Re: [strongSwan] "sending keep alive" seems breaking VPN connection

2018-06-06 Thread Gilles Printemps
Hi Noel/Tobias,
I've done the modification in the script as highlighted but, unfortunately,
I still have the same problem:
after 2 minutes, when I execute the same command, it fails...
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io

My routing script:

> export TABLE_ID="vpn"
> export VPN_USER="vpn"
> export VTI_INTERFACE="vti0"
> export LOCAL_IP="192.168.0.30"
> #export LOCAL_IP="10.211.55.3"
>
> # Flush iptables rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> # Deny $VPN_USER access to interfaces other than lo
> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
> # Allow $VPN_USER to access lo and the VPN interface
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>
> # Allow responses from $VTI_INTERFACE
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
> # Masquerade packets on $VTI_INTERFACE
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
> # Routing rules
> GATEWAY=$(ifconfig $VTI_INTERFACE |
>   egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>   egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
> ip route replace default via $GATEWAY table $TABLE_ID
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> ip route flush cache


I really don't understand how this issue can be related to a routing table.
Indeed, just after starting the VPN, the connection is working fine and the
command is returning the right result.

Please find below the routing table status after each step.
Hope it will help to find where this issue is coming from...
BR Gilles

$ sudo ipsec start
$ sudo ipsec statusall

> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):
>   uptime: 8 seconds,
>   malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> Listening IP addresses:
>   192.168.0.30
> Connections:
>  VPN:  %any...free-nl.hide.me  IKEv2, dpddelay=30s
>  VPN:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
>  VPN:   remote: uses public key authentication
>  VPN:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
>  VPN{1}:  ROUTED, TUNNEL, reqid 1
>  VPN{1}:   192.168.0.30/32 === 0.0.0.0/0
> Security Associations (0 up, 0 connecting):
>   none


$ sudo ip route show table all

> default via 127.0.0.1 dev lo  table vpn
> default via 192.168.0.1 dev bond0 onlink
> 192.168.0.0/24 dev bond0  proto kernel  scope link  src 192.168.0.30
> broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
> local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
> broadcast 192.168.0.0 dev bond0  table local  proto kernel  scope link  src 192.168.0.30
> local 192.168.0.30 dev bond0  table local  proto kernel  scope host  src 192.168.0.30
> broadcast 192.168.0.255 dev bond0  table local  proto kernel  scope link  src 192.168.0.30
> unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101 pref medium
> fe80::/64 dev bond0  proto kernel  metric 256  pref medium
> unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101 pref medium
> local ::1 dev lo  table local  proto none  metric 0  pref medium
> local fe80:: dev lo  table local  proto none  metric 0  pref medium
> local fe80::ca1f:66ff:fecb:1faf dev lo  table local  proto none  metric 0  pref medium
> ff00::/8 dev bond0  table local  metric 256  pref medium
> unreachable default dev lo  table unspec  proto kernel  metric 4294967295  error -101 pref medium


$ sudo ipsec up VPN
   ...
   connection 'VPN' established successfully

$ sudo -u vpn -i -- curl ipinfo.io

> {
>   "ip": "95.211.101.229",
>   "city": "",
>   "region": "",
>   "country": "NL",
>
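
A small check script for the policy-routing pieces the script above relies on, added here as an example; it is not code from the original post or from the strongSwan project. It assumes, as the standard way fwmark-based policy routing is wired, that packets carrying mark 0x1 are steered with an "ip rule ... fwmark 0x1 lookup vpn" entry, and that the "vpn" table's first default route should leave via vti0 (MARK, TABLE_ID and VTI_INTERFACE mirror the values in the script). The functions take command output as text so they can run offline against constructed samples; with --live they read the host's own "ip rule show" and "ip route show table vpn".

```shell
#!/bin/sh
# Added example, not from the original post: check the two policy-routing
# pieces a fwmark-based per-user VPN setup depends on.
# Assumptions (not stated in the thread): marked packets are steered with an
# "ip rule ... fwmark 0x1 lookup vpn" entry, and the vpn table's first default
# route should leave via the VTI interface.

MARK="0x1"
TABLE_ID="vpn"
VTI_INTERFACE="vti0"

# has_fwmark_rule RULE_OUTPUT
# Exit 0 if the text of "ip rule show" contains a rule sending packets with
# fwmark $MARK (with or without a /mask suffix) to table $TABLE_ID.
has_fwmark_rule() {
    printf '%s\n' "$1" |
        grep -Eq "fwmark ${MARK}(/[0-9a-fx]+)? lookup ${TABLE_ID}( |\$)"
}

# table_default_dev ROUTE_OUTPUT
# Print the device of the first "default" route in the text of
# "ip route show table <id>"; print nothing if there is no default route.
table_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
            exit
        }'
}

# check_vpn_routing RULE_OUTPUT ROUTE_OUTPUT
# Print a one-line verdict; exit 0 only if the mark is looked up in $TABLE_ID
# and that table's first default route leaves via $VTI_INTERFACE.
check_vpn_routing() {
    rules="$1"
    routes="$2"
    if ! has_fwmark_rule "$rules"; then
        echo "missing: ip rule for fwmark $MARK -> table $TABLE_ID"
        return 1
    fi
    dev=$(table_default_dev "$routes")
    if [ "$dev" != "$VTI_INTERFACE" ]; then
        echo "wrong default route in table $TABLE_ID: dev '${dev:-none}', expected $VTI_INTERFACE"
        return 1
    fi
    echo "ok: fwmark $MARK -> table $TABLE_ID -> default via $VTI_INTERFACE"
    return 0
}

# Constructed sample outputs (not captured from the thread's host): a healthy
# layout, and a vpn table that only holds the loopback fallback route.
SAMPLE_RULES_OK="0:      from all lookup local
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default"
SAMPLE_ROUTES_OK="default via 10.0.0.1 dev vti0
default via 127.0.0.1 dev lo"
SAMPLE_ROUTES_LO_ONLY="default via 127.0.0.1 dev lo"

# With --live, check this host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    check_vpn_routing "$(ip rule show)" "$(ip route show table "$TABLE_ID")"
fi
```

Run it once right after "ipsec up" and again after the connection has failed: a changed verdict points at the routing side, an unchanged "ok" points elsewhere (the firewall rules or the resolver path).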

Re: [strongSwan] disable new SA's at a strongSwan instance

2018-06-06 Thread Tobias Brunner
Hi Mike,

> We have a customer who wants to avoid new SA Connections when the server
> has high processor load.
> 
> Is there a known strategy to realize those requirements?

See [1] for the currently available options to limit new SAs.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority#IKE_SA_INIT-dropping


Re: [strongSwan] Strongswan 5.6.2: Segfault if charondebug = cfg > 2

2018-06-06 Thread Sven Anders
Thanks,

with -O2 it works. My previous version (5.5.1) worked with -O3 and the same
compiler without problems.
Is this a common problem and are there any recommendations regarding the
optimization or compiler flags to use (or not to use)?

Regards
 Sven

On 05.06.2018 at 22:16, Noel Kuntze wrote:
> Hi,
> 
> Try with O2, not O3.
> 
> Kind regards
> 
> Noel
> 
> On 05.06.2018 22:11, Sven Anders wrote:
>> Hello!
>>
>> I'm experiencing a segmentation fault if I set charondebug = cfg to a value
>> greater than 2.
>> I'm using Strongswan 5.6.2 on Linux kernel 4.1.39 on a 32-bit system.
>>
>> Strongswan was compiled with:
>>
>> ./configure CFLAGS="-g -march=core2 -O3 -fstack-protector" 
>> LDFLAGS="-D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now" --prefix=/usr
>> --sysconfdir=/etc --enable-aes --enable-bliss --enable-blowfish --enable-ccm 
>> --enable-chapoly --enable-cmac --enable-ctr --enable-des ...



Kind regards
 Sven Anders

-- 
 Sven Anders  () UTF-8 Ribbon Campaign
 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestraße 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Legal form: Aktiengesellschaft - Registered office: Passau - Register court: Passau HRB 6032
Members of the Management Board: Dipl.-Inf. Sven Anders, Dipl.-Inf. Marcus Junker
Chairman of the Supervisory Board: RA Mark Peters

[strongSwan] disable new SA's at a strongSwan instance

2018-06-06 Thread Ettrich, Mike, NMU-DSJ
Hi!

We have a customer who wants to avoid new SA Connections when the server has 
high processor load.

Is there a known strategy to realize those requirements?

Kind regards,
Mike.