[strongSwan] Manual SA using strongswan

2018-01-19 Thread manimuthu m a
HI All,

My sincere apology for my ignorance.

I just started to work on strongswan and ipsec in linux. My need is very
simple for now, I tried googling it for more than a week. Most probably I
didn't use the right term.

Can we establish manual SA using strongswan? if so can someone help me with
an example?

Once again sorry for my ignorance.

Regards,
Manimuthu.


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-01-19 Thread Noel Kuntze
Hi,

Why did you remove the integrity algorithm from the proposal?
Use a known integrity algorithm in the proposal and it will work.

Kind regards

Noel

On 19.01.2018 15:35, Sujoy wrote:
> Hi Noel and lists,
> 
> I am getting the following error while trying to connect from OpenWRT, the 
> same server with other Linux clients are connected. There are no logs 
> available in the device. The device connected but failed to establish 
> *tunnel.*
> 
> it will be a big help for me, if anyone can help in solving this issue. 
> Thanks a lot once again for the support.
> 
> 
> 
> Server screen
> 
> 
> 
> Thanks
> 
> On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:
>> Hi,
>>
>> Check the logs of the remote side.
>> It means the remote peer did not like the proposed traffic selector. It was 
>> probably outside of the network range that its own configuration allows, 
>> meaning narrowing failed.
>>
>> Kind regards
>>
>> Noel
>>
>>
>> On 16.01.2018 07:25, Sujoy wrote:
>>> Hi Noel,
>>>
>>> Same strongswan 5.3.3 configuration working in my VM(client) to desktop 
>>> server. But not working from my OpenWRT to Global IP used nated Linux 
>>> server. Can you help me to solve this. 
>>>
>>> what means "received TS_UNACCEPTABLE notify, no CHILD_SA built"
>>>
>>> Server config file.
>>>
>>>
>>>
>>>
>>> Thanks & Regards
>>>
>>> Sujoy
>>>
>>> On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
>>>> Hi,
>>>>
>>>> Only on the responder.
>>>> If you use dpd and enforce UDP encapsulation, you do not need to open any 
>>>> ports on the initiator side.
>>>> Refer to the UsableExamples wiki page[1] for example configurations that 
>>>> are usable in the real world.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>>>>
>>>> On 28.12.2017 08:51, Sujoy wrote:
>>>>> Hi All,
>>>>>
>>>>>
>>>>> We want to implement StrongSwan, with IPsec in OpenWRT. IPSec server will 
>>>>> be running in CentOS and the OpenWRT router will connect to it using VPN. 
>>>>> I have configured the server part, struggling to configure the client 
>>>>> part. Do we need to open port 4500 for this first?
>>>>>
>>>>> Anyone can suggest any solution for this.
>>>>>
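Noel's answer above comes down to putting a known integrity algorithm back into the proposal. As an added example that is not part of this thread or of strongSwan itself, here is a small POSIX shell lint for an `esp=` value: it flags a proposal that names a classic cipher without any integrity algorithm, which is the configuration Noel is pointing at, and accepts AEAD ciphers, which carry their own. The algorithm keywords are strongSwan's; the script and its function names are my own (assumed).

```shell
#!/bin/sh
# Added example, not from the thread: lint a strongSwan esp= proposal string
# before it goes into ipsec.conf. A proposal that names a classic cipher
# (aes256, 3des, ...) but no integrity algorithm is what Noel is pointing at;
# only AEAD ciphers (GCM, CCM, ChaCha20-Poly1305, GMAC) may leave it out.
# Function names are my own; the algorithm keywords are strongSwan's.

# Map one proposal token to its role.
classify() {
    case "$1" in
        *gcm*|*ccm*|chacha20poly1305|*gmac) echo aead ;;
        aes128|aes192|aes256|3des|camellia128|camellia192|camellia256|null) echo enc ;;
        md5*|sha1*|sha256*|sha384*|sha512*|aesxcbc|aescmac) echo integ ;;
        modp*|ecp*|curve25519|x25519|curve448|x448) echo dh ;;
        esn|noesn) echo esn ;;
        *) echo unknown ;;
    esac
}

# Check a single proposal (tokens joined by "-"). Prints a verdict, returns 0/1.
check_one() {
    p=${1%!}                 # a trailing "!" only marks the proposal as strict
    enc=0; aead=0; integ=0; unknown=""
    oldifs=$IFS; IFS=-
    for tok in $p; do
        case "$(classify "$tok")" in
            aead)    aead=1 ;;
            enc)     enc=1 ;;
            integ)   integ=1 ;;
            unknown) unknown="$unknown $tok" ;;
        esac
    done
    IFS=$oldifs
    if [ -n "$unknown" ]; then
        echo "$1: unknown token(s):$unknown"; return 1
    elif [ "$aead" -eq 1 ]; then
        echo "$1: ok (AEAD cipher carries its own integrity)"; return 0
    elif [ "$enc" -eq 0 ]; then
        echo "$1: no encryption algorithm"; return 1
    elif [ "$integ" -eq 0 ]; then
        echo "$1: cipher without integrity algorithm; add e.g. sha256"; return 1
    fi
    echo "$1: ok"; return 0
}

# Check a whole esp= value: several proposals separated by ",".
check_esp_proposal() {
    rc=0
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    for prop in "$@"; do
        check_one "$prop" || rc=1
    done
    return $rc
}

# Constructed samples: the first two are acceptable, the third drops integrity.
for sample in aes256-sha256-modp2048 aes128gcm16-ecp256 aes256-modp2048; do
    check_esp_proposal "$sample" || true
done
```

Run it against the `esp=` line from both ends of the tunnel; the initiator's and responder's lists have to share at least one proposal, and a proposal that strongSwan cannot build will never match the other side's, whatever the other side offers.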





Re: [strongSwan] Manual SA using strongswan

2018-01-19 Thread manimuthu m a
Hi Noel,

Thank you for the clarification.

Regards,
Manimuthu.

On Fri, Jan 19, 2018 at 7:37 PM Noel Kuntze
 wrote:

> Hi,
>
> strongSwan is an IKE daemon. Its purpose is to negotiate dynamic SAs. As
> soon as you have an IKE daemon, you do not need any static SAs anymore.
> It therefore does not support static SAs. If you want that, you need to
> use your system's tools (e.g. iproute2 (ip xfrm ...)).
>
> Kind regards
>
> Noel
>
> On 19.01.2018 12:35, manimuthu m a wrote:
> >
> >
> > On Fri, Jan 19, 2018 at 4:38 PM manimuthu m a  > wrote:
> >
> > HI All,
> >
> > My sincere apology for my ignorance.
> >
> > I just started to work on strongswan and ipsec in linux. My need is
> very simple for now, I tried googling it for more than a week. Most
> probably I didn't use the right term.
> >
> > Can we establish manual SA using strongswan? if so can someone help
> me with an example?
> >
> > Once again sorry for my ignorance.
> >
> > Regards,
> > Manimuthu.
> >
>
>


Re: [strongSwan] Restrict reachable IP address space (IKEv2-EAP VPN)

2018-01-19 Thread Noel Kuntze
Hi,

The proper solution is to use either ...
1) attribute certificates that certify group membership for the client
2) Use an AAA service (RADIUS!) to get group memberships from the user directory

Then use rightgroups to switch conns based on the user's group membership.

Kind regards

Noel

On 17.01.2018 16:14, Peter Benko wrote:
> Hi all,
>
> I have a working strongswan IKEv2-EAP VPN setup, where remote (windows) 
> clients connect to a corporate LAN.
>
> Now I'd like to select certain 'restricted' users that are only able to 
> access a single IP address on the corporate network. My initial idea is to 
> use iptables rules for that on the VPN server. For this to work, I'd need a 
> separate client IP address range allocated for these 'restricted' users. How 
> can I do this? Is it possible to define a separate connection in ipsec.conf 
> based on e.g., server DNS name (e.g., vpn-resticted.domain.com instead of 
> vpn.domain.com)? In this 'restricted' connection, I could define a different 
> rightsourceip range, which I could use in the iptables rules... But how could 
> I prevent clients connecting to the unrestricted vpn.domain.com?
>
> Or am I completely wrong here? Is there maybe a more straightforward way to 
> achieve my high level goal?
>
> Thanks,
>
> Peter
>
>
>
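As an added example, not part of this thread or of strongSwan's own documentation, the split Noel describes written out as configuration: two conns that share one IKEv2/EAP setup but differ in `rightgroups` and `rightsourceip`, so the pool a user lands in (and therefore which iptables rules apply, as Peter planned) is decided by the group the AAA server reports rather than by the server name the client connected to. The shell script below only emits the fragments and checks that the two pools are disjoint; the group names, pools, RADIUS address, certificate file name and reachable host are constructed placeholders, and it assumes the `eap-radius` plugin with `class_group = yes`, which turns the RADIUS Class attribute into the group names that `rightgroups` matches on.

```shell
#!/bin/sh
# Added example, not from the thread: the group-based split Noel describes,
# written as ipsec.conf / strongswan.conf fragments plus the iptables rules
# Peter had in mind. Which pool a user gets is decided by the group the AAA
# server reports (RADIUS Class attribute, enabled by class_group = yes in the
# eap-radius plugin), not by the server name the client connected to, so there
# is no second DNS name to police. Group names, pools, RADIUS address and the
# reachable host are constructed placeholders for this example.

FULL_POOL=${FULL_POOL:-10.10.0.0/24}               # pool for unrestricted users
RESTRICTED_POOL=${RESTRICTED_POOL:-10.10.9.0/24}   # pool for restricted users
ALLOWED_HOST=${ALLOWED_HOST:-192.0.2.10}           # the one host restricted users may reach

ipsec_conf_fragment() {
cat <<EOF
# shared settings; "conn base" itself is never loaded (auto defaults to ignore)
conn base
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=vpn.domain.com
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity

conn full
    also=base
    rightgroups=vpn-users
    rightsourceip=$FULL_POOL
    auto=add

conn restricted
    also=base
    rightgroups=vpn-restricted
    rightsourceip=$RESTRICTED_POOL
    auto=add
EOF
}

strongswan_conf_fragment() {
cat <<EOF
charon {
    plugins {
        eap-radius {
            class_group = yes          # RADIUS Class attribute -> group names
            servers {
                primary {
                    address = 192.0.2.5
                    secret = REPLACE_WITH_SHARED_SECRET
                }
            }
        }
    }
}
EOF
}

# Restricted pool reaches exactly one host; everything else it sends is dropped.
iptables_rules() {
cat <<EOF
iptables -A FORWARD -s $RESTRICTED_POOL -d $ALLOWED_HOST -j ACCEPT
iptables -A FORWARD -s $RESTRICTED_POOL -j DROP
EOF
}

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if the two CIDR prefixes share any address (prefix lengths 1..32).
cidr_overlap() {
    n1=${1%/*}; p1=${1#*/}; n2=${2%/*}; p2=${2#*/}
    p=$p1; if [ "$p2" -lt "$p1" ]; then p=$p2; fi
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$n1") & mask )) -eq $(( $(ip2int "$n2") & mask )) ]
}

# The iptables match is on the source pool, so the pools must not overlap.
validate_pools() {
    if cidr_overlap "$FULL_POOL" "$RESTRICTED_POOL"; then
        echo "pools $FULL_POOL and $RESTRICTED_POOL overlap; the rules cannot tell the groups apart" >&2
        return 1
    fi
    return 0
}

validate_pools && { ipsec_conf_fragment; strongswan_conf_fragment; iptables_rules; }
```

Noel's first option, attribute certificates, works with the same two `rightgroups` lines; only the source of the group membership changes. The two FORWARD rules have to sit before any broader ACCEPT rule for VPN clients, otherwise the restricted pool is allowed through before the DROP is reached.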





Re: [strongSwan] failing install tunnel due to Operation not supported error

2018-01-19 Thread Noel Kuntze
Hi,

Looks like your current running kernel does not support XFRM anymore. Install 
one that does. If that's not the problem, reboot the box.

Kind regards

Noel

On 19.01.2018 01:39, Jaehong Park wrote:
> Hi Tobias and Martin.
>
> I started to see the following message all of a sudden and it is a total disaster.
>
> I would like to know what is causing the following issue.
>
>
> 2018-01-18T02:14:13-0500 00[KNL] getting SPD hash threshold failed: Operation 
> not supported (95)
> 2018-01-18T02:14:13-0500 00[KNL] getting SPD hash threshold failed: Operation 
> not supported (95)
> 2018-01-18T02:14:13-0500 00[KNL] unable to set IPSEC_POLICY on socket: 
> Operation not supported (95)
> 2018-01-18T02:14:13-0500 00[NET] installing IKE bypass policy failed
> 2018-01-18T02:14:13-0500 00[KNL] unable to set IPSEC_POLICY on socket: 
> Operation not supported (95)
> 2018-01-18T02:14:13-0500 00[NET] installing IKE bypass policy failed
> 2018-01-18T02:14:13-0500 00[KNL] unable to set IPSEC_POLICY on socket: 
> Operation not supported (95)
> 2018-01-18T02:14:13-0500 00[NET] installing IKE bypass policy failed
> 2018-01-18T02:14:13-0500 00[KNL] unable to set IPSEC_POLICY on socket: 
> Operation not supported (95)
> 2018-01-18T02:14:13-0500 00[NET] installing IKE bypass policy failed
>
> 2018-01-18T02:14:13-0500 09[CFG] received stroke: route 'test'
> 2018-01-18T02:14:13-0500 09[KNL] received netlink error: Operation not 
> supported (95)
> 2018-01-18T02:14:13-0500 09[KNL] unable to add policy 66.228.32.94/32 === 
> 198.58.116.210/32 out
> 2018-01-18T02:14:13-0500 09[KNL] received netlink error: Operation not 
> supported (95)
> 2018-01-18T02:14:13-0500 09[KNL] unable to add policy 198.58.116.210/32 === 
> 66.228.32.94/32 in
> 2018-01-18T02:14:13-0500 09[CFG] installing trap failed
>
> Thanks
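The pattern in that excerpt, every `[KNL]` operation failing with `Operation not supported (95)` starting with the SPD hash threshold query at daemon start, is what Noel reads as a kernel without XFRM support, and it is worth recognising automatically rather than after a tunnel is already down. As an added example, not from this thread or from strongSwan, here is a small shell triage that classifies a charon log excerpt and checks the running kernel's config for `CONFIG_XFRM_USER`; the sample lines are copied from the report above, and the function names and verdict labels are my own.

```shell
#!/bin/sh
# Added example, not from the thread: triage charon log lines for the
# "Operation not supported (95)" netlink/XFRM failures shown above, and check
# whether the running kernel was built with the XFRM netlink interface.
# The sample lines below are copied from the report in this thread.

SAMPLE_LOG="2018-01-18T02:14:13-0500 00[KNL] getting SPD hash threshold failed: Operation not supported (95)
2018-01-18T02:14:13-0500 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported (95)
2018-01-18T02:14:13-0500 00[NET] installing IKE bypass policy failed
2018-01-18T02:14:13-0500 09[CFG] received stroke: route 'test'
2018-01-18T02:14:13-0500 09[KNL] received netlink error: Operation not supported (95)
2018-01-18T02:14:13-0500 09[CFG] installing trap failed"

# Count [KNL] lines that failed with errno 95 (EOPNOTSUPP). Reads stdin;
# grep -c exits 1 on zero matches, which is not an error here.
count_eopnotsupp() {
    grep -c '\[KNL\].*Operation not supported (95)' || true
}

# Classify a log excerpt:
#   xfrm-unsupported  the SPD info query at startup already failed with 95,
#                     i.e. the kernel refuses the XFRM netlink family itself
#   partial           some XFRM operations failed with 95, startup did not
#   ok                nothing matched
diagnose_log() {
    n=$(printf '%s\n' "$1" | count_eopnotsupp)
    if [ "$n" -eq 0 ]; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'getting SPD hash threshold failed'; then
        echo xfrm-unsupported
    else
        echo partial
    fi
}

# Check the running kernel's config for CONFIG_XFRM_USER (y or m).
# Returns 0 if set, 1 if absent, 2 if no config file is readable.
kernel_has_xfrm_user() {
    cfg=/boot/config-$(uname -r)
    if [ -r /proc/config.gz ]; then
        src="zcat /proc/config.gz"
    elif [ -r "$cfg" ]; then
        src="cat $cfg"
    else
        return 2
    fi
    if $src | grep -Eq '^CONFIG_XFRM_USER=(y|m)'; then return 0; else return 1; fi
}

# Stand-alone run: diagnose the sample, then report on this kernel if possible.
echo "sample log: $(diagnose_log "$SAMPLE_LOG")"
if kernel_has_xfrm_user; then
    echo "running kernel: CONFIG_XFRM_USER present"
elif [ $? -eq 1 ]; then
    echo "running kernel: CONFIG_XFRM_USER missing"
else
    echo "running kernel: no readable config to check"
fi
```

To run it on a real box, feed the daemon log in, for example `diagnose_log "$(journalctl -u strongswan --no-pager)"` on a systemd host. A `partial` verdict after a kernel upgrade without a reboot is the other case Noel mentions: the modules on disk no longer match the running kernel.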





Re: [strongSwan] Manual SA using strongswan

2018-01-19 Thread Noel Kuntze
Hi,

strongSwan is an IKE daemon. Its purpose is to negotiate dynamic SAs. As soon 
as you have an IKE daemon, you do not need any static SAs anymore.
It therefore does not support static SAs. If you want that, you need to use 
your system's tools (e.g. iproute2 (ip xfrm ...)).

Kind regards

Noel

On 19.01.2018 12:35, manimuthu m a wrote:
>
>
> On Fri, Jan 19, 2018 at 4:38 PM manimuthu m a  > wrote:
>
> HI All,
>
> My sincere apology for my ignorance.
>
> I just started to work on strongswan and ipsec in linux. My need is very 
> simple for now, I tried googling it for more than a week. Most probably I 
> didn't use the right term. 
>
> Can we establish manual SA using strongswan? if so can someone help me 
> with an example?
>
> Once again sorry for my ignorance.
>
> Regards,
> Manimuthu.
>
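Noel's reply points to iproute2 for the case where you really want a static SA instead of an IKE daemon. As an added example, not from this thread or from the strongSwan project, the shell script below builds the `ip xfrm state` and `ip xfrm policy` commands for a manually keyed AES-256-GCM ESP tunnel between two gateways and checks the key length the kernel's `rfc4106(gcm(aes))` expects; the addresses, subnets, SPIs, reqid and keys are constructed placeholders and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a manually keyed ESP tunnel with
# iproute2, the route Noel points to once you do not want an IKE daemon.
# Everything below is a constructed placeholder; replace the addresses and
# generate fresh keys with "openssl rand -hex 36" on a real system.
# By default the commands are printed; run with APPLY=1 as root to execute them.

LOCAL_GW=${LOCAL_GW:-203.0.113.1}        # outer (tunnel endpoint) addresses
REMOTE_GW=${REMOTE_GW:-203.0.113.2}
LOCAL_NET=${LOCAL_NET:-10.1.0.0/24}      # inner (protected) subnets
REMOTE_NET=${REMOTE_NET:-10.2.0.0/24}
SPI_OUT=${SPI_OUT:-0x1001}               # one SPI per direction
SPI_IN=${SPI_IN:-0x1002}
REQID=${REQID:-1}                        # ties the policies to these SAs
# AES-256-GCM via rfc4106: 32-byte key + 4-byte salt = 36 bytes = 72 hex digits.
KEY_OUT=${KEY_OUT:-0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233}
KEY_IN=${KEY_IN:-0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100ffeeddcc}

# The kernel rejects an rfc4106 key that is not exactly key||salt long.
check_key_len() {
    k=${1#0x}
    [ ${#k} -eq 72 ]
}

# One SA per direction; 128 is the ICV length in bits.
sa_cmds() {
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel aead 'rfc4106(gcm(aes))' %s 128\n" \
        "$LOCAL_GW" "$REMOTE_GW" "$SPI_OUT" "$REQID" "$KEY_OUT"
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel aead 'rfc4106(gcm(aes))' %s 128\n" \
        "$REMOTE_GW" "$LOCAL_GW" "$SPI_IN" "$REQID" "$KEY_IN"
}

# Policies select the traffic: "out" for our own packets, "in" and "fwd" for
# packets arriving from the peer ("fwd" is what a gateway needs to forward them).
policy_cmds() {
    printf "ip xfrm policy add src %s dst %s dir out tmpl src %s dst %s proto esp reqid %s mode tunnel\n" \
        "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW" "$REQID"
    for dir in in fwd; do
        printf "ip xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp reqid %s mode tunnel\n" \
            "$REMOTE_NET" "$LOCAL_NET" "$dir" "$REMOTE_GW" "$LOCAL_GW" "$REQID"
    done
}

# All five commands, or a non-zero return if a key has the wrong length.
manual_sa_cmds() {
    check_key_len "$KEY_OUT" && check_key_len "$KEY_IN" || { echo "bad key length" >&2; return 1; }
    sa_cmds
    policy_cmds
}

install_manual_sa() {
    if [ "${APPLY:-0}" = 1 ]; then
        manual_sa_cmds | while IFS= read -r cmd; do sh -c "$cmd"; done
    else
        manual_sa_cmds
    fi
}

install_manual_sa
```

The peer runs the same script with the gateway, subnet, SPI and key pairs swapped. Two things an IKE daemon would otherwise do for you are now yours: the keys never rotate, so replacing them is a manual procedure on both ends, and strongSwan knows nothing about these SAs, so do not run both on the same host for the same traffic.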





Re: [strongSwan] Manual SA using strongswan

2018-01-19 Thread manimuthu m a
On Fri, Jan 19, 2018 at 4:38 PM manimuthu m a 
wrote:

> HI All,
>
> My sincere apology for my ignorance.
>
> I just started to work on strongswan and ipsec in linux. My need is very
> simple for now, I tried googling it for more than a week. Most probably I
> didn't use the right term.
>
> Can we establish manual SA using strongswan? if so can someone help me
> with an example?
>
> Once again sorry for my ignorance.
>
> Regards,
> Manimuthu.
>