openswan interview questions
Top openswan frequently asked interview questions
How do I configure raspberry pi as VPN-CLIENT?
I tried to use OpenVPN/openswan/strongSwan but failed every time.
Can you recommend a SIMPLE method to do that?
My server is a FortiGate FW.
Thanks!
Tom.zabari
Source: (StackOverflow)
I am trying to link openswan/pluto statically by adding the '-static' option to ld, but then I get the following error:
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.9/crtbeginT.o: relocation
R_X86_64_32 against `TMC_END' can not be used when making a shared
object; recompile with -fPIC
I cannot figure out what this means or why it happens; can anyone help?
The link options I used are:
-static -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now
It seems that -static may be incompatible with -pie; see this page.
The program links successfully if -pie is removed.
Source: (StackOverflow)
I'm stuck on an IPsec configuration. I have to connect to a remote network (client-to-site!) where there is a FortiGate firewall. On the left side (where I have access; this is my dedicated server) I have CentOS with a public IP (HTTP server). On the right side is the FortiGate and, behind it, the network I have to reach. So I have to communicate from my server (with the public IP) to a server on the remote side.
At this moment I can establish the tunnel, so authentication is OK, but the network is unreachable.
I'm using Openswan U2.6.32/K3.10.23-xxxx-std-ipv6-64 (netkey)
My configuration:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    virtual_private=%v4:10.0.0.0/24,%v4:192.168.15.0/24,%v4:172.16.0.0/12
    nat_traversal=yes
    oe=off
    plutostderrlog=/var/log/pluto.log
    protostack=netkey

conn connection
    aggrmode=no
    authby=secret
    auto=start
    ike=aes256-sha2_256
    ikelifetime=86400s
    keylife=43200s
    left=%my_ip
    leftnexthop=%defaultroute
    leftsourceip=%my_ip
    leftsubnet=192.168.15.0/24
    pfs=no
    auth=esp
    esp=aes256-sha2_256
    right=%remote_gw
    rightsubnet=10.10.7.0/24
    type=tunnel

net.ipv4.ip_forward = 1
I also have this rule:
-A POSTROUTING -s 192.168.15.0/24 -d 10.10.7.0/24 -j SNAT --to %my_ip
What am I missing? Or maybe there is another solution to connect to the remote host using IPsec?
ip route shows this:
10.10.7.0/24 via %my_ip dev eth0 src %my_ip
ipsec verify result:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K3.10.23-xxxx-std-ipv6-64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
A few years ago I was using Openswan for a site-to-site connection and, as far as I remember, there was a ppp0 interface and it was simple. Now Openswan uses NAT-T and it's diabolically complicated.
Maybe I should add a MASQUERADE rule to iptables? But I don't know exactly what I should add.
Any ideas?
Source: (StackOverflow)
I have an IPsec VPN connection set up between RHEL 6.5 using openswan 2.6.32 and Windows Server 2012 R2 using Windows Firewall VPN.
When there are no existing connections, pinging from RHEL to Windows does not work.
But whenever I start pinging from Windows to RHEL, the connection establishes immediately and ping then works both ways.
This works until the connection times out or until I restart the openswan service.
I found an error in /var/log/secure:
Apr 27 19:11:38 hostname pluto[9482]: packet from 192.168.1.4:500: missing payload(s) (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2KE+ISAKMP_NEXT_v2Ni). Message dropped.
Grateful if anyone could shed some light on the matter.
Thanks and Regards.
Source: (StackOverflow)
I use OpenSwan IPSec tunnel on CentOS 6.7.
I can list RSA keys in my NSS database using this command:
ipsec showhostkey --list
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
1(1): RSA keyid: AQPAhum5U with id: (none)
1(2): RSA keyid: AQPAhum5U with id: (none)
But when I try to execute ipsec showhostkey --rsaid, it fails with "You must specify some operation":
ipsec showhostkey --rsaid AQPAhum5U
You must specify some operation
Usage: ipsec showhostkey [--ipseckey {gateway}] [--left ] [--right ]
[--dump ] [--list ] [--x509self]
[--x509req ] [--x509cert ]
[ --txt gateway ] [--dhclient ]
[ --file secretfile ]
[ --keynum count ] [ --id identity ]
[ --rsaid keyid ] [--verbose] [--version]
What is interesting is that without the argument it fails with the correct error, "option '--rsaid' requires an argument":
ipsec showhostkey --rsaid
/usr/libexec/ipsec/showhostkey: option '--rsaid' requires an argument
Usage: ipsec showhostkey [--ipseckey {gateway}] [--left ] [--right ]
[--dump ] [--list ] [--x509self]
[--x509req ] [--x509cert ]
[ --txt gateway ] [--dhclient ]
[ --file secretfile ]
[ --keynum count ] [ --id identity ]
[ --rsaid keyid ] [--verbose] [--version]
How do I execute ipsec showhostkey --rsaid?
Answer
The answer is not mine, therefore I cannot add it as the answer.
The command expects a --left or --right operation:
ipsec showhostkey --rsaid AQPAhum5U --left
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
; picking by rsakeyid=AQPAhum5U
# rsakey AQPAhum5U
leftrsasigkey=
ipsec showhostkey --rsaid AQPAhum5U --right
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
; picking by rsakeyid=AQPAhum5U
# rsakey AQPAhum5U
Source: (StackOverflow)
I'm having issues with the openswan VPN client. When the VPN tunnel is first established the connection works fine. If the VPN server reboots, openswan seems to delete the connection from the client machine's routing table. After the VPN server is rebooted the tunnel is re-established correctly, but nothing goes through it, because openswan doesn't update the routing table of the client machine. If I manually add the VPN connection to the routing table with ip route add, the connection works fine again.
I've tried different dpdactions and timeouts, and I've removed all the rules from the firewall of the client machine, but nothing seems to work.
What causes openswan not to update the routing table after the VPN connection is re-established?
Here is the /etc/ipsec.conf of the client machine:
ipsec.conf
version 2.0

config setup
    plutodebug="control"
    nat_traversal=yes
    keep_alive=15
    force_keepalive=yes
    protostack=netkey

conn home
    left=%defaultroute
    leftsubnet=...
    leftsourceip=...
    leftcert=client.crt
    right=...
    rightsubnet=...
    rightrsasigkey=%cert
    rightcert=server.crt
    rightid=%fromcert
    authby=rsasig
    #Phase 1
    keyexchange=ike
    ike=aes256-sha1
    #Phase 2
    phase2alg=aes256-sha1
    keylife=28800s
    rekeymargin=540s
    rekeyfuzz=100%
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart
    forceencaps=yes
    auto=start
Source: (StackOverflow)
I tried to use Openswan IPsec connections to build a host-to-host tunnel. In the ipsec.conf files, the "phase2alg" option is set to different encryption methods on the two hosts, such as:
"phase2alg=aes-md5;modp1024"
"phase2alg=3des-md5;modp1024"
Why can the IPsec channels still be established?
The "service ipsec status" command displays:
IPsec running - pluto pid: 5222
pluto pid 5222 2 tunnels up
some eroutes exist
Viewing the "/var/log/secure" file, you can see that the ends of the messages are different:
host1:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x77f56195 <0x3307e080 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
DPD=none}
host2:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd55b42f0
<0x35f6a0a7 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
Has it been successful?
Source: (StackOverflow)
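The pluto lines quoted in this post (one "IPsec SA established" line per host) and in the Windows Server post above (the "missing payload(s) ... Message dropped." line) are where a practitioner verifies what was actually negotiated, rather than what ipsec.conf intended. The following Python script is an added example, not code from openswan or from any of the posters: it parses such lines into events, splits the xfrm= token into cipher, key length and integrity algorithm, and reports SAs that use 3DES or MD5, SAs whose cipher differs from the one the configuration expected, and dropped IKE packets. The sample log is constructed from the messages quoted on this page; the '"my-tunnel" #2:' prefix in it is an assumption about pluto's line layout, and the regular expressions anchor on the phrases shown above rather than on that prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample, modelled on the pluto messages quoted in the posts above.
# The '"my-tunnel" #2:' prefix is an assumption about pluto's line layout.
SAMPLE_LOG = """\
Apr 27 19:11:38 rhel65 pluto[9482]: packet from 192.168.1.4:500: missing payload(s) (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2KE+ISAKMP_NEXT_v2Ni). Message dropped.
Apr 27 19:12:01 host1 pluto[5222]: "my-tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x77f56195 <0x3307e080 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Apr 27 19:12:03 host2 pluto[5301]: "my-tunnel" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd55b42f0 <0x35f6a0a7 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""

# Matches the "IPsec SA established" line: state, mode, outbound/inbound SPI and xfrm token.
SA_RE = re.compile(
    r"(?P<host>\S+) pluto\[(?P<pid>\d+)\]: .*?(?P<state>STATE_QUICK_[IR]2):.*?"
    r"IPsec SA established (?P<mode>tunnel|transport) mode \{ESP=>(?P<spi_out>0x[0-9a-f]+) "
    r"<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)"
)
# Matches pluto's "packet from A.B.C.D:port: <reason>. Message dropped." line.
DROP_RE = re.compile(
    r"(?P<host>\S+) pluto\[(?P<pid>\d+)\]: packet from (?P<peer>[\d.]+):(?P<port>\d+): "
    r"(?P<reason>.*?)\. Message dropped\."
)
# Algorithms a current policy should not accept in a negotiated SA.
WEAK = {"DES", "3DES", "MD5", "NULL"}


@dataclass
class SaEvent:
    host: str
    state: str
    mode: str
    spi_out: str
    spi_in: str
    cipher: str      # e.g. "AES"
    keybits: int     # 0 = not reported (pluto prints 3DES_0)
    integrity: str   # e.g. "HMAC_MD5"


@dataclass
class DropEvent:
    host: str
    peer: str
    reason: str


def parse_xfrm(xfrm: str):
    """Split pluto's xfrm=ENC_BITS-INTEG token, e.g. '3DES_0-HMAC_MD5' -> ('3DES', 0, 'HMAC_MD5')."""
    enc, integ = xfrm.split("-", 1)
    name, _, bits = enc.partition("_")
    return name, int(bits or 0), integ


def parse_pluto_log(text: str) -> List[Union[SaEvent, DropEvent]]:
    """Turn the lines we recognise into events; every other line is ignored."""
    events: List[Union[SaEvent, DropEvent]] = []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            cipher, bits, integ = parse_xfrm(m["xfrm"])
            events.append(SaEvent(m["host"], m["state"], m["mode"],
                                  m["spi_out"], m["spi_in"], cipher, bits, integ))
            continue
        m = DROP_RE.search(line)
        if m:
            events.append(DropEvent(m["host"], m["peer"], m["reason"]))
    return events


def audit(text: str, expected_cipher: Optional[str] = None) -> List[str]:
    """Findings: weak algorithms, SAs not using the intended cipher, dropped IKE packets."""
    findings = []
    for ev in parse_pluto_log(text):
        if isinstance(ev, DropEvent):
            findings.append(f"{ev.host}: IKE packet from {ev.peer} dropped ({ev.reason})")
            continue
        algs = {ev.cipher, ev.integrity.replace("HMAC_", "")}
        weak = sorted(algs & WEAK)
        if weak:
            findings.append(f"{ev.host}: SA {ev.spi_out} uses weak algorithm(s) {','.join(weak)}")
        if expected_cipher and ev.cipher != expected_cipher:
            findings.append(f"{ev.host}: SA {ev.spi_out} negotiated {ev.cipher}, "
                            f"configuration expected {expected_cipher}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, expected_cipher="AES"):
        print(finding)
```

Run against the constructed sample with an expected cipher of AES, the script reports host1's 3DES/MD5 SA both as weak and as a mismatch, host2's AES-256/MD5 SA as weak because of MD5, and the dropped packet from the 192.168.1.4 peer; the point is that each host's own log line is the authoritative record of the SA it negotiated, so the check has to be run on both ends.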
I have started a POC to enable Openswan in our product.
Unfortunately I can see clear-text traffic from left to right, so it is a critical problem that will prevent me from using Openswan in production.
I supposed that any communication from left to right and vice versa would be encrypted by Openswan.
1) I have configured Openswan on CentOS 6 using the following instructions:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
The final configuration is below:
conn my-tunnel
    ike=3des-md5
    esp=3des-md5
    left=172.16.0.2
    leftnexthop=%defaultroute
    leftrsasigkey=0...ww==
    right=172.16.0.1
    rightnexthop=%defaultroute
    rightrsasigkey=0s...rQ==
    authby=rsasig
    keyingtries=10
    # load and initiate automatically
    compress=no
    auto=start
2) I have tested the connection on both sides.
Left side:
tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:02:00.444491 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26425), length 124
10:02:00.445414 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e1d), length 84
Right side:
tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:02:33.123685 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e4c), length 156
10:02:33.132466 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26444), length 172
3) I have started the chat server on the left:
nc -vv -l 172.16.0.2 1234
And then connected on the right:
nc 172.16.0.2 1234
Unfortunately, when I capture the traffic using the following command I can see clear-text traffic from left to right:
tcpdump -vv -n -s0 -w ipsecchat.cap tcp port 1234
Please note that traffic from right to left is encrypted.
What is wrong?
Please help.
Added
I discovered the following: the plain text appears only if I type on the side other than the one where I capture the traffic (execute tcpdump).
For example, if I capture on the left side and type on the right side, the capture contains the plain text. But if I capture on the left side and type on the left side, the capture contains the encrypted text.
Please help me understand whether this is expected behaviour or a critical security problem in Openswan.
Source: (StackOverflow)
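Several of the configurations on this page (the FortiGate client-to-site conn with pfs=no and a leftsourceip outside leftsubnet, the client conn with phase2alg=aes256-sha1, and the host-to-host conn with ike=3des-md5/esp=3des-md5 above) are the kind of thing a reviewer would want to check mechanically before debugging reachability or capture results. The following Python script is an added example, not part of openswan or of any post here: it parses the ipsec.conf layout used on this page (unindented "config setup" and "conn NAME" headers, indented key=value parameters, "#" comments) and flags weak algorithms in ike=/esp=/phase2alg=, pfs=no, aggressive mode combined with a PSK, a sourceip that lies outside its own subnet, and overlapping left/right subnets. The sample configuration is constructed from the settings shown in the posts, with 203.0.113.10 and 198.51.100.1 (documentation addresses) standing in for the %my_ip and %remote_gw placeholders; values that still start with "%" are skipped by the address checks.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed ipsec.conf assembled from the settings shown in the posts above.
# 203.0.113.10 / 198.51.100.1 replace the posters' %my_ip / %remote_gw placeholders.
SAMPLE_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey

conn connection
    authby=secret
    auto=start
    ike=aes256-sha2_256
    left=203.0.113.10
    leftsourceip=203.0.113.10
    leftsubnet=192.168.15.0/24
    pfs=no
    esp=aes256-sha2_256
    right=198.51.100.1
    rightsubnet=10.10.7.0/24
    type=tunnel

conn my-tunnel
    ike=3des-md5
    esp=3des-md5
    left=172.16.0.2
    right=172.16.0.1
    authby=rsasig
    auto=start
"""

# Algorithm tokens that should not appear in a current IKE/ESP proposal.
WEAK_ALG = re.compile(r"\b(3des|des|md5|modp768|modp1024|null)\b", re.IGNORECASE)

Sections = Dict[str, Dict[str, str]]


def parse_ipsec_conf(text: str) -> Sections:
    """Return {section: {key: value}}: 'setup' for config setup, the conn name for each conn."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: 'version', 'config' or 'conn'
            parts = line.split()
            if parts[0] == "version":
                continue
            if parts[0] in ("config", "conn") and len(parts) > 1:
                current = parts[1]
                sections[current] = {}
                continue
            raise ValueError(f"unexpected top-level line: {line!r}")
        if current is None or "=" not in line:
            raise ValueError(f"parameter outside a section or malformed: {line!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def _network(value: str):
    return ipaddress.ip_network(value, strict=False)


def lint(sections: Sections) -> List[Tuple[str, str]]:
    """Return (conn_name, finding) pairs for the security-relevant settings checked here."""
    findings = []
    for name, p in sections.items():
        if name == "setup":
            continue
        for key in ("ike", "esp", "phase2alg"):
            val = p.get(key)
            if val:
                weak = sorted({m.lower() for m in WEAK_ALG.findall(val)})
                if weak:
                    findings.append((name, f"{key}={val} uses weak algorithm(s): {', '.join(weak)}"))
        if p.get("pfs", "yes") == "no":
            findings.append((name, "pfs=no: compromise of the IKE SA keys exposes every child SA keyed from it"))
        if p.get("aggrmode") == "yes" and p.get("authby") == "secret":
            findings.append((name, "aggrmode=yes with authby=secret: aggressive mode sends the PSK-derived hash unprotected"))
        for side in ("left", "right"):
            src, subnet = p.get(f"{side}sourceip"), p.get(f"{side}subnet")
            if src and subnet and not src.startswith("%") and not subnet.startswith("%"):
                if ipaddress.ip_address(src) not in _network(subnet):
                    findings.append((name, f"{side}sourceip={src} is outside {side}subnet={subnet}; "
                                           "traffic sourced from the gateway itself will not match the tunnel policy"))
        ls, rs = p.get("leftsubnet"), p.get("rightsubnet")
        if ls and rs and not ls.startswith("%") and not rs.startswith("%"):
            if _network(ls).overlaps(_network(rs)):
                findings.append((name, f"leftsubnet={ls} overlaps rightsubnet={rs}"))
    return findings


if __name__ == "__main__":
    for conn, msg in lint(parse_ipsec_conf(SAMPLE_CONF)):
        print(f"[{conn}] {msg}")
```

On the constructed sample the linter reports pfs=no and the out-of-subnet leftsourceip for "connection", and the 3DES/MD5 proposals in both ike= and esp= for "my-tunnel"; the setup section is parsed but not judged, and a conn that sets neither weak algorithms nor the flagged options produces no findings.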