docker's People

Contributors

strongx509


docker's Issues

A question about certificate generation

Excuse me, when I try to generate some certificates using the /scripts/gen_certs.sh script, I am able to get the key and certificate files, but the terminal prints the following message:

plugin 'plugins:': failed to load - plugins:_plugin_create not found and no plugin file available

Is this normal? If not, how do I solve it? I look forward to your reply, thanks!

Bug with CHILD_SA net{1} selected proposal

Why is the selected proposal for the CHILD_SA 1 (net) the following?

04[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
04[IKE] CHILD_SA net{1} established with SPIs cd5c1aef_i cb0c1fd9_o and TS 10.3.0.1/32 === 10.1.0.0/24

The rekeying of the first Child SA fixes this:
12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/CURVE_25519/NO_EXT_SEQ/KE1_KYBER_L3/KE2_BIKE_L3/KE3_HQC_L3

Again, the proposal from Carol is:
net {
remote_ts = 10.1.0.0/16
esp_proposals = aes256-sha256-x25519-ke1_kyber3-ke2_bike3-ke3_hqc3
rekey_time = 20m
}

Compatibility issues with iOS

I noticed issues using your sample setup when attempting to connect an iOS client to the vpn-server.

I used your Docker-compose file with the following modifications:

services:
  vpn-server:
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    command: /charon

and was able to connect with the Android strongSwan client using the EAP setup for jane, with the Docker host as the strongSwan server, after importing caCert.pem into the client.

The Docker host is a Mac mini M1. I built the strongswan:5.9.10 image from the Dockerfile you provided, as there is only an amd64 image on Docker Hub.

However, using the same credentials on iOS for an IKEv2 VPN connection with the built-in VPN stack does not connect.

The first thing I needed to do was to remove all the server proposals from the server configuration file, as iOS IKEv2 does not support Curve25519.

It changed the server log, but not the outcome: iOS doesn't connect. This is what I see in the charon server log:

12[NET] received packet: from 192.168.0.1[36785] to 192.168.0.2[500] (604 bytes)
2023-05-10T16:37:18.546651552Z 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2023-05-10T16:37:18.548211510Z 12[IKE] 192.168.0.1 is initiating an IKE_SA
2023-05-10T16:37:18.550500510Z 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-05-10T16:37:18.559234677Z 12[IKE] local host is behind NAT, sending keep alives
2023-05-10T16:37:18.559674135Z 12[IKE] remote host is behind NAT
2023-05-10T16:37:18.561551635Z 12[IKE] sending cert request for "C=CH, O=Cyber, CN=Cyber Root CA"
2023-05-10T16:37:18.562556677Z 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2023-05-10T16:37:18.562691468Z 12[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[36785] (481 bytes)
2023-05-10T16:37:18.590461135Z 10[NET] received packet: from 192.168.0.1[34243] to 192.168.0.2[4500] (512 bytes)
2023-05-10T16:37:18.607463593Z 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2023-05-10T16:37:18.607518718Z 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2023-05-10T16:37:18.607526677Z 10[CFG] looking for peer configs matching 192.168.0.2[server.strongswan.org]...192.168.0.1[192.168.178.65]
2023-05-10T16:37:18.607529260Z 10[CFG] selected peer config 'rw'
2023-05-10T16:37:18.607531843Z 10[IKE] peer requested EAP, config unacceptable
2023-05-10T16:37:18.607572302Z 10[CFG] switching to peer config 'psk'
2023-05-10T16:37:18.607617468Z 10[IKE] peer requested EAP, config unacceptable
2023-05-10T16:37:18.607804510Z 10[CFG] switching to peer config 'eap'
2023-05-10T16:37:18.608085135Z 10[IKE] initiating EAP_IDENTITY method (id 0x00)
2023-05-10T16:37:18.608100218Z 10[IKE] peer supports MOBIKE
2023-05-10T16:37:18.608104385Z 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2023-05-10T16:37:18.609484843Z 10[IKE] authentication of 'server.strongswan.org' (myself) with ECDSA-384 signature successful
2023-05-10T16:37:18.609494343Z 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2023-05-10T16:37:18.609517635Z 10[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[34243] (208 bytes)
2023-05-10T16:37:18.647225135Z 11[NET] received packet: from 192.168.0.1[36785] to 192.168.0.2[500] (604 bytes)
2023-05-10T16:37:18.647365635Z 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2023-05-10T16:37:18.647376510Z 11[IKE] 192.168.0.1 is initiating an IKE_SA
2023-05-10T16:37:18.647379343Z 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-05-10T16:37:18.649942760Z 11[IKE] local host is behind NAT, sending keep alives
2023-05-10T16:37:18.649978135Z 11[IKE] remote host is behind NAT
2023-05-10T16:37:18.649983885Z 11[IKE] sending cert request for "C=CH, O=Cyber, CN=Cyber Root CA"
2023-05-10T16:37:18.650095885Z 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2023-05-10T16:37:18.650147177Z 11[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[36785] (481 bytes)
2023-05-10T16:37:18.671030177Z 04[NET] received packet: from 192.168.0.1[34243] to 192.168.0.2[4500] (512 bytes)
2023-05-10T16:37:18.675534677Z 04[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2023-05-10T16:37:18.675565885Z 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2023-05-10T16:37:18.675807135Z 04[CFG] looking for peer configs matching 192.168.0.2[server.strongswan.org]...192.168.0.1[192.168.178.65]
2023-05-10T16:37:18.675958427Z 04[CFG] selected peer config 'rw'
2023-05-10T16:37:18.676040052Z 04[IKE] peer requested EAP, config unacceptable
2023-05-10T16:37:18.676054135Z 04[CFG] switching to peer config 'psk'
2023-05-10T16:37:18.676098010Z 04[IKE] peer requested EAP, config unacceptable
2023-05-10T16:37:18.676107093Z 04[CFG] switching to peer config 'eap'
2023-05-10T16:37:18.676130552Z 04[IKE] initiating EAP_IDENTITY method (id 0x00)
2023-05-10T16:37:18.676165718Z 04[IKE] peer supports MOBIKE
2023-05-10T16:37:18.676173510Z 04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2023-05-10T16:37:18.676676802Z 04[IKE] authentication of 'server.strongswan.org' (myself) with ECDSA-384 signature successful
2023-05-10T16:37:18.676746552Z 04[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
2023-05-10T16:37:18.676751677Z 04[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[34243] (208 bytes)
12[IKE] sending keep alive to 192.168.0.1[34243]
2023-05-10T16:40:04.542322628Z 10[IKE] sending keep alive to 192.168.0.1[34243]
2023-05-10T16:40:14.485466383Z 11[JOB] deleting half open IKE_SA with 192.168.0.1 after timeout
2023-05-10T16:40:14.542242841Z 04[JOB] deleting half open IKE_SA with 192.168.0.1 after timeout

with charon obviously believing everything is fine so far. But it isn't, as iOS fails IKE_AUTH with the following error message in the console log:

[IKE_AUTH R resp1 41B3D8345D768F97-3507BD311A29426C] Initiator packet authentication method 
    Payload Type = Auth
    Authentication Protocol = ECDSA384
    Authentication Data = {length = 96, bytes = 0x2b518e94 396c3e64 30cd6138 36b5f633 ... 2048de42 a5fba569 } does not match proposal RSASignature

Using a PSK setup, this time for [email protected], things aren't better:

06[NET] received packet: from 192.168.0.1[46115] to 192.168.0.2[500] (604 bytes)
2023-05-10T16:44:41.446711131Z 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2023-05-10T16:44:41.446804715Z 06[IKE] 192.168.0.1 is initiating an IKE_SA
2023-05-10T16:44:41.447076256Z 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-05-10T16:44:41.455897507Z 06[IKE] local host is behind NAT, sending keep alives
2023-05-10T16:44:41.456139965Z 06[IKE] remote host is behind NAT
2023-05-10T16:44:41.457515090Z 06[IKE] sending cert request for "C=CH, O=Cyber, CN=Cyber Root CA"
2023-05-10T16:44:41.457671048Z 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2023-05-10T16:44:41.457681882Z 06[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[46115] (481 bytes)
2023-05-10T16:44:41.499648673Z 16[NET] received packet: from 192.168.0.1[56226] to 192.168.0.2[4500] (532 bytes)
2023-05-10T16:44:41.506007923Z 16[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
2023-05-10T16:44:41.506045215Z 16[ENC] received fragment #1 of 2, waiting for complete IKE message
2023-05-10T16:44:41.506049007Z 08[NET] received packet: from 192.168.0.1[56226] to 192.168.0.2[4500] (116 bytes)
2023-05-10T16:44:41.506051382Z 08[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
2023-05-10T16:44:41.506053382Z 08[ENC] received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
2023-05-10T16:44:41.506091882Z 08[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2023-05-10T16:44:41.506363423Z 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2023-05-10T16:44:41.506376798Z 08[CFG] looking for peer configs matching 192.168.0.2[server.strongswan.org]...192.168.0.1[[email protected]]
2023-05-10T16:44:41.506379840Z 08[CFG] selected peer config 'rw'
2023-05-10T16:44:41.506542632Z 08[IKE] tried 1 shared key for 'server.strongswan.org' - '[email protected]', but MAC mismatched
2023-05-10T16:44:41.506553048Z 08[IKE] peer supports MOBIKE
2023-05-10T16:44:41.506556590Z 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2023-05-10T16:44:41.506558882Z 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2023-05-10T16:44:41.506728423Z 08[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[56226] (80 bytes)
2023-05-10T16:44:41.538636465Z 13[NET] received packet: from 192.168.0.1[46115] to 192.168.0.2[500] (604 bytes)
2023-05-10T16:44:41.538945340Z 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2023-05-10T16:44:41.539221590Z 13[IKE] 192.168.0.1 is initiating an IKE_SA
2023-05-10T16:44:41.539622090Z 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-05-10T16:44:41.544329840Z 13[IKE] local host is behind NAT, sending keep alives
2023-05-10T16:44:41.544370173Z 13[IKE] remote host is behind NAT
2023-05-10T16:44:41.544410298Z 13[IKE] sending cert request for "C=CH, O=Cyber, CN=Cyber Root CA"
2023-05-10T16:44:41.544577465Z 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2023-05-10T16:44:41.544608007Z 13[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[46115] (481 bytes)
2023-05-10T16:44:41.564534423Z 09[NET] received packet: from 192.168.0.1[56226] to 192.168.0.2[4500] (532 bytes)
2023-05-10T16:44:41.572366465Z 09[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
2023-05-10T16:44:41.572392840Z 09[ENC] received fragment #1 of 2, waiting for complete IKE message
2023-05-10T16:44:41.572624507Z 15[NET] received packet: from 192.168.0.1[56226] to 192.168.0.2[4500] (116 bytes)
2023-05-10T16:44:41.572656840Z 15[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
2023-05-10T16:44:41.572794882Z 15[ENC] received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
2023-05-10T16:44:41.572807757Z 15[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2023-05-10T16:44:41.573112632Z 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2023-05-10T16:44:41.573130548Z 15[CFG] looking for peer configs matching 192.168.0.2[server.strongswan.org]...192.168.0.1[[email protected]]
2023-05-10T16:44:41.573135965Z 15[CFG] selected peer config 'rw'
2023-05-10T16:44:41.573140257Z 15[IKE] tried 1 shared key for 'server.strongswan.org' - '[email protected]', but MAC mismatched
2023-05-10T16:44:41.573144465Z 15[IKE] peer supports MOBIKE
2023-05-10T16:44:41.573148257Z 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2023-05-10T16:44:41.573152132Z 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2023-05-10T16:44:41.573166548Z 15[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[56226] (80 bytes)

iOS console:

[IKE_AUTH R resp1 FB08308C2E619307-B7724B5BF4ED8941] Initiator auth received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=24 "AuthenticationFailed" UserInfo={NSDebugDescription=AuthenticationFailed}

Are there issues with the config files for the docker container, or is this an issue with strongSwan itself? Maybe I should hop over to the strongSwan repo and file the issue there?
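The two charon logs above tell the same story from the responder's side: in the EAP attempt the server answers IKE_AUTH (authenticating itself with an ECDSA-384 signature) and then only sees keep-alives until the half-open IKE_SA times out, while in the PSK attempt it rejects the peer outright with AUTH_FAILED after a MAC mismatch. The script below is an added example, not code from the strongx509/docker repository or from the issue author; it parses charon log lines of the format pasted above (timestamp optional, then `thread[SUBSYSTEM] message`) and reduces one client's attempt to a short summary with a verdict. The sample log lines are constructed from the lines shown in the issue, with the client identity replaced by a placeholder; the verdict wording is the example's own.

```python
import re

# Constructed sample, abridged from the EAP attempt in the issue above.
# Some lines deliberately lack a timestamp, as in the pasted output.
EAP_ATTEMPT_LOG = """\
12[NET] received packet: from 192.168.0.1[36785] to 192.168.0.2[500] (604 bytes)
2023-05-10T16:37:18.548211510Z 12[IKE] 192.168.0.1 is initiating an IKE_SA
2023-05-10T16:37:18.550500510Z 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2023-05-10T16:37:18.607529260Z 10[CFG] selected peer config 'rw'
2023-05-10T16:37:18.607531843Z 10[IKE] peer requested EAP, config unacceptable
2023-05-10T16:37:18.607572302Z 10[CFG] switching to peer config 'psk'
2023-05-10T16:37:18.607617468Z 10[IKE] peer requested EAP, config unacceptable
2023-05-10T16:37:18.607804510Z 10[CFG] switching to peer config 'eap'
2023-05-10T16:37:18.608085135Z 10[IKE] initiating EAP_IDENTITY method (id 0x00)
2023-05-10T16:37:18.609484843Z 10[IKE] authentication of 'server.strongswan.org' (myself) with ECDSA-384 signature successful
2023-05-10T16:37:18.609494343Z 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
12[IKE] sending keep alive to 192.168.0.1[34243]
2023-05-10T16:40:14.485466383Z 11[JOB] deleting half open IKE_SA with 192.168.0.1 after timeout
"""

# Constructed sample, abridged from the PSK attempt; '<client-id>' is a placeholder.
PSK_ATTEMPT_LOG = """\
2023-05-10T16:44:41.539221590Z 13[IKE] 192.168.0.1 is initiating an IKE_SA
2023-05-10T16:44:41.506379840Z 08[CFG] selected peer config 'rw'
2023-05-10T16:44:41.506542632Z 08[IKE] tried 1 shared key for 'server.strongswan.org' - '<client-id>', but MAC mismatched
2023-05-10T16:44:41.506558882Z 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Optional RFC 3339 timestamp, worker thread id, subsystem tag, free-text message.
LINE_RE = re.compile(r"^(?:(?P<ts>\S+Z)\s+)?(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")


def parse_line(line):
    """Split one charon log line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def verdict(s):
    """Turn the collected facts into a one-line responder-side verdict."""
    if s["child_sa_established"]:
        return "established"
    if s["auth_failed"]:
        return f"responder rejected IKE_AUTH: {s['auth_failed']}"
    if s["ike_auth_responses"] and s["half_open_timeouts"]:
        how = f" using {s['server_auth']}" if s["server_auth"] else ""
        return ("responder answered IKE_AUTH" + how + " but the initiator never continued; "
                "compare the server's authentication method with what the client expects")
    return "incomplete"


def triage(log_text):
    """Summarise one client's IKEv2 attempt as seen by the charon responder."""
    s = {
        "ike_proposal": None,       # IKE proposal charon selected
        "peer_configs": [],         # peer configs tried, in order
        "server_auth": None,        # signature type the server authenticated with
        "eap_started": False,
        "ike_auth_responses": 0,
        "auth_failed": None,        # why the server rejected the peer, if it did
        "child_sa_established": False,
        "half_open_timeouts": 0,
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("selected proposal: IKE:"):
            s["ike_proposal"] = msg.split("selected proposal: ", 1)[1]
        elif m := re.match(r"(?:selected|switching to) peer config '([^']+)'", msg):
            s["peer_configs"].append(m.group(1))
        elif m := re.search(r"\(myself\) with (\S+) signature successful", msg):
            s["server_auth"] = m.group(1)
        elif msg.startswith("initiating EAP_"):
            s["eap_started"] = True
        elif "but MAC mismatched" in msg:
            s["auth_failed"] = "shared key (PSK) mismatch"
        elif msg.startswith("generating IKE_AUTH response"):
            s["ike_auth_responses"] += 1
            if "N(AUTH_FAILED)" in msg and s["auth_failed"] is None:
                s["auth_failed"] = "AUTH_FAILED"
        elif re.search(r"CHILD_SA \S+ established", msg):
            s["child_sa_established"] = True
        elif "deleting half open IKE_SA" in msg:
            s["half_open_timeouts"] += 1
    s["verdict"] = verdict(s)
    return s


if __name__ == "__main__":
    for name, log in (("EAP", EAP_ATTEMPT_LOG), ("PSK", PSK_ATTEMPT_LOG)):
        summary = triage(log)
        print(f"{name}: configs={summary['peer_configs']} auth={summary['server_auth']} -> {summary['verdict']}")
```

The useful distinction for triage is between the two failure shapes: an AUTH_FAILED notify means the responder itself rejected the peer (here, a PSK that does not match), whereas an IKE_AUTH response followed only by keep-alives and a half-open timeout means the responder was satisfied and the initiator walked away, which is where a client-side log (such as the iOS console message about the expected signature type) has to be consulted.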

Unable to start the charon

Hello, when I follow the README step by step to set up strongSwan, the following problem occurs when I enter the docker container and execute ./charon.
Any advice for solving this problem? Thanks.

00[DMN] Starting IKE charon daemon (strongSwan 6.0dr10, Linux 3.10.0-1127.18.2.el7.x86_64, x86_64)
00[LIB] loaded plugins: charon random nonce x509 constraints pubkey pkcs1 pkcs8 pkcs12 pem openssl frodo oqs drbg kernel-netlink resolve socket-default vici updown
00[JOB] spawning 16 worker threads
00[DMN] executing start script 'creds' (swanctl --load-creds)
13[CFG] loaded certificate 'C=CH, O=Cyber, CN=[email protected]'
05[DMN] thread 5 received 4
05[LIB] dumping 2 stack frame addresses:
05[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f7e06253000 [0x7f7e062683c0]
sh: 1: addr2line: not found
05[LIB] ->
05[LIB] /lib/liboqs.so.0 @ 0x7f7e04e49000 (KeccakP1600_Initialize+0x0) [0x7f7e057d4640]
sh: 1: addr2line: not found
05[LIB] ->
dumping 2 stack frame addresses:
/lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f7e06253000 [0x7f7e062683c0]
sh: 1: addr2line: not found
->
/lib/liboqs.so.0 @ 0x7f7e04e49000 (KeccakP1600_Initialize+0x0) [0x7f7e057d4640]
sh: 1: addr2line: not found
->
05[DMN] killing ourself, received critical signal
Aborted (core dumped)

netlink error: Protocol not supported (93)

Hi,

I'm running the strongx509/strongswan image on Windows Subsystem for Linux (WSL) (Ubuntu 20.04). When configuring a connection using ESP in transport mode, everything worked fine. IKE_SA and CHILD_SA were successfully created, and traffic was protected using ESP.

children {
   psk {
      remote_ts = 192.168.0.3/32
      local_ts = 192.168.0.2/32
      esp_proposals = aes128gcm16
      dpd_action = trap
      mode = transport
   }
}

However, when I change from ESP to AH (i.e. replacing "esp_proposals = aes128gcm16" with "ah_proposals = sha256"), I get an error when trying to create the CHILD_SA.

9[ENC] parsed CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
09[CFG] selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ
09[KNL] received netlink error: Protocol not supported (93)
09[KNL] unable to add SAD entry with SPI c473461b (FAILED)
09[KNL] received netlink error: Protocol not supported (93)
09[KNL] unable to add SAD entry with SPI cd62469f (FAILED)
09[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
09[IKE] failed to establish CHILD_SA, keeping IKE_SA
09[KNL] deleting policy 10.3.0.1/32 === 10.1.0.0/24 in failed, not found
09[KNL] deleting policy 10.3.0.1/32 === 10.1.0.0/24 fwd failed, not found
09[ENC] generating CREATE_CHILD_SA response 2 [ N(NO_PROP) ]

Any idea what the problem can be?

Thankful for help,
Mårten

Unable to create netlink socket: Protocol not supported (93)

Hi there! I tried to run the docker script for pq-strongswan and spin up the moon container. However, after attaching to it and running ./charon, I see the following error:

00[DMN] Starting IKE charon daemon (strongSwan 6.0dr13, Linux 5.10.76-linuxkit, x86_64)
00[KNL] unable to create netlink socket: Protocol not supported (93)
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] netlink write error: Operation not supported
00[KNL] unable to create IPv4 routing table rule
00[KNL] netlink write error: Operation not supported
00[KNL] unable to create IPv6 routing table rule
00[LIB] failed to load 1 critical plugin feature
00[DMN] initialization failed - aborting charon
00[KNL] netlink write error: Operation not supported
00[KNL] netlink write error: Operation not supported

The interesting thing is that I'm using an Apple Silicon Mac and I have this issue. When I switch to an Intel Mac, the exact same docker container runs just fine without complaining about this line. I'm wondering what might be wrong here...
