> Kind regards
>
> Noel
>
> On 27.12.2017 11:01, Yusuf Güngör wrote:
> > Hi,
> >
> > I have a configuration like below and the VPN connection is successfully
> established, but the client side gets "1.1.1.127" as tunnel IP. Can we change
> this tunnel IP? I cannot find any clue about why strongSwan assigns
> "1.1.1.127" as tunnel IP to clients.
> >
> > Thanks.
> >
> >
> > *StrongSwan Config (Left)*
> >
> > conn vpn-test
> >   left=%defaultroute
> >   leftsubnet=172.30.1.1/25 
> >   leftauth=psk
> >   leftfirewall=no
> >   right=%any
> >   rightsubnet=0.0.0.0/0 
> >   rightsourceip=10.254.0.0/24 
> >   auto=add
> >   keyexchange=ikev1
> >   rightauth=psk
> >   rightauth2=xauth
> >   type=tunnel
> >   mobike=yes
> >   rightid=%any
> >
> >
> > *Client VPN Status: (Aruba Instant AP - Right)*
> >
> > current using tunnel:primary tunnel
> > current tunnel using time   :1 hour 43 minutes 31 seconds
> > ipsec is preempt status :disable
> > ipsec is fast failover status   :disable
> > ipsec hold on period:0s
> > ipsec tunnel monitor frequency (seconds/packet) :5
> > ipsec tunnel monitor timeout by lost packet cnt :6
> >
> > ipsec primary tunnel crypto type:PSK
> > ipsec primary tunnel peer address   :52.55.49.104
> > ipsec primary tunnel peer tunnel ip :1.1.1.127
> > ipsec primary tunnel ap tunnel ip   :10.254.0.1
> > ipsec primary tunnel using interface:tun0
> > ipsec primary tunnel using MTU  :1230
> > ipsec primary tunnel current sm status  :Up
> > ipsec primary tunnel tunnel status  :Up
> > ipsec primary tunnel tunnel retry times :6
> > ipsec primary tunnel tunnel uptime  :1 hour 43 minutes 31 seconds
> >
> > ipsec  backup tunnel crypto type:PSK
> > ipsec  backup tunnel peer address   :N/A
> > ipsec  backup tunnel peer tunnel ip :N/A
> > ipsec  backup tunnel ap tunnel ip   :N/A
> > ipsec  backup tunnel using interface:N/A
> > ipsec  backup tunnel using MTU  :N/A
> > ipsec  backup tunnel current sm status  :Init
> > ipsec  backup tunnel tunnel status  :Down
> > ipsec  backup tunnel tunnel retry times :0
> > ipsec  backup tunnel tunnel
> >
> >
>


[strongSwan] mobileconfig file - do i need to install a root CA

2018-01-10 Thread Alex Sharaz
Hi,
I've got a .mobileconfig file set up that will allow a macOS/iOS user to
connect to my SSwan VPN server (5.6.1).
In it I have a cert payload defined containing both the intermediate and
root cert of the server certificate. This all works just fine.

However, our security people are objecting to the fact that I'm installing
a root CA on the client device.

The server cert has an intermediate cert between it and the root CA.

Server config is:

conn it-services-ikev2
  left=%any
  leftauth=pubkey
  leftcert=vpn.york.ac.uk.pem
  leftid=@vpn.york.ac.uk
  leftsendcert=always
  leftsubnet=0.0.0.0/0,::/0
  leftfirewall=yes
  right=%any
  rightauth=eap-radius
  rightsendcert=never
  rightgroups="Cserv"
  eap_identity=%any
  keyexchange=ikev2
  rightsourceip=%itservices
  fragmentation=yes
  auto=add


If I remove the root cert from the mobileconfig, connection fails. Should I
be able to connect without the root CA in the payload?

Rgds
Alex


[strongSwan] Reconnect failed with android phone

2018-01-10 Thread JWD
I'm using an Android phone.
After upgrading to strongswan-5.6.1, I connect to strongSwan, then disconnect,
then reconnect, but it fails.
Config and log are below.
Can anyone help me? Thanks.

conn XAuth-PSK
keyexchange=ikev1
ike=aes256-sha1-modp1024,aes256-sha256-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,aes256-sha256,3des-sha1!
left=%any
leftauth=psk
leftsubnet=0.0.0.0/0
#leftfirewall=yes
right=%any
rightauth=psk
rightauth2=xauth
#rightauth2=xauth-radius | xauth-generic | xauth-pam | xauth-eap
rightsourceip=172.31.254.0/24
auto=add

Jan 10 22:22:37 09[NET] <3> received packet: from 117.100.110.176[500] to 172.31.2.1[500] (476 bytes)
Jan 10 22:22:37 09[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 10 22:22:37 09[IKE] <3> received NAT-T (RFC 3947) vendor ID
Jan 10 22:22:37 09[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 10 22:22:37 09[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 10 22:22:37 09[IKE] <3> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jan 10 22:22:37 09[IKE] <3> received XAuth vendor ID
Jan 10 22:22:37 09[IKE] <3> received Cisco Unity vendor ID
Jan 10 22:22:37 09[IKE] <3> received FRAGMENTATION vendor ID
Jan 10 22:22:37 09[IKE] <3> received DPD vendor ID
Jan 10 22:22:37 09[IKE] <3> 117.100.110.176 is initiating a Main Mode IKE_SA
Jan 10 22:22:37 09[ENC] <3> generating ID_PROT response 0 [ SA V V V V ]
Jan 10 22:22:37 09[NET] <3> sending packet: from 172.31.2.1[500] to 117.100.110.176[500] (160 bytes)
Jan 10 22:22:37 10[NET] <3> received packet: from 117.100.110.176[500] to 172.31.2.1[500] (228 bytes)
Jan 10 22:22:37 10[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 10 22:22:37 10[IKE] <3> local host is behind NAT, sending keep alives
Jan 10 22:22:37 10[IKE] <3> remote host is behind NAT
Jan 10 22:22:37 10[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 10 22:22:37 10[NET] <3> sending packet: from 172.31.2.1[500] to 117.100.110.176[500] (244 bytes)
Jan 10 22:22:37 11[NET] <3> received packet: from 117.100.110.176[4500] to 172.31.2.1[4500] (92 bytes)
Jan 10 22:22:37 11[ENC] <3> parsed ID_PROT request 0 [ ID HASH ]
Jan 10 22:22:37 11[CFG] <3> looking for XAuthInitPSK peer configs matching 172.31.2.1...117.100.110.176[192.168.99.102]
Jan 10 22:22:37 11[CFG] <3> selected peer config "XAuth-PSK"
Jan 10 22:22:37 11[ENC] generating ID_PROT response 0 [ ID HASH ]
Jan 10 22:22:37 11[NET] sending packet: from 172.31.2.1[4500] to 117.100.110.176[4500] (76 bytes)
Jan 10 22:22:37 11[ENC] generating TRANSACTION request 3859775034 [ HASH CPRQ(X_USER X_PWD) ]
Jan 10 22:22:37 11[NET] sending packet: from 172.31.2.1[4500] to 117.100.110.176[4500] (76 bytes)
Jan 10 22:22:37 12[NET] received packet: from 117.100.110.176[4500] to 172.31.2.1[4500] (108 bytes)
Jan 10 22:22:37 12[ENC] parsed INFORMATIONAL_V1 request 3696968083 [ HASH N(INITIAL_CONTACT) ]
Jan 10 22:22:37 16[NET] received packet: from 117.100.110.176[4500] to 172.31.2.1[4500] (108 bytes)
Jan 10 22:22:37 16[ENC] parsed TRANSACTION response 3859775034 [ HASH CPRP(X_USER X_PWD) ]
Jan 10 22:22:37 16[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Jan 10 22:22:37 16[CFG] received RADIUS Access-Accept from server '127.0.0.1'
Jan 10 22:22:37 16[IKE] XAuth authentication of 'vpnuser1' successful
Jan 10 22:22:37 16[ENC] generating TRANSACTION request 4237587337 [ HASH CPS(X_STATUS) ]
Jan 10 22:22:37 16[NET] sending packet: from 172.31.2.1[4500] to 117.100.110.176[4500] (76 bytes)
Jan 10 22:22:37 03[NET] received packet: from 117.100.110.176[4500] to 172.31.2.1[4500] (92 bytes)
Jan 10 22:22:37 03[ENC] parsed TRANSACTION response 4237587337 [ HASH CPA(X_STATUS) ]
Jan 10 22:22:37 03[IKE] IKE_SA XAuth-PSK[3] established between 172.31.2.1[172.31.2.1]...117.100.110.176[192.168.99.102]
Jan 10 22:22:37 03[IKE] scheduling reauthentication in 10239s
Jan 10 22:22:37 03[IKE] maximum IKE_SA lifetime 10779s
Jan 10 22:22:37 04[NET] received packet: from 117.100.110.176[4500] to 172.31.2.1[4500] (124 bytes)
Jan 10 22:22:37 04[ENC] parsed TRANSACTION request 3008611662 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Jan 10 22:22:37 04[IKE] peer requested virtual IP %any
Jan 10 22:22:37 04[CFG] assigning new lease to 'vpnuser1'
Jan 10 22:22:37 04[IKE] assigning virtual IP 172.31.254.1 to peer 'vpnuser1'
Jan 10 22:22:37 04[ENC] generating TRANSACTION response 3008611662 [ HASH CPRP(ADDR DNS NBNS DNS NBNS) ]
Jan 10 22:22:37 04[NET] sending packet: from 172.31.2.1[4500] to 117.100.110.176[4500] (108 bytes)

Jan 10 22:22:55 15[NET] <4> received packet: from 117.100.110.176[500] to 172.31.2.1[500] (476 bytes)
Jan 10 22:22:55 15[ENC] <4> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 10 22:22:55 15[IKE] <4> received NAT-T (RFC 3947) vendor ID
Jan 10 22:22:55 15[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 10 22:22:55 15[IKE] <4> rec

[strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-10 Thread rajeev nohria
I am trying to understand whether ESP_TFC_PADDING_NOT_SUPPORTED means the local
side is using TFC.

I am getting an ESP_TFC_PADDING_NOT_SUPPORTED message from the remote. Does that
mean the local side is using TFC?
On the local side I have not configured tfc_padding, and by default it is disabled.
If it is disabled by default, why is the local side sending packets with TFC?

12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 1
12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
12[IKE] scheduling rekeying in 13218s
12[IKE] maximum IKE_SA lifetime 14658s
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null)) (authenc(hmac(sha256-generic),ecb-cipher_null))
12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs c2b4f3ce_i 2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] === fc00:cada:c406::200/128[tcp/8190]

Thanks,

Rajeev


Re: [strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-10 Thread rajeev nohria
Let me ask the question again.

On the local side I did not configure TFC, and by default it should be disabled.
From the remote I am receiving the following message:

12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

What exactly does "not using ESPv3 TFC padding" mean? Does it mean the local
side is also not using TFC padding?

Why would the local side send messages with TFC when TFC is disabled by default? I
have tried tfc_padding = 0 in the configuration and get the same message. Just
trying to understand.





On Wed, Jan 10, 2018 at 10:51 AM, rajeev nohria wrote:

> I am trying to understand whether ESP_TFC_PADDING_NOT_SUPPORTED means the local
> side is using TFC.
>
> I am getting an ESP_TFC_PADDING_NOT_SUPPORTED message from the remote. Does that
> mean the local side is using TFC?
> On the local side I have not configured tfc_padding, and by default it is disabled.
> If it is disabled by default, why is the local side sending packets with TFC?
>
> 12[CFG] certificate status is not available
> 12[CFG]   reached self-signed root ca with a path length of 1
> 12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
> 12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
> 12[IKE] scheduling rekeying in 13218s
> 12[IKE] maximum IKE_SA lifetime 14658s
> 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> [  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null)) (authenc(hmac(sha256-generic),ecb-cipher_null))
> 12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs c2b4f3ce_i 2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] === fc00:cada:c406::200/128[tcp/8190]
>
> Thanks,
>
> Rajeev
>


Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-10 Thread Michael Schwartzkopff
On 10.01.2018 at 04:39, RA wrote:
> Hi.
>
> Thanks for your reply. 'NT-Password' isn't working with Strongswan
> though radtest is checking it just fine:
>
> # smbencrypt mypass
> LM Hash NT Hash
> 
> 92315C8B485693A7AAD3B435B51404EE
> E0C32CDA6F6ECC163F442D002BBA3DAF
>
> # INSERT INTO radcheck (username, attribute, op, VALUE) VALUES
> ('mylogin', 'NT-Password', ':=', 'E0C32CDA6F6ECC163F442D002BBA3DAF');
>
> # radtest mylogin mypass my.radius.server 10 mysecret
> Sending Access-Request of id 237 to x.x.x.x port 1812
> User-Name = "mylogin"
> User-Password = "mypass"
> NAS-IP-Address = x.x.x.x
> NAS-Port = 10
> Message-Authenticator = 0x
> rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=237, length=20
> Do I need to make any changes on the radius or Strongswan side to make
> them work with NT-Password?
> Thanks & Regards,
> Ron

Hi,

This depends on your config. Does your client offer "ms-chapv2" as auth
mechanism? Perhaps it is better to use EAP (eap-radius in strongSwan).

For debugging please look at the output of radiusd -X, or paste the
output here.


> - Original message -
> From: Giuseppe De Marco 
> To: RA 
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?
> Date: Tue, 9 Jan 2018 15:46:04 +0100
>
> Hi RA,
> Yes you can, I use NT-Password instead.
> I get this working on LDAP and Freeradius 
>
> 2018-01-09 14:07 GMT+01:00 RA:
>> Hi.
>>
>>  I have been able to follow the guides and tutorials online and
>>  successfully setup a Strongswan IKEv2 server which authenticates with
>>  a Freeradius server with MySQL back-end. Everywhere I saw
>>  instructions like these only:
>>
>>  INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('test',
>>  'Cleartext-Password', ':=', 'pass123');
>>
>>  Now this works just fine but I don't want to store plain text
>>  passwords in database and would prefer the "VALUE" column to be
>>  hashed in some way. But being new to this, I just don't know how &
>>  would be really glad if someone can provide pointers. Not sure
>>  whether its even possible or not.
>>  Thanks in advance.
>>
>>  Regards.
>>  Ron
>

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein






Re: [strongSwan] IPSec Tunnel IP

2018-01-10 Thread Jafar Al-Gharaibeh

Yusuf,

  Have you tried deleting "rightsubnet=0.0.0.0/0" as Noel suggested below?


  In a dynamic address setup like this I usually do the following (which has
the same effect as deleting it):


  rightsubnet=%dynamic


--Jafar

On 1/10/2018 4:28 AM, Yusuf Güngör wrote:

> Hi Noel,
>
> We have APs which are located at various locations. APs get an IP from strongswan.
>
> We have to add "rightsubnet=0.0.0.0/0" to let the APs connect. (We do not know
> the APs' private/public IP addresses.)
>
> We have to add "rightsourceip=10.254.0.0/24" to give the APs a tunnel IP.
>
> APs can get an IP from the "rightsourceip" pool successfully:
>
> ipsec     primary tunnel ap tunnel ip           :10.254.0.1
>
> But why is the peer tunnel IP "1.1.1.127"?
>
> ipsec     primary tunnel peer tunnel ip         :1.1.1.127
>
> We can establish VPN connections from the APs to Aruba Controllers, and in that
> case the APs get IP addresses as expected:
>
> ipsec     primary tunnel ap tunnel ip           :10.254.0.1
> ipsec     primary tunnel peer tunnel ip         :
>
> Are we missing something?
>
> Also, the VPN connection to strongswan restarts about every 3 hours. The APs
> disconnect and reconnect because of packet loss. This should be the subject of
> another topic; I mention it here in case it is related.
>
> Thanks for your help.
>
> 2017-12-28 16:12 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:
>
> > Hello,
> >
> > It's because you set "rightsubnet=0.0.0.0/0" and evidently the AP proposes
> > "1.1.1.127" as its local TS, so it gets narrowed to that. I propose you
> > delete those two lines.
> >
> > Kind regards
> >
> > Noel
> >
> > On 27.12.2017 11:01, Yusuf Güngör wrote:
> > > Hi,
> > >
> > > I have a configuration like below and the VPN connection is successfully
> > > established, but the client side gets "1.1.1.127" as tunnel IP. Can we
> > > change this tunnel IP? I cannot find any clue about why strongSwan assigns
> > > "1.1.1.127" as tunnel IP to clients.
> > >
> > > Thanks.
> > >
> > > *StrongSwan Config (Left)*
> > >
> > >     conn vpn-test
> > >       left=%defaultroute
> > >       leftsubnet=172.30.1.1/25
> > >       leftauth=psk
> > >       leftfirewall=no
> > >       right=%any
> > >       rightsubnet=0.0.0.0/0
> > >       rightsourceip=10.254.0.0/24
> > >       auto=add
> > >       keyexchange=ikev1
> > >       rightauth=psk
> > >       rightauth2=xauth
> > >       type=tunnel
> > >       mobike=yes
> > >       rightid=%any
> > >
> > > *Client VPN Status: (Aruba Instant AP - Right)*
> > >
> > >     current using tunnel :primary tunnel
> > >     current tunnel using time  :1 hour 43 minutes 31 seconds
> > >     ipsec is preempt status  :disable
> > >     ipsec is fast failover status  :disable
> > >     ipsec hold on period :0s
> > >     ipsec tunnel monitor frequency (seconds/packet) :5
> > >     ipsec tunnel monitor timeout by lost packet cnt :6
> > >
> > >     ipsec     primary tunnel crypto type :PSK
> > >     ipsec     primary tunnel peer address  :52.55.49.104
> > >     ipsec     primary tunnel peer tunnel ip  :1.1.1.127
> > >     ipsec     primary tunnel ap tunnel ip  :10.254.0.1
> > >     ipsec     primary tunnel using interface :tun0
> > >     ipsec     primary tunnel using MTU :1230
> > >     ipsec     primary tunnel current sm status :Up
> > >     ipsec     primary tunnel tunnel status :Up
> > >     ipsec     primary tunnel tunnel retry times  :6
> > >     ipsec     primary tunnel tunnel uptime :1 hour 43 minutes 31 seconds
> > >
> > >     ipsec      backup tunnel crypto type :PSK
> > >     ipsec      backup tunnel peer address  :N/A
> > >     ipsec      backup tunnel peer tunnel ip  :N/A
> > >     ipsec      backup tunnel ap tunnel ip  :N/A
> > >     ipsec      backup tunnel using interface :N/A
> > >     ipsec      backup tunnel using MTU :N/A
> > >     ipsec      backup tunnel current sm status :Init
> > >     ipsec      backup tunnel tunnel status :Down
> > >     ipsec      backup tunnel tunnel retry times  :0
> > >     ipsec      backup tunnel tunnel





[strongSwan] Issue with IKE_SA rekey towards Cisco

2018-01-10 Thread Henrik Juul Pedersen
Hi StrongSwan community,

I'm implementing a VPN based on StrongSwan for the client side (an
embedded linux board) for a customer. Currently we are testing against
a Cisco ASA5506.

Our requirements:
 - Clients must be able to uniquely identify themselves
 - Clients have unique passwords generated from secrets known at both ends.
 - Clients must get IP and DNS information from the concentrator
 - Clients must function behind NAT

We have implemented it with IKEv1 and XAUTH, we use a secret shared
between all clients for the first stage IKE_SA, and we use a generated
password and a unique username for XAUTH.

The clients connect and are able to rekey the CHILD_SA on expiry every
hour, but when reauthenticating the IKE_SA after 4 hours, some
miscommunication results in loss of connection.

I can't disclose the customer, or their application, but I've supplied
sanitized configuration- and log-files, which should show the setup
and the runtime results. If I've removed some important context please
let me know, and I'll try and present the needed information.

We have enabled 'cisco_unity' in charon.conf, and for testing we have
enabled 'i_dont_care_about_security_and_use_aggressive_mode_psk', so
this shouldn't be the thing stopping us.

We have tested the setup with a Shrew Soft client on a Windows
machine, which seems to be able to keep the connection alive
indefinitely (possibly with minor interruptions - we haven't been able
to test with a long-running connection on Windows).

These logs are made from a Linux PC with newest available StrongSwan client:
 - IKE charon daemon (strongSwan 5.6.1, Linux 4.14.10-1-ARCH, x86_64)

We are not using swanctl as that isn't the default for our embedded
target. We control StrongSwan using the ipsec script.

I've tried to follow
"https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests",
and have supplied full (sanitized) log files as MIME attachments.
Please let me know if you prefer them externally hosted, or supplied
inline in future communication.

I hope some of you have an idea of what the issue might be. I'm sure
we've just made some misconfiguration.

Thank you in advance,
Best regards
Henrik Juul Pedersen
LIAB ApS


Thu, 2018-01-04 17:36 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1, Linux 4.14.10-1-ARCH, x86_64)
Thu, 2018-01-04 17:36 00[LIB] plugin 'ldap': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'aesni': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'aes': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'des': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'rc2': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'sha2': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'sha3': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'sha1': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'md5': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'mgf1': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'random': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'nonce': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'x509': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'revocation': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'constraints': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pubkey': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pkcs1': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pkcs7': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pkcs8': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pkcs12': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pgp': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'dnskey': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'sshkey': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'dnscert': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'pem': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'openssl': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'fips-prf': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'gmp': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'curve25519': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'agent': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'chapoly': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'xcbc': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'cmac': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'hmac': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'ntru': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'newhope': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'bliss': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'curl': loaded successfully
Thu, 2018-01-04 17:36 00[LIB] plugin 'mysql' failed to load: libmysqlclient.so.18: cannot open shared object file: No such file or di

Re: [strongSwan] OpenWRT. IPSec server

2018-01-10 Thread Sujoy

Hi Noel,

When I run "ipsec up tunnel" I get the message below:

scheduling reauthentication in 2905s
maximum IKE_SA lifetime 3445s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'tunnel' failed


Following is my client config file:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    left=192.168.10.1
    right=X.X.X.X
    ike=aes256-sha1-modp2048
    #ike=aes256-sha384-prfsha384-ecp384!
    esp=aes256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=1h
    dpdaction=restart
    authby=psk
    auto=start

Thanks, Sujoy





On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:

> Hi,
>
> Only on the responder.
> If you use dpd and enforce UDP encapsulation, you do not need to open any ports
> on the initiator side.
> Refer to the UsableExamples wiki page[1] for example configurations that are
> usable in the real world.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>
> On 28.12.2017 08:51, Sujoy wrote:
>
> > Hi All,
> >
> > We want to implement StrongSwan, with IPsec, in OpenWRT. The IPSec server will be
> > running on CentOS and the OpenWRT router will connect to it using VPN. I have
> > configured the server part and am struggling to configure the client part. Do we
> > need to open port 4500 for this first?
> >
> > Can anyone suggest a solution for this?
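Noel's explanation in the IPSec Tunnel IP thread (a peer-proposed 1.1.1.127 surviving because rightsubnet=0.0.0.0/0 contains it, versus %dynamic as Jafar suggests) and the TS_UNACCEPTABLE notify in Sujoy's log are two outcomes of the same traffic-selector narrowing rule, which this added example models the IKEv2 way (RFC 7296 section 2.9); it is not strongSwan code. The peer addresses, the server-side subnets and the `narrow_remote_ts` helper are constructed assumptions; %dynamic is modelled as "the leased virtual IP, else the peer's own address".

```python
"""Model of IKEv2 traffic-selector (TS) narrowing (RFC 7296, section 2.9).

The responder intersects each TS the initiator proposes with the TS it has
configured for that peer.  Whatever survives becomes the CHILD_SA's TS; if
nothing survives, no CHILD_SA is built and the responder answers with a
TS_UNACCEPTABLE notify.  Added illustration, not strongSwan source; IPv4 only.
"""
from ipaddress import ip_network, IPv4Network
from typing import List, Optional

DYNAMIC = "%dynamic"  # strongSwan's default when rightsubnet= is omitted


def expand_rightsubnet(rightsubnet: str, peer_addr: str,
                       virtual_ip: Optional[str]) -> List[IPv4Network]:
    """Turn a rightsubnet= value into the networks the responder will accept.

    %dynamic restricts the remote TS to the virtual IP leased from the
    rightsourceip pool, or to the peer's own address when none is leased.
    An explicit 0.0.0.0/0 accepts anything the peer proposes inside it,
    which is how an AP's 1.1.1.127 can end up as the tunnel TS.
    """
    if rightsubnet == DYNAMIC:
        return [ip_network(f"{virtual_ip or peer_addr}/32")]
    return [ip_network(part.strip()) for part in rightsubnet.split(",")]


def _intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two networks; None when they do not overlap."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow_remote_ts(rightsubnet: str, peer_addr: str, virtual_ip: Optional[str],
                     proposed: List[str]) -> Optional[List[str]]:
    """Narrow the peer's proposed TS list against the responder's configuration.

    Returns the narrowed TS as strings, or None where the responder would
    send TS_UNACCEPTABLE because the intersection is empty.
    """
    configured = expand_rightsubnet(rightsubnet, peer_addr, virtual_ip)
    narrowed: List[IPv4Network] = []
    for ts in proposed:
        for cfg in configured:
            hit = _intersect(ip_network(ts), cfg)
            if hit is not None and hit not in narrowed:
                narrowed.append(hit)
    return [str(n) for n in narrowed] or None


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed public address of the AP
    # The thread's setup: rightsubnet=0.0.0.0/0, lease 10.254.0.1, AP proposes 1.1.1.127.
    print(narrow_remote_ts("0.0.0.0/0", peer, "10.254.0.1", ["1.1.1.127/32"]))
    # Same lease with rightsubnet=%dynamic (or the line removed): only the leased
    # address is acceptable, so the 1.1.1.127 proposal is rejected.
    print(narrow_remote_ts(DYNAMIC, peer, "10.254.0.1", ["1.1.1.127/32"]))
    print(narrow_remote_ts(DYNAMIC, peer, "10.254.0.1", ["10.254.0.1/32"]))
    # A client with no leftsubnet= proposes its own address; a server whose
    # rightsubnet= does not contain it (constructed here) answers TS_UNACCEPTABLE.
    print(narrow_remote_ts("10.0.0.0/8", "198.51.100.7", None, ["192.168.10.1/32"]))
```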