[strongSwan] Looking for a strongSwan contractor / consultant with AWS experience

2018-04-04 Thread F Rafi
Hello folks,

We're an NYC-based health-tech company looking for a strongSwan contractor
/ consultant with AWS experience. We want to establish IPsec tunnels
originating at multiple customers' environments and terminating at our
strongSwan EC2 instances hosted inside our AWS VPC.

We want this person to be able to sanity-check our existing architecture,
recommend configuration best-practices, do hands-on configuration to create
the tunnels, and potentially participate in customer calls in order to
gather / negotiate requirements.

Please reply off-list.

Thanks,
Farhan


[strongSwan] VICI: Stale SA's found even after unloading the connection.

2018-04-04 Thread Vignesh Kesavan
Hi,

We are using strongSwan 5.5.3 and the VICI Python library to program IPsec tunnels.

We use the load_conn/unload_conn APIs to configure/delete a tunnel in strongSwan
respectively.

This problem arises when we try to unload a tunnel which is in CONNECTING
state. On issuing unload_conn, the connection is getting deleted (verified using
swanctl --list-conns). But the SA continues to exist and charon retries to establish
the tunnel (verified using swanctl --list-sas). Ideally we expect the SA to get
deleted after unload.

Please find attached the Python script that we used to simulate the problem. The
destination used in the script (10.10.10.1) is not a reachable host, so the tunnel
is in connecting state. In this state, after calling unload_conn, the connection is
getting deleted. But the SA exists.

Please suggest a way to overcome this problem.

Note:
1. We tried calling the Terminate API before calling unload. Even that didn't help.
We ended up with the same behavior (can be seen from the attached logs
(python_output.txt)).
2. This problem is not seen on tunnels which are in established state.
Unload_conn deletes the connection and SAs properly.

Thanks
Vignesh


Attachment: load.py
Apr 04 00:50:52   charon[920]: 08[CFG] added vici connection: vv
Apr 04 00:50:52   charon[920]: 08[CFG] initiating 'vv'
Apr 04 00:50:52   charon[920]: 08[IKE] initiating Aggressive Mode IKE_SA vv[1] to 10.10.10.1
Apr 04 00:50:52   charon[920]: 08[IKE] initiating Aggressive Mode IKE_SA vv[1] to 10.10.10.1
Apr 04 00:50:52   charon[920]: 08[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Apr 04 00:50:52   charon[920]: 08[NET] sending packet: from 10.155.3.2[500] to 10.10.10.1[500] (368 bytes)
Apr 04 00:50:52   charon[920]: 04[NET] error writing to socket: Invalid argument
Apr 04 00:50:56   charon[920]: 13[IKE] sending retransmit 1 of request message ID 0, seq 1
Apr 04 00:50:56   charon[920]: 13[NET] sending packet: from 10.155.3.2[500] to 10.10.10.1[500] (368 bytes)
Apr 04 00:50:56   charon[920]: 04[NET] error writing to socket: Invalid argument
Apr 04 00:51:03   charon[920]: 07[IKE] sending retransmit 2 of request message ID 0, seq 1
Apr 04 00:51:03   charon[920]: 07[NET] sending packet: from 10.155.3.2[500] to 10.10.10.1[500] (368 bytes)
Apr 04 00:51:03   charon[920]: 04[NET] error writing to socket: Invalid argument
pod#strongswan start
Starting weakSwan 5.5.3 IPsec [starter]...
pod#>python2.7 load.py 
===Load start =
List of conn after loading:
OrderedDict([(u'vv', OrderedDict([(u'local_addrs', ['10.155.3.2']), 
(u'remote_addrs', ['10.10.10.1']), (u'version', 'IKEv1'), (u'reauth_time', 
'0'), (u'rekey_time', '14400'), (u'unique', 'UNIQUE_NO'), (u'local-1', 
OrderedDict([(u'class', 'pre-shared key'), (u'id', 'priyank+site'), (u'groups', 
[]), (u'certs', []), (u'cacerts', [])])), (u'remote-1', OrderedDict([(u'class', 
'pre-shared key'), (u'id', '10.10.10.1'), (u'groups', []), (u'certs', []), 
(u'cacerts', [])])), (u'children', OrderedDict([(u'vv', OrderedDict([(u'mode', 
'TUNNEL'), (u'rekey_time', '14400'), (u'rekey_bytes', '0'), (u'rekey_packets', 
'0'), (u'local-ts', ['dynamic']), (u'remote-ts', ['dynamic'])]))]))]))])
List of valid sas after loading:
OrderedDict([(u'vv', OrderedDict([(u'uniqueid', '1'), (u'version', '1'), 
(u'state', 'CONNECTING'), (u'local-host', '10.155.3.2'), (u'local-port', 
'500'), (u'local-id', 'priyank+site'), (u'remote-host', '10.10.10.1'), 
(u'remote-port', '500'), (u'remote-id', '%any'), (u'initiator', 'yes'), 
(u'initiator-spi', '7cd4247ef787618d'), (u'responder-spi', ''), 
(u'tasks-queued', ['QUICK_MODE']), (u'tasks-active', ['ISAKMP_VENDOR', 
'ISAKMP_CERT_PRE', 'AGGRESSIVE_MODE', 'ISAKMP_CERT_POST', 'ISAKMP_NATD']), 
(u'child-sas', OrderedDict())]))])
===Load end ===
===Terminate Start =
List of conn after unload:
List of sas after unload:
OrderedDict([(u'vv', OrderedDict([(u'uniqueid', '1'), (u'version', '1'), 
(u'state', 'CONNECTING'), (u'local-host', '10.155.3.2'), (u'local-port', 
'500'), (u'local-id', 'priyank+site'), (u'remote-host', '10.10.10.1'), 
(u'remote-port', '500'), (u'remote-id', '%any'), (u'initiator', 'yes'), 
(u'initiator-spi', '7cd4247ef787618d'), (u'responder-spi', ''), 
(u'tasks-queued', ['QUICK_MODE']), (u'tasks-active', ['ISAKMP_VENDOR', 
'ISAKMP_CERT_PRE', 'AGGRESSIVE_MODE', 'ISAKMP_CERT_POST', 'ISAKMP_NATD']), 
(u'child-sas', OrderedDict())]))])
===Terminate End =
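A check for the situation described in this post, added here as an example and not part of the original post or its attached load.py: compare what list_conns and list_sas report after unload_conn and flag any IKE_SA whose connection name is no longer loaded. The sample data is constructed from the output above; the live part assumes the strongSwan Python vici package (vici.Session, list_conns(), list_sas()) and only works against a running charon with the vici plugin.

```python
from collections import OrderedDict

# Constructed from the post's output: after unload_conn the connection list is
# empty, but list_sas still reports the IKE_SA 'vv' in CONNECTING state.
CONNS_AFTER_UNLOAD = []
SAS_AFTER_UNLOAD = [
    OrderedDict([('vv', OrderedDict([
        ('uniqueid', '1'), ('version', '1'), ('state', 'CONNECTING'),
        ('local-host', '10.155.3.2'), ('remote-host', '10.10.10.1'),
        ('tasks-active', ['ISAKMP_VENDOR', 'AGGRESSIVE_MODE']),
        ('child-sas', OrderedDict()),
    ]))]),
]


def find_stale_sas(conns, sas):
    """Return (name, uniqueid, state) for every IKE_SA in `sas` whose
    connection name does not appear in `conns`.

    `conns` and `sas` are the streamed results of list_conns() / list_sas():
    each item is a mapping with a single key, the connection name. SAs are
    kept in a list because several IKE_SAs can share one connection name.
    """
    loaded = set()
    for item in conns:
        loaded.update(item.keys())
    stale = []
    for item in sas:
        for name, sa in item.items():
            if name not in loaded:
                stale.append((name, sa.get('uniqueid'), sa.get('state')))
    return stale


def stale_sas_from_daemon():
    """Run the same check against a live charon over vici. Assumes the
    strongSwan Python vici package and a running daemon (default socket)."""
    import vici  # assumed: the 'vici' package shipped with strongSwan
    session = vici.Session()
    return find_stale_sas(list(session.list_conns()), list(session.list_sas()))


if __name__ == '__main__':
    for name, uid, state in find_stale_sas(CONNS_AFTER_UNLOAD, SAS_AFTER_UNLOAD):
        print('stale IKE_SA %s (uniqueid %s) still in state %s' % (name, uid, state))
```

Running the check right after unload_conn in the provisioning script gives the uniqueid of anything left behind, which is the value the vici terminate command accepts as ike-id.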


[strongSwan] Cannot pass the traffic through the established tunnel.

2018-04-04 Thread Sujoy

Hi list members,

I am facing one issue with strongSwan for quite a long time. I want to
block all the traffic (HTTP) and pass only the traffic of the connected
network. But after so many tries, I still cannot do so. Below is the
configuration status of the server, which has multiple connections.
It will be a big help if someone can provide any solution to this.
Thanks for the support provided till now by the members.

root@cloud:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 19 hours, since Apr 03 18:02:13 2018
  malloc: sbrk 2703360, mmap 0, used 570192, free 2133168
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.12.42
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
  tunnel[6]: ESTABLISHED 66 minutes ago, 172.25.12.42[X.X.X.X]...223.227.10.138[192.168.1.100]
  tunnel[6]: IKEv2 SPIs: 1e596ccc27d7939a_i c459f660671c3952_r*, pre-shared key reauthentication in 101 minutes
  tunnel[6]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{16}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cc167350_i c722bb0f_o
  tunnel{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
  tunnel{16}:   X.X.X.X/32 === 192.168.10.1/32
  tunnel[5]: ESTABLISHED 76 minutes ago, 172.25.12.42[X.X.X.X]...27.59.17.206[192.168.2.100]
  tunnel[5]: IKEv2 SPIs: 6bac8f644b19cf85_i 07c5f9254cda6720_r*, pre-shared key reauthentication in 90 minutes
  tunnel[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{17}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3015f13_i ce6ea6b8_o
  tunnel{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 36 minutes
  tunnel{17}:   X.X.X.X/32 === 192.168.10.1/32
--

Thanks
Sujoy


Re: [strongSwan] Calculating the generated MAC address when identity_lease is enabled

2018-04-04 Thread Tobias Brunner
Hi Micah,

> However, I became confused here, because the MAC address I am seeing on my 
> DHCP server is 7a:a7:bc:8b:b5:ec. After the hardcoded 0x7A and 0xA7 bytes, 
> there are only four bytes, but the SipHash-2-4 documentation I'm reading, as 
> well as the commit message for commit 
> 1255de5a2076dc591dfa1ffefffea077bd218319 which appears to have added this 
> functionality, claims that SipHash-2-4 returns 64 bits / 8 bytes.

A MAC address is 48 bits, so the 32 bits after the first two bytes are
taken from the 64-bit SipHash-2-4 value (just by casting to a uint32_t)
which is then run through htonl() and copied to the address buffer.  To
calculate the value the 128-bit key 0x000102030405060708090a0b0c0d0e0f
is used.

> Have I missed something? And more importantly, is there a better way to do 
> this?

If you use FQDNs as client identities they will be sent in a hostname
option (12) in the DHCP request, which you might be able to use directly.

Regards,
Tobias