[strongSwan] no response from port 4500, port 500 is ok

2022-02-04 Thread Modster, Anthony
Hello

Case 1: no response from port 4500, port 500 is ok

We have a case were charon does not respond to port 4500 (500 is ok).
Charon is our IPSEC client on Linux.
Using strongswan 5.8.2
The IPSEC server is Windows 2012R2

  *   Sending packet on 500
      *   2022 Feb  3 20:04:46+00:00 wglng-2294 charon [info] 03[NET] sending packet: from 10.147.180.160[500] to 76.80.106.138[500] (480 bytes)
      *   2022 Feb  3 20:04:48+00:00 wglng-2294 charon [info] 14[NET] received packet: from 76.80.106.138[500] to 10.147.180.160[500] (492 bytes)
  *   Sending packet on 4500, but no reply
      *   2022 Feb  3 20:04:49+00:00 wglng-2294 charon [info] 14[NET] sending packet: from 10.147.180.160[4500] to 76.80.106.138[4500] (480 bytes)
      *   2022 Feb  3 20:04:53+00:00 wglng-2294 charon [info] 09[IKE] retransmit 1 of request with message ID 1
Our tcpdump capture does show 4500 being received

  *   See dod-ipsec-error-for-strongswan-edit.csv
This problem does not happen all the time.
When it does happen, it will persist and not clear.



2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[DMN] Starting IKE charon 
daemon (strongSwan 5.8.2, Linux 2.6.32.46.cge-TDY711999J-3+, mips64)
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[NET] could not open 
socket: Address family not supported by protocol
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[NET] could not open IPv6 
socket, IPv6 disabled
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[KNL] received netlink 
error: Address family not supported by protocol (124)
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[KNL] unable to create 
IPv6 routing table rule
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[CFG] loaded 0 RADIUS 
server configurations
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[CFG] no threshold 
configured for systime-fix, disabled
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[LIB] loaded plugins: 
charon ldap aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation 
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl 
gcrypt fips-prf gmp curve25519 xcbc cmac hmac ntru drbg curl files attr 
kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 
eap-dynamic eap-radius eap-tls eap-peap xauth-generic xauth-eap error-notify 
counters
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[LIB] dropped 
capabilities, running as uid 0, gid 0
2022 Feb  3 19:58:07+00:00 wglng-2294 charon [info] 00[JOB] spawning 16 worker 
threads
2022 Feb  3 19:58:09+00:00 wglng-2294 charon [info] 14[CFG] vici client 1 
connected
2022 Feb  3 19:58:09+00:00 wglng-2294 charon [info] 04[CFG] vici client 1 
requests: clear-creds
2022 Feb  3 19:58:09+00:00 wglng-2294 charon [info] 09[CFG] vici client 1 
disconnected
2022 Feb  3 19:58:11+00:00 wglng-2294 charon [info] 15[CFG] vici client 2 
connected
2022 Feb  3 19:58:11+00:00 wglng-2294 charon [info] 14[CFG] vici client 2 
registered for: ike-updown
2022 Feb  3 19:58:11+00:00 wglng-2294 charon [info] 06[CFG] vici client 2 
registered for: child-updown
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 11[CFG] vici client 3 
connected
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 04[CFG] vici client 3 
requests: flush-certs
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 10[CFG] vici client 3 
disconnected
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 11[CFG] vici client 4 
connected
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 03[CFG] vici client 4 
requests: get-keys
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 11[CFG] vici client 4 
requests: get-shared
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 06[CFG] vici client 4 
requests: load-cert
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 06[CFG] loaded certificate 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Aircraft, OU=Teledyne Controls, CN=RA02294-219.auth'
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 14[CFG] vici client 4 
requests: load-cert
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 14[CFG] loaded certificate 'C=CA, O=Carillon Information Security Inc., OU=TEST Certification Authorities, CN=TEST CIS Signing CA1'
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 11[CFG] vici client 4 
requests: load-cert
2022 Feb  3 19:58:12+00:00 wglng-2294 charon [info] 11[CFG] loaded certificate 'C=CA, O=Carillon Information Security Inc., OU=TEST Certification Authorities, CN=TEST cisRCA1'
2022 Feb  3 19:58:13+00:00 wglng-2294 charon [info] 08[CFG] vici client 4 
requests: load-key
2022 Feb  3 19:58:13+00:00 wglng-2294 charon [info] 08[CFG] loaded RSA private 
key
2022 Feb  3 19:58:14+00:00 wglng-2294 charon [info] 03[CFG] vici client 4 
requests: load-key
2022 Feb  3 19:58:14+00:00 wglng-2294 charon [info] 03[CFG] loaded RSA private 
key
2022 Feb  3 19:58:14+00:00 wglng-2294 charon [info] 10[CFG] vici client 4 
disconnected
2022 Feb  3 19:58:15+00:00 wglng-2294 charon [info] 09[CFG] vici client 5 
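A small log check for the symptom described in this post, added here as an editor's example (it is not code from the post or from the strongSwan project). It tallies charon's [NET] "sending packet" / "received packet" lines per local UDP port, lists any port that sent but never logged a reply, and collects the [IKE] retransmit lines. The sample log is constructed from the four lines quoted above, joined onto single lines; only IPv4 addresses are matched, which fits this host since charon logged IPv6 as disabled. If port 4500 is silent in charon's own log while tcpdump on the same host shows the datagrams arriving, the drop is local to the host (between the NIC and the daemon) rather than on the network path, which is the distinction worth establishing before looking at the Windows side.

```python
import re
from collections import defaultdict

# Constructed sample: the four log lines from the post, each joined onto one line.
SAMPLE_LOG = """\
2022 Feb  3 20:04:46+00:00 wglng-2294 charon [info] 03[NET] sending packet: from 10.147.180.160[500] to 76.80.106.138[500] (480 bytes)
2022 Feb  3 20:04:48+00:00 wglng-2294 charon [info] 14[NET] received packet: from 76.80.106.138[500] to 10.147.180.160[500] (492 bytes)
2022 Feb  3 20:04:49+00:00 wglng-2294 charon [info] 14[NET] sending packet: from 10.147.180.160[4500] to 76.80.106.138[4500] (480 bytes)
2022 Feb  3 20:04:53+00:00 wglng-2294 charon [info] 09[IKE] retransmit 1 of request with message ID 1
"""

# charon's [NET] lines: "sending packet: from A[p] to B[q] (n bytes)" and
# "received packet: from B[q] to A[p] (n bytes)". IPv4 only (IPv6 is disabled on this host).
NET_RE = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)
RETRANS_RE = re.compile(r"\[IKE\] retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")


def summarize_ports(lines):
    """Tally sent/received IKE datagrams per *local* UDP port and collect retransmits.

    Returns {"ports": {port: {"sent": n, "received": n}}, "retransmits": [(n, mid), ...]}.
    """
    ports = defaultdict(lambda: {"sent": 0, "received": 0})
    retransmits = []
    for line in lines:
        m = NET_RE.search(line)
        if m:
            # The local port is the source port of a sent datagram and the
            # destination port of a received one.
            if m["dir"] == "sending":
                ports[int(m["sport"])]["sent"] += 1
            else:
                ports[int(m["dport"])]["received"] += 1
            continue
        r = RETRANS_RE.search(line)
        if r:
            retransmits.append((int(r["n"]), int(r["mid"])))
    return {"ports": dict(ports), "retransmits": retransmits}


def silent_ports(summary):
    """Local ports that sent at least one datagram and never logged a reply."""
    return sorted(p for p, c in summary["ports"].items() if c["sent"] and not c["received"])


if __name__ == "__main__":
    import sys
    # Pipe a real charon log on stdin; with no stdin the constructed sample is used.
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    summary = summarize_ports(lines)
    for port, counts in sorted(summary["ports"].items()):
        print(f"local port {port}: sent={counts['sent']} received={counts['received']}")
    print("retransmits (n, message id):", summary["retransmits"])
    print("silent local ports (sent, never received):", silent_ports(summary))
```

Run it over the whole charon log for a failing period (grep the window first if the log is large); a non-empty silent-port list together with retransmits on the same message ID is the pattern from this post.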

Re: [strongSwan] strict crl policy

2021-09-27 Thread Modster, Anthony
Thanks


Teledyne Confidential; Commercially Sensitive Business Data

-Original Message-
From: Users  On Behalf Of Andreas Steffen
Sent: Sunday, September 26, 2021 12:25 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] strict crl policy

---External Email---

Hi Anthony,

strict CRL policy still works.

The problem with your setup is that you define

   strictcrlpolicy=yes

in ipsec.conf which is loaded via starter and the stroke interface only whereas 
your log shows that you load the configuration via the vici interface:

2021 Sep 24 04:26:47+00:00 wglng-17 charon [info]
   ...
   14[CFG]   remote:
   14[CFG]     class = public key
   14[CFG]     id = C=CA, O=Carillon Information Security Inc., ...
   14[CFG] added vici connection: sgateway1-radio0

There is no

   revocation = GOOD

entry in the remote authentication section log of the vici transfer, so

   revocation = strict

hasn't been set in the remote section of the configuration definition in 
swanctl.conf and thus no strict CRL policy is enforced

Best regards

Andreas

On 24.09.21 22:14, Modster, Anthony wrote:
> Hello
> 
> Does setting strict CRL policy to yes still work ?
> The CRL's for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
> 
> strongSwan 5.8.2
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> config setup
>      charondebug="ike 2,cfg 2"
>      strictcrlpolicy=yes
>      # uniqueids = no
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland) 
==
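To check the point made in this reply on a swanctl.conf before loading it (strictcrlpolicy in ipsec.conf is read by starter/stroke only; a connection loaded over vici needs revocation = strict in its remote authentication section), here is an added editor's example, not code from the thread or from strongSwan. It parses the brace-delimited swanctl.conf syntax into nested dicts and lists every remote auth round whose revocation policy is anything other than strict. The two inline configs are constructed: the connection name, remote address, remote identity and traffic selector are taken from logs in this archive, the certificate file name is assumed, and the second config differs only by the added revocation line. Treating an absent setting as relaxed follows strongSwan's documented default for connections.<conn>.remote<suffix>.revocation.

```python
import re

# Constructed swanctl.conf fragment matching what the vici log above shows: a
# remote section with class public key and an id, but no revocation setting.
CONF_AS_LOADED = """\
connections {
    sgateway1-radio0 {
        remote_addrs = 76.232.248.220
        local {
            auth = pubkey
            certs = RA02294-219.auth.pem      # assumed file name
        }
        remote {
            auth = pubkey
            id = "C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, CN=WGCM220 - ID"
            # no revocation setting: strongSwan's default is relaxed
        }
        children {
            sgateway1-radio0 {
                remote_ts = 40.40.40.15/32
            }
        }
    }
}
"""

# Same config with strict CRL/OCSP policy on the remote auth round.
CONF_FIXED = CONF_AS_LOADED.replace(
    "auth = pubkey\n            id =",
    "auth = pubkey\n            revocation = strict\n            id =",
)

SECTION_RE = re.compile(r"^([\w.-]+)\s*\{$")
SETTING_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse_swanctl(text):
    """Parse strongswan.conf/swanctl.conf syntax into nested dicts.

    Handles 'name {' / '}' sections, 'key = value' settings and '#' comments.
    Values are kept as strings with surrounding quotes removed. Not handled:
    include directives and a '#' inside a quoted value.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unexpected '}}'")
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = SETTING_RE.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: a section was left open")
    return root


def remote_revocation(conf):
    """Map '<conn>.<remote section>' to its revocation policy.

    swanctl names remote auth rounds remote, remote-1, remote2, ...; settings such
    as remote_addrs are strings and are skipped. An absent setting means relaxed.
    """
    out = {}
    for conn_name, conn in conf.get("connections", {}).items():
        for key, sect in conn.items():
            if key.startswith("remote") and isinstance(sect, dict):
                out[f"{conn_name}.{key}"] = sect.get("revocation", "relaxed")
    return out


def non_strict_rounds(conf):
    """Remote auth rounds where a missing CRL/OCSP response would not fail the connection."""
    return sorted(k for k, v in remote_revocation(conf).items() if v != "strict")


if __name__ == "__main__":
    for label, text in (("as loaded", CONF_AS_LOADED), ("fixed", CONF_FIXED)):
        conf = parse_swanctl(text)
        print(label, remote_revocation(conf), "non-strict:", non_strict_rounds(conf))
```

After loading the fixed config with swanctl --load-conns, the vici load-conn log for the remote section should show the revocation setting, which is the check this reply suggests.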


[strongSwan] strict crl policy

2021-09-24 Thread Modster, Anthony
Hello

Does setting strict CRL policy to yes still work ?

The CRL's for TA and SCA are removed.
Was expecting the VPN tunnel not to make a connection.

strongSwan 5.8.2

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
charondebug="ike 2,cfg 2"
strictcrlpolicy=yes
# uniqueids = no




Attachment: security-env03-charon.log


[strongSwan] docker strongswan image

2021-09-23 Thread Modster, Anthony
Hello

Is there information on creating a Docker Strongswan image ?

Thanks






[strongSwan] URL timeout

2021-06-11 Thread Modster, Anthony
Hello

Is there a way to increase the URL lookup timeout ?

Note: When using OCSP and CDP

Thanks






Re: [strongSwan] OCSP and libcurl

2021-04-15 Thread Modster, Anthony
Hello

Does strongswan support libcurl curl_easy_setopt() CURLOPT_INTERFACE

curl_easy_setopt - set options for a curl easy handle



From: Modster, Anthony
Sent: Thursday, April 15, 2021 10:36 AM
To: users@lists.strongswan.org
Subject: OCSP and libcurl

Hello

What path does charon libcurl use when sending OCSP protocol ?

The URL is resolved, but the network is not found.

  *   charon [info] 07[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
  *   charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
  *   charon [info] 07[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
  *   charon [info] 07[CFG] ocsp check failed, fallback to crl
  *   charon [info] 07[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
  *   charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
  *   charon [info] 07[CFG] crl fetching failed
  *   charon [info] 07[CFG] certificate status is not available
  *   charon [info] 07[CFG] ocsp check skipped, no ocsp found
  *   charon [info] 07[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
  *   charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
  *   charon [info] 07[CFG] crl fetching failed
  *   charon [info] 07[CFG] certificate status is not available

The VPN tunnel does come up (so IKE and ESP packets are ok).
Below is some of the configuration information.

  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 12[CFG] vici client 6 connected
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG] vici client 6 requests: load-conn
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]  conn sgateway1-radio0:
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]   child sgateway1-radio0:
  *   ...
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]    local_ts = dynamic
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]    remote_ts = 40.40.40.15/32
  *   ...
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   local_addrs = 10.215.3.133
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   remote_addrs = 76.232.248.220
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   local_port = 500
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   remote_port = 500
Thanks






[strongSwan] OCSP and libcurl

2021-04-15 Thread Modster, Anthony
Hello

What path does charon libcurl use when sending OCSP protocol ?

The URL is resolved, but the network is not found.

  *   charon [info] 07[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
  *   charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
  *   charon [info] 07[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
  *   charon [info] 07[CFG] ocsp check failed, fallback to crl
  *   charon [info] 07[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
  *   charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
  *   charon [info] 07[CFG] crl fetching failed
  *   charon [info] 07[CFG] certificate status is not available
  *   charon [info] 07[CFG] ocsp check skipped, no ocsp found
  *   charon [info] 07[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
  *   charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
  *   charon [info] 07[CFG] crl fetching failed
  *   charon [info] 07[CFG] certificate status is not available

The VPN tunnel does come up (so IKE and ESP packets are ok).
Below is some of the configuration information.

  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 12[CFG] vici client 6 connected
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG] vici client 6 requests: load-conn
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]  conn sgateway1-radio0:
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]   child sgateway1-radio0:
  *   ...
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]    local_ts = dynamic
  *   2021 Apr 15 17:09:04+00:00 wglng-17 charon [info] 10[CFG]    remote_ts = 40.40.40.15/32
  *   ...
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   local_addrs = 10.215.3.133
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   remote_addrs = 76.232.248.220
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   local_port = 500
  *   2021 Apr 15 17:09:05+00:00 wglng-17 charon [info] 10[CFG]   remote_port = 500
Thanks






Re: [strongSwan] error notify plugin

2020-10-19 Thread Modster, Anthony
Thanks

-Original Message-
From: Tobias Brunner  
Sent: Monday, October 19, 2020 4:20 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] error notify plugin

---External Email---

Hi Anthony,

> What causes this error on the peer side ?

Hard to say, could be anything (depends on the authentication method, the 
credentials etc.).  As always, if an error notify is *received*, check the log 
of the other peer.

Regards,
Tobias


[strongSwan] error notify plugin

2020-10-15 Thread Modster, Anthony
Hello

We are using the strongswan Error Notify plugin.

Charon reported the below error.


2020 Oct  6 23:13:08+00:00 wglng-6957 charon [info] 05[IKE] received 
AUTHENTICATION_FAILED notify error



The Error Notify plugin reported error_notify_msg_t::type = 2.



And the information string was set to error_notify_msg_t:: str = creating local 
authentication data failed


What causes this error on the peer side ?

error_notify_msg.h

/**
* Message type, these are mapped to ALERT_* types.
*/
enum {
   ERROR_NOTIFY_RADIUS_NOT_RESPONDING = 1,
   ERROR_NOTIFY_LOCAL_AUTH_FAILED = 2,
   ERROR_NOTIFY_PEER_AUTH_FAILED = 3,
   ERROR_NOTIFY_PARSE_ERROR_HEADER = 4,
   ERROR_NOTIFY_PARSE_ERROR_BODY = 5,
   ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT = 6,
   ERROR_NOTIFY_HALF_OPEN_TIMEOUT = 7,
   ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE = 8,
   ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD = 9,
   ERROR_NOTIFY_TS_MISMATCH = 10,
   ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED = 11,
   ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED = 12,
   ERROR_NOTIFY_UNIQUE_REPLACE = 13,
   ERROR_NOTIFY_UNIQUE_KEEP = 14,
   ERROR_NOTIFY_VIP_FAILURE = 15,
   ERROR_NOTIFY_AUTHORIZATION_FAILED = 16,
   ERROR_NOTIFY_CERT_EXPIRED = 17,
   ERROR_NOTIFY_CERT_REVOKED = 18,
   ERROR_NOTIFY_NO_ISSUER_CERT = 19,
   ERROR_NOTIFY_RETRANSMIT_SEND = 20,
};

/**
* Message to exchange over notify socket, strings are null-terminated.
*/
struct error_notify_msg_t {
   /** message type */
   int type;
   /** string with an error description */
   char str[384];
   /** connection name, if known */
   char name[64];
   /** peer identity, if known */
   char id[256];
   /** peer address and port, if known */
   char ip[60];
} __attribute__((packed));
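To consume these messages from the plugin's socket, here is an added editor's example; it is not the plugin's own client and not code from the thread. It decodes the packed error_notify_msg_t shown above with Python's struct module and maps the type field to the enum names, so type 2 comes out as ERROR_NOTIFY_LOCAL_AUTH_FAILED. The sample message is constructed from the IPSecCfgIfManager line in the 2020-10-08 post (type 2, connection sgateway1-radio1, the peer identity, 76.232.248.220[4500] and the string "creating local authentication data failed"). The socket path /var/run/charon.enfy is an assumption; the plugin's charon.plugins.error-notify.socket setting decides it. The '=' format uses native byte order with no padding, which reproduces the packed layout because a unix-socket reader runs on the same host as charon.

```python
import socket
import struct

# struct error_notify_msg_t from error_notify_msg.h above:
#   int type; char str[384]; char name[64]; char id[256]; char ip[60];
# __attribute__((packed)) means no alignment padding, so '=' (native byte
# order, standard sizes, no padding) matches the layout on the sending host.
MSG_FMT = "=i384s64s256s60s"
MSG_SIZE = struct.calcsize(MSG_FMT)  # 4 + 384 + 64 + 256 + 60 = 768 bytes

# Names for the type field, copied from the enum above.
ERROR_NOTIFY_TYPES = {
    1: "ERROR_NOTIFY_RADIUS_NOT_RESPONDING", 2: "ERROR_NOTIFY_LOCAL_AUTH_FAILED",
    3: "ERROR_NOTIFY_PEER_AUTH_FAILED", 4: "ERROR_NOTIFY_PARSE_ERROR_HEADER",
    5: "ERROR_NOTIFY_PARSE_ERROR_BODY", 6: "ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT",
    7: "ERROR_NOTIFY_HALF_OPEN_TIMEOUT", 8: "ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE",
    9: "ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD", 10: "ERROR_NOTIFY_TS_MISMATCH",
    11: "ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED", 12: "ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED",
    13: "ERROR_NOTIFY_UNIQUE_REPLACE", 14: "ERROR_NOTIFY_UNIQUE_KEEP",
    15: "ERROR_NOTIFY_VIP_FAILURE", 16: "ERROR_NOTIFY_AUTHORIZATION_FAILED",
    17: "ERROR_NOTIFY_CERT_EXPIRED", 18: "ERROR_NOTIFY_CERT_REVOKED",
    19: "ERROR_NOTIFY_NO_ISSUER_CERT", 20: "ERROR_NOTIFY_RETRANSMIT_SEND",
}


def _cstr(field):
    """Null-terminated char[] to str (the struct comment says strings are null-terminated)."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def decode_msg(buf):
    """Decode one 768-byte message into a dict with the type name resolved."""
    if len(buf) != MSG_SIZE:
        raise ValueError(f"expected {MSG_SIZE} bytes, got {len(buf)}")
    msg_type, text, name, ident, ip = struct.unpack(MSG_FMT, buf)
    return {
        "type": msg_type,
        "type_name": ERROR_NOTIFY_TYPES.get(msg_type, f"UNKNOWN({msg_type})"),
        "str": _cstr(text), "name": _cstr(name), "id": _cstr(ident), "ip": _cstr(ip),
    }


def encode_msg(msg_type, text, name="", ident="", ip=""):
    """Pack a message in the struct's layout; struct pads short fields with NULs."""
    return struct.pack(MSG_FMT, msg_type, text.encode(), name.encode(), ident.encode(), ip.encode())


# Constructed from the IPSecCfgIfManager line in the 2020-10-08 post.
SAMPLE_MSG = encode_msg(
    2,
    "creating local authentication data failed",
    name="sgateway1-radio1",
    ident="C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, "
          "OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=WGCM220 - ID",
    ip="76.232.248.220[4500]",
)


def read_messages(path="/var/run/charon.enfy"):
    """Yield decoded messages from the plugin's stream socket.

    The default path is an assumption (charon.plugins.error-notify.socket).
    Reads exactly MSG_SIZE bytes per message, since the stream carries fixed-size records.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        while True:
            buf = b""
            while len(buf) < MSG_SIZE:
                chunk = sock.recv(MSG_SIZE - len(buf))
                if not chunk:
                    return
                buf += chunk
            yield decode_msg(buf)


if __name__ == "__main__":
    print(decode_msg(SAMPLE_MSG))
```

For a live listener replace the last line with a loop over read_messages(); the daemon must be running with the error-notify plugin loaded, as in the plugin lists in this archive.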



[strongSwan] creating local authentication data failed

2020-10-08 Thread Modster, Anthony
Hello

What would cause the below error ?

2020 Oct  6 23:13:08+00:00 wglng-6957 charon [info] 05[IKE] received 
AUTHENTICATION_FAILED notify error
2020 Oct  6 23:13:08+00:00 wglng-6957 IPSecCfgIfManager [notice] bool 
ErrorNotifyMonitor::ProcessEvents() rx message is new or changed type=2 
name=sgateway1-radio1 id=C=CA, O=Carillon Information Security Inc., OU=TEST, 
OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, 
CN=WGCM220 - ID ip=76.232.248.220[4500] str=creating local authentication data 
failed.

Thanks



[strongSwan] unbound

2020-06-02 Thread Modster, Anthony
Hello

I am looking to see if strongswan can use unbound for OCSP and CRL requests.

Looking at the plugin files, it seems it can not ( is this true ? ).

   revocation
   
/home/amodster/scitools/ProjectsToAnalysis/strongswan-5.8.2/src/libstrongswan/plugins/revocation/revocation_plugin.c
 .h
   
/home/amodster/scitools/ProjectsToAnalysis/strongswan-5.8.2/src/libstrongswan/plugins/revocation/revocation_validator.c
 .h
   PLUGIN_PROVIDE(CUSTOM, "revocation"),
   PLUGIN_SDEPEND(CERT_ENCODE, CERT_X509_OCSP_REQUEST),
   PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_OCSP_RESPONSE),
   PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
   PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
   PLUGIN_SDEPEND(FETCHER, NULL),
  curl
  
/home/amodster/scitools/ProjectsToAnalysis/strongswan-5.8.2/src/libstrongswan/plugins/curl/curl_plugin.c
 .h
  
/home/amodster/scitools/ProjectsToAnalysis/strongswan-5.8.2/src/libstrongswan/plugins/curl/curl_fetcher.c
 .h
  PLUGIN_REGISTER(FETCHER, curl_fetcher_create)

Thanks



[strongSwan] plugin unbound

2020-04-29 Thread Modster, Anthony
Hello

Are there examples for using "plugin unbound" ?

We want to use it for OCSP and CRL.

Thanks



Re: [strongSwan] charon and unbound

2020-04-25 Thread Modster, Anthony
? is there any information on this item

From: Modster, Anthony
Sent: Tuesday, April 21, 2020 10:37 AM
To: users@lists.strongswan.org
Subject: charon and unbound

Hello

I am not seeing unbound being used by charon for OCSP or CRL, the log file does 
not show an attempt to start unbound.

Attached is the log file, and below are configuration and events.

What should I check for ?

I am using the default configuration of charon (which is):
strongswan unbound configuration
charon.plugins.unbound.resolv_conf
/etc/resolv.conf "default path"
Currently this is present and empty on the COMM+
charon.plugins.unbound.trust_anchors
/etc/ipsec.d/dnssec.keys "default path"
copy the keys file from previous tests to the 
COMM+
File to read DNSSEC trust anchors from (usually 
root zone KSK).
The format of the file is the standard DNS Zone 
file format, anchors can be stored as DS or DNSKEY entries in the file.

charon [info] 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 
2.6.32.46.cge-TDY711999J-2E.12MAR2020+, mips64)

charon [info] 00[LIB] loaded plugins: charon unbound ldap aes des rc2 sha2 sha1 
md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac 
hmac ntru drbg curl files attr kernel-netlink resolve socket-default vici 
updown eap-identity eap-mschapv2 eap-dynamic eap-radius eap-tls eap-peap 
xauth-generic xauth-eap error-notify counters

charon [info] 12[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
charon [info] 12[CFG] ocsp check failed, fallback to crl
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
charon [info] 12[CFG] certificate status is not available
charon [info] 12[CFG]   certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 2" key: 2048 bit RSA
charon [info] 12[CFG]   using trusted ca certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA"
charon [info] 12[CFG] checking certificate status of "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 2"
charon [info] 12[CFG] ocsp check skipped, no ocsp found
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed




[strongSwan] charon and unbound

2020-04-21 Thread Modster, Anthony
Hello

I am not seeing unbound being used by charon for OCSP or CRL, the log file does 
not show an attempt to start unbound.

Attached is the log file, and below are configuration and events.

What should I check for ?

I am using the default configuration of charon (which is):
strongswan unbound configuration
charon.plugins.unbound.resolv_conf
/etc/resolv.conf "default path"
Currently this is present and empty on the COMM+
charon.plugins.unbound.trust_anchors
/etc/ipsec.d/dnssec.keys "default path"
copy the keys file from previous tests to the 
COMM+
File to read DNSSEC trust anchors from (usually 
root zone KSK).
The format of the file is the standard DNS Zone 
file format, anchors can be stored as DS or DNSKEY entries in the file.

charon [info] 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 
2.6.32.46.cge-TDY711999J-2E.12MAR2020+, mips64)

charon [info] 00[LIB] loaded plugins: charon unbound ldap aes des rc2 sha2 sha1 
md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac 
hmac ntru drbg curl files attr kernel-netlink resolve socket-default vici 
updown eap-identity eap-mschapv2 eap-dynamic eap-radius eap-tls eap-peap 
xauth-generic xauth-eap error-notify counters

charon [info] 12[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
charon [info] 12[CFG] ocsp check failed, fallback to crl
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
charon [info] 12[CFG] certificate status is not available
charon [info] 12[CFG]   certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 2" key: 2048 bit RSA
charon [info] 12[CFG]   using trusted ca certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA"
charon [info] 12[CFG] checking certificate status of "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 2"
charon [info] 12[CFG] ocsp check skipped, no ocsp found
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
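This post and the "OCSP and libcurl" thread above show the same shape of failure: every OCSP and CRL fetch fails inside libcurl (code 6, host not resolved, here; code 7, network unreachable, there), charon reports "certificate status is not available", and in the libcurl thread the tunnel still comes up. Here is an added editor's example that serves both threads; it is not code from the posts or from strongSwan. It walks charon log lines, pairs each OCSP/CRL fetch with its libcurl failure, glosses the CURLcode with libcurl's documented meaning (6 is CURLE_COULDNT_RESOLVE_HOST, 7 is CURLE_COULDNT_CONNECT), and flags the fail-open case where an IKE_SA is established after status was unavailable. The sample log is constructed by combining the two excerpts onto single lines; the timestamps and the final "IKE_SA ... established" line are made up in charon's log format. Whether an unavailable status is fatal is decided by the connection's revocation setting (strict fails closed; relaxed, the default, does not), so the flag is a prompt to check that setting, not proof of a policy bug.

```python
import re

# Constructed sample: fetch lines from the two threads joined onto single lines,
# with made-up timestamps and a made-up final "established" line in charon's format.
SAMPLE_LOG = """\
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] ocsp check failed, fallback to crl
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[LIB] libcurl request failed [7]: Failed to connect to 192.64.30.9: Network is unreachable
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] crl fetching failed
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] certificate status is not available
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] ocsp check skipped, no ocsp found
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] crl fetching failed
2021 Apr 15 17:09:10+00:00 wglng-17 charon [info] 07[CFG] certificate status is not available
2021 Apr 15 17:09:11+00:00 wglng-17 charon [info] 07[IKE] IKE_SA sgateway1-radio0[1] established between 10.215.3.133[CN=RA02294-219.auth]...76.232.248.220[CN=WGCM220 - ID]
"""

FETCH_RE = re.compile(r"(?P<kind>requesting ocsp status|fetching crl) from '(?P<url>[^']+)'")
CURL_RE = re.compile(r"libcurl request failed \[(?P<code>\d+)\]: (?P<msg>.*)$")
STATUS_UNAVAILABLE = "certificate status is not available"
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established")

# libcurl's documented meaning for the two CURLcodes seen in the threads (editor's gloss).
CURL_HINTS = {
    6: "CURLE_COULDNT_RESOLVE_HOST: resolver problem (empty resolv.conf, no DNS on this path)",
    7: "CURLE_COULDNT_CONNECT: no route or refused (routing table, source interface, packet filter)",
}


def analyze_revocation(lines):
    """Pair each OCSP/CRL fetch with its libcurl failure and detect fail-open.

    Returns {"fetches": [...], "status_unavailable": n, "established": [conn, ...],
             "fail_open": bool}.
    """
    fetches, established = [], []
    unavailable = 0
    current = None  # the fetch awaiting its result line
    for line in lines:
        m = FETCH_RE.search(line)
        if m:
            current = {"kind": "ocsp" if "ocsp" in m["kind"] else "crl",
                       "url": m["url"], "error": None}
            fetches.append(current)
            continue
        m = CURL_RE.search(line)
        if m and current is not None:
            code = int(m["code"])
            current["error"] = {"code": code, "msg": m["msg"],
                                "hint": CURL_HINTS.get(code, "see libcurl's CURLcode list")}
            current = None
            continue
        if STATUS_UNAVAILABLE in line:
            unavailable += 1
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            established.append(m["conn"])
    return {
        "fetches": fetches,
        "status_unavailable": unavailable,
        "established": established,
        # An SA came up although at least one certificate's status was never obtained.
        "fail_open": unavailable > 0 and bool(established),
    }


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    report = analyze_revocation(lines)
    for f in report["fetches"]:
        err = f["error"]
        print(f"{f['kind']:4} {f['url']}: " + (f"[{err['code']}] {err['hint']}" if err else "ok"))
    print("status unavailable:", report["status_unavailable"], "established:", report["established"])
    print("FAIL-OPEN: SA established without certificate status" if report["fail_open"] else "no fail-open seen")
```

Code 6 points at the resolver the curl plugin inherits from libc (the empty /etc/resolv.conf mentioned above fits), code 7 at the route libcurl's socket is given by the kernel; neither is answered by the unbound plugin, which is a DNS resolver for charon's own lookups and not the HTTP fetcher.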




Attachment: security-charon.log


[strongSwan] strongswan plugin unbound cant detect ldns

2020-04-08 Thread Modster, Anthony
Hello

Configure cant detect ldns.
I have the path to the staging lib dir.
Also checked that the symbol configure looks for is in the libldns.a file.


ls -l 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/staging/mips-mv-linux/usr/lib32/libldns.a
-rw-r--r-- 1 amodster amodster 1650592 2020-04-08 15:05 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/staging/mips-mv-linux/usr/lib32/libldns.a


nm 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/staging/mips-mv-linux/usr/lib32/libldns.a
 | grep "ldns_rr_get_type"
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
00b0 T ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type
 U ldns_rr_get_type


./configure --build=i686-linux --host=mips64-mv-linux --target=mips64-mv-linux 
--prefix=/usr --exec_prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin 
--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc 
--sharedstatedir=/com --localstatedir=/var 
--libdir=/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/staging/mips-mv-linux/usr/lib32
 --includedir=/usr/include --oldincludedir=/usr/include 
--infodir=/usr/share/info --mandir=/usr/share/man 
ss_cv_pthread_condattr_setclock_clock_monotone=yes 
--with-ipsecdir=/usr/lib32/ipsec --with-plugindir=/usr/lib32/ipsec/plugins 
--with-capabilities=libcap --enable-openssl --enable-eap-tls 
--enable-eap-mschapv2 --enable-xauth-eap --enable-gcrypt --enable-eap-identity 
--enable-eap-dynamic --enable-eap-radius --enable-eap-peap 
--enable-error-notify --build=i686-linux --host=mips64-mv-linux 
--target=mips64-mv-linux --without-lib-prefix 
--cache-file=/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/work/mips-mv-linux/strongswan-5.8.2-r3/config.cache
 --without-systemdsystemunitdir --disable-systemd --enable-scepclient 
--disable-aesni --disable-soup --enable-stroke --enable-curl --enable-files 
--enable-curve25519 --enable-systime-fix --enable-ntru --enable-ldap 
--enable-gmp --enable-unbound
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/mips64-linux
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/mips64-common
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common-glibc
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common-linux
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/endian-big
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/mips64-linux
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/mips64-common
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common-glibc
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/common-linux
configure: loading site script 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/collections/cge60-main-1203161411/cge60-main/site/endian-big
configure: loading cache 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/work/mips-mv-linux/strongswan-5.8.2-r3/config.cache
checking for a BSD-compatible install... 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/staging/i686-linux/usr/bin/install
 -c
checking whether build environment is sane... yes
checking for mips64-mv-linux-strip... mips-montavista-linux-gnu-strip
checking for a thread-safe mkdir -p... 
/home/amodster/montavista/workspace/CGE_6_1_711999_J/tmp/staging/i686-linux/usr/bin/mkdir
 -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... 

[strongSwan] plugin unbound configurations

2020-03-27 Thread Modster, Anthony
Hello

https://www.strongswan.org/testing/testresults/ikev2/rw-dnssec/

? where can I find the files used for the test above ( strongswan.conf, 
unbound.conf, resolv.conf, dnssec.keys )

Looking at the strongswan.conf for dave and carol, it looks like the defaults 
were used.

Thanks



[strongSwan] plugin unbound

2020-03-27 Thread Modster, Anthony
Hello

Will charon start another "unbound resolver" if one was already started for 
another task ?

Note: plugin unbound



Re: [strongSwan] DNSSEC

2020-02-27 Thread Modster, Anthony
Any information on this item.

From: Modster, Anthony
Sent: Monday, February 24, 2020 12:48 PM
To: users@lists.strongswan.org
Subject: DNSSEC

Hello

What plugin and library does strongswan use when doing DNSSEC protocol ?

Thanks



[strongSwan] DNSSEC

2020-02-24 Thread Modster, Anthony
Hello

What plugin and library does strongswan use when doing DNSSEC protocol ?

Thanks



[strongSwan] plugins

2020-01-27 Thread Modster, Anthony
Hello

Is "pki tool" needed for curve25519 ?

How to load "pki tool" ?, its not in the plugin list

Note:

  *   https://wiki.strongswan.org/projects/strongswan/wiki/PluginList
  *   The plugin list states curve25519 is loaded by default

Thanks



[strongSwan] botan plugin

2020-01-21 Thread Modster, Anthony
Hello

How does the "botan plugin" help ?

Note: we are using strongswan client configured for:
VICI
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation 
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl 
gcrypt fips-prf xcbc cmac hmac curl files attr kernel-netlink resolve 
socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-radius 
eap-tls eap-peap xauth-generic xauth-eap error-notify


[strongSwan] addrblock

2020-01-21 Thread Modster, Anthony
Hello

If the parameter charon.plugins.addrblock.strict = "no", and address blocks 
exist in the certificates.

Will the addrblock plugin try to set the traffic selectors ?


The pki tool 
gained support for generating certificates with RFC 
3779 addrblock extensions. The charon 
addrblock plugin now dynamically narrows traffic selectors based on the 
certificate's addrblocks instead of rejecting non-matching selectors 
completely. This allows generic connections, where the allowed selectors are 
defined by the used certificates only.


[strongSwan] SHA2 ESP

2020-01-15 Thread Modster, Anthony
Hello

Can openssl 1.0.2 support ESP SHA2 ?

Or do we need to update openssl to 1.1.

Thanks



Re: [strongSwan] large CRL file

2020-01-13 Thread Modster, Anthony
Thanks

-Original Message-
From: Users  On Behalf Of Thomas Egerer
Sent: Saturday, January 11, 2020 4:47 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] large CRL file

---External Email---

Hello Anthony,


On 1/11/20 12:37 AM, Modster, Anthony wrote:
> Hello
>
>  
>
> Does the latest strongswan 5.8.2 address the problem found when loading large 
> CRL files (not using the authorities section) ?
At least not according to the release notes [1] (which only lists the changes 
from 5.8.1 to 5.8.2).
Diffstat does not indicate any modifications there, either

>  
>
> Thanks
>
>  
>
HTH
Thomas


[1] https://wiki.strongswan.org/versions/75



[strongSwan] large CRL file

2020-01-10 Thread Modster, Anthony
Hello

Does the latest strongswan 5.8.2 address the problem found when loading large 
CRL files (not using the authorities section) ?

Thanks



[strongSwan] MOBIKE

2019-12-26 Thread Modster, Anthony
Hello

? where can I find information on MOBIKE routing path selection (descripted in 
this reference)

https://wiki.strongswan.org/projects/strongswan/repository/revisions/597e8c9e009946c994fcba525bacc647f46bae60



[strongSwan] SPI

2019-12-23 Thread Modster, Anthony
Hello

The range from which SPIs for IPsec SAs are allocated by the kernel is now 
configurable.
(AM), ? is this only for IPSec servers that are using IKEv1



[strongSwan] forecast

2019-12-23 Thread Modster, Anthony
Hello

? does strongswan generate any traffic using multicast or broadcast ports

https://wiki.strongswan.org/projects/strongswan/repository/revisions/094a4d15cff37b786b9afec2c1cfe834dcd13147

Thanks



Re: [strongSwan] OCSP nonce parameter

2019-12-19 Thread Modster, Anthony
? is 5.8.2 stable enough for production

-Original Message-
From: Tobias Brunner  
Sent: Thursday, December 19, 2019 10:42 AM
To: Modster, Anthony ; 
users@lists.strongswan.org; Andreas Steffen 
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] OCSP nonce parameter

---External Email---

Hi Anthony,

> ? was the nonce parameter fixed in 5.5.8

If you mean 5.8.2 [1], then yes.

Regards,
Tobias

[1] https://wiki.strongswan.org/versions/75


Re: [strongSwan] OCSP nonce parameter

2019-12-19 Thread Modster, Anthony
Hello

? was the nonce parameter fixed in 5.5.8

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Monday, November 25, 2019 4:36 AM
To: Modster, Anthony ; 
users@lists.strongswan.org; Andreas Steffen 
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] OCSP nonce parameter

---External Email---

Hi Anthony,

> Our security department is insisting that strongswan validate the nonce 
> parameter when received.
> 
> Is there a way strongswan can accommodate this request.

I pushed some changes to that effect to the ocsp-nonce branch [1].

> If not we need a way to disable OCSP.

You can do so via charon.plugins.revocation.enable_ocsp.

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ocsp-nonce


Re: [strongSwan] OCSP and CDP

2019-12-19 Thread Modster, Anthony
Thanks

I will take a look, I may write a custom plugin or try python w/openssl

-Original Message-
From: Tobias Brunner  
Sent: Thursday, December 19, 2019 9:25 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP and CDP

---External Email---

Hi Anthony,

> ? is there a developers guide for writing plugins

[1] has some general information and there are a lot of plugins you could have 
a look at.

> ? what would the plugin do

Process OCSP requests and return responses (probably via HTTP) and/or do the 
same for CRLs.

> ? does (RFC 6960) apply

If you implement an OCSP server, sure.

Also, the x509 plugin does not actually support parsing OCSP requests or 
generating OCSP responses because strongSwan currently only needs the reverse.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/DeveloperDocumentation


Re: [strongSwan] OCSP and CDP

2019-12-19 Thread Modster, Anthony
OK, now I am curious

? is there a developers guide for writing plugins

? what would the plugin do

? does (RFC 6960) apply

Thanks

-Original Message-
From: Tobias Brunner  
Sent: Thursday, December 19, 2019 8:53 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP and CDP

---External Email---

Hi Anthony,

> ? can strongswan be a OCSP or CDP server

Theoretically yes, but you'd have to program a plugin that does that yourself.

It would theoretically also be possible to transmit CRLs (RFC 7296) and OCSP 
(RFC 4806) via IKEv2 certificate payloads, but strongSwan currently doesn't 
support this.

Regards,
Tobias


[strongSwan] OCSP and CDP

2019-12-18 Thread Modster, Anthony
Hello

? can strongswan be a OCSP or CDP server

We are using strongswan version: 5.5.1



[strongSwan] purge user cert

2019-12-12 Thread Modster, Anthony
Hello

? is there a way to purge a selected User Cert

If 2 VPN tunnels are up, and each VPN tunnel uses its own User Cert (for its 
organization).

Is there a way to purge and reload the first VPN tunnel User Cert.

Note:

  *   We are using VICI
  *   We have tried the following:

  *   terminate_conn()
  *   unload_conn()
  *   copy new User Cert into /etc/swanctl/x509/my-cert.crt
  *   load_conn()
  *   init_conn()
  *   swanctl --list-certs, User Cert serial number did not change

Thanks



Re: [strongSwan] road warrior MTU issues (IPv4)

2019-12-11 Thread Modster, Anthony
These are the providers that have MTU issues for us.

- Panasonic 
- BoardConnect/Inmarsat 
- Verizon
- Vodafone

-Original Message-
From: Users  On Behalf Of Harald Dunkel
Sent: Wednesday, December 11, 2019 2:09 PM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] road warrior MTU issues (IPv4)

---External Email---

On 12/11/19 10:39 PM, Harald Dunkel wrote:
> Hi folks,
> 
> apparently the MacOS road warriors have to manually adjust the MTU on
> ipsec0 to 1280 in some networks, e.g. if the IP provider is 
> Unitymedia, or if they travel in an ICE of Deutsche Bahn and use the free 
> Wifi.
> Without *sudo ifconfig ipsec0 mtu 1280* their IPsec connection appears 
> to be broken.
> 
> Problem is, setting the MTU on MacOS is not persistent. On the next 
> IPsec connection MacOS has lost the adjusted MTU and goes with the 
> default 1400 again.
> 
> Since the peer runs Strongswan on Linux, I wonder if there is 
> something that can be done on this side? Is this purely MacOS' fault 
> for not fragmenting payload accordingly?
> 

PS: I found

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues

after sending this, but AFAIU reducing the mss affects outgoing TCP traffic 
only.


Regards
Harri


Re: [strongSwan] dynamic user cert updates

2019-12-11 Thread Modster, Anthony
? any thoughts on this item

From: Modster, Anthony
Sent: Tuesday, December 10, 2019 4:00 PM
To: users@lists.strongswan.org
Subject: dynamic user cert updates

Hello

We can't seem to update our user cert dynamically (without stopping charon).

Our procedure is

  *   Load User Cert 1 into /etc/swanctl/x509/my-cert.crt
  *   vici_do_load()->load_conn()
  *   vici_do_connect()->init_conn()
  *   VPN tunnel comes up
  *   swanctl --list-certs, User Cert serial number is 0e
  *   vici_do_disconnect()->terminate_conn()
  *   vici_do_unload()->unload_conn()
  *   copy User Cert 2 into /etc/swanctl/x509/my-cert.crt
  *   vici_do_load()->load_conn()
  *   vici_do_connect()->init_conn()
  *   swanctl --list-certs, User Cert serial number is 0e (but it should be 0e)

Thanks



Re: [strongSwan] road warrior MTU issues (IPv4)

2019-12-11 Thread Modster, Anthony
Let us know the answer to this

We also have the same problem on some networks (we are using an embedded 
system).

-Original Message-
From: Users  On Behalf Of Harald Dunkel
Sent: Wednesday, December 11, 2019 1:39 PM
To: users@lists.strongswan.org
Subject: [strongSwan] road warrior MTU issues (IPv4)

---External Email---

Hi folks,

apparently the MacOS road warriors have to manually adjust the MTU on
ipsec0 to 1280 in some networks, e.g. if the IP provider is Unitymedia, or if 
they travel in an ICE of Deutsche Bahn and use the free Wifi.
Without *sudo ifconfig ipsec0 mtu 1280* their IPsec connection appears to be 
broken.

Problem is, setting the MTU on MacOS is not persistent. On the next IPsec 
connection MacOS has lost the adjusted MTU and goes with the default 1400 again.

Since the peer runs Strongswan on Linux, I wonder if there is something that 
can be done on this side? Is this purely MacOS' fault for not fragmenting 
payload accordingly?


Every helpful comment is highly appreciated.

Harri


[strongSwan] dynamic user cert updates

2019-12-10 Thread Modster, Anthony
Hello

We can't seem to update our user cert dynamically (without stopping charon).

Our procedure is

  *   Load User Cert 1 into /etc/swanctl/x509/my-cert.crt
  *   vici_do_load()->load_conn()
  *   vici_do_connect()->init_conn()
  *   VPN tunnel comes up
  *   swanctl --list-certs, User Cert serial number is 0e
  *   vici_do_disconnect()->terminate_conn()
  *   vici_do_unload()->unload_conn()
  *   copy User Cert 2 into /etc/swanctl/x509/my-cert.crt
  *   vici_do_load()->load_conn()
  *   vici_do_connect()->init_conn()
  *   swanctl --list-certs, User Cert serial number is 0e (but it should be 0e)

Thanks



[strongSwan] CDP enable/disable

2019-11-25 Thread Modster, Anthony
Hello

? is this the correct parameter for enabling/disabling CDP

charon.plugins.revocation.enable_crl



Re: [strongSwan] OCSP nonce parameter

2019-11-25 Thread Modster, Anthony
Thanks

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Monday, November 25, 2019 4:36 AM
To: Modster, Anthony ; 
users@lists.strongswan.org; Andreas Steffen 
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] OCSP nonce parameter

---External Email---

Hi Anthony,

> Our security department is insisting that strongswan validate the nonce 
> parameter when received.
> 
> Is there a way strongswan can accommodate this request.

I pushed some changes to that effect to the ocsp-nonce branch [1].

> If not we need a way to disable OCSP.

You can do so via charon.plugins.revocation.enable_ocsp.

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ocsp-nonce


[strongSwan] OCSP network unreachable

2019-11-22 Thread Modster, Anthony
Hello

Error: Failed to connect to 192.64.30.9: Network is unreachable

? Is there a way to configure VICI to point to an interface.

When charon is using OCSP, libcurl can't find a path to the server.

The VPN is configured to use "swanconf connections..local_addrs".
And we are communicating IKE to the secure gateway.

Thanks



[strongSwan] CDP CRL

2019-11-21 Thread Modster, Anthony
Hello

When using CDP, ? will strongswan do the following:

  *   check the signature of the CRL to make sure it is signed by the entity 
that we trust
  *   CRL should not be expired as well (i.e., nextupdate is not earlier than 
the system local time)

Thanks



Re: [strongSwan] OCSP nonce parameter

2019-11-21 Thread Modster, Anthony
Hello Andreas

Our security department is insisting that strongswan validate the nonce 
parameter when received.

Is there a way strongswan can accommodate this request.

If not we need a way to disable OCSP.

Thanks

-Original Message-
From: Modster, Anthony 
Sent: Friday, November 8, 2019 9:50 AM
To: Tobias Brunner ; users@lists.strongswan.org
Subject: RE: [strongSwan] OCSP nonce parameter

? is there a possibility of a patch to allow checking the received nonce

-Original Message-
From: Tobias Brunner  
Sent: Thursday, November 07, 2019 11:27 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP nonce parameter

---External Email---

Hi Anthony,

> When using OCSP, ? is the nonce parameter always set.

Yes, the x509 plugin always adds a random nonce.  It doesn't seem to be 
used/checked later, though.

Regards,
Tobias


Re: [strongSwan] OCSP nonce parameter

2019-11-21 Thread Modster, Anthony
Hello Andreas

Our security department is insisting that strongswan validate the nonce 
parameter when received.

Is there a way strongswan can accommodate this request.

If not we need a way to disable OCSP.

Thanks

-Original Message-
From: Modster, Anthony 
Sent: Friday, November 8, 2019 9:50 AM
To: Tobias Brunner ; users@lists.strongswan.org
Subject: RE: [strongSwan] OCSP nonce parameter

? is there a possibility of a patch to allow checking the received nonce

-Original Message-
From: Tobias Brunner  
Sent: Thursday, November 07, 2019 11:27 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP nonce parameter

---External Email---

Hi Anthony,

> When using OCSP, ? is the nonce parameter always set.

Yes, the x509 plugin always adds a random nonce.  It doesn't seem to be 
used/checked later, though.

Regards,
Tobias


[strongSwan] CDP

2019-11-20 Thread Modster, Anthony
Hello

When a CRL is uploaded (using CDP):

  *   ? does strongswan validate the trust chain
  *   ? are both CRLs needed (one for the SCA and the other for the TA)
Thanks



[strongSwan] OSCP validation

2019-11-18 Thread Modster, Anthony
Hello

When strongswan validates the "OCSP signing certificate", ? will it always use 
the stored trust chain (TA and SCA)

Will strongswan, ? always pull the CRL published by the SCA to make sure the 
"OCSP signing certificate" is not revoked

Thanks



[strongSwan] CRL revoke

2019-11-15 Thread Modster, Anthony
Hello

? can charon revoke the user cert from a CRL

We are using charon as a client, that has loaded a user cert and a CRL.
strongswan 5.5.1

Sample CRL used to revoke user cert.
root@wglng-17:/etc/swanctl/ourCrl# openssl crl -in Org1.scacrl1 -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=US/O=Teledyne Controls Engineering/OU=Systems 
Engineering/CN=TDY Test SCA 1
Last Update: Nov 15 21:50:00 2019 GMT
Next Update: Feb 15 21:50:00 2020 GMT
CRL extensions:
X509v3 Authority Key Identifier:

keyid:92:E1:0F:68:37:91:79:4D:CD:B2:FA:1F:C9:56:39:34:A8:AB:45:EA

X509v3 CRL Number:
7
Revoked Certificates:
Serial Number: 0E
Revocation Date: Nov 15 21:49:53 2019 GMT
CRL entry extensions:
Invalidity Date:
Nov 15 21:49:00 2019 GMT
X509v3 CRL Reason Code:
Certificate Hold
Signature Algorithm: sha256WithRSAEncryption

Thanks
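The checks asked about in the "CDP CRL" post (signed by the issuer we trust, nextUpdate not yet passed) and the revocation lookup behind this post, as an added example in Python using the pyca/cryptography package; this is not strongSwan or charon code. The CA, keys and names are constructed here, while the CRL's thisUpdate/nextUpdate, the serial 0E and the certificateHold reason mirror the openssl dump above; the checker also rejects a CRL signed with a key other than the trusted CA's.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
# Constructed timestamps copied from the CRL dump above: a CRL is usable only
# while thisUpdate <= now < nextUpdate.
LAST_UPDATE = dt.datetime(2019, 11, 15, 21, 50, tzinfo=UTC)
NEXT_UPDATE = dt.datetime(2020, 2, 15, 21, 50, tzinfo=UTC)
USER_SERIAL = 0x0E  # serial of the user cert listed in the dump above

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _utc(d):
    # Older cryptography releases return naive UTC datetimes, newer ones aware.
    return d.replace(tzinfo=UTC) if d.tzinfo is None else d.astimezone(UTC)

def make_ca(cn):
    # Constructed self-signed CA with a fresh EC key (hypothetical, not the post's PKI).
    key = ec.generate_private_key(ec.SECP256R1())
    usage = x509.KeyUsage(digital_signature=False, content_commitment=False,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=True, crl_sign=True,
                          encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(LAST_UPDATE - dt.timedelta(days=30))
            .not_valid_after(NEXT_UPDATE + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(signer_key, issuer_cert, revoked_serial, reason):
    # One-entry CRL shaped like the dump above: CRL number and a reason code.
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(revoked_serial)
             .revocation_date(LAST_UPDATE - dt.timedelta(seconds=7))
             .add_extension(x509.CRLReason(reason), critical=False)
             .build())
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(issuer_cert.subject)
            .last_update(LAST_UPDATE).next_update(NEXT_UPDATE)
            .add_extension(x509.CRLNumber(7), critical=False)
            .add_revoked_certificate(entry)
            .sign(signer_key, hashes.SHA256()))

def check_crl(crl, trusted_ca, serial, now):
    """Trust, then freshness, then lookup; an untrusted or stale CRL gives no
    verdict (revoked stays None) rather than a false 'not revoked'."""
    res = {"trusted": False, "fresh": False, "revoked": None, "reason": None}
    # 1. Issued by the CA we trust, which must be allowed to sign CRLs, and the
    #    signature must verify with that CA's public key.
    ku = trusted_ca.extensions.get_extension_for_class(x509.KeyUsage).value
    if crl.issuer != trusted_ca.subject or not ku.crl_sign:
        return res
    if not crl.is_signature_valid(trusted_ca.public_key()):
        return res
    res["trusted"] = True
    # 2. nextUpdate must not have passed; an expired CRL proves nothing and a
    #    fresh one has to be fetched from the distribution point instead.
    last = _utc(getattr(crl, "last_update_utc", None) or crl.last_update)
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update
    if nxt is None or not (last <= now < _utc(nxt)):
        return res
    res["fresh"] = True
    # 3. Lookup by serial; the reason (e.g. certificate_hold) is an entry
    #    extension, as in the openssl output above.
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    res["revoked"] = entry is not None
    if entry is not None:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value
            res["reason"] = reason.reason.name
        except x509.ExtensionNotFound:
            res["reason"] = "unspecified"
    return res

def demo():
    # Scenarios: serial 0E on hold, an unlisted serial, a stale CRL, a forged CRL.
    ca_key, ca_cert = make_ca("TDY Test SCA 1 (constructed)")
    crl = make_crl(ca_key, ca_cert, USER_SERIAL, x509.ReasonFlags.certificate_hold)
    rogue_key, _ = make_ca("TDY Test SCA 1 (constructed)")  # same name, other key
    forged = make_crl(rogue_key, ca_cert, 0x0F, x509.ReasonFlags.key_compromise)
    within = LAST_UPDATE + dt.timedelta(hours=1)
    return {
        "hold_0e": check_crl(crl, ca_cert, USER_SERIAL, within),
        "unlisted": check_crl(crl, ca_cert, 0x0F, within),
        "stale": check_crl(crl, ca_cert, USER_SERIAL, NEXT_UPDATE + dt.timedelta(days=1)),
        "forged": check_crl(forged, ca_cert, 0x0F, within),
    }

if __name__ == "__main__":
    print(demo())
```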



[strongSwan] oscp url

2019-11-13 Thread Modster, Anthony
Hello

? how to specify the protocol types in the URI
Example: file://xxx http://xxx ldap://xxx

authorities..crl_uris

Thanks



Re: [strongSwan] OCSP update dime

2019-11-11 Thread Modster, Anthony
Hello Noel

? any information on this item

-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 6, 2019 3:50 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

I think it takes all of them and tries them in order or something, I'd need to 
look at the code.

On 07.11.19 at 00:11, Modster, Anthony wrote:
> Hello Noel
> 
> If the URLs are not set, ? will strongswan read them from the User Cert
> swanctl: authorities..ocsp_uris “comma-separated list of OCSP URL’s”
> 
> ? would it be the same for CPD
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Wednesday, November 06, 2019 2:52 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Check the man page for swanctl.conf on the system running strongSwan. Search 
> for authorities or scroll to the bottom of the page.
> The possibility to configure CRL and OCSP URIs was added in 5.3.3.
> 
> Kind regards
> 
> Noel
> 
> On 06.11.19 at 23:16, Modster, Anthony wrote:
>> ? where are the configuration parameters for OCSP
>> Note: we are using swanctl (VICI)
>>
>>
>> -Original Message-
>> From: Noel Kuntze  
>> Sent: Wednesday, November 06, 2019 2:13 PM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Answers and question as follows:
>>
>> Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>> A: CRL in ipsec.d/crls or fetched dynamically using configured (in 
>> ipsec.conf ca section or swanctl authority section) CRL URIs or CRL URI 
>> encoded in CA certificate
>>
>> Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>> A: Yes.
>>
>> On 06.11.19 at 22:46, Modster, Anthony wrote:
>>> Thanks
>>> See below (A.M.)
>>>
>>> -Original Message-
>>> From: Noel Kuntze  
>>> Sent: Wednesday, November 06, 2019 1:35 PM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: Re: [strongSwan] OCSP update dime
>>>
>>> Hello Anthony,
>>>
>>> The exact paragraph is
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>>> endpoints more quickly then you > must either dramatically reduce the 
>>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate 
>>>> Status Protocol (OCSP) which will give you realtime information > on the 
>>>> certificate status.
>>>
>>> The paragraph gives you the following information:
>>> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
>>> (does not pertain OCSP)
>>> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>>>
>>> 2) If you need to get new information about revocations sooner than the 
>>> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
>>> file you issue or use OCSP (Online Certificate Status Protocol) instead. 
>>> OCSP works via a HTTP request asking the OCSP responder if a given 
>>> certificate (identified by its hash) is valid at the current time or not.
>>>
>>> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 06.11.19 at 22:31, Modster, Anthony wrote:
>>>> Hello
>>>> ? then what is Andreas referencing, below is the issue reported
>>>> https://wiki.strongswan.org/issues/568 
>>>>
>>>> Hi Jim,
>>>>
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>>> endpoints more quickly then you must either dramatically reduce the 
>>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate 
>>>> Status Protocol (OCSP) which will give you realtime information on the 
>>>> certificate status.
>>>>
>>>> Andreas
>>>>
>>>> -Original Message-
>>>> From: Noel Kuntze  
>>>> Sent: Wednesday, November 06, 2019 1:27 PM
>>>> To: Modster, Anthony ; 
>>>> users@lists.strongswan.org
>>>> Subject: Re: [strongSwan] OCSP update dime
>>>>
>>>> Hello,
>>>>
>>>> The request doesn't really make sense.
>>>> There's no OCSP nextUpdate time, that's part of a CRL.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 06.11.19 at 00:03, Modster, Anthony wrote:
>>>>> Hello
>>>>>
>>>>>  
>>>>>
>>>>> ? what is the nextUpdate time
>>>>>
>>>>> ? is it configurable
>>>>>
>>>>>  
>>>>>
>>>>> https://wiki.strongswan.org/issues/568
>>>>>
>>>>>  
>>>>>
>>>>> Thanks
>>>>>
>>>>>  
>>>>>
>>>>
>>>
>>
> 



Re: [strongSwan] application hook for CPD

2019-11-11 Thread Modster, Anthony
Thanks

-Original Message-
From: Noel Kuntze  
Sent: Monday, November 11, 2019 11:41 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] application hook for CPD

That's what the first sentence is about.

On 11.11.19 at 20:39, Modster, Anthony wrote:
> ? how about the ErrorNotifyPlugin
> 
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Monday, November 11, 2019 11:14 AM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] application hook for CPD
> 
> Hello Anthony,
> 
> Nope, there is no alert for that in error_notify. I didn't find one in the 
> vici plugin sources for CRLs either.
> 
> Kind regards
> Noel
> 
> On 11.11.19 at 19:01, Modster, Anthony wrote:
>> Hello
>>
>>  
>>
>> Is there any information on this item?
>>
>>  
>>
>> Also, ? is there an event notification for CPD loading
>>
>> if a CRL is in cache memory and has not expired, and a CPD is uploaded.
>>
>>  
>>
>> *From:* Modster, Anthony
>> *Sent:* Friday, November 08, 2019 9:41 AM
>> *To:* users@lists.strongswan.org
>> *Subject:* application hook for CPD
>>
>>  
>>
>> Hello
>>
>>  
>>
>> ? does VICI or “error notify plugin” provide a callback when CPD has loaded 
>> a CRL
>>
>>  
>>
>> CDP enabled
>>
>> There is a loaded CRL in memory, and has expired
>>
>> CPD loads a new CRL
>>
>>  
>>
>> Note: In this case charon will only load to memory the new CRL, if expired, 
>> or the cache has been flushed manually.
>>
>>  
>>
>> Thanks
>>
>>  
>>
>>  
>>
> 



Re: [strongSwan] application hook for CPD

2019-11-11 Thread Modster, Anthony
? how about the ErrorNotifyPlugin


-Original Message-
From: Noel Kuntze  
Sent: Monday, November 11, 2019 11:14 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] application hook for CPD

Hello Anthony,

Nope, there is no alert for that in error_notify. I didn't find one in the vici 
plugin sources for CRLs either.

Kind regards
Noel

On 11.11.19 at 19:01, Modster, Anthony wrote:
> Hello
> 
>  
> 
> Is there any information on this item?
> 
>  
> 
> Also, ? is there an event notification for CPD loading
> 
> if a CRL is in cache memory and has not expired, and a CPD is uploaded.
> 
>  
> 
> *From:* Modster, Anthony
> *Sent:* Friday, November 08, 2019 9:41 AM
> *To:* users@lists.strongswan.org
> *Subject:* application hook for CPD
> 
>  
> 
> Hello
> 
>  
> 
> ? does VICI or “error notify plugin” provide a callback when CPD has loaded a 
> CRL
> 
>  
> 
> CDP enabled
> 
> There is a loaded CRL in memory, and has expired
> 
> CPD loads a new CRL
> 
>  
> 
> Note: In this case charon will only load to memory the new CRL, if expired, 
> or the cache has been flushed manually.
> 
>  
> 
> Thanks
> 
>  
> 
>  
> 



Re: [strongSwan] application hook for CPD

2019-11-11 Thread Modster, Anthony
Hello

Is there any information on this item?

Also, ? is there an event notification for CPD loading
if a CRL is in cache memory and has not expired, and a CPD is uploaded.

From: Modster, Anthony
Sent: Friday, November 08, 2019 9:41 AM
To: users@lists.strongswan.org
Subject: application hook for CPD

Hello

? does VICI or "error notify plugin" provide a callback when CPD has loaded a 
CRL

CDP enabled
There is a loaded CRL in memory, and has expired
CPD loads a new CRL

Note: In this case charon will only load to memory the new CRL, if expired, or 
the cache has been flushed manually.

Thanks




Re: [strongSwan] vici functions thread safe

2019-11-08 Thread Modster, Anthony
Sorry, I found the answer, forgot I already asked this question

https://lists.strongswan.org/pipermail/users/2017-September/011496.html


From: Modster, Anthony
Sent: Friday, November 08, 2019 2:07 PM
To: users@lists.strongswan.org
Subject: vici functions thread safe

Hello

? are the following VICI functions thread safe

vici_connect()
vici_disconnect()
terminate_conn()
load_conn()
init_conn()

Thanks



[strongSwan] vici functions thread safe

2019-11-08 Thread Modster, Anthony
Hello

? are the following VICI functions thread safe

vici_connect()
vici_disconnect()
terminate_conn()
load_conn()
init_conn()

Thanks



Re: [strongSwan] OCSP nonce parameter

2019-11-08 Thread Modster, Anthony
? is there a possibility of a patch to allow checking the received nonce

-Original Message-
From: Tobias Brunner  
Sent: Thursday, November 07, 2019 11:27 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP nonce parameter

---External Email---

Hi Anthony,

> When using OCSP, ? is the nonce parameter always set.

Yes, the x509 plugin always adds a random nonce.  It doesn't seem to be 
used/checked later, though.

Regards,
Tobias


[strongSwan] application hook for CPD

2019-11-08 Thread Modster, Anthony
Hello

? does VICI or "error notify plugin" provide a callback when CPD has loaded a 
CRL

CDP enabled
There is a loaded CRL in memory, and has expired
CPD loads a new CRL

Note: In this case charon will only load to memory the new CRL, if expired, or 
the cache has been flushed manually.

Thanks




[strongSwan] OCSP nonce parameter

2019-11-07 Thread Modster, Anthony
Hello

When using OCSP, ? is the nonce parameter always set.



Re: [strongSwan] OCSP update dime

2019-11-06 Thread Modster, Anthony
Hello Noel

If the URLs are not set, ? will strongswan read them from the User Cert
swanctl: authorities..ocsp_uris “comma-separated list of OCSP URL’s”

? would it be the same for CPD

-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 06, 2019 2:52 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

Check the man page for swanctl.conf on the system running strongSwan. Search 
for authorities or scroll to the bottom of the page.
The possibility to configure CRL and OCSP URIs was added in 5.3.3.

Kind regards

Noel

On 06.11.19 at 23:16, Modster, Anthony wrote:
> ? where are the configuration parameters for OCSP
> Note: we are using swanctl (VICI)
> 
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Wednesday, November 06, 2019 2:13 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Answers and question as follows:
> 
> Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
> A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf 
> ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA 
> certificate
> 
> Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
> A: Yes.
> 
> On 06.11.19 at 22:46, Modster, Anthony wrote:
>> Thanks
>> See below (A.M.)
>>
>> -Original Message-
>> From: Noel Kuntze  
>> Sent: Wednesday, November 06, 2019 1:35 PM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Hello Anthony,
>>
>> The exact paragraph is
>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>> endpoints more quickly then you > must either dramatically reduce the 
>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate Status 
>>> Protocol (OCSP) which will give you realtime information > on the 
>>> certificate status.
>>
>> The paragraph gives you the following information:
>> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
>> (does not pertain OCSP)
>> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>>
>> 2) If you need to get new information about revocations sooner than the 
>> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
>> file you issue or use OCSP (Online Certificate Status Protocol) instead. 
>> OCSP works via a HTTP request asking the OCSP responder if a given 
>> certificate (identified by its hash) is valid at the current time or not.
>>
>> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>>
>> Kind regards
>>
>> Noel
>>
>> On 06.11.19 at 22:31, Modster, Anthony wrote:
>>> Hello
>>> ? then what is Andreas referencing, below is the issue reported
>>> https://wiki.strongswan.org/issues/568 
>>>
>>> Hi Jim,
>>>
>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>> endpoints more quickly then you must either dramatically reduce the 
>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate Status 
>>> Protocol (OCSP) which will give you realtime information on the certificate 
>>> status.
>>>
>>> Andreas
>>>
>>> -Original Message-
>>> From: Noel Kuntze  
>>> Sent: Wednesday, November 06, 2019 1:27 PM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: Re: [strongSwan] OCSP update dime
>>>
>>> Hello,
>>>
>>> The request doesn't really make sense.
>>> There's no OCSP nextUpdate time, that's part of a CRL.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 06.11.19 at 00:03, Modster, Anthony wrote:
>>>> Hello
>>>>
>>>>  
>>>>
>>>> ? what is the nextUpdate time
>>>>
>>>> ? is it configurable
>>>>
>>>>  
>>>>
>>>> https://wiki.strongswan.org/issues/568
>>>>
>>>>  
>>>>
>>>> Thanks
>>>>
>>>>  
>>>>
>>>
>>
> 



Re: [strongSwan] OCSP update dime

2019-11-06 Thread Modster, Anthony
thanks

-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 06, 2019 2:52 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

Check the man page for swanctl.conf on the system running strongSwan. Search 
for authorities or scroll to the bottom of the page.
The possibility to configure CRL and OCSP URIs was added in 5.3.3.

Kind regards

Noel

On 06.11.19 at 23:16, Modster, Anthony wrote:
> ? where are the configuration parameters for OCSP
> Note: we are using swanctl (VICI)
> 
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Wednesday, November 06, 2019 2:13 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Answers and question as follows:
> 
> Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
> A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf 
> ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA 
> certificate
> 
> Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
> A: Yes.
> 
> On 06.11.19 at 22:46, Modster, Anthony wrote:
>> Thanks
>> See below (A.M.)
>>
>> -Original Message-
>> From: Noel Kuntze  
>> Sent: Wednesday, November 06, 2019 1:35 PM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Hello Anthony,
>>
>> The exact paragraph is
>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>> endpoints more quickly then you > must either dramatically reduce the 
>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate Status 
>>> Protocol (OCSP) which will give you realtime information > on the 
>>> certificate status.
>>
>> The paragraph gives you the following information:
>> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
>> (does not pertain OCSP)
>> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>>
>> 2) If you need to get new information about revocations sooner than the 
>> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
>> file you issue or use OCSP (Online Certificate Status Protocol) instead. 
>> OCSP works via a HTTP request asking the OCSP responder if a given 
>> certificate (identified by its hash) is valid at the current time or not.
>>
>> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>>
>> Kind regards
>>
>> Noel
>>
>> On 06.11.19 at 22:31, Modster, Anthony wrote:
>>> Hello
>>> ? then what is Andreas referencing, below is the issue reported
>>> https://wiki.strongswan.org/issues/568 
>>>
>>> Hi Jim,
>>>
>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>> endpoints more quickly then you must either dramatically reduce the 
>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate Status 
>>> Protocol (OCSP) which will give you realtime information on the certificate 
>>> status.
>>>
>>> Andreas
>>>
>>> -Original Message-
>>> From: Noel Kuntze  
>>> Sent: Wednesday, November 06, 2019 1:27 PM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: Re: [strongSwan] OCSP update dime
>>>
>>> Hello,
>>>
>>> The request doesn't really make sense.
>>> There's no OCSP nextUpdate time, that's part of a CRL.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 06.11.19 at 00:03, Modster, Anthony wrote:
>>>> Hello
>>>>
>>>>  
>>>>
>>>> ? what is the nextUpdate time
>>>>
>>>> ? is it configurable
>>>>
>>>>  
>>>>
>>>> https://wiki.strongswan.org/issues/568
>>>>
>>>>  
>>>>
>>>> Thanks
>>>>
>>>>  
>>>>
>>>
>>
> 



Re: [strongSwan] OCSP update dime

2019-11-06 Thread Modster, Anthony
? where are the configuration parameters for OCSP
Note: we are using swanctl (VICI)


-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 06, 2019 2:13 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

Answers and question as follows:

Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf 
ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA 
certificate

Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
A: Yes.

On 06.11.19 at 22:46, Modster, Anthony wrote:
> Thanks
> See below (A.M.)
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Wednesday, November 06, 2019 1:35 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Hello Anthony,
> 
> The exact paragraph is
>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>> nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
>> more quickly then you must either dramatically reduce the lifetime of a 
>> CRL e.g. down to an hour or use the Online Certificate Status Protocol 
>> (OCSP) which will give you realtime information on the certificate status.
> 
> The paragraph gives you the following information:
> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
> (does not pertain OCSP)
> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
> 
> 2) If you need to get new information about revocations sooner than the 
> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
> file you issue or use OCSP (Online Certificate Status Protocol) instead. OCSP 
> works via a HTTP request asking the OCSP responder if a given certificate 
> (identified by its hash) is valid at the current time or not.
> 
> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
> 
> Kind regards
> 
> Noel
> 
> Am 06.11.19 um 22:31 schrieb Modster, Anthony:
>> Hello
>> ? then what is Andreas referencing, below is the issue reported
>> https://wiki.strongswan.org/issues/568 
>>
>> Hi Jim,
>>
>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>> nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
>> more quickly then you must either dramatically reduce the lifetime of a CRL 
>> e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) 
>> which will give you realtime information on the certificate status.
>>
>> Andreas
>>
>> -Original Message-
>> From: Noel Kuntze  
>> Sent: Wednesday, November 06, 2019 1:27 PM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Hello,
>>
>> The request doesn't really make sense.
>> There's no OCSP nextUpdate time, that's part of a CRL.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 06.11.19 um 00:03 schrieb Modster, Anthony:
>>> Hello
>>>
>>>  
>>>
>>> ? what is the nextUpdate time
>>>
>>> ? is it configurable
>>>
>>>  
>>>
>>> https://wiki.strongswan.org/issues/568
>>>
>>>  
>>>
>>> Thanks
>>>
>>>  
>>>
>>
> 



Re: [strongSwan] OCSP update dime

2019-11-06 Thread Modster, Anthony
Thanks
See below (A.M.)

-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 06, 2019 1:35 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

Hello Anthony,

The exact paragraph is
> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
> nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
> more quickly then you must either dramatically reduce the lifetime of a CRL 
> e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) 
> which will give you realtime information on the certificate status.

The paragraph gives you the following information:
1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
(does not pertain OCSP)
(A.M.) ? are the methods of fetch: CPD and x509 CRL directory

2) If you need to get new information about revocations sooner than the 
nextUpdate time, then either decrease the nextUpdate time in the next CRL file 
you issue or use OCSP (Online Certificate Status Protocol) instead. OCSP works 
via a HTTP request asking the OCSP responder if a given certificate (identified 
by its hash) is valid at the current time or not.

(A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL

Kind regards

Noel

Am 06.11.19 um 22:31 schrieb Modster, Anthony:
> Hello
> ? then what is Andreas referencing, below is the issue reported
> https://wiki.strongswan.org/issues/568 
> 
> Hi Jim,
> 
> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
> nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
> more quickly then you must either dramatically reduce the lifetime of a CRL 
> e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) 
> which will give you realtime information on the certificate status.
> 
> Andreas
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Wednesday, November 06, 2019 1:27 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Hello,
> 
> The request doesn't really make sense.
> There's no OCSP nextUpdate time, that's part of a CRL.
> 
> Kind regards
> 
> Noel
> 
> Am 06.11.19 um 00:03 schrieb Modster, Anthony:
>> Hello
>>
>>  
>>
>> ? what is the nextUpdate time
>>
>> ? is it configurable
>>
>>  
>>
>> https://wiki.strongswan.org/issues/568
>>
>>  
>>
>> Thanks
>>
>>  
>>
> 



Re: [strongSwan] OCSP update dime

2019-11-06 Thread Modster, Anthony
Hello
? then what is Andreas referencing, below is the issue reported
https://wiki.strongswan.org/issues/568 

Hi Jim,

the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
more quickly then you must either dramatically reduce the lifetime of a CRL 
e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which 
will give you realtime information on the certificate status.

Andreas

-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 06, 2019 1:27 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

Hello,

The request doesn't really make sense.
There's no OCSP nextUpdate time, that's part of a CRL.

Kind regards

Noel

Am 06.11.19 um 00:03 schrieb Modster, Anthony:
> Hello
> 
>  
> 
> ? what is the nextUpdate time
> 
> ? is it configurable
> 
>  
> 
> https://wiki.strongswan.org/issues/568
> 
>  
> 
> Thanks
> 
>  
> 



[strongSwan] OCSP update dime

2019-11-05 Thread Modster, Anthony
Hello

? what is the nextUpdate time
? is it configurable

https://wiki.strongswan.org/issues/568

Thanks



[strongSwan] CRL loading

2019-11-05 Thread Modster, Anthony
Hello

? does this item affect our version of strongswan 5.5.1

https://wiki.strongswan.org/issues/354

If so, ? was there a CRL already loaded before the connection attempt was made

? are there any other issues when using OCSP for strongswan 5.5.1

Thanks




Re: [strongSwan] DNS support

2019-09-16 Thread Modster, Anthony
Hello Tobias

? what are the possible fetcher plugins for CRLs and OCSP

-Original Message-
From: Tobias Brunner  
Sent: Monday, September 16, 2019 1:33 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] DNS support

---External Email---

Hi Anthony,

> ? does strongswan support “HTTPS DNS”
> 
> Will be using it for: OCSP, CRL and “VICI struct 
> s_connection_parameters:remote_address”

strongSwan doesn't resolve hostnames itself but uses getaddrinfo(3).  So it 
depends on how resolvers are configured on the local machine (and the abilities 
of the involved resolver(s)).  And when using CRLs and OCSP it depends on the 
fetcher plugin and the external library it uses (e.g.
libcurl) how the respective hostnames are resolved (might also be getaddrinfo, 
though).

Regards,
Tobias


[strongSwan] DNS support

2019-09-13 Thread Modster, Anthony
Hello

? does strongswan support "HTTPS DNS"

Will be using it for: OCSP, CRL and "VICI struct 
s_connection_parameters:remote_address"




Re: [strongSwan] error handling

2019-06-26 Thread Modster, Anthony
Hello Tobias

? will the below error cause the ErrorNotifyPlugin to generate an error

13[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TLS ]
13[IKE] reinitiating already active tasks
13[IKE]   IKE_AUTH task
13[ENC] generating IKE_AUTH request 9 [ EAP/RES/TLS ]
13[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (1104 
bytes)
08[NET] received packet: from 76.232.248.219[4500] to 192.168.29.129[4500] (80 
bytes)
08[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TLS ]
08[IKE] reinitiating already active tasks
08[IKE]   IKE_AUTH task
08[ENC] generating IKE_AUTH request 10 [ EAP/RES/TLS ]
08[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (528 
bytes)
11[IKE] retransmit 1 of request with message ID 10
11[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (528 
bytes)
12[NET] received packet: from 76.232.248.219[4500] to 192.168.29.129[4500] (96 
bytes)
12[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TLS ]
12[TLS] received fatal TLS alert 'access denied'
12[IKE] EAP_TLS method failed
12[ENC] generating INFORMATIONAL request 11 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (80 
bytes)
12[IKE] IKE_SA ELS-VPAPP-WGL08[1] state change: CONNECTING => DESTROYING


-Original Message-
From: Modster, Anthony 
Sent: Wednesday, June 26, 2019 9:19 AM
To: 'Tobias Brunner' ; users@lists.strongswan.org
Cc: Mesfin Amare 
Subject: RE: [strongSwan] error handling

Thanks

Our systems group will be testing most (if not all the errors).

But it takes them a while to create all the test cases (we need to test CISCO 
and Windows gateways).

-Original Message-
From: Tobias Brunner 
Sent: Wednesday, June 26, 2019 1:22 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] error handling

---External Email---

Hi Anthony,

> ? will our application be able to detect them using either: VICI “event 
> callbacks” or “ErrorNotifyPlugin”

Why not just try it?

> Inacceptable Constraint check failed

You can't detect that specific error but ERROR_NOTIFY_PEER_AUTH_FAILED will be 
triggered.

> IKE AUTH response errors

This triggers ERROR_NOTIFY_LOCAL_AUTH_FAILED.

Regards,
Tobias


Re: [strongSwan] error handling

2019-06-26 Thread Modster, Anthony
Thanks

Our systems group will be testing most (if not all the errors).

But it takes them a while to create all the test cases (we need to test CISCO 
and Windows gateways).

-Original Message-
From: Tobias Brunner  
Sent: Wednesday, June 26, 2019 1:22 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] error handling

---External Email---

Hi Anthony,

> ? will our application be able to detect them using either: VICI “event 
> callbacks” or “ErrorNotifyPlugin”

Why not just try it?

> Inacceptable Constraint check failed

You can't detect that specific error but ERROR_NOTIFY_PEER_AUTH_FAILED will be 
triggered.

> IKE AUTH response errors

This triggers ERROR_NOTIFY_LOCAL_AUTH_FAILED.

Regards,
Tobias


[strongSwan] error handling

2019-06-25 Thread Modster, Anthony
Hello

When the errors below occur.
? will our application be able to detect them using either: VICI "event 
callbacks" or "ErrorNotifyPlugin"
If so, which error flags should be monitored.

Inacceptable Constraint check failed
charon [info] 13[CFG] constraint check failed: identity \'C=US, O=Teledyne 
Controls Engineering, OU=Systems Engineering, CN=ELS-VPAPP-WGL08 - ID, 
OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, 
CN=ELS-VPAPP-WGL08 - ID\' required
charon [info] 13[CFG] selected peer config \'sgateway2-radio2\' inacceptable: 
constraint checking failed

IKE AUTH response errors
10[ENC] parsed IKE_AUTH response 1 [ N(MS_STATUS(13819)) ]
10[IKE] received MS_NOTIFY_STATUS notify error
or
12[ENC] parsed IKE_AUTH response 1 [ N(MS_STATUS(13806)) ]
12[IKE] received MS_NOTIFY_STATUS notify error

Thanks




Re: [strongSwan] ErrorNotifyPlugin error code

2019-06-25 Thread Modster, Anthony
Hello

? any information on the below

From: Modster, Anthony
Sent: Thursday, June 20, 2019 8:03 AM
To: users@lists.strongswan.org
Subject: ErrorNotifyPlugin error code

Hello

?  is there a detailed description on the causes for the ErrorNotifyPlugins 
error codes below

ERROR_NOTIFY_RADIUS_NOT_RESPONDING = 1
ERROR_NOTIFY_LOCAL_AUTH_FAILED = 2 -
ERROR_NOTIFY_PEER_AUTH_FAILED = 3   -
ERROR_NOTIFY_PARSE_ERROR_HEADER = 4
ERROR_NOTIFY_PARSE_ERROR_BODY = 5
ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT = 6
ERROR_NOTIFY_HALF_OPEN_TIMEOUT = 7
ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE = 8
ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD = 9
ERROR_NOTIFY_TS_MISMATCH = 10
ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED = 11
ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED = 12
ERROR_NOTIFY_UNIQUE_REPLACE = 13
ERROR_NOTIFY_UNIQUE_KEEP = 14
ERROR_NOTIFY_VIP_FAILURE = 15
ERROR_NOTIFY_AUTHORIZATION_FAILED = 16
ERROR_NOTIFY_CERT_EXPIRED = 17
ERROR_NOTIFY_CERT_REVOKED = 18
ERROR_NOTIFY_NO_ISSUER_CERT = 19
ERROR_NOTIFY_RETRANSMIT_SEND = 20

Thanks



[strongSwan] ErrorNotify plugin

2019-06-17 Thread Modster, Anthony
Hello

We started using the ErrorNotifyPlugin.

I have noticed that sometimes the charon.enfy does not get created.
Note: the VPN tunnel is up and running

Prototyping strongswan ErrorNotifyPlugin
   Location of information files:
  /var/volatile/run/charon.enfy
  /var/volatile/run/charon.pid

int EventMonitor::MakeConnection()  sun_path=/var/volatile/run/charon.enfy.
int EventMonitor::MakeConnection() connecting failed: No such file or directory.
static void* EventMonitor::EventMonitorHandler(void*) not connected to charon.

Note: the pid file is ok
root@wglng-17:~# more /var/volatile/run/charon.pid
8212

Thanks



Re: [strongSwan] expired CRL

2019-06-13 Thread Modster, Anthony
Tobias
If we have a CRL that revoked a "secure gateway", and later the CRL expired.

? will strongswan still use the expired CRL

We still want strongswan to use the CRL to revoke.

-Original Message-
From: Tobias Brunner  
Sent: Thursday, June 13, 2019 1:28 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] expired CRL

---External Email---

Hi Anthony,

> ? is there a swanctl configuration setting, that if enabled will allow 
> an expired CRL to be used

In what way?

Regards,
Tobias


[strongSwan] expired CRL

2019-06-12 Thread Modster, Anthony
Hello

? is there a swanctl configuration setting, that if enabled will allow an 
expired CRL to be used

Thanks



Re: [strongSwan] VICI event callbacks

2019-06-12 Thread Modster, Anthony
Tobias

? does this replace VICI, “event callbacks”

This is what we are currently using.

-Original Message-
From: Tobias Brunner  
Sent: Wednesday, June 12, 2019 1:35 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VICI event callbacks

---External Email---

Hi Anthony,

> 1. Gateway rejected the connection attempt due to authentication failure

You need to use the error-notify plugin [1] for this.

> 2. COMM+ rejected the connection attempt due to the following errors:

Same as above.

> 3. No response from gateway

Same as above.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ErrorNotifyPlugin


[strongSwan] VICI event callbacks

2019-06-11 Thread Modster, Anthony
Hello

Our application is using strongswan VICI, event callbacks for VPN status.

The following events we want to detect using the "event callbacks".

? is the below possible, and what parameters in the "event callback" should we 
monitor.

Itemized list of conditions that trigger switching from VPN mode to non-VPN 
mode:

1. Gateway rejected the connection attempt due to authentication failure
   UPN not approved client in gateway configuration
   COMM+ cert revoked

2. COMM+ rejected the connection attempt due to the following errors:
   algorithm mismatch?
   right id mismatch with received certificate DN
   gateway certificate revoked

3. No response from gateway
   initial VPN connection attempt (no response to IKE_INIT, no response to 
subsequent packets)

Note:

  *   current version is: strongswan swanctl 5.5.1

Thanks



Re: [strongSwan] EU and EKU

2019-06-11 Thread Modster, Anthony
Hello Tobias

? is this true, that strongSwan does not check the peer certificate KU and 
EKU during the initial IPsec VPN connection (i.e., the "IPSec client" only 
checks the Subject Distinguished Name (SDN) of the peer certificate).

We want to see if the "IPSec client" can be altered to check KU and EKU fields 
of the peer certificate (in addition to SDN). 

NOTE: Current "IPSec gateway" certificate key usage is "digitalSignature and 
key encipherment" and EKU is "id-kp-clientAuth {1.3.6.1.5.5.7.3.2}; 
id-kp-serverAuth {1.3.6.1.5.5.7.3.1}; iKEIntermediate {1.3.6.1.5.5.8.2.2}; 
id-kp-ipsecIKE {1.3.6.1.5.5.7.3.17}".  And we want to make sure that during the 
VPN connection initiation, the "IPSec gateway" certificate has the right KU and 
EKU set in the certificate field.

Thanks

-Original Message-
From: Tobias Brunner  
Sent: Wednesday, June 05, 2019 1:10 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] EU and EKU

---External Email---

Hi Anthony,

> ? does the latest version of strongswan provide better “checking of 
> the peer certificate EU and EKU”

I guess you mean KU not EU.  But what exactly do you mean with "better"?

The cRLSign KU bit is used in revocation checking (if a CRL is not signed by 
the CA).  And since 5.6.3, in compliance with RFC 4945, section 5.1.3.2, 
certificates either must not contain a KU extension (like the ones generated by 
pki), or have at least one of the digitalSignature or nonRepudiation bits set.

The only EKU that's used is OCSPSigning for revocation checking (analogous to 
the cRLSign KU).

Regards,
Tobias
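As an added example (not strongSwan code, and not something charon does beyond the RFC 4945 rule Tobias describes), the two checks discussed here applied to hand-constructed DER extension values: the RFC 4945 key-usage rule, and the stricter EKU policy Anthony asks about, written as a local check a client could apply to a gateway certificate. The DER blobs, the REQUIRED_GATEWAY_EKUS policy set and all function names are this example's own assumptions.

```python
"""Decode X.509 KeyUsage / ExtendedKeyUsage extension values and apply the
checks discussed in this thread.  Added example, not strongSwan code; the DER
values below were constructed by hand for illustration."""

# KeyUsage bit positions (RFC 5280, section 4.2.1.3).
KU_BITS = {0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
           3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
           6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly"}

# Extended key usage OIDs named in the thread.
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
             "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
             "1.3.6.1.5.5.7.3.9": "id-kp-OCSPSigning",
             "1.3.6.1.5.5.7.3.17": "id-kp-ipsecIKE",
             "1.3.6.1.5.5.8.2.2": "iKEIntermediate"}


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts, value = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_key_usage(der):
    """KeyUsage is a BIT STRING; bit 0 is the MSB of the first data octet."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits, names = body[0], body[1:], set()
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KU_BITS.get(i, "bit%d" % i))
    return names


def decode_ext_key_usage(der):
    """ExtKeyUsage is a SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage members must be OIDs")
        oids.append(decode_oid(content))
    return oids


def ku_ok_for_ike(ku_der):
    """The RFC 4945 5.1.3.2 rule as stated above: no KeyUsage extension at
    all, or at least one of digitalSignature / nonRepudiation set."""
    if ku_der is None:
        return True
    return bool(decode_key_usage(ku_der) & {"digitalSignature", "nonRepudiation"})


def missing_ekus(eku_der, required):
    """Hypothetical local policy (not something charon enforces): the required
    EKU OIDs the certificate lacks.  No EKU extension means all are missing."""
    present = set(decode_ext_key_usage(eku_der)) if eku_der is not None else set()
    return set(required) - present


# Constructed samples mirroring the gateway certificate described above.
KU_GATEWAY = bytes.fromhex("030205a0")        # digitalSignature + keyEncipherment
KU_ENCIPHER_ONLY = bytes.fromhex("03020520")  # keyEncipherment only: rule fails
EKU_GATEWAY = bytes.fromhex("3028"
                            "06082b06010505070302"   # id-kp-clientAuth
                            "06082b06010505070301"   # id-kp-serverAuth
                            "06082b06010505080202"   # iKEIntermediate
                            "06082b06010505070311")  # id-kp-ipsecIKE
REQUIRED_GATEWAY_EKUS = {"1.3.6.1.5.5.7.3.17", "1.3.6.1.5.5.7.3.1"}  # assumed policy

if __name__ == "__main__":
    print("KU bits:", sorted(decode_key_usage(KU_GATEWAY)))
    print("EKUs:", [EKU_NAMES.get(o, o) for o in decode_ext_key_usage(EKU_GATEWAY)])
    print("RFC 4945 KU rule ok:", ku_ok_for_ike(KU_GATEWAY))
    print("missing EKUs:", missing_ekus(EKU_GATEWAY, REQUIRED_GATEWAY_EKUS))
```

The raw extension values can be taken from any DER parser; the point of the sample CA-style KeyUsage (`03020106`, keyCertSign + cRLSign) is that it would fail the end-entity rule while being exactly what the cRLSign check on a CRL issuer looks for.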


[strongSwan] VPN tunnel firewall rules

2019-06-05 Thread Modster, Anthony
Hello

? can strongswan set firewall policies

Looking for a way to set the firewall to block all traffic inside the VPN 
tunnel, except for what is expected.

I could use the swanctl.conf "connections.<conn>.children.<child>.updown" 
scripts and add iptables rules there.

Thanks



[strongSwan] EU and EKU

2019-06-04 Thread Modster, Anthony
Hello

? does the latest version of strongswan provide better "checking of the peer 
certificate EU and EKU"

Our current version is: strongswan swanctl 5.5.1




Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Thanks

-Original Message-
From: Tobias Brunner  
Sent: Thursday, May 09, 2019 9:26 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,
> If a CRL comes in, then I think we would need to do the following:
> 1. create "authorities section" "crl_uris = file:///xxx" in swanctl.conf
> 2. --load-authorities
> 3. --load-creds

You don't need step 3 if you use file URIs, the CRL is fetched dynamically 
during authentication (if you update the CRL, while the old one is still valid 
for a while, you need to flush the cache, as pointed out before).  And if you, 
alternatively, store the CRL in x509crl then you only need step 3 (and, again, 
perhaps flush the cache).

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Tobias
Sorry (round 2)

Item 2, using "authorities section" "crl_uris = file:///xxx"
If the host does not have a CRL, then the "authorities section" will not be 
loaded by our host.

If a CRL comes in, then I think we would need to do the following:
1. create "authorities section" "crl_uris = file:///xxx" in swanctl.conf
2. --load-authorities 
3. --load-creds

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Thursday, May 09, 2019 8:09 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and 
> "authorities section" "crl_uirs = fill:///xxx", ? will charon 
> automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache has been 
flushed manually.

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Thanks

-Original Message-
From: Tobias Brunner  
Sent: Thursday, May 09, 2019 8:32 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,

> ? for the CRL cases below, does the host need to "drop the connection" 
> for the CRL updates

The new CRL will currently only have an effect on new connections.  So if the 
certificate of a peer who currently is connected is revoked, this will not have 
an effect until that peer re-authenticates (i.e. until it creates a new IKE_SA).

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Tobias
Sorry one other question.

? for the CRL cases below, does the host need to "drop the connection" for the 
CRL updates

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Thursday, May 09, 2019 8:09 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and 
> "authorities section" "crl_uirs = fill:///xxx", ? will charon 
> automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache has been 
flushed manually.

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Thanks

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Thursday, May 09, 2019 8:09 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and 
> "authorities section" "crl_uirs = fill:///xxx", ? will charon 
> automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache has been 
flushed manually.

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Tobias
Item 1, if a new CRL is copied to the x509crl directory, "authorities section" 
not configured, ? will charon automatically re-load the CRL

Item 2, if a new CRL is copied to the "assigned location", and "authorities 
section" "crl_uris = file:///xxx", ? will charon automatically re-load the CRL

-Original Message-
From: Tobias Brunner  
Sent: Thursday, May 09, 2019 12:59 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,

> ? does charon reload the CRL during ( re-authentication and 
> re-connection )

Not if a valid CRL is still stored in the in-memory cache (which can be cleared 
via `ipsec purgecrls` or `swanctl --flush-certs -t x509_crl`).

> If new CRL’s arrive, ? will charon use them during ( re-authentication 
> and re-connection ).

Arrive how?

Regards,
Tobias


[strongSwan] charon and CRL loading

2019-05-08 Thread Modster, Anthony
Hello

? does charon reload the CRL during ( re-authentication and re-connection )

VPN tunnels are up, and initial CRL's are loaded.

If new CRL's arrive, ? will charon use them during ( re-authentication and 
re-connection ).

Thanks



Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-29 Thread Modster, Anthony
Thanks

-Original Message-
From: Tobias Brunner  
Sent: Thursday, November 29, 2018 5:12 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Wong, Richard 
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would 
> this help)

That doesn't make a difference.  As mentioned, only the identity is relevant on 
the client.  So unless you can get the server to send a TLS certificate request 
only for a specific intermediate CA you can't control the client's certificate 
selection if you use the same identity for both end-entity certificates.  
Similarly, on the server side, where strongSwan sends TLS certificate requests 
for all available CA certificates (i.e. like the certs option, the cacerts 
option is only relevant for IKE, not for EAP-TLS).

Regards,
Tobias


Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-28 Thread Modster, Anthony
Hello Tobias

? can VICI be configured to load a specific SCA cert per VPN (would this help)

-Original Message-
From: Tobias Brunner  
Sent: Wednesday, November 28, 2018 2:21 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

As I suspected, you use the same identity for the two end-entity certificates 
that are signed by different intermediate CAs:

> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 1"
> ...
> altNames:  ra00...@teledyne.com
> ...

> ipsec pki --print -i /etc/swanctl/x509/Org2.crt
> subject:  "CN=RA00017.auth, ..."
> issuer:   "..., CN=TDY Test SCA 4"
> ...
> altNames:  ra00...@teledyne.com
> ...

The configured identity is ra00...@teledyne.com in both configs, that you also 
configure a different certificate explicitly doesn't matter because EAP-TLS 
currently doesn't use that setting (the lookup is done based on the configured 
identity only).  Certificate requests should be considered, but if the cert 
request is for the root CA that won't help (it might even depend on the order 
of the certificate requests if multiple are received).

Regards,
Tobias


Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-27 Thread Modster, Anthony
Hello Tobias
? did you get my last email with attachments

-Original Message-
From: Modster, Anthony 
Sent: Monday, November 26, 2018 3:46 PM
To: 'Tobias Brunner' ; users@lists.strongswan.org
Subject: RE: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hello Tobias
Sorry for the late reply, I was on vacation.
Let me know if you get this email and all attachments.

Attached are the credentials in both locations on the target ".tar".

Also attached is the credentials dumped using "ipsec pki --print".

Provide certificates to strongswan
•   swanctl.tar ipsecd.tar
More cert information
•   ipsec pki --print -i /etc/swanctl/x509/Org1.crt
•   ipsec pki --print -i /etc/swanctl/x509ca/Org1.sca1
•   ipsec pki --print -i /etc/swanctl/x509ca/Org1.ta
•   ipsec pki --print -i /etc/swanctl/x509/Org2.crt
•   ipsec pki --print -i /etc/swanctl/x509ca/Org2.sca1
•   ipsec pki --print -i /etc/swanctl/x509ca/Org2.ta
•   https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiPrint
Debug for configured certificates/identities in struct s_connection_parameters
•   vici_do_connect() conn_name=sgateway1-radio2 ike_version=2 
local_addrs=10.20.64.145 remote_addrs=76.232.248.196 eap_id= 
proposals=aes256-sha512-sha384-ecp256-sha256-modp2048-prfsha1 
ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org1.crt 
local_id=ra00...@teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, 
OU=Systems Engineering, CN=WGL196 - ID, OU=Devices, OU=Aircraft Operator Ground 
Stations, OU=Teledyne Controls esp_proposals=aes256-sha1 child_local_ts= 
child_remote_ts=80.80.80.15 child_rekey_time=0 left_auth=pubkey mobike=no 
dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0
•   vici_do_connect() conn_name=sgateway2-radio2 ike_version=2 
local_addrs=10.20.64.145 remote_addrs=76.232.248.211 eap_id= 
proposals=aes256-sha384-modp2048 ike_reauth_time=240m ike_rekey_time=0 
local_cert=/etc/swanctl/x509/Org2.crt local_id=ra00...@teledyne.com 
remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, 
OU=Teledyne Controls esp_proposals=aes256-sha256-sha1 child_local_ts= 
child_remote_ts=172.16.207.140 child_rekey_time=0 left_auth=eap mobike=no 
dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0

Thanks

-Original Message-
From: Tobias Brunner  
Sent: Monday, November 19, 2018 3:00 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> For this setup our credential directory looks like this
> /media/sde1/certs/Org1:
> Org1.chain  Org1.crt  Org1.key  Org1.sca1  Org1.ta
> /media/sde1/certs/Org2:
> Org2.chain  Org2.crt  Org2.key  Org2.sca2  Org2.ta
> 
> So we only load the "user cert" using VICI, we're letting charon select the 
> correct key and sca.

Could you please provide more information on these certificate chains 
(preferably the files themselves, but output from `pki --print` might help too) 
and the configured certificates/identities (the code you added is itself 
configured via `struct s_connection_parameters`).

Regards,
Tobias


Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-26 Thread Modster, Anthony
Hello Tobias
Sorry for the late reply, I was on vacation.
Let me know if you get this email and all attachments.

Attached are the credentials in both locations on the target ".tar".

Also attached is the credentials dumped using "ipsec pki --print".

Provide certificates to strongswan
•   swanctl.tar ipsecd.tar
More cert information
•   ipsec pki --print -i /etc/swanctl/x509/Org1.crt
•   ipsec pki --print -i /etc/swanctl/x509ca/Org1.sca1
•   ipsec pki --print -i /etc/swanctl/x509ca/Org1.ta
•   ipsec pki --print -i /etc/swanctl/x509/Org2.crt
•   ipsec pki --print -i /etc/swanctl/x509ca/Org2.sca1
•   ipsec pki --print -i /etc/swanctl/x509ca/Org2.ta
•   https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiPrint
Debug for configured certificates/identities in struct s_connection_parameters
•   vici_do_connect() conn_name=sgateway1-radio2 ike_version=2 
local_addrs=10.20.64.145 remote_addrs=76.232.248.196 eap_id= 
proposals=aes256-sha512-sha384-ecp256-sha256-modp2048-prfsha1 
ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org1.crt 
local_id=ra00...@teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, 
OU=Systems Engineering, CN=WGL196 - ID, OU=Devices, OU=Aircraft Operator Ground 
Stations, OU=Teledyne Controls esp_proposals=aes256-sha1 child_local_ts= 
child_remote_ts=80.80.80.15 child_rekey_time=0 left_auth=pubkey mobike=no 
dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0
•   vici_do_connect() conn_name=sgateway2-radio2 ike_version=2 
local_addrs=10.20.64.145 remote_addrs=76.232.248.211 eap_id= 
proposals=aes256-sha384-modp2048 ike_reauth_time=240m ike_rekey_time=0 
local_cert=/etc/swanctl/x509/Org2.crt local_id=ra00...@teledyne.com 
remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, 
OU=Teledyne Controls esp_proposals=aes256-sha256-sha1 child_local_ts= 
child_remote_ts=172.16.207.140 child_rekey_time=0 left_auth=eap mobike=no 
dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0

Thanks

-Original Message-
From: Tobias Brunner  
Sent: Monday, November 19, 2018 3:00 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,

> For this setup our credential directory looks like this
> /media/sde1/certs/Org1:
> Org1.chain  Org1.crt  Org1.key  Org1.sca1  Org1.ta
> /media/sde1/certs/Org2:
> Org2.chain  Org2.crt  Org2.key  Org2.sca2  Org2.ta
> 
> So we only load the "user cert" using VICI, we're letting charon select the 
> correct key and sca.

Could you please provide more information on these certificate chains 
(preferably the files themselves, but output from `pki --print` might help too) 
and the configured certificates/identities (the code you added is itself 
configured via `struct s_connection_parameters`).

Regards,
Tobias


ipsecd.tar
Description: ipsecd.tar


swanctl.tar
Description: swanctl.tar
  subject:  "CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems 
Engineering, C=US"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 4"
  validity:  not before Nov 14 22:21:00 2018, ok
 not after  Nov 14 22:21:00 2021, ok (expires in 1084 days)
  serial:0e
  altNames:  ra00...@teledyne.com
  flags: clientAuth ikeIntermediate 
  CRL URIs:  http://www.carillon.ca/caops/test-signca2-crl.crl
  OCSP URIs: http://www.carillon.ca/sha2-ocsp
  certificatePolicies:
 1.3.6.1.4.1.25054.3.1.113
  authkeyId: 39:7f:86:a5:6d:e9:b4:bd:0c:ce:62:30:f1:d9:2f:a2:c3:9a:65:5b
  subjkeyId: 81:09:51:c6:65:d0:f6:93:c0:4c:d0:0a:c6:07:fc:21:a7:1c:19:d3
  pubkey:RSA 2048 bits
  keyid: 5f:c2:79:51:0b:84:fb:1d:fa:ff:ec:42:f6:7b:30:83:e7:d8:62:41
  subjkey:   81:09:51:c6:65:d0:f6:93:c0:4c:d0:0a:c6:07:fc:21:a7:1c:19:d3
  subject:  "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 4"
  issuer:   "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA"
  validity:  not before Nov 01 17:00:00 2018, ok
 not after  Nov 01 17:00:00 2024, ok (expires in 2166 days)
  serial:09
  flags: CA CRLSign 
  CRL URIs:  http://www.carillon.ca/caops/TEST-cisRCA1.crl
  pathlen:   0
  certificatePolicies:
 1.3.6.1.4.1.25054.3.1.103
 1.3.6.1.4.1.25054.3.1.104
 1.3.6.1.4.1.25054.3.1.105
 1.3.6.1.4.1.25054.3.1.106
 1.3.6.1.4.1.25054.3.1.107
 1.3.6.1.4.1.25054.3.1.108
 1.3.6.1.4.1.25054.3.1.109
 1.3.6.1.4.1.25054.3.1.110
 1.3.6.1.4.1.25054.3.1.130
 1.3.6.1.4.1.25054.3.1.111
 1.3.6.1.4.1.25054.3.1.131
 1.3.6.1.4.1.25054.3.1.112
 1.3.6.1.4

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-16 Thread Modster, Anthony
2 
EAP
 //vici_add_key_valuef(req,"auth","%s","pubkey");
 vici_add_key_valuef(req,"auth","%s",param->left_auth);

 //connections..local.id
 vici_add_key_valuef(req,"id","%s",param->local_id);

 //connections..local.eap_id
 if( strlen( param->eap_id ) )
 {//eap_id is available
vici_add_key_valuef(req,"eap_id","%s",param->eap_id);
 }

 //connections..local.aaa_id
 //connections..local.xauth_id

  vici_end_section(req); //section end for local

  //Section for a remote authentication round ( remote, the 
 is optional )
  vici_begin_section(req,"remote");

 //connections..remote.round

 //connections..remote.id
 vici_add_key_valuef(req,"id","%s",param->remote_id);

 //connections..remote.groups
 //connections..remote.certs
 //connections..remote.cacerts
 //connections..remote.pubkeys

 //connections..remote.revocation
 vici_add_key_valuef(req,"revocation","%s","relaxed");

 //connections..remote.auth
 vici_add_key_valuef(req,"auth","%s","pubkey"); 

  vici_end_section(req); //section end for remote

  //CHILD_SA configuration sub-section (  = , for now )
  vici_begin_section(req,"children");

 vici_begin_section(req,param->conn_name);

//connections..children..ah_proposals

//connections..children..esp_proposals
create_list_for_proposals( req, "esp_proposals", 
param->esp_proposals );

//connections..children..local_ts
//note: allow peer to set IP address and mask
vici_begin_list(req,"local_ts");
//   vici_add_list_itemf(req,"%s","172.16.207.251");
   vici_add_list_itemf(req,"%s","dynamic");
vici_end_list(req);

//connections..children..remote_ts
//note: allow peer to set IP address and mask
vici_begin_list(req,"remote_ts");
//???tony, need to change because it could be a list (comma separated) 
//child_remote_ts[BUF_LEN]
   if( strlen( param->child_remote_ts ) )
  vici_add_list_itemf(req,"%s",param->child_remote_ts);
   else
  vici_add_list_itemf(req,"%s","dynamic");
//   vici_add_list_itemf(req,"%s","172.16.207.150");
//   vici_add_list_itemf(req,"%s","0.0.0.0/0"); //for IPv4
//   vici_add_list_itemf(req,"%s","0.0.0.0/0,0::0"); //for IPv6
//   vici_add_list_itemf(req,"%s","dynamic");
vici_end_list(req);

//connections..children..rekey_time
vici_add_key_valuef(req,"rekey_time","%s",param->child_rekey_time); 

//connections..children..life_time
//connections..children..rand_time
//connections..children..rekey_bytes
//connections..children..life_bytes
//connections..children..rand_bytes
//connections..children..rekey_packets
//connections..children..life_packets
//connections..children..rand_packets

//connections..children..updown

vici_add_key_valuef(req,"updown","%s","/usr/lib32/ipsec/_updown_tdy.py");

//connections..children..hostaccess

//connections..children..mode
vici_add_key_valuef(req,"mode","%s","tunnel"); 

//connections..children..dpd_action
//vici_add_key_valuef(req,"dpd_action","%s","clear");
//vici_add_key_valuef(req,"dpd_action","%s","restart");
vici_add_key_valuef(req,"dpd_action","%s",param->child_dpd_action);

//connections..children..policies
//connections..children..dpd_action
//connections..children..ipcomp
//connections..children..inactivity
//connections..children..reqid
        //connections..children..mark_in
//connections..children..mark_out
//connections..children..tfc_padding
//connections..children..replay_window
//connections..children..start_action
//connections..children..close_action

 vici_end_section(req); //section end for child / connection

  vici_end_section(req); //section end for child

   vici_end_section(req);  //section end for connection

   res = vici_submit(req, conn);
   if( !res)
   {
  p

[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-14 Thread Modster, Anthony
Hello



If VPN tunnel 1 is started before VPN tunnel 2.

Then VPN tunnel 2 does not select the correct SCA cert during TLS EAP.

It does show the correct SCA cert during configuration.

VPN tunnel 1 is ok



If VPN tunnel 2 is started before VPN tunnel 1.

Then both VPN tunnels are ok.



VPN tunnel 1: "user cert 1"->SCA 1->TA

VPN tunnel 2: "user cert 2"->SCA 4->TA

Note: TA is same for both VPN tunnels



VPN tunnel 1: left auth = pubkey

VPN tunnel 2: left auth = eap



Strongswan version: 5.5.1

VICI interface



Note: VPN tunnel 1 is up and ok



!!!Selected user cert is CN=TDY Test SCA 4

2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   certificate \"C=US, 
O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4\" 
key: 2048 bit RSA
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   using trusted ca 
certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test Root CA\"
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] checking certificate 
status of \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, 
CN=TDY Test SCA 4\"
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] ocsp check skipped, 
no ocsp found
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   fetching crl from 
\'http://www.carillon.ca/caops/TEST-cisRCA1.crl\' ...
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[LIB] unable to fetch from 
http://www.carillon.ca/caops/TEST-cisRCA1.crl, no capable fetcher found
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] crl fetching failed
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate status is 
not available
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate policy 
1.3.6.1.4.1.25054.3.1.113 for \'C=US, O=Teledyne Controls Engineering, 
OU=Systems Engineering, CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft 
Operator Ground Stations, OU=Teledyne Controls\' not allowed by trustchain, 
ignored
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   certificate \"C=US, 
O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA\" 
key: 2048 bit RSA
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG]   reached self-signed 
root ca with a path length of 1
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer 
certificate \'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems 
Engineering, C=US\'
!!! ? why did TLS send SCA 1 cert

2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS 
intermediate certificate \'C=US, O=Teledyne Controls Engineering, OU=Systems 
Engineering, CN=TDY Test SCA 1\'
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] reinitiating already 
active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] generating IKE_AUTH 
request 6 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] sending packet: from 
10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[NET] received packet: from 
76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[ENC] parsed IKE_AUTH 
response 6 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[IKE] reinitiating already 
active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[ENC] generating IKE_AUTH 
request 7 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[NET] sending packet: from 
10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[NET] received packet: from 
76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[ENC] parsed IKE_AUTH 
response 7 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[IKE] reinitiating already 
active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[ENC] generating IKE_AUTH 
request 8 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[NET] sending packet: from 
10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] received packet: from 
76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] parsed IKE_AUTH 
response 8 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] reinitiating already 
active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE]   IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] generating IKE_AUTH 
request 9 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] sending packet: from 
10.29.232.184[4500] to 

[strongSwan] VICI and PSK

2018-05-16 Thread Modster, Anthony
Hello

? how to configure VICI for PSK

Thanks



[strongSwan] routing and firewall policy

2017-12-18 Thread Modster, Anthony
Hello

? How to setup routing and firewall policy, when using VICI

Thanks





Re: [strongSwan] OSCP

2017-12-18 Thread Modster, Anthony
Hello Andreas

If the OCSP URI is included in the authorityInfoAccess extension:

? How does strongswan obtain the IP address

? Does it need to have a DNS client installed on the host

? Can it support secure DNS

Thanks

-Original Message-
From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Andreas 
Steffen
Sent: Saturday, December 16, 2017 2:23 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] OSCP

Hello Anthony,

if the OCSP URI is not included via an authorityInfoAccess extension in
the end entity certificate itself then an authority section defining an
OCSP URI can be added to swanctl.conf as shown in the link below


https://www.strongswan.net/testing/testresults/swanctl/ocsp-signer-cert/carol.swanctl.conf

Regards

Andreas

On 16.12.2017 00:56, Modster, Anthony wrote:
> Hello
> 
>  
> 
> ? how do we setup OSCP, when using VICI
> 
>  
> 
> Is there a writeup for this item.
> 
>  
> 
> ? what support tools are needed on the host
> 
>  
> 
> Thanks
> 
>  
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
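
The two VICI questions above (the "VICI and PSK" post and this OCSP thread) both come down to the message layout charon expects on its control socket. The block below is an added example, not code from this thread, from strongSwan or from the poster, written against the Python `vici` binding that the list recommends elsewhere. It builds the load-shared and load-conn messages for a PSK-authenticated IKEv2 tunnel and the load-authority message that is the VICI counterpart of the swanctl.conf `authorities` section Andreas pointed to. Connection name, identities, the secret, the peer address and the OCSP URI are invented; the CA path reuses the Org2.ta file named earlier in the thread. On the name-resolution question: charon itself resolves nothing for fetch URIs; the curl or soup fetcher plugin does, through the host's normal resolver (getaddrinfo), so a fetcher plugin and a working resolver configuration are both required.

```python
"""VICI configuration for a PSK tunnel and for an out-of-band OCSP responder.

Added example; not code from this thread, from strongSwan or from the poster.
Message layouts follow the vici plugin's load-shared, load-conn and
load-authority commands. Names, identities, secret, peer address and OCSP URI
are made up. The builders run offline; apply_psk_tunnel() and
register_ocsp_responder() need the `vici` Python package (pip install vici)
and a running charon with the vici plugin loaded.
"""
from typing import Dict, List
from urllib.parse import urlparse

MIN_PSK_CHARS = 32   # local policy: IKE PSKs are long random strings, never passwords


def shared_secret_msg(secret: str, owners: List[str]) -> Dict:
    """load-shared payload for an IKE pre-shared key.
    charon picks a PSK by matching the IKE identities of both peers against
    'owners'; with no owners the key would match any identity."""
    if len(secret) < MIN_PSK_CHARS:
        raise ValueError(f"PSK shorter than {MIN_PSK_CHARS} characters")
    if not owners:
        raise ValueError("a PSK needs at least one owner identity")
    return {"type": "IKE", "data": secret, "owners": list(owners)}


def psk_conn_msg(name: str, local_id: str, remote_id: str,
                 remote_addr: str, remote_ts: List[str]) -> Dict:
    """load-conn payload for an IKEv2 tunnel authenticated with that PSK on
    both ends (auth = psk). Same keys the thread's C code sets through
    vici_add_key_valuef(), as the nested dict the Python binding serialises;
    scalars are strings because that is what the vici wire format carries."""
    return {name: {
        "version": "2",
        "remote_addrs": [remote_addr],
        "proposals": ["aes256-sha256-modp2048"],
        "dpd_delay": "20s",
        "local": {"auth": "psk", "id": local_id},
        "remote": {"auth": "psk", "id": remote_id},
        "children": {name: {
            "esp_proposals": ["aes256-sha256"],
            "remote_ts": list(remote_ts),
            "mode": "tunnel",
            "dpd_action": "restart",
        }},
    }}


def ocsp_authority_msg(name: str, cacert_file: str, ocsp_uris: List[str]) -> Dict:
    """load-authority payload: the VICI counterpart of a swanctl.conf
    'authorities' section, for CAs whose end-entity certificates carry no
    authorityInfoAccess OCSP URI. 'file' is an absolute path to the CA cert."""
    for uri in ocsp_uris:
        parts = urlparse(uri)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not a usable OCSP URI: {uri!r}")
    return {name: {"file": cacert_file, "ocsp_uris": list(ocsp_uris)}}


def apply_psk_tunnel(session, name: str, psk: str, local_id: str,
                     remote_id: str, remote_addr: str, remote_ts: List[str]) -> None:
    """Load the secret first, then the connection, then initiate it.
    The binding raises vici.exception.CommandException when charon answers
    success = no, so nothing has to be checked by hand."""
    session.load_shared(shared_secret_msg(psk, [local_id, remote_id]))
    session.load_conn(psk_conn_msg(name, local_id, remote_id, remote_addr, remote_ts))
    for _entry in session.initiate({"child": name}):
        pass   # initiate streams log lines; draining the generator waits for it


def register_ocsp_responder(session, name: str, cacert_file: str,
                            ocsp_uris: List[str]) -> None:
    """Tell charon where to ask for revocation status under this CA.
    Fetching still needs a fetcher plugin (curl or soup): 'no capable fetcher
    found' in the log earlier in this thread means none was loaded, and with
    revocation = relaxed an unavailable status is accepted rather than
    failing the authentication."""
    session.load_authority(ocsp_authority_msg(name, cacert_file, ocsp_uris))


if __name__ == "__main__":
    import vici   # pip install vici
    s = vici.Session()
    register_ocsp_responder(s, "org2", "/etc/swanctl/x509ca/Org2.ta",
                            ["http://ocsp.example.test/"])
    apply_psk_tunnel(s, "psk-tunnel", "replace-with-at-least-32-random-chars!!",
                     "radio.example.test", "gw.example.test", "203.0.113.5",
                     ["172.16.207.140/32"])
```

The PSK length and URI checks are local policy, not anything charon enforces; charon will happily load a one-character PSK. Keep `owners` populated on every shared secret so a key loaded for one peer cannot authenticate another.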



[strongSwan] OSCP

2017-12-15 Thread Modster, Anthony
Hello

? how do we setup OSCP, when using VICI

Is there a writeup for this item.

? what support tools are needed on the host

Thanks



Re: [strongSwan] VICI and multiple threads

2017-09-08 Thread Modster, Anthony
Hello Martin

That's good to know, we're currently using VICI; if we run into issues and need 
to switch to DAVICI, it should be easy.

-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org] 
Sent: Friday, September 08, 2017 12:02 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] VICI and multiple threads

Hi Anthony,

> [...] and he did mention the possibility for using DAVICI. The problem at the time was 
> Andreas lost the support person for this module. So we decided not to 
> take the risk.

I don't think there is much of an issue here. I definitely will take care of 
maintaining davici, as we use that in production extensively.
There is not much going on in this repo [1], but this is mostly because it is a 
rather simple library (and mostly complete to do what it should).

Regards
Martin

[1]https://github.com/strongswan/davici


[strongSwan] VICI and multiple threads

2017-09-06 Thread Modster, Anthony
Hello

? is the VICI library considered thread safe

Can a host use multiple threads to access the library functions.



Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tun

2017-05-06 Thread Modster, Anthony
Hello Noel

With routing disabled, creating the routes manually and adding a metric to 
each route seems to work.

Thanks

? any other suggestions

-Original Message-
From: Modster, Anthony 
Sent: Thursday, May 04, 2017 8:47 AM
To: 'Noel Kuntze' <noel.kuntze+strongswan-users-ml@thermi.consulting>; 
users@lists.strongswan.org
Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] 
Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] multiple tunnels

ok

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
Sent: Thursday, May 04, 2017 8:46 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT 
EMAIL: No Reputation] multiple tunnels

2. But you should check what event is it. And you obviously should tear down 
the routes when the CHILD_SAs go down.

On 04.05.2017 17:44, Modster, Anthony wrote:
> Hello Noel
> Just to be clear
> 
> If using VICI, (1) do I attach the script during VICI config, or (2) 
> run the script on the "event monitor" callback (when its called)
> 
> -Original Message-
> From: Noel Kuntze
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 8:40 AM
> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] multiple tunnels
> 
> 
> 
> On 04.05.2017 17:27, Modster, Anthony wrote:
>> Hello Noel
>>
>> If I disable route installation.
>>
>> ? can a custom _updown script be used to set the route for each 
>> tunnel
> 
> Phew. I think you can, but you have to take care not to install duplicate 
> routes. The hook you need to put your commands into, is called with each 
> combination of subnets.
> 
>>
>> ? or can the "event monitor" callback be used to set the route for 
>> each tunnel
> 
> Yes, if you use VICI. You can script something with Python using the vici egg.
> 
>>
>> -Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 8:22 AM
>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Nope. But you can disable the route installation from charon by setting 
>> charon.install_routes to no.
>> You can't use the _updown script to manage routes.
>>
>> On 04.05.2017 17:17, Modster, Anthony wrote:
>>> Hello Noel
>>>
>>> ? is there a way to  use _updown to set both routes (disabling 
>>> Charon from setting the current route)
>>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Thursday, May 04, 2017 4:12 AM
>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] multiple tunnels
>>>
>>> Hello Anthony,
>>>
>>> I don't understand what you mean with that, but you could add a route to 
>>> the remote peer with a higher MTU, if you can actually communicate over the 
>>> other link with the IP on the other interface (the IP of another provider). 
>>> If you can't do that, then this is not solvable.
>>>
>>> On 04.05.2017 02:02, Modster, Anthony wrote:
>>>> Hello Noel
>>>> We were thinking of changing the created via for eth1.13 (adding metric 
>>>> info).
>>>> Then when ppp0 tunnel comes up, create another via for it.
>>>>
>>>> I think Charon does try to create a via for ppp0, but can't.
>>>>
>>>> -Original Message-
>>>> From: Noel Kuntze
>>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>>> Sent: Wednesday, May 03, 2017 4:45 PM
>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>>>> users@lists.strongswan.org
>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputat
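
The procedure worked out in this thread (disable `charon.install_routes`, install one route per tunnel with its own metric, and, as Noel notes, avoid duplicates and tear the routes down when the CHILD_SA goes down) is shown below as an added example, driven from the VICI `child-updown` event rather than the `_updown` script, which is the Python route Noel suggested. It is not code from the thread, from strongSwan or from the poster. Because neither the updown hook nor the event carries the gateway address, the example asks the kernel with `ip route get`; the sample event is constructed and reuses the addresses from the vici_do_connect() dump earlier on this page.

```python
"""Per-tunnel route management driven by VICI child-updown events.

Added example; not code from this thread, from strongSwan or from the poster.
Assumes charon.install_routes = no (charon leaves routing to us) and the
`vici` Python package for the live listener. The route logic is pure and is
exercised with a constructed event built from the thread's config dump.
"""
import shlex
import subprocess
from typing import Callable, Dict, List, Tuple

Runner = Callable[[List[str]], str]   # runs argv, returns its stdout


def _s(v) -> str:
    """The vici binding hands values back as bytes; normalise to str."""
    return v.decode() if isinstance(v, (bytes, bytearray)) else str(v)


def shell_runner(argv: List[str]) -> str:
    """Real runner: execute iproute2, raise on a non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def lookup_path(peer: str, run: Runner) -> Tuple[str, str]:
    """Ask the kernel which device and gateway reach the IKE peer.
    Nothing in the event (or the updown hook) carries the gateway, so it is
    recovered from 'ip route get'; point-to-point links have no 'via'."""
    tokens = run(["ip", "route", "get", peer]).split()
    dev = tokens[tokens.index("dev") + 1]
    gw = tokens[tokens.index("via") + 1] if "via" in tokens else ""
    return dev, gw


class RouteManager:
    """One route per (reqid, remote_ts) with a per-tunnel metric, removed
    exactly when that CHILD_SA goes down. 'ip route replace' keeps a
    repeated up event (e.g. after dpd_action = restart) from stacking
    duplicates."""

    def __init__(self, run: Runner = shell_runner, base_metric: int = 100):
        self.run = run
        self.base_metric = base_metric
        self.installed: Dict[Tuple[int, str], List[str]] = {}
        self.log: List[str] = []

    def _ip(self, argv: List[str]) -> None:
        self.log.append(shlex.join(argv))
        self.run(argv)

    def handle_event(self, msg: dict) -> List[str]:
        """Apply one child-updown message; returns the commands it issued."""
        up = "up" in msg                      # key present only on up events
        start = len(self.log)
        for ike_name, ike in msg.items():
            if ike_name == "up":
                continue
            for child in ike.get("child-sas", {}).values():
                reqid = int(_s(child["reqid"]))   # stable across rekeys
                if not up:
                    # remove every route this tunnel installed, whether or
                    # not the down event repeats the traffic selectors
                    for key in [k for k in self.installed if k[0] == reqid]:
                        self._ip(["ip", "route", "del"] + self.installed.pop(key))
                    continue
                dev, gw = lookup_path(_s(ike["remote-host"]), self.run)
                local_ts = [_s(t) for t in child.get("local-ts", [])]
                # source: the local /32 selector (virtual IP) if there is one,
                # otherwise the IKE endpoint address
                src = (local_ts[0][:-3] if local_ts and local_ts[0].endswith("/32")
                       else _s(ike["local-host"]))
                metric = self.base_metric + reqid   # distinct metric per tunnel
                for dst in (_s(t) for t in child.get("remote-ts", [])):
                    route = ([dst] + (["via", gw] if gw else [])
                             + ["dev", dev, "src", src, "metric", str(metric)])
                    self.installed[(reqid, dst)] = route
                    self._ip(["ip", "route", "replace"] + route)
        return self.log[start:]


# Constructed sample event (addresses taken from the thread's config dump).
SAMPLE_UP_EVENT = {
    "up": b"yes",
    "sgateway2-radio2": {
        "local-host": b"10.20.64.145",
        "remote-host": b"76.232.248.211",
        "child-sas": {"sgateway2-radio2": {
            "reqid": b"2",
            "local-ts": [b"10.20.64.145/32"],
            "remote-ts": [b"172.16.207.140/32"],
        }},
    },
}


def listen_forever() -> None:
    """Live loop: needs a running charon with the vici plugin."""
    import vici   # pip install vici
    mgr = RouteManager()
    for _label, msg in vici.Session().listen(["child-updown"]):
        for cmd in mgr.handle_event(msg):
            print(cmd)


if __name__ == "__main__":
    listen_forever()
```

Run it as a long-lived service next to charon; because the routes live in the manager's memory, restart it only after flushing what it installed, or rebuild that state from `ip route show` on start-up.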

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT

2017-05-06 Thread Modster, Anthony
Hello Noel

OK

-Original Message-
From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Noel Kuntze
Sent: Saturday, May 06, 2017 8:52 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
Reputation] multiple tunnels



On 06.05.2017 03:02, Modster, Anthony wrote:
> ? can the gateway IP address be added to the list of variables, to be passed 
> to the _updown script

No, you can not do that.

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT

2017-05-05 Thread Modster, Anthony
Hello Noel

? can the gateway IP address be added to the list of variables, to be passed to 
the _updown script

-Original Message-
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] 
Sent: Thursday, May 04, 2017 8:59 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: 
[SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT 
EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

Look for the list of variables in the large comments in the beginning of the 
updown script

On 04.05.2017 17:48, Modster, Anthony wrote:
> Hello Noel
> ? can you provide the parameters I need to parse for up and down
> 
> -Original Message-----
> From: Modster, Anthony
> Sent: Thursday, May 04, 2017 8:47 AM
> To: 'Noel Kuntze' <noel.kuntze+strongswan-users-ml@thermi.consulting>; 
> users@lists.strongswan.org
> Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
> 
> ok
> 
> -Original Message-
> From: Noel Kuntze 
> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 8:46 AM
> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
> users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
> 
> 2. But you should check what event is it. And you obviously should tear down 
> the routes when the CHILD_SAs go down.
> 
> On 04.05.2017 17:44, Modster, Anthony wrote:
>> Hello Noel
>> Just to be clear
>>
>> If using VICI, (1) do I attach the script during VICI config, or (2) 
>> run the script on the "event monitor" callback (when its called)
>>
>> -----Original Message-
>> From: Noel Kuntze
>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Thursday, May 04, 2017 8:40 AM
>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>> users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>> Reputation] multiple tunnels
>>
>>
>>
>> On 04.05.2017 17:27, Modster, Anthony wrote:
>>> Hello Noel
>>>
>>> If I disable route installation.
>>>
>>> ? can a custom _updown script be used to set the route for each 
>>> tunnel
>> Phew. I think you can, but you have to take care not to install duplicate 
>> routes. The hook you need to put your commands into, is called with each 
>> combination of subnets.
>>
>>> ? or can the "event monitor" callback be used to set the route for 
>>> each tunnel
>> Yes, if you use VICI. You can script something with Python using the vici 
>> egg.
>>
>>> -Original Message-
>>> From: Noel Kuntze
>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>> Sent: Thursday, May 04, 2017 8:22 AM
>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>>> users@lists.strongswan.org
>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>>
>>> Nope. But you can disable the route installation from charon by setting 
>>> charon.install_routes to no.
>>> You can't use the _updown script to manage routes.
>>>
>>> On 04.05.2017 17:17, Modster, Anthony wrote:
>>>> Hello Noel
>>>>
>>>> ? is there a way to  use _updown to set both routes (disabling 
>>>> Charon from setting the current route)
>>>>
>>>> -Original Message-
>>>> From: Noel Kuntze
>>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>>>> Sent: Thursday, May 04, 2017 4:12 AM
>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>>>> users@lists.strongswan.org
>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No 
>>>> Reputation] multiple tunnels
>>>>
>>>> Hello Anthony,
>>>>
>>>> I don't understand what you mean with that, but you could add a route to 
>>>> the remote peer with a higher MTU, if you can actually communicate over 
>>>> the other
