Masquerading strongswan ipsec ikev2 RAS clients

I have a VPS in Sweden and I want to establish an IKEv2 RAS connection.
The connection is established and a valid SA was created.



Now I want to masquerade the traffic for 0.0.0.0/0 through the WAN interface.
I've tried it (as usual) with



# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE


but it seems that the traffic is not really masqueraded, because the packets never reach the destination.



Output of tcpdump:



# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64


I think the thing is the type of interface...
I am caught in an OpenVZ VM and there is no default route:



# ip route show
default dev venet0 scope link


Output of ipsec statusall



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test1: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test1: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test1: 0.0.0.0/0 === 10.9.0.110/32


This is my ipsec.conf



# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 4, knl 4, cfg 4"

conn %default
    compress=no
    type=tunnel
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes256-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=@sweden
    leftfirewall=yes
    rightdns=8.8.8.8,8.8.4.4
    authby=secret

conn rw-test
    right=%any
    rightid=testuser@sweden
    rightsourceip=10.9.0.110/16
    auto=add


Does anyone have an idea how to handle that?
  • Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
    – ecdsa
    Apr 30 at 8:40










  • Is enabled, ICMP works
    – papayawhip
    Apr 30 at 10:35
asked Apr 28 at 20:35 by papayawhip
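As an added example (not from the post or from strongSwan), a small checker over the tcpdump lines quoted in the question: it pairs each echo request leaving the virtual IP with its masqueraded copy and looks for the matching echo reply, so a defender can tell whether the NAT step or the return path is the part that fails. It assumes MASQUERADE leaves the ICMP id untouched, which the capture above confirms, and the redacted public address XXX.XXX.XXX.XXX is used as-is.

```python
import re
from collections import defaultdict

# Sample input: the ICMP lines from the tcpdump capture in the question,
# copied verbatim (the public address is redacted as XXX.XXX.XXX.XXX there).
CAPTURE = """\
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
"""

# One tcpdump ICMP echo line; the (id, seq) pair ties a request to its reply.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(capture):
    """Return the parsed ICMP echo packets; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]


def analyse(capture, client_prefix="10.9.", public_ip="XXX.XXX.XXX.XXX"):
    """Count client requests, how many reappear NATed, and how many got a reply.

    Assumption: MASQUERADE keeps the ICMP id (it rewrites it only on collision),
    so the same (id, seq) key identifies the pre-NAT and post-NAT copies.
    """
    flows = defaultdict(set)  # (id, seq) -> subset of {"client", "nat", "reply"}
    for p in parse(capture):
        key = (p["id"], p["seq"])
        if p["kind"] == "reply":
            flows[key].add("reply")
        elif p["src"].startswith(client_prefix):
            flows[key].add("client")
        elif p["src"] == public_ip:
            flows[key].add("nat")
    client = [k for k, v in flows.items() if "client" in v]
    return {
        "requests": len(client),
        "masqueraded": sum("nat" in flows[k] for k in client),
        "replied": sum("reply" in flows[k] for k in client),
    }


if __name__ == "__main__":
    # For the capture above: every request is masqueraded, none is answered,
    # so the NAT rule works and the loss is on the return path.
    print(analyse(CAPTURE))
```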