[strongSwan] strongSwan site-to-site VPN on DMZ host with single interface

2018-11-23 Thread tom
Hello,

how is it possible to run a strongSwan site-to-site VPN placed in a
DMZ with only a single NIC?
The strongSwan server is placed in my DMZ with a routable public IP
1.1.1.1 (public LAN 1.1.1.0/24).
My local IP, to which all outgoing traffic through the tunnel should be
NATed, is 10.0.0.1.

local site:
 leftsubnet=10.0.0.1/32

Remote site:
 rightsubnet=10.0.0.0/24
 right=2.2.2.2


Do I have to bind 10.0.0.1 as an alias IP on the same NIC as 1.1.1.1?
How do I have to set up the NAT?

I would be very glad if you could put me on the right way. I hope I
made a clear explanation.

Kind regards
tom


[strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Sven Anders
Hello!

We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.

Our problem is that after some uptime strongSwan rejects connections with
the following message:

  charon: 23422[CFG] unable to install policy 10.0.0.0/8 === 192.168.3.67/32 out for reqid 14832, the same policy for reqid 4388 exists

If we restart strongswan, the connections begin to work correctly again.

The installed policy (in this case) is the following:

src 10.0.0.0/8 dst 192.168.3.67/32
dir out priority 379519 ptype main
tmpl src 217.6.20.66 dst 84.160.101.118
proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel

The connections are mainly from iPhones and are using IKEv2.

Any ideas what causes this?
Is there an option to force the replacement of a policy?

I already tried to change "auto=add" to "auto=route", which I found in a
description of a similar problem, but that changed nothing...

Regards
 Sven Anders

---8X-

Here is the configuration:

ipsec.conf:
---

config setup
  uniqueids=never
  charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3, knl 2

conn rw-base
  fragmentation=yes
  dpdtimeout=90s
  dpddelay=30s
  dpdaction=clear

conn rw-config
  also=rw-base
  reauth=no
  rekey=no

  ike=aes256-sha2_256-prfsha256-modp1024-modp2048,aes256gcm16-prfsha384-modp3072!
  esp=aes256-sha2_256-prfsha256,aes256-sha1,aes256gcm16-modp3072!
  leftsubnet=10.0.0.0/8   # Split tunnel config
  leftid="vpn.company.net"
  leftcert=server.crt
  leftsendcert=always  # not "never"
  left=217.6.20.66
  lefthostaccess=yes
  rightdns=10.1.3.10, 10.1.3.11
  rightsourceip=%static, %dynamic

conn ikev2-pubkey
  also=rw-config
  keyexchange=ikev2
  auto=route

strongswan.conf
---
charon { load_modular = yes  plugins { include strongswan.d/charon/*.conf } }
include strongswan.d/*.conf

charon {
  install_routes = no
  install_virtual_ip = no
  crypto_test { bench = yes }
  plugins {
    attr-sql {
      database = sqlite:///var/lib/ipsec/ippool.sqlite3
    }
    attr {
      dns = 10.1.3.10, 10.1.3.11
      25 = company.local
      split-include = 10.0.0.0/8
      split-exclude = 0.0.0.0/0
      28675 = company.local
    }
  }
}


Here is the log file:
-

Nov 23 10:11:39 2101120420063 charon: 23422[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer supports MOBIKE
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] authentication of 'vpn.company.net' (myself) with RSA signature successful
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] IKE_SA ikev2-pubkey[18259] established between 217.6.20.66[vpn.company.net]...188.238.227.128[joko.cl...@company.fi]
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] IKE_SA ikev2-pubkey[18259] state change: CONNECTING => ESTABLISHED
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] sending end entity cert "C=DE, ST=BY, O=Company, CN=vpn.company.net"
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer requested virtual IP %any
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] no available address found in pool 'static'
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] acquired new lease for address 192.168.3.67 in pool 'dynamic'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] assigning virtual IP 192.168.3.67 to peer 'joko.cl...@company.fi'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer requested virtual IP %any6
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] no virtual IP found for %any6 requested by 'joko.cl...@company.fi'
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building (25) attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building UNITY_SPLITDNS_NAME attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[IKE] building INTERNAL_IP4_DNS attribute
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] proposing traffic selectors for us:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]  10.0.0.0/8
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] proposing traffic selectors for other:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]  192.168.3.67/32
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]   candidate "ikev2-pubkey" with prio 2+2
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] found matching child config "ikev2-pubkey" with prio 4
Nov 23 10:11:39 2101120420063 charon: 23422[CFG] selecting proposal:
Nov 23 10:11:39 2101120420063 charon: 23422[CFG]   proposal matches
Nov 
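As an added triage example (not from this thread and not part of strongSwan's own tooling): the script below pulls the two reqids out of every "unable to install policy ... the same policy for reqid ... exists" line in the charon log and matches the blocking reqid against the entries of `ip xfrm policy`, so the stale policy's SPI and peer address can then be searched for in the full log. The log lines and xfrm entries embedded below are constructed samples in the two formats quoted in the post above.

```python
import re

# Charon's conflict message as quoted in the thread (one log line originally).
CONFLICT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d).*?unable to install policy (?P<src>\S+) === "
    r"(?P<dst>\S+) (?P<dir>in|out|fwd) for reqid (?P<new>\d+), the same policy for "
    r"reqid (?P<old>\d+) exists")
# One `ip xfrm policy` entry in the four-line layout quoted in the thread.
XFRM_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+)\s+dir (?P<dir>\S+) .*?tmpl src (?P<tsrc>\S+) "
    r"dst (?P<tdst>\S+)\s+proto esp spi (?P<spi>\S+) reqid (?P<reqid>\d+)", re.S)

def find_blocking_reqids(log_lines):
    """Map each reqid that blocked a policy install to (time, new reqid, selector)."""
    blocked = {}
    for m in filter(None, map(CONFLICT_RE.search, log_lines)):
        blocked.setdefault(int(m["old"]), []).append(
            (m["ts"], int(m["new"]), f"{m['src']} === {m['dst']} {m['dir']}"))
    return blocked

def parse_xfrm_policies(text):
    """Parse every entry of `ip xfrm policy` output into a dict of its fields."""
    return [m.groupdict() for m in XFRM_RE.finditer(text)]

def stale_policies(log_lines, xfrm_text):
    """Kernel policies whose reqid is blocking new CHILD_SAs; their SPI and peer
    address are what to search for in the full log to see why they were left behind."""
    blocked = find_blocking_reqids(log_lines)
    return [p for p in parse_xfrm_policies(xfrm_text) if int(p["reqid"]) in blocked]

# Constructed sample input (not from the thread), in the two quoted formats.
SAMPLE_LOG = [
    "Nov 23 10:11:39 2101120420063 charon: 23422[IKE] peer supports MOBIKE",
    "Nov 23 10:11:39 2101120420063 charon: 23422[CFG] unable to install policy 10.0.0.0/8"
    " === 192.168.3.67/32 out for reqid 14832, the same policy for reqid 4388 exists",
    "Nov 23 10:14:02 2101120420063 charon: 23422[CFG] unable to install policy 10.0.0.0/8"
    " === 192.168.3.67/32 out for reqid 14840, the same policy for reqid 4388 exists",
]
SAMPLE_XFRM = """src 10.0.0.0/8 dst 192.168.3.67/32
\tdir out priority 379519 ptype main
\ttmpl src 217.6.20.66 dst 84.160.101.118
\t\tproto esp spi 0x0f95ddf2 reqid 4388 mode tunnel
src 10.0.0.0/8 dst 192.168.3.68/32
\tdir out priority 379519 ptype main
\ttmpl src 217.6.20.66 dst 203.0.113.5
\t\tproto esp spi 0x1a2b3c4d reqid 14801 mode tunnel
"""
```

Run against the real charon log and the live `ip xfrm policy` dump; every entry returned by `stale_policies` is a policy whose reqid no CHILD_SA should still own, and its `spi` and `tdst` are the values to search for in the full log.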

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Tobias Brunner
Hi Sven,

> We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.

Try using a newer strongSwan version.

> The installed policy (in this case) is the following:
> 
> src 10.0.0.0/8 dst 192.168.3.67/32
> dir out priority 379519 ptype main
> tmpl src 217.6.20.66 dst 84.160.101.118
> proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel

Use the full log to see why it may have been left there.  That log
snippet you added is not really useful.

> I already tried to change "auto=add" to "auto=route", which I found in a 
> description
> of a similar problem, but that changed nothing...

auto=route makes no sense on a gateway for roadwarriors.

Regards,
Tobias


Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Sven Anders
On 23.11.18 at 11:11, Tobias Brunner wrote:
> Hi Sven,
> 
>> We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.
> 
> Try using a newer strongSwan version.

So the problem is known?
Which version should I use at least? Will 5.6.3 be enough, or
should I use 5.7.1 instead?

>> The installed policy (in this case) is the following:
>>
>> src 10.0.0.0/8 dst 192.168.3.67/32
>> dir out priority 379519 ptype main
>> tmpl src 217.6.20.66 dst 84.160.101.118
>> proto esp spi 0x0f95ddf2 reqid 4388 mode tunnel
> 
> Use the full log to see why it may have been left there.  That log
> snippet you added is not really useful.

There are many requests and the log file is very long.
What kind of message do you expect or what should I search for?

>> I already tried to change "auto=add" to "auto=route", which I found in a 
>> description
>> of a similar problem, but that changed nothing...
> 
> auto=route makes no sense on a gateway for roadwarriors.

OK, I just read about it in another similar problem, and this was one idea
to solve it (the race condition?)...


Regards
 Sven Anders

-- 
 Sven Anders  () UTF-8 Ribbon Campaign
 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin