[strongSwan] Windows ikev2 conn, eap_identity ignored

2017-10-16 Thread Giuseppe De Marco
Hi all,

I'm using Debian GNU/Linux 9.2 (stretch) with the standard strongswan package
from the stretch apt repository (5.5.1-4+deb9u1).

The tunnel is IKEv2 with eap-radius authentication.

I'm facing the problem that Windows 10 clients don't send their right
identity.
Linux and Android clients work great instead: they always request the
connections with the correct eap_identity, as we expect.

The problem is that if the Windows client fails to present its identity it
will take a dynamic virtual IP and not the static one configured for it.

I also read about attr_sql and the possibility of fixing the IP assignment
afterwards, via SQL.
I'd also like to play with it, so I installed all of the strongswan/charon
packages; they are all here:

libstrongswan
libstrongswan-extra-plugins
libstrongswan-standard-plugins
network-manager-strongswan
strongswan
strongswan-charon
strongswan-ike
strongswan-ikev1
strongswan-ikev2
strongswan-libcharon
strongswan-nm
strongswan-pki
strongswan-scepclient
strongswan-starter
strongswan-swanctl
charon-cmd
charon-systemd
libcharon-extra-plugins
strongswan-charon
strongswan-libcharon

But I cannot see the attr_sql plugin loaded and running, with the command:

ipsec listplugins

attr_sql could be a good solution; the goal is to configure a Windows 10
client so that it correctly presents itself with its proper identity, instead
of its WAN IP, as 192.168.3.44 here:

04[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[192.168.3.44]
04[CFG] selected peer config 'ike2-eap-radius'

The same account, using nm-strongswan or charon-cmd, works great with
Linux; the identity (Frank) is there:

15[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[Frank]
15[CFG] selected peer config 'ike2-eap-Frank'

I'm also sure that this problem should be well known with Windows 10 clients,
it looks so standard!
Any suggestions would be very much appreciated
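As an added example (mine, not part of the original post nor strongSwan code), here is a small Python check over charon log lines of the kind quoted above: it parses the "looking for peer configs matching" line and reports peers whose IKE identity is a bare IP literal (what the Windows client presents here) rather than a name (as "Frank" is). The two lookup lines are the ones from this post; the regex, class and function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Shape of charon's peer-config lookup line:
#   <thread>[CFG] looking for peer configs matching LOCAL[LOCAL_ID]...REMOTE[REMOTE_ID]
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching\s+"
    r"(?P<local>\S+?)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>\S+?)\[(?P<remote_id>[^\]]*)\]"
)


@dataclass(frozen=True)
class PeerMatch:
    local_addr: str
    local_id: str
    remote_addr: str
    remote_id: str

    @property
    def remote_id_is_address(self) -> bool:
        """True when the peer's IKE identity is a bare IP literal instead of a
        user or host name; '%any' and names do not parse and give False."""
        try:
            ipaddress.ip_address(self.remote_id)
        except ValueError:
            return False
        return True


def parse_peer_match(line: str) -> Optional[PeerMatch]:
    """Parse one charon log line; None for lines that are not a peer-config lookup."""
    m = PEER_CFG_RE.search(line)
    if m is None:
        return None
    return PeerMatch(m["local"], m["local_id"], m["remote"], m["remote_id"])


def peers_with_address_identity(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (remote address, presented identity) for every lookup in which the
    remote side identified itself with an IP literal rather than a name."""
    found = []
    for line in lines:
        pm = parse_peer_match(line)
        if pm is not None and pm.remote_id_is_address:
            found.append((pm.remote_addr, pm.remote_id))
    return found


# The lookup lines quoted in the post above (Windows client first, then the Linux client 'Frank').
SAMPLE_LOG = [
    "04[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[192.168.3.44]",
    "04[CFG] selected peer config 'ike2-eap-radius'",
    "15[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[Frank]",
    "15[CFG] selected peer config 'ike2-eap-Frank'",
]

if __name__ == "__main__":
    for addr, ident in peers_with_address_identity(SAMPLE_LOG):
        print(f"{addr} presented IP literal {ident!r} as its IKE identity")
```

Run over a full charon log (`journalctl -u strongswan` or syslog) this lists which remote addresses fall back to an address identity; those are the sessions that can only match a generic `%any` peer config and therefore a dynamic lease, which is the symptom described in the post.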


[strongSwan] attr_sql in Debian 9

2017-10-18 Thread Giuseppe De Marco
Hi all,

Has anyone used attr_sql in Debian 9?
I cannot find this plugin in the official Debian 9 strongswan packages.

If someone knows a workaround for this it would be much appreciated;
otherwise I think I have to compile strongswan from sources.

Thank you


Re: [strongSwan] Windows ikev2 conn, eap_identity ignored

2017-10-23 Thread Giuseppe De Marco
Hi,

I found that there is no attr_sql support in the standard Debian 9 packages.

ipsec statusall also prints all the available plugins, having already
installed all the available strongswan Debian packages.
So, on Debian 9 we cannot have more than this:

loaded plugins:
charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac
ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp
stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity

This means, to me (but every suggestion would be appreciated), that the only
way to get a persistent pool lease system is to compile strongswan with
--enable-attr-sql

Thank you, I'll bring more useful information after all this, such as the
setup notes.
A huge setup migration is going to begin!


2017-10-16 22:08 GMT+02:00 Giuseppe De Marco :

> Hi all,
>
> I'm using Debian GNU/Linux 9.2 (stretch) with the standard strongswan package
> from the stretch apt repository (5.5.1-4+deb9u1).
>
> The tunnel is IKEv2 with eap-radius authentication.
>
> I'm facing the problem that Windows 10 clients don't send their right
> identity.
> Linux and Android clients work great instead: they always request the
> connections with the correct eap_identity, as we expect.
>
> The problem is that if the Windows client fails to present its identity it
> will take a dynamic virtual IP and not the static one configured for it.
>
> I also read about attr_sql and the possibility of fixing the IP assignment
> afterwards, via SQL.
> I'd also like to play with it, so I installed all of the strongswan/charon
> packages; they are all here:
>
> libstrongswan
> libstrongswan-extra-plugins
> libstrongswan-standard-plugins
> network-manager-strongswan
> strongswan
> strongswan-charon
> strongswan-ike
> strongswan-ikev1
> strongswan-ikev2
> strongswan-libcharon
> strongswan-nm
> strongswan-pki
> strongswan-scepclient
> strongswan-starter
> strongswan-swanctl
> charon-cmd
> charon-systemd
> libcharon-extra-plugins
> strongswan-charon
> strongswan-libcharon
>
> But I cannot see the attr_sql plugin loaded and running, with the command:
>
> ipsec listplugins
>
> attr_sql could be a good solution; the goal is to configure a Windows 10
> client so that it correctly presents itself with its proper identity, instead
> of its WAN IP, as 192.168.3.44 here:
>
> 04[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[192.168.3.44]
> 04[CFG] selected peer config 'ike2-eap-radius'
>
> The same account, using nm-strongswan or charon-cmd, works great with
> Linux; the identity (Frank) is there:
>
> 15[CFG] looking for peer configs matching 110.7.6.173[%any]...11.74.200.151[Frank]
> 15[CFG] selected peer config 'ike2-eap-Frank'
>
> I'm also sure that this problem should be well known with Windows 10 clients,
> it looks so standard!
> Any suggestions would be very much appreciated
>
>


Re: [strongSwan] Host-to-Host Windows to Debian (StrongSwan)

2017-10-27 Thread Giuseppe De Marco
I used Debian as server and Windows as clients in an IKEv2 connection.
A working setup can be found here:

https://github.com/peppelinux/UniTools/blob/master/IPSec/ipsec.fw.sh

I never used IKEv1, sorry

2017-10-27 11:13 GMT+02:00 Ben Lavender :

> Anyone think they could assist with this?
>
>
>
> *From:* Ben Lavender
> *Sent:* 24 October 2017 17:23
> *To:* 'users@lists.strongswan.org' 
> *Subject:* Host-to-Host Windows to Debian (StrongSwan)
>
>
>
> Hello,
>
> Please could anyone assist with this problem?
>
> We have set up a connection between two servers (right Windows | left
> Debian-StrongSwan) in a host-to-host configuration, where the Windows server
> will be establishing the connection using transport mode (IKEv1). The
> authentication is set to use X.509 certificates.
>
> The problem we are having seems to be within the two log lines below:
>
> Oct 24 16:21:45 LAB-DEBCLIENT-01 charon: 07[ENC] parsed INFORMATIONAL_V1 request 62237808 [ HASH N(AUTH_FAILED) ]
> Oct 24 16:21:45 LAB-DEBCLIENT-01 charon: 07[IKE] received AUTHENTICATION_FAILED error notify
>
> Is there any advice given for attempting to resolve this issue? I can
> provide full logs if need be. Thanks.
>
> /etc/ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     charondebug="ike 4, knl 4, cfg 4"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     mobike=no
>     keyexchange=ike
>
> conn host-host
>     left=192.168.2.9
>     leftcert=deb.crt.pem
>     leftid="CN=LAB-DEBCLIENT-01.lab.vdcs.local"
>     leftfirewall=yes
>     right=192.168.2.5
>     rightid="CN=LAB-FPSVR-01.lab.vdcs.local"
>     type=transport
>     auto=add
>
> ca strongswan
>     cacert=rootca.pem
>     crluri=http://LAB-DC-01.lab.vdcs.local/tempcrl/lab-LAB-DC-01-CA-1.crl
>     auto=add
>
> /etc/ipsec.secrets
>
> # This file holds shared secrets or RSA private keys for authentication.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part.
>
> : RSA deb.key.pem
>
> Regards
>
> Ben
>
>


[strongSwan] preparing MySQL statement failed: Commands out of sync; you can't run this command now

2017-11-03 Thread Giuseppe De Marco
Using
Linux strongSwan U5.6.0/K4.9.0-4-amd64

compiled from sources on Debian 9, using MySQL as database.
ipsec pool works very well, everything except the --replace command, which fails:

ipsec pool --replace net1_pool --addresses /etc/ipsec.pools
preparing MySQL statement failed: Commands out of sync; you can't run this
command now
deleting pool failed.


Re: [strongSwan] Windows ikev2 conn, eap_identity ignored

2017-11-03 Thread Giuseppe De Marco
Compiling strongswan-5.6.0 from sources solved the problem on my Debian 9

This is what I did:
 ./configure --enable-test-vectors --enable-ldap --enable-pkcs11
--enable-aesni --enable-aes --enable-rc2 --enable-sha2 --enable-sha1
--enable-md5 --enable-rdrand --enable-random --enable-nonce --enable-x509
--enable-revocation --enable-constraints --enable-pubkey --enable-pkcs1
--enable-pkcs7 --enable-pkcs8 --enable-pkcs12 --enable-pgp --enable-dnskey
--enable-sshkey --enable-pem --enable-openssl --enable-gcrypt
--enable-af-alg --enable-fips-prf --enable-gmp --enable-agent --enable-xcbc
--enable-cmac --enable-hmac --enable-ctr --enable-ccm --enable-gcm
--enable-curl --enable-attr --enable-kernel-netlink --enable-resolve
--enable-socket-default --enable-connmark --enable-farp --enable-stroke
--enable-vici --enable-updown --enable-eap-identity --enable-eap-aka
--enable-eap-md5 --enable-eap-gtc --enable-eap-mschapv2 --enable-eap-radius
--enable-eap-tls --enable-eap-ttls --enable-eap-tnc --enable-xauth-generic
--enable-xauth-eap --enable-xauth-pam --enable-tnc-tnccs --enable-dhcp
--enable-lookip --enable-error-notify --enable-certexpire --enable-led
--enable-addrblock --enable-unity --enable-monolithic --enable-blowfish
-enable-af-alg --enable-acert --enable-bypass-lan --enable-cmd
--enable-eap-dynamic --enable-md4 --enable-sha3 --enable-eap-aka-3gpp2
--enable-blowfish --enable-af-alg --enable-attr-sql --enable-mysql
--prefix=/usr --sysconfdir=/etc

Once installed, ipsec pool finally worked and I solved all my needs; Windows
10 clients finally take their static leases.

syslog:
Nov  3 22:46:14 vpn charon[24548]: 14[IKE] peer requested virtual IP %any
Nov  3 22:46:14 vpn charon[24548]: 14[CFG] acquired existing lease for address 10.9.10.27 in pool 'net1_pool'
Nov  3 22:46:14 vpn charon[24548]: 14[IKE] assigning virtual IP 10.9.10.27 to peer 'giuseppe_dm'




2017-10-23 16:14 GMT+02:00 Simon Deziel :

> Hi Giuseppe,
>
> On 2017-10-23 06:56 AM, Giuseppe De Marco wrote:
> > I found that there is no attr_sql support in the standard Debian 9 packages.
>
> Indeed, Debian doesn't provide the plugin you are looking for. In
> Ubuntu, it is available in the libstrongswan-extra-plugins package.
> There is a bug [1] about unifying the strongswan packaging between
> Ubuntu and Debian. Feel free to voice your interest in such merge to the
> Debian maintainer.
>
> Regards,
> Simon
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848890
>
>


Re: [strongSwan] preparing MySQL statement failed: Commands out of sync; you can't run this command now

2017-11-06 Thread Giuseppe De Marco
I just had to tell you this information:

I do not use MySQL but MariaDB, as Debian 9 standard introduces.
So, the development files the code was compiled against are these:

libmariadbclient-dev-compat/stable,stable,now 10.1.26-0+deb9u1 amd64


2017-11-06 10:32 GMT+01:00 Tobias Brunner :

> Hi Giuseppe,
>
> > ipsec pool --replace net1_pool --addresses /etc/ipsec.pools
> > preparing MySQL statement failed: Commands out of sync; you can't run
> > this command now
> > deleting pool failed.
>
> I think the problem is that there are two commands executed overlapping
> on the same connection (prepared statement to check if the pool exists
> and the deletion of that pool).  Apparently, the MySQL client doesn't
> like that.  I pushed a fix for it to the pool-replace-mysql branch [1].
>
> Regards,
> Tobias
>
> [1]
> https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=
> refs/heads/pool-replace-mysql
>


Re: [strongSwan] preparing MySQL statement failed: Commands out of sync; you can't run this command now

2017-11-06 Thread Giuseppe De Marco
Thank you Tobias, we really appreciate your time on it.

We are actually in production with stable 5.6.0 and we would also like to
know when the next stable release will have this patch deployed, to decide
when to drive the migration with the patched stable release.

At this moment this is not a must-have feature, so time is not a problem
for now, we can wait.
Thank you again

2017-11-06 10:32 GMT+01:00 Tobias Brunner :

> Hi Giuseppe,
>
> > ipsec pool --replace net1_pool --addresses /etc/ipsec.pools
> > preparing MySQL statement failed: Commands out of sync; you can't run
> > this command now
> > deleting pool failed.
>
> I think the problem is that there are two commands executed overlapping
> on the same connection (prepared statement to check if the pool exists
> and the deletion of that pool).  Apparently, the MySQL client doesn't
> like that.  I pushed a fix for it to the pool-replace-mysql branch [1].
>
> Regards,
> Tobias
>
> [1]
> https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=
> refs/heads/pool-replace-mysql
>


Re: [strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout

2017-11-07 Thread Giuseppe De Marco
Hi Joshua,

from the client side you should also read some auth failures.
Probably it means that the ca.crt is not valid, or the client doesn't
understand the auth type because of missing plugin dependencies. It could
depend on the client type as well: with Linux and charon-cmd you have to
specify the --cert path. The IKE_SA goes into timeout, this is the
information, and it depends on the client that cannot understand the incoming
packets.

The most important thing is your configuration; you should let us read it.
If your tunnel never worked you could also think about re-configuring it from
scratch. I produced these scripts to introduce myself to IKEv2:

https://github.com/peppelinux/UniTools/tree/master/IPSec

hope this helps, I'm not a strongswan veteran, probably someone could help
you better than me :)

2017-11-07 12:11 GMT+01:00 Joshua Nocturne :

> Hello,
> I got some problems with the configuration of strongswan: no matter
> how I configured it, the IKEv2 connection just couldn't be established. The
> strongswan log is like this:
> Nov  7 18:52:21 05[NET] <1> received packet: from 183.131.17.162[380] to 47.90.13.129[500] (616 bytes)
> Nov  7 18:52:21 05[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:21 05[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
> Nov  7 18:52:21 05[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
> Nov  7 18:52:21 05[IKE] <1> received Vid-Initial-Contact vendor ID
> Nov  7 18:52:21 05[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> Nov  7 18:52:21 05[IKE] <1> 183.131.17.162 is initiating an IKE_SA
> Nov  7 18:52:21 05[IKE] <1> remote host is behind NAT
> Nov  7 18:52:21 05[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Nov  7 18:52:21 05[NET] <1> sending packet: from 47.90.13.129[500] to 183.131.17.162[380] (312 bytes)
> Nov  7 18:52:22 16[NET] <1> received packet: from 183.131.17.162[380] to 47.90.13.129[500] (616 bytes)
> Nov  7 18:52:22 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:22 16[IKE] <1> received retransmit of request with ID 0, retransmitting response
> Nov  7 18:52:22 16[NET] <1> sending packet: from 47.90.13.129[500] to 183.131.17.162[380] (312 bytes)
> Nov  7 18:52:23 11[NET] <1> received packet: from 183.131.17.162[380] to 47.90.13.129[500] (616 bytes)
> Nov  7 18:52:23 11[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:23 11[IKE] <1> received retransmit of request with ID 0, retransmitting response
> Nov  7 18:52:23 11[NET] <1> sending packet: from 47.90.13.129[500] to 183.131.17.162[380] (312 bytes)
> Nov  7 18:52:51 15[JOB] <1> deleting half open IKE_SA after timeout
>
> Need your help, please.
>


Re: [strongSwan] OpenWRT. IPSec server

2017-12-29 Thread Giuseppe De Marco
Hi,

Do you compile the firmware yourself, or install packages in a stable release
using the opkg command?
If you open port 4500 it means that you use IKEv2/charon, doesn't it?

I customize openwrt and lede firmwares for specific purposes; my packages
are here:
https://github.com/peppelinux/pplnx-LEDE-firmwares
https://github.com/peppelinux/openWRT_x86
https://github.com/peppelinux/openWRT_BB_builds

I always use OpenVPN for embedded purposes, but if you have configured all the
dependencies for an IPsec strongswan IKEv2 with mschap in openwrt let me
know which packages you installed; I can do a customized firmware, compiling
the whole release from scratch (disk space usage will be more efficient)

Ports are 4500 udp and 500 udp

2017-12-28 8:51 GMT+01:00 Sujoy :

> Hi All,
>
>
> We want to implement strongSwan with IPsec in OpenWRT. The IPsec server will
> be running on CentOS and the OpenWRT router will connect to it using VPN. I
> have configured the server part, and am struggling to configure the client part.
> Do we need to open port 4500 for this first?
>
> Can anyone suggest a solution for this.
> --
>
> Thanks & Regards
> Sujoy
>


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Hi and thank you Noel,
I meant to run ipsec and charon in the embedded openwrt router; I use dpd
as well

  # dead-peer detection to clear any "dangling" connections in case
  # the client unexpectedly disconnects
  dpdaction=clear
  # If the tunnel has no traffic for this long (default 30 secs), Charon
  # will send a dead peer detection packet. The value 0 means to not send
  # such packets, relying on ordinary traffic, which will occur at least
  # once an hour, which is the default rekeying lifetime.
  dpddelay=33s
  # DPD Retries : 3
  dpdtimeout=300s

Running strongswan in an 18-70$ openwrt router is very useful in many ways


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Yes Noel, and thank you; my question is:
Is there any experience of running strongswan in openwrt as an IKEv2
server with mschap, radius, ldap auth backend?

2018-01-04 14:17 GMT+01:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Hi,
>
> `ipsec` is just a command line tool. It's not a daemon (or generally a
> service).
> Are there any open questions?
>
> Kind regards
>
> Noel
>
> On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > Hi and thank you Noel,
> > I meant to run ipsec and charon in the embedded openwrt router, I use
> dpd as well
> >
> >   # dead-peer detection to clear any "dangling" connections in case the
> client unexpectedly disconnects
> >   dpdaction=clear
> >   # If the tunnel has no traffic for this long (default 30 secs), Charon
> will send a dead peer detection packet. The value 0 means to not send such
> packets, relying on ordinary traffic, which will occur at least once an
> hour, which is the default rekeying lifetime.
> >   dpddelay=33s
> >   #  DPD Retries : 3
> >   dpdtimeout=300s
> >
> > Running strongswan in an 18-70$ openwrt router is very useful in many ways
>
>


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
With LDAP or RADIUS it is possible to auth over an NT-Password and I think LM
as well, yes AD format.
I often use mschap for testing purposes and it would be great to have an
embedded but configurable strongswan server in a cheap router.

2018-01-04 14:46 GMT+01:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Not on openwrt. But you need plaintext or AD like passwords in LDAP.
> Otherwise you can't auth with mschap(v2).
>
> On 04.01.2018 14:38, Giuseppe De Marco wrote:
> > Yes Noel and thank you, my question is:
> > Is there any experiences about running strongswan in openwrt as ikev2
> server with mschap,radius,ldap auth backend?
> >
> > 2018-01-04 14:17 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:
> >
> > Hi,
> >
> > `ipsec` is just a command line tool. It's not a daemon (or generally
> a service).
> > Are there any open questions?
> >
> > Kind regards
> >
> > Noel
> >
> > On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > > Hi and thank you Noel,
> > > I meant to run ipsec and charon in the embedded openwrt router, I
> use dpd as well
> > >
> > >   # dead-peer detection to clear any "dangling" connections in
> case the client unexpectedly disconnects
> > >   dpdaction=clear
> > >   # If the tunnel has no traffic for this long (default 30 secs),
> Charon will send a dead peer detection packet. The value 0 means to not
> send such packets, relying on ordinary traffic, which will occur at least
> once an hour, which is the default rekeying lifetime.
> > >   dpddelay=33s
> > >   #  DPD Retries : 3
> > >   dpdtimeout=300s
> > >
> > > Running strongswan in an 18-70$ openwrt router is very useful in many ways
> >
> >
>
>


Re: [strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration

2018-01-08 Thread Giuseppe De Marco
Ciao Marco,

Probably I'm wrong, but I think that the Dead Peer Detection feature could
be helpful for you

  # dead-peer detection to clear any "dangling" connections in case
  # the client unexpectedly disconnects
  dpdaction=clear
  # If the tunnel has no traffic for this long (default 30 secs), Charon
  # will send a dead peer detection packet. The value 0 means to not send
  # such packets, relying on ordinary traffic, which will occur at least
  # once an hour, which is the default rekeying lifetime.
  dpddelay=33s
  # DPD Retries : 3
  dpdtimeout=300s


2018-01-08 17:12 GMT+01:00 Marco Berizzi :

> Hello everyone,
>
> I'm running strongswan 5.6.1 on Slackware Linux 64 bit.
> I have found a little problem with my setup. Sometimes
> mobile users' main mode and quick mode are not dropped
> after the IKE/ESP lifetime. Here is my config setup:
>
> conn rw-mobile
>     right=%any
>     compress=yes
>     leftcert=osw-cert.pem
>     leftupdown=/etc/ipsec.d/updown/_updown.strongswan.X11
>     keylife=80m
>     ikelifetime=8h
>     rekey=no
>     keyingtries=1
>     leftid=fsw...@aive.it
>     ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha384-ecp384
>     esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha256-ecp384
>
> conn mobile
>     also=rw-mobile
>     auto=add
>     leftsubnet=10.180.0.0/16
>     rightsubnet=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
>     left=82.184.99.254
>
> And here is an example of ipsec statusall output:
>
> mobile[393]: ESTABLISHED 3 days ago, 82.184.99.254[CN=Gateway]...195.46.216.198[CN=Jessica]
> mobile[393]: IKEv1 SPIs: 15ae977b997e4475_i 3e72597006e642fe_r*, rekeying disabled
> mobile[393]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
> mobile{298}:  INSTALLED, TUNNEL, reqid 260, ESP in UDP SPIs: c5a4f249_i a21eed36_o
> mobile{298}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 20978 bytes_i (365 pkts, 268111s ago), 417068 bytes_o (373 pkts, 268111s ago), rekeying disabled
> mobile{298}:   10.180.0.0/16 === 10.247.200.180/32
>
> As you can see this IKE/ESP SA is not dropped after more
> than 74 hours.
> The mobile user is defunct but strongswan will not remove
> that IKE/ESP SA until the user reconnects.
>
> Is this the expected behaviour?


Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-09 Thread Giuseppe De Marco
Hi RA,
Yes you can; I use NT-Password instead.
I got this working with LDAP and FreeRADIUS

2018-01-09 14:07 GMT+01:00 RA :

> Hi.
>
> I have been able to follow the guides and tutorials online and
> successfully set up a Strongswan IKEv2 server which authenticates with a
> Freeradius server with MySQL back-end. Everywhere I saw instructions like
> these only:
>
> INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('test',
> 'Cleartext-Password', ':=', 'pass123');
>
> Now this works just fine but I don't want to store plain text passwords in
> the database and would prefer the "VALUE" column to be hashed in some way. But
> being new to this, I just don't know how, and would be really glad if someone
> can provide pointers. Not sure whether it's even possible or not.
>
> Thanks in advance.
>
> Regards.
> Ron
>


Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-10 Thread Giuseppe De Marco
It depends on your configuration.
You have to enable eap-radius as well

2018-01-10 4:39 GMT+01:00 RA :

> Hi.
>
> Thanks for your reply. 'NT-Password' isn't working with Strongswan, though
> radtest is checking it just fine:
>
>
> # smbencrypt mypass
> LM Hash                           NT Hash
> 92315C8B485693A7AAD3B435B51404EE  E0C32CDA6F6ECC163F442D002BBA3DAF
>
>
> # INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('mylogin',
> 'NT-Password', ':=', 'E0C32CDA6F6ECC163F442D002BBA3DAF');
>
>
> # radtest mylogin mypass my.radius.server 10 mysecret
> Sending Access-Request of id 237 to x.x.x.x port 1812
> User-Name = "mylogin"
> User-Password = "mypass"
> NAS-IP-Address = x.x.x.x
> NAS-Port = 10
> Message-Authenticator = 0x
> rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=237,
> length=20
>
> Do I need to make any changes on the radius or Strongswan side to make
> them work with NT-Password?
>
> Thanks & Regards,
> Ron
>
>
> - Original message -
> From: Giuseppe De Marco 
> To: RA 
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords:
> Possible?
> Date: Tue, 9 Jan 2018 15:46:04 +0100
>
> Hi RA,
> Yes you can; I use NT-Password instead.
> I got this working with LDAP and FreeRADIUS
>
> 2018-01-09 14:07 GMT+01:00 RA :
>
> Hi.
>
> I have been able to follow the guides and tutorials online and
> successfully set up a Strongswan IKEv2 server which authenticates with a
> Freeradius server with MySQL back-end. Everywhere I saw instructions like
> these only:
>
> INSERT INTO radcheck (username, attribute, op, VALUE) VALUES ('test',
> 'Cleartext-Password', ':=', 'pass123');
>
> Now this works just fine but I don't want to store plain text passwords in
> the database and would prefer the "VALUE" column to be hashed in some way. But
> being new to this, I just don't know how, and would be really glad if someone
> can provide pointers. Not sure whether it's even possible or not.
>
> Thanks in advance.
>
> Regards.
> Ron
>
>
>


[strongSwan] Fwd: Windows native VPN client routing problem

2018-01-11 Thread Giuseppe De Marco
The default gateway route's metric in Windows can be changed at runtime.
If you want to fix the default gateway from the VPN in Windows 10 just go to
the properties of the VPN network interface, Networking, IPv4 -> Properties,
Advanced, Use default gateway, then apply :)

https://goo.gl/Zj5ktL

2018-01-11 9:35 GMT+01:00 Marian Kechlibar 
:

> Hi all,
>
> this is a description of a problem that I spent the better part of
> yesterday struggling with. I am sending a description of the problem and
> the solution for anyone who might be interested.
>
> I also have the feeling that this might be suited for the StrongSwan
> Wiki. Please let me know whether I should add it there.
>
> So.
>
> The symptoms
> 
> Server: strongswan 5.5.3 on CentOS 7.
> Client: native Windows VPN client, Windows 7 or Windows 10.
>
> Upon connection, the client ignores the traffic selectors sent by the
> server. A "print route" command will reveal that they were not added to
> the routing table. But non-Windows clients (Linux, Android) are routing
> well, so the server is probably correctly set up.
>
> Setting log level of charon to 2 will reveal that the traffic selectors
> are indeed sent correctly.
>
> The cause
>
> Windows native VPN client ignores the traffic selectors unless your
> client IP address is from the same range. So if you get, say,
> 10.105.107.31 and your local_ts is 10.105.107.0/24, your routing will be
> OK, but if your local_ts is 172.17.1.0/24, it will not.
>
> Whether this is a bug or a weird feature, I do not know. That is how
> things go with Microsoft.
>
> The solution
> 
> AFAIK there is no way to force the native client into acknowledging
> the traffic selectors sent by the server.
>
> All workarounds require Administrator privileges on the client Windows
> installation, at least for a few minutes.
>
> If your traffic selectors are dynamic, you are better off with another,
> non-native Windows client.
>
> If your traffic selectors are static, you can set up permanent routes on
> your system from Administrator's command line like this.
>
> First, you need to know the interface number of your VPN. Connect the
> VPN (even though the routing is bad) and run "route print". At the
> beginning of the output, a list of all the interfaces is given. Each line
> represents one interface and begins with the number of the interface. In my
> case, the VPN usually has something like 30.
>
> Disconnect the VPN and run the following command from your
> Administrator's command line:
>
> route -P add (range) mask (mask) (gateway) IF (interface number)
>
> This will create a permanent route tied to your VPN. After that, a
> regular Windows user will be able to connect the VPN with correct routing.
>
> On Windows 10, there is another solution using a PowerShell script. In
> case of interest, I can describe it as well.
>
> Best regards
>
> Marian Kechlibar
> Prague, CZ
>


Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Giuseppe De Marco
You can even use charon-cmd this way:

charon-cmd --host SERVER_HOSTNAME --profile ikev2-eap --identity LOGIN --cert /PATH/TO/ca.crt

Using a valid CA lets Windows 10 and macOS clients run without ca.crt; with
GNU/Linux we have to have ca.crt instead

2018-01-11 13:17 GMT+01:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then
> run `ipsec stroke rereadcacerts` and then retry.
> If that does not help, check the logs of iOS. You can get access to them
> via Apple's SDK.
>
> On 11.01.2018 13:13, Alex Sharaz wrote:
> > That's what is confusing: it's the QuoVadis root CA, which is one we use
> > on a whole batch of servers, and my OS X machine validates those certs just
> > fine... and I can see them (root and intermediate) in the system root
> > keystore... but certainly if I remove it from the mobileconfig file I don't
> > connect; if I put it in there I do
> > A
> >
> > On 11 January 2018 at 12:01, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> >
> > Hi,
> >
> > You only need to install a root certificate, if the issuer of your
> server certificate or its root certificate are not in the client's
> certificate store.
> > A client needs to be able to verify the server's certificate from
> the root to the server certificate. That includes CRLs and OCSP.
> >
> > That's PKI 101.
> >
> > Kind regards
> >
> > Noel
> >
> > On 10.01.2018 12:44, Alex Sharaz wrote:
> > > Hi,
> > > I've got a .mobileconfig file set up that will allow a macOS/iOS
> > > user to connect to my SSwan VPN server (5.6.1)
> > > In it I have a cert payload defined containing both the
> > > intermediate and root cert of the server certificate. This all works just
> > > fine
> > >
> > > However, our security people are objecting to the fact that I'm
> > > installing a root CA on the client device.
> > >
> > > Server cert has an intermediate cert between it and the root CA
> > >
> > > server config is
> > >
> > > conn it-services-ikev2
> > >   left=%any
> > >   leftauth=pubkey
> > >   leftcert=vpn.york.ac.uk.pem
> > >   leftid=@vpn.york.ac.uk
> > >   leftsendcert=always
> > >   leftsubnet=0.0.0.0/0,::/0
> > >   leftfirewall=yes
> > >   right=%any
> > >   rightauth=eap-radius
> > >   rightsendcert=never
> > >   rightgroups="Cserv"
> > >   eap_identity=%any
> > >   keyexchange=ikev2
> > >   rightsourceip=%itservices
> > >   fragmentation=yes
> > >   auto=add
> > >
> > >
> > > If I remove the root cert from the mobileconfig, the connection fails.
> > > Should I be able to connect without the root CA in the payload?
> > >
> > > Rgds
> > > Alex
> > >
> >
> >
>
>