ipv4 ipv6 mtu mss size

In this case we have an gre tunnel inside an ikev2 tunnel inside an pppoe tunnel :-)


Get ipv4 mss with Linux host


Size 1339 error

ping -4 -n -c 2 -M do -s 1339 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1339(1367) bytes of data.
ping: local error: Message too long, mtu=1366
ping: local error: Message too long, mtu=1366

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1027ms

Size 1338 good

ping -4 -n -c 2 -M do -s 1338 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1338(1366) bytes of data.
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.926/31.966/32.006/0.040 ms

How to calculate ipv4 mss

ICMPv4 header size ([IPv4 + ICMP] [20 +8]) = 28
MTU ([Size + ICMPv4] [1338 + 28]) = 1366
IPv4TCP header size ([IPv4 + TCP] [20 +20]) = 40
TCP-MSS ([MTU – IPv4TCP] [1366 – 40]) = 1326


Mikrotik ipv4 tcp-mss clamping example

/ip firewall mangle
add action=change-mss chain=forward new-mss=1326 passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx tcp-flags=syn tcp-mss=1327-65535
add action=change-mss chain=forward dst-address=xxx.xxx.xxx.xxx new-mss=1326 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1327-65535


Get ipv6 mss with Linux host


Size 1319 error

ping -6 -n -c 2 -M do -s 1319 www.google.com

PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1319 data bytes

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1004ms

Size 1318 good

ping -6 -n -c 2 -M do -s 1318 www.google.com
PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1318 data bytes
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.501/31.733/31.966/0.292 ms

How to calculate ipv6 mss

ICMPv6 header size ([IPv6 + ICMP] [40 +8]) = 48
MTU ([Size + ICMPv6] [1318 + 48]) = 1366
IPv6TCP header size ([IPv6 + TCP] [40 +20]) = 60
TCP-MSS ([MTU – IPv6TCP] [1366 – 60]) = 1306


Mikrotik ipv6 tcp-mss clamping example

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1306 passthrough=yes protocol=tcp src-address=xxx:xxx:xxx:xxx::xxx/120 tcp-flags=syn tcp-mss=1307-65535
add action=change-mss chain=forward dst-address=xxx:xxx:xxx:xxx::xxx/120 new-mss=1306 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1307-65535

Have fun!

IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

Hi,
here my Strongswan road-warrior config using Archlinux

/etc/swanctl/conf.d/somename.conf

connections {	
	somename {
		local_addrs  = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		dpd_timeout=120s
		rekey_time=1d
      
		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts = 192.168.223.0/24
				esp_proposals = aes256-sha256-modp2048
				dpd_action=start
				life_time=8h
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to

/etc/swanctl/private/cert_export_work_private.pem

Save your certificate to

/etc/swanctl/x509/cert_export_work_crt.pem

Save your ca-certificate to

/etc/swanctl/x509ca/cert_export_ca.pem

Start and stop your vpn connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

freeradius 3.0 ubuntu 18.04 with daloradius mikrotik ikev2 eap-radius wireless

Hi

First of all setup your favorite php sql webserver


apt install php-db php-gd git freeradius freeradius-mysql

cd /var/www/web001/htdocs 
git clone https://github.com/lirantal/daloradius.git

We have to import the freeradius 3.0 mysql schema first. Daloradius does only have freeradius 2.0 compatible sql schemas.

cat /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql | mysql -u radius -p radius

Now we import the daloradius sql schema without freeradius 2.0 sql schemas

cat /var/www/web001/htdocs/daloradius/contrib/db/mysql-daloradius.sql | mysql -u radius -p radius

here my freeradius mysql setup

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/sql

vim sql

driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "abcdefg"
radius_db = "radius"
read_clients = yes

here my changes to eap (eap for authenticating mikrotik wireless via wpa2 enterprise and mikrotik ikev2 eap radius)

vim /etc/freeradius/3.0/mods-enabled/eap

eap {
...
#ikev2 eap radius
default_eap_type = peap
...
}
tls-config tls-common {
private_key_file = path_to_your_ssl_private_key
certificate_file = path_to_your_ssl_certificate
ca_file = path_to_your_ssl_cabundle
}

I use rapidssl server certificate.

https://support.microsoft.com/en-ph/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls


here my changes to the “default” site

cd /etc/freeradius/3.0/sites-enabled
vim default

authorize {
...
auth_log
...
sql
}

accounting {
...
sql
...
}

session {
...
sql
...
}

post-auth {
...
reply_log
sql
...
}

session {
...
sql
...
}

here my bulk radius settings

cd /etc/freeradius/3.0

vim radiusd.conf

log {
...
auth = yes
...
auth_badpass = yes
...
}

https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu

you have to create a systemd override for the freeradius unit. otherwise freeradius won’t start correctly if mysql is not running.

systemctl edit freeradius

[Unit]
After=network.target mysql.service

setup daloradius config

vim /var/www/web001/htdocs/daloradius/library/daloradius.conf.php

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

Have fun!

Mikrotik RouterOS 6.38 IKEv2 Strongswan RSA Auth howto

Hi there,

a) setup clock of your routerboard

/system ntp client set primary-ntp=192.168.223.2
/system clock set time-zone-name=Europe/Vienna

b) generate certificates

/certificate add common-name="paranoids.at Root CA" name=ca     
/certificate sign ca ca-crl-host=192.168.223.106
/certificate add common-name=test.paranoids.at subject-alt-name=IP:test.paranoids.at key-usage=tls-server name=server1
/certificate sign server1 ca=ca
/certificate add common-name=client1@test.paranoids.at key-usage=tls-client name=client1
/certificate sign client1 ca=ca

c) configure your server

/export compact                                                      
# jan/06/2017 12:21:49 by RouterOS 6.38
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.33.0/27
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=test
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns static
add address=192.168.223.106 name=test
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=test passive=yes
/ip ipsec policy
set 0 dst-address=192.168.33.0/27 src-address=0.0.0.0/0

d) export client certificates

/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=1234567890

e) import client certificates to strongswan (file ending is important)

 scp admin@192.168.223.106:/cert_export_client1.crt .
 scp admin@192.168.223.106:/cert_export_client1.key .
 scp admin@192.168.223.106:/cert_export_client1.key .
 mv cert_export_ca.crt /etc/ipsec.d/cacerts/cert_export_ca.pem
 mv cert_export_client1.crt /etc/ipsec.d/certs/cert_export_client1.pem
 mv cert_export_client1.key /etc/ipsec.d/private/cert_export_client1.pem

f) configure strongswan properly

/etc/ipsec.conf

conn test
 keyexchange=ikev2
 ike=aes256-sha256-modp2048
 esp=aes256-sha256-modp2048
 ikelifetime = 24h
 lifetime = 30m
 dpddelay = 120s
 left=%defaultroute
 leftsourceip=%config
 leftcert=cert_export_client1.pem
 leftid=client1@test.paranoids.at
 leftfirewall=yes
 right=192.168.223.106
 rightsubnet=192.168.99.0/24
 rightid="CN=test.paranoids.at" 
 auto=add

/etc/ipsec.secrets

: RSA cert_export_client1.pem "1234567890"

g) fire up your vpn

:~# systemctl restart strongswan
:~# ipsec up test

Resources:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ikev2_Server_Setup

Hint:
For strongswan under Debian Jessie you have to remove the passphrase from the private key!
For Android set Server-Identity: CN=test.paranoids.at!

Have fun!

sstp client linux howto

Hi  There

Here some nice howto to get SSTP client for Linux to run:

1)Download deb or rpm or compile yourself:

http://sstp-client.sourceforge.net/

2)Install deb or rpm or binary
(in my case install deb for ubuntu)

dpkg -i libsstp-client0_1.0.9_amd64.deb
dpkg -i sstp-client_1.0.9_amd64.deb

3)Configure ppp manager
sudo su
3.1) you may want your targets reachable over your sstp tunnel, therefore we need to setup some routes

vim /etc/ppp/ip-up.d/route
#!/bin/bash
NET="1.1.1.1/24 x.x.x.x/24"
GW="192.168.x.5"

if (ip addr show | grep -q $GW) then
        for PREF in $NET
        do
                route add -net $PREF gw $GW
        done
fi
chmod 755 /etc/ppp/ip-up.d/route

3.2) we need to store your credentials in chap-secrets file

vim /etc/ppp/chap-secrets
bla-user.name   *       passwordtopsecret

3.3)we need to add a ppp peer

vim /etc/ppp/peers/youpeername
#
# Put this file in /etc/ppp/peers/sstp-test, the name should be the same as 
#   for remotename, linkname, and ipparam. Update the url for the server as a part
#   of the pty statement, and finally update your username.
#
# Make sure your user 'kendo' have an appropriate entry in /etc/ppp/chap-secrets.
# Example:
#  #client              server  secret                  IP addresses
#  kendo                *       xxxxxxx                 *
#  'DOMAIN\\kendo'      *       xxxxxxx
#
# Connect to sstp-test peer:
#   sudo pon sstp-test
#
remotename      fqdn-of-your-vpn-peer
linkname        fqdn-of-your-vpn-peer
ipparam         fqdn-of-your-vpn-peer
pty             "sstpc --save-server-route --cert-warn --ipparam fqdn-of-your-vpn-peer --log-level 0 --nolaunchpppd fqdn-of-your-vpn-peer"
name            bla-user.name
plugin          sstp-pppd-plugin.so
sstp-sock       /var/run/sstpc/sstpc-fqdn-of-your-vpn-peer
usepeerdns
#require-mppe
require-mschap-v2
noauth
lock
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
persist

# Uncomment this if you want additional debug in your /var/log/messages
# debug

4)fire it up

pon youpeername

Have fun!