Re: [strongSwan] vici initiator only or responder per connection
Hi Tobias,

Thank you for taking the time to reply to my request. How can I get the same behavior per connection via vici? I believe dropping the connection when the global initiator_only is marked as yes is done in charon code and not via iptables. Please guide me on the per-connection option if it's configurable.

Thanks,
Naveen

On Tue, Apr 7, 2020 at 1:05 AM Tobias Brunner wrote:
> Hi Naveen,
>
> > I see that we have a global "initiator_only = yes/no" configuration
> > in charon.conf, is it possible to configure this for per connection via
> > vici, so that the initiator is only responsible for initiating the
> > connection.
>
> That option is global because it causes any initial IKE message to get
> dropped very early. But if you don't configure a single remote IP
> address, a connection can't be used for initiation.
>
> Regards,
> Tobias
Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
Hi,

Nope, that's wrong. You need to enumerate all combinations of subnets so you have a specific CHILD_SA for each pair. IKEv1 can only handle one subnet per side in a single CHILD_SA.

Kind regards
Noel

Am 07.04.20 um 16:38 schrieb Makarand Pradhan:
> Good morning All,
>
> Following up on the issue. We need to manually add the route for ikev1.
>
> Would very much appreciate any pointers. Am kind of stuck on ikev1.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax: +1-289-401-5206
> Email: makarandprad...@is5com.com
> Website: www.iS5Com.com
>
> Confidentiality Notice:
> This message is intended only for the named recipients. This message may
> contain information that is confidential and/or exempt from disclosure under
> applicable law. Any dissemination or copying of this message by anyone other
> than a named recipient is strictly prohibited. If you are not a named
> recipient or an employee or agent responsible for delivering this message to
> a named recipient, please notify us immediately, and permanently destroy this
> message and any copies you may have. Warning: Email may not be secure unless
> properly encrypted.
>
> -----Original Message-----
> From: Makarand Pradhan
> Sent: March 20, 2020 1:50 PM
> To: Noel Kuntze; users@lists.strongswan.org
> Subject: RE: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
>
> Tx for the clarification. All information per the wiki is attached.
>
> Kind rgds,
> Makarand Pradhan
>
> -----Original Message-----
> From: Noel Kuntze
> Sent: March 20, 2020 1:21 PM
> To: Makarand Pradhan; users@lists.strongswan.org
> Subject: Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
>
> Please send all the data I asked for.
> And especially the output of `ipsec statusall`.
> strongSwan installs all required routes by default.
>
> Am 20.03.20 um 18:17 schrieb Makarand Pradhan:
>> One quick question before I send all the logs. Maybe the tunnel is working
>> as expected. Can you pl go through the set up below to confirm that there
>> is indeed an issue here:
>>
>> Scenario:
>> PC1 - Router1 - Router2 - Tunnel - Router3 - Router4 - PC2
>> PC1 IP: 10.10.9.3, Network: 10.10.9.0/24
>> PC2 IP: 192.168.9.3, Network: 192.168.9.0/24
>> Tunnel: Raptor2(91.0.0.3) to (91.0.0.2)Raptor3
>> Tunnel is established:
>>   m1[6]: ESTABLISHED 13 minutes ago, 91.0.0.3[91.0.0.3]...91.0.0.2[91.0.0.2]
>>   m1{7}: 10.10.9.0/24 === 192.168.9.0/24
>> Routing table on Router 2:
>> root@t1024rdb:~# ip ro
>> 91.0.0.0/8 dev fm1-mac1.0555 proto kernel scope link src 91.0.0.3
>> 192.168.9.0/24 via 91.0.0.2 dev fm1-mac1.0555
>>
>> With this the packets are encrypted as they pass the tunnel:
>> 22:41:05.941919 IP 10.10.9.3 > 192.168.9.3: ICMP echo request, id 1278, seq 3, length 64
>> 22:41:05.942123 IP 91.0.0.3 > 91.0.0.2: ESP(spi=0xc1442109,seq=0x3), length 132
>> 22:41:05.943440 IP 91.0.0.2 > 91.0.0.3: ESP(spi=0xc468b8a2,seq=0x3), length 132
>> 22:41:05.943612 IP 192.168.9.3 > 10.10.9.3: ICMP echo reply, id 1278, seq 3, length 64
>>
>> Question:
>> Do I need to have the route "192.168.9.0/24 via 91.0.0.2" when I am running v1?
>> With this route, the packets get encrypted.
>>
>> If this is the desired behaviour then we do not have an issue.
>>
>> Would appreciate if someone can confirm if v1 needs the route addition. V2
>> does work without the explicit route addition.
>>
>> Kind rgds,
>> Makarand Pradhan
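Noel's point above (one subnet per side per CHILD_SA under IKEv1, so every local/remote subnet pair needs its own child) is easy to get wrong by hand once a site has more than one subnet. The script below is an added example, not code from the thread or from strongSwan: it generates one swanctl.conf child section per pair and rejects a child whose traffic selectors list more than one subnet. The addresses 91.0.0.3, 91.0.0.2, 10.10.9.0/24 and 192.168.9.0/24 come from the thread; the extra subnet 10.10.10.0/24, the connection name `m1` and the PSK auth sections are constructed for the example, and the rendered output omits the `secrets` block.

```python
"""Generate swanctl.conf child sections for an IKEv1 net-to-net tunnel.

IKEv1 negotiates exactly one subnet per side in each CHILD_SA, so a tunnel
that must carry several subnets needs a separate child per (local, remote)
pair. Sample subnets are constructed for this example.
"""
import ipaddress
from itertools import product


def ikev1_child_ok(child):
    """True if a child section is usable under IKEv1: exactly one valid
    prefix in local_ts and one in remote_ts (a comma-separated list would
    describe more than one subnet per side)."""
    for key in ("local_ts", "remote_ts"):
        entries = [e.strip() for e in child.get(key, "").split(",") if e.strip()]
        if len(entries) != 1:
            return False
        ipaddress.ip_network(entries[0])  # raises ValueError on a bad prefix
    return True


def child_sections(local_subnets, remote_subnets, prefix="net"):
    """One child per (local, remote) pair, named <prefix>-<index>."""
    sections = {}
    for i, (lts, rts) in enumerate(product(local_subnets, remote_subnets)):
        child = {"local_ts": lts, "remote_ts": rts, "start_action": "start"}
        if not ikev1_child_ok(child):
            raise ValueError(f"not a single-subnet pair: {lts} / {rts}")
        sections[f"{prefix}-{i}"] = child
    return sections


def render_conf(name, local_addrs, remote_addrs, children):
    """Render a swanctl.conf 'connections' block (PSK auth assumed)."""
    out = [
        "connections {",
        f"    {name} {{",
        "        version = 1",
        f"        local_addrs = {local_addrs}",
        f"        remote_addrs = {remote_addrs}",
        "        local {",
        "            auth = psk",
        "        }",
        "        remote {",
        "            auth = psk",
        "        }",
        "        children {",
    ]
    for cname, child in children.items():
        out.append(f"            {cname} {{")
        for key, value in child.items():
            out.append(f"                {key} = {value}")
        out.append("            }")
    out += ["        }", "    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Two local subnets, one remote: two children instead of one.
    kids = child_sections(["10.10.9.0/24", "10.10.10.0/24"], ["192.168.9.0/24"])
    print(render_conf("m1", "91.0.0.3", "91.0.0.2", kids))
```

Run it and paste the output into swanctl.conf, then `swanctl --load-all`; `swanctl --list-sas` should then show one CHILD_SA per pair rather than a single child carrying all subnets.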
Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
Good morning All,

Following up on the issue. We need to manually add the route for ikev1.

Would very much appreciate any pointers. Am kind of stuck on ikev1.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.

-----Original Message-----
From: Makarand Pradhan
Sent: March 20, 2020 1:50 PM
To: Noel Kuntze; users@lists.strongswan.org
Subject: RE: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

Tx for the clarification. All information per the wiki is attached.

Kind rgds,
Makarand Pradhan

-----Original Message-----
From: Noel Kuntze
Sent: March 20, 2020 1:21 PM
To: Makarand Pradhan; users@lists.strongswan.org
Subject: Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

Please send all the data I asked for.
And especially the output of `ipsec statusall`.
strongSwan installs all required routes by default.

Am 20.03.20 um 18:17 schrieb Makarand Pradhan:
> One quick question before I send all the logs. Maybe the tunnel is working as
> expected. Can you pl go through the set up below to confirm that there is
> indeed an issue here:
>
> Scenario:
> PC1 - Router1 - Router2 - Tunnel - Router3 - Router4 - PC2
> PC1 IP: 10.10.9.3, Network: 10.10.9.0/24
> PC2 IP: 192.168.9.3, Network: 192.168.9.0/24
> Tunnel: Raptor2(91.0.0.3) to (91.0.0.2)Raptor3
> Tunnel is established:
>   m1[6]: ESTABLISHED 13 minutes ago, 91.0.0.3[91.0.0.3]...91.0.0.2[91.0.0.2]
>   m1{7}: 10.10.9.0/24 === 192.168.9.0/24
> Routing table on Router 2:
> root@t1024rdb:~# ip ro
> 91.0.0.0/8 dev fm1-mac1.0555 proto kernel scope link src 91.0.0.3
> 192.168.9.0/24 via 91.0.0.2 dev fm1-mac1.0555
>
> With this the packets are encrypted as they pass the tunnel:
> 22:41:05.941919 IP 10.10.9.3 > 192.168.9.3: ICMP echo request, id 1278, seq 3, length 64
> 22:41:05.942123 IP 91.0.0.3 > 91.0.0.2: ESP(spi=0xc1442109,seq=0x3), length 132
> 22:41:05.943440 IP 91.0.0.2 > 91.0.0.3: ESP(spi=0xc468b8a2,seq=0x3), length 132
> 22:41:05.943612 IP 192.168.9.3 > 10.10.9.3: ICMP echo reply, id 1278, seq 3, length 64
>
> Question:
> Do I need to have the route "192.168.9.0/24 via 91.0.0.2" when I am running v1?
> With this route, the packets get encrypted.
>
> If this is the desired behaviour then we do not have an issue.
>
> Would appreciate if someone can confirm if v1 needs the route addition. V2
> does work without the explicit route addition.
>
> Kind rgds,
> Makarand Pradhan
[strongSwan] Any examples for route-based vti-ip4-in-ip6 ?
Hello,

I'll try to set up a net2net connection, ip4-in-ip6. I have an already working ip4-in-ip6 setup, policy based, without vti interfaces. And also working setups with a vti interface, ipv4-in-ipv4. But now I need any hints/examples to use a vti interface for ipv4-in-ipv6.

I looked at https://www.strongswan.org/testing/testresults/route-based/index.html but there are no ip4-in-ip6 examples.

Can someone please help?

Kind regards,
Thomas
Re: [strongSwan] received retransmit of response with ID 0, but next request already sent
Hi Matt,

> I've been trying to make a connection between my home PC and the
> Watchguard XTM330 we have at the office.

It seems that box supports IKEv2 (at least the GUI has a version dropdown field). If possible, switch to that version.

> could anyone shed some light on this one for me? would greatly
> appreciate any help I could get

The most likely reason for your current problem is a mismatched PSK.

Regards,
Tobias
Re: [strongSwan] vici initiator only or responder per connection
Hi Naveen,

> I see that we have a global "initiator_only = yes/no" configuration
> in charon.conf, is it possible to configure this for per connection via
> vici, so that the initiator is only responsible for initiating the
> connection.

That option is global because it causes any initial IKE message to get dropped very early. But if you don't configure a single remote IP address, a connection can't be used for initiation.

Regards,
Tobias
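The following swanctl.conf fragment is an added example (not from the thread or from the strongSwan project) of the distinction Tobias draws: the first connection carries a single remote IP in `remote_addrs` and can therefore be initiated, while the second leaves `remote_addrs` at its default of `%any` and `start_action` at its default of `none`, so it only ever matches an incoming peer and cannot be initiated, which is the per-connection responder-only behaviour without touching the global `initiator_only`. All addresses, identities, connection names and the placeholder secrets are constructed for the example.

```conf
connections {
    # Initiator: a single remote IP is configured, so
    # `swanctl --initiate --child net-to-hq` can bring the tunnel up.
    to-hq {
        version = 2
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = gw-branch.example.com
        }
        remote {
            auth = psk
            id = gw-hq.example.com
        }
        children {
            net-to-hq {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                start_action = start
            }
        }
    }

    # Responder only: remote_addrs is not set and so defaults to %any.
    # Incoming IKE_SA_INIT from a peer presenting the matching identity is
    # accepted, but there is no single remote address to send an initial
    # message to, so an attempt to initiate this connection fails.
    # start_action is left at its default (none).
    from-partner {
        version = 2
        local_addrs = 192.0.2.10
        local {
            auth = psk
            id = gw-branch.example.com
        }
        remote {
            auth = psk
            id = gw-partner.example.com
        }
        children {
            net-partner {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.3.0/24
            }
        }
    }
}

secrets {
    # Placeholder values; replace with real pre-shared keys.
    ike-hq {
        id = gw-hq.example.com
        secret = "REPLACE-WITH-HQ-PSK"
    }
    ike-partner {
        id = gw-partner.example.com
        secret = "REPLACE-WITH-PARTNER-PSK"
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` shows `to-hq` with the concrete remote address and `from-partner` with `%any`; only the former is initiable, which is the check to run when verifying that a connection meant to be responder-only really cannot dial out.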