I am running a strongSwan (U5.3.5/K4.4.0-62-generic) VPN server on Ubuntu 16.04.
Ususally, when I want to examine traffic on a server, I simply run something like the following:
tcpdump -ni eth0 "tcp port 80" -w log.pcap
On the VPN server it doesn't help me too much though. I only catch "regular" traffic, and no IPSEC traffic. I imagine it's because IPSEC operates one layer below TCP. But I would still like to capture some packets for inspection on Wireshark.
How can I accomplish that?
I'm trying to setting a VPN on Linux Mint 19.2.
I'm using the network-manager-strongswan so I added this file named VPN under /etc/NetworkManager/system-connections/
[connection]
id=VPN
uuid=be1d4fd1-bbaa-4aa9-9fdc-e293bf16fe67
type=vpn
autoconnect=false
permissions=
timestamp=1582680217
[vpn]
address=vpn********.it
certificate=
encap=yes
ipcomp=no
method=eap
password-flags=0
proposal=no
user=user
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan
[vpn-secrets]
password=password
[ipv4]
dns-search=
ignore-auto-dns=true
ignore-auto-routes=true
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=ignore
The connection is fine, I can access using ssh on the private network. The big issue is that after the connection I can't surf the internet, connecting to the vpn lock all other addresses.
I added the ignore-auto-routes flag in the config so why my connection is locked?
ip a output*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:3c:de:1b brd ff:ff:ff:ff:ff:ff
inet yy.16.209.132/24 brd yy.16.209.255 scope global dynamic noprefixroute ens33
valid_lft 1656sec preferred_lft 1656sec
inet yy.26.199.18/32 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::216e:bcc0:3b4f:44b2/64 scope link noprefixroute
valid_lft forever preferred_lft forever
route -n output
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 yy.16.209.2 0.0.0.0 UG 20100 0 0 ens33
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ens33
yy.16.209.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
yy.26.199.18 0.0.0.0 255.255.255.255 UH 50 0 0 ens33
yy.26.199.18 0.0.0.0 255.255.255.255 UH 100 0 0 ens33
ip xfrm policy output NO VPN
src yy.16.209.0/24 dst yy.16.209.0/24
dir fwd priority 175423
src yy.16.209.0/24 dst yy.16.209.0/24
dir in priority 175423
src yy.16.209.0/24 dst yy.16.209.0/24
dir out priority 175423
src 169.254.0.0/16 dst 169.254.0.0/16
dir fwd priority 183615
src 169.254.0.0/16 dst 169.254.0.0/16
dir in priority 183615
src 169.254.0.0/16 dst 169.254.0.0/16
dir out priority 183615
src fe80::/64 dst fe80::/64
dir fwd priority 134463
src fe80::/64 dst fe80::/64
dir in priority 134463
src fe80::/64 dst fe80::/64
dir out priority 134463
src yy.26.199.18/32 dst 0.0.0.0/0
dir out priority 383615
tmpl src yy.16.209.132 dst xx.xx.124.58
proto esp spi 0xc57cfb3f reqid 7 mode tunnel
src 0.0.0.0/0 dst yy.26.199.18/32
dir fwd priority 383615
tmpl src xx.xx.124.58 dst yy.16.209.132
proto esp reqid 7 mode tunnel
src 0.0.0.0/0 dst yy.26.199.18/32
dir in priority 383615
tmpl src xx.xx.124.58 dst yy.16.209.132
proto esp reqid 7 mode tunnel
src ::1/128 dst ::1/128
dir fwd priority 68927
src ::1/128 dst ::1/128
dir in priority 68927
src ::1/128 dst ::1/128
dir out priority 68927
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
ip xfrm policy output UNDER VPN
src yy.26.199.18/32 dst 0.0.0.0/0
dir out priority 383615
tmpl src yy.16.209.132 dst xx.xx.124.58
proto esp spi 0xc787ea42 reqid 2 mode tunnel
src 0.0.0.0/0 dst yy.26.199.18/32
dir fwd priority 383615
tmpl src xx.xx.124.58 dst yy.16.209.132
proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst yy.26.199.18/32
dir in priority 383615
tmpl src xx.xx.124.58 dst yy.16.209.132
proto esp reqid 2 mode tunnel
src fe80::/64 dst fe80::/64
dir fwd priority 134463
src fe80::/64 dst fe80::/64
dir in priority 134463
src fe80::/64 dst fe80::/64
dir out priority 134463
src ::1/128 dst ::1/128
dir fwd priority 68927
src ::1/128 dst ::1/128
dir in priority 68927
src ::1/128 dst ::1/128
dir out priority 68927
src yy.16.209.0/24 dst yy.16.209.0/24
dir fwd priority 175423
src yy.16.209.0/24 dst yy.16.209.0/24
dir in priority 175423
src yy.16.209.0/24 dst yy.16.209.0/24
dir out priority 175423
src 169.254.0.0/16 dst 169.254.0.0/16
dir fwd priority 183615
src 169.254.0.0/16 dst 169.254.0.0/16
dir in priority 183615
src 169.254.0.0/16 dst 169.254.0.0/16
dir out priority 183615
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
Diffing the outputs I can see this piece is added while the VPN is connected:
src yy.26.199.18/32 dst 0.0.0.0/0
dir out priority 383615
tmpl src yy.16.209.132 dst xx.xx.124.58
proto esp spi 0xc787ea42 reqid 2 mode tunnel
src 0.0.0.0/0 dst yy.26.199.18/32
dir fwd priority 383615
tmpl src xx.xx.124.58 dst yy.16.209.132
proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst yy.26.199.18/32
dir in priority 383615
tmpl src xx.xx.124.58 dst yy.16.209.132
proto esp reqid 2 mode tunnel
I tried a lot of things but with no luck.
Metric for yy.26.199.18 to 1050 and 1100.route del default && ip route add default via yy.26.199.18 dev ens33and a lot of others stupid stuff.
So I want to use my connection for the "normal internet" while routing specific addresses through VPN.
It is possible?
I would like clients to try reconnecting indefinitely if server is down so when it comes back, the client simply reconnects.
Client ipsec.conf
conn %default
ike=aes256gcm16-sha384-modp3072!
esp=aes256gcm16-sha384-modp3072!
conn ikev2
auto=start
[email protected]
leftsourceip=%config
leftauth=eap-tls
leftcert=vpn-client.crt
right=my-vpn.com
rightid=my-vpn.com
rightsubnet=0.0.0.0/0
rightauth=pubkey
I've been asked to deploy an IPSEC server for a project and after doing some research, StrongSwan looks like a good candidate. Since this project requires top security, I decided to install the latest version of StrongSwan (5.6.2) as it seems to fix a few security issues and what-not.
So I've spent the past few days working out how to configure it, which I have been able to do using /etc/ipsec.conf, however, on reading StrongSwan's website, is now a legacy way of setting it up.
The recommended way of configuring strongSwan is via the powerful vici interface and the swanctl command line tool. The swanctl.conf configuration file used by swanctl is stored together with certificates and corresponding private keys in the swanctl directory. Global strongSwan settings as well as plugin-specific configurations are defined in strongswan.conf.
Alternatively the legacy ipsec stroke interface and its ipsec.conf and ipsec.secrets configuration files may be used.
So now I am in the process of trying to change the configuration to use a file stored in /etc/swanctl/conf.d instead...
So my question is this:
Does anyone know how to build StrongSwan from source and have it start with the Server (Ubuntu 16.04) and use the new configuration method?
My configure line looks like this
./configure --prefix=/usr --sysconfdir=/etc \
--enable-systemd --enable-swanctl \
--disable-charon --disable-stroke --disable-scepclient \
--enable-gcm --enable-eap-tls
but this still doesnt start with the Server, nor can I find any strongswan or strongswan-swanctl for startup.
My current ipsec.conf looks like this
conn %default
auto=add
forceencaps=yes
keyexchange=ikev2
keyingtries=1
ike=aes256-sha256-modp2048!
esp=aes256-sha256,aes128-sha256!
dpdaction=clear
inactivity=120s
leftsendcert=always
leftcert=vpn-server-cert.pem
leftsubnet=10.0.0.0/20
leftid=@vpnserver
rightsourceip=172.16.0.0/12
eap_identity=%identity
conn ikev2-cert
rightauth=eap-tls
which 'I think' translates to this
connections {
rw {
version = 2
send_certreq = yes
proposals = aes256-sha256-modp2048!
encap = yes
dpd_delay = 30s
local {
auth = eap-tls
certs = vpn-server-cert.pem
id = vpnserver
}
remote {
auth = eap-tls
}
children {
net {
local_ts = 172.16.0.0/12
esp_proposals = aes256-sha256,aes128-sha256!
inactivity = 120s
}
}
}
}
After many days of searching on Google, through Serverfault, and even on the StrongSwan website, I have been unsuccessful in attempting to get StrongSwan IPSec/IKEv2 VPN working on OS X 10.11.5 and iOS 10. I have been very successful in getting it to work on Windows 10 Pro Insider Preview and Android - neither of which are relevant to my travel arrangements where I will only have a Mac notebook and iOS 10 devices.
I have two StrongSwan VPN Servers setup - one in London and one in San Francisco, both with nearly identical configurations.
Having followed https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html I was able to quickly setup both servers and issue a single client certificate for Windows 10 Pro Insider Preview and Android. However, when I copy the p12s of the two servers over to OS X and iOS to create the VPNs I am presented with questions I didn't get what the other two operating systems.
I can seem to find a definitive answer on what is a "Remote ID" and "Local ID" and how does this pertain to me establishing a certificate based authenticated connection to the SwanStrong VPN Server?
From what little I have been able to find I have learned the following:
Local ID must match the CN or SAN specified in the certificate (i.e. [email protected])Remote ID is required by both OS X and iOS but I have no idea what to put in this input fieldThis is one of the StrongSwan server configurations (the one I have been testing against):
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-s$
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128$
dpdaction=clear
dpddelay=300s
authby=pubkey
left=%any
leftid=subdomain5.subdomain4.subdomain3.subdomain2.subdomain.domain.net
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.der
leftsendcert=always
right=%any
rightsourceip=172.11.22.0/24,2002:25f7:7489:3::/112
rightdns=8.8.8.8,2001:4860:4860::8888
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
How can I correctly provision the VPN Tunnel on OS X 10.11.5 and iOS 10 with the same certificates used by Windows and Android?