[strongSwan] Where to specify -no-undefined?

2020-05-10 Thread Derek Cameron
I am building strongSwan natively on Windows with MSYS2 and MinGW-w64 following 
the instructions at 
https://wiki.strongswan.org/projects/strongswan/wiki/Windows.

The make terminates with messages:
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../../../.. 
-I../../../../src/libstrongswan -I../../../../src/libstrongswan/plugins/pubkey 
-I../../../../src/libcharon -I../../../../src/libcharon/plugins/counters 
-DSWANCTLDIR=\"swanctl\" -DIPSEC_PIDDIR=\"/var/run\" -I/mingw64/include -g -O2 
-Wall -Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields 
-D_WIN32 -D_WIN64 -DOPENSSL_SYS_WIN32 -DOPENSSL_SYS_WIN64 
-I/C:/OpenSSL-Win64/include/openssl -include 
/home/IEUser/strongswan-5.8.4/config.h -MT libvici.lo -MD -MP -MF 
.deps/libvici.Tpo -c libvici.c  -DDLL_EXPORT -DPIC -o .libs/libvici.o

/bin/sh ../../../../libtool  --tag=CC   --mode=link gcc  -g -O2 -Wall 
-Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields -D_WIN32 
-D_WIN64 -DOPENSSL_SYS_WIN32 -DOPENSSL_SYS_WIN64 
-I/C:/OpenSSL-Win64/include/openssl -include 
/home/IEUser/strongswan-5.8.4/config.h  -L/C:/OpenSSL-Win64/lib -L/mingw64/lib 
-o libvici.la -rpath /mingw64/lib/ipsec vici_message.lo vici_builder.lo 
vici_cert_info.lo libvici.lo ../../../../src/libstrongswan/libstrongswan.la

libtool:   error: can't build x86_64-pc-mingw64 shared library unless 
-no-undefined is specified

make[6]: *** [Makefile:737: libvici.la] Error 1

make[6]: Leaving directory 
'/home/IEUser/strongswan-5.8.4/src/libcharon/plugins/vici'

make[5]: *** [Makefile:975: all-recursive] Error 1

make[5]: Leaving directory 
'/home/IEUser/strongswan-5.8.4/src/libcharon/plugins/vici'

make[4]: *** [Makefile:1983: all-recursive] Error 1

make[4]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon'

make[3]: *** [Makefile:1279: all] Error 2

make[3]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon'

make[2]: *** [Makefile:537: all-recursive] Error 1

make[2]: Leaving directory '/home/IEUser/strongswan-5.8.4/src'

make[1]: *** [Makefile:598: all-recursive] Error 1

make[1]: Leaving directory '/home/IEUser/strongswan-5.8.4'

make: *** [Makefile:509: all] Error 2
Where and how do I specify -no-undefined?
Sent with ProtonMail Secure Email.


Re: [strongSwan] Help to diagnose connection problem with Cisco ASA5585X

2020-05-10 Thread Jim Geurts
Thanks Noel!

On Sat, May 9, 2020 at 12:50 PM Noel Kuntze
 wrote:

> Hi,
>
> The other peer has some problem with it. Review its logs.
> > received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
>
> Kind regards
>
> Noel
>
> On 09.05.20 at 16:20, Jim Geurts wrote:
> > Hi,
> >
> > I'm new to the world of strongswan and vpns in general, so I apologize
> if this is answered elsewhere. I inherited a strongSwan box running Linux
> strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco
> ASA5585X. The connection was up and running a few days ago, but I've been
> trying to get auto=route working (it was previously auto=start) and that
> caused the tunnel to go up/down a couple times. Now the tunnel will not
> establish a connection. To me, it seems like it's the phase 2 establishment
> that is failing, but I'm curious if someone could help clear up what is
> going on or which part is failing?
> >
> > My understanding (waiting for verification) is that the
> configured settings for the tunnel from the cisco side are:
> >
> > Phase 1
> >   Encryption algorithm: AES-256
> >   Hash algorithm: SHA-512
> >   DH Group: 14
> >   Lifetime: 28800 (seconds)
> >
> > Phase 2:
> >   Mode: IKE V2 Tunnel
> >   ESP Encryption algorithm: AES-256
> >   ESP Hash algorithm: SHA-512
> >   PFS: DH Group 14
> >   Lifetime: 3600 (seconds)
> >
> > I have the following ipsec.conf file for the tunnel:
> >
> > config setup
> > # strictcrlpolicy=yes
> > # uniqueids = no
> > charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
> >
> > conn %default
> > ikelifetime=480m
> > keylife=60m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev1
> > authby=secret
> >
> > conn FOO
> > leftid=205.251.242.103
> > left=172.30.101.187
> > leftsubnet=205.251.242.103/32 
> > leftupdown=/tmp/vpn/firewall-rules.sh
> > right=176.32.98.166
> > rightsubnet=104.40.92.107/32 
> > ike=aes256-sha512-modp2048!
> > keyexchange=ikev2
> > esp=aes256-sha2_512-modp2048!
> > rekeymargin=9m
> > type=tunnel
> > compress=no
> > authby=secret
> > auto=route
> > keyingtries=%forever
> > forceencaps=yes
> > mobike=no
> >
> >
> > ipsec statusall gives the following:
> >
> > Status of IKE charon daemon (strongSwan 5.7.2, Linux
> 4.14.177-139.253.amzn2.x86_64, x86_64):
> >   uptime: 19 hours, since May 08 18:56:20 2020
> >   malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> >   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5
> mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
> pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519
> chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-sim eap-aka
> eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic
> eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
> xauth-noauth dhcp led duplicheck unity counters
> > Listening IP addresses:
> >   172.30.101.187
> > Connections:
> >  FOO:  172.30.101.187...176.32.98.166  IKEv2
> >  FOO:   local:  [205.251.242.103] uses pre-shared key
> authentication
> >  FOO:   remote: [176.32.98.166] uses pre-shared key
> authentication
> >  FOO:   child:  205.251.242.103/32 
> === 104.40.92.107/32  TUNNEL
> > Routed Connections:
> >  FOO{1}:  ROUTED, TUNNEL, reqid 1
> >  FOO{1}:   205.251.242.103/32  ===
> 104.40.92.107/32 
> > Security Associations (0 up, 0 connecting):
> >   none
> >
> >
> > Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try
> to bring the tunnel up manually using ipsec up FOO, I get the following:
> >
> > initiating IKE_SA FOO[1] to 176.32.98.166
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> > sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464
> bytes)
> > received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599
> bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(FRAG_SUP) V ]
> > received Cisco Delete Reason vendor ID
> > received Cisco Copyright (c) 2009 vendor ID
> > received FRAGMENTATION vendor ID
> > selected proposal:
> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> > local host is behind NAT, sending keep alives
> > received 1 cert requests for an unknown ca
> > authentication of '205.251.242.103' (myself) with pre-shared key
> > establishing CHILD_SA FOO{2}
> > generating IKE_AUTH request 1 [ IDi 

Re: [strongSwan] Help to diagnose connection problem with Cisco ASA5585X

2020-05-10 Thread Jim Geurts
Gave that a shot and no luck :( I appreciate the suggestion, though!

On Sun, May 10, 2020 at 3:59 AM Alex K  wrote:

>
>
> On Sat, May 9, 2020, 17:19 Jim Geurts  wrote:
>
>> Hi,
>>
>> I'm new to the world of strongswan and vpns in general, so I apologize if
>> this is answered elsewhere. I inherited a strongSwan box running Linux
>> strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco
>> ASA5585X. The connection was up and running a few days ago, but I've been
>> trying to get auto=route working (it was previously auto=start) and that
>> caused the tunnel to go up/down a couple times. Now the tunnel will not
>> establish a connection. To me, it seems like it's the phase 2 establishment
>> that is failing, but I'm curious if someone could help clear up what is
>> going on or which part is failing?
>>
>> My understanding (waiting for verification) is that the
>> configured settings for the tunnel from the cisco side are:
>>
>> Phase 1
>>   Encryption algorithm: AES-256
>>   Hash algorithm: SHA-512
>>   DH Group: 14
>>   Lifetime: 28800 (seconds)
>>
>> Phase 2:
>>   Mode: IKE V2 Tunnel
>>   ESP Encryption algorithm: AES-256
>>   ESP Hash algorithm: SHA-512
>>   PFS: DH Group 14
>>   Lifetime: 3600 (seconds)
>>
>> I have the following ipsec.conf file for the tunnel:
>>
>> config setup
>> # strictcrlpolicy=yes
>> # uniqueids = no
>> charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
>>
>> conn %default
>> ikelifetime=480m
>> keylife=60m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev1
>> authby=secret
>>
>> conn FOO
>> leftid=205.251.242.103
>> left=172.30.101.187
>> leftsubnet=205.251.242.103/32
>> leftupdown=/tmp/vpn/firewall-rules.sh
>> right=176.32.98.166
>> rightsubnet=104.40.92.107/32
>> ike=aes256-sha512-modp2048!
>> keyexchange=ikev2
>> esp=aes256-sha2_512-modp2048!
>> rekeymargin=9m
>> type=tunnel
>> compress=no
>> authby=secret
>> auto=route
>> keyingtries=%forever
>> forceencaps=yes
>> mobike=no
>>
>>
>> ipsec statusall gives the following:
>>
>> Status of IKE charon daemon (strongSwan 5.7.2, Linux
>> 4.14.177-139.253.amzn2.x86_64, x86_64):
>>   uptime: 19 hours, since May 08 18:56:20 2020
>>   malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>>   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5
>> mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
>> pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519
>> chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve
>> socket-default farp stroke vici updown eap-identity eap-sim eap-aka
>> eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic
>> eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
>> xauth-noauth dhcp led duplicheck unity counters
>> Listening IP addresses:
>>   172.30.101.187
>> Connections:
>>  FOO:  172.30.101.187...176.32.98.166  IKEv2
>>  FOO:   local:  [205.251.242.103] uses pre-shared key
>> authentication
>>  FOO:   remote: [176.32.98.166] uses pre-shared key authentication
>>  FOO:   child:  205.251.242.103/32 === 104.40.92.107/32 TUNNEL
>> Routed Connections:
>>  FOO{1}:  ROUTED, TUNNEL, reqid 1
>>  FOO{1}:   205.251.242.103/32 === 104.40.92.107/32
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>>
>> Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try
>> to bring the tunnel up manually using ipsec up FOO, I get the following:
>>
>> initiating IKE_SA FOO[1] to 176.32.98.166
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
>> received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599
>> bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(FRAG_SUP) V ]
>> received Cisco Delete Reason vendor ID
>> received Cisco Copyright (c) 2009 vendor ID
>> received FRAGMENTATION vendor ID
>> selected proposal:
>> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
>> local host is behind NAT, sending keep alives
>> received 1 cert requests for an unknown ca
>> authentication of '205.251.242.103' (myself) with pre-shared key
>> establishing CHILD_SA FOO{2}
>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
>> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>> sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304
>> bytes)
>> received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208
>> bytes)
>> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
>> authentication of '176.32.98.166' with 

Re: [strongSwan] Help to diagnose connection problem with Cisco ASA5585X

2020-05-10 Thread Alex K
On Sat, May 9, 2020, 17:19 Jim Geurts  wrote:

> Hi,
>
> I'm new to the world of strongswan and vpns in general, so I apologize if
> this is answered elsewhere. I inherited a strongSwan box running Linux
> strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco
> ASA5585X. The connection was up and running a few days ago, but I've been
> trying to get auto=route working (it was previously auto=start) and that
> caused the tunnel to go up/down a couple times. Now the tunnel will not
> establish a connection. To me, it seems like it's the phase 2 establishment
> that is failing, but I'm curious if someone could help clear up what is
> going on or which part is failing?
>
> My understanding (waiting for verification) is that the
> configured settings for the tunnel from the cisco side are:
>
> Phase 1
>   Encryption algorithm: AES-256
>   Hash algorithm: SHA-512
>   DH Group: 14
>   Lifetime: 28800 (seconds)
>
> Phase 2:
>   Mode: IKE V2 Tunnel
>   ESP Encryption algorithm: AES-256
>   ESP Hash algorithm: SHA-512
>   PFS: DH Group 14
>   Lifetime: 3600 (seconds)
>
> I have the following ipsec.conf file for the tunnel:
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
> charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
>
> conn %default
> ikelifetime=480m
> keylife=60m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev1
> authby=secret
>
> conn FOO
> leftid=205.251.242.103
> left=172.30.101.187
> leftsubnet=205.251.242.103/32
> leftupdown=/tmp/vpn/firewall-rules.sh
> right=176.32.98.166
> rightsubnet=104.40.92.107/32
> ike=aes256-sha512-modp2048!
> keyexchange=ikev2
> esp=aes256-sha2_512-modp2048!
> rekeymargin=9m
> type=tunnel
> compress=no
> authby=secret
> auto=route
> keyingtries=%forever
> forceencaps=yes
> mobike=no
>
>
> ipsec statusall gives the following:
>
> Status of IKE charon daemon (strongSwan 5.7.2, Linux
> 4.14.177-139.253.amzn2.x86_64, x86_64):
>   uptime: 19 hours, since May 08 18:56:20 2020
>   malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5
> mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
> pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519
> chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-sim eap-aka
> eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic
> eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
> xauth-noauth dhcp led duplicheck unity counters
> Listening IP addresses:
>   172.30.101.187
> Connections:
>  FOO:  172.30.101.187...176.32.98.166  IKEv2
>  FOO:   local:  [205.251.242.103] uses pre-shared key
> authentication
>  FOO:   remote: [176.32.98.166] uses pre-shared key authentication
>  FOO:   child:  205.251.242.103/32 === 104.40.92.107/32 TUNNEL
> Routed Connections:
>  FOO{1}:  ROUTED, TUNNEL, reqid 1
>  FOO{1}:   205.251.242.103/32 === 104.40.92.107/32
> Security Associations (0 up, 0 connecting):
>   none
>
>
> Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try to
> bring the tunnel up manually using ipsec up FOO, I get the following:
>
> initiating IKE_SA FOO[1] to 176.32.98.166
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
> received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(FRAG_SUP) V ]
> received Cisco Delete Reason vendor ID
> received Cisco Copyright (c) 2009 vendor ID
> received FRAGMENTATION vendor ID
> selected proposal:
> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> authentication of '205.251.242.103' (myself) with pre-shared key
> establishing CHILD_SA FOO{2}
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304
> bytes)
> received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208
> bytes)
> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
> authentication of '176.32.98.166' with pre-shared key successful
> IKE_SA FOO[1] established between
> 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
> scheduling reauthentication in 28116s
> maximum IKE_SA lifetime 28656s
> received NO_PROPOSAL_CHOSEN notify, no
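As an added example (not code from anyone in this thread or from the strongSwan project), the Python script below walks the charon output Jim posted, records which IKEv2 milestone was reached, and reports which exchange the peer rejected; it makes Noel's point concrete, since the IKE_SA is established and the failure is the peer's NO_PROPOSAL_CHOSEN for the CHILD_SA. The log sample is constructed from the lines quoted above, with quote prefixes, wrapping and packet lines removed.

```python
import re

# Constructed sample: the charon lines quoted in this thread, with quote
# prefixes, line wrapping and the packet send/receive lines removed.
SAMPLE_LOG = """\
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
authentication of '205.251.242.103' (myself) with pre-shared key
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '176.32.98.166' with pre-shared key successful
IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

# IKEv2 milestones in the order charon reaches them; the furthest one reached
# before an error notify tells you which exchange the peer rejected.
MILESTONES = [
    ("ike_proposal", re.compile(r"^selected proposal: (IKE:\S+)")),
    ("peer_authenticated", re.compile(r"^authentication of '([^']+)' with .* successful")),
    ("ike_sa_established", re.compile(r"^IKE_SA (\S+) established between")),
    ("child_sa_established", re.compile(r"^CHILD_SA (\S+) established")),
]
NOTIFY = re.compile(r"^received ([A-Z_]+) notify")

VERDICTS = {
    "child_sa_established": "tunnel up: IKE_SA and CHILD_SA established",
    "ike_sa_established": "IKE_SA up, peer rejected the CHILD_SA ({n}): "
                          "compare ESP cipher/integrity/PFS with the peer and review its logs",
    "peer_authenticated": "peer authenticated but IKE_SA not established ({n})",
    "ike_proposal": "IKE_SA_INIT agreed, IKE_AUTH failed ({n}): check identities and PSK",
    None: "IKE_SA_INIT failed ({n}): no common IKE cipher/PRF/DH group",
}

def diagnose(log_text):
    """Return (reached, notify): milestone -> captured detail, first error notify name."""
    reached, notify = {}, None
    for line in log_text.splitlines():
        for name, pat in MILESTONES:
            m = pat.match(line)
            if m:
                reached[name] = m.group(1)
        m = NOTIFY.match(line)
        if m and notify is None:
            notify = m.group(1)
    return reached, notify

def highest(reached):
    # Furthest milestone reached, or None if even IKE_SA_INIT did not agree.
    return next((n for n, _ in reversed(MILESTONES) if n in reached), None)

def verdict(log_text):
    reached, notify = diagnose(log_text)
    return VERDICTS[highest(reached)].format(n=notify or "no notify")
```

Run `verdict(SAMPLE_LOG)` to get the one-line diagnosis for the pasted log; feed it the output of a fresh `ipsec up FOO` to check a later attempt.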