
I have a server hosted on IP <server_ip>. I have a personal computer at home, behind a router. The box's public IP is <router_ip>. The client has a local IP on the router's subnet, which is called <local_ip>.

The server is on Ubuntu 18.04, the local computer is on Ubuntu 20.04. Both are up to date, and strongSwan was installed on each using the following command

apt install strongswan strongswan-swanctl

The server got strongSwan 5.6.2, the client got strongSwan 5.8.2.

I created a CA, a serv and an enduser certificate, using the following commands with the strongswan-pki package

ipsec pki --gen --outform pem > ca.key
ipsec pki --self --in ca.key --dn "C=FR,O=Test,CN=Test CA" --ca --outform pem > ca.crt
ipsec pki --gen --outform pem > serv.key
ipsec pki --issue --in serv.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=serv" --san serv --outform pem > serv.crt
ipsec pki --gen --outform pem > enduser.key
ipsec pki --issue --in enduser.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=enduser" --san enduser --outform pem > enduser.crt

I modified nothing except /etc/swanctl/swanctl.conf on both sides

Server /etc/swanctl/swanctl.conf

connections {
    server {
        local {
            auth = pubkey
            certs = serv.crt
            id = "serv"
        }
        remote {
            auth = pubkey
            id = "enduser"
        }
        children {
            host {
                start_action = trap
            }
        }
    }
}

Client /etc/swanctl/swanctl.conf

connections {
    client-server {
        remote_addrs = <server_ip>

        local {
            auth = pubkey
            certs = enduser.crt
            id = "enduser"
        }
        remote {
            auth = pubkey
            id = "serv"
        }
        children {
            to-host {
                start_action = trap
            }
        }
    }
}

On the server, I put the certificates in the following places

/etc/swanctl/x509/serv.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/serv.key

On the client, I have these certificates

/etc/swanctl/x509/enduser.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/enduser.key

Then I run the following command on both server and client

swanctl --load-conns && swanctl --load-creds

and on the client

swanctl --initiate --child to-host

But it fails with the following error on the client side

[IKE] establishing CHILD_SA to-host{7}
[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
[NET] sending packet: from <local_ip>[4500] to <server_ip>[4500] (256 bytes)
[NET] received packet: from <server_ip>[4500] to <local_ip>[4500] (80 bytes)
[ENC] parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA

Server side logs (using swanctl -T) are below

08[IKE] traffic selectors <server_ip>/32[tcp/ssh] <server_ip>/32 === <local_ip>/32[tcp/55592] <local_ip>/32 inacceptable
08[IKE] failed to establish CHILD_SA, keeping IKE_SA
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
08[NET] sending packet: from <server_ip>[4500] to <routeur_ip>[59527] (1184 bytes)
16[NET] received packet: from 86.234.97.45[59527] to <server_ip>[4500] (256 bytes)
16[ENC] parsed CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
16[IKE] traffic selectors <server_ip>/32 === <local_ip>/32 inacceptable

Can anyone explain to me what I did wrong? I thought the TS should be negotiated automatically.

Dazounet
  • You need to check the logs on the server. – Michael Hampton Oct 14 '20 at 16:46
  • Are the changes you made really all of the changes? If so you're neither loading the CA nor providing the remote cert so remote authentication will always fail. – Ginnungagap Oct 15 '20 at 06:25
  • Yeah, I added the server side logs. I'm not a pro with strongSwan, so I guess TS negotiation is not the one I want... Normally I don't have to provide the remote cert as I use the CA to approve of it, no? The CA cert is loaded correctly when using swanctl -s && swanctl -c (it's shown as loaded given the following output when using this command on the server (same on the end user): successfully loaded 1 connections, 0 unloaded loaded certificate from '/etc/swanctl/x509/serv.crt' loaded certificate from '/etc/swanctl/x509ca/ca.crt' loaded rsa key from '/etc/swanctl/private/serv.key' – Dazounet Oct 15 '20 at 07:54
  • The authentication is not the problem, it's actually the traffic selectors because of the NAT. You might want to assign a [virtual IP address](https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp) to the client (if you don't, you have to configure _remote_ts_ on the server so it includes the client's private IP address). – ecdsa Oct 15 '20 at 08:02

1 Answer


So, thanks to ecdsa I got the answer.

I had to add a remote_ts to the server's swanctl.conf file.

So now the server swanctl.conf is as below

connections {
    server {
        local {
            auth = pubkey
            certs = serv.crt
            id = "serv"
        }
        remote {
            auth = pubkey
            id = "enduser"
        }
        children {
            host {
                start_action = trap
                remote_ts = <local_subnet>/24
            }
        }
    }
}

But to be honest, I don't know how it was fixed. I read https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal and https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp but I'm not 100% sure what I did. I believe it's because the server doesn't naturally know how to address data to the client (because the client asks from its public IP but wants the answer on its local IP) and we have to force it to do as we want. But I'm not sure. Is there any documentation that can help me understand the concepts inherent to traffic selectors?

Dazounet
  • The traffic selectors simply specify what traffic is tunneled. If none are specified, the default value is _dynamic_, which gets replaced with the actual IP address of the host (or a virtual IP if one is assigned). Due to the NAT, the local traffic selector proposed by the client (its private IP) won't match the remote traffic selector the server derives from the client's public IP. So you have to explicitly configure the remote TS on the server. The alternative is to assign a virtual IP to the client (via _pools_) that the client can request (via _vips_). – ecdsa Oct 15 '20 at 13:05
  • Thanks for the explanations! – Dazounet Oct 15 '20 at 14:17
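The responder-side narrowing that ecdsa describes in the comments, modelled as an added Python example (not code from the question or from strongSwan); the addresses are constructed placeholders for <server_ip>, <router_ip>, <local_ip> and <local_subnet>, and the three scenario functions correspond to the original config, the accepted remote_ts fix, and the virtual IP alternative.

```python
import ipaddress

# Constructed sample addresses standing in for the page's <server_ip>, <router_ip>,
# <local_ip> and <local_subnet> placeholders (documentation ranges, not real hosts).
SERVER_IP = ipaddress.ip_network("203.0.113.10/32")
ROUTER_IP = ipaddress.ip_network("198.51.100.7/32")   # client's public (NATed) address
LOCAL_IP = ipaddress.ip_network("192.168.1.20/32")    # client's private address behind the router
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")
VIRTUAL_IP = ipaddress.ip_network("10.10.0.1/32")     # address a server-side pool would assign

def narrow(proposed, configured):
    """Intersect the peer's proposed selectors with the locally configured ones.
    An empty result is what the logs report as TS_UNACCEPTABLE / 'inacceptable'."""
    common = []
    for p in proposed:
        for c in configured:
            if p.subnet_of(c):
                hit = p
            elif c.subnet_of(p):
                hit = c
            else:
                continue
            if hit not in common:
                common.append(hit)
    return common

def server_decides(tsi, tsr, server_local_ts, server_remote_ts):
    """Responder check: TSi must fit the server's remote_ts, TSr its local_ts.
    Returns the narrowed (tsi, tsr) pair, or None for TS_UNACCEPTABLE."""
    narrowed_i = narrow(tsi, server_remote_ts)
    narrowed_r = narrow(tsr, server_local_ts)
    if not narrowed_i or not narrowed_r:
        return None
    return narrowed_i, narrowed_r

def original_config():
    # Both sides leave the TS at 'dynamic'. The client fills in its own private IP,
    # but the server derives its remote 'dynamic' TS from the IKE peer address it
    # sees, which behind NAT is the router's public IP, so the two never overlap.
    return server_decides([LOCAL_IP], [SERVER_IP], [SERVER_IP], [ROUTER_IP])

def with_remote_ts():
    # The accepted fix: remote_ts = <local_subnet>/24 on the server, so the client's
    # proposed private /32 is narrowed to itself and accepted.
    return server_decides([LOCAL_IP], [SERVER_IP], [SERVER_IP], [LOCAL_SUBNET])

def with_virtual_ip():
    # The alternative from the comments: the server assigns a virtual IP from a pool and
    # both sides replace 'dynamic' with that address, so they agree by construction.
    return server_decides([VIRTUAL_IP], [SERVER_IP], [SERVER_IP], [VIRTUAL_IP])
```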