[strongSwan] Strange things when policy routing is in use.

2022-10-14 Thread Kamil Jońca


I have a problem with ipsec and an openvpn tunnel.
I have to have source-based routing.

Assume we have the configuration below, after the openvpn tunnel (tun0) is up:
#ip route 
--8<---cut here---start->8---
default via 172.20.10.1 dev wlan0 
10.0.0.0/16 via 10.8.17.5 dev tun0
[...some other routes; the important thing is that there are some subnets, not
the whole 0.0.0.0/0 ...]
--8<---cut here---end--->8---

#ip route show table 1000
--8<---cut here---start->8---
0.0.0.0/1 dev tun0 scope link 
128.0.0.0/1 dev tun0 scope link 
--8<---cut here---end--->8---
(I tried not to use a "default" route in this table, but with "default" the result
was the same)

#ip rule show
--8<---cut here---start->8---
0:  from all lookup local
220:from all lookup 220
1000:   from 10.8.17.6 lookup 1000
32766:  from all lookup main
32767:  from all lookup default
--8<---cut here---end--->8---

Then I try to establish an ipsec connection and get an error message like:
--8<---cut here---start->8---
[...]
[IKE] IKE_SA alfa[30] established between 10.8.17.6[]...[]
[IKE] scheduling rekeying in 13679s
[IKE] maximum IKE_SA lifetime 15119s
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[KNL] received netlink error: Network is unreachable (101)
[KNL] unable to install source route for 192.168.200.244
--8<---cut here---end--->8---

and 192.168.200.244 is attached to the tun0 interface instead of wlan0 as I would
expect.

#ip route show table 220
is empty

When I start the ipsec connection before openvpn, everything works.
Everything also works when I stop using rule 1000 and table 1000
(i.e. source-based routing).


Am I doing something wrong?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
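The following is an added example (not part of the mail, not strongSwan code): a small model of the Linux policy-routing lookup, fed with the rules and tables quoted above, so the reader can see which rule and table answers a lookup for a given source and destination. It models only rule priority, the "from" selector and longest-prefix match; it does not model how charon chooses the source address, and the local table is left empty.

```python
"""Model of the Linux policy-routing lookup described in the post.

Added example, not part of the original mail. It replays the rules and
tables shown above (main, 220, 1000; table 220 empty as reported) with
ipaddress arithmetic, so you can see which rule and table answers a given
(source, destination) lookup and why table 1000's 0.0.0.0/1 + 128.0.0.0/1
pair captures every destination for traffic sourced from 10.8.17.6.
The model covers rule priority, the 'from' selector and longest-prefix
match only; it does not model how charon picks the source address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None          # next hop; None for "scope link"


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # None means "from all"


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def fib_lookup(rules, tables, dst, src=None):
    """Walk the rules by priority; the first table that yields a route wins.

    An empty table (like 220 in the post) simply falls through to the next rule.
    """
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and (src is None or src not in rule.src):
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.priority, rule.table, hit
    return None


# Tables and rules transcribed from the post ("ip route", "ip route show table 1000",
# "ip rule show"); only the routes the mail lists are modelled, "local" is left empty.
TABLES = {
    "local": [],
    "220": [],
    "1000": [Route(ipaddress.ip_network("0.0.0.0/1"), "tun0"),
             Route(ipaddress.ip_network("128.0.0.0/1"), "tun0")],
    "main": [Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", "172.20.10.1"),
             Route(ipaddress.ip_network("10.0.0.0/16"), "tun0", "10.8.17.5")],
    "default": [],
}
RULES = [
    Rule(0, "local"),
    Rule(220, "220"),
    Rule(1000, "1000", ipaddress.ip_network("10.8.17.6/32")),
    Rule(32766, "main"),
    Rule(32767, "default"),
]


def egress_dev(dst, src=None, rules=RULES, tables=TABLES):
    """Interface a packet (src -> dst) leaves on under the given rules and tables."""
    hit = fib_lookup(rules, tables, dst, src)
    return hit[2].dev if hit else None


if __name__ == "__main__":
    # Same destination, different source: tun0 via rule 1000 with the VPN address,
    # wlan0 via the main table's default route without it.
    print(egress_dev("192.168.200.244", "10.8.17.6"))   # tun0
    print(egress_dev("192.168.200.244"))                # wlan0
    without_1000 = [r for r in RULES if r.priority != 1000]
    print(egress_dev("192.168.200.244", "10.8.17.6", rules=without_1000))  # wlan0
```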



Re: [strongSwan] iphone-to-strongswan configuration - working example.

2022-06-22 Thread Kamil Jońca
[...]
> When I manually created p12 (private cert) I always got information
> about wrong password - no matter if embedded or entered manually.
> I created "certificate" profile with "Apple Configurator" and use it in
> my profile. For now I do not know what matters: key order? uppercase?
> payload identifier?

For those (is anyone reading me?) who might be interested (maybe an annotation
at https://docs.strongswan.org/docs/5.9/interop/appleIkev2Profile.html ?):

When I created the p12 file with:
--8<---cut here---start->8---
openssl pkcs12 -export  -inkey private/key -in cert -out cert.p12
--8<---cut here---end--->8---
I got a message about "Wrong certificate password" during profile install.

It has to be:
--8<---cut here---start->8---
openssl pkcs12 -export -legacy -inkey private/key -in cert -out cert.p12
--8<---cut here---end--->8---
and then the profile was installed correctly.

KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
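As an added example (not from the mail, not OpenSSL or strongSwan code), here is a check for the difference the `-legacy` flag makes. OpenSSL 3 exports PKCS#12 with PBES2 (PBKDF2 and AES-256-CBC) by default, while `-legacy` uses the PKCS#12 v1 schemes (pbeWithSHA1And3-KeyTripleDES-CBC for the key, pbeWithSHA1And40BitRC2-CBC for the certificates); the walker below lists the encryption OIDs in a DER blob so a .p12 can be checked before it goes into a profile. The two sample inputs are hand-built DER fragments constructed for the demo, not real .p12 files.

```python
"""Tell a legacy (`-legacy`) PKCS#12 export from an OpenSSL 3 default one.

Added example, not part of the original mail. OpenSSL 3 exports PKCS#12 with
PBES2 (PBKDF2 + AES-256-CBC) by default; `-legacy` falls back to the PKCS#12
v1 schemes, pbeWithSHA1And3-KeyTripleDES-CBC for the key bag and
pbeWithSHA1And40BitRC2-CBC for the certificate bag. This walker pulls every
OID out of the DER so you can check a .p12 before pushing a profile. The two
samples at the bottom are hand-built DER fragments with the same
AlgorithmIdentifier shapes, constructed here for the demo; they are not real
.p12 files and hold no key material.
"""
from typing import List, Set, Tuple

LEGACY_PBE = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
}
MODERN_PBE = {
    "1.2.840.113549.1.5.13": "PBES2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Parse one DER TLV at pos -> (tag, constructed?, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, bool(tag & 0x20), buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Dotted form of OBJECT IDENTIFIER content octets (base-128 arcs)."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def collect_oids(buf: bytes, out: List[str]) -> None:
    """Collect every OID, descending into OCTET STRINGs that themselves hold DER
    (PKCS#7 data content wrapping AuthenticatedSafe / SafeContents)."""
    pos = 0
    while pos < len(buf):
        tag, constructed, value, pos = read_tlv(buf, pos)
        if tag == 0x06:
            out.append(decode_oid(value))
        elif constructed:
            collect_oids(value, out)
        elif tag == 0x04 and value[:1] == b"\x30":
            inner: List[str] = []
            try:
                collect_oids(value, inner)
            except (ValueError, IndexError):
                continue                    # ciphertext that merely starts with 0x30
            out.extend(inner)


def pbe_schemes(der: bytes) -> Set[str]:
    """Names of the password-based encryption schemes referenced in the blob."""
    oids: List[str] = []
    collect_oids(der, oids)
    known = {**LEGACY_PBE, **MODERN_PBE}
    return {known[o] for o in oids if o in known}


def is_legacy_only(der: bytes) -> bool:
    """True when only PKCS#12 v1 PBE schemes appear (what `-export -legacy` produces)."""
    names = pbe_schemes(der)
    return bool(names) and names <= set(LEGACY_PBE.values())


# --- constructed samples (shapes only, no real key material) ------------------
def _der(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128               # short-form lengths are enough here
    return bytes([tag, len(payload)]) + payload


def _alg(oid_hex: str, params: bytes = b"\x05\x00") -> bytes:
    return _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + params)   # AlgorithmIdentifier


OID_3DES, OID_RC2 = "2a864886f70d010c0103", "2a864886f70d010c0106"
OID_PBES2, OID_AES256 = "2a864886f70d01050d", "60864801650304012a"

# -legacy style: key bag under 3DES PBE (salt + iteration count), certificate
# SafeContents under RC2-40 PBE, the latter wrapped in an OCTET STRING as PKCS#7 data.
LEGACY_SAMPLE = _der(0x30, _alg(OID_3DES, _der(0x30, _der(0x04, bytes(8)) + _der(0x02, b"\x08\x00")))
                     + _der(0x04, _der(0x30, _alg(OID_RC2))))
# OpenSSL 3 default style: PBES2 whose parameters name AES-256-CBC with a 16-byte IV.
MODERN_SAMPLE = _der(0x30, _alg(OID_PBES2, _der(0x30, _alg(OID_AES256, _der(0x04, bytes(16))))))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `pbe_schemes`.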



Re: [strongSwan] iphone-to-strongswan configuration - working example.

2022-06-20 Thread Kamil Jońca
Kamil Jońca writes:

> Hello.
> I tried to use my old iphone with strongswan.
> I created profile [1]
> installed on iphone and tried to connect:
> But on I phone I got "User Authentication failed" and I do not how to
> debug this. Any hints?
>
Sorry for bothering you; it seems that:

--8<---cut here---start->8---
ServerCertificateIssuerCommonName
..
--8<---cut here---end--->8---

is REALLY important. Now my configuration works.


KJ
[1] - I missed this in the previous mail.
When I manually created the p12 (private cert) I always got a message
about a wrong password, no matter whether it was embedded or entered manually.
I created a "certificate" profile with "Apple Configurator" and used it in
my profile. For now I do not know what matters: key order? uppercase?
payload identifier?

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html



[strongSwan] iphone-to-strongswan configuration - working example.

2022-06-20 Thread Kamil Jońca


Hello.
I tried to use my old iPhone with strongswan.
I created a profile [1], installed it on the iPhone and tried to connect,
but on the iPhone I got "User Authentication failed" and I do not know how to
debug this. Any hints?


From the strongswan side everything seems to be ok.

2022-06-21T06:19:06.545474+02:00 alfa charon-systemd: 12[NET] received packet: from 5.172.255.70[4651] to 192.168.22.200[500] (432 bytes)
2022-06-21T06:19:06.546008+02:00 alfa charon-systemd: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2022-06-21T06:19:06.546483+02:00 alfa charon-systemd: 12[IKE] 5.172.255.70 is initiating an IKE_SA
2022-06-21T06:19:06.546818+02:00 alfa charon-systemd: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2022-06-21T06:19:06.552315+02:00 alfa charon-systemd: 12[IKE] local host is behind NAT, sending keep alives
2022-06-21T06:19:06.552676+02:00 alfa charon-systemd: 12[IKE] remote host is behind NAT
2022-06-21T06:19:06.562881+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
2022-06-21T06:19:06.563275+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-client-ca"
2022-06-21T06:19:06.563724+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-ca"
2022-06-21T06:19:06.564174+02:00 alfa charon-systemd: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-06-21T06:19:06.564382+02:00 alfa charon-systemd: 12[NET] sending packet: from 192.168.22.200[500] to 5.172.255.70[4651] (521 bytes)
2022-06-21T06:19:06.825283+02:00 alfa charon-systemd: 11[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.825839+02:00 alfa charon-systemd: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/7) ]
2022-06-21T06:19:06.826287+02:00 alfa charon-systemd: 11[ENC] received fragment #1 of 7, waiting for complete IKE message
2022-06-21T06:19:06.826730+02:00 alfa charon-systemd: 13[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.827181+02:00 alfa charon-systemd: 13[ENC] parsed IKE_AUTH request 1 [ EF(2/7) ]
2022-06-21T06:19:06.827660+02:00 alfa charon-systemd: 13[ENC] received fragment #2 of 7, waiting for complete IKE message
2022-06-21T06:19:06.828198+02:00 alfa charon-systemd: 14[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.828666+02:00 alfa charon-systemd: 14[ENC] parsed IKE_AUTH request 1 [ EF(3/7) ]
2022-06-21T06:19:06.829262+02:00 alfa charon-systemd: 14[ENC] received fragment #3 of 7, waiting for complete IKE message
2022-06-21T06:19:06.829817+02:00 alfa charon-systemd: 09[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.830394+02:00 alfa charon-systemd: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/7) ]
2022-06-21T06:19:06.831010+02:00 alfa charon-systemd: 09[ENC] received fragment #4 of 7, waiting for complete IKE message
2022-06-21T06:19:06.831574+02:00 alfa charon-systemd: 07[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.832188+02:00 alfa charon-systemd: 07[ENC] parsed IKE_AUTH request 1 [ EF(5/7) ]
2022-06-21T06:19:06.832697+02:00 alfa charon-systemd: 07[ENC] received fragment #5 of 7, waiting for complete IKE message
2022-06-21T06:19:06.833227+02:00 alfa charon-systemd: 05[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.833731+02:00 alfa charon-systemd: 05[ENC] parsed IKE_AUTH request 1 [ EF(6/7) ]
2022-06-21T06:19:06.834266+02:00 alfa charon-systemd: 05[ENC] received fragment #6 of 7, waiting for complete IKE message
2022-06-21T06:19:06.834804+02:00 alfa charon-systemd: 06[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (148 bytes)
2022-06-21T06:19:06.835059+02:00 alfa charon-systemd: 06[ENC] parsed IKE_AUTH request 1 [ EF(7/7) ]
2022-06-21T06:19:06.835318+02:00 alfa charon-systemd: 06[ENC] received fragment #7 of 7, reassembled fragmented IKE message (2912 bytes)
2022-06-21T06:19:06.835581+02:00 alfa charon-systemd: 06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2022-06-21T06:19:06.835861+02:00 alfa charon-systemd: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2022-06-21T06:19:06.836124+02:00 alfa charon-systemd: 06[IKE] received end entity cert "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.836370+02:00 alfa charon-systemd: 06[CFG] looking for peer configs matching 192.168

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Kamil Jońca
Tobias Brunner  writes:

>> only something like (I have had no debug):
>> 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP 
>> DISCOVER to 192.168.200.200
>> 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP 
>> OFFER %any from 192.168.200.200
>> 2018-10-14T19:27:57.324271+02:00 alfa charon-systemd: 13[IKE] peer requested 
>> virtual IP %any
>> 2018-10-14T19:27:57.324465+02:00 alfa charon-systemd: 13[CFG] sending DHCP 
>> DISCOVER to 192.168.200.200
>> 2018-10-14T19:27:57.324653+02:00 alfa charon-systemd: 06[CFG] received DHCP 
>> OFFER %any from 192.168.200.200
>> 2018-10-14T19:27:57.325632+02:00 alfa charon-systemd[6721]: sending DHCP 
>> REQUEST for %any to 192.168.200.200
>> 2018-10-14T19:27:57.325731+02:00 alfa charon-systemd: 13[CFG] sending DHCP 
>> REQUEST for %any to 192.168.200.200
>> 2018-10-14T19:27:57.325846+02:00 alfa charon-systemd[6721]: sending DHCP 
>> REQUEST for %any to 192.168.200.200
>> 2018-10-14T19:27:57.326035+02:00 alfa charon-systemd: 13[CFG] sending DHCP 
>> REQUEST for %any to 192.168.200.200
>> 2018-10-14T19:27:57.332313+02:00 alfa charon-systemd[6721]: received DHCP 
>> ACK for %any
>> 2018-10-14T19:27:57.334059+02:00 alfa charon-systemd: 12[CFG] received DHCP 
>> ACK for %any
>
> Where do you see a loop here?  (The duplicate messages are due to your

In the freeradius logs :), there are repeating dhcp-request/dhcp-ack pairs.

This is the situation where the relay agent and the dhcp server use the same
address and the reply from the dhcp server (freeradius) is sent to port 67
instead of 68. So I am not sure whether strongswan repeatedly asks for an
address (but does not log it) or not. It is possible that something "echoes"
the original strongswan request infinitely. As I said: I do not know where
the problem is.



[...]
>
>> So I can safely keep my freeradius config?
>
> What doubts do you have?

If it is 'good practice'™ :)

KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
Hmmm ... an arrogant bouquet with a subtle suggestion of POLYVINYL
CHLORIDE ...


Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Kamil Jońca
Tobias Brunner  writes:

> Hi Kamil,
>
>> and received dhcp-ack.
>> And ... again send dhcp-request, received dhcp-ack, and we end with
>> infinite loop.
>
> Do you have the strongSwan log that goes with this?  And what strongSwan
> and FreeRADIUS versions are you using?

Only something like this (I had no debug):
2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.324271+02:00 alfa charon-systemd: 13[IKE] peer requested virtual IP %any
2018-10-14T19:27:57.324465+02:00 alfa charon-systemd: 13[CFG] sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.324653+02:00 alfa charon-systemd: 06[CFG] received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.325632+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325731+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325846+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.326035+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.332313+02:00 alfa charon-systemd[6721]: received DHCP ACK for %any
2018-10-14T19:27:57.334059+02:00 alfa charon-systemd: 12[CFG] received DHCP ACK for %any

strongswan and freeradius packaged by Debian:

strongswan:
Version: 5.7.1-1

freeradius:
Version: 3.0.16+dfsg-4.1+b1

>
>> Now I (temporarily) configure dhcp server not to send offer for unknown
>> client but I am not sure if it is proper solution.
>
> It should probably either offer a valid address or not send an offer
> at all.
>
>> 1. what should do dhcp server when receives dhcp-discover via  gateway,
  relay agent ^^^  
>> when there is no proposals? should it send any answer?
>
> No, why should it send an offer if it has no addresses to offer?
I was afraid I had overlooked something when reading the DHCP spec. (And there is
a DHCP message that informs the relay that this server cannot serve the request.)

So I can safely keep my freeradius config?

KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Life is a healthy respect for mother nature laced with greed.


[strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Kamil Jońca


Disclaimer: I do not know whether it is a bug or a feature, or what should be
changed: freeradius or the dhcp plugin.

I have configured the dhcp plugin:

--8<---cut here---start->8---
dhcp {
force_server_address = yes
identity_lease = yes
interface = eth0
load = yes
server=192.168.200.200
}
--8<---cut here---end--->8---

freeradius acts as the DHCP server.
Addresses are statically assigned.
A strange thing happens when the plugin asks for an unknown MAC: freeradius sends
this message:

Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Relay-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Message-Type = DHCP-Offer
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Domain-Name-Server = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Subnet-Mask = 255.255.255.0
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Router-Address = 192.168.200.218
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-IP-Address-Lease-Time = 86400
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-DHCP-Server-Identifier = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Domain-Name = "kjonca"
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Server-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Time-Server = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Opcode = Server-Message
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Hardware-Type = Ethernet
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Hardware-Address-Length = 6
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Hop-Count = 0
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Transaction-Id = 1809418123
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Flags = 0
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Client-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Gateway-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35)   DHCP-Client-Hardware-Address = 7a:a7:86:29:f1:72

So the dhcp server offers 0.0.0.0 as the address, and the dhcp plugin requests
this address:
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Opcode = Client-Message
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Hardware-Type = Ethernet
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Hardware-Address-Length = 6
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Hop-Count = 0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Transaction-Id = 1809418123
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Number-of-Seconds = 0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Flags = 0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Client-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Your-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Server-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Gateway-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Client-Hardware-Address = 7a:a7:86:29:f1:72
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Message-Type = DHCP-Request
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Hostname = "sikorka.kjonca"
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Client-Identifier = 0x73696b6f726b612e6b6a6f6e6361
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Requested-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-DHCP-Server-Identifier = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
Sun Oct 14 19:27:57 2018 : Debug: (41)   DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers

and receives a dhcp-ack.
And ... again it sends a dhcp-request, receives a dhcp-ack, and we end up with
an infinite loop.

Now I have (temporarily) configured the dhcp server not to send an offer for
unknown clients, but I am not sure whether it is the proper solution.

1. What should the dhcp server do when it receives a dhcp-discover via a gateway,
when there are no proposals? Should it send any answer?
2. What should the dhcp plugin do when it receives a dhcp-offer with an address
like 0.0.0.0?

KJ




-- 
http://wolnelektury.pl/wesprzyj/teraz/
Work expands to fill the time available.
-- Cyril Northcote Parkinson, "The Economist", 1955
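As an added example (not from the thread, not strongSwan's dhcp plugin code), the following decodes a DHCP message and applies the check the second question is about: an OFFER whose yiaddr is 0.0.0.0 is rejected instead of being answered with a REQUEST for 0.0.0.0. The packets it runs on are constructed here from the values in the freeradius debug output above (xid, chaddr, giaddr, server identifier); the 192.168.200.77 lease in the "good" packet is invented for the demo.

```python
"""Parse a DHCP message and refuse an OFFER that carries no usable address.

Added example, not part of the original mail. It decodes the fixed BOOTP
header and the option list (RFC 2131/2132 layout) and then applies the check
the post's second question is about: an OFFER whose yiaddr is 0.0.0.0 must
not be answered with a REQUEST for 0.0.0.0. The packets below are constructed
here from the values in the freeradius debug output (xid, chaddr, giaddr,
server identifier); the 192.168.200.77 lease in GOOD_OFFER is invented.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

MAGIC = b"\x63\x82\x53\x63"          # DHCP option magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY = 2                        # BOOTP op for server -> client
OFFER = 2                            # DHCP message type (option 53)


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: str
    options: Dict[int, bytes] = field(default_factory=dict)

    @property
    def msg_type(self) -> Optional[int]:
        t = self.options.get(OPT_MSG_TYPE)
        return t[0] if t else None


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr, siaddr, giaddr = pkt[16:20], pkt[20:24], pkt[24:28]
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    options: Dict[int, bytes] = {}
    pos = 240
    while pos < len(pkt):
        code = pkt[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        length = pkt[pos + 1]
        options[code] = pkt[pos + 2:pos + 2 + length]
        pos += 2 + length
    return DhcpMessage(op, xid, _ip(yiaddr), _ip(siaddr), _ip(giaddr), chaddr, options)


def offer_is_usable(msg: DhcpMessage, expected_xid: int) -> bool:
    """What a relay-side client should verify before it sends DHCPREQUEST."""
    return (msg.op == BOOTREPLY
            and msg.msg_type == OFFER
            and msg.xid == expected_xid
            and msg.yiaddr != "0.0.0.0"
            and OPT_SERVER_ID in msg.options)


def build_dhcp(op: int, xid: int, yiaddr: str, giaddr: str, chaddr: str,
               options: Dict[int, bytes]) -> bytes:
    """Assemble a minimal DHCP packet (used here only to construct test input)."""
    hw = bytes.fromhex(chaddr.replace(":", ""))
    head = struct.pack("!BBBBIHH", op, 1, len(hw), 0, xid, 0, 0)
    head += bytes(4) + _ip_bytes(yiaddr) + bytes(4) + _ip_bytes(giaddr)  # ciaddr yiaddr siaddr giaddr
    head += hw.ljust(16, b"\0") + bytes(64) + bytes(128) + MAGIC          # chaddr sname file cookie
    opts = b"".join(bytes([c, len(v)]) + v for c, v in options.items()) + bytes([OPT_END])
    return head + opts


SERVER = bytes([192, 168, 200, 200])
COMMON = {OPT_MSG_TYPE: bytes([OFFER]), OPT_SERVER_ID: SERVER}
# OFFER as the post describes it: yiaddr 0.0.0.0, relayed through 192.168.200.200.
BAD_OFFER = build_dhcp(BOOTREPLY, 1809418123, "0.0.0.0", "192.168.200.200",
                       "7a:a7:86:29:f1:72", COMMON)
# Same exchange with a real lease in yiaddr (address constructed for the demo).
GOOD_OFFER = build_dhcp(BOOTREPLY, 1809418123, "192.168.200.77", "192.168.200.200",
                        "7a:a7:86:29:f1:72", COMMON)

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_OFFER), ("good", GOOD_OFFER)):
        m = parse_dhcp(pkt)
        print(name, m.yiaddr, "usable" if offer_is_usable(m, 1809418123) else "reject")
```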


Re: [strongSwan] strongswan 5.6.3 and addresses from dhcp

2018-07-14 Thread Kamil Jońca
Tobias Brunner  writes:

> Hi Kamil,
[..]
>
> Please see the thread at [1].
>
> Regards,
> Tobias
>
> [1] https://lists.strongswan.org/pipermail//dev/2018-June/001918.html
>

It looks like the freeradius folks do not agree with your arguments [1].

I am not sure who is right, but recently my configuration (strongswan
takes the address from dhcp, served by freeradius-dhcp) stopped working :(

And I have no idea how to assign static addresses to road warriors
without copying whole configs.

KJ
[1] http://lists.freeradius.org/pipermail/freeradius-users/2018-July/092170.html
-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Most people in this society who aren't actively mad are, at best,
reformed or potential lunatics.
-- Susan Sontag


Re: [strongSwan] strongswan 5.6.3 and addresses from dhcp

2018-07-13 Thread Kamil Jońca
Tobias Brunner  writes:

> Hi Kamil,
>
>> I have pool of addresses taken from dhcp server.
>> This server is running at the same machine as strongswan.
>> my dhcp plugin configuration.
>> 
>> --8<---cut here---start->8---
>> dhcp {
>>   force_server_address = no
>>  identity_lease = yes
>>  load = yes
>> server=192.168.200.200
>> }
>> --8<---cut here---end--->8---
>> 
>> and this configuration worked for a long time.
>> Recently I upgraded to 5.6.3 and it stops working.
>> Logs shows that strongswan does not get dhcp responses. How should I
>> configured strongswan to work?
>
> Please see the thread at [1].
>
> Regards,
> Tobias
>
> [1] https://lists.strongswan.org/pipermail//dev/2018-June/001918.html
>

Well. Unfortunately I cannot make this configuration work reliably (with
freeradius as the dhcp server).
What is the best option to statically assign IPs?
radius?

KJ
-- 
http://wolnelektury.pl/wesprzyj/teraz/
A man's best friend is his dogma.


[strongSwan] strange iptables behavior

2018-07-03 Thread Kamil Jońca


In my updown script I have these rules:

(1) iptables -I INPUT -i ${PLUTO_INTERFACE} -s ${PLUTO_PEER} -d ${PLUTO_ME} -m policy --strict --dir in --pol ipsec --reqid $PLUTO_REQID -j ACCEPT
(2) iptables -I INPUT -i ${PLUTO_INTERFACE} -s ${PLUTO_PEER_CLIENT} -d ${PLUTO_MY_CLIENT} -m policy --strict --pol ipsec --dir in --mode tunnel --tunnel-dst ${PLUTO_ME} --next --mode tunnel --tunnel-src ${PLUTO_PEER} -j ACCEPT

The first rule works as expected, but the second does not match any packet and
there is no traffic.

The strange thing is: if I set the second rule manually later, packets match
and traffic goes on.
WTF?
KJ



-- 
http://wolnelektury.pl/wesprzyj/teraz/
grep me no patterns and I'll tell you no lines.


[strongSwan] strongswan 5.6.3 and addresses from dhcp

2018-06-18 Thread Kamil Jońca


I have a pool of addresses taken from a dhcp server.
This server is running on the same machine as strongswan.
My dhcp plugin configuration:

--8<---cut here---start->8---
dhcp {
    force_server_address = no
    identity_lease = yes
    load = yes
    server = 192.168.200.200
}
--8<---cut here---end--->8---

This configuration worked for a long time.
Recently I upgraded to 5.6.3 and it stopped working.
Logs show that strongswan does not get dhcp responses. How should I
configure strongswan to make it work?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
It's very inconvenient to be mortal -- you never know when everything may
suddenly stop happening.


Re: [strongSwan] Setting routes via dhcp option for win10 clients

2018-01-12 Thread Kamil Jońca
Roger Skjetlein writes:

> Hi,
>
> noticed in the documentation that it is possible to set routes on the win10 
> clients via dhcp options. This seems like a awesome feature and we could 
> avoid pushing static configs to the users.
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Split-routing-on-Windows-10-and-Windows-10-Mobile

Firstly, how I understand it:
when Windows sets up an interface (any interface) it can use DHCP.
Windows does this by sending DHCP-Request or DHCP-Inform messages, and
it works this way when I configure physical interfaces.
(End of "how I understand it".)
But I cannot force Windows to send DHCP-Inform messages over the ipsec
interface. (I cannot see any queries when debugging the DHCP server.)
I googled a lot, but without success.
KJ


-- 
http://wolnelektury.pl/wesprzyj/teraz/
Disc space -- the final frontier!


Re: [strongSwan] Fwd: Windows native VPN client routing problem

2018-01-11 Thread Kamil Jońca
Giuseppe De Marco writes:

> def gw Route's metric in Windows can be changed runtime.
> If you want to fix the def gw from vpn in windows 10 just go in NIC propriety 
> of the vpn network interface, network, ipv4 -> Propriety, Advanced, Use 
> default gateway, then apply :)
>


But sometimes I want to route ONLY a subnetwork (e.g. work) via the vpn and
leave the default route unchanged. And I did not find any other resolution than the OP's.
KJ


-- 
http://wolnelektury.pl/wesprzyj/teraz/
New Hampshire law forbids you to tap your feet, nod your head, or in
any way keep time to the music in a tavern, restaurant, or cafe.


Re: [strongSwan] swanctt + dhcp + dns

2017-12-20 Thread Kamil Jońca

(sorry for the premature send)

kjonca-h7QdYz1kt/q...@public.gmane.org (Kamil Jońca) writes:

> Noel Kuntze
> 
> writes:
>
>> 1. Did you test it?
> Yes.
>> 2. I wrote before that you can not pass the assigned DNS server you
>> get via DHCP.
> Yes, I mixed-up two things, and was innacurate. My fault, sorry.
>
>
>> You can use a pool though to pass it as an
>> attribute. Read the manual for swanctl.conf. The syntax is mentioned
>> there.

Finally I think I found the problem.

Basically I want to have a configuration like

https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/index.html

and as we can see in this test case DNS servers are passed to the client and
installed via resolvconf.

But in my configuration I have the "resolve" plugin turned off and make
the DNS changes with an updown script.

But with the swanctl config the DNS environment variables (PLUTO_DNS4_1) are not
passed to the updown script :( and this caused the problem in my configuration.

Are these variables removed intentionally in swanctl?
KJ



-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
No yak too dirty; no dumpster too hollow.


Re: [strongSwan] swanctt + dhcp + dns

2017-12-19 Thread Kamil Jońca

(sorry for the premature send, and then sending from a different address)

kjonca-h7QdYz1kt/q...@public.gmane.org (Kamil Jońca) writes:

> Noel Kuntze
> 
> writes:
>
>> 1. Did you test it?
> Yes.
>> 2. I wrote before that you can not pass the assigned DNS server you
>> get via DHCP.
> Yes, I mixed-up two things, and was innacurate. My fault, sorry.
>
>
>> You can use a pool though to pass it as an
>> attribute. Read the manual for swanctl.conf. The syntax is mentioned
>> there.

Finally I think I found the problem.

Basically I want to have a configuration like

https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/index.html

and as we can see in this test case DNS servers are passed to the client and
installed via resolvconf.

But in my configuration I have the "resolve" plugin turned off and make
the DNS changes with an updown script.

But with the swanctl config the DNS environment variables (PLUTO_DNS4_1) are not
passed to the updown script :( and this caused the problem in my configuration.

Are these variables removed intentionally in swanctl?
KJ



-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
No yak too dirty; no dumpster too hollow.


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
kjonca-h7QdYz1kt/q...@public.gmane.org (Kamil Jońca) writes:

> Noel Kuntze
> 
> writes:
>
>> 1. Did you test it?
> Yes.
>> 2. I wrote before that you can not pass the assigned DNS server you
>> get via DHCP.
> Yes, I mixed-up two things, and was innacurate. My fault, sorry.
>
>
>> You can use a pool though to pass it as an
>> attribute. Read the manual for swanctl.conf. The syntax is mentioned
>> there.

Finally I think I found the problem.

Basically I want to have configuration like
https://www.strongswan.org/testing/testresults/swanctl/dhcp
-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
If you didn't get caught, did you really do it?


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
Noel Kuntze writes:

> 1. Did you test it?
Yes.
> 2. I wrote before that you can not pass the assigned DNS server you
> get via DHCP.
Yes, I mixed up two things and was inaccurate. My fault, sorry.


> You can use a pool though to pass it as an
> attribute. Read the manual for swanctl.conf. The syntax is mentioned
> there.

But how do I define such a pool?

Below is my config:
server:
--8<---cut here---start->8---
secrets {
    [...]
}
connections {
    rw {
        local_addrs = 192.168.200.200
        pools = dhcp,a
        local {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            certs = alfa.kjonca.5.pem
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = x"
        }
        remote {
            auth = pubkey
        }
        children {
            net-alfa-server {
                local_ts = 192.168.200.200/24
                ipcomp = yes
            }
        }
    }
}
authorities {
    [...]
}

pools {
    a {
        addrs = 192.168.200.0/24
        dns = 192.168.200.200
    }
}
--8<---cut here---end--->8---
client:
--8<---cut here---start->8---
connections {
    alfa {
        vips = 0.0.0.0
        remote_addrs = circinus.ddns.net
        local {
            auth = pubkey
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            certs = bambus.kjonca.pem
        }
        remote {
            cacerts = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
            auth = pubkey
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = "
        }
        children {
            net-alfa-server {
                remote_ts = 0.0.0.0/0
                updown = /home/kjonca/wd/ipsec/test.sh iptables
                ipcomp = yes
            }
        }
    }
}
--8<---cut here---end--->8---

But with this config the remote address is taken from pool "a", not from
dhcp as expected.
Moreover it looks like the dns is not passed to the client (I cannot see
PLUTO_DNS4_1 in the script on the client side).

What am I doing wrong?

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
I've been on a diet for two weeks and all I've lost is two weeks.
-- Totie Fields


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
Noel Kuntze writes:

> 1. Never did that with swanctl. You have to play around with the pools or dig 
> around. Maybe it's as simple as "connections..pools = dhcp" or 
> "connections..pools = %dhcp". Maybe it's not.

Well, this can be done simply by
pools = dhcp
and alone it is not a problem, but ...

> 2. You can't.

So there is no equivalent of

"rightdns=192.168.200.200"

in swanctl, and the only way to send a DNS server is to return to the old
starter-based approach?

Am I wrong?
KJ


> On 18.12.2017 15:21, Kamil Jońca wrote:
>> Noel Kuntze
>> 
>> writes:
>>
>>> Use a pool. Look at the UsableExamples[1] page.
>>> You can't pass dns servers from DHCP at all. It has nothing to do with
>>> the configuration backend you're using.
>> I was not too clear probably.
>>
>> I want to do with swanctl:
>> 1. have client addres taken from dhcp
>> 2. somehow configure dns to pass (how? )
>>
>> ie. how to translate from old config:
>>
>>
>> conn xxx
>> left=192.168.200.200
>> leftsubnet=192.168.200.0/24
>> leftid=xxx
>> leftca=yyy
>> leftcert=
>> rightdns=192.168.200.200
>> right=%any
>> compress=yes
>> rightsourceip=%dhcp
>>
>>
>>
>> KJ
>>
>

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Mencken and Nathan's Fifteenth Law of The Average American:
The worst actress in the company is always the manager's wife.


Re: [strongSwan] swanctt + dhcp + dns

2017-12-18 Thread Kamil Jońca
Noel Kuntze writes:

> Use a pool. Look at the UsableExamples[1] page.
> You can't pass dns servers from DHCP at all. It has nothing to do with
> the configuration backend you're using.

I was probably not too clear.

I want to do this with swanctl:
1. have the client address taken from dhcp
2. somehow configure dns to be passed (how?)

i.e. how to translate from the old config:


conn xxx
    left=192.168.200.200
    leftsubnet=192.168.200.0/24
    leftid=xxx
    leftca=yyy
    leftcert=
    rightdns=192.168.200.200
    right=%any
    compress=yes
    rightsourceip=%dhcp



KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
One can never consent to creep when one feels an impulse to soar.
-- Helen Keller


[strongSwan] swanctt + dhcp + dns

2017-12-16 Thread Kamil Jońca

I am testing migration from the starter config to the swanctl config, and have
an issue that I cannot resolve.

My config below:
--8<---cut here---start->8---
secrets {
    private {
        file =
        secret = []
    }
}
connections {
    rw {
        local_addrs = 192.168.200.200
        pools = dhcp
        local {
            auth = pubkey
            cacerts = [...]
            certs = [...]
            id = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = xx"
        }
        remote {
            auth = pubkey
        }
        children {
            net-alfa-server {
                local_ts = 192.168.200.200/24
                ipcomp = yes
            }
        }
    }
}
authorities {
    kaczka {
        crl_uris = file:///etc/swanctl/x509crl/kaczka.pem
        cacert = /etc/swanctl/x509ca/ipsec--kaczka--ca.pem
    }
}
--8<---cut here---end--->8---

1. How can I pass a dns server to the client with this config?
2. Is it possible to take the DNS server from dhcp (and other possible
options too)?


KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
There's no time like the pleasant.


Re: [strongSwan] strongswan on kernel 4.14

2017-12-16 Thread Kamil Jońca
"Tom Rymes" writes:

> Kamil,
>
> The IPFire project is working with an upgraded 4.14 kernel in testing and 
> noticed that IPSec traffic does not flow if compression is enabled. Disabling 
> compression restores normal operation.
>
Thanks for pointing out a direction.

> I don't know what causes it, but you might try disabling compression and see 
> if that solves your problem.
>

Hm. I think I'll still be using 4.13.
KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
All men are mortal.  Socrates was mortal.  Therefore, all men are Socrates.
-- Woody Allen


[strongSwan] strongswan on kernel 4.14

2017-12-16 Thread Kamil Jońca

Recently I upgraded the kernel on my Debian box from 4.13 to 4.14, and
strongswan stopped working: the log shows that everything is established ok,
but there is no ping between hosts.

What should I check?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
Three o'clock in the afternoon is always just a little too late or a little
too early for anything you want to do.
-- Jean-Paul Sartre


Re: [strongSwan] Windows 8.1 - no proposal chosen

2017-11-27 Thread Kamil Jońca
kjonca-h7QdYz1kt/q...@public.gmane.org (Kamil Jońca) writes:

[...]
>
> and what can I do about this?
> KJ
Sorry for the noise.
The advice from https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
about
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
works.
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
"I'm really enjoying not talking to you ... Let's not talk again REAL
soon ..."


[strongSwan] Windows 8.1 - no proposal chosen

2017-11-27 Thread Kamil Jońca
Recently I upgraded my Debian strongSwan package, and my Windows 8.1 box
stopped working with the message "no proposal chosen".
In the logs:
 charon-systemd[8848]: received proposals:
 IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
 IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
 IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
 IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
 IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
 IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024


configured proposals:
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048


What changed between:
[UPGRADE] strongswan-libcharon:amd64 5.6.0-2 -> 5.6.1-2
[UPGRADE] strongswan-swanctl:amd64 5.6.0-2 -> 5.6.1-2

and what can I do about this?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
You don't become a failure until you're satisfied with being one.
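
Added example, not code from the original post or from the strongSwan project: a small Python checker that parses the two charon log lines quoted above ("received proposals" and "configured proposals") and reports which transform type prevents every received/configured pairing from agreeing. IKEv2 negotiation intersects proposals type by type (encryption, integrity, PRF, DH group), so a single type with no common algorithm is enough for "no proposal chosen". The grouping of transform names into ENCR/INTEG/PRF/DH by name prefix is an assumption made for this example, not strongSwan's own table.

```python
"""Diagnose an IKEv2 "no proposal chosen" from strongSwan's log lines.

Added example; not code from strongSwan or from the post. The proposal
strings are copied from the charon log quoted in the post. The name-prefix
classification in transform_type() is a simplified model (assumption).
"""

# Proposals exactly as charon printed them: Windows 8.1 (received) on one
# side, the upgraded 5.6.1 server (configured) on the other.
RECEIVED = [
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
    "IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024",
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024",
]
CONFIGURED = [
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048",
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048",
]


def transform_type(name):
    """Classify one transform name into its IKEv2 transform type (simplified model)."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if name in ("EXT_SEQ", "NO_EXT_SEQ"):
        return "ESN"
    return "ENCR"  # AES_CBC/CTR/GCM/CCM, CAMELLIA_*, 3DES_CBC, CHACHA20_POLY1305, ...


def parse_proposal(text):
    """'IKE:A/B/C' -> ('IKE', {'ENCR': {...}, 'INTEG': {...}, 'PRF': {...}, 'DH': {...}})."""
    proto, _, transforms = text.partition(":")
    by_type = {}
    for name in transforms.split("/"):
        by_type.setdefault(transform_type(name), set()).add(name)
    return proto, by_type


def failing_types(received, configured):
    """Transform types with no algorithm in common between two parsed proposals.

    A type present on one side only (INTEG against an AEAD proposal, say) fails too.
    """
    _, r = received
    _, c = configured
    return {t for t in set(r) | set(c) if not (r.get(t, set()) & c.get(t, set()))}


def match(received, configured):
    """Per-type intersection if the two proposals can agree, else None."""
    if received[0] != configured[0] or failing_types(received, configured):
        return None
    _, r = received
    _, c = configured
    return {t: r[t] & c[t] for t in r}


def diagnose(received_texts, configured_texts):
    """None if some pairing matches; otherwise the transform types that block
    *every* pairing (an empty set means no single type explains the failure)."""
    received = [parse_proposal(t) for t in received_texts]
    configured = [parse_proposal(t) for t in configured_texts]
    blockers = None
    for r in received:
        for c in configured:
            if match(r, c) is not None:
                return None
            f = failing_types(r, c)
            blockers = f if blockers is None else blockers & f
    return blockers if blockers is not None else set()


if __name__ == "__main__":
    print("types blocking every pairing:", diagnose(RECEIVED, CONFIGURED))
```

Run against the lines above it reports {'DH'}: every Windows proposal insists on MODP_1024 and none of the configured proposals offers it any more. The fix the reply found (NegotiateDH2048_AES256 on the Windows side) is the right direction: it moves the client to a 2048-bit group rather than putting a 1024-bit group back into the server's proposals.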


[strongSwan] migration to charon-systemd

2017-09-20 Thread Kamil Jońca

Recently I found that I can use strongSwan as a systemd-integrated
service. I tried to move my config to a swanctl-style file and I have had
partial success.
But I have some questions about how to migrate some things.
--8<---cut here---start->8---
config setup
        strictcrlpolicy=ifuri

ca kaczka
        cacert=/etc/ipsec.d/cacerts/ipsec--kaczka--ca.pem
        auto=add

conn %default
        left=192.168.2.2
        leftsubnet=192.168.2.0/24
        leftid="C = PL, ST = xxx, O = kjonca.kjonca, OU = ipsec, CN = bla.bla"
        leftca="C = PL, ST = xxx, L = , O = kjonca.kjonca, OU = ipsec, CN = openswan--kjonca.kjonca"
        rightca=%same
        leftcert="alfa.kjonca.5.pem"
        rightdns=192.168.2.2
        right=%any
        compress=yes
        keyexchange=ikev2
        auto=add
        rightsourceip=%dhcp
        #rekey=no

conn w8-kjonca
        also=alfa-server
        rightid="C=PL, ST=xxx, O=kjonca.kjonca, OU=ipsec, CN=w8-kjonca.kjonca"
        rekey=no

conn alfa-server

include /var/lib/strongswan/ipsec.conf.inc
--8<---cut here---end--->8---

1. How do I "translate" "rightdns=" to swanctl?
2. How can I have a dedicated connection which behaves like "alfa-server" except
for the "rekey" setting?
3. Is it possible to use the IDs from certificates (as in leftid/leftca)?
4. How do I translate "rightca=%same"?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
"If I do not return to the pulpit this weekend, millions of people will go
to hell."
-- Jimmy Swaggart, 5/20/88


[strongSwan] Windows split routing & DHCP-info message

2017-09-09 Thread Kamil Jońca

(My apologies for the off-topic post, as it is not strictly a strongSwan issue,
but rather a Windows issue)

At https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
we have:
"Fortunately, Windows sends DHCP request upon connection and add routes 
supplied in option 249 of DHCP reply."
I cannot force my Windows 7/8/10 machines to send a DHCP-INFO message upon
connection via IKEv2. I can't see any option in the connection parameters,
and cannot find any relevant registry entry.

Can someone help with this?


KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
If you knew what to say next, would you say it?
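
Added example, not code from the post, from strongSwan or from Windows: the wire layout of the classless-static-route payload that the wiki text quoted above says Windows reads from DHCP option 249, with an encoder, a decoder and the option TLV wrapper. The layout is the RFC 3442 one (the same format as IANA option 121, which Microsoft's option 249 reuses). The routes and gateway below are constructed sample values, not taken from the post; the option code constant is the only page-derived number.

```python
"""Build and check the DHCP classless-static-route payload (option 249 / 121).

Added example; not code from the post or from strongSwan. Wire format per
RFC 3442: per route, 1 byte prefix length, then only the significant octets
of the destination (ceil(prefix/8) of them), then the 4-byte router address.
"""
import ipaddress

OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft code; 121 is the IANA code
# Constructed sample: push two internal subnets via the VPN gateway and nothing else.
SAMPLE_ROUTES = [("192.168.2.0/24", "192.168.2.2"), ("10.0.0.0/8", "192.168.2.2")]


def encode_classless_routes(routes):
    """[(destination CIDR, router)] -> RFC 3442 payload bytes.

    strict=True rejects a destination with host bits set (e.g. 192.168.2.5/24),
    which would otherwise be silently truncated on the wire.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; raises ValueError on malformed input."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("prefix length > 32 at offset %d" % i)
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(data):
            raise ValueError("truncated route at offset %d" % i)
        # Pad the significant octets back out to a full 4-byte address.
        dest = ipaddress.IPv4Address(data[i:i + significant] + bytes(4 - significant))
        router = ipaddress.IPv4Address(data[i + significant:i + significant + 4])
        i += significant + 4
        routes.append((str(ipaddress.IPv4Network("%s/%d" % (dest, plen))), str(router)))
    return routes


def decodes_cleanly(data):
    """True if the payload parses completely, False on any malformation."""
    try:
        decode_classless_routes(data)
        return True
    except ValueError:
        return False


def dhcp_option(code, payload):
    """TLV-encode one option. Payloads over 255 bytes are split into consecutive
    instances of the same code, which RFC 3396 tells clients to concatenate."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out += bytes([code, len(chunk)]) + chunk
    return bytes(out)


if __name__ == "__main__":
    payload = encode_classless_routes(SAMPLE_ROUTES)
    print(dhcp_option(OPTION_MS_CLASSLESS_STATIC_ROUTE, payload).hex())
    print(decode_classless_routes(payload))
```

The decoder is the useful half when a client does not pick up the routes: feed it the option bytes from a capture of the DHCP reply and a truncated or host-bit-polluted route shows up as a ValueError instead of a silently wrong table entry.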


[strongSwan] IPComp - what this message mean?

2017-04-15 Thread Kamil Jońca

I am trying to set up strongSwan on my OpenWrt router, and it is almost done.
The only thing I still want is compression.
I got:
--8<---cut here---start->8---
daemon.info syslog: 04[IKE] unable to allocate a CPI from kernel, IPComp 
disabled
--8<---cut here---end--->8---
What can it be, and is it possible to do at all?
KJ

--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Van Roy's Law:
Honesty is the best policy - there's less competition.

Van Roy's Truism:
Life is a whole series of circumstances beyond your control.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] [SOLVED] Error 13801 in windows

2011-06-10 Thread Kamil Jońca
kjo...@o2.pl (Kamil Jońca) writes:

> Andreas Steffen
>  writes:
>
>> Czesc Kamil,
>>
>> strongSwan uses ',' and '/' as reserved characters to separate
>> Relative Distinguished Names in an X.509 Distinguished Name.
>> Therefore CN=host/bambus@KJONCA will be incorrectly encoded.
>> Could you generate another certificate not containing a '/'
>> character?
>
> I have generated, and Win says that is connected but I cannot ping
> "other peer"
>

On Debian amd64 the last available version was 4.5.0. After compiling and
installing 4.5.2 everything works OK.
Sorry for the false alarm.
KJ

-- 
http://blogdebart.pl/2009/12/22/mamy-chorych-dzieci/
kondensator - kondensatorych - kondensatoremu
   (declension of the word "kondensator" according to MS Word 6.0)




Re: [strongSwan] Error 13801 in windows

2011-06-09 Thread Kamil Jońca
kjo...@o2.pl (Kamil Jońca) writes:

> Andreas Steffen
>  writes:
>
>> Czesc Kamil,
>>
>> strongSwan uses ',' and '/' as reserved characters to separate
>> Relative Distinguished Names in an X.509 Distinguished Name.
>> Therefore CN=host/bambus@KJONCA will be incorrectly encoded.
>> Could you generate another certificate not containing a '/'
>> character?
>
> I have generated, and Win says that is connected but I cannot ping
> "other peer"

My suspicion:
strongSwan sends packets
--8<---cut here---start->8---
2011-06-09T15:05:04+02:00 alfa charon: 15[IKE] sending keep alive
2011-06-09T15:05:04+02:00 alfa charon: 15[NET] sending packet: from 
192.168.200.200[4500] to 80.50.55.206[500]
--8<---cut here---end--->8---
(from port 4500 to 500)

But according to my knowledge these packets are blocked at the client
side.
Packets (4500 -> 4500) pass.

KJ

-- 
http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/
"You cannot fly into the third millennium
  on a barn door" - Sławoj Leszek Głódź, field bishop of the Polish Army.




Re: [strongSwan] Error 13801 in windows

2011-06-08 Thread Kamil Jońca
Andreas Steffen
 writes:

> Could you run tcpdump or wireshark on the strongSwan host and
> check if any ESP packets are arriving from the Windows client.
> You should also be able to the inbound decrypted ICMP requests.
> In the outbound direction only ESP packets are visible but
> they are probably missing.
>
I'm not sure if I understood you correctly but:
--8<---cut here---start->8---

sudo tcpdump -vv -i lan 'esp or udp port 4500 or udp port 500'
tcpdump: listening on lan, link-type EN10MB (Ethernet), capture size 65535 bytes
17:23:10.103351 IP (tos 0x0, ttl 239, id 943, offset 0, flags [none], proto UDP 
(17), length 128)
178.180.71.169.nat.umts.dynamic.t-mobile.pl.4500 > alfa.kjonca.4500: [no 
cksum] UDP-encap: ESP(spi=0xc81acd1d,seq=0x11), length 100
17:23:10.105285 IP (tos 0x0, ttl 64, id 40604, offset 0, flags [none], proto 
UDP (17), length 176)
alfa.kjonca.4500 > 178.180.71.169.nat.umts.dynamic.t-mobile.pl.isakmp: [no 
cksum] isakmp 10.10 msgid 409aaffc cookie 4c8878770011->6f7aa7ebed0be088:
17:23:10.223247 IP (tos 0x0, ttl 239, id 946, offset 0, flags [none], proto UDP 
(17), length 120)
178.180.71.169.nat.umts.dynamic.t-mobile.pl.4500 > alfa.kjonca.4500: [no 
cksum] UDP-encap: ESP(spi=0xc81acd1d,seq=0x12), length 92
17:23:10.223389 IP (tos 0x0, ttl 64, id 40605, offset 0, flags [none], proto 
UDP (17), length 120)
alfa.kjonca.4500 > 178.180.71.169.nat.umts.dynamic.t-mobile.pl.isakmp: [no 
cksum] isakmp 10.3 msgid 1abd275f cookie 4c8878770012->174b7bd54f6d754f:
17:23:10.443372 IP (tos 0x0, ttl 239, id 947, offset 0, flags [none], proto UDP 
(17), length 120)
178.180.71.169.nat.umts.dynamic.t-mobile.pl.4500 > alfa.kjonca.4500: [no 
cksum] UDP-encap: ESP(spi=0xc81acd1d,seq=0x13), length 92
17:23:10.444083 IP (tos 0x0, ttl 64, id 40606, offset 0, flags [none], proto 
UDP (17), length 168)
alfa.kjonca.4500 > 178.180.71.169.nat.umts.dynamic.t-mobile.pl.isakmp: [no 
cksum] isakmp 13.0 msgid 79fbc08d cookie 4c8878770013->d64ec9ffda629afb:
17:23:10.464147 IP (tos 0x0, ttl 239, id 948, offset 0, flags [none], proto UDP 
(17), length 120)
178.180.71.169.nat.umts.dynamic.t-mobile.pl.4500 > alfa.kjonca.4500: [no 
cksum] UDP-encap: ESP(spi=0xc81acd1d,seq=0x14), length 92
17:23:10.465201 IP (tos 0x0, ttl 64, id 40607, offset 0, flags [none], proto 
UDP (17), length 168)
alfa.kjonca.4500 > 178.180.71.169.nat.umts.dynamic.t-mobile.pl.isakmp: [no 
cksum] isakmp 8.1 msgid 9672ee56 cookie 4c8878770014->c42845423907698e:
17:23:14.863744 IP (tos 0x0, ttl 239, id 956, offset 0, flags [none], proto UDP 
(17), length 120)
178.180.71.169.nat.umts.dynamic.t-mobile.pl.4500 > alfa.kjonca.4500: [no 
cksum] UDP-encap: ESP(spi=0xc81acd1d,seq=0x15), length 92
17:23:14.863884 IP (tos 0x0, ttl 64, id 40608, offset 0, flags [none], proto 
UDP (17), length 120)
alfa.kjonca.4500 > 178.180.71.169.nat.umts.dynamic.t-mobile.pl.isakmp: [no 
cksum] isakmp 5.6 msgid 18d5d909 cookie 4c8878770015->2ae24001cb76a6db:
17:23:18.664527 IP (tos 0x0, ttl 239, id 960, offset 0, flags [none], proto UDP 
(17), length 128)
178.180.71.169.nat.umts.dynamic.t-mobile.pl.4500 > alfa.kjonca.4500: [no 
cksum] UDP-encap: ESP(spi=0xc81acd1d,seq=0x16), length 100
17:23:18.665505 IP (tos 0x0, ttl 64, id 40609, offset 0, flags [none], proto 
UDP (17), length 176)
alfa.kjonca.4500 > 178.180.71.169.nat.umts.dynamic.t-mobile.pl.isakmp: [no 
cksum] isakmp 1.15 msgid 7926d194 cookie 4c8878770016->3c4ed056dfc932a7: 
phase 2/others ? #124[C]: [|#182] (len mismatch: isakmp 1806220945/ip 148)
--8<---cut here---end--->8---

(now I try from another address)

BTW. I have read and applied http://support.microsoft.com/?kbid=947234

KJ

-- 
http://blogdebart.pl/2009/12/22/mamy-chorych-dzieci/
kondensator - kondensatorych - kondensatoremu
   (declension of the word "kondensator" according to MS Word 6.0)




Re: [strongSwan] Error 13801 in windows

2011-06-08 Thread Kamil Jońca
Andreas Steffen
 writes:

> Czesc Kamil,
>
> strongSwan uses ',' and '/' as reserved characters to separate
> Relative Distinguished Names in an X.509 Distinguished Name.
> Therefore CN=host/bambus@KJONCA will be incorrectly encoded.
> Could you generate another certificate not containing a '/'
> character?

I have generated one, and Windows says it is connected, but I cannot ping
the "other peer".


--8<---cut here---start->8---
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] received cert request for 
unknown ca with keyid 
07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] received end entity cert "C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] looking for peer configs 
matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie, 
O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca]
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] selected peer config 'bambus'
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   using certificate "C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   using trusted ca certificate 
"C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, 
CN=openswan--kjonca.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] checking certificate status of 
"C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] certificate status is not 
available
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   reached self-signed root ca 
with a path length of 0
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] authentication of 'C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca' with RSA signature 
successful
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] peer supports MOBIKE
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] authentication of 'C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca' (myself) with RSA 
signature successful
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] IKE_SA bambus[16] established 
between 192.168.200.200[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, 
CN=alfa.kjonca]...80.50.55.206[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, 
CN=bambus.kjonca]
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] scheduling reauthentication in 
9941s
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] maximum IKE_SA lifetime 10481s
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] sending end entity cert "C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] peer requested virtual IP %any6
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] reassigning offline lease to 
'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca'
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] assigning virtual IP 
192.168.200.211 to peer 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, 
CN=bambus.kjonca'
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] CHILD_SA bambus{3} established 
with SPIs c1dbbfcc_i ca8b9d08_o and TS 192.168.200.0/24 === 192.168.200.211/32
2011-06-08T13:55:47+02:00 alfa charon: 15[ENC] generating IKE_AUTH response 1 [ 
IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
2011-06-08T13:55:47+02:00 alfa charon: 15[NET] sending packet: from 
192.168.200.200[4500] to 80.50.55.206[4500]
2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA 
with SPI c1dbbfcc and reqid {3} changed, queuing update job
2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA 
with SPI c1dbbfcc and reqid {3} changed, queuing update job
2011-06-08T13:55:48+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA 
with SPI c1dbbfcc and reqid {3} changed, queuing update job
--8<---cut here---end--->8---
KJ



-- 
http://blogdebart.pl/2010/03/17/dalsze-przygody-swinki-w-new-jersey/
Linux can survive having its processor removed - it will compute the rest in memory.
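
Added example (not strongSwan's DN parser and not code from the thread) illustrating the reserved-character rule quoted above, that ',' and '/' both act as RDN separators: a simplified separator-based DN tokenizer, a whitespace-insensitive comparison for the "C = PL" versus "C=PL" spellings that appear in these threads, and a pre-flight check that flags attribute values a separator would cut apart before they go into a certificate or an id setting. The DN strings are the ones from the thread; the tokenizer is a model of the stated rule, not the real implementation.

```python
"""Pre-flight check for X.509 subject DNs used as IKE identities.

Added example; not strongSwan's own DN code. It models one rule from the
thread: ',' and '/' are reserved as RDN separators, so CN=host/bambus@KJONCA
is split into "CN=host" and a typeless fragment "bambus@KJONCA".
"""
import re

RESERVED_SEPARATORS = ",/"  # per the reply quoted above (assumption: no escaping)
_SPLIT = re.compile("[%s]" % re.escape(RESERVED_SEPARATORS))

# DN strings as they appear in the thread.
BAD_DN = "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus@KJONCA"
GOOD_DN = "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
SPACED_DN = "C = PL, ST = Mazowieckie, O = kjonca.kjonca, OU = ipsec, CN = bambus.kjonca"


def split_rdns(dn):
    """Cut the DN at every reserved separator (simplified model, no escaping)."""
    return [p.strip() for p in _SPLIT.split(dn) if p.strip()]


def parse_dn(dn):
    """Return (rdns, leftovers): rdns as (TYPE, value) pairs with whitespace
    around '=' dropped, leftovers the fragments that lost their 'type=' because
    a separator sat inside a value."""
    rdns, leftovers = [], []
    for part in split_rdns(dn):
        if "=" not in part:
            leftovers.append(part)
            continue
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns, leftovers


def dn_matches(a, b):
    """Identity comparison: same RDN sequence, spacing ignored, and both
    strings must have parsed cleanly (no leftover fragments)."""
    rdns_a, left_a = parse_dn(a)
    rdns_b, left_b = parse_dn(b)
    return not left_a and not left_b and rdns_a == rdns_b


def rdns_to_dn(rdns):
    """Join (type, value) pairs the way the thread writes DNs."""
    return ", ".join("%s=%s" % (attr, value) for attr, value in rdns)


def check_identity(rdns):
    """Attribute values that contain a reserved separator: fix these before
    issuing the certificate or writing the leftid/rightid."""
    return [(attr, value) for attr, value in rdns
            if any(ch in value for ch in RESERVED_SEPARATORS)]


def round_trips(rdns):
    """True if the DN string built from rdns parses back to the same pairs."""
    parsed, leftovers = parse_dn(rdns_to_dn(rdns))
    return not leftovers and parsed == [(a.upper(), v) for a, v in rdns]


if __name__ == "__main__":
    print(parse_dn(BAD_DN))          # ([..., ('CN', 'host')], ['bambus@KJONCA'])
    print(dn_matches(GOOD_DN, SPACED_DN))
    print(check_identity([("C", "PL"), ("CN", "host/bambus@KJONCA")]))
```

check_identity() is the part worth wiring into a CA's issuance script: a Kerberos-style host/name principal in a CN is a natural thing to want, and this catches it before the certificate exists.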




[strongSwan] Error 13801 in windows

2011-06-08 Thread Kamil Jońca

My /etc/ipsec.conf
--8<---cut here---start->8---
config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

conn bambus
        left=%defaultroute
        leftsubnet=192.168.200.0/24
        leftcert=alfa.kjonca.1.pem
        leftid="C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca"
        right=%any
        rightid="C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus@KJONCA"
        rightsourceip=192.168.200.211
        keyexchange=ikev2
        auto=add
        rightca="C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
        leftca="C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"

include /var/lib/strongswan/ipsec.conf.inc
--8<---cut here---end--->8---

The server box is behind NAT.
The client laptop is also behind NAT.
And I cannot create the connection; Windows shows error 13801.
In syslog I have:

[...]

2011-06-08T13:12:18+02:00 alfa charon: 00[JOB] spawning 16 worker threads
2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] received stroke: add connection 
'bambus'
2011-06-08T13:12:18+02:00 alfa charon: 10[CFG]   loaded certificate "C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca" from 
'alfa.kjonca.1.pem'
2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] added configuration 'bambus'
2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] adding virtual IP address pool 
'bambus': 192.168.200.211/32
2011-06-08T13:12:21+02:00 alfa charon: 15[NET] received packet: from 
80.50.55.206[500] to 192.168.200.200[500]
2011-06-08T13:12:21+02:00 alfa charon: 15[ENC] parsed IKE_SA_INIT request 0 [ 
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] 80.50.55.206 is initiating an 
IKE_SA
2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] local host is behind NAT, 
sending keep alives
2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] remote host is behind NAT
2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] sending cert request for "C=PL, 
ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, 
CN=openswan--kjonca.kjonca"
2011-06-08T13:12:21+02:00 alfa charon: 15[ENC] generating IKE_SA_INIT response 
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2011-06-08T13:12:21+02:00 alfa charon: 15[NET] sending packet: from 
192.168.200.200[500] to 80.50.55.206[500]
2011-06-08T13:12:21+02:00 alfa charon: 16[NET] received packet: from 
80.50.55.206[4500] to 192.168.200.200[4500]
2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] unknown attribute type 
INTERNAL_IP4_SERVER
2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] unknown attribute type 
INTERNAL_IP6_SERVER
2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi 
CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi 
TSr ]

2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] received cert request  for 
unknown ca with keyid [some unknown certs ]

2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] received cert request for "C=PL, 
ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, 
CN=openswan--kjonca.kjonca"
2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] received end entity cert "C=PL, 
ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus@KJONCA"
2011-06-08T13:12:21+02:00 alfa charon: 16[CFG] looking for peer configs 
matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie, 
O=kjonca.kjonca, OU=ipsec, CN=host/bambus@KJONCA]
2011-06-08T13:12:21+02:00 alfa charon: 16[CFG] no matching peer config found
2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] peer supports MOBIKE
2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] generating IKE_AUTH response 1 [ 
N(AUTH_FAILED) ]
2011-06-08T13:12:21+02:00 alfa charon: 16[NET] sending packet: from 
192.168.200.200[4500] to 80.50.55.206[4500]

[...]
Any ideas?
KJ
 
-- 
http://sporothrix.wordpress.com/2011/01/16/usa-sie-krztusza-kto-nastepny/
Don't interrupt me while I'm interrupting.
--W. Churchill




Re: [strongSwan] Compression - how to check it?

2011-05-05 Thread Kamil Jońca
Andreas Steffen
 writes:

--8<---cut here---start->8---
>
> src 192.168.0.1 dst 192.168.0.100
>   proto comp spi 0xbdf9(48633) reqid 1(0x0001) mode tunnel
>   replay-window 0 seq 0x flag af-unspec (0x0010)
>   comp deflate 0x (0 bits)
>   lifetime config:
--8<---cut here---end--->8---
[...]
So, the key line is  "comp deflate 0x (0 bits)", right?
How can I check why compression is turned off?
config:
--8<---cut here---start->8---
version 2.0 # conforms to second version of ipsec.conf specification

ca alfa
        cacert=ca-kaczka.kjonca.pem

config setup
        charonstart=yes
        plutostart=no
        interfaces="%defaultroute"
        plutodebug="all"
        charondebug="all"
        nat_traversal=yes

conn %default
        left=%defaultroute
        leftsubnet=192.168.200.0/24
        leftcert=/etc/ipsec.d/certs/circinus.aster.net.pl.1.pem
        leftca="C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
        keyexchange=ikev2
        leftsourceip=192.168.200.200
        auto=add
        compress=yes

conn bambus.kjonca
        right=%any
        rightsourceip=192.168.200.211
        rekey=no

include /var/lib/strongswan/ipsec.conf.inc
--8<---cut here---end--->8---

The client is a Windows 7 laptop configured as described at
http://wiki.strongswan.org/projects/strongswan/wiki/Win7Config 

KJ



-- 
http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/
Biology teaches that if something has bitten you, it was almost certainly a female.




[strongSwan] Compression - how to check it?

2011-05-05 Thread Kamil Jońca

How can I check if compression directive works?
KJ
-- 
http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/
If someone has bad luck, they'll break a tooth during oral sex (S. Sokół)

