NEO2 strongswan ipsec ikev2 tunnel
Posted: Sun Jun 04, 2017 11:07 am
I'm failing to get this fully working on a NEO2 with a tunnel brought up to an AWS hosted Algo VPN server. It does partially work in so far as I've verified that ICMP ping traffic from the NEO2 is 100% successful. In addition my remote AWS hosted VPN is verified as 100% working fine with other strongswan VPN clients, it's just the NEO2 that I'm having difficulty with.
Incidentally I've also tried getting this working with the latest armbian experimental firmware for the NEO2 and I see exactly the same behavior there too - a partially working tunnel.
I've raised an issue with strongswan and there's some more information and wireshark traffic captures over there: https://wiki.strongswan.org/issues/2351 ... ue_id=2352
I'm not convinced this is an issue with strongswan and I'd appreciate some support verifying whether there's a NEO2 platform problem, kernel bug or some other low level problem here or not.
The steps to get this setup for testing are:
1. Create an Algo VPN hosted in AWS (free tier is good enough) with the ad block local DNS resolver enabled. Instructions for creating an Algo VPN are here: https://github.com/trailofbits/algo
2. Download the debian image for the NEO2: https://www.mediafire.com/folder/ah4i6w ... anoPi-NEO2 and prepare an sd card with the debian image as described here: http://wiki.friendlyarm.com/wiki/index. ... on_TF_Card
3. Insert the SD card and boot the device
4. SSH into the device and install one strongswan build dependency - the openssl dev tool headers: apt install libssl-dev
5. Download, build and install strongswan on the NEO2. These shell commands can be used for this part:
6. Configure a new ipsec tunnel - see the Linux strongSwan Clients example in the Algo page: https://github.com/trailofbits/algo. This example works well to get the tunnel configured. This is basically a case of copying some Algo created certificates from step 1 onto the NEO2 and modifying a few ipsec specific /etc config files
7. Modify the MSS for the tunnel on the NEO2 by adjusting the MSS via /etc/strongswan.d/charon/kernel-netlink.conf and set mss = 1280
8. Bring the tunnel up i.e. ipsec up <conection_name>
9. Perform a ping down the tunnel and verify it works i.e. ping google.com
10. Install curl i.e. apt install curl
11. Attempt to perform a curl call down the tunnel and verify it hangs and fails i.e. curl google.com
Steps to setup tcpdump for ipsec traffic capture for analysis in wireshark and further information is included in the strongswan issue: https://wiki.strongswan.org/issues/2351 ... ue_id=2352
Thanks for any help
Joe
Incidentally I've also tried getting this working with the latest armbian experimental firmware for the NEO2 and I see exactly the same behavior there too - a partially working tunnel.
I've raised an issue with strongswan and there's some more information and wireshark traffic captures over there: https://wiki.strongswan.org/issues/2351 ... ue_id=2352
I'm not convinced this is an issue with strongswan and I'd appreciate some support verifying whether there's a NEO2 platform problem, kernel bug or some other low level problem here or not.
The steps to get this setup for testing are:
1. Create an Algo VPN hosted in AWS (free tier is good enough) with the ad block local DNS resolver enabled. Instructions for creating an Algo VPN are here: https://github.com/trailofbits/algo
2. Download the debian image for the NEO2: https://www.mediafire.com/folder/ah4i6w ... anoPi-NEO2 and prepare an sd card with the debian image as described here: http://wiki.friendlyarm.com/wiki/index. ... on_TF_Card
3. Insert the SD card and boot the device
4. SSH into the device and install one strongswan build dependency - the openssl dev tool headers: apt install libssl-dev
5. Download, build and install strongswan on the NEO2. These shell commands can be used for this part:
Code: Select all
# get the strongSwan tarball
wget http://download.strongswan.org/strongswan-5.5.3.tar.bz2
# extract
tar xjf strongswan-5.5.3.tar.bz2
cd strongswan-5.5.3
# build strongswan with all required options to match algo
./configure -sysconfdir=/etc -prefix=/usr -libexecdir=/usr/lib \
-disable-aes -disable-des -disable-md5 -disable-sha1 -disable-sha2 \
-disable-fips-prf -disable-gmp -enable-openssl -enable-agent \
-enable-eap-gtc -enable-eap-md5 -enable-eap-mschapv2 -enable-eap-identity
make
# install
make install6. Configure a new ipsec tunnel - see the Linux strongSwan Clients example in the Algo page: https://github.com/trailofbits/algo. This example works well to get the tunnel configured. This is basically a case of copying some Algo created certificates from step 1 onto the NEO2 and modifying a few ipsec specific /etc config files
7. Modify the MSS for the tunnel on the NEO2 by adjusting the MSS via /etc/strongswan.d/charon/kernel-netlink.conf and set mss = 1280
8. Bring the tunnel up i.e. ipsec up <conection_name>
9. Perform a ping down the tunnel and verify it works i.e. ping google.com
10. Install curl i.e. apt install curl
11. Attempt to perform a curl call down the tunnel and verify it hangs and fails i.e. curl google.com
Steps to setup tcpdump for ipsec traffic capture for analysis in wireshark and further information is included in the strongswan issue: https://wiki.strongswan.org/issues/2351 ... ue_id=2352
Thanks for any help
Joe