Hello Noel ? can you provide the parameters I need to parse for up and down
-----Original Message----- From: Modster, Anthony Sent: Thursday, May 04, 2017 8:47 AM To: 'Noel Kuntze' <noel.kuntze+strongswan-users-ml@thermi.consulting>; users@lists.strongswan.org Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels ok -----Original Message----- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Thursday, May 04, 2017 8:46 AM To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels 2. But you should check what event is it. And you obviously should tear down the routes when the CHILD_SAs go down. On 04.05.2017 17:44, Modster, Anthony wrote: > Hello Noel > Just to be clear > > If using VICI, (1) do I attach the script during VICI config, or (2) > run the script on the "event monitor" callback (when its called) > > -----Original Message----- > From: Noel Kuntze > [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:40 AM > To: Modster, Anthony <anthony.mods...@teledyne.com>; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] multiple tunnels > > > > On 04.05.2017 17:27, Modster, Anthony wrote: >> Hello Noel >> >> If I disable route installation. >> >> ? can a custom _updown script be used to set the route for each >> tunnel > > Phew. I think you can, but you have to take care not to install duplicate > routes. The hook you need to put your commands into, is called with each > combination of subnets. > >> >> ? or can the "event monitor" callback be used to set the route for >> each tunnel > > Yes, if you use VICI. You can script something with Python using the vici egg. > >> >> -----Original Message----- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 8:22 AM >> To: Modster, Anthony <anthony.mods...@teledyne.com>; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels >> >> Nope. But you can disable the route installation from charon by setting >> charon.install_routes to no. >> You can't use the _updown script to manage routes. >> >> On 04.05.2017 17:17, Modster, Anthony wrote: >>> Hello Noel >>> >>> ? is there a way to use _updown to set both routes (disabling >>> Charon from setting the current route) >>> >>> -----Original Message----- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Thursday, May 04, 2017 4:12 AM >>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] multiple tunnels >>> >>> Hello Anthony, >>> >>> I don't understand what you mean with that, but you could add a route to >>> the remote peer with a higher MTU, if you can actually communicate over the >>> other link with the IP on the other interface (the IP of another provider). >>> If you can't do that, then this is not solvable. >>> >>> On 04.05.2017 02:02, Modster, Anthony wrote: >>>> Hello Noel >>>> We were thinking of changing the created via for eth1.13 (adding matric >>>> info). >>>> Then when ppp0 tunnel comes up, create another via for it. >>>> >>>> I think Charon does try to create a via for ppp0, but can't. >>>> >>>> -----Original Message----- >>>> From: Noel Kuntze >>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>>> Sent: Wednesday, May 03, 2017 4:45 PM >>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>>> users@lists.strongswan.org >>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: >>>> [SUSPECT EMAIL: No Reputation] multiple tunnels >>>> >>>> Hello Anthony, >>>> >>>> As predicted, charon can't find an alternative network path: >>>> >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface >>>> eth1.13 deactivated >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] >>>> 192.168.1.134 disappeared from eth1.13 >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path >>>> is not available anymore, try to find another >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a >>>> route to 76.232.248.210 ... >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>>> reauthenticating IKE_SA due to address change >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>>> reauthenticating IKE_SA sgateway1-gldl[1] >>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>>> reauthenticating IKE_SA sgateway1-gldl[1] >>>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending >>>> DPD request >>>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating >>>> INFORMATIONAL request 23 [ ] >>>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending >>>> packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 >>>> bytes) >>>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received >>>> packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 >>>> bytes) >>>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed >>>> INFORMATIONAL response 23 [ ] >>>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit >>>> 1 of request with message ID 95 >>>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending >>>> packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes) >>>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error >>>> writing to socket: Invalid argument >>>> >>>> It can't send any packets though, because the address 192.168.1.134 isn't >>>> bound to any active interface. >>>> >>>> That ends with this: >>>> >>>> 2017 May 3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed >>>> INFORMATIONAL response 33 [ ] >>>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up >>>> after 5 retransmits >>>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up >>>> interface for virtual IP 20.20.20.6 failed >>>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting >>>> CHILD_SA sgateway1-gldl >>>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating >>>> IKE_SA sgateway1-gldl[3] to 76.232.248.210 >>>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating >>>> IKE_SA sgateway1-gldl[3] to 76.232.248.210 >>>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 13[IKE] sending >>>> DPD request >>>> >>>> This continues until the end of the log. The interface eth1.13 doesn't >>>> come up in the logs after it was deactivated. >>>> >>>> The PCAPs are pretty useless, because they don't show the problem. But ESP >>>> traffic indeed flows through the different network interfaces. >>>> Hmh. Curious! I wonder why that is. >>>> >>>> On 04.05.2017 01:25, Modster, Anthony wrote: >>>>> Hello Noel >>>>> >>>>> I am resending the message and for files are compressed. >>>>> >>>>> -----Original Message----- >>>>> From: Modster, Anthony >>>>> Sent: Wednesday, May 03, 2017 2:55 PM >>>>> To: 'Noel Kuntze' >>>>> <noel.kuntze+strongswan-users-ml@thermi.consulting>; >>>>> users@lists.strongswan.org >>>>> Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] >>>>> [SUSPECT >>>>> EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple >>>>> tunnels >>>>> >>>>> Hello Noel >>>>> >>>>> 1. let me know if any of the files are missing (s/b 3) 2. let me >>>>> know if the log levels are ok (our settings were more than support >>>>> required) >>>>> >>>>> The following test and its results will be sent to strongswan for >>>>> eveluation. >>>>> >>>>> bring up ethernet eth1.13 >>>>> when interface comes up start, tcpdump -i eth1.13 -w >>>>> test_restart_eth113.dat >>>>> note: ipsec tunnel will start >>>>> wait for tunnel >>>>> bring up ppp0 >>>>> when interface comes up start, tcpdump -i ppp0 -w >>>>> test_restart_ppp0.dat wait for tunnel disconnect ethernet >>>>> note: ppp0 will stop communicating wait for ppp0 to recover (about >>>>> 9 mins) >>>>> >>>>> log files: >>>>> test_restart_eth113.dat >>>>> test_restart_ppp0.dat >>>>> test_restart_security_edit.log >>>>> >>>>> >>>>> -----Original Message----- >>>>> From: Noel Kuntze >>>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>>>> Sent: Wednesday, May 03, 2017 1:37 PM >>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>>>> users@lists.strongswan.org >>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT >>>>> EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple >>>>> tunnels >>>>> >>>>> For each interface. >>>>> >>>>> On 03.05.2017 22:24, Modster, Anthony wrote: >>>>>> Hello Noel >>>>>> >>>>>> Quick question, do you want the tcpdump capture for each interface, or >>>>>> capture at the secure gateway side. >>>>>> >>>>>> -----Original Message----- >>>>>> From: Noel Kuntze >>>>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>>>>> Sent: Wednesday, May 03, 2017 12:08 PM >>>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>>>>> users@lists.strongswan.org >>>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>>>>> Reputation] multiple tunnels >>>>>> >>>>>> Hello Anthony, >>>>>> >>>>>> On 03.05.2017 20:36, Modster, Anthony wrote: >>>>>>> Each tunnel would be bound to a separate interface (eth1.13 and ppp0). >>>>>>> Our application would open a socket for each tunnel end point, and bind >>>>>>> to it (so there is no routing needed). >>>>>> What kind of socket? Raw IP? >>>>>> >>>>>>> We verified that ESP packets are being sent from each application >>>>>>> socket to the assigned interface. >>>>>> Huh? Don't you mean "We verified that ESP packets are sent for each >>>>>> packet that is emitted from the application socket to the assigned >>>>>> interface"? >>>>>> >>>>>>> We verified that IKE packets are being sent to each interface from >>>>>>> Charon. >>>>>> This is very curious. Please verify that they are indeed sent out from >>>>>> two different interfaces. >>>>>> As I previously mentioned, routing decisions are made based on the >>>>>> destination address, not the source address, so IKE packets for either >>>>>> IKE_SA would traverse the same interface and use the same route, except >>>>>> if you used policy based routing. >>>>>> >>>>>> Anyway, I require logs to figure out what happens exactly. Please create >>>>>> them using the file logger definition from the HelpRequests[1] page. >>>>>> >>>>>> Kind regards, >>>>>> Noel >>>>>> >>>>>> [1] >>>>>> https://secure-web.cisco.com/1j3GkDWiMC47CUy7JEZrTMFVOcm1wcAG1qjU >>>>>> D >>>>>> 4 >>>>>> e >>>>>> j >>>>>> w >>>>>> TAGcl7Ie8pH_oYW3ermSmwJCHgfvbtGVlYFEBP8roXNFVxQH5MyW5aLMsU9pDAUSx >>>>>> y >>>>>> z >>>>>> C >>>>>> A >>>>>> s >>>>>> lioVIyuREQoLk_-CP9Gus-3GQRkuDUOYzov0N5ZPq6tsv_2mW9NGMkRK-O3WZpWye >>>>>> u >>>>>> W >>>>>> - >>>>>> W >>>>>> H >>>>>> B5bGM1JBQu1w0xtwPy7ehB2hEZcy-cCyXQ/https%3A%2F%2Fwiki.strongswan. >>>>>> o >>>>>> r >>>>>> g >>>>>> % >>>>>> 2 Fprojects%2Fstrongswan%2Fwiki%2FHelpRequests >>>>>> >>>>>>> ? does this sound ok >>>>>>> I will send more after your response. >>>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Noel Kuntze >>>>>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>>>>>> Sent: Wednesday, May 03, 2017 10:38 AM >>>>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>>>>>> users@lists.strongswan.org >>>>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] >>>>>>> [SUSPECT >>>>>>> EMAIL: No Reputation] Re: multiple tunnels >>>>>>> >>>>>>> Hello Anthony, >>>>>>> >>>>>>> On 03.05.2017 19:24, Modster, Anthony wrote: >>>>>>>> We are using two interfaces at once from same host to the same secure >>>>>>>> gateway. >>>>>>> Why? >>>>>>> Why even two IKE_SAs? Just use one IKE_SA and have the two CHILD_SAs be >>>>>>> managed under one. >>>>>>> >>>>>>>> root@wglng-6:~# ip route show >>>>>>>> 10.64.64.64 dev ppp0 proto kernel scope link src >>>>>>>> 166.204.4.61 >>>>>>>> 192.168.1.0/24 dev eth1.13 proto kernel scope link src >>>>>>>> 192.168.1.134 >>>>>>>> Note: I did not show interfaces that are not applicable >>>>>>>> >>>>>>>> Both tunnels are up and were able to ping and send data thru the >>>>>>>> tunnels. >>>>>>>> root@wglng-6:~# swanctl --list-sas >>>>>>>> sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* >>>>>>>> 5fa1f29dce075fd4_r >>>>>>>> local 'ra00...@teledyne.com' @ 166.204.4.61[4500] [20.20.20.9] >>>>>>>> remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, >>>>>>>> OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne >>>>>>>> Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500] >>>>>>>> AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256 >>>>>>>> established 922s ago, rekeying in 43s, reauth in 2455s >>>>>>>> sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, >>>>>>>> ESP:AES_CBC-256/HMAC_SHA1_96 >>>>>>>> installed 336s ago, rekeying in 211s, expires in 325s >>>>>>>> in c2e01069, 1320 bytes, 33 packets, 6s ago >>>>>>>> out e1c27d5f, 1452 bytes, 33 packets, 6s ago >>>>>>>> local 20.20.20.9/32 >>>>>>>> remote 10.100.20.15/32 >>>>>>>> sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* >>>>>>>> 5e3c5e4b5c1ec4cf_r >>>>>>>> local 'ra00...@teledyne.com' @ 192.168.1.134[4500] [20.20.20.8] >>>>>>>> remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, >>>>>>>> OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne >>>>>>>> Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500] >>>>>>>> AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256 >>>>>>>> established 1049s ago, rekeying in 150s, reauth in 2257s >>>>>>>> sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, >>>>>>>> ESP:AES_CBC-256/HMAC_SHA1_96 >>>>>>>> installed 469s ago, rekeying in 104s, expires in 191s >>>>>>>> in c45db512, 1880 bytes, 47 packets, 6s ago >>>>>>>> out 77309eef, 2068 bytes, 47 packets, 6s ago >>>>>>>> local 20.20.20.8/32 >>>>>>>> remote 10.100.20.15/32 >>>>>>>> >>>>>>>> strongswan creates the following in table 220 root@wglng-6:~# >>>>>>>> ip route show table 220 >>>>>>>> 10.100.20.15 via 192.168.1.1 dev eth1.13 proto static src >>>>>>>> 20.20.20.8 >>>>>>>> >>>>>>>> When we bring down eth1.13, the tunnel for ppp0 becomes unusable. >>>>>>> What do you mean with "the tunnel for ppp0"? The interface is >>>>>>> irrelevant. >>>>>>> Packets are routed based on their destination. Charon does not pick two >>>>>>> different paths for two different IKE_SAs to the same peer. >>>>>>> >>>>>>> Are you aware that charon uses one path for all the IKE_SAs to one peer? >>>>>>> Charon should choose another path to the remote peer, if there is one >>>>>>> (and the "src" parameter of the corresponding route allows that). I >>>>>>> guess your routing table doesn't allow that. >>>>>>> >>>>>>> Please provide logs that show the problem. >>>>>>> >>>>>>>> We think the problem is that ppp0 does not have a via in table 220. >>>>>>> Irrelevant. See above. >>>>>>> >>>>>>>> If you need more information, let me know. >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>> -----Original Message----- >>>>>>>> From: Noel Kuntze >>>>>>>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>>>>>>> Sent: Wednesday, May 03, 2017 7:33 AM >>>>>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>>>>>>> users@lists.strongswan.org >>>>>>>> Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] >>>>>>>> multiple tunnels >>>>>>>> >>>>>>>> Hello Anthony, >>>>>>>> >>>>>>>> On 03.05.2017 06:57, Modster, Anthony wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> ? how to setup ipsec policy >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> We want to use multiple tunnels on separate interfaces on the same >>>>>>>>> host to one secure gateway. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> The secure gateway only has one external IP address. >>>>>>>>> >>>>>>>> Depends on your exact requirements. You need to elaborate on this. >>>>>>>> >>>>>>>> Kind regards, >>>>>>>> Noel >>>>>>>> >>>>>>>> -- Noel Kuntze IT security consultant GPG Key ID: 0x0739AD6C >>>>>>>> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C >>>>>>>> _______________________________________________ Users mailing >>>>>>>> list Users@lists.strongswan.org >>>>>>>> https://secure-web.cisco.com/1umLFBujqnWj6QpzkmjOs5N9U3Ek-8bie0 >>>>>>>> M >>>>>>>> X >>>>>>>> p >>>>>>>> B >>>>>>>> 6 >>>>>>>> w >>>>>>>> Z >>>>>>>> 9ss1vhilBrSfF13tKoWL6NTRe0CPd1SRvuy2CT2LgFRD1gjLQ21atsRzKU836Zb >>>>>>>> h >>>>>>>> i >>>>>>>> g >>>>>>>> A >>>>>>>> z >>>>>>>> 4 >>>>>>>> k >>>>>>>> 14W-T9yeoOC4t2-xDiwbecTeWHYlRtlO1w7TQmXEEzPLgNH25aPblOjUYxnVk3l >>>>>>>> l >>>>>>>> k >>>>>>>> Y >>>>>>>> q >>>>>>>> 0 >>>>>>>> W >>>>>>>> l >>>>>>>> d7pEH7cKab9tMboT6476CmpbjuM8HztzzA/https%3A%2F%2Flists.strongswan. >>>>>>>> o >>>>>>>> r >>>>>>>> g >>>>>>>> % >>>>>>>> 2Fmailman%2Flistinfo%2Fusers >>>>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users@lists.strongswan.org >>>>>> https://secure-web.cisco.com/1ZUqhowo0_mv9V5kD25oaNH8gLBZLx66slK6 >>>>>> F >>>>>> f >>>>>> 2 >>>>>> 1 >>>>>> L >>>>>> c9NCBKfl3Gs-GcDc9rITZdgrJ-gm4T7JliTiQ8tSyQ00Yvr4q_dP85oAHK-y6amf1 >>>>>> l >>>>>> w >>>>>> g >>>>>> W >>>>>> 4 >>>>>> AgyJ5jvH2M04bEqEFcCxg6lss3F2tKV0s2k6RGOVF2-XjR0apCbvx4RxQkwAj2uGq >>>>>> S >>>>>> X >>>>>> z >>>>>> j >>>>>> f >>>>>> ZJzz0AqTsW6cseBSHwc-jMy4lczBfcy-Zg/https%3A%2F%2Flists.strongswan. >>>>>> o >>>>>> r >>>>>> g >>>>>> % >>>>>> 2Fmailman%2Flistinfo%2Fusers >>>>>> > _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users