Re: [strongSwan] local_ts based on user/group

2019-10-30 Thread Christian Salway
One possible way I can see this working is by using the _updown script to set 
firewall rules and set the local_ts with all private network addresses...


up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here. 
;;  
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;


https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/_updown/_updown.in#L224
 



> On 30 Oct 2019, at 23:20, Christian Salway wrote:
> 
> Hello,
> 
> 
> Is it possible to dynamically set the local_ts based on the group the user is 
> a member of?
> 
> 
> I have 3 private networks and 1 public network that holds the strongSwan VPN 
> server.  From the public network, I can access each private network.
> 
> When Carol connects to the VPN, I only want her to be able to access private 
> networks 1 and 2.
> When David connects to the VPN, I only want him to be able to access private 
> networks 2 and 3.
> When Anna connects, she can access all networks.
> 
> Can you think of how this can be done in anyway using strongSwan?  The 
> problem I am facing is dynamically setting the local_ts before SS sends the 
> routes to the client.
> 
> This is my configuration so far:
> 
> 
> echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip_forward.conf
> sysctl -p /etc/sysctl.d/ip_forward.conf
> 
> iptables -t nat -A POSTROUTING -s ${CLIENT_ADDR_POOL} -o eth0 -j MASQUERADE
> iptables-save > /etc/sysconfig/iptables
> 
> sed -i "s|# \(install_routes\).*$|\1 = no|" 
> /etc/strongswan/strongswan.d/charon.conf
> 
> cat <<EOF > /etc/strongswan/swanctl/swanctl.conf
> connections {
>     conn {
>         version = 2
>         send_cert = always
>         unique = replace
>         rekey_time = 10h
>         dpd_delay = 1m
>         local {
>             auth = pubkey
>             certs = vpnserver.crt
>             id = ${SERVER_FQDNAME}
>         }
>         remote {
>             auth = eap-mschapv2
>             eap_id = %any
>             # groups = ${AAA_GROUP}
>         }
>         children {
>             child {
>                 local_ts = ${CIDR_A}, ${CIDR_B}, ${CIDR_C}
>                 # updown = /usr/libexec/strongswan/_updown iptables
>             }
>         }
>         pools = pool
>     }
> }
> pools {
>     pool {
>         addrs = ${CLIENT_ADDR_POOL}
>     }
> }
> secrets {
>     eap-test {
>         id = test
>         secret = Test123
>     }
> }
> include conf.d/*.conf
> EOF
> 
> systemctl start strongswan-swanctl
> systemctl enable strongswan-swanctl
> 
> 


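The _updown idea above, worked through as an added example (my script, not strongSwan's _updown and not code from the original post): the child keeps local_ts covering all three networks, so every client receives the same traffic selectors, and the hook narrows what each identity is actually allowed to forward to. The network addresses, the identity-to-network map and the install path are assumptions. So is my understanding that the updown plugin fills PLUTO_PEER_ID with the EAP identity when EAP authentication was used; log the variable from the script on your version before relying on it.

```shell
#!/bin/sh
# vpn-acl: per-identity forwarding filter for strongSwan's updown hook.
# Added example; not part of strongSwan or of the original post.
#
# charon runs this with PLUTO_VERB (up-client / down-client), PLUTO_PEER_ID
# (the peer identity; assumed here to be the EAP identity for EAP clients) and
# PLUTO_PEER_CLIENT (the pool address handed to the client, with a /32 mask).
# Install with   updown = /usr/local/sbin/vpn-acl   in the child section.

NET1=10.10.1.0/24   # assumed private network 1
NET2=10.10.2.0/24   # assumed private network 2
NET3=10.10.3.0/24   # assumed private network 3

# allowed_nets <identity>: print the networks this identity may reach.
# An identity that is not listed gets nothing.
allowed_nets() {
    case "$1" in
        carol) echo "$NET1 $NET2" ;;
        david) echo "$NET2 $NET3" ;;
        anna)  echo "$NET1 $NET2 $NET3" ;;
        *)     echo "" ;;
    esac
}

# acl_rules <add|del> <identity> <client-ip>: print the iptables commands for
# one client. Printing instead of executing keeps the rule generation testable;
# run_rules executes the lines.
acl_rules() {
    action=$1; id=$2; ip=$3
    case "$action" in
        add) op=-I ;;
        del) op=-D ;;
        *)   echo "acl_rules: unknown action '$action'" >&2; return 1 ;;
    esac
    # -I puts every rule at the top of FORWARD, so the catch-all DROP is emitted
    # first and the ACCEPTs inserted after it end up above it.
    echo "iptables $op FORWARD -s $ip -m policy --dir in --pol ipsec -j DROP"
    for n in $(allowed_nets "$id"); do
        echo "iptables $op FORWARD -s $ip -d $n -m policy --dir in --pol ipsec -j ACCEPT"
    done
}

# run_rules: execute one command per line read from stdin, reporting failures.
run_rules() {
    while IFS= read -r cmd; do
        $cmd || echo "vpn-acl: failed: $cmd" >&2
    done
}

# Only act when charon calls us; sourcing or running the file by hand is a no-op.
case "${PLUTO_VERB:-}" in
    up-client)   acl_rules add "$PLUTO_PEER_ID" "${PLUTO_PEER_CLIENT%%/*}" | run_rules ;;
    down-client) acl_rules del "$PLUTO_PEER_ID" "${PLUTO_PEER_CLIENT%%/*}" | run_rules ;;
esac
```

After a client connects, `iptables -L FORWARD -n` should show its ACCEPT rules above its DROP. With the FORWARD policy ACCEPT, as in the posted setup, replies from the networks back to the client need no extra rule; with a DROP policy add the mirror rules. What this cannot do is change which routes the client installs: every client still learns all three networks from local_ts, it just cannot reach the ones it is not allowed.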

[strongSwan] local_ts based on user/group

2019-10-30 Thread Christian Salway
Hello,


Is it possible to dynamically set the local_ts based on the group the user is a 
member of?


I have 3 private networks and 1 public network that holds the strongSwan VPN 
server.  From the public network, I can access each private network.

When Carol connects to the VPN, I only want her to be able to access private 
networks 1 and 2.
When David connects to the VPN, I only want him to be able to access private 
networks 2 and 3.
When Anna connects, she can access all networks.

Can you think of how this can be done in anyway using strongSwan?  The problem 
I am facing is dynamically setting the local_ts before SS sends the routes to 
the client.

This is my configuration so far:


echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf

iptables -t nat -A POSTROUTING -s ${CLIENT_ADDR_POOL} -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

sed -i "s|# \(install_routes\).*$|\1 = no|" 
/etc/strongswan/strongswan.d/charon.conf

cat <<EOF > /etc/strongswan/swanctl/swanctl.conf
connections {
    conn {
        version = 2
        send_cert = always
        unique = replace
        rekey_time = 10h
        dpd_delay = 1m
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = ${SERVER_FQDNAME}
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            # groups = ${AAA_GROUP}
        }
        children {
            child {
                local_ts = ${CIDR_A}, ${CIDR_B}, ${CIDR_C}
                # updown = /usr/libexec/strongswan/_updown iptables
            }
        }
        pools = pool
    }
}
pools {
    pool {
        addrs = ${CLIENT_ADDR_POOL}
    }
}
secrets {
    eap-test {
        id = test
        secret = Test123
    }
}
include conf.d/*.conf
EOF

systemctl start strongswan-swanctl
systemctl enable strongswan-swanctl




[strongSwan] Problem with tunnel half-working

2019-10-30 Thread Bertucci Roberto
Hello, I have a problem with a s2s VPN between StrongSwan and Cisco ASA.
Site A is the one with StrongSwan server and Site B is the one with ASA.
Site A is Ubuntu 19.10

Ipsec tunnel raises up and stays up nicely.

Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 and 
the gateway router NATs with YYY.YYY.YYY.YYY address.
Site B internal network is 192.168.0.0/23

This ping works:
192.168.1.XXX ---> 10.0.1.

This ping does not work:
10.0.1. ---> 192.168.1.XXX

If I try a traceroute from 10.0.1 to 192.168.1, it seems that packets are 
routed through the internet connection and not through the tunnel.

These are configuration and system status of StrongSwan server.

 sysctl.conf 
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

 strongswan.conf 

charon {

   load_modular = yes

   #install_routes = no

   plugins {

 include strongswan.d/charon/*.conf

   }

}

 ipsec.conf 

config setup

#charondebug="all 2"

charondebug="cfg 2"

uniqueids=yes

strictcrlpolicy=no



conn %default

ikelifetime=1440m

keylife=60m

rekeymargin=3m

keyingtries=1

keyexchange=ikev1

authby=secret



conn spc-to-varazze

   left=10.0.0.100

   #leftfirewall=yes

   leftsubnet=10.0.1.0/24

   right=XXX.XXX.XXX.XXX

   rightsubnet=192.168.0.0/23

   auto=start

   ike=aes256-sha1-modp1024

   esp=aes256-sha1-modp1024

 xfrm status 

root@router:/etc# ip -s xfrm state

src 10.0.0.100 dst XXX.XXX.XXX.XXX

   proto esp spi 0x6a05615e(1778737502) reqid 1(0x0001) mode tunnel

   replay-window 0 seq 0x flag af-unspec (0x0010)

   auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 
bits) 96

   enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)

   encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

   anti-replay context: seq 0x0, oseq 0x529, bitmap 0x

   lifetime config:

 limit: soft (INF)(bytes), hard (INF)(bytes)

 limit: soft (INF)(packets), hard (INF)(packets)

 expire add: soft 3414(sec), hard 3600(sec)

 expire use: soft 0(sec), hard 0(sec)

   lifetime current:

 79260(bytes), 1321(packets)

 add 2019-10-30 22:15:10 use 2019-10-30 22:15:15

   stats:

 replay-window 0 replay 0 failed 0

src XXX.XXX.XXX.XXX dst 10.0.0.100

   proto esp spi 0xcf6665c0(3479594432) reqid 1(0x0001) mode tunnel

   replay-window 32 seq 0x flag af-unspec (0x0010)

   auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 
bits) 96

   enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)

   encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

   anti-replay context: seq 0x529, oseq 0x0, bitmap 0x

   lifetime config:

 limit: soft (INF)(bytes), hard (INF)(bytes)

 limit: soft (INF)(packets), hard (INF)(packets)

 expire add: soft 3407(sec), hard 3600(sec)

 expire use: soft 0(sec), hard 0(sec)

   lifetime current:

 79260(bytes), 1321(packets)

 add 2019-10-30 22:15:10 use 2019-10-30 22:15:15

   stats:

 replay-window 0 replay 0 failed 0

 iptables and ufw status 

root@router:/etc# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source   destination

ACCEPT all  --  anywhere anywhere

ACCEPT all  --  anywhere anywhere

ACCEPT all  --  anywhere anywhere ctstate 
RELATED,ESTABLISHED



Chain FORWARD (policy ACCEPT)

target prot opt source   destination

ACCEPT all  --  anywhere anywhere

ACCEPT all  --  anywhere anywhere ctstate 
RELATED,ESTABLISHED



Chain OUTPUT (policy ACCEPT)

target prot opt source   destination

root@router:/etc# ufw status

Status: inactive


I've done a lot of searches but none of the answers I found was useful.

Any help/suggestion will be welcome.

RB
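One check worth running before anything else on a half-working tunnel: watch the per-SA packet counters that `ip -s xfrm state` already prints while a host behind the gateway pings across. If the inbound SA (peer -> this host) keeps counting but the outbound one stays flat, the inside host's packets are never reaching the IPsec policy on this box, which points at routing on the LAN side or at `ip xfrm policy`, not at the SA itself. This is an added example of mine, not from the original post; the sample snapshot is constructed from the output above, with 203.0.113.7 standing in for the redacted peer address.

```shell
#!/bin/sh
# Added example: diff per-SA packet counters from `ip -s xfrm state` to see
# which direction of a tunnel actually carries traffic.

# xfrm_counts: read `ip -s xfrm state` output on stdin and print one line per
# SA: "src dst packets". The "limit:" lines also say "(packets)" and are skipped.
xfrm_counts() {
    awk '
        /^src / { src = $2; dst = $4 }
        /\(packets\)/ && !/limit/ { n = $2; sub(/\(packets\).*/, "", n); print src, dst, n }
    '
}

# count_delta <before> <after>: for every SA in <after>, print "src dst delta"
# where delta is packets counted since the <before> snapshot (both are the
# output of xfrm_counts). An SA absent from <before> counts from zero.
count_delta() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { after = 1; next }
        !after  { before[$1 " " $2] = $3; next }
        { key = $1 " " $2; print key, $3 - before[key] }
    '
}

# report <local-ip>: label each delta line on stdin as outbound (this host
# encrypts, src is our own address) or inbound (this host decrypts).
report() {
    while read -r src dst delta; do
        if [ "$src" = "$1" ]; then dir=outbound; else dir=inbound; fi
        echo "$dir SA $src -> $dst: $delta packets"
    done
}

# probe_tunnel <local-ip> <seconds>: snapshot, wait while a host behind the
# gateway pings the far side, snapshot again, and show which direction moved.
probe_tunnel() {
    before=$(ip -s xfrm state | xfrm_counts)
    sleep "$2"
    after=$(ip -s xfrm state | xfrm_counts)
    count_delta "$before" "$after" | report "$1"
}

# Constructed sample, modelled on the output in the post (peer address made up).
SAMPLE_BEFORE='src 10.0.0.100 dst 203.0.113.7
    proto esp spi 0x6a05615e(1778737502) reqid 1(0x0001) mode tunnel
    lifetime config:
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      79260(bytes), 1321(packets)
src 203.0.113.7 dst 10.0.0.100
    proto esp spi 0xcf6665c0(3479594432) reqid 1(0x0001) mode tunnel
    lifetime current:
      79260(bytes), 1321(packets)'
# Second snapshot a few seconds later: only the inbound SA moved (1321 -> 1324).
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed '$s/1321(packets)/1324(packets)/')

# demo: run the comparison on the constructed snapshots.
demo() {
    count_delta "$(printf '%s\n' "$SAMPLE_BEFORE" | xfrm_counts)" \
                "$(printf '%s\n' "$SAMPLE_AFTER"  | xfrm_counts)" | report 10.0.0.100
}

case "${1:-}" in
    probe) probe_tunnel "$2" "${3:-10}" ;;   # e.g.  ./xfrm-probe.sh probe 10.0.0.100 10
    *)     demo ;;
esac
```

On the constructed data this prints an outbound delta of 0 and an inbound delta of 3, which is the signature of packets leaving the LAN by some other path. When that is what you see, `ip route get 192.168.1.1` on the gateway and on an inside host, plus `ip xfrm policy`, are the next places to look.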



Re: [strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

2019-10-30 Thread Tobias Brunner
Hi,

> but when I do:
> 
> $ strongswan pki --issue  --flag nonRepudiation

That's not a flag value supported by strongSwan (it will just be ignored).

> and then:
> 
> $ strongswan pki --print --in ipsec.d/certs/suc...@openstack.der.new
> 
> ...
> 
>   flags: 
> ..
> 
> nothing gets there?

With the pki tool you don't have to do anything special as it doesn't
encode keyUsage flags (except for CA certificates and CRL signer
certificates, which you both don't want to use as end-entity
certificates for IKE authentication).

Regards,
Tobias
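The rule Tobias states, as an added check of mine (not strongSwan's code): a certificate passes charon's keyUsage test for IKE signature authentication when it carries no keyUsage extension at all, or when the extension includes digitalSignature or nonRepudiation; a keyUsage that lists only other bits (keyEncipherment alone, for instance) is what produces the "rejecting certificate without digitalSignature or nonRepudiation keyUsage flags" line. openssl prints the bits as "Digital Signature" and "Non Repudiation". File names are assumptions.

```shell
#!/bin/sh
# Added example: check a certificate against strongSwan's keyUsage requirement.

# ku_acceptable <keyUsage bits as printed by openssl, or empty>: returns 0 if
# charon would accept the certificate for IKE authentication, 1 otherwise.
ku_acceptable() {
    case "$1" in
        "")                                        return 0 ;;  # extension absent: fine
        *"Digital Signature"*|*"Non Repudiation"*) return 0 ;;  # required bit present
        *)                                         return 1 ;;  # only other bits: rejected
    esac
}

# cert_keyusage <cert file>: print the keyUsage bits of a PEM or DER certificate,
# empty output if the extension is not present.
cert_keyusage() {
    fmt=DER
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null && fmt=PEM
    openssl x509 -inform "$fmt" -in "$1" -noout -text \
        | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

# check_cert <cert file>: print the verdict; exit status 1 if charon would reject it.
check_cert() {
    ku=$(cert_keyusage "$1")
    if ku_acceptable "$ku"; then
        echo "$1: keyUsage '${ku:-<absent>}' is acceptable for IKE authentication"
    else
        echo "$1: keyUsage '$ku' lacks digitalSignature/nonRepudiation; charon would reject it"
        return 1
    fi
}

# Usage:  ./check-ku.sh ipsec.d/certs/server.der
if [ $# -gt 0 ]; then
    check_cert "$1"
fi
```

Run it on both the end-entity certificate and the CA certificate the peer presents. A CA certificate normally carries keyCertSign and cRLSign only, which is fine for a CA but, as Tobias notes, not for a certificate used to authenticate an IKE peer.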


Re: [strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

2019-10-30 Thread lejeczek
On 30/10/2019 16:37, Tobias Brunner wrote:
> Hi,
>
>> Is the problem caused by my certificates being crafted in a way which
>> did not comply with what Strongswan requires?
> Yep.
>
>> Or this can be resolved with configuration?
> No.  Either don't add any keyUsage flags to the certificate, or include
> at least one of the mentioned flags.
>
> Regards,
> Tobias

but when I do:

$ strongswan pki --issue  --flag nonRepudiation

and then:

$ strongswan pki --print --in ipsec.d/certs/suc...@openstack.der.new

...

  flags: 
..

nothing gets there?





Re: [strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

2019-10-30 Thread Tobias Brunner
Hi,

> Is the problem caused by my certificates being crafted in a way which
> did not comply with what Strongswan requires?

Yep.

> Or this can be resolved with configuration?

No.  Either don't add any keyUsage flags to the certificate, or include
at least one of the mentioned flags.

Regards,
Tobias


Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread lejeczek
On 30/10/2019 16:05, Noel Kuntze wrote:
>> Or might be some peculiar case when subjects of both CA and server's
>> cert subjects are identical then something brakes??
> Probably be that, too.
>
> You should stop trying to hit so many corner cases. And if you want actual 
> help, provide what I asked.
>
>
>
> Am 30.10.19 um 16:27 schrieb lejeczek:
>> On 30/10/2019 15:08, Noel Kuntze wrote:
>>> Hello L.,
>>>
>>> You're probably doing it wrong.
>>>
>>> Please provide your complete config and output of ipsec listcerts.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 30.10.19 um 16:06 schrieb lejeczek:
 On 30/10/2019 13:22, Noel Kuntze wrote:
> Hello L.,
>
> Make sure you have the private key for your certificate registered in 
> ipsec.secrets.
> Your config has a couple of problems:
> 1) rightid="C=Shire, O=NRR, CN=*": Wildcards are not supported. Put the 
> actual SAN or DN in the rightid field.
> 2) No configured leftid on the responder: Set leftid to the value that 
> the remote peer expects. E.g. what you configured in rightid.
>It has to be authenticated by the certificate.
>
> Kind regards
>
> Noel
>
> Am 29.10.19 um 19:18 schrieb lejeczek:
>> hi everyone,
>>
>> I've asked a long time ago, was not urgent and I did put it off.
>>
>> I have a relatively simple config, on the server:
>>
>> conn to_NRR
>>  
>> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>>
>>  
>> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>>
>>  
>>   dpdaction=clear
>>   dpddelay=300s
>>   rekey=no
>>  
>>   left=%any
>>   #leftsubnet=0.0.0.0/0
>>   leftsubnet=10.5.8.0/24
>>   leftcert="NRR-vpn-clusterserver.cert.der"
>>  
>>   right=%any
>>   rightdns=10.5.8.204
>>   rightsourceip=10.5.8.220,10.5.8.221
>>  
>> conn IPSec-IKEv2
>>     keyexchange=ikev2
>>     auto=add
>>  
>> conn IPSec-IKEv2-EAP
>>     also="IPSec-IKEv2"
>>     #rightauth=eap-mschapv2
>>     #rightauthby2=pubkey
>>     rightauth=pubkey
>>     #rightauthby2=eap-mschapv2
>>     rightsendcert=never
>>     eap_identity=%any
>>  
>> conn CiscoIPSec
>>     keyexchange=ikev1
>>     forceencaps=yes
>>     authby=xauthrsasig
>>     xauth=server
>>     auto=add
>>
>> and when roadwarrior connects then server logs shows:
>>
>> ...
>>
>> 2[IKE] received cert request for "C=Shire, O=NRR,
>> CN=private.private.tam.cos"
>> 12[IKE] received 1 cert requests for an unknown ca
>> 12[IKE] received end entity cert "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos"
>> 12[CFG] looking for peer configs matching
>> 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos]
>> 12[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
>> 12[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
>> 12[CFG] selected peer config 'IPSec-IKEv2'
>> 12[CFG]   using certificate "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos"
>> 12[CFG]   certificate "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos" key: 2048 bit RSA
>> 12[CFG]   using trusted ca certificate "C=Shire, O=NRR,
>> CN=private.private.tam.cos"
>> 12[CFG] checking certificate status of "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos"
>> 12[CFG] ocsp check skipped, no ocsp found
>> 12[CFG] certificate status is not available
>> 12[CFG]   certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key:
>> 2048 bit RSA
>> 12[CFG]   reached self-signed root ca with a path length of 0
>> 12[IKE] authentication of 'C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 
>> successful
>> 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
>> 12[IKE] processing INTERNAL_IP4_DNS attribute
>> 12[IKE] peer supports MOBIKE
>> 12[IKE] got additional MOBIKE peer 

[strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

2019-10-30 Thread lejeczek
hi everyone,

I found this - https://wiki.strongswan.org/issues/3139 - but how to make
a good use of it I'm not sure.

I hit such a problem, roadwarrior side of the logs:

...

 
06[MGR] checkin of IKE_SA successful
04[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500]
04[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500]
03[NET] received packet: from 10.5.154.202[4500] to 10.0.0.5[4500]
03[NET] waiting for data on sockets
08[MGR] checkout IKEv2 SA by message with SPIs aac5dbe33ca0241f_i
f1e1d0956f4da4b5_r
08[MGR] IKE_SA TO-NRR[4] successfully checked out
08[NET] received packet: from 10.5.154.202[4500] to 10.0.0.5[4500] (576
bytes)
08[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(INT_ADDR_FAIL) N(TS_UNACCEPT) ]
08[CFG]   using trusted certificate "C=Shire, O=NRR,
CN=private.NRR.tam.cos"
08[IKE] rejecting certificate without digitalSignature or nonRepudiation
keyUsage flags
08[IKE] signature validation failed, looking for another key
08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
08[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500] (80
bytes)
08[KNL] deleting SAD entry with SPI cfa253fc
08[KNL] deleted SAD entry with SPI cfa253fc
08[MGR] checkin and destroy IKE_SA TO-NRR[4]
08[IKE] IKE_SA TO-NRR[4] state change: CONNECTING => DESTROYING


Is the problem caused by my certificates being crafted in a way which
did not comply with what Strongswan requires?

Or this can be resolved with configuration?

many thanks, L.





Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread lejeczek
On 30/10/2019 15:08, Noel Kuntze wrote:
> Hello L.,
>
> You're probably doing it wrong.
>
> Please provide your complete config and output of ipsec listcerts.
>
> Kind regards
>
> Noel
>
> Am 30.10.19 um 16:06 schrieb lejeczek:
>> On 30/10/2019 13:22, Noel Kuntze wrote:
>>> Hello L.,
>>>
>>> Make sure you have the private key for your certificate registered in 
>>> ipsec.secrets.
>>> Your config has a couple of problems:
>>> 1) rightid="C=Shire, O=NRR, CN=*": Wildcards are not supported. Put the 
>>> actual SAN or DN in the rightid field.
>>> 2) No configured leftid on the responder: Set leftid to the value that the 
>>> remote peer expects. E.g. what you configured in rightid.
>>>It has to be authenticated by the certificate.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 29.10.19 um 19:18 schrieb lejeczek:
 hi everyone,

 I've asked a long time ago, was not urgent and I did put it off.

 I have a relatively simple config, on the server:

 conn to_NRR
  
 ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!

  
 esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

  
   dpdaction=clear
   dpddelay=300s
   rekey=no
  
   left=%any
   #leftsubnet=0.0.0.0/0
   leftsubnet=10.5.8.0/24
   leftcert="NRR-vpn-clusterserver.cert.der"
  
   right=%any
   rightdns=10.5.8.204
   rightsourceip=10.5.8.220,10.5.8.221
  
 conn IPSec-IKEv2
     keyexchange=ikev2
     auto=add
  
 conn IPSec-IKEv2-EAP
     also="IPSec-IKEv2"
     #rightauth=eap-mschapv2
     #rightauthby2=pubkey
     rightauth=pubkey
     #rightauthby2=eap-mschapv2
     rightsendcert=never
     eap_identity=%any
  
 conn CiscoIPSec
     keyexchange=ikev1
     forceencaps=yes
     authby=xauthrsasig
     xauth=server
     auto=add

 and when roadwarrior connects then server logs shows:

 ...

 2[IKE] received cert request for "C=Shire, O=NRR,
 CN=private.private.tam.cos"
 12[IKE] received 1 cert requests for an unknown ca
 12[IKE] received end entity cert "C=Shire, O=NRR,
 CN=suc...@private.private.tam.cos"
 12[CFG] looking for peer configs matching
 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR,
 CN=suc...@private.private.tam.cos]
 12[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
 12[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
 12[CFG] selected peer config 'IPSec-IKEv2'
 12[CFG]   using certificate "C=Shire, O=NRR,
 CN=suc...@private.private.tam.cos"
 12[CFG]   certificate "C=Shire, O=NRR,
 CN=suc...@private.private.tam.cos" key: 2048 bit RSA
 12[CFG]   using trusted ca certificate "C=Shire, O=NRR,
 CN=private.private.tam.cos"
 12[CFG] checking certificate status of "C=Shire, O=NRR,
 CN=suc...@private.private.tam.cos"
 12[CFG] ocsp check skipped, no ocsp found
 12[CFG] certificate status is not available
 12[CFG]   certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key:
 2048 bit RSA
 12[CFG]   reached self-signed root ca with a path length of 0
 12[IKE] authentication of 'C=Shire, O=NRR,
 CN=suc...@private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 successful
 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
 12[IKE] processing INTERNAL_IP4_DNS attribute
 12[IKE] peer supports MOBIKE
 12[IKE] got additional MOBIKE peer address: 10.0.16.6
 12[IKE] got additional MOBIKE peer address: 10.5.10.49
 12[CFG] no IDr configured, fall back on IP address
 12[IKE] no private key found for '192.168.2.202'
 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
 12[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500] (80
 bytes)
 12[MGR] checkin and destroy IKE_SA IPSec-IKEv2[2]
 12[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => DESTROYING
 03[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500]
 12[MGR] checkin and destroy of 

Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread Noel Kuntze
Hello L.,

You're probably doing it wrong.

Please provide your complete config and output of ipsec listcerts.

Kind regards

Noel

Am 30.10.19 um 16:06 schrieb lejeczek:
> On 30/10/2019 13:22, Noel Kuntze wrote:
>> Hello L.,
>>
>> Make sure you have the private key for your certificate registered in 
>> ipsec.secrets.
>> Your config has a couple of problems:
>> 1) rightid="C=Shire, O=NRR, CN=*": Wildcards are not supported. Put the 
>> actual SAN or DN in the rightid field.
>> 2) No configured leftid on the responder: Set leftid to the value that the 
>> remote peer expects. E.g. what you configured in rightid.
>>It has to be authenticated by the certificate.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 29.10.19 um 19:18 schrieb lejeczek:
>>> hi everyone,
>>>
>>> I've asked a long time ago, was not urgent and I did put it off.
>>>
>>> I have a relatively simple config, on the server:
>>>
>>> conn to_NRR
>>>  
>>> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>>>
>>>  
>>> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>>>
>>>  
>>>   dpdaction=clear
>>>   dpddelay=300s
>>>   rekey=no
>>>  
>>>   left=%any
>>>   #leftsubnet=0.0.0.0/0
>>>   leftsubnet=10.5.8.0/24
>>>   leftcert="NRR-vpn-clusterserver.cert.der"
>>>  
>>>   right=%any
>>>   rightdns=10.5.8.204
>>>   rightsourceip=10.5.8.220,10.5.8.221
>>>  
>>> conn IPSec-IKEv2
>>>     keyexchange=ikev2
>>>     auto=add
>>>  
>>> conn IPSec-IKEv2-EAP
>>>     also="IPSec-IKEv2"
>>>     #rightauth=eap-mschapv2
>>>     #rightauthby2=pubkey
>>>     rightauth=pubkey
>>>     #rightauthby2=eap-mschapv2
>>>     rightsendcert=never
>>>     eap_identity=%any
>>>  
>>> conn CiscoIPSec
>>>     keyexchange=ikev1
>>>     forceencaps=yes
>>>     authby=xauthrsasig
>>>     xauth=server
>>>     auto=add
>>>
>>> and when roadwarrior connects then server logs shows:
>>>
>>> ...
>>>
>>> 2[IKE] received cert request for "C=Shire, O=NRR,
>>> CN=private.private.tam.cos"
>>> 12[IKE] received 1 cert requests for an unknown ca
>>> 12[IKE] received end entity cert "C=Shire, O=NRR,
>>> CN=suc...@private.private.tam.cos"
>>> 12[CFG] looking for peer configs matching
>>> 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR,
>>> CN=suc...@private.private.tam.cos]
>>> 12[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
>>> 12[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
>>> 12[CFG] selected peer config 'IPSec-IKEv2'
>>> 12[CFG]   using certificate "C=Shire, O=NRR,
>>> CN=suc...@private.private.tam.cos"
>>> 12[CFG]   certificate "C=Shire, O=NRR,
>>> CN=suc...@private.private.tam.cos" key: 2048 bit RSA
>>> 12[CFG]   using trusted ca certificate "C=Shire, O=NRR,
>>> CN=private.private.tam.cos"
>>> 12[CFG] checking certificate status of "C=Shire, O=NRR,
>>> CN=suc...@private.private.tam.cos"
>>> 12[CFG] ocsp check skipped, no ocsp found
>>> 12[CFG] certificate status is not available
>>> 12[CFG]   certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key:
>>> 2048 bit RSA
>>> 12[CFG]   reached self-signed root ca with a path length of 0
>>> 12[IKE] authentication of 'C=Shire, O=NRR,
>>> CN=suc...@private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 successful
>>> 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
>>> 12[IKE] processing INTERNAL_IP4_DNS attribute
>>> 12[IKE] peer supports MOBIKE
>>> 12[IKE] got additional MOBIKE peer address: 10.0.16.6
>>> 12[IKE] got additional MOBIKE peer address: 10.5.10.49
>>> 12[CFG] no IDr configured, fall back on IP address
>>> 12[IKE] no private key found for '192.168.2.202'
>>> 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>> 12[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500] (80
>>> bytes)
>>> 12[MGR] checkin and destroy IKE_SA IPSec-IKEv2[2]
>>> 12[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => DESTROYING
>>> 03[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500]
>>> 12[MGR] checkin and destroy of IKE_SA successful
>>> 07[MGR] checkout IKEv2 SA with SPIs a1791cef0af46d08_i f11cc222ffacd5bf_r
>>> 07[MGR] IKE_SA checkout not successful
>>>
>>> and the roadwarrior's 

Re: [strongSwan] *** Spam *** Re: allow multiple EAP identities but not %any

2019-10-30 Thread Noel Kuntze
Hello Christoph,

I do not know how to set groups to an empty value. However, you do not need to 
inherit anything either.
Just making different connections (IKE_SA configurations) with identical 
setting (besides eap_id and groups)
is enough.

Kind regards

Noel

Am 30.10.19 um 15:57 schrieb Christoph Harder:
> Hello Noel,
> 
> thank you.
> 
> So each identity gets its own config and inherits all settings from the base 
> config except
> connections.<conn>.remote.eap_id
> is set to one of the EAP identities
> and
> connections.<conn>.remote.groups
> is overwritten with "")?
> 
> Best regards,
> Christoph Harder
> 
> TELCO TECH GmbH
> Niederlassung Berlin
> Mädewalder Weg 2
> 12621 Berlin
> Tel.: +49 30 565862610
> Web: www.telco-tech.de
> Amtsgericht Potsdam-Stadt HRB 55 79
> Geschäftsführung:
> Bernd Schulz
> Silke Schirmer
> 
> Am 30.10.19 um 15:24 schrieb Noel Kuntze:
>> Hello list,
>>
>> Yes, you can do that.
>> Create a base config that has eap_identity=%any but 
>> rightgroups=thisdoesnotexist.
>> Then create specific configs for your other eap_identities that do not have 
>> rightgroups set.
>> Make sure the base config is earlier in the config file than the others.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 30.10.19 um 15:07 schrieb Michael Schwartzkopff:
>>> On 30.10.19 14:53, Christoph Harder wrote:
 Hello everybody,

 is it possible to define multiple EAP identities per connection,
 without using %any ?

 For example in the swanctl.conf I define two connections and in the
 secrets section I define multiple EAP secrets/identities.
 Is there any way to specify connections.<conn>.remote.eap_id
 so that only certain (but more than one) identities will be accepted?
 Or is there only the option to allow either all known identities or
 only a single one when using the swanctl.conf (and EAP identities
 stored in the secrets section)?

 Best regards,
 Christoph Harder

>>>
>>> Hi,
>>>
>>>
>>> I do not know if strongswan is flexible enough for your purpose. But if
>>> you have a RADIUS server as  backend authentication, you could
>>> accomplish your task in RADIUS.
>>>
>>>
>>> Kind regards,
>>>
>>




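Noel's suggestion, worked through as an added example (mine, not from any of the list posts): one IKEv2 connection per EAP identity, identical in everything except remote.eap_id, and no connection with eap_id = %any at all, so only the listed identities can match a connection. Because each connection has its own child, this is also the configuration-side answer to the first thread on this page: each identity's connection can carry its own local_ts. The identities, subnets, server identity, certificate name and pool are assumptions.

```shell
#!/bin/sh
# Added example: generate a swanctl.conf with one connection per EAP identity.
# The script only prints the file; redirect it into /etc/swanctl/swanctl.conf
# (or /etc/strongswan/swanctl/swanctl.conf) and run `swanctl --load-all`.

NET1=10.10.1.0/24   # assumed private network 1
NET2=10.10.2.0/24   # assumed private network 2
NET3=10.10.3.0/24   # assumed private network 3

# user_conn <conn name> <eap identity> <local_ts list>: print one connection block.
# Everything but eap_id and local_ts is the same for every identity.
user_conn() {
    cat <<EOF
    $1 {
        version = 2
        send_cert = always
        unique = replace
        rekey_time = 10h
        dpd_delay = 1m
        pools = pool
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = $2
        }
        children {
            net {
                local_ts = $3
            }
        }
    }
EOF
}

# gen_swanctl: the whole file. Deliberately no catch-all with eap_id = %any:
# an identity missing from this list matches no connection and is refused even
# if a secret for it exists.
gen_swanctl() {
    echo "connections {"
    user_conn carol carol "$NET1, $NET2"
    user_conn david david "$NET2, $NET3"
    user_conn anna  anna  "$NET1, $NET2, $NET3"
    cat <<EOF
}
pools {
    pool {
        addrs = 10.99.0.0/24
    }
}
# EAP secrets (eap-carol { id = carol  secret = ... } and so on) go in conf.d/.
include conf.d/*.conf
EOF
}

gen_swanctl
```

Each identity still needs its own entry in secrets; the connection list only decides who may match a configuration. Since local_ts is per connection, Carol's client learns only networks 1 and 2 and David's only 2 and 3, which removes the need for firewall rules for that purpose.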

Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread lejeczek
On 30/10/2019 13:22, Noel Kuntze wrote:
> Hello L.,
>
> Make sure you have the private key for your certificate registered in 
> ipsec.secrets.
> Your config has a couple of problems:
> 1) rightid="C=Shire, O=NRR, CN=*": Wildcards are not supported. Put the 
> actual SAN or DN in the rightid field.
> 2) No configured leftid on the responder: Set leftid to the value that the 
> remote peer expects. E.g. what you configured in rightid.
>It has to be authenticated by the certificate.
>
> Kind regards
>
> Noel
>
> Am 29.10.19 um 19:18 schrieb lejeczek:
>> hi everyone,
>>
>> I've asked a long time ago, was not urgent and I did put it off.
>>
>> I have a relatively simple config, on the server:
>>
>> conn to_NRR
>>  
>> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>>
>>  
>> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>>
>>  
>>   dpdaction=clear
>>   dpddelay=300s
>>   rekey=no
>>  
>>   left=%any
>>   #leftsubnet=0.0.0.0/0
>>   leftsubnet=10.5.8.0/24
>>   leftcert="NRR-vpn-clusterserver.cert.der"
>>  
>>   right=%any
>>   rightdns=10.5.8.204
>>   rightsourceip=10.5.8.220,10.5.8.221
>>  
>> conn IPSec-IKEv2
>>     keyexchange=ikev2
>>     auto=add
>>  
>> conn IPSec-IKEv2-EAP
>>     also="IPSec-IKEv2"
>>     #rightauth=eap-mschapv2
>>     #rightauthby2=pubkey
>>     rightauth=pubkey
>>     #rightauthby2=eap-mschapv2
>>     rightsendcert=never
>>     eap_identity=%any
>>  
>> conn CiscoIPSec
>>     keyexchange=ikev1
>>     forceencaps=yes
>>     authby=xauthrsasig
>>     xauth=server
>>     auto=add
>>
>> and when roadwarrior connects then server logs shows:
>>
>> ...
>>
>> 2[IKE] received cert request for "C=Shire, O=NRR,
>> CN=private.private.tam.cos"
>> 12[IKE] received 1 cert requests for an unknown ca
>> 12[IKE] received end entity cert "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos"
>> 12[CFG] looking for peer configs matching
>> 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos]
>> 12[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
>> 12[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
>> 12[CFG] selected peer config 'IPSec-IKEv2'
>> 12[CFG]   using certificate "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos"
>> 12[CFG]   certificate "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos" key: 2048 bit RSA
>> 12[CFG]   using trusted ca certificate "C=Shire, O=NRR,
>> CN=private.private.tam.cos"
>> 12[CFG] checking certificate status of "C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos"
>> 12[CFG] ocsp check skipped, no ocsp found
>> 12[CFG] certificate status is not available
>> 12[CFG]   certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key:
>> 2048 bit RSA
>> 12[CFG]   reached self-signed root ca with a path length of 0
>> 12[IKE] authentication of 'C=Shire, O=NRR,
>> CN=suc...@private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 successful
>> 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
>> 12[IKE] processing INTERNAL_IP4_DNS attribute
>> 12[IKE] peer supports MOBIKE
>> 12[IKE] got additional MOBIKE peer address: 10.0.16.6
>> 12[IKE] got additional MOBIKE peer address: 10.5.10.49
>> 12[CFG] no IDr configured, fall back on IP address
>> 12[IKE] no private key found for '192.168.2.202'
>> 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 12[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500] (80
>> bytes)
>> 12[MGR] checkin and destroy IKE_SA IPSec-IKEv2[2]
>> 12[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => DESTROYING
>> 03[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500]
>> 12[MGR] checkin and destroy of IKE_SA successful
>> 07[MGR] checkout IKEv2 SA with SPIs a1791cef0af46d08_i f11cc222ffacd5bf_r
>> 07[MGR] IKE_SA checkout not successful
>>
>> and the roadwarrior's config is:
>>
>> conn to_NRR
>>   leftsourceip=%config    # This will take an IP from the ip
>> pool on server
>>   leftcert="suc...@openstack.der"    # The user cert we copied in
>>   leftfirewall=yes
>>  
>>   right=192.168.2.202    # The location of 

Re: [strongSwan] *** Spam *** Re: allow multiple EAP identities but not %any

2019-10-30 Thread Christoph Harder

Hello Noel,

thank you.

So each identity gets its own config and inherits all settings from the 
base config except

connections..remote.eap_id
is set to one of the EAP identities
and
connections..remote.groups
is overwritten with "")?

Best regards,
Christoph Harder

TELCO TECH GmbH
Berlin branch
Mädewalder Weg 2
12621 Berlin
Tel.: +49 30 565862610
Web: www.telco-tech.de
Potsdam-Stadt District Court HRB 55 79
Managing directors:
Bernd Schulz
Silke Schirmer

On 30.10.19 at 15:24, Noel Kuntze wrote:

Hello list,

Yes, you can do that.
Create a base config that has eap_identity=%any but 
rightgroups=thisdoesnotexist.
Then create specific configs for your other eap_identities that do not have 
rightgroups set.
Make sure the base config is earlier in the config file than the others.

Kind regards

Noel

On 30.10.19 at 15:07, Michael Schwartzkopff wrote:

On 30.10.19 14:53, Christoph Harder wrote:

Hello everybody,

is it possible to define multiple EAP identities per connection,
without using %any ?

For example in the swanctl.conf I define two connections and in the
secrets section I define multiple EAP secrets/identities.
Is there any way to specify connections..remote.eap_id
so that only certain (but more than one) identities will be accepted?
Or is there only the option to allow either all known identities or
only a single one when using the swanctl.conf (and EAP identities
stored in the secrets section)?

Best regards,
Christoph Harder



Hi,


I do not know if strongswan is flexible enough for your purpose. But if
you have a RADIUS server as  backend authentication, you could
accomplish your task in RADIUS.


Kind regards,





Re: [strongSwan] allow multiple EAP identities but not %any

2019-10-30 Thread Noel Kuntze
Hello list,

Yes, you can do that.
Create a base config that has eap_identity=%any but 
rightgroups=thisdoesnotexist.
Then create specific configs for your other eap_identities that do not have 
rightgroups set.
Make sure the base config is earlier in the config file than the others.

Kind regards

Noel

On 30.10.19 at 15:07, Michael Schwartzkopff wrote:
> On 30.10.19 14:53, Christoph Harder wrote:
>> Hello everybody,
>>
>> is it possible to define multiple EAP identities per connection,
>> without using %any ?
>>
>> For example in the swanctl.conf I define two connections and in the
>> secrets section I define multiple EAP secrets/identities.
>> Is there any way to specify connections..remote.eap_id
>> so that only certain (but more than one) identities will be accepted?
>> Or is there only the option to allow either all known identities or
>> only a single one when using the swanctl.conf (and EAP identities
>> stored in the secrets section)?
>>
>> Best regards,
>> Christoph Harder
>>
> 
> Hi,
> 
> 
> I do not know if strongswan is flexible enough for your purpose. But if
> you have a RADIUS server as  backend authentication, you could
> accomplish your task in RADIUS.
> 
> 
> Kind regards,
> 



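Noel's pattern written out in swanctl.conf terms, which is what Christoph's follow-up asks about. This is an added example, not configuration posted in the thread; the connection names, the identities carol and erin, the server certificate, its id and the local_ts are assumed placeholders, and the shared settings are simply repeated in each per-identity block.

```conf
connections {
    # Base config, listed first as Noel advises: it matches any EAP identity
    # but requires a group membership that nothing ever asserts, so every
    # identity that lands here fails authorization.
    rw-base {
        version = 2
        local {
            auth = pubkey
            certs = vpnserver.crt      # placeholder certificate
            id = vpn.example.org       # placeholder server identity
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
            groups = thisdoesnotexist
        }
        children {
            rw {
                local_ts = 10.0.0.0/8  # placeholder
            }
        }
    }

    # One config per accepted identity: the same settings as rw-base, with
    # eap_id set to that identity and no groups requirement. Repeat this
    # block for every further identity you want to admit.
    rw-carol {
        version = 2
        local {
            auth = pubkey
            certs = vpnserver.crt
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = carol
        }
        children {
            rw {
                local_ts = 10.0.0.0/8
            }
        }
    }
}

secrets {
    # erin has a valid secret but no connection of her own, so only rw-base
    # matches her identity and the groups requirement turns her away.
    eap-carol {
        id = carol
        secret = "<carol-secret>"      # placeholder
    }
    eap-erin {
        id = erin
        secret = "<erin-secret>"       # placeholder
    }
}
```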


Re: [strongSwan] allow multiple EAP identities but not %any

2019-10-30 Thread Michael Schwartzkopff
On 30.10.19 14:53, Christoph Harder wrote:
> Hello everybody,
>
> is it possible to define multiple EAP identities per connection,
> without using %any ?
>
> For example in the swanctl.conf I define two connections and in the
> secrets section I define multiple EAP secrets/identities.
> Is there any way to specify connections..remote.eap_id
> so that only certain (but more than one) identities will be accepted?
> Or is there only the option to allow either all known identities or
> only a single one when using the swanctl.conf (and EAP identities
> stored in the secrets section)?
>
> Best regards,
> Christoph Harder
>

Hi,


I do not know if strongswan is flexible enough for your purpose. But if
you have a RADIUS server as  backend authentication, you could
accomplish your task in RADIUS.


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Munich District Court: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein



[strongSwan] allow multiple EAP identities but not %any

2019-10-30 Thread Christoph Harder

Hello everybody,

is it possible to define multiple EAP identities per connection, without 
using %any ?


For example in the swanctl.conf I define two connections and in the 
secrets section I define multiple EAP secrets/identities.
Is there any way to specify connections..remote.eap_id so 
that only certain (but more than one) identities will be accepted? Or is 
there only the option to allow either all known identities or only a 
single one when using the swanctl.conf (and EAP identities stored in the 
secrets section)?


Best regards,
Christoph Harder



Re: [strongSwan] centos 8

2019-10-30 Thread Noel Kuntze
Hello,

The package should be in the EPEL repo, like for CentOS 7.
I didn't check that though.

Kind regards

Noel

On 30.10.19 at 11:17, lejeczek wrote:
> On 17/10/2019 18:52, jacek burghardt wrote:
>> Where can I find a strongswan package for centos 8?
> 
> they seem to have libreswan 3.27 available in default repos
> 





Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread Noel Kuntze
Hello L.,

Make sure you have the private key for your certificate registered in 
ipsec.secrets.
Your config has a couple of problems:
1) rightid="C=Shire, O=NRR, CN=*": Wildcards are not supported. Put the actual 
SAN or DN in the rightid field.
2) No configured leftid on the responder: Set leftid to the value that the 
remote peer expects. E.g. what you configured in rightid.
   It has to be authenticated by the certificate.

Kind regards

Noel

On 29.10.19 at 19:18, lejeczek wrote:
> hi everyone,
> 
> I've asked a long time ago, was not urgent and I did put it off.
> 
> I have a relatively simple config, on the server:
> 
> conn to_NRR
>  
> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
> 
>  
> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
> 
>  
>   dpdaction=clear
>   dpddelay=300s
>   rekey=no
>  
>   left=%any
>   #leftsubnet=0.0.0.0/0
>   leftsubnet=10.5.8.0/24
>   leftcert="NRR-vpn-clusterserver.cert.der"
>  
>   right=%any
>   rightdns=10.5.8.204
>   rightsourceip=10.5.8.220,10.5.8.221
>  
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=add
>  
> conn IPSec-IKEv2-EAP
>     also="IPSec-IKEv2"
>     #rightauth=eap-mschapv2
>     #rightauthby2=pubkey
>     rightauth=pubkey
>     #rightauthby2=eap-mschapv2
>     rightsendcert=never
>     eap_identity=%any
>  
> conn CiscoIPSec
>     keyexchange=ikev1
>     forceencaps=yes
>     authby=xauthrsasig
>     xauth=server
>     auto=add
> 
> and when roadwarrior connects then server logs shows:
> 
> ...
> 
> 2[IKE] received cert request for "C=Shire, O=NRR,
> CN=private.private.tam.cos"
> 12[IKE] received 1 cert requests for an unknown ca
> 12[IKE] received end entity cert "C=Shire, O=NRR,
> CN=suc...@private.private.tam.cos"
> 12[CFG] looking for peer configs matching
> 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR,
> CN=suc...@private.private.tam.cos]
> 12[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
> 12[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
> 12[CFG] selected peer config 'IPSec-IKEv2'
> 12[CFG]   using certificate "C=Shire, O=NRR,
> CN=suc...@private.private.tam.cos"
> 12[CFG]   certificate "C=Shire, O=NRR,
> CN=suc...@private.private.tam.cos" key: 2048 bit RSA
> 12[CFG]   using trusted ca certificate "C=Shire, O=NRR,
> CN=private.private.tam.cos"
> 12[CFG] checking certificate status of "C=Shire, O=NRR,
> CN=suc...@private.private.tam.cos"
> 12[CFG] ocsp check skipped, no ocsp found
> 12[CFG] certificate status is not available
> 12[CFG]   certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key:
> 2048 bit RSA
> 12[CFG]   reached self-signed root ca with a path length of 0
> 12[IKE] authentication of 'C=Shire, O=NRR,
> CN=suc...@private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 successful
> 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
> 12[IKE] processing INTERNAL_IP4_DNS attribute
> 12[IKE] peer supports MOBIKE
> 12[IKE] got additional MOBIKE peer address: 10.0.16.6
> 12[IKE] got additional MOBIKE peer address: 10.5.10.49
> 12[CFG] no IDr configured, fall back on IP address
> 12[IKE] no private key found for '192.168.2.202'
> 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 12[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500] (80
> bytes)
> 12[MGR] checkin and destroy IKE_SA IPSec-IKEv2[2]
> 12[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => DESTROYING
> 03[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500]
> 12[MGR] checkin and destroy of IKE_SA successful
> 07[MGR] checkout IKEv2 SA with SPIs a1791cef0af46d08_i f11cc222ffacd5bf_r
> 07[MGR] IKE_SA checkout not successful
> 
> and the roadwarrior's config is:
> 
> conn to_NRR
>   leftsourceip=%config    # This will take an IP from the ip
> pool on server
>   leftcert="suc...@openstack.der"    # The user cert we copied in
>   leftfirewall=yes
>  
>   right=192.168.2.202    # The location of the host, FQDN or
> IP 
>   rightid="C=Shire, O=NRR, CN=*"  # the Altname used by the
> ipsec host
>   rightsubnet=10.5.8.0/24  # the subnet on 
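The three fixes from Noel's reply applied to lejeczek's responder and roadwarrior fragments, as an added example rather than configuration from the thread. The server certificate's CN and the key file name are placeholders (the thread does not show the server's DN), the client certificate file is a placeholder, and the CA and subnet values are the ones from the posted config.

```conf
# Responder (server) side: ipsec.conf
conn IPSec-IKEv2
    keyexchange=ikev2
    left=%any
    leftsubnet=10.5.8.0/24
    leftcert=NRR-vpn-clusterserver.cert.der
    # Fix 2: state the identity the client expects, taken from this
    # certificate's subject DN or one of its SANs. Without it charon falls
    # back to the IP address, as the "no IDr configured" log line shows.
    leftid="C=Shire, O=NRR, CN=<server-cert-cn>"    # placeholder CN
    right=%any
    rightsourceip=10.5.8.220,10.5.8.221
    rightdns=10.5.8.204
    auto=add

# Responder side: ipsec.secrets
# Fix 1: register the private key that belongs to leftcert, otherwise the
# responder logs "no private key found". File name is a placeholder and is
# looked up in the ipsec.d/private directory.
: RSA NRR-vpn-clusterserver.key

# Initiator (roadwarrior) side: ipsec.conf
conn to_NRR
    keyexchange=ikev2
    leftsourceip=%config
    leftcert=<client-cert>.der          # placeholder for the user cert
    leftfirewall=yes
    right=192.168.2.202
    # Fix 3: no wildcard; this must equal the responder's leftid exactly,
    # and the responder must prove that identity with its certificate.
    rightid="C=Shire, O=NRR, CN=<server-cert-cn>"   # same placeholder
    rightsubnet=10.5.8.0/24
    auto=add
```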

Re: [strongSwan] Problem authentication strongswan5.7.2-1.el7 x509

2019-10-30 Thread Noel Kuntze
Hello Fatcharly,

Please follow the instructions on the HelpRequests[1] page on the wiki.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 30.10.19 at 10:27, fatcha...@gmx.de wrote:
> Hi,
> 
> I'm using a strongswan-5.7.2-1.el7.x86_64 on a CentOS 7.7.1908 (Core) to 
> build up a vpn tunnel to a partner site. We are using certificates for the 
> authentication, but I'm running into a problem here and I think it's on my 
> side so I need some help from you.
> 
> This is the information I get when I start the connection:
> 
>>> strongswan up game_cmp_test
> initiating IKE_SA game_cmp_test[18] to 82.xxx.xxx.44
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (464 bytes)
> received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (489 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
> selected proposal: 
> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> received cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
> received 4 cert requests for an unknown ca
> sending cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
> authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
> sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=ourCompany OU=section 
> , CN=ourhost.tld"
> establishing CHILD_SA game_cmp_test{21}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA 
> TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (1648 bytes)
> received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (1520 bytes)
> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
> received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
>   using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
>   using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
> checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> signature validation failed, looking for another key
>   using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
>   using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
> checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> signature validation failed, looking for another key
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (96 bytes)
> establishing connection 'game_cmp_test' failed
> 
> this is the configuration:
> conn game_cmp_test
> left=217.xxx.xxx.20
> leftsubnet=192.168.170.0/24
> leftcert=/etc/strongswan/ipsec.d/certs/GMP-name-cert.pem
> right=82.xxx.xxx.44
> #rightsubnet=192.168.180.0/24
> rightsubnet=192.168.14.0/24
> rightid="pa-otun-xx-xx.GMP-name.tld"
> authby=pubkey
> auto=start
> ikelifetime=28800s
> keylife=3600s
> keyexchange=ikev2
> ike=aes256-sha512-modp2048!
> esp=aes256-sha512-modp2048!
> 
> Is there something wrong with the certificate ?
> 
> Any suggestions are really really welcome 
> 
> Kind regards
> 
> fatcharly
> 
> 





Re: [strongSwan] centos 8

2019-10-30 Thread lejeczek
On 17/10/2019 18:52, jacek burghardt wrote:
> Where can I find a strongswan package for centos 8?

they seem to have libreswan 3.27 available in default repos





[strongSwan] Problem authentication strongswan5.7.2-1.el7 x509

2019-10-30 Thread fatcharly
Hi,

I'm using a strongswan-5.7.2-1.el7.x86_64 on a CentOS 7.7.1908 (Core) to build 
up a vpn tunnel to a partner site. We are using certificates for the 
authentication, but I'm running into a problem here and I think it's on my side 
so I need some help from you.

This is the information I get when I start the connection:

>>strongswan up game_cmp_test
initiating IKE_SA game_cmp_test[18] to 82.xxx.xxx.44
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (464 bytes)
received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (489 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
received cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
received 4 cert requests for an unknown ca
sending cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=ourCompany OU=section , 
CN=ourhost.tld"
establishing CHILD_SA game_cmp_test{21}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA 
TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (1648 bytes)
received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (1520 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
  using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
  using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
certificate status is not available
  reached self-signed root ca with a path length of 0
signature validation failed, looking for another key
  using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
  using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
certificate status is not available
  reached self-signed root ca with a path length of 0
signature validation failed, looking for another key
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (96 bytes)
establishing connection 'game_cmp_test' failed

this is the configuration:
conn game_cmp_test
left=217.xxx.xxx.20
leftsubnet=192.168.170.0/24
leftcert=/etc/strongswan/ipsec.d/certs/GMP-name-cert.pem
right=82.xxx.xxx.44
#rightsubnet=192.168.180.0/24
rightsubnet=192.168.14.0/24
rightid="pa-otun-xx-xx.GMP-name.tld"
authby=pubkey
auto=start
ikelifetime=28800s
keylife=3600s
keyexchange=ikev2
ike=aes256-sha512-modp2048!
esp=aes256-sha512-modp2048!

Is there something wrong with the certificate ?

Any suggestions are really really welcome 

Kind regards

fatcharly