[GUIDE] strongSwan for IPsec on OpenWrt and Homeware


a1pollo, Reply #90, 27 April 2020, 16:58:
So:
Code:
opkg list | grep strongswan | awk '{print $1}' | xargs opkg remove --force-removal-of-dependent-packages
opkg list | grep strongswan | awk '{print $1}' | xargs opkg remove --force-removal-of-dependent-packages
removes everything; it is repeated twice because otherwise the strongswan package remains. Then we manually remove the ipsec.d folder and the two ipsec.* files.

I tried reinstalling the script again; I fixed the ddns "only.for.testing", the script works, it creates the keys and starts the daemon:
Code:
:clap:
Mon Apr 27 16:20:35 2020 authpriv.info ipsec_starter[1306]: Starting strongSwan 5.6.3 IPsec [starter]...
Mon Apr 27 16:20:35 2020 daemon.err modprobe: ah4 is already loaded
Mon Apr 27 16:20:36 2020 daemon.err modprobe: esp4 is already loaded
Mon Apr 27 16:20:36 2020 daemon.err modprobe: ipcomp is already loaded
Mon Apr 27 16:20:36 2020 daemon.err modprobe: xfrm4_tunnel is already loaded
Mon Apr 27 16:20:36 2020 daemon.err modprobe: xfrm_user is already loaded
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.1.38, armv7l)
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic dhcp
Mon Apr 27 16:20:36 2020 daemon.info charon: 00[JOB] spawning 16 worker threads
Mon Apr 27 16:20:36 2020 authpriv.info ipsec_starter[1306]: charon (1376) started after 60 ms
Mon Apr 27 16:23:44 2020 daemon.info odhcpd[2831]: Using a RA lifetime of 0 seconds on wl0_2
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[DMN] signal of type SIGINT received. Shutting down
Mon Apr 27 16:23:52 2020 authpriv.info ipsec_starter[1306]: charon stopped after 200 ms
Mon Apr 27 16:23:52 2020 authpriv.info ipsec_starter[1306]: ipsec starter stopped
Mon Apr 27 16:23:52 2020 authpriv.info ipsec_starter[2396]: Starting strongSwan 5.6.3 IPsec [starter]...
Mon Apr 27 16:23:52 2020 daemon.err modprobe: ah4 is already loaded
Mon Apr 27 16:23:52 2020 daemon.err modprobe: esp4 is already loaded
Mon Apr 27 16:23:52 2020 daemon.err modprobe: ipcomp is already loaded
Mon Apr 27 16:23:52 2020 daemon.err modprobe: xfrm4_tunnel is already loaded
Mon Apr 27 16:23:52 2020 daemon.err modprobe: xfrm_user is already loaded
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.1.38, armv7l)
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG]   loaded ca certificate "C=US, O=Technicolor, CN=CATechnicolor" from '/etc/ipsec.d/cacerts/caCert.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/serverKey_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG]   loaded EAP secret for remoteusername
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[CFG] loaded 0 RADIUS server configurations
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic dhcp
Mon Apr 27 16:23:52 2020 daemon.info charon: 00[JOB] spawning 16 worker threads
Mon Apr 27 16:23:52 2020 authpriv.info ipsec_starter[2396]: charon (2415) started after 60 ms
Mon Apr 27 16:23:52 2020 daemon.info charon: 05[CFG] received stroke: add connection 'rwEAPMSCHAPV2'
Mon Apr 27 16:23:52 2020 daemon.info charon: 05[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 05[CFG] added configuration 'rwEAPMSCHAPV2'
Mon Apr 27 16:23:52 2020 daemon.info charon: 07[CFG] received stroke: add connection 'rwPUBKEYIOS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 07[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 07[CFG] CA certificate "caCert.pem" not found, discarding CA constraint
Mon Apr 27 16:23:52 2020 daemon.info charon: 07[CFG] added configuration 'rwPUBKEYIOS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 09[CFG] received stroke: add connection 'rwEAPTLSIOS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 09[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 09[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 09[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mon Apr 27 16:23:52 2020 daemon.info charon: 09[CFG]   loading certificate from 'caCert.pem' failed
Mon Apr 27 16:23:52 2020 daemon.info charon: 09[CFG] added configuration 'rwEAPTLSIOS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG] received stroke: add connection 'rwPUBKEY'
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG]   loading certificate from 'caCert.pem' failed
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG] added configuration 'rwPUBKEY'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG] received stroke: add connection 'rwEAPTLS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG]   loading certificate from 'caCert.pem' failed
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG] added configuration 'rwEAPTLS'
There are some errors, maybe in the ipsec.conf configuration, too many instances?:
Code:
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG] received stroke: add connection 'rwPUBKEY'
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG]   loading certificate from 'caCert.pem' failed
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG] added configuration 'rwPUBKEY'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG] received stroke: add connection 'rwEAPTLS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG]   loaded certificate "C=US, O=Technicolor, CN=only.for.testing" from 'serverCert_only.for.testing.pem'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG]   loading certificate from 'caCert.pem' failed
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG] added configuration 'rwEAPTLS'

Can this be added to dhcp.conf?:
Code:
    # Derive user-defined MAC address from hash of IKE identity.
    # identity_lease = no
    identity_lease = yes
It should assign and release the same fake MAC to the same user/certificate every time, so it can be entered in the LAN DHCP and always be given the same address; it works, I have already tested it.

Then, how do I generate further certificates after the script, or add them into the script? :help:

FrancYescO, Reply #91, 27 April 2020, 17:51:
I guess because it wants the caCert for verification in the certs folder; I put a symlink there and added identity_lease.

For other clients, as also written in the script itself: change the line
Code:
CLIENTNAMES="myvpnclient1"
into something like
Code:
CLIENTNAMES="myvpnclient1 giuseppe peppino"

On the 788 on which I was making that mess there is a lovely postmortem when I try to connect; who knows what mess I am making:
Code:
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[CFG]   loaded EAP secret for remoteusername
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[CFG] sql plugin: database URI not set
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[CFG] loaded 0 RADIUS server configurations
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[CFG] HA config misses local/remote address
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[CFG] coupling file path unspecified
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl sqlite attr kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock u
Mon Apr 27 07:54:20 2020 daemon.info syslog: 00[JOB] spawning 16 worker threads
Mon Apr 27 07:54:20 2020 daemon.info syslog: 01[DMN] thread 1 received 11
Mon Apr 27 07:54:20 2020 daemon.info syslog: 08[DMN] thread 8 received 11
Mon Apr 27 07:54:20 2020 daemon.info syslog: 08[LIB] no support for capturing backtraces
Mon Apr 27 07:54:20 2020 daemon.info syslog: 08[DMN] killing ourself, received critical signal
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: charon (3420) started after 960 ms
Mon Apr 27 07:54:20 2020 user.notice postmortem: core dump for pid 3420 file charon.3420.6.1587992060.core ignored due to system.coredump.action setting
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: reading stroke response failed
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Mon Apr 27 07:54:20 2020 authpriv.info ipsec_starter[2963]: charon has died -- restart scheduled (5sec)
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, Linux 3.4.11-rt19, mips)
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] disabling load-tester plugin, not configured
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[LIB] failed to open /dev/net/tun: No such file or directory
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[KNL] failed to create TUN device
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] attr-sql plugin: database URI not set
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG]   loaded ca certificate "C=US, O=Technicolor, CN=CATechnicolor" from '/etc/ipsec.d/cacerts/caCert.pem'
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon Apr 27 07:54:25 2020 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'

LuKePicci (Global Moderator), Reply #92, 27 April 2020, 18:03:
Code:
opening '/etc/ipsec.d/certs/caCert.pem'
I don't know why it goes looking for it in there. On the old version I use, it takes it from cacerts.

I use identity_lease too; I never put it in the guide because for some setups it makes a mess, e.g. when the remote clients use their public IP as identity and there are several clients behind the same IP, or things like that; right now I don't remember exactly. I think that for the purpose this script serves it is worth enabling it and seeing whether anyone complains.

Always remember the modprobe fix indicated in the prerequisites.

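The cacerts-versus-certs lookup discussed in the two replies above (charon opens a bare file name under /etc/ipsec.d/certs while the guide's script installs the CA under cacerts) can be spotted mechanically. The following sh/awk helper is an added example written for this edit; it is not the guide's script and not code posted by FrancYescO or LuKePicci. It correlates charon's "add connection" and "loading certificate ... failed" lines by thread id (the NN in NN[CFG]), then checks which ipsec.d subdirectory actually holds the file. The log is a constructed sample condensed from the one quoted in reply #90, and the directory layout is a throwaway temp dir built to look like the guide's.

```shell
#!/bin/sh
# Added example, not from the thread or the guide's script: find which
# connections reference a certificate file charon could not open, and
# report where that file really lives under a given ipsec.d directory.

# Constructed sample, condensed from the charon log quoted in reply #90.
SAMPLE_LOG=$(cat <<'EOF'
Mon Apr 27 16:23:52 2020 daemon.info charon: 05[CFG] received stroke: add connection 'rwEAPMSCHAPV2'
Mon Apr 27 16:23:52 2020 daemon.info charon: 05[CFG] added configuration 'rwEAPMSCHAPV2'
Mon Apr 27 16:23:52 2020 daemon.info charon: 07[CFG] received stroke: add connection 'rwPUBKEYIOS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 07[CFG] CA certificate "caCert.pem" not found, discarding CA constraint
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG] received stroke: add connection 'rwPUBKEY'
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 11[CFG]   loading certificate from 'caCert.pem' failed
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG] received stroke: add connection 'rwEAPTLS'
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[LIB]   opening '/etc/ipsec.d/certs/caCert.pem' failed: No such file or directory
Mon Apr 27 16:23:52 2020 daemon.info charon: 13[CFG]   loading certificate from 'caCert.pem' failed
EOF
)

# cert_failures: read a charon log on stdin and print "<conn> <file>" for
# every "loading certificate from '<file>' failed" line, attributing it to
# the connection most recently added on the same charon thread.
cert_failures() {
    awk -v q="'" '
        {
            tid = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\[[A-Z]+\]$/) { tid = substr($i, 1, index($i, "[") - 1); break }
            if (tid == "") next
        }
        /received stroke: add connection / {
            split($0, p, q); conn[tid] = p[2]; next
        }
        /loading certificate from / && /failed$/ {
            split($0, p, q)
            c = (tid in conn) ? conn[tid] : "?"
            print c, p[2]
        }'
}

# locate_cert <ipsec.d dir> <file name>: print the subdirectories in which
# the file exists (symlinks are followed), so the admin can see whether a
# symlink into certs/ is what is missing.
locate_cert() {
    dir=$1; name=$2; found=""
    for sub in certs cacerts aacerts ocspcerts acerts private; do
        [ -e "$dir/$sub/$name" ] && found="$found $sub"
    done
    echo "${found# }"
}

# Demo on a throwaway directory laid out as the guide's script leaves it:
# the CA certificate is present only under cacerts/.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs" "$tmp/cacerts"
    : > "$tmp/cacerts/caCert.pem"
    printf '%s\n' "$SAMPLE_LOG" | cert_failures | while read -r conn file; do
        echo "$conn needs $file; present in: $(locate_cert "$tmp" "$file")"
    done
    rm -rf "$tmp"
}

demo
```

On a router you would feed the real log instead of the sample, e.g. `logread | cert_failures`, and pass `/etc/ipsec.d` to `locate_cert`; a file reported only under cacerts is the case FrancYescO resolved with a symlink into certs.
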
a1pollo, Reply #93, 28 April 2020, 09:57:
"Always remember the modprobe fix indicated in the prerequisites."

But what exactly does the fix do? Because I haven't noticed any changes; in fact the last time I set everything up again (in January) I forgot to do it, and everything still works.

larsen64it, Reply #94, 28 April 2020, 10:05:
I think he was referring to compilation; otherwise it uses insmod, which is not present on some firmwares.

LuKePicci (Global Moderator), Reply #95, 28 April 2020, 11:14:
In practice it should prevent the appearance of what look like errors in the log but actually are not: the ones about modprobe of modules that are already loaded.

larsen64it, Reply #96, 28 April 2020, 12:01:
I checked: in 5.6.3 there is the usual 201-kmodloader.patch, but here it seems absent or ignored.

LuKePicci (Global Moderator), Reply #97, 23 May 2020, 03:03:
Code:
[email protected]:/tmp# insmod bcmspu.ko && dmesg
[  301.979565] Creating CPU ring for queue number 2 with 256 packets descriptor=0xbef459f4, size_of_entry 16
[  301.979638] Done initializing Ring 2 Base=0xe0843000 End=0xe0844000 calculated entries= 256 RDD Base=c3f000K descriptor=0xbef459f4

[email protected]:~# lsmod | grep bcmspu
bcmspu                 19529  2
bdmf                 1231462 11 bcmspu,dhd,wfd,bcm_enet,pktrunner,bcmxtmrtdrv,bcm_spdsvc,rdpa_cmd,rdpa_mw,rdpa,rdpa_gpl
rdpa_gpl               15152 11 bcmspu,dhd,wfd,bcm_enet,pktrunner,bcm_ingqos,bcmxtmrtdrv,bcm_spdsvc,rdpa_cmd,rdpa_mw,rdpa

[email protected]:/tmp# ls /dev/spu*
/dev/spu0

[email protected]:/tmp# spuctl start

[email protected]:/tmp# cat /proc/crypto | grep -A 11 -B 2 bcmspu
name         : authenc(hmac(sha256),cbc(des))
driver       : authenc-hmac-sha256-cbc-des-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 32
geniv        : <built-in>

name         : authenc(hmac(sha256),cbc(des3_ede))
driver       : authenc-hmac-sha256-cbc-3des-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 32
geniv        : <built-in>

name         : authenc(hmac(sha256),cbc(aes))
driver       : authenc-hmac-sha256-cbc-aes-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 32
geniv        : <built-in>

name         : authenc(hmac(md5),cbc(des))
driver       : authenc-hmac-md5-cbc-des-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 16
geniv        : <built-in>

name         : authenc(hmac(md5),cbc(des3_ede))
driver       : authenc-hmac-md5-cbc-3des-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 16
geniv        : <built-in>

name         : authenc(hmac(md5),cbc(aes))
driver       : authenc-hmac-md5-cbc-aes-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 16
geniv        : <built-in>

name         : authenc(hmac(sha1),cbc(des))
driver       : authenc-hmac-sha1-cbc-des-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 20
geniv        : <built-in>

name         : authenc(hmac(sha1),cbc(des3_ede))
driver       : authenc-hmac-sha1-cbc-3des-spu
module       : bcmspu
priority     : 3000
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 8
ivsize       : 8
maxauthsize  : 20
geniv        : <built-in>

name         : authenc(hmac(sha1),cbc(aes))
driver       : authenc-hmac-sha1-cbc-aes-spu
module       : bcmspu
priority     : 3000
refcnt       : 3
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 16
ivsize       : 16
maxauthsize  : 20
geniv        : <built-in>

[email protected]:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.1.38, armv7l):
  uptime: 32 minutes, since May 23 02:26:31 2020
  malloc: sbrk 753664, mmap 0, used 312176, free 441488
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  192.168.43.254
...
Connections:
roadwarriorPUBKEY:  %any...%any  IKEv2
...
roadwarriorPUBKEY:   remote: uses public key authentication
roadwarriorPUBKEY:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL
roadwarriorEAPTLS:  %any...%any  IKEv2
...
roadwarriorEAPTLS:   remote: uses EAP_TLS authentication with EAP identity '%any'
roadwarriorEAPTLS:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
...
roadwarriorEAPTLS[4]: IKEv2 SPIs: d903e4c411b5be67_i b7e8ca32f4ff6d94_r*, public key reauthentication in 2 hours
roadwarriorEAPTLS[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
roadwarriorEAPTLS{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cd60e89d_i 8bd7bc53_o
roadwarriorEAPTLS{1}:  AES_CBC_256/HMAC_SHA1_96, 271600951 bytes_i (254572 pkts, 37s ago), 156956715 bytes_o (177812 pkts, 37s ago), rekeying in 16 minutes
roadwarriorEAPTLS{1}:   0.0.0.0/0 ::/0 === 192.168.43.181/32

[email protected]:~# spuctl showstats
Encryption stats
     Ingress 177811
     Fallback 0
     Egress 175526
     Error 0
     Dropped 2285
Decryption stats
     Ingress 256429
     Fallback 0
     Egress 254571
     Error 0
     Dropped 1858

40 Mbit/s -> 100 Mbit/s  8)

https://www.speedtest.net/my-result/a/6100173352
« Last edit: 23 May 2020, 03:20 by LuKePicci »

a1pollo, Reply #98, 23 May 2020, 07:54:
 :clap:

But where did you pull that driver out from?
I thought that all the "crypto" drivers were not compiled for the SPU!

You absolutely have to share it! O:-)

LuKePicci (Global Moderator), Reply #99, 23 May 2020, 10:07:
On the old 3.4 it is indeed like that, but as I said here, on 4.1 that driver is enabled as a module, even though it is missing.

I need to fix something else in the buildroot; when it spits out a properly built package I will send it to you.

LuKePicci (Global Moderator), Reply #100, Yesterday at 20:44:
Give it a try, but watch out: with HMAC_SHA2_256_128 as the HMAC for ESP it does not work, even though it is apparently supported.
Run an ipsec statusall while your current client is connected to check the ESP ciphersuite in use (it is the last one shown on the second-to-last line, not the IKE one two lines higher) before installing the package. If you see that for ESP it is using HMAC_SHA256_128, downgrade to HMAC_SHA1_96 (which is the default on Windows 10), like here:

Code:
roadwarriorPUBKEY[15]: IKEv2 SPIs: 1049a22142fd11fb_i 0383621c775e34f3_r*, public key reauthentication in 2 hours
roadwarriorPUBKEY[15]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
roadwarriorPUBKEY{620}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: c029f52a_i 5ff297e4_o
roadwarriorPUBKEY{620}:  AES_CBC_256/HMAC_SHA1_96, 2241665 bytes_i (9593 pkts, 0s ago), 10279421 bytes_o (10322 pkts, 0s ago), rekeying in 30 minutes
roadwarriorPUBKEY{620}:   0.0.0.0/0 ::/0 === 192.168.43.192/32

https://anonfiles.com/N8iecc3fo4/kmod-bcm63xx-tch-spu_4.1.38-1_brcm63xx-tch_ipk

PS: once the package is installed the module loads automatically and you can see it in lsmod | grep bcmspu
To start the engine you need to run spuctl start. If you want it to start automatically, create a file /etc/config/hardwarecrypto and fill it in like this:
Code:
config hardwarecrypto 'global'
        option enable '1'
« Last edit: Yesterday at 20:49 by LuKePicci »

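The pre-installation check described in the reply above (look at the ESP line of `ipsec statusall`, not the IKE proposal line, and make sure the integrity algorithm is not HMAC_SHA2_256_128) is easy to get wrong by eye when several clients are connected. The sh/awk helper below is an added example written for this edit; it is not part of LuKePicci's package or post. It extracts the ESP suite of every installed CHILD_SA and flags the ones the accelerator cannot handle. The sample output is constructed: it reuses the statusall lines quoted in this thread and adds one invented EAPTLS CHILD_SA with HMAC_SHA2_256_128 integrity to show the flagged case.

```shell
#!/bin/sh
# Added example, not from the thread: parse "ipsec statusall" output and
# report the ESP cipher/integrity pair of each installed CHILD_SA, flagging
# HMAC_SHA2_256_128, which the post above says bcmspu does not handle for ESP.

# Constructed sample: statusall lines from the thread plus one invented
# CHILD_SA (roadwarriorEAPTLS{621}) negotiated with HMAC_SHA2_256_128.
SAMPLE_STATUS='roadwarriorPUBKEY[15]: IKEv2 SPIs: 1049a22142fd11fb_i 0383621c775e34f3_r*, public key reauthentication in 2 hours
roadwarriorPUBKEY[15]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
roadwarriorPUBKEY{620}:  INSTALLED, TUNNEL, reqid 7, ESP SPIs: c029f52a_i 5ff297e4_o
roadwarriorPUBKEY{620}:  AES_CBC_256/HMAC_SHA1_96, 2241665 bytes_i (9593 pkts, 0s ago), 10279421 bytes_o (10322 pkts, 0s ago), rekeying in 30 minutes
roadwarriorPUBKEY{620}:   0.0.0.0/0 ::/0 === 192.168.43.192/32
roadwarriorEAPTLS{621}:  INSTALLED, TUNNEL, reqid 8, ESP in UDP SPIs: aaaa0001_i bbbb0002_o
roadwarriorEAPTLS{621}:  AES_CBC_128/HMAC_SHA2_256_128, 100 bytes_i (1 pkts, 0s ago), 100 bytes_o (1 pkts, 0s ago), rekeying in 30 minutes
roadwarriorEAPTLS{621}:   0.0.0.0/0 ::/0 === 192.168.43.193/32'

# esp_suites: read statusall output on stdin, print "<conn>{<id>} <suite>"
# for each CHILD_SA. IKE_SA lines use [n] and carry "IKE proposal", so the
# {n} bracket plus the "bytes_i" traffic counter selects the ESP line only.
esp_suites() {
    awk '
        /^[A-Za-z0-9_-]+[{][0-9]+[}]:/ && /bytes_i/ {
            sa = $1; sub(/:$/, "", sa)
            suite = $2; sub(/,$/, "", suite)
            print sa, suite
        }'
}

# spu_incompatible: print the CHILD_SAs whose ESP integrity is
# HMAC_SHA2_256_128 and exit 0 if there is at least one, exit 1 otherwise.
spu_incompatible() {
    esp_suites | awk '
        index($2, "HMAC_SHA2_256_128") { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Real usage on the router:   ipsec statusall | spu_incompatible
# Here the functions run on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | esp_suites
if printf '%s\n' "$SAMPLE_STATUS" | spu_incompatible; then
    echo "downgrade ESP integrity to HMAC_SHA1_96 before loading bcmspu"
fi
```

The check deliberately looks only at CHILD_SA lines: the IKE proposal may legitimately use HMAC_SHA2_256_128, since the post only reports the ESP path as broken on the accelerator.
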
a1pollo, Reply #101, Yesterday at 22:47:
OK, it works, the speed varies from 80 to 95 Mbps on a Windows PC, excellent!!
I checked with htop while it was running the speedtest and both cores go flat out (before the installation only 1 core was working).
Thanks LuKe, you have hit another bullseye! :clap:
I don't know whether you have seen @Marvel's feeds :clap: he compiled strongswan with the -full package; now "opkg install strongswan-full" installs all the packages, tested and it works (there are extra packages)

Code:
roadwarriorPUBKEY[61]: IKEv2 SPIs: 66025d9083c0d280_i 4974a258c0b2cc26_r*, public key reauthentication in 2 hours
roadwarriorPUBKEY[61]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
roadwarriorPUBKEY{62}:  INSTALLED, TUNNEL, reqid 34, ESP SPIs: c5fa17d8_i f34100d6_o
roadwarriorPUBKEY{62}:  AES_CBC_256/HMAC_SHA1_96, 40125139 bytes_i (32803 pkts, 0s ago), 3364435 bytes_o (22463 pkts, 0s ago), rekeying in 22 minutes
roadwarriorPUBKEY{62}:   0.0.0.0/0 ::/0 === 192.168.1.100/32

LuKePicci (Global Moderator), Reply #102, Yesterday at 23:37:
I have made some progress on the default ciphersuites to use in the strongswan configs. You will find them on the OpenWrt wiki page. Now PFS is optional and decided by the client, and aes128 is preferred over aes256 in ESP. The only snag left is that on this accelerator hmac sha2_256_128 does not work, so compared to the guide here we have to keep hmac sha1_96 in the ESP suite as well.

In aes128, when downloading, it even reaches 125 megabit
Code:
Connecting to host 192.168.43.254, port 5201
[  4] local 192.168.199.169 port 41884 connected to 192.168.43.254 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  9.77 MBytes  82.0 Mbits/sec   17   93.5 KBytes
[  4]   1.00-2.00   sec  12.0 MBytes   101 Mbits/sec    0    158 KBytes
[  4]   2.00-3.00   sec  13.4 MBytes   112 Mbits/sec   13    166 KBytes
[  4]   3.00-4.00   sec  15.0 MBytes   126 Mbits/sec   21    161 KBytes
[  4]   4.00-5.00   sec  12.0 MBytes   101 Mbits/sec   31   85.6 KBytes
[  4]   5.00-6.00   sec  13.0 MBytes   109 Mbits/sec    0    159 KBytes
[  4]   6.00-7.00   sec  11.2 MBytes  93.8 Mbits/sec   24    132 KBytes
[  4]   7.00-8.00   sec  12.9 MBytes   108 Mbits/sec   41   92.1 KBytes
[  4]   8.00-9.00   sec  12.6 MBytes   106 Mbits/sec    0    161 KBytes
[  4]   9.00-10.00  sec  12.0 MBytes   101 Mbits/sec   25    103 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   124 MBytes   104 Mbits/sec  172             sender
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  receiver

iperf Done.
« Last edit: Today at 01:13 by LuKePicci »

FrancYescO, Reply #103, Today at 11:57:
@LuKePicci but it should work as-is on the TIM DGAs too, shouldn't it? Have you ever explored whether wireguard could bring further advantages (currently I think the one compiled by ansuel crashes the modem when the module loads)?