Re: [strongSwan] Android App - Server IPv6

2021-05-21 Thread Claude Tompers
Hi Tobias,

Indeed that was the missing bit. It is working now.

Thanks a lot for your quick help.

kind regards,
Claude


On 21/05/2021 14:29, Tobias Brunner wrote:
> Hi Claude,
>
>> I'm trying to force my Android Strongswan app to use IPv6 to connect to
>> our VPN server. However it seems that the app is trying to do a DNS
>> resolution on the IPv6 address instead of using it as it is. Do I need
>> to respect a specific format (quotes,...) if I use an IPv6 address ?
> No, any valid IPv6 address should work.  However, have you enabled the
> "Use IPv6 transport addresses" option in the advanced profile settings?
>
> Regards,
> Tobias
>


-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA
2, avenue de l'Université
L-4365 Esch/Alzette






[strongSwan] Android App - Server IPv6

2021-05-21 Thread Claude Tompers
Hello,

I'm trying to force my Android Strongswan app to use IPv6 to connect to
our VPN server. However it seems that the app is trying to do a DNS
resolution on the IPv6 address instead of using it as it is. Do I need
to respect a specific format (quotes,...) if I use an IPv6 address ?

kind regards,

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA
2, avenue de l'Université
L-4365 Esch/Alzette






Re: [strongSwan] Mac OSX client

2020-03-27 Thread Claude Tompers
Hi Tobias,

Thanks for your help to clean up my config. Everything works fine now. I
had to disable reauth and use rekey only.
It seems that after IKE_SA expiration, OSX can not access the client
certificate properly anymore to reauthenticate.

Have a nice weekend.
Claude


On 27/03/2020 07:38, Claude Tompers wrote:
> Hello Tobias,
>
> Thanks a lot for you remarks. I will review the config.
>
> kind regards,
> Claude
>
>
> On 26/03/2020 17:11, Tobias Brunner wrote:
>> Hi Claude,
>>
>>> Before diving deeper into logs etc. Do these connection settings look
>>> good to you ? Thinking of all sorts of timers.
>> There is lots of questionable stuff in that config.
>>
>>>>>     ikelifetime=60m
>> That's quite low, in particular since you didn't change margintime and
>> rekeyfuzz (see [1] for what that means exactly).
>>
>>>>>     dpdaction=restart
>> That doesn't make much sense on a responder as it's unlikely it can
>> reach the client to reestablish the connection if it failed to
>> retransmit a message several times.
>>
>>>>>     dpddelay=60s
>> That's relatively low for mobile clients that might not be reachable for
>> a while.  If you do that, consider changing the retransmission settings
>> so clients can be offline for a while [2].
>>
>>>>>     dpdtimeout=300s
>> Has no effect on IKEv2 SAs.
>>
>>>>>     keyingtries=5
>> Same as dpdaction, makes not much sense on a responder for mobile clients.
>>
>>>>>     inactivity=4h
>> This only makes sense if trap policies are used, otherwise no CHILD_SA
>> will exist after that (unless the client will reestablish the complete
>> connection immediately if the server terminates the CHILD_SA
>> unexpectedly, but what would the benefit be of that?).
>>
>>>>>     lifetime=4h
>> Why did you set that longer than the IKE_SA lifetime?  Also, refer to
>> [1] for details.
>>
>>>>>     reauth=yes
>> Consider reading up on reauthentication (especially in regards to IKEv2
>> responders) on [1].
>>
>>>>>     mobike=no
>> Why would you disable MOBIKE on a connection for mobile roadwarriors?
>> It's exactly the use case this extension was designed for.
>>
>> Regards,
>> Tobias
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
>




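As an added illustration of the review quoted above (this is not strongSwan code, nor anything from the thread's authors): a small Python lint that parses the timer and DPD options of the posted conn %default and applies the remarks one by one. It assumes strongSwan's documented defaults of ikelifetime=3h, margintime=9m and rekeyfuzz=100% to compute when a 60m IKE_SA is actually rekeyed; all function names are my own.

```python
import re

# Timer/DPD options from the conn %default posted in the thread; the certificate,
# id and subnet lines are omitted because this lint does not look at them.
POSTED_CONF = """\
conn %default
    keyexchange=ikev2
    ikelifetime=60m
    dpdaction=restart
    dpddelay=60s
    dpdtimeout=300s
    keyingtries=5
    inactivity=4h
    lifetime=4h
    right=%any
    rekey=yes
    reauth=yes
    mobike=no
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumed strongSwan ipsec.conf defaults: ikelifetime=3h, margintime=9m, rekeyfuzz=100%
DEFAULT_IKELIFETIME = 3 * 3600
DEFAULT_MARGINTIME = 9 * 60
DEFAULT_REKEYFUZZ = 1.0


def parse_duration(value):
    """Convert an ipsec.conf time value ('60m', '4h', '300s', '90') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_conns(text):
    """Return {conn_name: {key: value}} for a minimal ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            conns[current][key.strip()] = val.strip()
    return conns


def rekey_window(ikelifetime_s, margintime_s=DEFAULT_MARGINTIME,
                 rekeyfuzz=DEFAULT_REKEYFUZZ):
    """Earliest/latest rekey time: lifetime - (margintime + rand(0, margintime*rekeyfuzz))."""
    earliest = ikelifetime_s - margintime_s - int(margintime_s * rekeyfuzz)
    latest = ikelifetime_s - margintime_s
    return earliest, latest


def lint_responder_conn(opts):
    """Apply the review remarks from the thread to one conn; returns [(key, message)]."""
    findings = []
    ikev2 = opts.get("keyexchange") == "ikev2"
    responder = opts.get("right") == "%any"   # roadwarrior setup: only peers can initiate
    trap = opts.get("auto") == "route"        # trap policies are the only case for inactivity

    if "ikelifetime" in opts:
        life = parse_duration(opts["ikelifetime"])
        if life < DEFAULT_IKELIFETIME:
            lo, hi = rekey_window(life)
            findings.append(("ikelifetime", f"{opts['ikelifetime']} is below the 3h default; "
                             f"with default margintime/rekeyfuzz the IKE_SA is rekeyed "
                             f"after {lo // 60}-{hi // 60} min"))
        if "lifetime" in opts and parse_duration(opts["lifetime"]) > life:
            findings.append(("lifetime", "CHILD_SA lifetime is longer than the IKE_SA lifetime"))
    if responder and opts.get("dpdaction") == "restart":
        findings.append(("dpdaction", "restart on a responder: it cannot reach a silent client"))
    if responder and "dpddelay" in opts:
        findings.append(("dpddelay", f"{opts['dpddelay']} with mobile clients: review retransmission"))
    if ikev2 and "dpdtimeout" in opts:
        findings.append(("dpdtimeout", "has no effect on IKEv2 SAs"))
    if responder and "keyingtries" in opts:
        findings.append(("keyingtries", "a responder does not re-initiate to mobile clients"))
    if "inactivity" in opts and not trap:
        findings.append(("inactivity", "only useful with trap policies (auto=route)"))
    if ikev2 and responder and opts.get("reauth") == "yes":
        findings.append(("reauth", "reauthentication on an IKEv2 responder: see ExpiryRekey"))
    if responder and opts.get("mobike") == "no":
        findings.append(("mobike", "MOBIKE disabled on a roadwarrior connection"))
    return findings


def lint_text(text):
    """Lint every conn in an ipsec.conf fragment; returns {conn: [(key, message)]}."""
    return {name: lint_responder_conn(opts) for name, opts in parse_conns(text).items()}
```

Running lint_text(POSTED_CONF) reports all nine remarks from the review, including that the 60m IKE_SA is rekeyed after 42 to 51 minutes, which lines up with the roughly 55-minute drops reported at the start of the thread.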


Re: [strongSwan] Mac OSX client

2020-03-26 Thread Claude Tompers
Hi Noel,

Before diving deeper into logs etc. Do these connection settings look
good to you ? Thinking of all sorts of timers.

kind regards,
Claude


On 24/03/2020 14:35, Noel Kuntze wrote:
> Hi,
>
> Please make a log as described on the HelpRequests[1] page so we can help you 
> figure out what's wrong.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> Am 24.03.20 um 14:26 schrieb Claude Tompers:
>> Hi Tom,
>>
>> leftsendcert is set. Here are the details of the config :
>>
>> conn %default
>>     keyexchange=ikev2
>>     ikelifetime=60m
>>     ike=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>>     esp=aes256-sha1,aes256-sha1,3des-sha1!
>>     dpdaction=restart
>>     dpddelay=60s
>>     dpdtimeout=300s
>>     keyingtries=5
>>     inactivity=4h
>>     lifetime=4h
>>     left=strongswan.restena.lu
>>     leftid=@strongswan.restena.lu
>>     leftauth=pubkey
>>     leftsendcert=always
>>     leftcert=strongswan.restena.lu-cert.pem
>>     leftsubnet=0.0.0.0/0,::/0
>>     right=%any
>>     rightauth=pubkey
>>     rightsendcert=always
>>     rekey=yes
>>     reauth=yes
>>     mobike=no
>>
>> Apart from the default, every user is identified by its certificate CN and is 
>> assigned to an IP pool
>>
>> conn IKEv2-tech-ctompers
>>     rightid="..."
>>     rightsourceip=%pool-v4,%pool-v6
>>     auto=add
>>
>> We already had this issue in former versions when the native client was 
>> doing only IKEv1.
>>
>> kind regards,
>> Claude
>>
>> On 24/03/2020 12:38, Tom Rymes wrote:
>>> Claude,
>>>
>>> Have you followed the suggestions here?: 
>>> https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-amp-macOS-1011-and-newer
>>>
>>> leftsendcert=always solves a similar issue for us, I believe.
>>>
>>> Perhaps you could post some details of your installation?
>>>
>>> Tom
>>>
>>> On Mar 24, 2020, at 6:56 AM, Claude Tompers <mailto:claude.tomp...@restena.lu> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Our whole team has issues with the native OSX VPN client not being very
>>>> stable with our strongswan VPN server.
>>>> Connections drop sometimes randomly but certainly after roughly 55 minutes.
>>>> I'm wondering if anyone has the same issue and managed to solve it, or
>>>> if there's another Mac VPN client that is stable ?
>>>>
>>>> kind regards,
>>>> Claude
>>>>
>>>>





Re: [strongSwan] Mac OSX client

2020-03-24 Thread Claude Tompers
Hi Tom,

leftsendcert is set. Here are the details of the config :

conn %default
    keyexchange=ikev2
    ikelifetime=60m
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,aes256-sha1,3des-sha1!
    dpdaction=restart
    dpddelay=60s
    dpdtimeout=300s
    keyingtries=5
    inactivity=4h
    lifetime=4h
    left=strongswan.restena.lu
    leftid=@strongswan.restena.lu
    leftauth=pubkey
    leftsendcert=always
    leftcert=strongswan.restena.lu-cert.pem
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightauth=pubkey
    rightsendcert=always
    rekey=yes
    reauth=yes
    mobike=no

Apart from the default, every user is identified by its certificate CN
and is assigned to an IP pool

conn IKEv2-tech-ctompers
    rightid="..."
    rightsourceip=%pool-v4,%pool-v6
    auto=add

We already had this issue in former versions when the native client was
doing only IKEv1.

kind regards,
Claude

On 24/03/2020 12:38, Tom Rymes wrote:
> Claude,
>
> Have you followed the suggestions
> here?: 
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-amp-macOS-1011-and-newer
>
> leftsendcert=always solves a similar issue for us, I believe.
>
> Perhaps you could post some details of your installation?
>
> Tom
>
> On Mar 24, 2020, at 6:56 AM, Claude Tompers <mailto:claude.tomp...@restena.lu> wrote:
>
>> Hi all,
>>
>> Our whole team has issues with the native OSX VPN client not being very
>> stable with our strongswan VPN server.
>> Connections drop sometimes randomly but certainly after roughly 55
>> minutes.
>> I'm wondering if anyone has the same issue and managed to solve it, or
>> if there's another Mac VPN client that is stable ?
>>
>> kind regards,
>> Claude
>>
>>





[strongSwan] Mac OSX client

2020-03-24 Thread Claude Tompers
Hi all,

Our whole team has issues with the native OSX VPN client not being very
stable with our strongswan VPN server.
Connections drop sometimes randomly but certainly after roughly 55 minutes.
I'm wondering if anyone has the same issue and managed to solve it, or
if there's another Mac VPN client that is stable ?

kind regards,
Claude






Re: [strongSwan] IPv6 issues on Mac with Strongswan via Homebrew

2020-03-06 Thread Claude Tompers
Hi Tobias,

Sorry, I missed that one. Thanks for the info.

kind regards,
Claude


On 06/03/2020 11:21, Tobias Brunner wrote:
> Hi Claude,
>
>> Is this a known issue ?
> Yes, see [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/issues/974

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA
2, avenue de l'Université
L-4365 Esch/Alzette

Tel: +352 424409 1
Fax: +352 422473






[strongSwan] IPv6 issues on Mac with Strongswan via Homebrew

2020-03-06 Thread Claude Tompers
Dear Strongswan List,

I've installed strongswan with Homebrew and it seems to be working fine
with IPv4, however I receive a coredump when I try to set up an IPv6
session. Is this a known issue ?

IKE_SA restena6[2] established between 2001:a18:1:10::3[C=LU,
L=Esch-sur-Alzette, O=Fondation RESTENA, OU=Technical,
CN=nullpointerexcept...@restena.lu,
E=nullpointerexcept...@restena.lu]...2001:a18:0:414::2[casarrondo.restena.lu]
scheduling reauthentication in 2688s
maximum IKE_SA lifetime 3228s
installing 158.64.1.25 as DNS server
installing 158.64.1.14 as DNS server
installing 158.64.1.25 as DNS server
installing 158.64.1.14 as DNS server
handling INTERNAL_IP6_DNS attribute failed
handling UNITY_DEF_DOMAIN attribute failed
handling INTERNAL_IP6_DNS attribute failed
installing new virtual IP 2001:a18:1:11::1
created TUN device: utun3
thread 6 received 4
 dumping 19 stack frame addresses:
  /usr/local/Cellar/strongswan/5.8.2/libexec/ipsec/charon @
0x00010562a000 (segv_handler.cold.1+0x0) [0x00010562c57f]
    -> segv_handler.cold.1 (in charon) + 0
  /usr/lib/system/libsystem_platform.dylib @ 0x7fff69f8c000
(_sigtramp+0x1d) [0x7fff69f9042d]
    -> _sigtramp (in libsystem_platform.dylib) + 29
    2   ??? 0x69766564204e5554 0x0 +
7599372901947430228
  /usr/lib/system/libsystem_c.dylib @ 0x7fff69de6000
(__chk_fail_overlap+0x0) [0x7fff69e63428]
    -> __chk_fail_overlap (in libsystem_c.dylib) + 0
  /usr/lib/system/libsystem_c.dylib @ 0x7fff69de6000
(__stpncpy_chk+0x0) [0x7fff69e63a5c]
    -> __stpncpy_chk (in libsystem_c.dylib) + 0
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libstrongswan.0.dylib @
0x000105635000 (set_address+0x73) [0x0001056531c1]
    -> set_address (in libstrongswan.0.dylib) + 115
 
/usr/local/Cellar/strongswan/5.8.2/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
@ 0x0001059c (add_ip+0x6d) [0x0001059c3a6f]
    -> 0x3a6f
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (add_virtual_ip+0x79) [0x0001056b5347]
    -> add_virtual_ip (in libcharon.0.dylib) + 121
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (process_i+0x83) [0x0001056cd627]
    -> process_i (in libcharon.0.dylib) + 131
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (process_message+0xbf4) [0x0001056bf1be]
    -> process_message (in libcharon.0.dylib) + 3060
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (process_message+0x48) [0x0001056b3ba1]
    -> process_message (in libcharon.0.dylib) + 72
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (handle_fragment+0x6b) [0x0001056bfc09]
    -> handle_fragment (in libcharon.0.dylib) + 107
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (process_message+0x4a2) [0x0001056bea6c]
    -> process_message (in libcharon.0.dylib) + 1186
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (process_message+0x48) [0x0001056b3ba1]
    -> process_message (in libcharon.0.dylib) + 72
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libcharon.0.dylib @
0x00010569 (execute+0xa1) [0x0001056ac696]
    -> execute (in libcharon.0.dylib) + 161
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libstrongswan.0.dylib @
0x000105635000 (process_jobs+0xb3) [0x0001056575a7]
    -> process_jobs (in libstrongswan.0.dylib) + 179
  /usr/local/Cellar/strongswan/5.8.2/lib/ipsec/libstrongswan.0.dylib @
0x000105635000 (thread_main+0x95) [0x000105667372]
    -> thread_main (in libstrongswan.0.dylib) + 149
  /usr/lib/system/libsystem_pthread.dylib @ 0x7fff69f96000
(_pthread_start+0x94) [0x7fff69f9be65]
    -> _pthread_start (in libsystem_pthread.dylib) + 148
  /usr/lib/system/libsystem_pthread.dylib @ 0x7fff69f96000
(thread_start+0xf) [0x7fff69f9783b]
    -> thread_start (in libsystem_pthread.dylib) + 15
killing ourself, received critical signal

kind regards,
Claude

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA
2, avenue de l'Université
L-4365 Esch/Alzette

Tel: +352 424409 1
Fax: +352 422473






[strongSwan] Fwd: strongSwan 1.4.0 Log File

2014-08-12 Thread Claude Tompers
Hello,

I suppose my Android phone did update the strongswan app without asking me.
Without any changes, it stopped working. I can't see any activity on the
vpn server.

I attached the clients log file. The phone is an Sony Xperia Z1C with
Android 4.4.2.

Does anybody else have this issue ?

kind regards,
Claude
Aug 12 13:38:36 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0rc1, Linux 
3.4.0-perf-g6f5bf40, armv7l)
Aug 12 13:38:37 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN 
capability
Aug 12 13:38:37 00[LIB] loaded plugins: androidbridge charon android-log 
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default 
kernel-netlink eap-identity eap-mschapv2 eap-md5 eap-gtc
Aug 12 13:38:37 00[LIB] unable to load 9 plugin features (9 due to unmet 
dependencies)
Aug 12 13:38:37 00[JOB] spawning 16 worker threads


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Fwd: strongSwan 1.4.0 Log File

2014-08-12 Thread Claude Tompers
On 08/12/2014 01:49 PM, Tobias Brunner wrote:
 Hi Claude,

 The phone is an Sony Xperia Z1C with Android 4.4.2.
 The app won't work properly on 4.4 before 4.4.3, see [1] and related issues.

 Aug 12 13:38:37 00[JOB] spawning 16 worker threads
 Hm, never seen it stop so early.  Does that happen every time? What
 about after a reboot of the phone?

 Regards,
 Tobias

 [1] https://wiki.strongswan.org/issues/462

Yes, I still get the exact same error after reboot.
So I have to downgrade strongswan somehow again ?

Claude




Re: [strongSwan] IPv6 + Android

2014-03-18 Thread Claude Tompers
On Mon, 17 Mar 2014 14:34:14 +0100
Mikael Magnusson mikma...@gmail.com wrote:

 On 03/17/2014 09:35 AM, Claude Tompers wrote:
  Hello,
 
  We have some issues with strongswan on Android phones.
  The phone gets both IPv4 and IPv6 addresses. When trying to connect
  to the mail server (only available via VPN), it fails in IPv6 and
  does not even fall back to IPv4. To get the connection to work we
  have to put the IPv4 addresses instead of DNS names into the mail
  client.
 
  Both IPv6 and IPv4 are known to work with other clients, for example
  strongswan on Linux.
 
  Is this a known issue with strongswan/Android ? Are there some
  tweaks to get this to work ?
 
 Which Android version do you use? VPN on Android 4.4 has several known
 issues. One is tunnelling IPv6 over IPv4 on devices without native
 IPv6 access (i.e. no IPv6 route).
 
 /Mikael

I have the same issues on 4.3 and 4.4 . The devices have native IPv6
access and it works, but VPN IPv6 does not work.

Claude

 
 
 
  kind regards,
  Claude
 
 
 
 
 



-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



[strongSwan] IPv6 + Android

2014-03-17 Thread Claude Tompers
Hello,

We have some issues with strongswan on Android phones.
The phone gets both IPv4 and IPv6 addresses. When trying to connect to
the mail server (only available via VPN), it fails in IPv6 and does not
even fall back to IPv4. To get the connection to work we have to put the
IPv4 addresses instead of DNS names into the mail client.

Both IPv6 and IPv4 are known to work with other clients, for example
strongswan on Linux.

Is this a known issue with strongswan/Android ? Are there some tweaks
to get this to work ?

kind regards,
Claude


-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



[strongSwan] MTU problems with OSX

2013-10-16 Thread Claude Tompers
Hi,

We're experiencing MTU problems with strongswan in an pubkey
configuration on networks we don't manage. I read about saving the
peers' certificates but it does not work, I still see the cert requests
sent from the server to the client in the log files.

My ipsec.conf says:

rightsendcert=never
rightid=client_dn
rightcert=path_to_clientcert_file

Is this configuration compatible with native OSX (and IOS) VPN clients ?

kind regards,
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] OS X strongSwan client

2013-09-19 Thread Claude Tompers
Hi,

Seems to work well. :) In fact it even resolves the problem we currently
have with the built-in Apple client, that hangs itself after +/- 50 min
and we have to restart the VPN connection completely.

Our staff uses client certificates though, do you plan to
implement that configuration too in the future ?

kind regards,
Claude


On Wed, 18 Sep 2013 15:32:56 +0200
Martin Willi mar...@strongswan.org wrote:

 
   Sometimes it works for days, sometimes it does not, might be a
   bug.
 
  Now it connected without having changed anything. :)
 
 It seems that I can reliably reproduce this issue: by rebooting my
 Mac. On the first attempt it always fails, subsequent attempts are
 successful.
 
 Unfortunately changing the timeout value does not help. But it seems
 that just the first notification gets lost (kernel bug?). A workaround
 could be to install a dummy IP on a tun device just to remove it
 afterwards. 
 
 I've pushed a new release [1] that adds such a workaround. Even if it
 is not very elegant, it works fine here.
 
 Regards
 Martin
 
 [1]http://download.strongswan.org/osx/strongswan-5.1.0-4.app.zip
 



-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] OS X strongSwan client

2013-09-18 Thread Claude Tompers
Hi Martin,

Nice tool !! So far it seems to work, but as always, I have some
keychain problems. I have a CA certificate installed in the system
store and marked it as Always Trust, but I still get a server
authentication failure. The same CA certificate works in Windows 7.

Are my settings correct so far or do I need to put the certificate into
another store ?

kind regards,
Claude


On Tue, 17 Sep 2013 16:39:42 +0200
Martin Willi mar...@strongswan.org wrote:

 Hi,
 
 I'm happy to announce a first testing release of the strongSwan OS X
 client App. It is available for download at [1] and features:
 
   * An easy to deploy unprivileged strongSwan.app, providing a
 simple graphical user interface to manage and initiate
 connections
   * Automatic installation of a privileged helper tool (IKE
 daemon) 
   * Gateway/CA certificates get fetched from the OS X Keychain
 service
   * Currently supported are IKEv2 connections using EAP-MSCHAPv2
 client authentication
   * Requires a 64-bit Intel processor and OS X 10.7 or 10.8
 
 Even with the currently limited feature-set the client can act as a
 drop-in replacement for the Windows 7/8 Agile VPN client.
 
 Please report any issues you encounter with this first release. The
 log window for each configuration should have detailed information
 about connection issues.
 
 Best Regards
 Martin
 
 [1]http://download.strongswan.org/osx/strongswan-5.1.0-3.app.zip
 
 



-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] OS X strongSwan client

2013-09-18 Thread Claude Tompers


Hi Martin,

I'm running OSX 10.8.5.
I've installed the server certificate itself into keychain and now that
part seems to work.
The connection still fails though, I'll paste the client side log
because I don't know exactly what it means.

EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'ctompers' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 158.64.1.171[50209] to 158.64.1.53[4500] (92 bytes)
received packet: from 158.64.1.53[4500] to 158.64.1.171[50209] (300 bytes)
parsed IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS DNS6 U_DEF_DOMAIN
U_BANNER DNS6) SA TSi TSr ]
authentication of 'vpn.restena.lu' with EAP successful
IKE_SA Test[6] established between
158.64.1.171[ctompers]...158.64.1.53[vpn.restena.lu]
scheduling rekeying in 35450s
maximum IKE_SA lifetime 36050s
installing 158.64.1.25 as DNS server
installing 158.64.1.14 as DNS server
handling INTERNAL_IP6_DNS attribute failed
handling UNITY_DEF_DOMAIN attribute failed
handling UNITY_BANNER attribute failed
handling INTERNAL_IP6_DNS attribute failed
installing new virtual IP 158.64.122.140
created TUN device: utun1
virtual IP 158.64.122.140 did not appear on utun1
installing virtual IP 158.64.122.140 failed
no acceptable traffic selectors found
closing IKE_SA due CHILD_SA setup failure
sending DELETE for ESP CHILD_SA with SPI 31576d8e
generating INFORMATIONAL request 6 [ D ]
sending packet: from 158.64.1.171[50209] to 158.64.1.53[4500] (76 bytes)
received packet: from 158.64.1.53[4500] to 158.64.1.171[50209] (76 bytes)
parsed INFORMATIONAL response 6 [ D ]
deleting IKE_SA Test[6] between
158.64.1.171[ctompers]...158.64.1.53[vpn.restena.lu]
sending DELETE for IKE_SA Test[6]
generating INFORMATIONAL request 7 [ D ]
sending packet: from 158.64.1.171[50209] to 158.64.1.53[4500] (76 bytes)
received packet: from 158.64.1.53[4500] to 158.64.1.171[50209] (76 bytes)
parsed INFORMATIONAL response 7 [ ]
IKE_SA deleted

regards,
Claude


On 9/18/13 10:58 AM, Martin Willi wrote:
 Hi Claude,

 I have some keychain problems. I have a CA certificate installed in the
 system store and marked it as Always Trust, but I still get a server
 authentication failure.

 Both installing end entity and CA certificates to the Keychain as
 Always Trust works here on 10.8. Some notes:

   * Certificates should go to the System keychain
   * CA certificates must have the CA basicConstraint

 What version of OS X are you running?

 You might also try to tweak your syslogger to get the daemon startup log
 and check if there is something suspicious. To do so, for example add:

  daemon.info  /var/log/daemon.log

 to /etc/syslog.conf and restart the syslogger with

  launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
  launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

 During startup or any changes to the Keychain, you should see something
 like:

  loaded 209 certificates from /System/Library/Keychains/...
  loaded 12 certificates from /Library/Keychains/...

 Regards
 Martin


- -- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Re: [strongSwan] OS X strongSwan client

2013-09-18 Thread Claude Tompers


Ok,

Now it connected without having changed anything. :)

Thanks a lot,
Claude


On 9/18/13 2:31 PM, Martin Willi wrote:

 virtual IP 158.64.122.140 did not appear on utun1
 installing virtual IP 158.64.122.140 failed

 I've seen this a few times as well. This happens after installing the
 virtual IP, but the Kernel does not propagate this change back to
 userland using PF_ROUTE. The daemon can't continue installing the
 policies if the IP does not appear (at least with PF_KEY).

 Unfortunately I wasn't able to reproduce it reliably. Sometimes it works
 for days, sometimes it does not, might be a bug. I'll do some additional
 testing; maybe just increasing the (hardcoded) timeout helps.

 Regards
 Martin


- -- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

[strongSwan] strongswan 5.1.0 make error

2013-08-08 Thread Claude Tompers
Hi,

I'm trying to install strongswan 5.1.0 and I get the following error :

libtool: link: gcc -g -O2 -Wall -Wno-format -Wno-pointer-sign -include
/usr/src/strongswan-5.1.0/config.h -o .libs/malloc_speed malloc_speed.o 
../src/libstrongswan/.libs/libstrongswan.so -Wl,-rpath
-Wl,/usr/local/lib64/ipsec
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
malloc_speed.o: undefined reference to symbol 'clock_gettime@@GLIBC_2.2.5'
/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
note: 'clock_gettime@@GLIBC_2.2.5' is defined in DSO /lib64/librt.so.1
so try adding it to the linker command line
/lib64/librt.so.1: could not read symbols: Invalid operation
collect2: error: ld returned 1 exit status
make[2]: *** [malloc_speed] Error 1
make[2]: Leaving directory `/usr/src/strongswan-5.1.0/scripts'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/strongswan-5.1.0'
make: *** [all] Error 2


Any hint how to fix this ?

kind regards,
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: [strongSwan] strongswan 5.1.0 make error

2013-08-08 Thread Claude Tompers
On 08/08/2013 02:33 PM, Martin Willi wrote:
 Hi Claude,

 malloc_speed.o: undefined reference to symbol 'clock_gettime@@GLIBC_2.2.5'
 See http://wiki.strongswan.org/issues/373#change-1099 .

 Regards
 Martin

Hi Martin,

Thanks for your quick reply.

regards,
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





[strongSwan] Error with config includes

2013-06-20 Thread Claude Tompers
Hello,

I'm using included configuration files and I just discovered some
strange behaviour.
When I'm performing an 'ipsec start' I'm getting the following error :

Starting strongSwan 5.0.3 IPsec [starter]...
/etc/ipsec.conf:78: include files aborted due to read error
[ipsec.include/*conf]
unable to start strongSwan -- fatal errors in config

When I'm commenting line 78 (include statement), it starts fine.
When started, if I uncomment the include statement and perform a 'ipsec
reload', the included files are read and taken into account without a
problem.

Rights on the files are ok. Am I missing something ?

kind regards,

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





[strongSwan] Windows 7 connection fails

2013-05-02 Thread Claude Tompers
Hello,

I have a Windows 7 client that loses its IKEv2 connection with strongswan.

Strongswan logs is as follows :

May  2 14:31:09 casarrondo charon: 07[IKE] sending DPD request
May  2 14:31:09 casarrondo charon: 07[ENC] generating INFORMATIONAL
request 0 [ ]
May  2 14:31:13 casarrondo charon: 07[IKE] retransmit 1 of request with
message ID 0
May  2 14:31:21 casarrondo charon: 07[IKE] retransmit 2 of request with
message ID 0
May  2 14:31:34 casarrondo charon: 07[IKE] retransmit 3 of request with
message ID 0
May  2 14:31:57 casarrondo charon: 07[IKE] retransmit 4 of request with
message ID 0
May  2 14:32:39 casarrondo charon: 07[IKE] retransmit 5 of request with
message ID 0
May  2 14:33:55 casarrondo charon: 07[IKE] giving up after 5 retransmits
May  2 14:33:55 casarrondo charon: 07[IKE] unable to reestablish IKE_SA
due to asymmetric setup

The Windows 7 client on the other hand thinks that its VPN connection is
still alive but has no more connectivity.

Is this a known behaviour ? Is the issue on the server or the client side ?

kind regards,
Claude

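Reading the timeline in the log above: the gaps between the DPD request, its five retransmits and the final "giving up" follow charon's default retransmission policy (charon.retransmit_timeout = 4.0 s, charon.retransmit_base = 1.8, charon.retransmit_tries = 5), so the server declared the peer dead about 165 seconds after the first unanswered DPD. The script below is an added example, not code from the thread or from strongSwan; it parses the quoted log lines (the year is assumed, since syslog omits it) and checks the observed gaps against that policy.

```python
"""Reconstruct charon's retransmission schedule from the DPD log above.

Added example, not code from the thread or from strongSwan. The gaps
between 'sending DPD request', each 'retransmit n' and 'giving up' are
compared with charon's default policy (charon.retransmit_timeout = 4.0,
charon.retransmit_base = 1.8, charon.retransmit_tries = 5): attempt n
(counting from 0) is followed by a wait of timeout * base**n seconds.
"""
import re
from datetime import datetime

# The syslog lines quoted in the thread. syslog omits the year, so one
# is assumed when parsing (2013, the date of the post).
LOG = """\
May  2 14:31:09 casarrondo charon: 07[IKE] sending DPD request
May  2 14:31:09 casarrondo charon: 07[ENC] generating INFORMATIONAL request 0 [ ]
May  2 14:31:13 casarrondo charon: 07[IKE] retransmit 1 of request with message ID 0
May  2 14:31:21 casarrondo charon: 07[IKE] retransmit 2 of request with message ID 0
May  2 14:31:34 casarrondo charon: 07[IKE] retransmit 3 of request with message ID 0
May  2 14:31:57 casarrondo charon: 07[IKE] retransmit 4 of request with message ID 0
May  2 14:32:39 casarrondo charon: 07[IKE] retransmit 5 of request with message ID 0
May  2 14:33:55 casarrondo charon: 07[IKE] giving up after 5 retransmits
May  2 14:33:55 casarrondo charon: 07[IKE] unable to reestablish IKE_SA due to asymmetric setup
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(\w+)\] (.*)$")


def parse(log, year=2013):
    """Return [(timestamp, subsystem, message)] for every charon line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def retransmit_gaps(events):
    """Seconds between consecutive send attempts of the DPD request,
    ending with the gap to 'giving up'."""
    marks = [ts for ts, _, msg in events
             if msg.startswith(("sending DPD request", "retransmit ", "giving up"))]
    return [int((b - a).total_seconds()) for a, b in zip(marks, marks[1:])]


def expected_gaps(timeout=4.0, base=1.8, tries=5):
    """Default exponential back-off: one wait per retransmit plus the
    final wait before the request is abandoned."""
    return [round(timeout * base ** n, 2) for n in range(tries + 1)]


def matches_default_policy(observed, tolerance=1.0):
    """True if the observed gaps fit the default policy within timer
    granularity (the log has one-second resolution)."""
    expected = expected_gaps()
    return (len(observed) == len(expected)
            and all(abs(o - e) <= tolerance for o, e in zip(observed, expected)))


def time_to_declare_dead(timeout=4.0, base=1.8, tries=5):
    """Total seconds from the first DPD request until charon gives up."""
    return sum(expected_gaps(timeout, base, tries))


if __name__ == "__main__":
    gaps = retransmit_gaps(parse(LOG))
    print("observed gaps:", gaps)                    # [4, 8, 13, 23, 42, 76]
    print("expected gaps:", expected_gaps())         # [4.0, 7.2, 12.96, 23.33, 41.99, 75.58]
    print("default policy:", matches_default_policy(gaps))
    print("seconds until peer declared dead:", round(time_to_declare_dead()))  # 165
```

The same functions apply to any charon retransmit sequence: if the gaps do not fit the defaults, the deployment has tuned the retransmit settings, which is worth knowing before interpreting how long a lost peer stayed "up".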

[strongSwan] Dual Stack problems

2013-03-26 Thread Claude Tompers
Hello,

My strongswan 5.0.2 installation has some bizarre behaviour with IKEv2
connections that ask for both an IPv4 and an IPv6 address.

My client ipsec.conf is as follows:

conn IKEv2
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=nullpointerexception-cert.pem
    leftsourceip=%config4,%config6
    right=casarrondo.restena.lu
    rightauth=pubkey
    rightid=@casarrondo.restena.lu


My server ipsec.conf is as follows:

conn IKEv2-tech
    keyexchange=ikev2
    rightauth=pubkey
    rightsendcert=always
    rightid=C=LU, L=Luxembourg, O=Fondation RESTENA, OU=Technical, CN=*, E=*
    rightsourceip=%tech-v4,%tech-v6
    auto=add


Both pools are defined as follows:

  name      start             end                timeout  size  online   usage
  tech-v4   158.64.15.193     158.64.15.206      1h       14    0 ( 0%)  2 (14%)
  tech-v6   2001:a18:1:40::1  2001:a18:1:40::ff  1h       255   0 ( 0%)  0 ( 0%)


In the server logs, I see the following lines:

Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.193 in pool 'tech-v4'
Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.193 to peer 'C=LU ...
Mar 26 09:35:47 casarrondo charon: 07[IKE] peer requested virtual IP %any6
Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.194 in pool 'tech-v4'
Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.194 to peer 'C=LU ...

The client really ends up with two addresses from the tech-v4 pool.
I've changed the following line in the server's ipsec.conf:

rightsourceip=%tech-v6,%tech-v4

The result was that strongswan distributed 2 addresses from the tech-v6
pool.
Is there an error in my configuration?

kind regards,
Claude


Re: [strongSwan] Dual Stack problems

2013-03-26 Thread Claude Tompers
Hi Andreas,

Thanks for your answer.

kind regards,
Claude


On 03/26/2013 10:22 AM, Andreas Steffen wrote:
> Hi Claude,
>
> this problem with persistent SQL-based pools was fixed with
> 5.0.3rc1. See also our new example scenario
>
> https://www.strongswan.org/uml/testresults5rc/ikev2/ip-two-pools-v4v6-db/
>
> Regards
>
> Andreas
>
> On 03/26/2013 09:46 AM, Claude Tompers wrote:
>> Hello,
>>
>> My strongswan 5.0.2 installation has some bizarre behaviour with
>> IKEv2 connections that ask both an IPv4 and an IPv6 address.
>>
>> My client ipsec.conf is as follows :
>>
>> conn IKEv2
>>     keyexchange=ikev2
>>     left=%any
>>     leftauth=pubkey
>>     leftcert=nullpointerexception-cert.pem
>>     leftsourceip=%config4,%config6
>>     right=casarrondo.restena.lu
>>     rightauth=pubkey
>>     rightid=@casarrondo.restena.lu
>>
>>
>> My server ipsec.conf is as follows :
>>
>> conn IKEv2-tech
>>     keyexchange=ikev2
>>     rightauth=pubkey
>>     rightsendcert=always
>>     rightid=C=LU, L=Luxembourg, O=Fondation RESTENA, OU=Technical, CN=*, E=*
>>     rightsourceip=%tech-v4,%tech-v6
>>     auto=add
>>
>>
>> Both pools are defined as follows :
>>
>>   name      start             end                timeout  size  online   usage
>>   tech-v4   158.64.15.193     158.64.15.206      1h       14    0 ( 0%)  2 (14%)
>>   tech-v6   2001:a18:1:40::1  2001:a18:1:40::ff  1h       255   0 ( 0%)  0 ( 0%)
>>
>>
>> In the server logs, I see the following lines :
>>
>> Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.193 in pool 'tech-v4'
>> Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.193 to peer 'C=LU ...
>> Mar 26 09:35:47 casarrondo charon: 07[IKE] peer requested virtual IP %any6
>> Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.194 in pool 'tech-v4'
>> Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.194 to peer 'C=LU ...
>>
>> The client really ends up with two addresses from tech-v4 pool.
>> I've changed the following line in the server's ipsec.conf :
>>
>> rightsourceip=%tech-v6,%tech-v4
>>
>> The result was that strongswan distributed 2 addresses from the
>> tech-v6 pool. Is there an error in my configuration ?
>>
>> kind regards, Claude









[strongSwan] Rightgroups

2013-01-16 Thread Claude Tompers
Hi,

Is the rightgroups parameter in ipsec.conf applicable to certificate DNs?

kind regards,
Claude


Re: [strongSwan] Rightgroups

2013-01-16 Thread Claude Tompers
On 01/16/2013 09:23 AM, Martin Willi wrote:
> Hi Claude,
>
>> Is the rightgroups parameter in ipsec.conf applicable to certificate DNs?
> No, none of the DN components is interpreted as group.
>
> To limit a connection to an O=, OU= or other RDN you can use wildcards
> in rightid, such as C=CH, O=strongSwan, OU=sales, CN=*.
>
> Regards
> Martin

Hi Martin,

Thanks for the explanations, it works. :)

kind regards,
Claude


[strongSwan] xauth-pam with unprivileged user

2013-01-16 Thread Claude Tompers
Hello,

I'm using the xauth-pam module and strongswan runs as unprivileged user
'vpn'.
This failed.
Doing an strace, I found that charon is not permitted to read
/etc/shadow, even when adding user 'vpn' to the group 'shadow' which is
allowed to read the file.

After a little digging, I found that strongswan only looks up the main
group of user 'vpn', which in my case is the group 'vpn', but not the
other groups.

Together with a colleague, we wrote a small patch which fixed the issue
for us. I don't know if this is your preferred way of addressing this
issue. I attached it to this mail.

kind regards,
Claude


--- src/libstrongswan/utils/capabilities.c.orig	2013-01-16 14:43:14.784635907 +0100
+++ src/libstrongswan/utils/capabilities.c	2013-01-16 15:04:18.022753438 +0100
@@ -195,6 +195,33 @@
 	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
 #endif
 
+	int ngroups   = 0;
+	gid_t *groups = NULL;
+	struct passwd user, *uret;
+	char buffer[256];
+	if (getpwuid_r(this-uid, user, buffer, sizeof(buffer), uret) != 0) {
+		DBG1(DBG_LIB, failed to lookup UID(%ld): %s\n, this-uid, strerror(errno));
+		return FALSE;
+	}
+
+	if (getgrouplist(user.pw_name, this-gid, groups, ngroups) == -1  ngroups  0) {
+		groups = malloc(sizeof(gid_t) * ngroups);
+	if (getgrouplist(user.pw_name, this-gid, groups, ngroups) == -1) {
+			DBG1(DBG_LIB, failed to determine groups(%ld, %s): %s\n, this-uid, this-gid, strerror(errno));
+			free(groups);
+			return FALSE;
+	}
+	}
+
+	if (ngroups  0) {
+		if (setgroups(ngroups, groups) == -1) {
+			DBG1(DBG_LIB, failed to set groups(%ld, ngroup=%d): %s\n, this-uid, ngroups, strerror(errno));
+			free(groups);
+			return FALSE;
+		}
+		free(groups);
+	}
+
 	if (this-gid  setgid(this-gid) != 0)
 	{
 		DBG1(DBG_LIB, change to unprivileged group %u failed: %s,
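Review bot: the second DBG1 in this hunk, `failed to determine groups(%ld, %s): %s`, passes `this->gid` for a `%s` conversion, so the very error path meant to log a getgrouplist() failure would treat a gid as a string pointer; use `%u` for both the uid and the gid, as the existing `change to unprivileged group %u failed: %s` line in the trailing context does, and drop the `\n` from the three new messages since the surrounding DBG1 calls have none. Two more points on the lookup: getpwuid_r() returns the error number instead of setting errno, so `strerror(errno)` after it reports a stale value (keep the return value and pass that to strerror), and the fixed 256-byte buffer can fail with ERANGE for accounts with long gecos or home fields, where `sysconf(_SC_GETPW_R_SIZE_MAX)` gives a safe size. The whole lookup, two-pass getgrouplist() and setgroups() sequence is also exactly what `initgroups(user.pw_name, this->gid)` does on glibc and the BSDs, which would shorten the hunk and avoid depending on the non-POSIX getgrouplist() without a configure check. Finally, the inner `if (getgrouplist(...) == -1)` is indented at the same level as its enclosing `if`, which hides the nesting.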



Re: [strongSwan] Strongswan + Mac OSX

2013-01-10 Thread Claude Tompers
Hello,

Being back on the topic of making Mac OSX work with strongswan using
certificates, I found something interesting.
It seems that 'ipsec pki' generated certificates work whereas my
'home-grown' certificates do not work, simply because the first ones are
much smaller.

In fact, up to a client certificate size of 1200 bytes, OSX sends the
certificate in one packet and everything works fine.
If the client certificate is any bigger, OSX splits it up into two
packets and this is where things start to go wrong.

Strongswan then logs:

Jan 10 13:31:57 vpn charon: 06[ENC] decryption failed, invalid length
Jan 10 13:31:57 vpn charon: 06[ENC] could not decrypt payloads
Jan 10 13:31:57 vpn charon: 06[IKE] integrity check failed
Jan 10 13:31:57 vpn charon: 06[ENC] generating INFORMATIONAL_V1 request 1242058962 [ HASH N(INVAL_HASH) ]
Jan 10 13:31:57 vpn charon: 06[IKE] ID_PROT request with message ID 0 processing failed

Is this a known issue? Is there a workaround to this so I can be
independent of the certificate size?

kind regards,
Claude


On 09/10/2012 01:47 PM, Claude Tompers wrote:
> Hi Martin,
>
> I'm still under the impression that Mac OSX does not like my client
> certificate.
> Are there any special extensions that need to be set or that can not be
> set?
> I've noticed that my certificate has some more attributes than yours.
>
> Here's a copy of my client certificate:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 17 (0x11)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA/emailAddress=ad...@restena.lu
>         Validity
>             Not Before: Sep  7 07:26:06 2012 GMT
>             Not After : Sep  6 07:26:06 2017 GMT
>         Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=ctompers/emailAddress=claude.tomp...@restena.lu
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Client, S/MIME, Object Signing
>             Netscape Comment:
>                 RESTENA VPN Client Certificate
>             X509v3 Subject Key Identifier:
>                 57:50:91:24:6B:0F:19:9A:76:78:B1:5E:6F:8B:D0:D4:93:A8:1A:16
>             X509v3 Authority Key Identifier:
>                 keyid:F8:FD:2F:DA:23:BE:EE:8B:B4:FD:2B:D0:98:5C:C1:5F:1E:5B:74:AC
>                 DirName:/C=LU/ST=n/a/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA VPN CA/emailAddress=ad

Re: [strongSwan] Strongswan + Mac OSX

2012-09-17 Thread Claude Tompers
On 09/06/2012 03:04 PM, Claude Tompers wrote:
> On 09/06/2012 12:20 PM, Martin Willi wrote:
>> Claude,
>>
>>> The other Mountain Lion had the exact same behaviour as mine (also
>>> 10.8.1),
>> Strange, as my 10.8.1 works just fine.
>>
>>> the one with Lion installed 'only' complained about not being
>>> able to verify the server certificate.
>> Please be aware that Hybrid authentication did not work correctly in
>> Lion, failing with a certificate validation error. You'll have to use a
>> client certificate on Lion.
>>
>>> I also found this topic in an Apple Forum [...] I'm wondering if that
>>> problem is related.
>> Hard to say. One thing to consider with Mountain Lion is that
>> certificates now need a proper ACL on the private key for authentication
>> (set to racoon). This might be the problem with that L2TP/IPsec issue,
>> but not with Hybrid authenticated clients (and your error, the profile
>> installer sets ACLs just fine).
>>
>> You may try to test against our revobox demo setup [1] that uses
>> strongSwan and works fine here. An iOS / OS X profile is available at
>> [2], after installation you should be able to connect with tester /
>> test. If this works, something is wrong with your setup, if not,
>> something with your Mac.
>>
>> Regards
>> Martin
>>
>> [1]http://demo.revosec.ch/
>> [2]https://master.revosec.net/device/mobileconfig/62IUAFQH/62IUAFQH.mobileconfig
>
> Hi Martin,
>
> Thanks for the test. My MacBook says it could not validate the server
> certificate.
> At least this shows that my Macbook isn't completely broken.
> If you want to have a look at the logs, my machine's IP address is
> 158.64.1.176 or 2001:a18:1:8:.
>
> The connection works on my iPhone.
>
> The setup on Lion as well as on Mountain Lion uses a client certificate.
> So this time, I'm not in a hybrid environment.
>
> kind regards,
> Claude
Hi,

Testwise, I created a new CA with the ipsec pki tool according to your
wiki page (Mac + IKEv1). (My old CA is done with TinyCA).
With those certificates I get the same result as for the revobox setup,
but still no connection on Mountain Lion or Lion.

kind regards,
Claude






Re: [strongSwan] Strongswan + Mac OSX

2012-09-17 Thread Claude Tompers
On 09/17/2012 01:46 PM, Martin Willi wrote:
> Hi,
>
>> Testwise, I created a new CA with the ipsec pki tool according to your
>> wiki page (Mac + IKEv1). (My old CA is done with TinyCA).
>> With those certificates I get the same result as for the revobox setup,
>> but still no connection on Mountain Lion or Lion.
> It seems that installing .mobileconfig profiles on OS X does not work as
> intended (or, at least, not exactly the same way as on iOS). The CA
> certificate does not get installed properly for some reason. On iOS this
> seems to work fine.
>
> You may try to install the certificates manually, but don't forget to
> set proper ACLs. For the revobox setup, the official way on OS X uses
> an installer utility [1], not the .mobileconfig profile.
>
> But as your new certificates seem to work better, I'd guess that there
> was indeed something wrong with your old ones.
>
> Regards
> Martin
>
> [1]https://master.revosec.net/installer/revo-installer.app.zip

Hi Martin,

FINALLY it works. :)
It seems that the profile installs the CA certificate in the login store
instead of the system store in keychain. At least that's the only
difference I see.

Thanks a lot for your help and patience.

kind regards,
Claude


[strongSwan] %prompt not working

2012-09-11 Thread Claude Tompers
Hi,

My ipsec.secrets file contains the following line:

: RSA ctompers-key.pem %prompt

But instead of prompting me, strongswan-5.0.0 just says that it can't
find the private key.
Isn't this syntax supported anymore?

kind regards,
Claude


Re: [strongSwan] %prompt not working

2012-09-11 Thread Claude Tompers
Hi Gerald,

Thanks for your reply. I've read yesterday's discussion but I
thought you needed something more specific since you were talking about
sources etc.
I'm not really into writing my own code for strongswan, I just don't
want to have cleartext passwords in any files. Is there another way around?

kind regards,
Claude


On 09/11/2012 02:15 PM, rich...@ecos.de wrote:
> No it isn't supported anymore in 5.0 (see yesterday discussion about
> credential plugin)
>
> Gerald
>
>
> -----Original Message-----
> From: users-bounces+richter=ecos...@lists.strongswan.org [mailto:users-
> bounces+richter=ecos...@lists.strongswan.org] On Behalf Of Claude
> Tompers
> Sent: Tuesday, September 11, 2012 2:13 PM
> To: Users@lists.strongswan.org
> Subject: [strongSwan] %prompt not working
>
> Hi,
>
> My ipsec.secrets file contains the following line :
>
> : RSA ctompers-key.pem %prompt
>
> But instead of prompting me, strongswan-5.0.0 just says that it can't find
> the private key.
> Isn't this syntax supported anymore ?
>
> kind regards,
> Claude



Re: [strongSwan] %prompt not working

2012-09-11 Thread Claude Tompers
Hi Tobias,

Thanks for your reply. This works for me, it's easily scriptable in an
init script.
Is there a special reason for this?

kind regards,
Claude


On 09/11/2012 02:35 PM, Tobias Brunner wrote:
> Hi Claude, Gerald,
>
>> No it isn't supported anymore in 5.0 (see yesterday discussion about
>> credential plugin)
> That's not entirely true.  %prompt is still supported but not during a
> simple ipsec start.  You have to use ipsec rereadsecrets to get the prompt.
>
> Regards,
> Tobias




Re: [strongSwan] strongswan 5 IKEv1

2012-09-11 Thread Claude Tompers
On 09/11/2012 03:44 PM, Martin Willi wrote:
>>> 2. I have noticed that Charon/IKEv1 does not send radius accounting
>>> tickets. Will this work in future releases?
>> Yes, that currently does not work. I'll try to fix this, but I'm not
>> sure yet if this will happen for 5.0.1.
> Fixed with [1], RADIUS accounting should work in upcoming releases when
> using IKEv1 with xauth-eap and eap-radius.
>
> Regards
> Martin
>
> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=cf85ebbf

Awesome. Thanks a lot!! :)

regards,
Claude


[strongSwan] Strongswan 5 on Mac Mountain Lion

2012-09-07 Thread Claude Tompers
Hi,

I've tried to install strongswan on my Macbook using the howto on your
homepage:

http://wiki.strongswan.org/projects/strongswan/wiki/MacOSX

Strongswan complains about not finding any known IPsec stack.

Has something changed with Mac OS? Do I need to set other
configure options?

kind regards,
Claude


Re: [strongSwan] Strongswan + Mac OSX

2012-09-06 Thread Claude Tompers
On 09/05/2012 02:33 PM, Claude Tompers wrote:

Hi Martin,
> Hi Martin,
>> Hi Claude,
>>
>>> Still the same error. One thing that also appears odd, is that I don't
>>> see a config selection line in the log ( ie: selected peer config
>>> RESTENA ).
>> The config selection does not happen before the third ID_PROT exchange,
>> but just that message can't be decrypted.
>>
>>> Things start to become very odd. I've created an Apple profile with the
>>> VPN configuration. I imported it into my Macbook and into my iPhone.
>>> The connection works on the iPhone but does not on the Macbook.
>> I really don't know. Mountain Lion works fine here against both 5.0.0
>> and the latest snapshot.
I've tried with two other Macbooks, one also with Mountain Lion
(10.8.1), the other one with Lion (10.7.4).
The other Mountain Lion had the exact same behaviour as mine (also
10.8.1), the one with Lion installed 'only' complained about not being
able to verify the server certificate.
The logs here show that the Mac and the VPN server were at least
interchanging certificates.

Both machines were using the same generated Apple profile.

I also found this topic in an Apple Forum:
https://discussions.apple.com/thread/4158642?start=0&tstart=0
I'm wondering if that problem is related.

kind regards,
Claude
> Hmm, my personal certificate is in the system store and marked as
> "Always trust", the CA certificate is in the login store and marked the
> same way.
> There is nothing more to do there?
>
> Also, I had installed strongswan on my Macbook to test it. I imagine
> there should be no interactions between both VPN clients?
>
> kind regards,
> Claude
>> Regards
>> Martin







Re: [strongSwan] Strongswan + Mac OSX

2012-09-06 Thread Claude Tompers
On 09/06/2012 12:20 PM, Martin Willi wrote:
> Claude,
>
>> The other Mountain Lion had the exact same behaviour as mine (also
>> 10.8.1),
> Strange, as my 10.8.1 works just fine.
>
>> the one with Lion installed 'only' complained about not being
>> able to verify the server certificate.
> Please be aware that Hybrid authentication did not work correctly in
> Lion, failing with a certificate validation error. You'll have to use a
> client certificate on Lion.
>
>> I also found this topic in an Apple Forum [...] I'm wondering if that
>> problem is related.
> Hard to say. One thing to consider with Mountain Lion is that
> certificates now need a proper ACL on the private key for authentication
> (set to racoon). This might be the problem with that L2TP/IPsec issue,
> but not with Hybrid authenticated clients (and your error, the profile
> installer sets ACLs just fine).
>
> You may try to test against our revobox demo setup [1] that uses
> strongSwan and works fine here. An iOS / OS X profile is available at
> [2], after installation you should be able to connect with tester /
> test. If this works, something is wrong with your setup, if not,
> something with your Mac.
>
> Regards
> Martin
>
> [1]http://demo.revosec.ch/
> [2]https://master.revosec.net/device/mobileconfig/62IUAFQH/62IUAFQH.mobileconfig

Hi Martin,

Thanks for the test. My MacBook says it could not validate the server
certificate.
At least this shows that my Macbook isn't completely broken.
If you want to have a look at the logs, my machine's IP address is
158.64.1.176 or 2001:a18:1:8:.

The connection works on my iPhone.

The setup on Lion as well as on Mountain Lion uses a client certificate.
So this time, I'm not in a hybrid environment.

kind regards,
Claude


Re: [strongSwan] Strongswan + Mac OSX

2012-09-05 Thread Claude Tompers
Hi,

Things start to become very odd. I've created an Apple profile with the
VPN configuration. I imported it into my Macbook and into my iPhone.
The connection works on the iPhone but does not on the Macbook.
I'm wondering what I'm missing here. For the Macbook, the logs are still
the same as I posted.

kind regards,
Claude


On 09/03/2012 03:25 PM, Claude Tompers wrote:
> On 09/03/2012 03:09 PM, Martin Willi wrote:
>>> I just defined the certificate in the Mac interface but did not enter a
>>> username or password.
>> This won't work. If no credentials are given, OS X requests them once
>> XAuth starts. And it sends XAuthInitRSA in all proposals, making plain
>> RSA authentication impossible.
>>
>>> I've just tried that. Except I used rightauth2=xauth-eap which shouldn't
>>> change anything. The log output is exactly the same.
>> I think that should work with 5.0.0, but you might give the latest
>> snapshot [1] a try.
>>
>> Regards
>> Martin
>>
>> [1]http://download.strongswan.org/strongswan-5.0.1dr3.tar.bz2
>
> Still the same error. One thing that also appears odd, is that I don't
> see a config selection line in the log ( ie: selected peer config
> RESTENA ).
>
> ipsec.conf is now:
>
> conn RESTENA
>     keyexchange=ikev1
>     rightauth=pubkey
>     rightauth2=xauth-eap
>     rightsourceip=%ikev1
>
> kind regards,
> Claude






Re: [strongSwan] Strongswan + Mac OSX

2012-09-05 Thread Claude Tompers
Hi Martin,
> Hi Claude,
>
>> Still the same error. One thing that also appears odd, is that I don't
>> see a config selection line in the log ( ie: selected peer config
>> RESTENA ).
> The config selection does not happen before the third ID_PROT exchange,
> but just that message can't be decrypted.
>
>> Things start to become very odd. I've created an Apple profile with the
>> VPN configuration. I imported it into my Macbook and into my iPhone.
>> The connection works on the iPhone but does not on the Macbook.
> I really don't know. Mountain Lion works fine here against both 5.0.0
> and the latest snapshot.
Hmm, my personal certificate is in the system store and marked as
"Always trust", the CA certificate is in the login store and marked the
same way.
There is nothing more to do there?

Also, I had installed strongswan on my Macbook to test it. I imagine
there should be no interactions between both VPN clients?

kind regards,
Claude

> Regards
> Martin




[strongSwan] CRL issues

2012-09-05 Thread Claude Tompers
Hi,

On strongswan < 5, I was using certificates with IKEv1 and specifically
strictcrlpolicy=yes always worked fine.
My config was something like:

ca vpnca
    cacert=VPNCA-cacert.pem
    crluri=VPNCA-crl.pem
    auto=add

config setup
    strictcrlpolicy=yes
    ...


Now with strongswan 5.0.0 as well as with 5.0.1dr3, I've got the
following error:

Sep  5 08:02:26 vpn-test charon: 17[CFG]   fetching crl from 'VPNCA-crl.pem' ...
Sep  5 08:02:26 vpn-test charon: 17[CFG] crl fetching failed


I've changed ipsec.conf to:
crluri=file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem
Then the error was:

Sep  5 09:38:00 vpn-test charon: 19[CFG]   fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Sep  5 09:38:00 vpn-test charon: 19[CFG] crl fetched successfully but parsing failed


I've changed the CRL format to DER.
Now the error is:

Sep  5 10:27:19 vpn-test charon: 18[CFG]   fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.der' ...
Sep  5 10:27:19 vpn-test charon: 18[CFG] issuer of fetched CRL 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA, E=ad...@restena.lu' does not match CRL issuer 'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
Sep  5 10:27:19 vpn-test charon: 18[CFG] certificate status is not available


Has the behaviour of crluri changed?
Is it normal that PEM formatted CRLs can not be read anymore?
Why does strongswan compare the DN to a fingerprint? Am I missing an
option there?


kind regards,
Claude


Re: [strongSwan] CRL issues

2012-09-05 Thread Claude Tompers
On 09/05/2012 03:11 PM, Martin Willi wrote:
 Hi Claude,

 crluri=VPNCA-crl.pem
 fetching crl from 'VPNCA-crl.pem' ...
 crl fetching failed
 crluri takes an URI, not a file name (see ipsec.conf (5)). It might have
 worked with pluto, but it certainly does not with charon.

 fetching crl from 
 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
 A X.509 CRL distribution point always points to a DER encoded CRL (see
 [1]). We treat crluri exactly the same way, hence it must be encoded as
 DER, too.

 issuer of fetched CRL 'C=LU,[...]' does not match CRL issuer
  'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
 The relation between CRL and CRL issuer is resolved using the CRL
 authorityKeyIdentifier. This means that the CRL must contain an
 authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
 issuer (see [2]).

 Regards
 Martin

 [1]http://tools.ietf.org/html/rfc5280#section-4.2.1.13
 [2]http://tools.ietf.org/html/rfc5280#section-5.2.1

Hi Martin,

Thanks for the explanations.

I don't see an authorityKeyIdentifier in my CRL, but my openssl.cnf
contains :

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

Isn't this correct ?

kind regards,
Claude


Re: [strongSwan] CRL issues

2012-09-05 Thread Claude Tompers

 Hi Martin,

 Thanks for the explanations.

 I don't see an authorityKeyIdentifier in my CRL, but my openssl.cnf
 contains :

 [ crl_ext ]
 authorityKeyIdentifier = keyid:always,issuer:always
I found the problem. I was missing the 'crl_extensions = crl_ext' line
in my openssl.cnf.
It works now.

thanks a lot for your help.

kind regards,
Claude

 Isn't this correct ?

 kind regards,
 Claude



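The three points Martin makes in this thread (crluri must point at a DER CRL, not a PEM one; the CRL must carry an authorityKeyIdentifier; that identifier must equal the CA certificate's subjectKeyIdentifier) and the fix Claude found (the `[ crl_ext ]` section is ignored until the CA section says `crl_extensions = crl_ext`) can be reproduced against a throwaway CA. The script below is an added example, not code from the thread or from strongSwan; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH, and every file name and the CA subject in it are made up for the demonstration.

```python
"""Added example (not from the thread or from strongSwan): generate a demo CA
with and without `crl_extensions = crl_ext`, then run the checks charon applies
to a fetched CRL: is it DER, does it carry an AKI, does the AKI match the CA's SKI.
Assumes `openssl` on PATH; all names below are hypothetical."""
import base64
import os
import re
import subprocess
import tempfile

# Hypothetical CA configuration. `openssl ca` reads [ demo_ca ]; leaving the
# `crl_extensions = crl_ext` line out of it is the mistake from the thread:
# [ crl_ext ] exists, but nothing refers to it, so the CRL gets no AKI.
CA_CONF = """
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = {d}/index.txt
certificate      = {d}/ca.pem
private_key      = {d}/ca.key
default_md       = sha256
default_crl_days = 30
{crl_ext_line}

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = Demo VPN CA

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:TRUE
"""


def openssl(*args):
    """Run one openssl subcommand, fail loudly, return its stdout as text."""
    return subprocess.run(("openssl",) + args, check=True,
                          capture_output=True, text=True).stdout


def make_demo_ca(workdir, with_crl_extensions):
    """Create a self-signed CA and issue an empty CRL; returns (ca.pem, crl.pem)."""
    conf = os.path.join(workdir, "openssl.cnf")
    line = "crl_extensions   = crl_ext" if with_crl_extensions else ""
    with open(conf, "w") as f:
        f.write(CA_CONF.format(d=workdir, crl_ext_line=line))
    open(os.path.join(workdir, "index.txt"), "w").close()   # empty CA database
    ca_pem, crl_pem = os.path.join(workdir, "ca.pem"), os.path.join(workdir, "crl.pem")
    openssl("req", "-x509", "-config", conf, "-newkey", "rsa:2048", "-nodes",
            "-keyout", os.path.join(workdir, "ca.key"), "-out", ca_pem, "-days", "30")
    openssl("ca", "-config", conf, "-gencrl", "-crldays", "30", "-out", crl_pem)
    return ca_pem, crl_pem


def crl_format(path):
    """Tell PEM from DER by the first bytes, before handing the file to a parser."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"-----BEGIN"):
        return "PEM"
    if head[:1] == b"\x30":          # DER: outer SEQUENCE tag of a CertificateList
        return "DER"
    return "unknown"


def pem_to_der(pem_path, der_path):
    """Rewrite a PEM CRL as DER (what `openssl crl -outform DER` does)."""
    with open(pem_path) as f:
        body = "".join(line for line in f if not line.startswith("-----"))
    with open(der_path, "wb") as f:
        f.write(base64.b64decode(body))


def _keyid_after(text, header):
    """Hex key identifier printed on the line after `header` in `-text` output."""
    m = re.search(re.escape(header) + r":[ \t]*\n\s*(?:keyid:)?([0-9A-Fa-f:]+)", text)
    return m.group(1).upper() if m else None


def ski_of_cert(cert_pem):
    return _keyid_after(openssl("x509", "-in", cert_pem, "-noout", "-text"),
                        "X509v3 Subject Key Identifier")


def aki_of_crl(crl_der):
    return _keyid_after(openssl("crl", "-in", crl_der, "-inform", "DER", "-noout", "-text"),
                        "X509v3 Authority Key Identifier")


def crl_matches_issuer(cert_pem, crl_der):
    """The relation charon resolves: CRL authorityKeyIdentifier == CA subjectKeyIdentifier."""
    aki = aki_of_crl(crl_der)
    return aki is not None and aki == ski_of_cert(cert_pem)


def demo(with_crl_extensions):
    """Build CA and CRL in a temp dir and report what a strict CRL check would see."""
    with tempfile.TemporaryDirectory() as d:
        ca, crl_pem = make_demo_ca(d, with_crl_extensions)
        crl_der = os.path.join(d, "crl.der")
        pem_to_der(crl_pem, crl_der)
        return {"pem_format": crl_format(crl_pem), "der_format": crl_format(crl_der),
                "crl_aki": aki_of_crl(crl_der), "ca_ski": ski_of_cert(ca),
                "issuer_matches": crl_matches_issuer(ca, crl_der)}


if __name__ == "__main__":
    print("with crl_extensions:   ", demo(True))
    print("without crl_extensions:", demo(False))
```

With strictcrlpolicy=yes a CRL that cannot be parsed or matched to its issuer leaves the peer's certificate status unavailable, which is what the log in this thread shows; running the checks above on the file you are about to publish catches all three conditions before a client does.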

Re: [strongSwan] Strongswan + Mac OSX

2012-09-03 Thread Claude Tompers
On 09/03/2012 03:09 PM, Martin Willi wrote:
 I just defined the certificate in the Mac interface but did not enter a
 username or password.
 This won't work. If no credentials are given, OS X requests them once
 XAuth starts. And it sends XAuthInitRSA in all proposals, making plain
 RSA authentication impossible.

 I've just tried that. Except I used rightauth2=xauth-eap which shouldn't
 change anything. The log output is exactly the same.
 I think that should work with 5.0.0, but you might give the latest
 snapshot [1] a try.

 Regards
 Martin

 [1]http://download.strongswan.org/strongswan-5.0.1dr3.tar.bz2

Still the same error. One thing that also appears odd, is that I don't
see a config selection line in the log ( ie: selected peer config
RESTENA ).

ipsec.conf is now:

conn RESTENA
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth-eap
    rightsourceip=%ikev1

kind regards,
Claude


Re: [strongSwan] strongswan 5 IKEv1

2012-08-27 Thread Claude Tompers
On 08/24/2012 04:26 PM, Tobias Brunner wrote:
 Hi Claude,

 Is there a VPN client for Windows XP and Vista (preferably opensource)
 that's easier to setup than the native Windows client ?
 Shrew [1] works reasonably well on these systems and at least parts of
 it are open source [2] (not the Windows frontend apparently).

 Regards,
 Tobias

 [1] http://www.shrew.net/software
 [2] http://www.shrew.net/download/ike

Hi Tobias,

This seems to work quite well.
Thanks for the tip.

kind regards,
Claude


Re: [strongSwan] strongswan 5 IKEv1

2012-08-24 Thread Claude Tompers
On 08/21/2012 02:37 PM, Martin Willi wrote:
 1. I have some users that connect via Cisco VPN client. When do you
 foresee that Cisco quirks work with Charon/IKEv1 ?
 I myself don't have any plans to add support for those Cisco quirks. I
 think there are better alternatives (without the legal issues with the
 Cisco client) on all platforms.
Is there a VPN client for Windows XP and Vista (preferably opensource)
that's easier to setup than the native Windows client ?

 2. I have noticed that Charon/IKEv1 does not send radius accounting
 tickets. Will this work in future releases?
 Yes, that currently does not work. I'll try to fix this, but I'm not
 sure yet if this will happen for 5.0.1.

 Regards
 Martin




[strongSwan] IKEv2 cisco anyconnect app

2012-08-21 Thread Claude Tompers
Hi,

I did just stumble over the Cisco Anyconnect App for iPhone and I
wondered if (and I may be completely wrong) that app does IKEv2 ?
As far as I know, the 'normal' Anyconnect client is capable to connect
with IKEv2.

If so, is it compatible with strongswan ?

kind regards,
Claude


[strongSwan] Accounting Tickets

2012-02-24 Thread Claude Tompers
Hello,

I've set up a strongswan 4.6.2 test instance to test the new radius
accounting feature. It works great and I'm really happy since we've
wanted that feature for some time. :)
I've noticed though that the tickets do not contain information about
the tunnel outer ip address, typically in the Calling-Station-Id field.
Is there a precise reason that this field is missing, or would it be
possible to add it in a future release ?

kind regards,
Claude


Re: [strongSwan] Accounting Tickets

2012-02-24 Thread Claude Tompers
Hello Martin,

Thanks a lot for the patches, they work great.

kind regards,
Claude


[strongSwan] Ubuntu NetworkManager Problem ?

2012-02-06 Thread Claude Tompers
Hello,

One of our users has problems with his VPN installation. He's using
Ubuntu 11.10 with strongswan 4.5.2 and NetworkManager 0.9.1.90.
He claims that while trying to setup, NetworkManager freezes as soon as
he selects IPsec/IKEv2.
I don't have any further information because I don't have that machine
in my hands, so I'm just asking if there's any issue like this known to
you ?

kind regards,
Claude


Re: [strongSwan] Ubuntu NetworkManager Problem ?

2012-02-06 Thread Claude Tompers
Hi Martin,

Thanks for your quick response.

kind regards,
Claude


On 02/06/2012 10:02 AM, Martin Willi wrote:
 Hi Claude,

 He claims that while trying to setup, NetworkManager freezes as soon as
 he selects IPsec/IKEv2.
 Yes, the package is broken with the new NetworkManager release. I have
 upgraded the package [1] to NM 0.9, but it has not been pushed yet to
 Debian/Ubuntu.

 But even with the new package, it doesn't work without patching NM. I've
 submitted a fix [2], but it seems that more work is required to get NM
 fixed.

 Regards
 Martin

 [1]http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.3.0.tar.bz2
 [2]http://mail.gnome.org/archives/networkmanager-list/2011-September/msg00037.html




[strongSwan] Odd leases behaviour

2011-03-30 Thread Claude Tompers
Hello,

I just saw something very strange in 'ipsec pool --leases'.
I had two users online yesterday from about 15:00 to 19:00.
Instead of having assigned one single lease, I see the following output
for both :

...
ikev2  192.168.122.193  valid  Mar 29 16:43:19 2011  Mar 29 16:44:20 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:44:23 2011  Mar 29 16:45:24 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:46:06 2011  Mar 29 16:47:08 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:47:10 2011  Mar 29 16:48:11 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:48:13 2011  Mar 29 16:49:15 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:49:17 2011  Mar 29 16:50:18 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:50:25 2011  Mar 29 16:51:26 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:51:28 2011  Mar 29 16:52:30 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:52:33 2011  Mar 29 16:53:34 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:53:37 2011  Mar 29 16:54:38 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:54:40 2011  Mar 29 16:55:42 2011  username
ikev2  192.168.122.193  valid  Mar 29 16:55:44 2011  Mar 29 16:56:43 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:01:56 2011  Mar 29 17:02:58 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:03:00 2011  Mar 29 17:04:02 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:04:05 2011  Mar 29 17:05:06 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:05:08 2011  Mar 29 17:06:10 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:06:12 2011  Mar 29 17:07:13 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:07:15 2011  Mar 29 17:08:17 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:08:19 2011  Mar 29 17:09:21 2011  username
ikev2  192.168.122.193  valid  Mar 29 17:09:23 2011  Mar 29 17:10:02 2011  username
ikev2  192.168.122.193  valid  Mar 29 18:15:43 2011  Mar 29 18:16:44 2011  username
ikev2  192.168.122.193  valid  Mar 29 18:17:26 2011  Mar 29 18:18:27 2011  username
ikev2  192.168.122.193  valid  Mar 29 18:18:40 2011  Mar 29 18:18:46 2011  username
ikev2  192.168.122.193  valid  Mar 29 18:18:57 2011  Mar 29 18:19:15 2011  username
...

(Example output for one user)

This does not seem to have disturbed their VPN connection but I wonder
what could have caused this.

kind regards,
Claude
 

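The pattern in the post above, one lease of about a minute after another for the same identity and address, is easy to see by eye in a handful of rows and easy to miss in a pool with hundreds of users. The parser below is an added example, not code from the thread or from strongSwan: it reads `ipsec pool --leases` rows in the whitespace-separated column layout shown above and turns the churn into numbers per identity. The sample is the first five rows from the post plus one constructed long-lived lease for contrast; the thresholds in `is_churning` are this example's choice.

```python
"""Added example (not from the thread or from strongSwan): measure lease churn
per identity from `ipsec pool --leases` output. Sample rows: five from the post
above, one constructed; thresholds are illustrative."""
import re
import statistics
from collections import namedtuple
from datetime import datetime

Lease = namedtuple("Lease", "pool address status start end identity")
_TS = r"\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}"
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(%s)\s+(%s)\s+(.+?)\s*$" % (_TS, _TS))


def _ts(text):
    """'Mar 29 16:43:19 2011' (possibly with doubled spaces) -> datetime."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")


def parse_leases(lines):
    """One Lease per parsable row; the header line and '...' rows are skipped."""
    leases = []
    for line in lines:
        m = _ROW.match(line)
        if m:
            pool, addr, status, start, end, ident = m.groups()
            leases.append(Lease(pool, addr, status, _ts(start), _ts(end), ident))
    return leases


def summarize(leases):
    """Per identity: lease count, median lease length, median gap between
    consecutive leases, and the overall span, all in seconds."""
    by_id = {}
    for lease in leases:
        by_id.setdefault(lease.identity, []).append(lease)
    out = {}
    for ident, ls in by_id.items():
        ls.sort(key=lambda l: l.start)
        durations = [(l.end - l.start).total_seconds() for l in ls]
        gaps = [(b.start - a.end).total_seconds() for a, b in zip(ls, ls[1:])]
        out[ident] = {
            "leases": len(ls),
            "median_duration_s": statistics.median(durations),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "span_s": (ls[-1].end - ls[0].start).total_seconds(),
        }
    return out


def is_churning(stats, min_leases=3, max_duration_s=300, max_gap_s=120):
    """Many short leases with short gaps: the client keeps reconnecting rather
    than staying up. Thresholds are illustrative, not strongSwan defaults."""
    return (stats["leases"] >= min_leases
            and stats["median_duration_s"] <= max_duration_s
            and stats["median_gap_s"] is not None
            and stats["median_gap_s"] <= max_gap_s)


# Constructed sample: header and five rows as in the post, plus one made-up user.
SAMPLE = """
name   address          status  start                 end                   identity
ikev2  192.168.122.193  valid   Mar 29 16:43:19 2011  Mar 29 16:44:20 2011  username
ikev2  192.168.122.193  valid   Mar 29 16:44:23 2011  Mar 29 16:45:24 2011  username
ikev2  192.168.122.193  valid   Mar 29 16:46:06 2011  Mar 29 16:47:08 2011  username
ikev2  192.168.122.193  valid   Mar 29 16:47:10 2011  Mar 29 16:48:11 2011  username
ikev2  192.168.122.193  valid   Mar 29 16:48:13 2011  Mar 29 16:49:15 2011  username
ikev2  192.168.122.194  valid   Mar 29 15:02:10 2011  Mar 29 18:58:41 2011  otheruser
""".strip().splitlines()


def report(lines=SAMPLE):
    """Summary per identity with a churning flag attached."""
    return {ident: dict(s, churning=is_churning(s))
            for ident, s in summarize(parse_leases(lines)).items()}


if __name__ == "__main__":
    for ident, s in report().items():
        print(ident, s)
```

The report does not say why a client reconnects every minute (the thread leaves that open), but it gives a per-user figure that can be fed to monitoring, and the same parser works on the longer listing above.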

Re: [strongSwan] ipsec pool file with certificates

2010-10-29 Thread Claude Tompers
Thank you for your quick answer.
Is there no way to escape such characters ? i.e. ST=n\/a

regards,
Claude



On Friday 29 October 2010 09:14:43 Andreas Steffen wrote:
 The '/' and ',' characters are reserved for separating the
 individual Relative Distinguished Names (RDNs).
 
   openssl x509 -in carolCert.pem -notext -subject
 
 returns
 
   subject= /C=CH/O=Linux strongSwan/OU=Research/cn=ca...@strongswan.org
 
 and which can be used with right|leftid.
 
 Thus ST=n/a will cause a syntax error.
 
 Regards
 
 Andreas
 
 On 29.10.2010 08:10, Claude Tompers wrote:
  Hello Andreas,
  
  I've tried without the double quotes and it makes no difference for me.
  Could it be that I have an invalid character in my DN ? i.e. ST=n/a
  
  The complete DN is C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test 
  Certificate
  
  kind regards,
  Claude
  
  
  
  On Thursday 28 October 2010 23:59:01 Andreas Steffen wrote:
  Hello Claude,
 
  the Distinguished Names must be written in the address file without
  the double quotes:
 
  moon ipsec.d # cat addresses.txt
  10.3.0.1
  10.3.0.2
  10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, cn=ca...@strongswan.org
  10.3.0.4=C=CH, O=Linux strongSwan, OU=Accounting, cn=d...@strongswan.org
  10.3.0.5
  10.3.0.6=al...@strongswan.org
  10.3.0.7=venus.strongswan.org
  10.3.0.8
 
  ipsec pool --add bigpool --addresses addresses.txt --timeout 0
 
  After setting up a connection each from carol and dave to gateway moon
  and taking it down again I get:
 
  moon ipsec.d # ipsec pool --leases
  name     address   status  start                 end                   identity
  bigpool  10.3.0.3  static  Oct 28 23:52:38 2010  Oct 28 23:53:24 2010  C=CH, O=Linux strongSwan, OU=Research, cn=ca...@strongswan.org
  bigpool  10.3.0.4  static  Oct 28 23:53:10 2010  Oct 28 23:53:20 2010  C=CH, O=Linux strongSwan, OU=Accounting, cn=d...@strongswan.org
 
  Best regards
 
  Andreas
 
  On 10/28/2010 03:52 PM, Claude Tompers wrote:
  Hi,
 
  I get no error, I just don't get the IP address I reserved. I'm supposed 
  to get 192.168.122.190 (reserved) but I get 192.168.122.129 (the first 
  one in the pool).
 
  So I think that the id in the file, does not match the one sent by the 
  client ?
 
  regards,
  Claude
 
 
  On Thursday 28 October 2010 15:48:48 Martin Willi wrote:
  Hi,
 
  ipsec pool --add ikev1 --addresses /path/to/ikev1.addr --timeout 48
 
  I see.
 
  Should I write 192.168.122.190=X'302431133011060355040a130a7374726f6e677377616e310d300b0603550403130474657374' into the file ?
 
  No, the address file parser does this conversion for you, no need for
  manual conversion.
 
  It does not work for users that authenticate with a certificate
 
  What does not work? Do you get an error?
 
  Regards
  Martin
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 


Re: [strongSwan] ipsec pool file with certificates

2010-10-29 Thread Claude Tompers
Is this something that will be changed in a future release or are these 
characters not allowed in x509 certificates ?

regards,
Claude


On Friday 29 October 2010 10:50:29 Andreas Steffen wrote:
 Unfortunately there is currently no workaround.
 
 Regards
 
 Andreas
 
 On 29.10.2010 09:23, Claude Tompers wrote:
  Thank you for your quick answer.
  Is there no way to escape such characters ? i.e. ST=n\/a
  
  regards,
  Claude
  
  
  
  On Friday 29 October 2010 09:14:43 Andreas Steffen wrote:
  The '/' and ',' characters are reserved for separating the
  individual Relative Distinguished Names (RDNs).
 
openssl x509 -in carolCert.pem -notext -subject
 
  returns
 
subject= /C=CH/O=Linux strongSwan/OU=Research/cn=ca...@strongswan.org
 
  and which can be used with right|leftid.
 
  Thus ST=n/a will cause a syntax error.
 
  Regards
 
  Andreas
 
  On 29.10.2010 08:10, Claude Tompers wrote:
  Hello Andreas,
 
  I've tried without the double quotes and it makes no difference for me.
  Could it be that I have an invalid character in my DN ? i.e. ST=n/a
 
  The complete DN is C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, 
  CN=Test Certificate
 
  kind regards,
  Claude
 
 
 
  On Thursday 28 October 2010 23:59:01 Andreas Steffen wrote:
  Hello Claude,
 
  the Distinguished Names must be written in the address file without
  the double quotes:
 
  moon ipsec.d # cat addresses.txt
  10.3.0.1
  10.3.0.2
  10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, cn=ca...@strongswan.org
  10.3.0.4=C=CH, O=Linux strongSwan, OU=Accounting, cn=d...@strongswan.org
  10.3.0.5
  10.3.0.6=al...@strongswan.org
  10.3.0.7=venus.strongswan.org
  10.3.0.8
 
  ipsec pool --add bigpool --addresses addresses.txt --timeout 0
 
  After setting up a connection each from carol and dave to gateway moon
  and taking it down again I get:
 
  moon ipsec.d # ipsec pool --leases
  name     address   status  start                 end                   identity
  bigpool  10.3.0.3  static  Oct 28 23:52:38 2010  Oct 28 23:53:24 2010  C=CH, O=Linux strongSwan, OU=Research, cn=ca...@strongswan.org
  bigpool  10.3.0.4  static  Oct 28 23:53:10 2010  Oct 28 23:53:20 2010  C=CH, O=Linux strongSwan, OU=Accounting, cn=d...@strongswan.org
 
  Best regards
 
  Andreas
 
  On 10/28/2010 03:52 PM, Claude Tompers wrote:
  Hi,
 
  I get no error, I just don't get the IP address I reserved. I'm 
  supposed to get 192.168.122.190 (reserved) but I get 192.168.122.129 
  (the first one in the pool).
 
  So I think that the id in the file, does not match the one sent by the 
  client ?
 
  regards,
  Claude
 
 

Re: [strongSwan] ipsec pool file with certificates

2010-10-29 Thread Claude Tompers
Hello Andreas,

Thank you very much.

kind regards,
Claude



On Friday 29 October 2010 14:04:13 Andreas Steffen wrote:
 Hello Claude,
 
 it is part of a larger problem. In the near future we should
 support UTF-8 encoded strings in X.509 certificates, so that
 we have to extend our RDN parser/generator anyway.
 
 As a quick and dirty hack for your problem you could modify
 the atodn() function
 
 http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/utils/identification.c;h=0696c1030d9bb63fdba5a6dcac34665742a6ab0c;hb=HEAD#l339
 
 by removing all checks for the '/' character, leaving only the
 tests for the ',' separator.
 
 Best regards
 
 Andreas
 
 On 29.10.2010 13:41, Claude Tompers wrote:
  Is this something that will be changed in a future release or are
  these characters not allowed in x509 certificates ?
  
  regards, Claude
  
  
  On Friday 29 October 2010 10:50:29 Andreas Steffen wrote:
  Unfortunately there is currently no workaround.
  
  Regards
  
  Andreas
  
  On 29.10.2010 09:23, Claude Tompers wrote:
  Thank you for your quick answer. Is there no way to escape such
  characters ? i.e. ST=n\/a
  
  regards, Claude
  
  
  
  On Friday 29 October 2010 09:14:43 Andreas Steffen wrote:
  The '/' and ',' characters are reserved for separating the 
  individual Relative Distinguished Names (RDNs).
  
  openssl x509 -in carolCert.pem -notext -subject
  
  returns
  
  subject= /C=CH/O=Linux strongSwan/OU=Research/cn=ca...@strongswan.org
  
  and which can be used with right|leftid.
  
  Thus ST=n/a will cause a syntax error.
  
  Regards
  
  Andreas
  
  On 29.10.2010 08:10, Claude Tompers wrote:
  Hello Andreas,
  
  I've tried without the double quotes and it makes no
  difference for me. Could it be that I have an invalid
  character in my DN ? i.e. ST=n/a
  
  The complete DN is C=LU, ST=n/a, L=Luxembourg, O=Fondation
  RESTENA, CN=Test Certificate
  
  kind regards, Claude
  
  
  
  On Thursday 28 October 2010 23:59:01 Andreas Steffen wrote:
  Hello Claude,
  
  the Distinguished Names must be written in the address file
  without the double quotes:
  
  moon ipsec.d # cat addresses.txt
  10.3.0.1
  10.3.0.2
  10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, cn=ca...@strongswan.org
  10.3.0.4=C=CH, O=Linux strongSwan, OU=Accounting, cn=d...@strongswan.org
  10.3.0.5
  10.3.0.6=al...@strongswan.org
  10.3.0.7=venus.strongswan.org
  10.3.0.8
  
  ipsec pool --add bigpool --addresses addresses.txt --timeout 0
  
  After setting up a connection each from carol and dave to
  gateway moon and taking it down again I get:
  
  moon ipsec.d # ipsec pool --leases
  name     address   status  start                 end                   identity
  bigpool  10.3.0.3  static  Oct 28 23:52:38 2010  Oct 28 23:53:24 2010  C=CH, O=Linux strongSwan, OU=Research, cn=ca...@strongswan.org
  bigpool  10.3.0.4  static  Oct 28 23:53:10 2010  Oct 28 23:53:20 2010  C=CH, O=Linux strongSwan, OU=Accounting, cn=d...@strongswan.org
  
  Best regards
  
  Andreas
  
  On 10/28/2010 03:52 PM, Claude Tompers wrote:
  Hi,
  
  I get no error, I just don't get the IP address I
  reserved. I'm supposed to get 192.168.122.190 (reserved)
  but I get 192.168.122.129 (the first one in the pool).
  
  So I think that the id in the file, does not match the
  one sent by the client ?
  
  regards, Claude
  
 

[strongSwan] ipsec pool file with certificates

2010-10-28 Thread Claude Tompers
Hello,

I want to statically assign IP addresses to roadwarriors. I'm doing this with 
an address file that I load into the sqlite database.

This works fine for eap authenticated users :

* 192.168.122.254=ctompers
* ikev2  192.168.122.254  expired  Oct 26 09:01:17 2010  Oct 26 09:01:44 2010  ctompers

It does not work for users that authenticate with a certificate :

* 192.168.122.190="C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate"
OR
* 192.168.122.190=C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate

* ikev1  192.168.122.129  valid  Oct 28 14:48:24 2010  Oct 28 14:48:33 2010  C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate

I suppose I use the wrong format for putting the certificate in the file ? How 
does this work ?

kind regards,
Claude



Re: [strongSwan] ipsec pool file with certificates

2010-10-28 Thread Claude Tompers
Hi Martin,

* 192.168.122.190=C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate

This is the format in my file (ikev2.addr), I imported them into the db with:

ipsec pool --add ikev1 --addresses /path/to/ikev1.addr --timeout 48

Should I write 192.168.122.190=X'302431133011060355040a130a7374726f6e677377616e310d300b0603550403130474657374' into the file ?

Or do I need to store the identities separately ?

regards,
Claude



On Thursday 28 October 2010 15:28:30 Martin Willi wrote:
 Hi Claude,
 
  * 192.168.122.190=C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate
 
 How did you store these identities in the database?
 
 strongSwan expects these identities in the encoded ASN1 form. We ship a
 helper script with our distribution to convert identities to valid SQL
 code:
 
 ./scripts/id2sql "O=strongswan, CN=test"
 
  type  encoding
  9,    X'302431133011060355040a130a7374726f6e677377616e310d300b0603550403130474657374'
 
 Regards
 Martin
 
 

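Martin's reply shows what the database actually holds for a certificate identity: type 9 and the DER encoding of the X.501 Name as a blob literal. The encoder below is an added example, not code from the thread or from strongSwan (whose own helper is scripts/id2sql, quoted above); it reproduces the quoted id2sql output byte for byte and parses address-file lines of the form `address=identity`, the format Andreas's addresses.txt uses further up the thread. Assumptions: only the attribute types that appear on this page are mapped; values that fit the PrintableString character set are encoded as PrintableString (tag 0x13, which is what the quoted output uses for "strongswan" and "test"), e-mail attributes as IA5String, anything else as UTF8String. Splitting the DN on ',' alone is this example's choice; according to the thread, strongSwan's parser at the time also treated '/' as a separator, which is why "ST=n/a" was rejected there.

```python
"""Added example (not from the thread or from strongSwan): DER-encode the DN
identities of an `ipsec pool` address file into the form the quoted id2sql
output shows (type 9, ID_DER_ASN1_DN, blob literal X'...')."""

ATTR_OIDS = {                          # RDN attribute types that appear on the page
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "E": "1.2.840.113549.1.9.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")
ID_DER_ASN1_DN = 9                     # IKE identification type (RFC 7296, 3.5)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fold into one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def encode_value(attr, value):
    """String type chosen per attribute (assumption stated in the lead-in)."""
    if attr in ("E", "EMAILADDRESS"):
        return tlv(0x16, value.encode("ascii"))    # IA5String
    if set(value) <= PRINTABLE:
        return tlv(0x13, value.encode("ascii"))    # PrintableString
    return tlv(0x0C, value.encode("utf-8"))        # UTF8String


def dn_to_der(dn):
    """'O=strongswan, CN=test' -> DER Name: SEQUENCE of single-valued SETs of
    SEQUENCE { OID, value }, in the order written. Splits on ',' only."""
    rdns = b""
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        attr = attr.strip().upper()
        atv = tlv(0x30, encode_oid(ATTR_OIDS[attr]) + encode_value(attr, value.strip()))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)


def id2sql(dn):
    """(type, blob literal) in the shape the quoted id2sql output shows."""
    return ID_DER_ASN1_DN, "X'%s'" % dn_to_der(dn).hex()


def parse_address_line(line):
    """Address-file row: 'addr' or 'addr=identity'. The identity itself contains
    '=' for a DN, so only the first '=' separates address from identity."""
    addr, sep, identity = line.strip().partition("=")
    return addr, (identity if sep else None)


if __name__ == "__main__":
    print(id2sql("O=strongswan, CN=test"))
    # Constructed address-file rows; the e-mail attribute is hypothetical.
    for row in ("10.3.0.5",
                "10.3.0.3=C=CH, O=Linux strongSwan, OU=Research, E=user@example.org",
                "192.168.122.190=C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=Test Certificate"):
        addr, ident = parse_address_line(row)
        print(addr, ident and id2sql(ident))
```

Because the stored value is the DER encoding, the identity only matches when the RDN order, attribute types and string types agree with what the client's certificate carries; a DN that is textually "the same" but encoded as UTF8String where the certificate used PrintableString is a different blob.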

Re: [strongSwan] Split tunneling

2010-10-26 Thread Claude Tompers
Hello Andreas,

It works now, the banner as well as the split tunneling. Thank you very much 
for your help.
I suppose the bug will be fixed in version 4.5.0? Will it be on time in 6 days?

kind regards,
Claude



On Monday 25 October 2010 20:02:25 Andreas Steffen wrote:
 Hello Claude,
 
 I think I discovered the bug. In modecfg.c the attributes payload
 was aligned to a 4-byte boundary but according to RFC 2408 only
 the overall ISAKMP message should be aligned:
 
http://tools.ietf.org/html/rfc2408#section-3.6
 
If the SA Attributes are not aligned on 4-byte boundaries,
 then subsequent payloads will not be aligned and any padding will
 be added at the end of the message to make the message 4-octet
 aligned.
 
 The patch
 
  
 http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1f2c32835519b31ac5a30c95de2102086dec3cf8
 
 should fix this. Alternatively you can try the latest release
 candidate 4.5.0rc3:
 
http://download.strongswan.org/strongswan-4.5.0rc3.tar.bz2
 
 Regards
 
 Andreas
 
 On 10/25/2010 08:19 AM, Claude Tompers wrote:
  Hello Andreas,
 
  Sorry for not answering last week anymore, I was already off work.
  For the banner, things start getting very odd.
 
  It works if I don't define a banner. (nobanner.log)
  It works if I redefine the same strongswan banner. (except for a \ that slipped in before the !) (std_banner.log)
  It does not work if I define my own banner. ("Welcome to RESTENA VPN.") (custom_banner.log)
 
  kind regards, Claude
 
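Andreas's diagnosis above is about where padding belongs: RFC 2408 pads the whole ISAKMP message to a 4-octet multiple, not each attribute inside the Mode Config attributes payload. The script below is an added example, not code from the thread or from strongSwan. It encodes data attributes as RFC 2408 section 3.3 lays them out, builds the attributes payload once correctly and once with per-attribute padding, and runs a conforming parser over both to show why a client stops at "Negotiating security policies" when the padded form arrives. The attribute values are constructed; the type numbers are the standard Mode Config value for INTERNAL_IP4_ADDRESS and the private-use values strongSwan uses for the Cisco Unity attributes. A 23-byte banner is used deliberately: it is the first attribute in the sample that is not already a multiple of four, so it is where the faulty encoder inserts a byte.

```python
"""Added example (not from the thread or from strongSwan): ISAKMP Mode Config
attribute encoding per RFC 2408 3.3, correct form beside the per-attribute
padding fault, and a parser that shows the padded form is unreadable."""
import struct
from ipaddress import IPv4Address, IPv4Network

ISAKMP_CFG_REPLY = 2
INTERNAL_IP4_ADDRESS = 1
UNITY_BANNER, UNITY_DEF_DOMAIN, UNITY_SPLIT_INCLUDE = 28672, 28674, 28676


def encode_attribute(atype, value, pad_each=False):
    """One data attribute: AF=1 carries a 2-byte value inside the 4-byte header,
    AF=0 carries a 2-byte length followed by the value. pad_each=True reproduces
    the bug: each attribute rounded up to a 4-byte boundary."""
    if len(value) == 2:
        return struct.pack("!H", 0x8000 | atype) + value
    out = struct.pack("!HH", atype, len(value)) + value
    if pad_each:
        out += b"\x00" * (-len(out) % 4)
    return out


def encode_attributes(attr_list, pad_each=False):
    return b"".join(encode_attribute(t, v, pad_each) for t, v in attr_list)


def decode_attributes(data):
    """Walk attributes back to back, as a peer does; ValueError where the layout breaks."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        head, second = struct.unpack_from("!HH", data, off)
        off += 4
        if head & 0x8000:                                 # AF=1: `second` is the value
            attrs.append((head & 0x7FFF, struct.pack("!H", second)))
        else:                                             # AF=0: `second` is a length
            if off + second > len(data):
                raise ValueError("attribute %d claims %d bytes past the end" % (head, second))
            attrs.append((head, data[off:off + second]))
            off += second
    return attrs


def decodes_cleanly(data):
    try:
        decode_attributes(data)
        return True
    except ValueError:
        return False


def split_include_entry(network):
    """UNITY_SPLIT_INCLUDE entry: address, mask, protocol, source port, destination port."""
    net = IPv4Network(network)
    return net.network_address.packed + net.netmask.packed + struct.pack("!HHH", 0, 0, 0)


def modecfg_payload(attr_list, identifier=0, msg_type=ISAKMP_CFG_REPLY, pad_each=False):
    """Attributes payload: next payload, reserved, payload length, type, reserved,
    identifier, then the attributes. No padding belongs inside this payload."""
    body = encode_attributes(attr_list, pad_each)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), msg_type, 0, identifier) + body


def pad_message(message):
    """RFC 2408: padding, if any, goes at the end of the whole message."""
    return message + b"\x00" * (-len(message) % 4)


# Constructed reply: an address, a 23-byte banner (not a multiple of four), a
# default domain and one split-include subnet, like the attributes in the thread.
SAMPLE_ATTRS = [
    (INTERNAL_IP4_ADDRESS, IPv4Address("10.3.0.5").packed),
    (UNITY_BANNER, b"Welcome to RESTENA VPN."),
    (UNITY_DEF_DOMAIN, b"restena.lu"),
    (UNITY_SPLIT_INCLUDE, split_include_entry("10.1.0.0/16")),
]

if __name__ == "__main__":
    good = modecfg_payload(SAMPLE_ATTRS)
    bad = modecfg_payload(SAMPLE_ATTRS, pad_each=True)
    print(len(good), len(pad_message(good)), decodes_cleanly(good[8:]))
    print(len(bad), decodes_cleanly(bad[8:]))
```

In the padded form the parser finishes the banner one byte early relative to the next header, reads the pad byte as the high byte of an attribute type and the following bytes as a length of several hundred octets, and gives up; a real client does the same and keeps retransmitting its request, which is the behaviour Andreas saw in the log.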

[strongSwan] MacOS 10.7

2010-10-22 Thread Claude Tompers
Hello,

Does anybody know if the MacOS built-in VPN client will be able to do IKEv2 in 
the new MacOS 10.7 Lion ?


kind regards,
Claude



Re: [strongSwan] Split tunneling

2010-10-22 Thread Claude Tompers
Hello Andreas,

Thank you for your quick reply. Sadly, it does not work, but I think we're on 
the right path.
The Cisco client tells me "Negotiating security policies" before it stops silently.
On the other side, I don't see much in the pluto logs.
Any ideas ?

kind regards,
Claude


On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
 Hello Claude,
 
 yes it should be possible with the Cisco_Unity functionality added
 to the attr-sql plugin with strongswan-4.4.1:
 
 - Enable the attr-sql and sqlite plugins
 
   ./configure ... --enable-sqlite --enable-attr-sql
 
 - Create an SQLite database:
 
   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
 
 - Define the path to the database in strongswan.conf
 
   libhydra {
     plugins {
       attr-sql {
         database = sqlite:///etc/ipsec.d/ipsec.db
       }
     }
   }
 
 - Create a virtual IP pool in the database using the ipsec pool tool
 
   ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
 
 - Add internal DNS and WINS servers
 
   ipsec pool --addattr dns  --server 10.1.0.10
   ipsec pool --addattr dns  --server 10.1.1.10
   ipsec pool --addattr nbns --server 10.1.0.20
   ipsec pool --addattr nbns --server 10.1.1.20
 
 - Add default domain
 
   ipsec pool --addattr unity_def_domain  --string strongswan.org
 
 - Add welcome banner
 
   ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
 
 - Add split tunneling subnets !!!
 
   ipsec pool --addattr unity_split_include --subnet 10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0
 
 - List all configured attributes
 
   ipsec pool --statusattr
 
 - Configure the pool in ipsec.conf
 
   conn rw-cisco
       right=%any
       rightsourceip=%mypool
       leftsubnet=0.0.0.0/0
 
 I haven't actually tested this with the Cisco VPN Client but it
 should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
 networks are tunneled.
 
 Regards
 
 Andreas
 
 On 21.10.2010 10:57, Claude Tompers wrote:
  Hello,
  
  Is it possible to do split tunneling with CISCO VPN client and pluto
  so that a road-warrior is still able to access i.e. printers in his
  local network ?
  
  kind regards Claude
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


signature.asc
Description: This is a digitally signed message part.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
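What the `ipsec pool --addattr` entries above turn into on the wire is an ISAKMP Configuration (ModeCfg) attribute payload. The following is an added example, written for this page and not code from the thread or from strongSwan: it encodes the REPLY a gateway would send for the pool and attributes Andreas lists, then decodes it with the length checks a receiver has to apply. The attribute numbers (INTERNAL_IP4_* from the ModeCfg draft, the 28672-range Cisco Unity numbers) and the 14-byte split-include entry layout are the ones open-source IKEv1 clients and strongSwan use; the message identifier, the virtual IP and the DNS address are constructed values. A decoder like this, run over a capture, is the quickest way to check the suspicion raised later in the thread that an attribute or total payload length is off. Note also that split-include is advice to the client; what the gateway actually forwards is governed by its own traffic selectors (leftsubnet), which is why Andreas suggests aligning leftsubnet with the split-include list.

```python
"""ModeCfg REPLY encoder/decoder for the Cisco Unity attributes in the thread.
Added illustration; not strongSwan code.  Values marked below are constructed."""
import ipaddress
import struct

ISAKMP_CFG_REPLY = 2

# Configuration attribute types (ModeCfg draft / Cisco Unity)
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_NBNS = 4
UNITY_BANNER = 28672
UNITY_DEF_DOMAIN = 28674
UNITY_SPLIT_INCLUDE = 28676

AF_BIT = 0x8000          # attribute-format bit: 1 = 2-byte value (TV), 0 = length + value (TLV)
HDR = struct.Struct('!BBHBBH')   # next payload, reserved, length, cfg type, reserved, identifier
ATTR_HDR = struct.Struct('!HH')  # type (with AF bit), length or value
SPLIT_ENTRY_LEN = 14             # addr(4) mask(4) protocol(2) src port(2) dst port(2)


def encode_split_include(subnets):
    """Cisco Unity split-include value: one 14-byte entry per subnet, ports/proto zero."""
    out = b''
    for s in subnets:
        net = ipaddress.IPv4Network(s, strict=True)
        out += net.network_address.packed + net.netmask.packed + b'\x00' * 6
    return out


def decode_split_include(value):
    """Inverse of encode_split_include; rejects a value that is not whole entries."""
    if len(value) % SPLIT_ENTRY_LEN:
        raise ValueError('split-include length %d is not a multiple of %d'
                         % (len(value), SPLIT_ENTRY_LEN))
    nets = []
    for i in range(0, len(value), SPLIT_ENTRY_LEN):
        addr = ipaddress.IPv4Address(value[i:i + 4])
        mask = ipaddress.IPv4Address(value[i + 4:i + 8])
        nets.append(str(ipaddress.IPv4Network('%s/%s' % (addr, mask))))
    return nets


def encode_attribute(atype, value):
    """TLV form: 15-bit type with AF bit clear, 2-byte length, value bytes."""
    if atype & AF_BIT:
        raise ValueError('attribute type must fit in 15 bits')
    if len(value) > 0xFFFF:
        raise ValueError('attribute value too long')
    return ATTR_HDR.pack(atype, len(value)) + value


def encode_modecfg_reply(identifier, attrs, next_payload=0):
    """Attribute payload header followed by the attributes, total length filled in."""
    body = b''.join(encode_attribute(t, v) for t, v in attrs)
    length = HDR.size + len(body)
    if length > 0xFFFF:
        raise ValueError('attribute payload too long')
    return HDR.pack(next_payload, 0, length, ISAKMP_CFG_REPLY, 0, identifier) + body


def decode_modecfg(data):
    """Parse an attribute payload; raise ValueError on any length that does not add up."""
    if len(data) < HDR.size:
        raise ValueError('truncated attribute payload header')
    _np, _r1, length, cfg_type, _r2, identifier = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError('payload length %d != %d bytes on the wire' % (length, len(data)))
    attrs, off = [], HDR.size
    while off < length:
        if off + ATTR_HDR.size > length:
            raise ValueError('truncated attribute header at offset %d' % off)
        raw_type, second = ATTR_HDR.unpack_from(data, off)
        off += ATTR_HDR.size
        if raw_type & AF_BIT:                 # TV: 'second' is the 2-byte value itself
            attrs.append((raw_type & 0x7FFF, struct.pack('!H', second)))
        else:                                 # TLV: 'second' is the value length
            if off + second > length:
                raise ValueError('attribute %d overruns payload' % raw_type)
            attrs.append((raw_type, data[off:off + second]))
            off += second
    return cfg_type, identifier, attrs


def thread_reply():
    """REPLY carrying the attributes configured in the thread (identifier and
    addresses are constructed for this example)."""
    return encode_modecfg_reply(0x1234, [
        (INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address('10.3.0.1').packed),
        (INTERNAL_IP4_DNS, ipaddress.IPv4Address('10.1.0.10').packed),
        (UNITY_DEF_DOMAIN, b'strongswan.org'),
        (UNITY_BANNER, b'The network will be down from 6-8 pm'),
        (UNITY_SPLIT_INCLUDE, encode_split_include(['10.1.0.0/255.255.0.0',
                                                    '10.3.5.0/255.255.255.0'])),
    ])


if __name__ == '__main__':
    pkt = thread_reply()
    cfg_type, ident, attrs = decode_modecfg(pkt)
    print('%d bytes, cfg type %d, identifier %#x' % (len(pkt), cfg_type, ident))
    for atype, value in attrs:
        shown = decode_split_include(value) if atype == UNITY_SPLIT_INCLUDE else value
        print('  %5d  %s' % (atype, shown))
```

Run it as a script to see the 114-byte payload decoded; feed `decode_modecfg` a payload pulled from a pluto or client capture to find which attribute breaks the length accounting.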

Re: [strongSwan] Split tunneling

2010-10-22 Thread Claude Tompers
Hello Andreas,

They all fail, as soon as I set one of them (unity_def_domain / banner / 
unity_split_include). Cisco client says "Negotiating security policies" and it 
fails.
If I don't have any of those attributes set, it immediately passes on to saying 
"Securing channel communication" and succeeds.

kind regards,
Claude


On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
 Hello Claude,
 
 it is not evident from the log which attribute[s]
 the Cisco VPN client doesn't like. I recommend to
 remove all Cisco_Unity attributes from the SQLite
 database keeping only the virtual IP so that the
 negotiation goes on to Quick Mode and then add
 back the attributes one-by-one until ModeCfg fails
 so that the actual error can be identified.
 
 I just know that Astaro got the split tunneling working
 since we jointly developed the attr-sql functionality
 but I didn't test the interoperability with the Cisco
 client myself.
 
 Regards
 
 Andreas
 
 On 22.10.2010 11:40, Claude Tompers wrote:
  I attached the Cisco log.
  I think the interesting part starts at message 24.
  
  kind regards,
  Claude
  
  
  On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
  Hmmm, it seems that the Cisco client doesn't like
  strongSwan's ModeCfg reply containing all these
  Cisco Unity attributes because it just keeps
  retransmitting the ModeCfg request. Could you
  find out what errors occur in the Cisco log?
 
  Regards
 
  Andreas
 
   On 22.10.2010 10:48, Claude Tompers wrote:
  Hi Andreas,
 
  Setting the leftsubnet did not work.
  You can find the pluto log attached.
 
  thank you
  Claude
 
 
  On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
  Hello Claude,
 
  could you provide some pluto logs with
 
plutodebug=all
 
  set in ipsec.conf?
 
  Regards
 
  Andreas
 
  BTW On second thought leftsubnet on the strongSwan gateway
  should be set to the subnet communicated to the Cisco
  client via the unity_split_include attribute since
  the client will probably use them during Quick Mode.
  I don't know if multiple subnets will cause several
  Quick Modes to be set up, though.
 
  Regards
 
  Andreas
 
  On 22.10.2010 09:55, Claude Tompers wrote:
  Hello Andreas,
 
  Thank you for your quick reply. Sadly, it does not work, but I think 
  we're on the right path.
  The Cisco client tells me "Negotiating security policies" before it 
  stops silently.
  On the other side, I don't see much in the pluto logs.
  Any ideas ?
 
  kind regards,
  Claude
 
 
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 


Re: [strongSwan] Split tunneling

2010-10-22 Thread Claude Tompers
So strongswan should send the exact same message, except for the actual string ?


On Friday 22 October 2010 15:37:46 Andreas Steffen wrote:
 But if you replace the standard banner by one defined via attr-sql,
 it fails? Strange!
 
 On 22.10.2010 15:04, Claude Tompers wrote:
  It still does, if I do not set the attribute, I see the standard banner.
  
  regards,
  Claude
  
  
  On Friday 22 October 2010 14:52:36 Andreas Steffen wrote:
  I remember that the default banner "Welcome to Linux strongSwan"
  always worked with the Cisco client, though.
 
  Regards
 
  Andreas
 

Re: [strongSwan] Split tunneling

2010-10-22 Thread Claude Tompers
Is that something you are going to look into ? Maybe a bug ?

Claude


On Friday 22 October 2010 16:08:29 Andreas Steffen wrote:
 Yep, I have the suspicion that there might be an issue with either
 the attribute or total packet length.
 
 Andreas
 
 On 22.10.2010 15:47, Claude Tompers wrote:
  So strongswan should send the exact same message, except for the actual 
  string ?
  
  
  On Friday 22 October 2010 15:37:46 Andreas Steffen wrote:
  But if you replace the standard banner by one defined via attr-sql,
  it fails? Strange!
 

[strongSwan] Split tunneling

2010-10-21 Thread Claude Tompers
Hello,

Is it possible to do split tunneling with CISCO VPN client and pluto so that a 
road-warrior is still able to access i.e. printers in his local network ?

kind regards
Claude


[strongSwan] Maximum connection duration

2010-10-20 Thread Claude Tompers
Hi,

We are using strongswan in a road warrior configuration and some of our 
warriors tend to keep their VPN connections going after usage.
Is there a way to put a maximum connection duration so that they disconnect 
anyway after a given time ?

kind regards,
Claude



Re: [strongSwan] Maximum connection duration

2010-10-20 Thread Claude Tompers
Hello Andreas,

This seems to work. Thanks a lot.

kind regards,
Claude


On Wednesday 20 October 2010 15:52:22 Andreas Steffen wrote:
 Hello Claude,
 
 if you do not set both rekey=no and reauth=no then a strongSwan
 client will keep on rekeying and reauthenticating, respectively.
 
 There is an option to shut down the CHILD_SA after a certain
 interval of inactivity using the following ipsec.conf directive:
 
  conn xyz
 inactivity = time
 
 
 defines the timeout interval, after which a CHILD_SA is closed if it did
 not send or receive any traffic.
 
 With the additional strongswan.conf option
 
   charon {
  inactivity_close_ike = yes
   }
 
   The IKE_SA corresponding to the CHILD_SA will be closed, too.
 
 Best regards
 
 Andreas
 
 On 20.10.2010 15:19, Claude Tompers wrote:
  Hi,
  
  We are using strongswan in a road warrior configuration and some of
  our warriors tend to keep their VPN connections going after usage. Is
  there a way to put a maximum connection duration so that they
  disconnect anyway after a given time ?
  
  kind regards, Claude
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 


Re: [strongSwan] Explicit module loading on charon

2010-08-10 Thread Claude Tompers
Hi Martin,

Yes, I'm using IKEv1 too, sorry, I forgot to mention that.
Disabling socket-default in configure did the job.

thanks a lot for your help.

regards,
Claude


On Monday 09 August 2010 17:15:53 Martin Willi wrote:
 Hi Claude,
 
  [...] socket-default socket-raw
  It simply seems to ignore connection attempts.
 
 Having two socket implementations is problematic and the daemon might
 ignore the packet completely.
 
  --enable-nat-transport \
  --enable-cisco-quirks \
 
 Are you using IKEv1, too? These are pluto specific options.
 
  --enable-socket-raw
 
 What's the reason for enabling the raw socket? Using the default is just
 fine (socket-default if pluto disabled, socket-raw otherwise).
 
 If you enforce socket-raw for some reasons, you should disable
 socket-default.
 
 Regards
 Martin
 
 


Re: [strongSwan] route-client error

2010-07-14 Thread Claude Tompers
Hi,

I'm sorry to bother you again on this topic, but I really would like to get it 
to work as a non-privileged user.
Charon, on the other hand, works like a charm; sadly pluto doesn't.

This is my setup now:
strongswan runs as user vpn
In ipsec.conf, I added:  leftupdown="sudo ipsec _updown"
In /etc/sudoers, I added: vpn ALL = NOPASSWD: /usr/local/sbin/ipsec

Still I get the error below on the interface version.

Can you please help me on this ? Any idea is appreciated.

thank you very much

kind regards,
Claude



On Friday 09 July 2010 11:32:19 Claude Tompers wrote:
 Hi,
 
 I still get that unknown interface version error if I'm trying to start 
 pluto as non-privileged user, followed by the deletion of the SA.
 Is there some fix to my issue or do I have to run strongswan as root as long 
 as I use pluto ?
 
 thanks a lot for your help
 
 kind regards,
 Claude
 
 
 On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
  Hi,
  
  I had already compiled it with --with-capabilities=libcap.
  I've tried sudo'ing and it has changed something, but I think some bits are 
  still missing.
  
  Here's the new log error :
  
  Jul  2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 
  #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface 
  version `'
  Jul  2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 
  #6: up-client command exited with status 2
  Jul  2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 
  #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included 
  errno 3: No such process
  Jul  2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 
  #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found 
  (maybe expired)
  Jul  2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 
  #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found 
  (maybe expired)
  
  kind regards
  Claude
  
  
  On Friday 02 July 2010 12:13:21 Martin Willi wrote:
   Hi,
   
I've compiled strongswan with user vpn and group vpn.
   
   If you use non-root users, you'll need support for capability handling
   too. Add --with-capabilities=libcap to ./configure.
   
route-client output: Not sufficient rights to flush
   
   It is not possible to propagate the capabilities to the updown script.
   Pluto uses the updown script not only for firewalling, but also for
   route installation. 
   You'll have to run the updown script with root privileges. Never tried
   it, but file system based capability settings might work. Another
   alternative is to define
 leftupdown="sudo ipsec _updown"
   and configure sudo accordingly.
   
   Regards
   Martin
   
   
  
  
 
 

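One thing worth checking in a setup like the one above: pluto hands the updown script all of its parameters in PLUTO_* environment variables, and strongSwan's _updown starts with a case on $PLUTO_VERSION that exits with status 2 and prints "unknown interface version `'" when that variable is empty. sudo's default env_reset builds a fresh environment and drops every variable that is not on its env_keep list, so the variables need to be kept explicitly. The following is an added example, my own code and neither strongSwan's _updown nor anything from sudo: a small model of env_reset and of the version guard, run once with the sudoers line from the thread and once with an assumed tightened rule that keeps PLUTO_* and grants root only for the `_updown` subcommand of the wrapper rather than for every `ipsec` subcommand. The sample environment is constructed; the variable names are the ones pluto exports, the values are invented.

```python
"""Why a sudo-wrapped updown script can see an empty PLUTO_VERSION, and a sudoers
rule that keeps pluto's variables while granting less.  Added example; simplified
models of sudo's env_reset and of _updown's version guard, not their real code."""
import fnmatch
import re

# Constructed sample of the environment pluto exports to the updown script
# (names as exported by strongSwan, values invented for this illustration).
SAMPLE_PLUTO_ENV = {
    'PLUTO_VERSION': '1.1',
    'PLUTO_VERB': 'up-client',
    'PLUTO_CONNECTION': 'cisco-vpn',
    'PLUTO_PEER': '192.168.3.18',
    'PLUTO_PEER_CLIENT': '10.3.0.1/32',
    'PATH': '/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin',
}

# The rule from the thread: any subcommand of the ipsec wrapper, as root, no password.
SUDOERS_THREAD = 'vpn ALL = NOPASSWD: /usr/local/sbin/ipsec\n'

# Assumed tightened rule: keep pluto's variables, allow only the updown subcommand
# (matches leftupdown="sudo ipsec _updown"; extra arguments would not match).
SUDOERS_TIGHTENED = (
    'Defaults:vpn env_keep += "PLUTO_*"\n'
    'vpn ALL = (root) NOPASSWD: /usr/local/sbin/ipsec _updown\n'
)


def parse_env_keep(sudoers_text):
    """Collect env_keep patterns from Defaults lines (simplified sudoers parsing)."""
    patterns = []
    for m in re.finditer(r'\benv_keep\s*\+?=\s*"([^"]*)"', sudoers_text):
        patterns.extend(m.group(1).split())
    return patterns


def sudo_env_reset(env, env_keep=()):
    """Model of env_reset: start empty, copy back only variables matched by env_keep.
    A trailing '*' behaves like sudoers' "PLUTO_*".  Simplified: real sudo also keeps
    a built-in list (TERM, HOME, ...) and applies env_check; PATH stands in for that."""
    kept = {}
    for name, value in env.items():
        if name == 'PATH' or any(fnmatch.fnmatchcase(name, p) for p in env_keep):
            kept[name] = value
    return kept


def updown_version_guard(env):
    """First check in _updown: refuse to run without a known interface version.
    Returns (exit status, stderr text).  Exit 2 with an empty version string is what
    the log in the thread shows.  Simplified: the real script also rejects old versions."""
    version = env.get('PLUTO_VERSION', '')
    if version.startswith('1.') and version[2:].isdigit():
        return 0, ''
    return 2, "_updown: unknown interface version `%s'" % version


def run_updown_via_sudo(sudoers_text, env=SAMPLE_PLUTO_ENV):
    """What _updown sees after 'sudo ipsec _updown' under the given sudoers text."""
    return updown_version_guard(sudo_env_reset(env, parse_env_keep(sudoers_text)))


if __name__ == '__main__':
    for label, rule in (('thread rule', SUDOERS_THREAD),
                        ('tightened rule', SUDOERS_TIGHTENED)):
        status, err = run_updown_via_sudo(rule)
        print('%-15s exit %d %s' % (label, status, err))
```

With the thread's rule the guard exits 2 and prints the empty-version message; with the tightened rule the PLUTO_* variables survive and the guard passes. On a real host, `sudo -l -U vpn` shows which rule applies, and `secure_path`, where a distribution sets it, must include /usr/local/sbin for `sudo ipsec` to resolve at all.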

Re: [strongSwan] Windows 7 Bug ?

2010-07-12 Thread Claude Tompers
Hello Martin,

Thanks for your quick answer.
If I set uniqueids=yes, can this be handled correctly in the previously 
described scenario?
If I log in with both computers, both are able to communicate. This is the case 
both in a NAT'ed and not NAT'ed environment.

kind regards,
Claude


On Monday 12 July 2010 14:38:43 Martin Willi wrote:
 Hi,
 
  But where strongswan fills in the EAP username 'ctompers' as ID, which
  is perfectly logical to me, Windows 7 puts its local IP '10.0.0.101'.
 
 It is not a bug, but yes, Windows 7 uses the local IP address as IDi,
 whereas strongSwan copies the EAP username to the IKE identity.
 
 I've heard that SP1 for Windows 7 provides additional options for the
 IDi, but I don't know any details.
 
  Is there maybe a config tweak to see the EAP username for Windows 7
  clients as well ?
 
 Not at this stage. The configuration selection uses the IKE identities.
 The EAP-Identity is not known yet, but we need a configuration that says
 we should use EAP to authenticate the client.
 
 The EAP-Identity is shown in ipsec statusall.
 
 Regards
 Martin
 
 


[strongSwan] Windows 7 Bug ?

2010-07-12 Thread Claude Tompers
Hello,

When using the Windows IKEv2 Client with the strongswan VPN Server, I can 
observe the following logs :

Jul 12 13:52:54 vpn6-pub charon: 17[CFG] looking for peer configs matching 
192.168.1.13[%any]...192.168.152.118[10.0.0.101]

With the same configuration, using a strongswan client, I get the following 
logs :

Jul 12 13:55:06 vpn6-pub charon: 31[CFG] looking for peer configs matching 
192.168.1.13[vpn6-pub.restena.lu]...192.168.152.118[ctompers]

Both clients are connected behind the same NAT'ed ADSL connection. They 
authenticate themselves using EAP-MSCHAPv2.
I'm able to see their public IP address 192.168.152.118, so far so good. But 
where strongswan fills in the EAP username 'ctompers' as ID, which is perfectly 
logical to me, Windows 7 puts its local IP '10.0.0.101'.

Is this a known bug for Windows 7 or is it supposed to do that ? Is there maybe 
a config tweak to see the EAP username for Windows 7 clients as well ?


Here is my ipsec.conf

conn %default
    ike=aes256-sha1-modp2048-modp1536-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=60s
    dpdtimeout=300s
    rekeymargin=3m
    keyingtries=1
    keylife=20m
    inactivity=300s
    leftsubnet=0.0.0.0/0
    leftcert=vpn6-pub.restena.lu-cert.pem
    left...@vpn6-pub.restena.lu
    right=%any
    auto=add

conn ikev2
    keyexchange=ikev2
    rekey=no
    left=%any
    leftauth=pubkey
    eap_identity=%identity
    rightauth=eap-radius
    rightsourceip=192.168.120.192/26



thanks a lot for your answers

kind regards
Claude



Re: [strongSwan] route-client error

2010-07-09 Thread Claude Tompers
Hi,

I still get that unknown interface version error if I'm trying to start pluto 
as non-privileged user, followed by the deletion of the SA.
Is there some fix to my issue or do I have to run strongswan as root as long as 
I use pluto ?

thanks a lot for your help

kind regards,
Claude


On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
 Hi,
 
 I had already compiled it with --with-capabilities=libcap.
 I've tried sudo'ing and it has changed something, but I think some bits are still 
 missing.
 
 Here's the new log error :
 
 Jul  2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: 
 up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version 
 `'
 Jul  2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: 
 up-client command exited with status 2
 Jul  2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: 
 ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 
 3: No such process
 Jul  2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: 
 ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe 
 expired)
 Jul  2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: 
 ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe 
 expired)
 
 kind regards
 Claude
 
 
 On Friday 02 July 2010 12:13:21 Martin Willi wrote:
  Hi,
  
   I've compiled strongswan with user vpn and group vpn.
  
  If you use non-root users, you'll need support for capability handling
  too. Add --with-capabilities=libcap to ./configure.
  
   route-client output: Not sufficient rights to flush
  
  It is not possible to propagate the capabilities to the updown script.
  Pluto uses the updown script not only for firewalling, but also for
  route installation. 
  You'll have to run the updown script with root privileges. Never tried
  it, but file system based capability settings might work. Another
  alternative is to define
 leftupdown="sudo ipsec _updown"
  and configure sudo accordingly.
  
  Regards
  Martin
  
  
 
 


Re: [strongSwan] Wildcard certificates

2010-07-09 Thread Claude Tompers
Oops, sometimes I forget the most evident things.
I forgot to put the keyfile into the ipsec.secrets.
My bad, so sorry.

kind regards,
Claude


On Wednesday 07 July 2010 13:06:11 Claude Tompers wrote:
 Hello Stefan,
 
 Ok, in that case the IKEv2 ID is not that important, but why can't it find 
 the key for the default DN 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, 
 CN=*.restena.lu' ?
 
 kind regards
 Claude
 
 
 On Wednesday 07 July 2010 12:43:03 Andreas Steffen wrote:
  Hello Claude,
  
  as far as I know strongSwan does not treat '*' in the subject
  Distinguished Name as a wildcard in comparisons with an IKEv2 ID.
  
  strongSwan rather treats a '*' in an IKEv2 ID as a wildcard in
  comparisons with IDs contained in a certificate.
  
  Regards
  
  Andreas
  
  On 07.07.2010 10:39, Claude Tompers wrote:
   Hello,
   
   I'm trying to make strongswan work with our wildcard certificate, but I'm 
   getting a strange error.
   
   Here's my log :
   
   Jul  7 10:34:08 vpn6-test charon: 12[CFG]   id 'vpn6-pub.restena.lu' not 
   confirmed by certificate, defaulting to 'C=LU, ST=n/a, L=Luxembourg, 
   O=Fondation RESTENA, CN=*.restena.lu'
   
   So far I think this is not a problem, but then :
   
   Jul  7 10:34:18 vpn6-test charon: 10[IKE] no private key found for 'C=LU, 
   ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=*.restena.lu'
   
   The wildcard certificate works perfectly on other servers.
   I installed the certificate exactly the same way as my self-signed 
   one before. That one worked perfectly.
   
   Is it possible that the / or the * characters cause some issues?
   
   thanks a lot in advance
   
   kind regards
   Claude
  
  ==
  Andreas Steffen andreas.stef...@strongswan.org
  strongSwan - the Linux VPN Solution!www.strongswan.org
  Institute for Internet Technologies and Applications
  University of Applied Sciences Rapperswil
  CH-8640 Rapperswil (Switzerland)
  ===[ITA-HSR]==
  
  
 
 

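The asymmetry Andreas describes is easy to get backwards, so here it is as an added example: a simplified model written for this page, not strongSwan's identification code. A '*' in a configured IKE identity (leftid/rightid) acts as a wildcard when matched against the identities a certificate carries, while a '*' inside a certificate's own subject name is a literal, which is why the log says the requested ID is "not confirmed by certificate" and the daemon falls back to the subject DN. The matcher also scores configured IDs by how many wildcards they used, the way a daemon picks the most specific of several connection definitions. The certificate identities and configured IDs below are constructed from the DN shown in the thread; the separate "no private key found" line was, as the thread concludes, a missing ipsec.secrets entry and is not modelled here.

```python
"""One-sided wildcard matching of IKE identities against certificate identities.
Added example; a simplified model, not strongSwan's identification code."""


def is_dn(identity):
    """Distinguished names look like 'C=LU, O=..., CN=...'; anything else is treated
    as a string identity (FQDN or e-mail address)."""
    return '=' in identity


def parse_dn(dn):
    """'C=LU, O=X, CN=y' -> [('C', 'LU'), ('O', 'X'), ('CN', 'y')].
    Simplified: no escaping of commas or '=' inside attribute values."""
    rdns = []
    for part in dn.split(','):
        attr, sep, value = part.strip().partition('=')
        if not sep:
            raise ValueError('not an RDN: %r' % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def cert_confirms_id(cert_ids, requested_id):
    """Certificate side: the requested identity must appear verbatim among the
    certificate's identities (subject DN, subjectAltNames).  A subject with
    'CN=*.restena.lu' therefore does not confirm 'vpn6-pub.restena.lu'."""
    if is_dn(requested_id):
        want = parse_dn(requested_id)
        return any(is_dn(c) and parse_dn(c) == want for c in cert_ids)
    return requested_id in cert_ids


def effective_id(cert_ids, requested_id):
    """Mirror of the log line 'id ... not confirmed by certificate, defaulting to
    <subject DN>'; cert_ids[0] is assumed to be the subject DN."""
    return requested_id if cert_confirms_id(cert_ids, requested_id) else cert_ids[0]


def config_id_matches(config_id, peer_id):
    """Configured-ID side.  Returns the number of wildcards used (0 = exact match)
    or None when the identity does not match; fewer wildcards = more specific."""
    if is_dn(config_id) != is_dn(peer_id):
        return None
    if is_dn(config_id):
        cfg, peer = parse_dn(config_id), parse_dn(peer_id)
        if len(cfg) != len(peer):
            return None
        wildcards = 0
        for (cattr, cval), (pattr, pval) in zip(cfg, peer):
            if cattr != pattr:
                return None
            if cval == '*':
                wildcards += 1
            elif cval != pval:
                return None
        return wildcards
    if config_id.startswith('*'):        # '*.restena.lu', '*@restena.lu', bare '*'
        return 1 if peer_id.endswith(config_id[1:]) else None
    return 0 if config_id == peer_id else None


def best_match(config_ids, peer_id):
    """Most specific matching configured identity, as a daemon choosing between
    several connection definitions would pick it; None if nothing matches."""
    scored = []
    for config_id in config_ids:
        wildcards = config_id_matches(config_id, peer_id)
        if wildcards is not None:
            scored.append((wildcards, config_id))
    return min(scored)[1] if scored else None


if __name__ == '__main__':
    # Constructed from the DN in the thread: a wildcard certificate without SANs.
    cert_ids = ['C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=*.restena.lu']
    print('effective gateway ID:', effective_id(cert_ids, 'vpn6-pub.restena.lu'))
    print('rightid=*.restena.lu vs client:',
          config_id_matches('*.restena.lu', 'vpn6-pub.restena.lu'))
```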

Re: [strongSwan] No capable fetcher found

2010-06-24 Thread Claude Tompers
Thanks for your fast answer.

I did recompile, the error message is now slightly different, but the outcome 
is the same. :(

Jun 24 12:47:48 vpn6-test pluto[1705]:   fetching crl from 
'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Jun 24 12:47:48 vpn6-test pluto[1705]:   crl from May 21 08:12:40 2010 is not 
newer - existing crl from May 21 08:12:40 2010 retained
Jun 24 12:47:48 vpn6-test pluto[1705]:   fetching crl from 'VPNCA-crl.pem' ...
Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from VPNCA-crl.pem, no 
capable fetcher found
Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
Jun 24 12:47:48 vpn6-test pluto[1705]: cisco-vpn[1] 192.168.1.180:64053 #1: 
X.509 certificate rejected

regards,
Claude

On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
 Hmmm, it seems that the curl plugin is required to
 refetch CRLs from the local file system. Compile
 strongSwan with
 
./configure --enable-curl
 
 Regards
 
 Andreas
 
 On 24.06.2010 11:51, Claude Tompers wrote:
  Hello,
 
  My strongswan server is unable to refetch crls.
  When the server starts, it reads the crl correctly, but if a client tries 
  to connect, the refetch fails and so the connection fails.
 
  Here's the log :
 
  Jun 24 11:46:46 vpn6-test pluto[13321]:   fetching crl from 
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from 
  file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]:   fetching crl from 'VPNCA-crl.pem' 
  ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from VPNCA-crl.pem, 
  no capable fetcher found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]: cisco-vpn[1] 192.168.1.180:59262 
  #1: X.509 certificate rejected
 
  The permissions on the crl are :
  -rw--- 1 root root 1064 May 21 08:13 
  /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
 
  Any ideas ?
 
  thanks very much
  Claude
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] No capable fetcher found

2010-06-24 Thread Claude Tompers
I'm not using an explicit load statement for pluto, but maybe I have to ?

Claude


On Thursday 24 June 2010 12:54:14 Andreas Steffen wrote:
 Hi Claude,
 
 if you are using an explicit pluto.load statement in strongswan.conf
 then you must add curl to the plugin list.
 
 Andreas
 
 On 24.06.2010 12:52, Claude Tompers wrote:
  Thanks for your fast answer.
 
  I did recompile, the error message is now slightly different, but the 
  outcome is the same. :(
 
  Jun 24 12:47:48 vpn6-test pluto[1705]:   fetching crl from 
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 12:47:48 vpn6-test pluto[1705]:   crl from May 21 08:12:40 2010 is 
  not newer - existing crl from May 21 08:12:40 2010 retained
  Jun 24 12:47:48 vpn6-test pluto[1705]:   fetching crl from 'VPNCA-crl.pem' 
  ...
  Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from VPNCA-crl.pem, 
  no capable fetcher found
  Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
  Jun 24 12:47:48 vpn6-test pluto[1705]: cisco-vpn[1] 192.168.1.180:64053 
  #1: X.509 certificate rejected
 
  regards,
  Claude
 
  On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
  Hmmm, it seems that the curl plugin is required to
  refetch CRLs from the local file system. Compile
  strongSwan with
 
  ./configure --enable-curl
 
  Regards
 
  Andreas
 
  On 24.06.2010 11:51, Claude Tompers wrote:
  Hello,
 
  My strongswan server is unable to refetch crls.
  When the server starts, it reads the crl correctly, but if a client tries 
  to connect, the refetch fails and so the connection fails.
 
  Here's the log :
 
  Jun 24 11:46:46 vpn6-test pluto[13321]:   fetching crl from 
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from 
  file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]:   fetching crl from 
  'VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from 
  VPNCA-crl.pem, no capable fetcher found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]: cisco-vpn[1] 
  192.168.1.180:59262 #1: X.509 certificate rejected
 
  The permissions on the crl are :
  -rw--- 1 root root 1064 May 21 08:13 
  /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
 
  Any ideas ?
 
  thanks very much
  Claude
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] No capable fetcher found

2010-06-24 Thread Claude Tompers
Yes, make clean has been executed before recompiling,

Explicitly loading the curl module did not help either :

Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 
md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
...
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 
'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not 
newer - existing crl from May 21 08:12:40 2010 retained
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no 
capable fetcher found
Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
Jun 24 13:05:46 vpn6-test pluto[28289]: cisco-vpn[1] 192.168.1.180:59907 #1: 
X.509 certificate rejected

regards,
Claude


On Thursday 24 June 2010 12:58:17 Andreas Steffen wrote:
 Here a follow up comment:
 
 If you are *not* using an explicit pluto.load statement then
 do not forget to execute
 
make clean
 
 before recompiling strongSwan with --enable-curl, since otherwise
 the default pluto plugin load list will not be updated.
 
 Andreas
 
 On 24.06.2010 12:54, Andreas Steffen wrote:
  Hi Claude,
 
  if you are using an explicit pluto.load statement in strongswan.conf
  then you must add curl to the plugin list.
 
  Andreas
 
  On 24.06.2010 12:52, Claude Tompers wrote:
  Thanks for your fast answer.
 
  I did recompile, the error message is now slightly different, but the
  outcome is the same. :(
 
  Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 12:47:48 vpn6-test pluto[1705]: crl from May 21 08:12:40 2010
  is not newer - existing crl from May 21 08:12:40 2010 retained
  Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
  'VPNCA-crl.pem' ...
  Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from
  VPNCA-crl.pem, no capable fetcher found
  Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
  Jun 24 12:47:48 vpn6-test pluto[1705]: cisco-vpn[1]
  192.168.1.180:64053 #1: X.509 certificate rejected
 
  regards,
  Claude
 
  On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
  Hmmm, it seems that the curl plugin is required to
  refetch CRLs from the local file system. Compile
  strongSwan with
 
  ./configure --enable-curl
 
  Regards
 
  Andreas
 
  On 24.06.2010 11:51, Claude Tompers wrote:
  Hello,
 
  My strongswan server is unable to refetch crls.
  When the server starts, it reads the crl correctly, but if a client
  tries to connect, the refetch fails and so the connection fails.
 
  Here's the log :
 
  Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
  file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher
  found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
  'VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
  VPNCA-crl.pem, no capable fetcher found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]: cisco-vpn[1]
  192.168.1.180:59262 #1: X.509 certificate rejected
 
  The permissions on the crl are :
  -rw--- 1 root root 1064 May 21 08:13
  /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
 
  Any ideas ?
 
  thanks very much
  Claude
 
  ==
  Andreas Steffen andreas.stef...@strongswan.org
  strongSwan - the Linux VPN Solution! www.strongswan.org
  Institute for Internet Technologies and Applications
  University of Applied Sciences Rapperswil
  CH-8640 Rapperswil (Switzerland)
  ===[ITA-HSR]==
 
 
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] No capable fetcher found

2010-06-24 Thread Claude Tompers
Shame on me !
I completely forgot that I set the validity period of the crl to 30 days.
As I'm only using tinyca for the moment, the crls are not regenerated 
automatically.
My fault, sorry, it works now again.

thanks very much for your help

kind regards,
Claude

On Thursday 24 June 2010 13:19:30 Andreas Steffen wrote:
 On closer inspection I see that the crl has been successfully
 fetched but that the information is stale:
 
 : fetching crl from
'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
 : crl from May 21 08:12:40 2010 is not newer - existing crl from
May 21 08:12:40 2010 retained
 
 pluto then probably tries to evaluate a CRL distribution point (CDP)
 extracted from the certificate
 
 : fetching crl from 'VPNCA-crl.pem' ...
 : unable to fetch from VPNCA-crl.pem, no capable fetcher found
 
 Since 'VPNCA-crl.pem' is not a valid absolute URI the error
 
 : unable to fetch from VPNCA-crl.pem, no capable fetcher found
 
 is returned. Currently strongSwan supports only CDPs of
 the form http://server/path/<crl file>
 
 but no relative CDPs of the form <crl file> where the location
 is defined in a separate AuthorityInfoAccess certificate extension.
 If you would like to have this feature supported in a future
 strongSwan release, please send me your certificate so that
 I can analyze it.
 
 Regards
 
 Andreas
 
 On 24.06.2010 13:07, Claude Tompers wrote:
  Yes, make clean has been executed before recompiling,
 
  Explicitly loading the curl module did not help either :
 
  Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 
  sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
  ...
  Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is 
  not newer - existing crl from May 21 08:12:40 2010 retained
  Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' 
  ...
  Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, 
  no capable fetcher found
  Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
  Jun 24 13:05:46 vpn6-test pluto[28289]: cisco-vpn[1] 192.168.1.180:59907 
  #1: X.509 certificate rejected
 
  regards,
  Claude
 
 
  On Thursday 24 June 2010 12:58:17 Andreas Steffen wrote:
  Here a follow up comment:
 
  If you are *not* using an explicit pluto.load statement then
  do not forget to execute
 
  make clean
 
  before recompiling strongSwan with --enable-curl, since otherwise
  the default pluto plugin load list will not be updated.
 
  Andreas
 
  On 24.06.2010 12:54, Andreas Steffen wrote:
  Hi Claude,
 
  if you are using an explicit pluto.load statement in strongswan.conf
  then you must add curl to the plugin list.
 
  Andreas
 
  On 24.06.2010 12:52, Claude Tompers wrote:
  Thanks for your fast answer.
 
  I did recompile, the error message is now slightly different, but the
  outcome is the same. :(
 
  Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 12:47:48 vpn6-test pluto[1705]: crl from May 21 08:12:40 2010
  is not newer - existing crl from May 21 08:12:40 2010 retained
  Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
  'VPNCA-crl.pem' ...
  Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from
  VPNCA-crl.pem, no capable fetcher found
  Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
  Jun 24 12:47:48 vpn6-test pluto[1705]: cisco-vpn[1]
  192.168.1.180:64053 #1: X.509 certificate rejected
 
  regards,
  Claude
 
  On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
  Hmmm, it seems that the curl plugin is required to
  refetch CRLs from the local file system. Compile
  strongSwan with
 
  ./configure --enable-curl
 
  Regards
 
  Andreas
 
  On 24.06.2010 11:51, Claude Tompers wrote:
  Hello,
 
  My strongswan server is unable to refetch crls.
  When the server starts, it reads the crl correctly, but if a client
  tries to connect, the refetch fails and so the connection fails.
 
  Here's the log :
 
  Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
  'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
  file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher
  found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
  'VPNCA-crl.pem' ...
  Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
  VPNCA-crl.pem, no capable fetcher found
  Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
  Jun 24 11:46:46 vpn6-test pluto[13321]: cisco-vpn[1]
  192.168.1.180:59262 #1: X.509 certificate rejected
 
  The permissions on the crl are :
  -rw--- 1 root root 1064 May 21 08:13
  /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
 
  Any ideas ?
 
  thanks very much
  Claude

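The thread above mixes three distinct CRL failure modes that all end in "crl fetching failed": a fetcher plugin that is not loaded, a relative CRL distribution point that no fetcher can handle, and a CRL that was fetched fine but has simply run past its validity period. The following is an added example, not code from the thread or from strongSwan, that triages pluto log lines into those three causes. The sample log is constructed from the lines posted above (re-joined after mail wrapping); the scheme-to-plugin table and the use of the syslog year as a parameter are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: the pluto lines from the thread, re-joined onto single
# lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
Jun 24 13:05:46 vpn6-test pluto[28289]: cisco-vpn[1] 192.168.1.180:59907 #1: X.509 certificate rejected
"""

SYSLOG_TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
PLUGINS_RE = re.compile(r"loaded plugins: (.*)$")
RETAINED_RE = re.compile(r"crl from (\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) is not newer")
NOFETCHER_RE = re.compile(r"unable to fetch from (\S+), no capable fetcher found")

# Assumption: which fetcher plugin serves which URI scheme. The thread shows
# that file:// fetching also goes through the curl plugin.
SCHEME_PLUGIN = {"http": "curl", "https": "curl", "file": "curl", "ldap": "ldap"}


def classify_cdp(uri, loaded_plugins):
    """Say whether a CRL distribution point can be fetched with the loaded plugins."""
    scheme = urlsplit(uri).scheme
    if not scheme:
        return "relative"        # e.g. 'VPNCA-crl.pem': not an absolute URI at all
    plugin = SCHEME_PLUGIN.get(scheme)
    if plugin is None or plugin not in loaded_plugins:
        return "no-fetcher"      # scheme nobody handles, or its plugin is not loaded
    return "fetchable"


def crl_is_stale(issued, validity_days, now):
    """True once the validity period configured in the CA tool has elapsed."""
    return now > issued + timedelta(days=validity_days)


def _syslog_time(text, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{text} {year}", "%b %d %H:%M:%S %Y")


def triage(log, crl_validity_days, year):
    """Return human-readable findings for the CRL failure modes seen in the thread."""
    loaded, findings, issued, last_seen = set(), [], None, None
    for line in log.splitlines():
        m = SYSLOG_TS_RE.match(line)
        if m:
            last_seen = _syslog_time(m.group(1), year)
        m = PLUGINS_RE.search(line)
        if m:
            loaded = set(m.group(1).split())
            continue
        m = RETAINED_RE.search(line)
        if m:
            issued = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            continue
        m = NOFETCHER_RE.search(line)
        if m:
            uri = m.group(1)
            kind = classify_cdp(uri, loaded)
            if kind == "relative":
                findings.append(f"relative CDP {uri!r}: not an absolute URI, so no fetcher "
                                "can handle it; reissue certificates with an absolute "
                                "crlDistributionPoints URI")
            elif kind == "no-fetcher":
                findings.append(f"no fetcher for {uri!r}: build with --enable-curl and "
                                "include curl in the load list")
    if issued and last_seen and crl_is_stale(issued, crl_validity_days, last_seen):
        findings.append(f"CRL issued {issued:%Y-%m-%d %H:%M} is past its "
                        f"{crl_validity_days}-day validity; regenerate and republish it")
    return findings


def sample_findings():
    # 30 days is the CRL validity Claude mentions; 2010 is the year of the thread.
    return triage(SAMPLE_LOG, crl_validity_days=30, year=2010)


if __name__ == "__main__":
    for finding in sample_findings():
        print("-", finding)
```

On the sample log the first file:// fetch is reported as successful ("not newer ... retained"), so only the relative CDP and the expired CRL are flagged, which is exactly the combination that took four messages to untangle above.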
[strongSwan] DNS servers not pushed to client

2010-06-22 Thread Claude Tompers
Hello,

I'm using strongswan 4.4.0 with ikev2 daemon charon.
The dns server entries from strongswan.conf are not pushed to the clients, 
neither Windows 7 nor Ubuntu with strongswan-nm plugin.

strongswan.conf :

charon {
  load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke 
socket-raw kernel-netlink fips-prf eap-radius eap-mschapv2 eap-identity updown
  plugins {
eap-radius {
  secret = veryverysecret
  server = my-freeradius-server
}
  }
  dns1 = 192.168.1.28
  dns2 = 192.168.1.15
}

Any ideas to correct this issue ?

many thanks
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] DNS servers not pushed to client

2010-06-22 Thread Claude Tompers
Hi Andreas,

That did the trick.
Thanks a lot for your quick help.

kind regards,
Claude


On Tuesday 22 June 2010 16:23:36 Andreas Steffen wrote:
 Hi Claude,
 
 reading DNS and WINS information from strongswan.conf requires
 the attr plugin.
 
 Regards
 
 Andreas
 
 On 22.06.2010 16:16, Claude Tompers wrote:
  Hello,
 
  I'm using strongswan 4.4.0 with ikev2 daemon charon.
  The dns server entries from strongswan.conf are not pushed to the clients, 
  neither Windows 7 nor Ubuntu with strongswan-nm plugin.
 
  strongswan.conf :
 
  charon {
 load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke 
  socket-raw kernel-netlink fips-prf eap-radius eap-mschapv2 eap-identity 
  updown
 plugins {
   eap-radius {
 secret = veryverysecret
 server = my-freeradius-server
   }
 }
 dns1 = 192.168.1.28
 dns2 = 192.168.1.15
  }
 
  Any ideas to correct this issue ?
 
  many thanks
  Claude
 
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



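Both the DNS thread and the CRL thread come down to the same class of mistake: a strongswan.conf setting that silently depends on a plugin that the explicit load list leaves out (attr for dns1/dns2, curl for CRL refetching with an explicit pluto.load). The following is an added example, not part of the thread or of strongSwan, that parses the strongswan.conf posted above and reports those two omissions. The sample configuration is constructed from Claude's charon block; the pluto block and the nbns1/nbns2 key names are assumptions added for illustration.

```python
# Constructed strongswan.conf reproducing the thread's problem: dns1/dns2 are
# set but the charon load list lacks 'attr'. The pluto block is not on the page;
# it illustrates the sibling mistake of an explicit load list without 'curl'.
BROKEN_CONF = """\
charon {
  load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke socket-raw kernel-netlink fips-prf eap-radius eap-mschapv2 eap-identity updown
  plugins {
    eap-radius {
      secret = veryverysecret
      server = my-freeradius-server
    }
  }
  dns1 = 192.168.1.28
  dns2 = 192.168.1.15
}
pluto {
  load = aes des sha1 md5 random x509 pubkey pkcs1 pem hmac gmp
}
"""

# Assumption: the WINS keys are nbns1/nbns2 (dns1/dns2 are the ones on the page).
ATTR_KEYS = ("dns1", "dns2", "nbns1", "nbns2")


def parse_conf(text):
    """Minimal strongswan.conf reader: nested 'name {' sections and 'key = value'."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in strongswan.conf")
    return root


def lint(conf):
    """Flag settings whose plugin is missing from an explicit load list."""
    findings = []
    charon = conf.get("charon", {})
    load = charon.get("load", "").split()
    wanted = [k for k in ATTR_KEYS if k in charon]
    if wanted and load and "attr" not in load:
        findings.append(f"charon: {', '.join(wanted)} set but 'attr' is missing from "
                        "load; clients will not receive these servers")
    pluto = conf.get("pluto", {})
    pload = pluto.get("load", "").split()
    if pload and "curl" not in pload:
        findings.append("pluto: explicit load list lacks 'curl'; CRL refetching will "
                        "fail with 'no capable fetcher found'")
    return findings


def add_plugin(load_value, plugin):
    """Append a plugin to a space-separated load list if it is not already there."""
    plugins = load_value.split()
    return load_value if plugin in plugins else " ".join(plugins + [plugin])


def fixed_conf_lint():
    """Apply both fixes from the thread and lint again; expected to be clean."""
    conf = parse_conf(BROKEN_CONF)
    conf["charon"]["load"] = add_plugin(conf["charon"]["load"], "attr")
    conf["pluto"]["load"] = add_plugin(conf["pluto"]["load"], "curl")
    return lint(conf)


if __name__ == "__main__":
    for finding in lint(parse_conf(BROKEN_CONF)):
        print("-", finding)
    print("after fix:", fixed_conf_lint())
```

The lint deliberately stays quiet when no load line is present, since strongSwan then uses its built-in default list (which is why Andreas asks first whether an explicit load statement is in use).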
Re: [strongSwan] strongswan network manager client using eap-radius

2010-06-07 Thread Claude Tompers
Hi,

There is a patch for freeradius 2.1.9 that makes it work.
It now works fine for me with Win7 and Ubuntu NM-plugin.
The patch is planned to be included in version 2.1.10.

kind regards,
Claude


On Thursday 03 June 2010 10:08:48 Martin Willi wrote:
 
  16[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
  
  14[IKE] verification of AUTH payload without EAP MSK failed
 
 Then I'd assume you are using FreeRADIUS :-).
 
 It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
 requires the MSK to calculate the AUTH payload.
 
 In its current form, you can't use FreeRADIUS for your setup, my
 apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
 writing such a patch is not something I can do in a few minutes.
 
 Regards
 Martin
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



[strongSwan] strongswan network manager client using eap-radius

2010-06-03 Thread Claude Tompers
Hi,

I'm trying to connect an Ubuntu client with the strongswan 
networkmanager-plugin to my strongswan VPN server, using the same configuration 
as for a Windows 7 client.
The server is authenticated via certificate, the client is authenticated via 
eap-radius module.
The Windows 7 client works fine, the Ubuntu not so much.


/etc/ipsec.conf :

conn %default
ike=aes256-sha1-modp1536,aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekeymargin=3m
keyingtries=1
leftcert=vpncert.pem
leftsubnet=0.0.0.0/0
leftid=C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, 
CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu
leftfirewall=yes
right=%any
auto=add

conn ikev2
keyexchange=ikev2
left=%any
leftauth=pubkey
eap_identity=%any
rightauth=eap-radius
rightsourceip=192.168.120.192/26


For the Ubuntu client :

Address : vpn6-pub.restena.lu
Certificate: The server's certificate

Authentication : EAP
Username : ctompers

As options, I checked only Request an inner IP address


Error Log :

Jun  3 08:21:38 vpn6-test charon: 04[CFG] switching to peer config 'ikev2'
Jun  3 08:21:38 vpn6-test charon: 04[IKE] initiating EAP-Identity request
Jun  3 08:21:38 vpn6-test charon: 04[IKE] peer supports MOBIKE
Jun  3 08:21:38 vpn6-test charon: 04[IKE] authentication of 'C=LU, 
ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, 
CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu' (myself) with RSA 
signature successful
Jun  3 08:21:38 vpn6-test charon: 04[ENC] generating IKE_AUTH response 1 [ IDr 
AUTH EAP/REQ/ID ]
Jun  3 08:21:38 vpn6-test charon: 04[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 08:21:38 vpn6-test charon: 13[NET] received packet: from 
192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 08:21:38 vpn6-test charon: 13[ENC] parsed IKE_AUTH request 2 [ 
EAP/RES/ID ]
Jun  3 08:21:38 vpn6-test charon: 13[IKE] received EAP identity 'ctompers'
Jun  3 08:21:38 vpn6-test charon: 13[IKE] initiating EAP_RADIUS method
Jun  3 08:21:38 vpn6-test charon: 13[ENC] generating IKE_AUTH response 2 [ 
EAP/REQ/(25) ]
Jun  3 08:21:38 vpn6-test charon: 13[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 08:21:38 vpn6-test charon: 10[NET] received packet: from 
192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 08:21:38 vpn6-test charon: 10[ENC] parsed IKE_AUTH request 3 [ 
EAP/RES/NAK ]
Jun  3 08:21:38 vpn6-test charon: 10[IKE] received EAP_NAK, sending EAP_FAILURE
Jun  3 08:21:38 vpn6-test charon: 10[ENC] generating IKE_AUTH response 3 [ 
EAP/FAIL ]
Jun  3 08:21:38 vpn6-test charon: 10[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]


Thanks a lot for all suggestions.

kind regards
Claude

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] strongswan network manager client using eap-radius

2010-06-03 Thread Claude Tompers
Hi Martin,

On Thursday 03 June 2010 09:26:56 you wrote:
 Hi Claude,
 
  Jun  3 08:21:38 vpn6-test charon: 10[IKE] received EAP_NAK, sending 
  EAP_FAILURE
 
 Seems that the client does not like the EAP method offered. I assume
 you're using MSCHAPv2, so double check that the client has the
 eap-mschapv2 and the eap-identity modules installed and loaded.

I changed the configuration in freeradius as well as in Windows 7 (easier to 
configure anyway ;) ).
Now I get the same error for both Windows 7 and Ubuntu :

Jun  3 09:47:02 vpn6-test charon: 02[ENC] parsed IKE_AUTH request 2 [ 
EAP/RES/ID ]
Jun  3 09:47:02 vpn6-test charon: 02[IKE] received EAP identity 'ctompers'
Jun  3 09:47:02 vpn6-test charon: 02[IKE] initiating EAP_RADIUS method
Jun  3 09:47:02 vpn6-test charon: 02[ENC] generating IKE_AUTH response 2 [ 
EAP/REQ/MSCHAPV2 ]
Jun  3 09:47:02 vpn6-test charon: 02[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 09:47:03 vpn6-test charon: 12[NET] received packet: from 
192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 09:47:03 vpn6-test charon: 12[ENC] parsed IKE_AUTH request 3 [ 
EAP/RES/MSCHAPV2 ]
Jun  3 09:47:03 vpn6-test charon: 12[ENC] generating IKE_AUTH response 3 [ 
EAP/REQ/MSCHAPV2 ]
Jun  3 09:47:03 vpn6-test charon: 12[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 09:47:03 vpn6-test charon: 16[NET] received packet: from 
192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 09:47:03 vpn6-test charon: 16[ENC] parsed IKE_AUTH request 4 [ 
EAP/RES/MSCHAPV2 ]
Jun  3 09:47:03 vpn6-test charon: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, no 
MSK established
Jun  3 09:47:03 vpn6-test charon: 16[ENC] generating IKE_AUTH response 4 [ 
EAP/SUCC ]
Jun  3 09:47:03 vpn6-test charon: 16[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]
Jun  3 09:47:03 vpn6-test charon: 14[NET] received packet: from 
192.168.3.19[4500] to 192.168.1.13[4500]
Jun  3 09:47:03 vpn6-test charon: 14[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jun  3 09:47:03 vpn6-test charon: 14[IKE] verification of AUTH payload without 
EAP MSK failed
Jun  3 09:47:03 vpn6-test charon: 14[ENC] generating IKE_AUTH response 5 [ 
N(AUTH_FAILED) ]
Jun  3 09:47:03 vpn6-test charon: 14[NET] sending packet: from 
192.168.1.13[4500] to 192.168.3.19[4500]

The strongswan server configuration is still the same.

thanks very much

kind regards
Claude

 
 For more information about the client error, have a look
 at /var/log/daemon.log.
 
 Regards
 Martin
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: [strongSwan] strongswan network manager client using eap-radius

2010-06-03 Thread Claude Tompers
You assumed right. :)

Ok I'll try to get it running with a proper ipsec.conf configuration without 
the network-manager plugin.

thanks very much for your help

kind regards
Claude


On Thursday 03 June 2010 10:08:48 Martin Willi wrote:
 
  16[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
  
  14[IKE] verification of AUTH payload without EAP MSK failed
 
 Then I'd assume you are using FreeRADIUS :-).
 
 It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
 requires the MSK to calculate the AUTH payload.
 
 In its current form, you can't use FreeRADIUS for your setup, my
 apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
 writing such a patch is not something I can do in a few minutes.
 
 Regards
 Martin
 
 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



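Martin's explanation is that the IKEv2 AUTH payload after EAP is keyed with the EAP MSK, so a RADIUS backend that completes MS-CHAPv2 without returning the MPPE keys leaves the gateway unable to verify what the client sends. The following is an added example, not from the thread or from strongSwan, that computes AUTH on both sides with the shared-secret formula from RFC 5996 section 2.15 and shows the verification failing when the gateway has no MSK. The signed octets, SK_pi and the 64-byte MSK are constructed stand-ins; that the gateway falls back to SK_pi when no MSK exists is an assumption taken from RFC 4306 section 2.16 and from the "without EAP MSK" wording in the log.

```python
import hmac
import hashlib

KEY_PAD = b"Key Pad for IKEv2"   # RFC 5996 section 2.15


def prf(key, data):
    """IKEv2 PRF; PRF_HMAC_SHA1 matches the 'ike=aes256-sha1-...' proposals in the thread."""
    return hmac.new(key, data, hashlib.sha1).digest()


def auth_payload(shared_secret, signed_octets):
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).

    After a key-generating EAP method the Shared Secret is the EAP MSK."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def verify_auth(received, shared_secret, signed_octets):
    return hmac.compare_digest(received, auth_payload(shared_secret, signed_octets))


def simulate(radius_returns_msk):
    """Constructed exchange: the client always holds the MSK it derived during
    EAP-MSCHAPv2; the gateway only holds it if RADIUS handed over the MPPE keys."""
    # Stand-in for the real signed octets: IKE_SA_INIT message || Nonce || prf(SK_p, ID).
    signed_octets = b"IKE_SA_INIT-request||Nr||prf(SK_pi,IDi')"
    sk_pi = b"\x11" * 20            # constructed SK_pi
    msk = bytes(range(64))           # constructed 64-byte EAP MSK

    client_auth = auth_payload(msk, signed_octets)

    # Assumption: with no MSK the gateway falls back to SK_pi as the shared
    # secret (RFC 4306 section 2.16), which the 'without EAP MSK' log line suggests.
    gateway_secret = msk if radius_returns_msk else sk_pi
    return verify_auth(client_auth, gateway_secret, signed_octets)


if __name__ == "__main__":
    print("RADIUS returns MSK  ->", "AUTH ok" if simulate(True) else "AUTH_FAILED")
    print("RADIUS omits MSK    ->", "AUTH ok" if simulate(False) else "AUTH_FAILED")
```

The second line reproduces the situation in the log: EAP reports success, but the IKE_AUTH exchange ends with N(AUTH_FAILED) because the two sides are keying the PRF with different secrets.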
Re: [strongSwan] Strognswan with Cisco VPN client again

2010-05-25 Thread Claude Tompers
Hello Andreas,

It seems to work now. Thank you very much.

kind regards,
Claude


On Friday 21 May 2010 17:28:35 Andreas Steffen wrote:
 Hello Claude,
 
 the relevant error message is
 : cisco-vpn[2] 192.168.3.53:53276 #1:
 cannot respond to IPsec SA request because no connection is known
 for 0.0.0.0/0===192.168.1.13
 [C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA,
  OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu]
 ...192.168.3.53:53276
 [C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT,
 CN=Group_xyz, e=ad...@restena.lu]===192.168.120.129/32
 
 The client by default wants to tunnel all Internet traffic (no
 split tunneling), therefore the gateway must define
 
 leftsubnet=0.0.0.0/0
 
 Regards
 
 Andreas
 
 On 21.05.2010 10:14, Claude Tompers wrote:
  Hello,
 
  After my recently solved problem with the Cisco VPN client, I hit another 
  one. Everything seems to work fine, but the connection won't establish.
  In logs pasted below the text, you can see that the certificate 
  authentication as well as the xauth user authentication work fine. For some 
  reason however, the SA seems to be deleted, and I can't explain why.
  If anyone has an idea, I'd be grateful.
 
  kind regards
  Claude
 
  /etc/ipsec.conf:
 
  ca vpnca
   cacert=VPNCA-cacert.pem
   crluri=VPNCA-crl.pem
   auto=add
 
  config setup
   plutostart=yes
   #plutodebug=control
   charonstart=no
   charondebug=net 0
   nat_traversal=yes
   crlcheckinterval=10m
   strictcrlpolicy=yes
 
  # Add connections here.
 
  conn %default
   ike=aes256-sha1-modp1536!
   esp=aes256-sha1!
   dpdaction=clear
   dpddelay=300s
   rekeymargin=3m
   keyingtries=1
   left=%defaultroute
   leftcert=vpncert.pem
   leftid=C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, 
  OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu
   right=%any
   rightsourceip=192.168.120.128/25
   auto=add
 
  conn cisco-vpn
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   type=tunnel
   pfs=no
   authby=xauthrsasig
   xauth=server
 
 
  /etc/ipsec.secrets
 
  : RSA vpncert-key.pem
 
  : XAUTH ctompersverysecretpassword
 
 
  /var/log/ipsec:
 
  May 21 09:52:40 vpn6-test pluto[31904]: adding interface lo/lo ::1:500
  May 21 09:52:40 vpn6-test pluto[31904]: loading secrets from 
  /usr/local/etc/ipsec.secrets
  May 21 09:52:40 vpn6-test pluto[31904]:   loaded private key from 
  'vpncert-key.pem'
  May 21 09:52:40 vpn6-test pluto[31904]:   loaded xauth credentials of user 
  'ctompers'
  May 21 09:52:40 vpn6-test pluto[31904]:   loaded CA certificate from 
  '/usr/local/etc/ipsec.d/cacerts/VPNCA-cacert.pem'
  May 21 09:52:40 vpn6-test pluto[31904]: added ca description vpnca
  May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from 
  '/usr/local/etc/ipsec.d/certs/vpncert.pem'
  May 21 09:52:40 vpn6-test pluto[31904]: added connection description 
  cisco-vpn
  May 21 09:52:40 vpn6-test pluto[31904]:   loaded host certificate from 
  '/usr/local/etc/ipsec.d/certs/vpncert.pem'
  May 21 09:52:40 vpn6-test pluto[31904]: added connection description ikev2
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  size (1160) differs from size specified in ISAKMP HDR (1144)
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  Cisco VPN client appends 16 surplus NULL bytes
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  received Vendor ID payload [XAUTH]
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  received Vendor ID payload [Dead Peer Detection]
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  ignoring Vendor ID payload [FRAGMENTATION 8000]
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  ignoring Vendor ID payload [Cisco-Unity]
  May 21 09:52:49 vpn6-test pluto[31904]: cisco-vpn[1] 192.168.3.53:53276 
  #1: responding to Main Mode from unknown peer 192.168.3.53:53276
  May 21 09:52:49 vpn6-test pluto[31904]: cisco-vpn[1] 192.168.3.53:53276 
  #1: peer requested 2147483 seconds which exceeds our limit 86400 seconds
  May 21 09:52:49 vpn6-test pluto[31904]: cisco-vpn[1] 192.168.3.53:53276 
  #1: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME 
  notification)
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  size (352) differs from size specified in ISAKMP HDR (336)
  May 21 09:52:49 vpn6-test pluto[31904]: packet from 192.168.3.53:53276: 
  Cisco VPN client appends 16 surplus NULL bytes
  May

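Andreas' diagnosis is that the Cisco client asks for a full tunnel (remote selector 0.0.0.0/0) and the gateway, with no leftsubnet, has no connection covering that. The following is an added example, not from the thread or from strongSwan, that parses the "no connection is known for" line and checks the requested selectors against the configured connections before and after the fix. The log line is constructed by re-joining the wrapped output above; modelling pluto's lookup as a containment check, and treating a missing leftsubnet as the gateway host alone, are simplifying assumptions.

```python
import re
from ipaddress import ip_network

# Constructed from the thread's wrapped error line, joined back together.
SAMPLE_ERROR = (
    "May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: "
    "cannot respond to IPsec SA request because no connection is known for "
    "0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, "
    "OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu]...192.168.3.53:53276"
    "[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, "
    "e=ad...@restena.lu]===192.168.120.129/32"
)

# <left selector>===<left host>[<left id>]...<right host>[<right id>]===<right selector>
ERR_RE = re.compile(
    r"no connection is known for (\S+?)===(\S+?)\[.*?\]\.\.\.(\S+?)\[.*?\]===(\S+)"
)

# Connections as in the thread's ipsec.conf, before and after adding leftsubnet.
CONNS_BEFORE = {"cisco-vpn": {"rightsourceip": "192.168.120.128/25"}}
CONNS_AFTER = {"cisco-vpn": {"leftsubnet": "0.0.0.0/0",
                             "rightsourceip": "192.168.120.128/25"}}


def parse_request(line):
    """Pull the selectors the peer proposed out of the pluto error line."""
    m = ERR_RE.search(line)
    if not m:
        return None
    left_ts, left_host, right_host, right_ts = m.groups()
    return {"left_ts": ip_network(left_ts), "left_host": left_host,
            "right_host": right_host, "right_ts": ip_network(right_ts)}


def matching_conns(conns, req):
    """Names of connections whose selectors cover what the peer asked for."""
    hits = []
    for name, conn in conns.items():
        # Assumption: with no leftsubnet the gateway offers only its own address.
        left = ip_network(conn.get("leftsubnet", req["left_host"] + "/32"))
        pool = ip_network(conn["rightsourceip"])   # virtual IPs handed to peers
        if req["left_ts"].subnet_of(left) and req["right_ts"].subnet_of(pool):
            hits.append(name)
    return hits


def check(conns):
    return matching_conns(conns, parse_request(SAMPLE_ERROR))


if __name__ == "__main__":
    print("without leftsubnet:", check(CONNS_BEFORE))
    print("with leftsubnet=0.0.0.0/0:", check(CONNS_AFTER))
```

A split-tunnel gateway (say leftsubnet=192.168.1.0/24) fails the same containment test against a 0.0.0.0/0 request, which is the general shape of this error: the peer's proposed selector must fit inside what some connection is willing to offer.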
[strongSwan] Strognswan with Cisco VPN client again

2010-05-21 Thread Claude Tompers
 pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sent MR3, ISAKMP SA established
May 21 09:52:49 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending XAUTH request
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
parsing XAUTH reply
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
extended authentication was successful
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending XAUTH status:
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
parsing XAUTH ack
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
received XAUTH ack, established
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
unsupported ModeCfg attribute 28683?? received.
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
unsupported ModeCfg attribute 28684?? received.
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
peer requested virtual IP %any
May 21 09:53:09 vpn6-test pluto[31904]: assigning new lease to 'C=LU, 
ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, 
e=ad...@restena.lu'
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
assigning virtual IP 192.168.120.129 to peer
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending ModeCfg reply
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sent ModeCfg reply, established
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
cannot respond to IPsec SA request because no connection is known for 
0.0.0.0/0===192.168.1.13[C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation 
RESTENA, OU=IT, CN=vpn6-pub.restena.lu, 
e=claude.tomp...@restena.lu]...192.168.3.53:53276[C=LU, ST=Luxembourg, 
L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, 
e=ad...@restena.lu]===192.168.120.129/32
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
May 21 09:53:14 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used Message 
ID 0x5913d71e (perhaps this is a duplicated packet)
May 21 09:53:14 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:19 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used Message 
ID 0x5913d71e (perhaps this is a duplicated packet)
May 21 09:53:19 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:24 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used Message 
ID 0x5913d71e (perhaps this is a duplicated packet)
May 21 09:53:24 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:29 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x818764bf) not found (maybe 
expired)
May 21 09:53:59 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: 
received Delete SA payload: deleting ISAKMP State #1
May 21 09:53:59 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276: 
deleting connection cisco-vpn instance with peer 192.168.3.53 
{isakmp=#0/ipsec=#0}
May 21 09:53:59 vpn6-test pluto[31904]: lease 192.168.120.129 by 'C=LU, 
ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=Group_xyz, 
e=ad...@restena.lu' went offline

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


signature.asc
Description: This is a digitally signed message part.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
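The log above shows a complete IKEv1 road-warrior exchange up to the point where it breaks: Main Mode completes, XAUTH succeeds, Mode Config hands out 192.168.120.129, and then Quick Mode is refused because no conn matches the selectors the client proposed. The following is an added example, not part of the post and not strongSwan code: a small parser that turns pluto log lines of this shape into a per-peer timeline and reports where the exchange failed. The log lines embedded in it are constructed from the excerpt above, with the long DNs replaced by placeholders; the thread does not show how the selector mismatch was resolved, so the script only reports it.

```python
"""Added example (not strongSwan code): summarise a pluto (IKEv1) log into a
per-peer timeline and point at the step where Phase 2 failed."""
import re
from collections import OrderedDict

# Constructed sample, condensed from the posted excerpt; DNs replaced by placeholders.
SAMPLE_LOG = """\
May 21 09:52:49 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: sent MR3, ISAKMP SA established
May 21 09:52:49 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: sending XAUTH request
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: extended authentication was successful
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: assigning virtual IP 192.168.120.129 to peer
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.13[gateway DN]...192.168.3.53:53276[client DN]===192.168.120.129/32
May 21 09:53:09 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.53:53276
May 21 09:53:14 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.53:53276
May 21 09:53:59 vpn6-test pluto[31904]: cisco-vpn[2] 192.168.3.53:53276 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# "<timestamp> <host> pluto[<pid>]: <conn>[<n>] <peer ip:port> #<sa>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
    r"(?P<conn>\S+) (?P<peer>[\d.]+:\d+) #(?P<sa>\d+): (?P<msg>.*)$")

# Markers in the order pluto emits them for an XAUTH + Mode Config road warrior.
MARKERS = [
    ("phase1_established", "ISAKMP SA established"),
    ("xauth_ok", "extended authentication was successful"),
    ("virtual_ip", "assigning virtual IP "),
    ("phase2_no_conn", "cannot respond to IPsec SA request because no connection is known for "),
    ("notify", "sending encrypted notification "),
    ("isakmp_deleted", "deleting ISAKMP State"),
]


def parse_pluto_log(text):
    """Return {peer: {"events": [(ts, kind, detail)], "selectors": str|None,
    "notifications": [names]}} for every peer seen in the log."""
    peers = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a conn/peer prefix (e.g. "packet from ...") are skipped
        entry = peers.setdefault(m["peer"], {"events": [], "selectors": None, "notifications": []})
        msg = m["msg"]
        for kind, marker in MARKERS:
            if marker in msg:
                detail = msg.split(marker, 1)[1].strip()
                entry["events"].append((m["ts"], kind, detail))
                if kind == "phase2_no_conn":
                    entry["selectors"] = detail          # "<gw subnet>===<gw>[...]...<peer>[...]===<client>"
                elif kind == "notify":
                    entry["notifications"].append(detail.split(" to ", 1)[0])
                break
    return peers


def diagnose(peer_entry):
    """Classify a session: did Phase 1, XAUTH and Mode Config succeed but Quick Mode fail?"""
    kinds = [k for _, k, _ in peer_entry["events"]]
    if "phase2_no_conn" in kinds and "phase1_established" in kinds:
        gw_side = peer_entry["selectors"].split("===", 1)[0]
        return ("phase2_failed",
                "IKE SA, XAUTH and Mode Config succeeded, but no conn matches the Quick Mode "
                f"selectors; gateway-side selector proposed by the client: {gw_side}")
    if "isakmp_deleted" in kinds:
        return ("closed", "ISAKMP SA deleted by peer")
    return ("ok", "no failure markers seen")


if __name__ == "__main__":
    for peer, entry in parse_pluto_log(SAMPLE_LOG).items():
        print(peer, diagnose(entry))
        for ts, kind, detail in entry["events"]:
            print(" ", ts, kind, detail[:70])
```

On the sample the verdict is `phase2_failed` with `0.0.0.0/0` as the gateway-side selector, i.e. the client asked for a full tunnel while the conn in the thread defines no such subnet; the two `INVALID_MESSAGE_ID` retries that follow are the client re-sending the same Quick Mode message and are a consequence, not a separate problem.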

[strongSwan] Strongswan with Cisco Client

2010-05-20 Thread Claude Tompers
Hello,

I'm trying to get a strongswan VPN server running with a Cisco client. I have 
already tried lots of different configurations on the strongswan side, but I 
always get the following error :

/var/log/messages :

May 20 08:26:12 vpn6-test pluto[9572]: packet from 192.168.3.53:54554: initial 
Main Mode message received on 192.168.1.13:500 but no connection has been 
authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER

Is there anything special to configure ?

Here's my ipsec.conf:

# basic configuration

ca vpnca
    cacert=VPNCA-cacert.pem
    auto=add

config setup
    plutostart=yes
    charonstart=no
    charondebug="net 0"
    nat_traversal=yes

# Add connections here.

conn %default
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftcert=vpncert.pem
    leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu"
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.120.128/25
    auto=add

conn cisco-vpn
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    type=tunnel
    pfs=no
    modeconfig=push
    rightauth=xauthrsasig
    xauth=server

---

and my ipsec.secrets:

: RSA vpncert-key.pem

: XAUTH claudeverysecretpassword

---

Thanks in advance for any answers.

kind regards,
Claude


Re: [strongSwan] Strongswan with Cisco Client

2010-05-20 Thread Claude Tompers
Hello Andreas,

I already had 'authby=xauthrsasig' during some previous tests, and I set it now 
again. Sadly no difference.
The 'modeconfig=push' did not change anything either.

kind regards,
Claude


On Thursday 20 May 2010 09:21:13 Andreas Steffen wrote:
 Dear Claude,
 
 I'm not sure if leftauth|rightauth works with IKEv1.
 Better set
 
authby=xauthrsasig
 
 as in our example scenario:
 
 http://www.strongswan.org/uml/testresults44/ikev1/xauth-rsa-mode-config/moon.ipsec.conf
 
 The Cisco VPN client does not expect Mode Config push mode in
 conjunction with XAUTH, so omit the modeconfig=push statement.
 
 Regards
 
 Andreas
 
 
 On 05/20/2010 08:32 AM, Claude Tompers wrote:
  Hello,
 
  I'm trying to get a strongswan VPN server running with a Cisco client. I 
  have already tried lots of different configurations on the strongswan side, 
  but I always get the following error :
 
  /var/log/messages :
 
  May 20 08:26:12 vpn6-test pluto[9572]: packet from 192.168.3.53:54554: 
  initial Main Mode message received on 192.168.1.13:500 but no connection 
  has been authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER
 
  Is there anything special to configure ?
 
  Here's my ipsec.conf:
 
  # basic configuration
 
  ca vpnca
   cacert=VPNCA-cacert.pem
   auto=add
 
  config setup
   plutostart=yes
   charonstart=no
   charondebug=net 0
   nat_traversal=yes
 
  # Add connections here.
 
  conn %default
   ike=aes256-sha1-modp1024
   esp=aes256-sha1
   dpdaction=clear
   dpddelay=300s
   rekey=no
   left=%any
   leftcert=vpncert.pem
   leftid=C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, 
  OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu
   leftauth=pubkey
   right=%any
   rightsourceip=192.168.120.128/25
   auto=add
 
  conn cisco-vpn
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   type=tunnel
   pfs=no
   modeconfig=push
   rightauth=xauthrsasig
   xauth=server
 
  ---
 
  and my ipsec.secrets:
 
  : RSA vpncert-key.pem
 
  : XAUTH claudeverysecretpassword
 
  ---
 
  Thanks in advance for any answers.
 
  kind regards,
  Claude
 
 
 
 
  ___
  Users mailing list
  Users@lists.strongswan.org
  https://lists.strongswan.org/mailman/listinfo/users
 
 
 


Re: [strongSwan] Strongswan with Cisco Client

2010-05-20 Thread Claude Tompers
Hello Andreas,

Yes, that was it. It's still not working completely, but it now seems to me to 
be an authentication issue with my generated certificates.
I will first try to solve this issue myself before crying for help on the 
mailing list again. ;)

Thanks very much for your help

regards,
Claude


On Thursday 20 May 2010 11:32:33 Andreas Steffen wrote:
 Hello Claude,
 
 I think I found the problem. The IKEv1 pluto daemon does not
 support
 
left=%any
 
 You must set
 
left=%defaultroute
 
 since we haven't implemented dynamic determination of the
 outbound network interface based on the route yet.
 
 Regards
 
 Andreas
 
 On 20.05.2010 09:30, Claude Tompers wrote:
  Hello Andreas,
 
  I already had 'authby=xauthrsasig' during some previous tests, and I set it 
  now again. Sadly no difference.
  The 'modeconfig=push' did not change anything either.
 
  kind regards,
  Claude
 
 
  On Thursday 20 May 2010 09:21:13 Andreas Steffen wrote:
  Dear Claude,
 
  I'm not sure if leftauth|rightauth works with IKEv1.
  Better set
 
  authby=xauthrsasig
 
  as in our example scenario:
 
  http://www.strongswan.org/uml/testresults44/ikev1/xauth-rsa-mode-config/moon.ipsec.conf
 
  The Cisco VPN client does not expect Mode Config push mode in
  conjunction with XAUTH, so omit the modeconfig=push statement.
 
  Regards
 
  Andreas
 
 
  On 05/20/2010 08:32 AM, Claude Tompers wrote:
  Hello,
 
  I'm trying to get a strongswan VPN server running with a Cisco client. I 
  have already tried lots of different configurations on the strongswan 
  side, but I always get the following error :
 
  /var/log/messages :
 
  May 20 08:26:12 vpn6-test pluto[9572]: packet from 192.168.3.53:54554: 
  initial Main Mode message received on 192.168.1.13:500 but no connection 
  has been authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER
 
  Is there anything special to configure ?
 
  Here's my ipsec.conf:
 
  # basic configuration
 
  ca vpnca
cacert=VPNCA-cacert.pem
auto=add
 
  config setup
plutostart=yes
charonstart=no
charondebug=net 0
nat_traversal=yes
 
  # Add connections here.
 
  conn %default
ike=aes256-sha1-modp1024
esp=aes256-sha1
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftcert=vpncert.pem
leftid=C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, 
  OU=IT, CN=vpn6-pub.restena.lu, e=claude.tomp...@restena.lu
leftauth=pubkey
right=%any
rightsourceip=192.168.120.128/25
auto=add
 
  conn cisco-vpn
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
type=tunnel
pfs=no
modeconfig=push
rightauth=xauthrsasig
xauth=server
 
  ---
 
  and my ipsec.secrets:
 
  : RSA vpncert-key.pem
 
  : XAUTH claudeverysecretpassword
 
  ---
 
  Thanks in advance for any answers.
 
  kind regards,
  Claude
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==
 

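The three corrections that resolved this thread (left=%defaultroute instead of left=%any, authby=xauthrsasig instead of leftauth/rightauth, and no modeconfig=push together with XAUTH) are the kind of thing worth checking mechanically before reloading a gateway. The following is an added example, not strongSwan code and not from the thread: a minimal ipsec.conf reader plus a lint for exactly those three settings, and a helper that applies the fixes. The embedded config is constructed from the one in the post; treating leftauth/rightauth as not honoured by pluto is taken from Andreas's remark and is an assumption about strongSwan 4.x, not something the page verifies.

```python
"""Added example (not strongSwan code): parse ipsec.conf and lint the three
pluto/IKEv1 XAUTH pitfalls discussed in this thread."""

# Constructed from the config in the post (trimmed); the three problem settings are kept.
SAMPLE_CONF = """\
config setup
    plutostart=yes
    charonstart=no

conn %default
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    left=%any
    leftcert=vpncert.pem
    leftid="C=LU, O=Fondation RESTENA, CN=vpn6-pub.restena.lu"
    leftauth=pubkey
    right=%any
    rightsourceip=192.168.120.128/25
    auto=add

conn cisco-vpn
    type=tunnel
    pfs=no
    modeconfig=push
    rightauth=xauthrsasig
    xauth=server
"""


def parse_ipsec_conf(text):
    """Return {"<kind> <name>": {key: value}}; section headers start in column 0,
    parameters are indented, '#' starts a comment, quotes around values are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # "conn cisco-vpn", "config setup", "ca vpnca"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def effective(sections, conn):
    """Merge 'conn %default' under a conn, as ipsec.conf semantics do."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get(conn, {}))
    return merged


def lint_ikev1_xauth(sections):
    """Return [(conn, problem, suggested fix)] for conns that pluto may handle
    (keyexchange absent/ike/ikev1 while plutostart is not 'no')."""
    pluto_on = sections.get("config setup", {}).get("plutostart", "yes") != "no"
    findings = []
    for name in sections:
        if not name.startswith("conn ") or name == "conn %default":
            continue
        cfg = effective(sections, name)
        if not pluto_on or cfg.get("keyexchange", "ike") not in ("ike", "ikev1"):
            continue
        if cfg.get("left") == "%any":
            findings.append((name, "left=%any is not supported by pluto", "left=%defaultroute"))
        if "leftauth" in cfg or "rightauth" in cfg:
            # Assumption (from Andreas's remark): pluto in 4.x does not act on leftauth/rightauth.
            findings.append((name, "leftauth/rightauth are not honoured by pluto",
                             "authby=xauthrsasig (drop leftauth/rightauth)"))
        if cfg.get("xauth") == "server" and cfg.get("modeconfig") == "push":
            findings.append((name, "Cisco VPN client does not expect Mode Config push with XAUTH",
                             "remove modeconfig=push (pull is the default)"))
    return findings


def fixed_for_pluto(text):
    """Apply the thread's three corrections as plain line edits and return the new text."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        key = stripped.split("=", 1)[0]
        if stripped == "left=%any":
            out.append(raw.replace("%any", "%defaultroute"))
        elif key == "leftauth" or (key == "modeconfig" and stripped.endswith("=push")):
            continue
        elif key == "rightauth":
            out.append(raw.replace("rightauth=", "authby="))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_ikev1_xauth(parse_ipsec_conf(SAMPLE_CONF)):
        print(*finding, sep=" | ")
    print(fixed_for_pluto(SAMPLE_CONF))
```

The lint merges `conn %default` first, which is why `left=%any` and `leftauth=pubkey` are reported against `conn cisco-vpn` even though they are written in the defaults section; that is also where they need to be changed.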

[strongSwan] Charon refuses to start

2010-05-18 Thread Claude Tompers
Hello,

I just upgraded strongswan in our testing system from 4.3.6 to 4.4.0.
Before it was working just fine, but now I get the following error :

May 18 11:45:24 vpn6-test ipsec_starter[26244]: Starting strongSwan 4.4.0 IPsec 
[starter]...
May 18 11:45:24 vpn6-test ipsec_starter[26263]: charon has died -- restart 
scheduled (5sec)
May 18 11:45:24 vpn6-test ipsec_starter[26263]: charon refused to be started
...

Any ideas to this error ?

thanks a lot in advance for your answers

greetings,
Claude


Re: [strongSwan] Charon refuses to start

2010-05-18 Thread Claude Tompers

On Tuesday 18 May 2010 12:03:22 you wrote:
 Hello Claude,
 
 could you set
 
ulimit -c unlimited
 
ipsec start --nofork

Starting strongSwan 4.4.0 IPsec [starter]...
/usr/local/libexec/ipsec/charon: error while loading shared libraries: 
libhydra.so.0: cannot open shared object file: No such file or directory
charon has died -- restart scheduled (5sec)
charon refused to be started

 
 and send the output on the console as well as the
 information from the core dump:
 
 gdb /usr/libexec/ipsec/charon core

vpn6-test:~ # gdb /usr/local/libexec/ipsec/charon core
GNU gdb (GDB) SUSE (6.8.91.20090930-2.4)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as i586-suse-linux.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/libexec/ipsec/charon...done.
/root/core: No such file or directory.
(gdb) run
Starting program: /usr/local/libexec/ipsec/charon 
Missing separate debuginfo for /lib/ld-linux.so.2
Try: zypper install -C 
debuginfo(build-id)=d7706cbaa0ca09319cb645eac789cb8399078797
/usr/local/libexec/ipsec/charon: error while loading shared libraries: 
libhydra.so.0: cannot open shared object file: No such file or directory

Program exited with code 0177.

Did I forget some option in the configure ?
Here are the options:

./configure \
    --enable-md4 \
    --enable-eap-mschapv2 \
    --enable-eap-radius \
    --enable-cisco-quirks \
    --enable-eap-identity \
    --enable-eap-md5 \
    --enable-eap-aka \
    --enable-eap-aka-3gpp2 \
    --enable-eap-gtc \
    --enable-eap-sim \
    --enable-eap-sim-file

thanks very much

regards,
Claude

   where
 
 Regards
 
 Andreas
 
 On 05/18/2010 11:50 AM, Claude Tompers wrote:
  Hello,
 
  I just upgraded strongswan in our testing system from 4.3.6 to 4.4.0.
  Before it was working just fine, but now I get the following error :
 
  May 18 11:45:24 vpn6-test ipsec_starter[26244]: Starting strongSwan 4.4.0 
  IPsec [starter]...
  May 18 11:45:24 vpn6-test ipsec_starter[26263]: charon has died -- restart 
  scheduled (5sec)
  May 18 11:45:24 vpn6-test ipsec_starter[26263]: charon refused to be started
  ...
 
  Any ideas to this error ?
 
  thanks a lot in advance for your answers
 
  greetings,
  Claude
 
 


Re: [strongSwan] Charon refuses to start

2010-05-18 Thread Claude Tompers
Hi,

ldconfig did the trick.

thanks a lot
Claude

On Tuesday 18 May 2010 15:55:16 Martin Willi wrote:
 Hi,
 
  /usr/local/libexec/ipsec/charon: error while loading shared libraries:
  libhydra.so.0: cannot open shared object file: No such file or
  directory
 
 The linker does not find the new libhydra library for code shared
 between charon and pluto. Double check that charon, libcharon,
 libstrongswan and libhydra have been installed correctly and you have
 updated your linker cache by calling ldconfig.
 
 Regards
 Martin
 
 


[strongSwan] IKEv1 + radius

2010-05-17 Thread Claude Tompers
Hello all,

Is it possible to do radius authentication with the eap_radius module with 
IKEv1 ?
If not, will this feature be added ?

thanks for your answers
Claude Tompers


Re: [strongSwan] IKEv1 + radius

2010-05-17 Thread Claude Tompers
Hello,

Thank you for your quick answer.

best regards
Claude Tompers


On Monday 17 May 2010 09:40:32 Andreas Steffen wrote:
 Hello Claude,
 
 the EAP plugins cannot be used with the IKEv1 pluto daemon.
 Since our development focus is clearly on IKEv2 (RFC 4306 is
 already 5 years old and should at last replace IKEv1!!!)
 we would implement RADIUS support for the proprietary IKEv1
 XAUTH protocol only if some organization would sponsor the
 effort.
 
 Best regards
 
 Andreas
 
 On 17.05.2010 09:11, Claude Tompers wrote:
  Hello all,
 
  Is it possible to do radius authentication with the eap_radius module with 
  IKEv1 ?
  If not, will this feature be added ?
 
  thanks for your answers
  Claude Tompers
 
 


[strongSwan] Ikev2 Client for Windows XP / Vista

2010-05-14 Thread Claude Tompers
Hi,

Does anyone know a VPN client that supports ikev2 for Windows XP and/or Windows 
Vista ?
Preferably open-source but any suggestion is welcome. ;)

thanks a lot
Claude


[strongSwan] IP family mismatch

2010-04-15 Thread Claude Tompers
Hi,

I have a Windows 7 client which has both IPv4 and IPv6 enabled in its 
configuration.
The server's ipsec.conf defines two profiles, one for IPv4 and one for IPv6.
If I disable the IPv6 profile, the IPv4 profile is chosen, but, because the 
Windows 7 client already had an IPv6 address once, it is requesting that one 
again.
The log shows the following error :

Apr 12 16:03:42 vpn6-test charon: 16[IKE] peer requested virtual IP 
fec0:a18:2341:3440::1
Apr 12 16:03:42 vpn6-test charon: 16[CFG] IP pool address family mismatch
Apr 12 16:03:42 vpn6-test charon: 16[LIB] acquiring address from pool 
'ipv4.test' failed
Apr 12 16:03:42 vpn6-test charon: 16[IKE] no virtual IP found, sending 
INTERNAL_ADDRESS_FAILURE

Is there any workaround for this issue ?
Or is there any way to tell Windows not to make any proposals ?

As long as Windows 7 does not ask for an explicit IPv6 address, i.e. %any6 as 
it asked for before its first IPv6 address was assigned, the connection was 
created successfully.

best regards
Claude Tompers


Re: [strongSwan] IPv6 Addresses

2010-04-12 Thread Claude Tompers
Hi,

I fear my email has been overlooked, so I am reposting it with further details.
In an IPv4 VPN, I can assign IP addresses from a given pool to the roadwarriors 
by using, e.g.:

rightsourceip=192.168.128/25 

Is it possible to do the same with IPv6 ?

rightsourceip=fec0:1234:5678::/64

regards
Claude Tompers


On Thursday 08 April 2010 11:48:38 Claude Tompers wrote:
 Hi, 
 
 Is there a way to distribute IPv6 addresses to road warriors ?
 i.e. : rightsourceip=IPv6-subnet
 I've tried this but it always distributes the same address to every host.
 
 thanks in advance
 Claude
 
 


Re: [strongSwan] IPv6 Addresses

2010-04-12 Thread Claude Tompers
Hi,

Sorry, I must have done something wrong in my configuration.
It now works with an /112 subnet.

Thanks a lot for the help anyway.

regards
Claude Tompers


On Monday 12 April 2010 13:34:10 Jan Engelhardt wrote:
 
 On Monday 2010-04-12 13:06, Andreas Steffen wrote:
 
 The real problem is that the Linux kernel does not support
 routing table entries with the src parameter being an IPv6
 address,
 
 I would not call it a problem. If I understand right, the src addr,
 if it has not been explicitly been set or specified using bind(2) or
 sendto(2), is not determined by looking at the src attribute in
 IPv6, but at the address list of an interface, and picking one that
 has an appropriate lifetime. Since reproducing the same lookup logic
 in strongswan would be sort of an unwanted fork, the kernel does have
 a way to calculate the routing entry src address, by using `ip route
 get` or the respective netlink calls. Does that help?
 
 so that virtual IPv6 addresses can be checked out
 by a VPN gateway and are transported via the IKEv2 configuration
 payload or the IKEv1 Mode Config payload but cannot be
 installed in the kernel. Thus we cannot force IPv6 packets
 to leave via a physical interface but assuming a different
 source address.
 


Re: [strongSwan] IPv6 Addresses

2010-04-12 Thread Claude Tompers
Hi,

There is another issue now.
I have a Windows 7 client which has both IPv4 and IPv6 enabled in its 
configuration.
The server's ipsec.conf defines two profiles, one for IPv4 and one for IPv6.
If I disable the IPv6 profile, the IPv4 profile is chosen, but, because the 
Windows 7 client already had an IPv6 address once, it is requesting that one 
again.
The log shows the following error :

Apr 12 16:03:42 vpn6-test charon: 16[IKE] peer requested virtual IP 
fec0:a18:2341:3440::1
Apr 12 16:03:42 vpn6-test charon: 16[CFG] IP pool address family mismatch
Apr 12 16:03:42 vpn6-test charon: 16[LIB] acquiring address from pool 
'ipv4.test' failed
Apr 12 16:03:42 vpn6-test charon: 16[IKE] no virtual IP found, sending 
INTERNAL_ADDRESS_FAILURE

Is there any workaround for this issue ?
Or is there any way to tell Windows not to make any proposals ?

best regards
Claude Tompers


On Monday 12 April 2010 14:33:46 Claude Tompers wrote:
 Hi,
 
 Sorry, I must have done something wrong in my configuration.
 It now works with an /112 subnet.
 
 Thanks a lot for the help anyway.
 
 regards
 Claude Tompers
 
 
 On Monday 12 April 2010 13:34:10 Jan Engelhardt wrote:
  
  On Monday 2010-04-12 13:06, Andreas Steffen wrote:
  
  The real problem is that the Linux kernel does not support
  routing table entries with the src parameter being an IPv6
  address,
  
  I would not call it a problem. If I understand right, the src addr,
  if it has not been explicitly been set or specified using bind(2) or
  sendto(2), is not determined by looking at the src attribute in
  IPv6, but at the address list of an interface, and picking one that
  has an appropriate lifetime. Since reproducing the same lookup logic
  in strongswan would be sort of an unwanted fork, the kernel does have
  a way to calculate the routing entry src address, by using `ip route
  get` or the respective netlink calls. Does that help?
  
  so that virtual IPv6 addresses can be checked out
  by a VPN gateway and are transported via the IKEv2 configuration
  payload or the IKEv1 Mode Config payload but cannot be
  installed in the kernel. Thus we cannot force IPv6 packets
  to leave via a physical interface but assuming a different
  source address.
  
 
 

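The "IP pool address family mismatch" in the log above, and the earlier question in this thread about handing out IPv6 virtual addresses with rightsourceip, both come down to how a gateway picks a pool for a configuration-payload request: the Windows 7 client asks for the IPv6 address it was last given, the only pool configured is IPv4, so the request cannot be satisfied and INTERNAL_ADDRESS_FAILURE goes back. The following is an added example, not strongSwan's pool implementation: an in-memory lease pool keyed by address family that reproduces the failure with an IPv4-only pool and shows a dual-stack pool (IPv4 /25 plus the /112 that worked for the poster) serving the same request. Pool prefixes and peer identities are constructed; the behaviour of reusing a peer's previous lease and honouring a requested address when it is free is an assumption about a reasonable gateway, not a description of charon.

```python
"""Added example (not strongSwan code): virtual IP pools selected by the address
family of the request, so an IPv6 request against an IPv4-only pool fails the
way the posted log shows, and succeeds once a pool of that family exists."""
import ipaddress

ADDRESS_FAILURE = "INTERNAL_ADDRESS_FAILURE"   # IKEv2 notify charon sends when no address is found


class VirtualIPPools:
    """One pool per address family; a peer identity keeps its lease across reconnects."""

    def __init__(self, *prefixes):
        self.pools = {}
        for prefix in prefixes:                  # constructed: e.g. "192.168.120.128/25", "fec0:1234:5678::/112"
            net = ipaddress.ip_network(prefix)
            # Offset 0 (the network address) is reserved; leases start at offset 1.
            self.pools[net.version] = {"net": net, "next": 1, "leases": {}}

    @staticmethod
    def _family(requested):
        """'%any' / '%any6' are the wildcard requests; anything else is a concrete address."""
        if requested == "%any":
            return 4
        if requested == "%any6":
            return 6
        return ipaddress.ip_address(requested).version

    def acquire(self, peer_id, requested="%any"):
        """Return (address, None) on success or (None, ADDRESS_FAILURE) if no pool fits."""
        pool = self.pools.get(self._family(requested))
        if pool is None:
            # This is the "IP pool address family mismatch" case from the log.
            return None, ADDRESS_FAILURE
        leases = pool["leases"]
        if peer_id in leases:                    # same identity reconnecting: hand back its lease
            return leases[peer_id], None
        if requested not in ("%any", "%any6"):
            wanted = ipaddress.ip_address(requested)
            if wanted in pool["net"] and wanted not in leases.values():
                leases[peer_id] = wanted         # requested address is ours and free: honour it
                return wanted, None
        offset = pool["next"]
        if offset >= pool["net"].num_addresses:
            return None, ADDRESS_FAILURE         # pool exhausted
        pool["next"] = offset + 1
        addr = pool["net"][offset]
        leases[peer_id] = addr
        return addr, None

    def release(self, peer_id):
        """Drop the peer's lease in whichever pool holds it (the log's 'went offline')."""
        for pool in self.pools.values():
            pool["leases"].pop(peer_id, None)


if __name__ == "__main__":
    v4only = VirtualIPPools("192.168.120.128/25")
    print(v4only.acquire("CN=Group_xyz"))                          # IPv4 lease
    print(v4only.acquire("CN=win7", "fec0:a18:2341:3440::1"))      # (None, 'INTERNAL_ADDRESS_FAILURE')
    dual = VirtualIPPools("192.168.120.128/25", "fec0:1234:5678::/112")
    print(dual.acquire("CN=win7", "fec0:a18:2341:3440::1"))        # IPv6 lease from our own /112
```

With two pools the client's stale request for fec0:a18:2341:3440::1 is no longer an error: the address is outside the gateway's /112, so it is ignored and the next free address of the right family is assigned instead.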

Re: [strongSwan] Ipv4 - Ipv6 Dual-stack

2010-04-08 Thread Claude Tompers
Thanks, I'll try that.
Is that sort of configuration planned to be available in the future ?

Claude


[strongSwan] IPv6 Addresses

2010-04-08 Thread Claude Tompers
Hi, 

Is there a way to distribute IPv6 addresses to road warriors ?
i.e. : rightsourceip=IPv6-subnet
I've tried this but it always distributes the same address to every host.

thanks in advance
Claude


[strongSwan] Ipv4 - Ipv6 Dual-stack

2010-04-07 Thread Claude Tompers
Hi,

I'm trying to build an IKEv2 based VPN. It all works fine, but I can not find 
any example configuration using IPv4 and IPv6 inside the tunnel.
Is this possible at all ? If so, is it possible to get some hints on how to do 
so ? :)

thanks a lot in advance
Claude
