Date: Sat, 11 Jan 2020 10:02:28 -0600 From: Karl Denninger <karl@denninger.net> To: freebsd-net@freebsd.org Subject: Re: replacement of security/ipsec-tools Message-ID: <b7b56621-6632-b811-4bf1-479e43e25678@denninger.net> In-Reply-To: <20200111112307.GA62210@admin.sibptus.ru> References: <50378AC0-0A0A-4E33-961F-3D180987A8C1@ellael.org> <20200110035009.GB67842@admin.sibptus.ru> <20200110065131.GA79879@admin.sibptus.ru> <20200111112307.GA62210@admin.sibptus.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format. --------------ms090903090805060301070805 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 1/11/2020 05:23, Victor Sudakov wrote: > Victor Sudakov wrote: >>> If you ever find good documentation/howto for strongswan on FreeBSD,= >>> please share with me. >> Really, please! I know there are people present here using strongswan.= >> >> I would like to try and replace racoon with it. > Now thanks to Sergey Matveev and some good docs on > https://wiki.strongswan.org/ , I have some working examples of > strongswan usage. I must admit it is rather elegant. > > But for this bug-or-feature: https://bugs.freebsd.org/bugzilla/show_bug= =2Ecgi?id=3D242744=20 > I could even easily and elegantly secure all communications between my > FreeBSD hosts (I can't of course due to the above bug, but this is not > strongswan's fault). > > However, not the same with Windows. By much experimenting, I once > created a working configuration for IPsec transport mode between FreeBS= D > and Windows with racoon: > > remote "win2012" { > exchange_mode main; > my_identifier address; > peers_identifier address; > remote_address 192.168.246.12; > proposal_check obey; > proposal { > encryption_algorithm 3des; > hash_algorithm sha1; > authentication_method pre_shared_key; > dh_group 2; > } = =20 > } = =20 > sainfo anonymous { > pfs_group 2; > lifetime time 1 hour; > encryption_algorithm aes,3des; > authentication_algorithm hmac_sha512,hmac_sha384,hmac_sha256,hm= ac_sha1; > compression_algorithm deflate ; > } = =20 > > But now when I try to replace racoon with strongswan, the following > configuration does not work: > > conn Win2012 > keyexchange =3D ikev1 > ike=3D3des-sha1-modp1024! > esp=3D3des-sha1-modp1024! > left=3D192.168.246.1 > right=3D192.168.246.12 > type=3Dtransport > compress=3Dyes > authby=3Dpsk > auto=3Droute > > In Wireshark, I see ISAKMP exchange between 192.168.246.1 and > 192.168.246.12. Also "service strongswan status" reports that there is = a SA: > > Security Associations (1 up, 0 connecting): > Win2012[5]: ESTABLISHED 114 seconds ago, 192.168.246.1[192.168.246= =2E1]...192.168.246.12[192.168.246.12] > > but in fact there are none: > > # setkey -D > No SAD entries. Strongswan works fine with Win10 HOWEVER note that Windows 10 until somewhat recently (last summer, I believe) and ALL PREVIOUS VERSIONS (e.g. Win7, 8, etc.) had a SEVERE problem with IkeV2 connections, which you want, in that their fragmentation support was just flat-out broken.=A0= What you'd see is the part of the initial ISKAMP exchange but you never got the full message in both directions. Thus if you had a path that refused UDP frags the connection would never come up.=A0 Once it was connected it was fine but these days due to the abusive potential for frag UDP packets they are often black-holed somewhere between source and destination.=A0 This is now fixed for Win10,= however, I believe there's no fix for Win8 and before.=A0 Allegedly Ikev1= will work with frags correctly in any event but I never got that working well; until Microsoft fixed the IkeV2 frag problem I used to run OpenVPN for Windows clients.=A0 Fortunately that's no longer necessary and the internal IkeV2 client is a LOT faster in terms of performance over the network than OpenVPN. Here's the stanzas I use: ca StrongSwan =A0=A0=A0=A0=A0=A0=A0 cacert=3DCudaSystems.Int.crt =A0=A0=A0=A0=A0=A0=A0 ocspuri=3Dhttp://ocsp.cudasystems.net:8888 =A0=A0=A0=A0=A0=A0=A0 auto=3Dadd conn %default =A0=A0=A0=A0=A0=A0=A0 keyingtries=3D5 =A0=A0=A0=A0=A0=A0=A0 keyexchange=3Dikev2 =A0=A0=A0=A0=A0=A0=A0 fragmentation=3Dyes conn WinUserCert =A0=A0=A0=A0=A0=A0=A0 left=3D%any =A0=A0=A0=A0=A0=A0=A0 leftsubnet=3D0.0.0.0/0 =A0=A0=A0=A0=A0=A0=A0 leftcert=3Dipgw-rsa.denninger.net.crt =A0=A0=A0=A0=A0=A0=A0 leftauth=3Dpubkey =A0=A0=A0=A0=A0=A0=A0 right=3D%any =A0=A0=A0=A0=A0=A0=A0 rightsourceip=3D192.168.2.0/24 =A0=A0=A0=A0=A0=A0=A0 rightauth=3Deap-tls =A0=A0=A0=A0=A0=A0=A0 eap_identity=3D%identity =A0=A0=A0=A0=A0=A0=A0 auto=3Dadd =A0=A0=A0=A0=A0=A0=A0 dpdaction=3Dclear =A0=A0=A0=A0=A0=A0=A0 dpddelay=3D300s =A0=A0=A0=A0=A0=A0=A0 ike=3Daes256-sha2_256-prfsha256-modp1024 This assigns an address out of 192.168.2.0; you need to have your firewall (which ideally is the same machine that's the gateway) handle that properly for NAT out to the "wider world" assuming you want that all to work. Also, make very, very sure you do not publish an IPv6 listener via DNS (e.g. "ipgw.denninger.net" does NOT resolve both an IPv6 and IPv4 address) because by default StrongSwan WILL respond to an IPv6 connection attempt.=A0 You can configure it to run dual-stack but it's a bit tricky because your IPv6 prefix can (does) change dynamically and thus you need to have something to detect that and re-write the source IP and restart the stack if it happens.=A0 In addition Windows doesn't ad= d an IPv6 route when it brings up the VPN so you need to run a router advertisement daemon and do some work on the StrongSwan side, or have some other workaround (like adding a default route manually on the client, which is a five-alarm pain in the butt and violates the "it just works" aspect of IPv6.) Note that this configuration uses a machine certificate (not a user and password) so you need the "ca" stanza to tell the software who can issue certificates it will accept.=A0 You can also use the "secrets" file and eap-mschapv2 if you want for username/password authentication (in "rightauth") but I prefer the machine certificate option.=A0 Note that if= you do the user/password thing you also need "eap_identity=3D%any"=A0 I h= ave my own CA and OCSP responder that issues and answers for the machine certificates in question. There is another issue you may want to take care of dealing with Window's proposals.=A0 The Wiki on StrongSwan's site has details on this and is the reason I have a specific proposal set; it's not the best but is decent. If you don't set anything specific at all Windows' proposal will be laughably weak (try it and then do an "ipsec status" and you'll see what I mean) and StrongSwan will happily allow that.=A0 If you set something even better (e.g. modp2048) and haven't made the registry changes on the client side then a client that hasn't done it with registry changes (whether by Powershell or direct edit) will not be able to connect.=A0 Also be aware that by default Windows (since 1803 I think)= defaults to split routing which for most users of a VPN is NOT what they want.=A0 That's easily set, however, on the Windows client in the connection profile without having to engage in registry hackery (check the "default gateway on remote" box.) https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients --=20 Karl Denninger karl@denninger.net <mailto:karl@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/ --------------ms090903090805060301070805 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC DdgwggagMIIEiKADAgECAhMA5EiKghDOXrvfxYxjITXYDdhIMA0GCSqGSIb3DQEBCwUAMIGL MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTESMBAGA1UEBwwJTmljZXZpbGxlMRkw FwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRhIFN5c3RlbXMgQ0ExITAf BgNVBAMMGEN1ZGEgU3lzdGVtcyBMTEMgMjAxNyBDQTAeFw0xNzA4MTcxNjQyMTdaFw0yNzA4 MTUxNjQyMTdaMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRkwFwYDVQQKDBBD dWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRhIFN5c3RlbXMgQ0ExJTAjBgNVBAMMHEN1 ZGEgU3lzdGVtcyBMTEMgMjAxNyBJbnQgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK AoICAQC1aJotNUI+W4jP7xQDO8L/b4XiF4Rss9O0B+3vMH7Njk85fZ052QhZpMVlpaaO+sCI KqG3oNEbuOHzJB/NDJFnqh7ijBwhdWutdsq23Ux6TvxgakyMPpT6TRNEJzcBVQA0kpby1DVD 0EKSK/FrWWBiFmSxg7qUfmIq/mMzgE6epHktyRM3OGq3dbRdOUgfumWrqHXOrdJz06xE9NzY vc9toqZnd79FUtE/nSZVm1VS3Grq7RKV65onvX3QOW4W1ldEHwggaZxgWGNiR/D4eosAGFxn uYeWlKEC70c99Mp1giWux+7ur6hc2E+AaTGh+fGeijO5q40OGd+dNMgK8Es0nDRw81lRcl24 SWUEky9y8DArgIFlRd6d3ZYwgc1DMTWkTavx3ZpASp5TWih6yI8ACwboTvlUYeooMsPtNa9E 6UQ1nt7VEi5syjxnDltbEFoLYcXBcqhRhFETJe9CdenItAHAtOya3w5+fmC2j/xJz29og1KH YqWHlo3Kswi9G77an+zh6nWkMuHs+03DU8DaOEWzZEav3lVD4u76bKRDTbhh0bMAk4eXriGL h4MUoX3Imfcr6JoyheVrAdHDL/BixbMH1UUspeRuqQMQ5b2T6pabXP0oOB4FqldWiDgJBGRd zWLgCYG8wPGJGYgHibl5rFiI5Ix3FQncipc6SdUzOQIDAQABo4IBCjCCAQYwHQYDVR0OBBYE FF3AXsKnjdPND5+bxVECGKtc047PMIHABgNVHSMEgbgwgbWAFBu1oRhUMNEzjODolDka5k4Q EDBioYGRpIGOMIGLMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTESMBAGA1UEBwwJ TmljZXZpbGxlMRkwFwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRhIFN5 c3RlbXMgQ0ExITAfBgNVBAMMGEN1ZGEgU3lzdGVtcyBMTEMgMjAxNyBDQYIJAKxAy1WBo2kY MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC AQCB5686UCBVIT52jO3sz9pKuhxuC2npi8ZvoBwt/IH9piPA15/CGF1XeXUdu2qmhOjHkVLN gO7XB1G8CuluxofOIUce0aZGyB+vZ1ylHXlMeB0R82f5dz3/T7RQso55Y2Vog2Zb7PYTC5B9 oNy3ylsnNLzanYlcW3AAfzZcbxYuAdnuq0Im3EpGm8DoItUcf1pDezugKm/yKtNtY6sDyENj tExZ377cYA3IdIwqn1Mh4OAT/Rmh8au2rZAo0+bMYBy9C11Ex0hQ8zWcvPZBDn4v4RtO8g+K uQZQcJnO09LJNtw94W3d2mj4a7XrsKMnZKvm6W9BJIQ4Nmht4wXAtPQ1xA+QpxPTmsGAU0Cv HmqVC7XC3qxFhaOrD2dsvOAK6Sn3MEpH/YrfYCX7a7cz5zW3DsJQ6o3pYfnnQz+hnwLlz4MK 17NIA0WOdAF9IbtQqarf44+PEyUbKtz1r0KGeGLs+VGdd2FLA0e7yuzxJDYcaBTVwqaHhU2/ Fna/jGU7BhrKHtJbb/XlLeFJ24yvuiYKpYWQSSyZu1R/gvZjHeGb344jGBsZdCDrdxtQQcVA 6OxsMAPSUPMrlg9LWELEEYnVulQJerWxpUecGH92O06wwmPgykkz//UmmgjVSh7ErNvL0lUY UMfunYVO/O5hwhW+P4gviCXzBFeTtDZH259O7TCCBzAwggUYoAMCAQICEwCg0WvVwekjGFiO 62SckFwepz0wDQYJKoZIhvcNAQELBQAwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3Jp ZGExGTAXBgNVBAoMEEN1ZGEgU3lzdGVtcyBMTEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBD QTElMCMGA1UEAwwcQ3VkYSBTeXN0ZW1zIExMQyAyMDE3IEludCBDQTAeFw0xNzA4MTcyMTIx MjBaFw0yMjA4MTYyMTIxMjBaMFcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRkw FwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRswGQYDVQQDDBJrYXJsQGRlbm5pbmdlci5uZXQw ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+HVSyxVtJhy3Ohs+PAGRuO//Dha9A 16l5FPATr6wude9zjX5f2lrkRyU8vhCXTZW7WbvWZKpcZ8r0dtZmiK9uF58Ec6hhvfkxJzbg 96WHBw5Fumd5ahZzuCJDtCAWW8R7/KN+zwzQf1+B3MVLmbaXAFBuKzySKhKMcHbK3/wjUYTg y+3UK6v2SBrowvkUBC+jxNg3Wy12GsTXcUS/8FYIXgVVPgfZZrbJJb5HWOQpvvhILpPCD3xs YJFNKEPltXKWHT7Qtc2HNqikgNwj8oqOb+PeZGMiWapsatKm8mxuOOGOEBhAoTVTwUHlMNTg 6QUCJtuWFCK38qOCyk9Haj+86lUU8RG6FkRXWgMbNQm1mWREQhw3axgGLSntjjnznJr5vsvX SYR6c+XKLd5KQZcS6LL8FHYNjqVKHBYM+hDnrTZMqa20JLAF1YagutDiMRURU23iWS7bA9tM cXcqkclTSDtFtxahRifXRI7Epq2GSKuEXe/1Tfb5CE8QsbCpGsfSwv2tZ/SpqVG08MdRiXxN 5tmZiQWo15IyWoeKOXl/hKxA9KPuDHngXX022b1ly+5ZOZbxBAZZMod4y4b4FiRUhRI97r9l CxsP/EPHuuTIZ82BYhrhbtab8HuRo2ofne2TfAWY2BlA7ExM8XShMd9bRPZrNTokPQPUCWCg CdIATQIDAQABo4IBzzCCAcswPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8v b2NzcC5jdWRhc3lzdGVtcy5uZXQ6ODg4ODAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF oDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMDMGCWCG SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0O BBYEFLElmNWeVgsBPe7O8NiBzjvjYnpRMIHKBgNVHSMEgcIwgb+AFF3AXsKnjdPND5+bxVEC GKtc047PoYGRpIGOMIGLMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTESMBAGA1UE BwwJTmljZXZpbGxlMRkwFwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRh IFN5c3RlbXMgQ0ExITAfBgNVBAMMGEN1ZGEgU3lzdGVtcyBMTEMgMjAxNyBDQYITAORIioIQ zl6738WMYyE12A3YSDAdBgNVHREEFjAUgRJrYXJsQGRlbm5pbmdlci5uZXQwDQYJKoZIhvcN AQELBQADggIBAJXboPFBMLMtaiUt4KEtJCXlHO/3ZzIUIw/eobWFMdhe7M4+0u3te0sr77QR dcPKR0UeHffvpth2Mb3h28WfN0FmJmLwJk+pOx4u6uO3O0E1jNXoKh8fVcL4KU79oEQyYkbu 2HwbXBU9HbldPOOZDnPLi0whi/sbFHdyd4/w/NmnPgzAsQNZ2BYT9uBNr+jZw4SsluQzXG1X lFL/qCBoi1N2mqKPIepfGYF6drbr1RnXEJJsuD+NILLooTNf7PMgHPZ4VSWQXLNeFfygoOOK FiO0qfxPKpDMA+FHa8yNjAJZAgdJX5Mm1kbqipvb+r/H1UAmrzGMbhmf1gConsT5f8KU4n3Q IM2sOpTQe7BoVKlQM/fpQi6aBzu67M1iF1WtODpa5QUPvj1etaK+R3eYBzi4DIbCIWst8MdA 1+fEeKJFvMEZQONpkCwrJ+tJEuGQmjoQZgK1HeloepF0WDcviiho5FlgtAij+iBPtwMuuLiL shAXA5afMX1hYM4l11JXntle12EQFP1r6wOUkpOdxceCcMVDEJBBCHW2ZmdEaXgAm1VU+fnQ qS/wNw/S0X3RJT1qjr5uVlp2Y0auG/eG0jy6TT0KzTJeR9tLSDXprYkN2l/Qf7/nT6Q03qyE QnnKiBXWAZXveafyU/zYa7t3PTWFQGgWoC4w6XqgPo4KV44OMYIFBzCCBQMCAQEwgZIwezEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExGTAXBgNVBAoMEEN1ZGEgU3lzdGVtcyBM TEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBDQTElMCMGA1UEAwwcQ3VkYSBTeXN0ZW1zIExM QyAyMDE3IEludCBDQQITAKDRa9XB6SMYWI7rZJyQXB6nPTANBglghkgBZQMEAgMFAKCCAkUw GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwMTExMTYwMjI4 WjBPBgkqhkiG9w0BCQQxQgRAvRgFGAsWMbioDNhPrDctmB+YW7MRNvAB/qizDxVqWsOHN9iW Gx+0CzXXVWX4amlRo+BuOypz+SZT6D5114NkRTBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFl AwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3 DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGjBgkrBgEEAYI3EAQxgZUwgZIwezEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExGTAXBgNVBAoMEEN1ZGEgU3lzdGVtcyBM TEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBDQTElMCMGA1UEAwwcQ3VkYSBTeXN0ZW1zIExM QyAyMDE3IEludCBDQQITAKDRa9XB6SMYWI7rZJyQXB6nPTCBpQYLKoZIhvcNAQkQAgsxgZWg gZIwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExGTAXBgNVBAoMEEN1ZGEgU3lz dGVtcyBMTEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBDQTElMCMGA1UEAwwcQ3VkYSBTeXN0 ZW1zIExMQyAyMDE3IEludCBDQQITAKDRa9XB6SMYWI7rZJyQXB6nPTANBgkqhkiG9w0BAQEF AASCAgB5GL6ZaBzUJUEDSrQQjTILo3WccKY2oMB3KdambmuY3Jr3TULcStYxjBfbEPRl5V3w pkSs4xoHVO5V1/X7PMdKBrBR1LAGaaSeurAdnRU2KEw4n7xluqGNtatm9qJbe4BMblClt8aO cOtU0lb388NYtvaAJ8elzQJoye8tOFROvtjAtJXtX9N9vV+HgDv698MjgUp1eV6nn66NVb3n o/XqdAX12HAecpFnpLqA2Jda2UoCB1ToQ+BbKG3ZORirXqCudxq+jsJYeavmTaK77BiA/ieu n2JuYCxsKG68p9U9wvIYtFmams+yYnFJ7J81YKYZXDeIWNwVEO9xEsA+t7FA2s9yI4BCn0TH LzdRCED6wMLNEPaM1+uB6LimpxiyCsZnSiyWq6adDuEDKtCAKMPYDDUXCtBncdZUY/Y/PAH/ dhLlAEjc1+LLWiLBSjGAK64hIl7oARlh0ndilynoREYjmtzyzRoqmqUg5NpiOGs2Mgtzlbat RZhvZB7WL0rZw2pSBIYrUc5mf1O2f+qJ3hXiC5NCJzMcLKrVKx/SK0ZIcZPnuDO8N6x5kmXj 19xKxKC+CRGh1cNLIIYq2WxL/7DHElxy0LwJtnmZQIQNjyf40u/O3qAKxJyxJ7RUepKdeOGE uZfG2Y4kAa6tPpsSPQpapUo3s9lkoZeg2xi5tMHDnQAAAAAAAA== --------------ms090903090805060301070805--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b7b56621-6632-b811-4bf1-479e43e25678>