Issue #744

I 'won' Strongswan 5.1.2, now Win XP works with l2tp/cert, Win7 works with l2tp/cert, ikev2/machine, ikev2/eap-mschapv2 with the same certificate!

Added by Alex Brew almost 11 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Category:
-
Affected version:
Resolution:

Description

Finally, I got Win XP/7 working as l2tp/cert, ikev2/machine, ikev2/eap-mschapv2 and Android 4.4.x as l2tp/cert with the same certificate on Strongswan 5.1.2 on Ubuntu 14.04.
Windows clients are behind NAT.

I think that the Win XP/7 l2tp/cert, Win 7 ikev2/machine and ikev2/eap-mschapv2 examples need to be revised.
There are at least two important points connected with Windows client workability that should be considered.

So, the 1st half of the 2nd requirement for certificates used with Windows 7, namely 'The hostname of the VPN gateway entered in the clients connection properties MUST be contained either in the subjectDistinguishedName (CN value) of the server certificate', must NOT be met in my case.

I got Windows connections working with a certificate without any domain name at all in the CN field of the server certificate; I put some info line there, for example CN=Server certificate.

So, is it possible to get a ppp+ interface after an ikev2 connection is established and to remove it after it goes down, as with l2tp/psk or cert behaviour?


Related issues

Related to Issue #714: Win 7 clients are not able to establish connection (l2tp/ipsec-cert, ikev2-machine_cert, ikev2-eap_mschapv2) Closed 24.09.2014
Related to Issue #715: Win XP client behind NAT can not connect to Strongswan, but can connect to SoftEther (l2tp/psk) ! Closed 24.09.2014

History

#1 Updated by Tobias Brunner almost 11 years ago

  • Tracker changed from Feature to Issue
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

Finally, I got Win XP/7 working as l2tp/cert, ikev2/machine, ikev2/eap-mschapv2 and Android 4.4.x as l2tp/cert with the same certificate on Strongswan 5.1.2 on Ubuntu 14.04.

Ok, can we close the other tickets you opened then?

So, the 1st half of the 2nd requirement for certificates used with Windows 7, namely 'The hostname of the VPN gateway entered in the clients connection properties MUST be contained either in the subjectDistinguishedName (CN value) of the server certificate', must NOT be met in my case.

As written there, it either has to be contained in the subject DN or in a subjectAltName extension. So if you added the hostname as subjectAltName you can write whatever you like in the subject DN.

So, is it possible to get a ppp+ interface after an ikev2 connection is established and to remove it after it goes down, as with l2tp/psk or cert behaviour?

IPsec tunnels on Linux do not create/require additional interfaces. IPsec processing is directly integrated into the network stack (you can see the SAs and policies with ip xfrm state and ip xfrm policy).

#2 Updated by Alex Brew almost 11 years ago

Ok, can we close the other tickets you opened then?

Yes. Please be so kind.

As written there, it either has to be contained in the subject DN or in a subjectAltName extension. So if you added the hostname as subjectAltName you can write whatever you like in the subject DN.

Important addition: if the client uses an IP, not a domain name, the IP has to be in the DNS field!
Regarding such a value (mentioned just above) sited in the DN, meaning CN=server IP without SAN DNS=IP: as I remember, I explored it and didn't get a working result at that iteration; instead I got error 13801. From that I concluded that only one variant works, and it has to meet 2 conditions (with the server IP in the client connection properties):
- SAN DNS must be present anyway;
- SAN DNS must = server IP; SAN IP=server IP alone is not enough in this case;
or error 13801 waits for you, not 13806!
But you can additionally check whether CN=IP without SAN DNS=IP will be enough or not for a server IP at the client side.

IPsec tunnels on Linux do not create/require additional interfaces. IPsec processing is directly integrated into the network stack (you can see the SAs and policies with ip xfrm state and ip xfrm policy).

So, can you help me to organize the following net configuration with ikev2, which works perfectly with ppp interfaces:
- vpn server IP is 192.168.0.254;
- lan IPs 192.168.0.1-199, 192.168.0.216-254;
- vpn clients get vpn IPs from 192.168.0.200-215 as ran (remote access network);
- full proxy arping between lan and ran;
- full broadcast relay between lan and ran;
so that ran is transparent for lan and vice versa, that is, actually lan+ran=lan, one lan.
- important thing: an independent interface, not wan, not lan, which could be used in a restrictive firewall policy; for example, I don't want the ran client with IP 192.168.0.207 to be able to access either the vpn server or the whole lan by tcp protocol on port 80 or by ping, while other ran clients can, and ran client 192.168.0.207 can use other protocols/ports; having a ppp interface I could do so using iptables, specifying ppp as the incoming/outgoing interface in accept/drop rules.
At the moment I cannot specify rightsourceip as 192.168.0.200-215, only as 192.168.0.200/28 = starting from 192.168.0.201.
Proxy arping and bcrelay, as I saw, work for a half only.
Vpn clients are not accessible from lan clients by NetBIOS protocols (as an example); there is not even ping; only some lan clients are accessible from ran ones.
And what interface should I use in iptables to manage accessibility of vpn server/lan<->ran?
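The certificate point discussed in this ticket (the value the Windows client connects to must appear in a subjectAltName, and for an IP literal the thread found that a DNS entry holding the IP is what Windows accepts, an IP entry alone giving error 13801) can be exercised with openssl. The script below is an added example, not part of the ticket or of strongSwan: the working directory, file names, the documentation address 192.0.2.1 and the CN text are constructed, and the serverAuth extended key usage is included because Windows 7 requires it on the gateway certificate.

```shell
#!/bin/sh
# Added example (not from the ticket or strongSwan): issue a gateway
# certificate whose subjectAltName carries exactly the value the Windows
# client has in its connection properties. All names/paths are constructed.
set -e
WORK=${WORK:-$(mktemp -d)}

make_gateway_cert() {
    # $1: value the client connects to. A hostname becomes DNS:<name>;
    #     an IPv4 literal becomes DNS:<ip>,IP:<ip>, since the thread found
    #     that Windows needs the IP in the DNS entry and an IP entry alone fails.
    # $2: subject CN, free text (the thread shows it need not be the hostname).
    addr=$1; cn=$2
    case "$addr" in
        *[!0-9.]*) san="DNS:$addr" ;;
        *)         san="DNS:$addr,IP:$addr" ;;
    esac
    # Test CA, created once (constructed for the example).
    if [ ! -f "$WORK/ca.key" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example VPN CA"
    fi
    # Extensions for the gateway certificate. serverAuth is required by
    # Windows 7 for IKEv2 gateway certificates.
    cat > "$WORK/server.ext" <<EOF
subjectAltName=$san
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment
EOF
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=$cn"
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt"
}

cert_san() {
    # Print the subjectAltName line of a PEM certificate, i.e. what has to
    # be compared with the value configured on the client.
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Usage: sh make_gateway_cert.sh 192.0.2.1 "Gateway certificate"
if [ "$#" -gt 0 ]; then
    make_gateway_cert "$1" "${2:-Gateway certificate}"
    echo "subject: $(openssl x509 -in "$WORK/server.crt" -noout -subject)"
    echo "SAN:     $(cert_san "$WORK/server.crt")"
fi
```

Running it with the address 192.0.2.1 yields a certificate whose subject is just the free-text CN while the SAN reads DNS:192.0.2.1, IP Address:192.0.2.1; with a hostname only the DNS entry is written. Checking the SAN line of the deployed certificate against the client's connection setting is the quickest way to rule this requirement out when a Windows client reports 13801.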

#3 Updated by Tobias Brunner almost 11 years ago

  • Related to Issue #714: Win 7 clients are not able to establish connection (l2tp/ipsec-cert, ikev2-machine_cert, ikev2-eap_mschapv2) added

#4 Updated by Tobias Brunner almost 11 years ago

  • Related to Issue #715: Win XP client behind NAT can not connect to Strongswan, but can connect to SoftEther (l2tp/psk) ! added

#5 Updated by Tobias Brunner almost 11 years ago

Important addition: if the client uses an IP, not a domain name, the IP has to be in the DNS field!

I was able to confirm this. Not sure why Microsoft does this, but they may internally treat the configured IP/hostname as FQDN whether it's an IP or not. I've added a note to Win7CertReq.

At the moment I cannot specify rightsourceip as 192.168.0.200-215, only as 192.168.0.200/28 = starting from 192.168.0.201.

Yes, rightsourceip currently only accepts subnets, and the intention is to ignore the first (network ID) and last (broadcast) addresses. Your subnet of 192.168.0.200/28 is technically 192.168.0.192/28 with an offset, so you could configure 192.168.0.199/28 to get addresses from 192.168.0.200-.206. You may also define multiple pools, for instance:

    rightsourceip=192.168.0.199/28,192.168.0.208/29

This gives you the IPs 192.168.0.200-.206 and 192.168.0.209-.214, which is a bit closer to your intended range. Also, because both addresses of a /31 pool are assignable to clients, you could theoretically define eight /31 pools to make all addresses in your range assignable.

Theoretically it would be possible to create address pools based on ranges, as the in-memory pool already has a constructor for this. We'd just have to add code in the two config plugins (stroke, vici) to make this configurable.

I did some tests and noticed that the in-memory pool actually handles the upper limit incorrectly. In addition to the "broadcast" address one additional address is not assignable. What would also be nice is a check whether the base address of the pool equals the subnet ID, and if not, allow it to get assigned to clients. That is, for 192.168.0.200/28 the first assignable address would then actually be .200 because the subnet ID is .192, but for 192.168.0.192/28 the first address would still be .193. I pushed fixes for this to the mem-pool-fixes branch.

Proxy arping and bcrelay, as I saw, work for a half only.

What do you mean? Do you use the farp plugin?

And what interface should I use in iptables to manage accessibility of vpn server/lan<->ran?

You could filter based on the IP addresses of the clients as they are from a predefined range. Using policy matching (-m policy) also allows you to check if packets were received or are to be sent via an IPsec tunnel (see ForwardingAndSplitTunneling for a practical example). The updown script (source:src/_updown/_updown.in) also uses policy matching with the leftfirewall=yes option, which installs firewall rules for clients if a DROP policy for the INPUT/FORWARD chains is used. You could write your own version of the updown script (configurable with leftupdown) to add custom firewall rules when a client connects.
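The pool arithmetic in the answer above (first and last address of a subnet-style rightsourceip pool, the /31 special case, and the mem-pool-fixes behaviour that lets a base address above the subnet ID be assigned) as an added shell calculator. This is not strongSwan's code or its in-memory pool implementation; it only applies the rules as described in this ticket, with "legacy" meaning the intended pre-fix behaviour (skip base and broadcast) and "fixed" the behaviour after the fix.

```shell
#!/bin/sh
# Added example (not strongSwan code): work out which addresses a
# rightsourceip pool of the form base/prefix can hand out, under the rules
# described in this ticket. Mode "legacy" skips the base and the broadcast
# address; mode "fixed" (the mem-pool-fixes behaviour) assigns the base too
# when it is not the subnet ID. Both addresses of a /31 are always assignable.

ip2int() {
    # dotted quad -> integer; the subshell keeps the IFS change local
    (IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

pool_range() {
    # $1 = base/prefix, $2 = legacy|fixed (default fixed)
    # Prints "first-last" of the assignable addresses.
    base=$(ip2int "${1%/*}"); prefix=${1#*/}; mode=${2:-fixed}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    network=$(( base & mask ))
    broadcast=$(( network | (~mask & 4294967295) ))
    if [ "$prefix" -ge 31 ]; then
        first=$network; last=$broadcast          # /31: both addresses usable
    elif [ "$mode" = legacy ]; then
        first=$(( base + 1 )); last=$(( broadcast - 1 ))
    else
        if [ "$base" -eq "$network" ]; then
            first=$(( network + 1 ))             # skip the subnet ID
        else
            first=$base                          # offset base is assignable
        fi
        last=$(( broadcast - 1 ))                # always skip the broadcast
    fi
    echo "$(int2ip "$first")-$(int2ip "$last")"
}

pool_size() {
    # $1 = comma-separated pool list as in rightsourceip=..., $2 = mode
    # Prints the total number of assignable addresses.
    total=0; rest=$1; mode=${2:-fixed}
    while [ -n "$rest" ]; do
        cidr=${rest%%,*}
        if [ "$cidr" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        range=$(pool_range "$cidr" "$mode")
        lo=$(ip2int "${range%-*}"); hi=$(ip2int "${range#*-}")
        total=$(( total + hi - lo + 1 ))
    done
    echo "$total"
}

# The ticket's example: two pools approximating 192.168.0.200-215.
for cidr in 192.168.0.199/28 192.168.0.208/29; do
    echo "$cidr legacy: $(pool_range "$cidr" legacy)  fixed: $(pool_range "$cidr" fixed)"
done
echo "total (legacy): $(pool_size 192.168.0.199/28,192.168.0.208/29 legacy)"
```

For 192.168.0.199/28 the legacy rule gives .200-.206 as stated above, while the fixed rule also hands out .199, because .199 is not the subnet ID (.192); for 192.168.0.192/28 both rules start at .193. The two-pool list from the answer totals 13 addresses under the legacy rule, which is why the ticket asks for true range support.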

#6 Updated by Alex Brew almost 11 years ago

Yes, rightsourceip currently only accepts subnets, and the intention is to ignore the first (network ID) and last (broadcast) addresses. Your subnet of 192.168.0.200/28 is technically 192.168.0.192/28 with an offset, so you could configure 192.168.0.199/28 to get addresses from 192.168.0.200-.206. You may also define multiple pools, for instance:
This gives you the IPs 192.168.0.200-.206 and 192.168.0.209-.214, which is a bit closer to your intended range. Also, because both addresses of a /31 pool are assignable to clients, you could theoretically define eight /31 pools to make all addresses in your range assignable.
Theoretically it would be possible to create address pools based on ranges, as the in-memory pool already has a constructor for this. We'd just have to add code in the two config plugins (stroke, vici) to make this configurable.

That would be fine, and as easy and logical as with xl2tpd (regarding IP assignment).

I did some tests and noticed that the in-memory pool actually handles the upper limit incorrectly. In addition to the "broadcast" address one additional address is not assignable. What would also be nice is a check whether the base address of the pool equals the subnet ID, and if not, allow it to get assigned to clients. That is, for 192.168.0.200/28 the first assignable address would then actually be .200 because the subnet ID is .192, but for 192.168.0.192/28 the first address would still be .193. I pushed fixes for this to the mem-pool-fixes branch.

Should I test it on my own also?

Proxy arping and bcrelay, as I saw, work for a half only.

What do you mean? Do you use the farp plugin?

I use farp, as it is started by default if installed.
As far as I know, additional settings are not required for farp.
For the one half that works: proxyarp is on in my OS installation; for example, using NetBIOS it is possible to see and access lan clients from ran (vpn) clients by name.
For the other half that doesn't work: not all lan clients are accessible from ran (vpn) at all, and lan clients cannot even ping ran clients.
So, NetBIOS uses proxyarp and bcrelay.
And I looked at tcpdump on the lan and wan interfaces with src=ran client IP: on lan there is nothing, all packets went to/from the wan interface; from that I assumed that the wan interface is involved in the ikev2 process, but for NetBIOS broadcast packets have to go between interfaces: in the case of xl2tpd lan<->ppp, in the case of ikev2 lan<->wan for vpn IPs. I listened accordingly, as I mentioned above: broadcast packets went to the wan iface, but there weren't any on lan; it wasn't relayed.
From that I concluded that it works for 50 % or less.
Maybe I am wrong about the ikev2 handling scheme. But how does it work?
One more thing: at the moment lan clients cannot even ping vpn ones, and some lan clients cannot be accessed by name from ran clients.

You could filter based on the IP addresses of the clients as they are from a predefined range. Using policy matching (-m policy) also allows you to check if packets were received or are to be sent via an IPsec tunnel (see ForwardingAndSplitTunneling for a practical example). The updown script (source:src/_updown/_updown.in) also uses policy matching with the leftfirewall=yes option, which installs firewall rules for clients if a DROP policy for the INPUT/FORWARD chains is used. You could write your own version of the updown script (configurable with leftupdown) to add custom firewall rules when a client connects.

Can you point to updown script examples ?

By the way, did you see [[http://www.mail-archive.com/users@lists.strongswan.org/msg08057.html]] ?

#7 Updated by Tobias Brunner almost 11 years ago

Theoretically it would be possible to create address pools based on ranges, as the in-memory pool already has a constructor for this. We'd just have to add code in the two config plugins (stroke, vici) to make this configurable.

That would be fine, and as easy and logical as with xl2tpd (regarding IP assignment).

I've implemented this and merged the changes to master (see associated merge commit).

I did some tests and noticed that the in-memory pool actually handles the upper limit incorrectly. In addition to the "broadcast" address one additional address is not assignable. What would also be nice is a check whether the base address of the pool equals the subnet ID, and if not, allow it to get assigned to clients. That is, for 192.168.0.200/28 the first assignable address would then actually be .200 because the subnet ID is .192, but for 192.168.0.192/28 the first address would still be .193. I pushed fixes for this to the mem-pool-fixes branch.

Should I test it on my own also?

I merged this fix to master with the changes above (see associated merge commit).

Proxy arping and bcrelay, as I saw, work for a half only.

What do you mean? Do you use the farp plugin?

I use farp, as it is started by default if installed.
As far as I know, additional settings are not required for farp.
For the one half that works: proxyarp is on in my OS installation; for example, using NetBIOS it is possible to see and access lan clients from ran (vpn) clients by name.
For the other half that doesn't work: not all lan clients are accessible from ran (vpn) at all, and lan clients cannot even ping ran clients.
So, NetBIOS uses proxyarp and bcrelay.

What do you mean with "one half"? Half the clients? (If so, which half?) Half the time? Can this be reproduced somehow?

Anyway, you won't need "proxyarp" (what exactly are you referring to anyway) as the farp plugin already does respond to ARP requests for virtual IP addresses handed out to VPN clients.

Also, what does your config look like? What about your firewall rules? It's definitely possible that all the hacks you did for L2TP on the same machine somehow interfere with IPsec handling via IKEv2.

Can you point to updown script examples ?

Have a look at the default script at source:src/_updown/_updown.in or one of the scripts in the source:testing/tests subfolders (e.g. source:testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown).

By the way, did you see [[http://www.mail-archive.com/users@lists.strongswan.org/msg08057.html]] ?

As mentioned there by Martin, and in our previous discussions, this is broken by design. And Linux already ignores header checksums so the patches are not relevant. Regarding the ports, these are not translated by the NAT as the original UDP header is encrypted (which is the problem if multiple clients are behind the same NAT and all use the same source port for L2TP). The difference between Windows 7 and iOS is apparently that the latter's L2TP client dynamically allocates a source port, while Windows 7 always uses 1701 (thus causing conflicts).
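A custom updown script along the lines pointed to above (per-client firewall rules using policy matching, installed on up-client and removed on down-client, for a setup with a DROP policy on INPUT/FORWARD) as an added example. It is not strongSwan's _updown script and not code from this ticket; it relies on the PLUTO_VERB and PLUTO_PEER_SOURCEIP variables strongSwan passes to updown scripts, while the restricted-client list, the choice of blocking TCP/80 and echo requests for 192.168.0.207 (the ticket's own example), and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not strongSwan's _updown): per-client firewall rules for
# IKEv2 virtual IPs, for use as leftupdown=/path/to/this/script with a
# DROP policy on INPUT/FORWARD. strongSwan passes PLUTO_VERB and, for
# clients with a virtual IP, PLUTO_PEER_SOURCEIP in the environment.
# RESTRICTED_CLIENTS and DRY_RUN are assumptions made for this example.

# Clients that may not reach TCP/80 or ping the gateway/LAN (the ticket's
# 192.168.0.207 case); everything else they do is allowed.
RESTRICTED_CLIENTS=${RESTRICTED_CLIENTS:-192.168.0.207}

ipt() {
    # DRY_RUN=1 prints the rule instead of installing it.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

client_rules() {
    # $1 = -A (install) or -D (remove), $2 = client's virtual IP.
    # "-m policy --dir in --pol ipsec" matches only packets that arrived
    # through an IPsec SA, so a plaintext packet spoofing the VPN IP on the
    # LAN or WAN side never matches these rules.
    action=$1; ip=$2
    in_pol="-m policy --dir in --pol ipsec --proto esp"
    out_pol="-m policy --dir out --pol ipsec --proto esp"
    for r in $RESTRICTED_CLIENTS; do
        if [ "$r" = "$ip" ]; then
            for chain in INPUT FORWARD; do
                ipt "$action" "$chain" -s "$ip" $in_pol -p tcp --dport 80 -j DROP
                ipt "$action" "$chain" -s "$ip" $in_pol -p icmp --icmp-type echo-request -j DROP
            done
        fi
    done
    # Rules are appended, so the DROPs above are evaluated before these.
    ipt "$action" INPUT   -s "$ip" $in_pol -j ACCEPT
    ipt "$action" FORWARD -s "$ip" $in_pol -j ACCEPT
    ipt "$action" FORWARD -d "$ip" $out_pol -j ACCEPT   # LAN -> client replies
}

updown_main() {
    case "$PLUTO_VERB" in
        up-client)   if [ -n "$PLUTO_PEER_SOURCEIP" ]; then client_rules -A "$PLUTO_PEER_SOURCEIP"; fi ;;
        down-client) if [ -n "$PLUTO_PEER_SOURCEIP" ]; then client_rules -D "$PLUTO_PEER_SOURCEIP"; fi ;;
        *) ;;   # up-host, down-host, ...: nothing to do for this policy
    esac
}

updown_main
```

To preview what a connection from 192.168.0.207 would install without touching the firewall, run it as `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_PEER_SOURCEIP=192.168.0.207 sh updown.sh`. The point of the policy match is that it stands in for the ppp interface the ticket misses: the rules key on "came out of an IPsec SA", not on an interface name, which is what makes them safe against a LAN host reusing a VPN address.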

#8 Updated by Alex Brew almost 11 years ago

What do you mean with "one half"? Half the clients? (If so, which half?) Half the time? Can this be reproduced somehow?

Meaning half by quantity. But I cannot find out what causes these clients not to work while the other ones work; I cannot discover the reason at this time.
Win 7 clients are in the working half as well as in the non-working one; both halves, that is all of them, work with l2tp/psk or l2tp/ipsec, with the same certs.

Also, what does your config look like? What about your firewall rules? It's definitely possible that all the hacks you did for L2TP on the same machine somehow interfere with IPsec handling via IKEv2.

I have iptables configured; again, l2tp is opened in it, I didn't purposefully "open" iptables for native ipsec. But I tested with almost all iptables dropping rules disabled. But there is no leftfirewall value in ipsec.conf.

One technical breakdown for me using native ipsec is that when the ppp interface comes up while an l2tp connection is set up, it, I should say, 'registers' itself in the Samba4 database (in particular the ppp IP address), and Samba4 knows about the vpn interface and about vpn clients to handle requests; but in the case of ipsec there is no registration in Samba4 at all. How is it possible to set up such behaviour or to let Samba4 know about remote computers?

One more question: if I have the following certificate chain: Root CA->Intermediate CA->Server and Client certificates, which certs should I 'put' into ipsec on the "server" side: Root CA, Intermediate CA and Server certs, or is one of the CAs (either Root or Intermediate) not necessary?
And which are necessary on the client side: Root CA, Intermediate CA and Client certs, or is one of the CAs (either Root or Intermediate) not necessary?

By the way, did you see [[http://www.mail-archive.com/users@lists.strongswan.org/msg08057.html]] ?

As mentioned there by Martin, and in our previous discussions, this is broken by design. And Linux already ignores header checksums so the patches are not relevant. Regarding the ports, these are not translated by the NAT as the original UDP header is encrypted (which is the problem if multiple clients are behind the same NAT and all use the same source port for L2TP). The difference between Windows 7 and iOS is apparently that the latter's L2TP client dynamically allocates a source port, while Windows 7 always uses 1701 (thus causing conflicts).

I saw it.
But I took SoftEther as an example.
I tested it as l2tp/psk with Win XP and Win 7 simultaneous connections behind the same NAT, with built-in clients.
It worked. I didn't test it as l2tp/cert, because it seems there is no full support, or only partial support, for this configuration.
So, how does SoftEther handle multiple connections?
Or does SoftEther make one session for multiple connections?
Maybe someone will look at the SoftEther code to see how it works (I am not a highly skilled programmer, not even middle skilled).

#9 Updated by Tobias Brunner about 10 years ago

  • Status changed from Feedback to Closed

Closing some old tickets. The "multiple L2TP/IPsec clients behind the same NAT" issue might now be solved with the connmark plugin.