Re: [Swan] How to re-enable IKEv1 on Rocky linux 9 / RHEL9?
On Mon, 8 Apr 2024 17:03:49 +0300 Viktor Keremedchiev via Swan wrote:

> Hello,
>
> On rocky linux 9 I’m not able to get IKEv1 working,
> libreswan-4.12-1.el9.x86_64 from EPEL repository.
>
> I have created and enabled crypto-policy module that allows it
> explicitly crypto-policies/policies/modules/IKEV1.pmod
> protocol@IKE = IKEv1 IKEv2

That is not needed at all.

> As per the relevant config I have
> ikev1-policy=accept

ikev1-policy is config setup option, not connection option.

> I have also commented out in /etc/ipsec.conf
> #etc/crypto-policies/back-ends/libreswan.config

Commenting out crypto-policy include means you have necessary algorithms enabled for ikev1.

> But I still get following in the /var/log/pluto.log
>
> packet from 213………...500: ignoring IKEv1 packet as policy is set to
> silently drop all IKEv1 packets

Yes. Because your "config setup" section doesn't have "ikev1-policy=accept"

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
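A check for the misplacement diagnosed in the reply above, as an added example that is not part of the thread or of libreswan: it reports which section of an ipsec.conf sets ikev1-policy, so an option placed under a conn is caught before pluto silently drops IKEv1 packets. The sample configurations, the connection name and the function names are constructed for illustration.

```python
import re

# A section header starts in column 0: "config setup" or "conn <name>".
SECTION_RE = re.compile(r"^(config\s+setup|conn\s+\S+)\s*$")
# An option is an indented "key=value" line inside a section.
OPTION_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def find_option(conf_text, option="ikev1-policy"):
    """Return (section, value, line number) for every place `option` is set.

    Simplification: "include" lines are not followed, so run the check on
    each included file separately.
    """
    hits = []
    section = None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        header = SECTION_RE.match(line)
        if header:
            section = " ".join(header.group(1).split())
            continue
        opt = OPTION_RE.match(line)
        if opt and opt.group(1) == option:
            hits.append((section, opt.group(2), lineno))
    return hits


def check_ikev1_policy(conf_text):
    """Return (value set in "config setup" or None, settings found elsewhere)."""
    hits = find_option(conf_text)
    in_setup = [h for h in hits if h[0] == "config setup"]
    misplaced = [h for h in hits if h[0] != "config setup"]
    value = in_setup[-1][1] if in_setup else None
    return value, misplaced


# Constructed sample: the option sits under a conn, which the reply says
# is the wrong place for it.
MISPLACED = """\
config setup
    logfile=/var/log/pluto.log

conn legacy-peer
    ikev2=no
    ikev1-policy=accept
"""

# Constructed sample: the option moved into "config setup" as the reply asks.
CORRECTED = """\
config setup
    logfile=/var/log/pluto.log
    ikev1-policy=accept

conn legacy-peer
    ikev2=no
"""

if __name__ == "__main__":
    for name, text in (("misplaced", MISPLACED), ("corrected", CORRECTED)):
        value, misplaced = check_ikev1_policy(text)
        print(name, "-> config setup value:", value, "| elsewhere:", misplaced)
```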
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit cd7995b4eb68ccf98ec7c658cb5706b0d6f6ccf1
Author: Tuomo Soini
Date: Thu Apr 4 01:03:32 2024 +0300

    building: allow overriding SD_TYPE

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit ffbb450dd90bafc8cb978b9babfa0986eaf513c1
Author: Tuomo Soini
Date: Thu Apr 4 00:48:28 2024 +0300

    packaging: update packaging for new systemd notify code
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 92b10bf4168b3fa63466b5538a6dbc547b0f3e02
Author: Tuomo Soini
Date: Fri Feb 23 15:43:35 2024 +0200

    testing: update output for _updown.xfrm resolv.conf update

    Match d042e99c0557ca4e365a2c7ef479eaf0368755a2

commit d042e99c0557ca4e365a2c7ef479eaf0368755a2
Author: Tuomo Soini
Date: Fri Feb 23 15:42:15 2024 +0200

    _updown.xfrm: allow update of libreswan created resolv.conf
Re: [Swan-dev] What does "missing v2CP reply" mean?
On Fri, 16 Feb 2024 16:12:20 +0100 Brady Johnson via Swan-dev wrote:

> I included the configuration in the original email, and it did not
> include "narrowing", nor "leftmodecfgclient". I'll check if either of
> those are set by default.

My guess is that "dhcp" in NetworkManager configuration might cause this.

> Would it have been better to send this email to "Libreswan users"?

Maybe?

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
Re: [Swan] Possible to setup multiple connections, partly behind NAT?
On Fri, 9 Feb 2024 23:35:39 +0100 Phil Nightowl via Swan wrote:

> I am used to utilise X.509, so I have leftid=%fromcert everywhere.
> Does the above mean that I should use something like
>
> right=%any
> rightid="CN=*.privlan,O=MyOrg,C=CA" ?

That won't work. Wildcard can only match whole label. So this would work:

rightid="C=CA, O=MyOrg, CN=*"

Note: order of fields must actually match the order libreswan shows them and all labels in certificate must be present, and I expect the label order I wrote is what libreswan shows in "ipsec auto --listpubkeys"

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 50e30dd92838239b23f06f9ba161b33d569a1c3e
Author: Tuomo Soini
Date: Wed Jan 31 17:49:26 2024 +0200

    building: use correct transformation for ipsec.conf
Re: [Swan] LibreSWAN and IPv6 Link Local addresses
On Tue, 16 Jan 2024 21:17:41 -0500 William Atwood wrote:

> 1) I know that Libreswan does not support %zone identifiers
> associated with Link-Local (LL) addresses, and it appears from your
> experience that Strongswan does not either. I also know that
> Libreswan insists that an endpoint address must be "Global".

Global is only used when adding IP for XFRM interface for route-based IPsec vpn. And because this is route-based, this can't be LL-address. We told you multiple times that this doesn't affect LL address handling. And we can't really implement support for LL addresses on linux before XFRM/IPsec stack supports it.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Re: [Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted
On Mon, 15 Jan 2024 13:23:58 -0500 Bill Atwood wrote:

> Here is the result of the status command, on Ritchie (running 5.0
> RC1):
>
> dev@Ritchie:~$ sudo ipsec status | grep interface
> [sudo] password for dev:
> using kernel interface: xfrm
> interface lo UDP [::1]:4500
> interface lo UDP [::1]:500
> interface lo UDP 127.0.0.1:4500
> interface lo UDP 127.0.0.1:500
> interface enp4s0 UDP 132.205.9.46:4500
> interface enp4s0 UDP 132.205.9.46:500
> interface enp5s4 UDP 132.205.9.50:4500
> interface enp5s4 UDP 132.205.9.50:500
> interface enp5s5 UDP 132.205.9.53:4500
> interface enp5s5 UDP 132.205.9.53:500
> interface virbr0 UDP 192.168.123.1:4500
> interface virbr0 UDP 192.168.123.1:500
> "RITA6c": conn_prio: 128,128; interface: ; metric: 0; mtu: unset;
> sa_prio:auto; sa_tfc:none;
> dev@Ritchie:~$

Is this directly from bootup of the machine? Reason could be your network configuration. Libreswan requires network-online.target before startup. But if you don't have setting for IPV6 address to be required on your interface, network-online.target finishes before you have IPv6 address on the interface and so there is no ipv6 address when libreswan starts, yet.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Re: [Swan] how/where to configure list of 'valid' certs
On Sun, 14 Jan 2024 15:31:00 + Marc wrote:

> >
> > strangely this:
> >
> > rightid="O=Example,CN=android13client.example.com"
> > and
> > rightid="CN=android13client.example.com"

These two shouldn't work. Depending on your certificate subject only first or second can work.

> >
> > allows access, however
> >
> > rightid="CN=*.example.com"

This can't match because you can't match part of subject label. So you can only match rightid="CN=*" - and if this matches your cert, first example on previous one couldn't match your certificate because it has label "O=Example" which is not matched.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
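The rightid matching rule stated in the reply above and in the earlier reply on connections behind NAT (a wildcard stands for a whole label value, labels in the same order, every subject label present), modelled as an added example that is not libreswan's matching code. The certificate subjects are constructed; running the patterns from both threads against them shows which are rejected and how broadly CN=* admits.

```python
def parse_dn(dn):
    """Split a DN string into an ordered list of (label, value) pairs."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)       # keep an escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        label, sep, value = part.partition("=")
        if not sep or not label.strip():
            raise ValueError("not a label=value pair: %r" % part)
        pairs.append((label.strip().upper(), value.strip()))
    return pairs


def match_id(pattern, subject):
    """Apply the rule as stated in the replies; return (matched, reason).

    Simplification: values are compared as exact strings.
    """
    pat, sub = parse_dn(pattern), parse_dn(subject)
    if len(pat) != len(sub):
        return False, "pattern has %d labels, subject has %d" % (len(pat), len(sub))
    pairs = zip(pat, sub)
    for pos, ((plabel, pvalue), (slabel, svalue)) in enumerate(pairs, 1):
        if plabel != slabel:
            return False, "label %d is %s in the pattern, %s in the subject" % (
                pos, plabel, slabel)
        if pvalue == "*":
            continue                 # whole-label wildcard: any value
        if pvalue != svalue:
            # "*.privlan" lands here: a partial wildcard is just a literal
            return False, "%s value %r does not equal %r" % (plabel, pvalue, svalue)
    return True, "match"


def admitted(pattern, subjects):
    """Return the subjects that a rightid pattern would accept."""
    return [s for s in subjects if match_id(pattern, s)[0]]


# Constructed certificate subjects, written in the label order of the replies.
SUBJECTS = [
    "C=CA, O=MyOrg, CN=host1.privlan",
    "C=CA, O=MyOrg, CN=laptop7.guest",
    "C=CA, O=OtherOrg, CN=host1.privlan",
    "CN=android13client.example.com",
    "O=Example, CN=android13client.example.com",
]

if __name__ == "__main__":
    for pattern in ("CN=*.privlan,O=MyOrg,C=CA", "C=CA, O=MyOrg, CN=*",
                    "CN=*", "CN=*.example.com"):
        print(pattern, "->", admitted(pattern, SUBJECTS))
```

CN=* cannot be narrowed to one name suffix: "C=CA, O=MyOrg, CN=*" admits laptop7.guest as well as host1.privlan, so any restriction has to come from the other labels or from which CAs are trusted.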
Re: [Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted
On Sat, 13 Jan 2024 16:56:29 -0500 Bill Atwood wrote:

> (continued from " 5.0 RC1 connection not found", with changed
> subject, because this is a new error).
>
> After renaming RITA6C to RITA6C.conf, I ran:
>
> sudo ipsec add RITA6c
>
> which reported that an IPsec connection had been established.
>
> However:
>
> ip addr show
>
> did *not* show the new interface. Subsequently running

There is no interfaces for IPsec with XFRM by default. So your test worked just fine without any problems.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
Re: [Swan-dev] Libreswan 5.0 RC1 Suggested Documentation Fixes
On Sat, 13 Jan 2024 14:02:57 -0500 Bill Atwood wrote:

> this one has not (or at least it was not fixed before RC1 was
> released).

Thank you for your comments. These are all fixed in git main and will be in RC2.

> 3. Further down under the same heading, it says:
> "Run `ipsec verify` to determine if your system misses any of the
> requirements. This will also tell you if any of the kernel sysctl
> values needs changing."
> Either the "verify" command needs to be re-installed, or these two
> sentences need to be removed.

Thanks for these. Now suggestions to run verify has been removed from README.md.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 79ee4c9c0a8d6f8a9c68c971862cec9e347b5e51
Author: Tuomo Soini
Date: Fri Jan 12 16:39:46 2024 +0200

    testing/ikev2-xfrmi-16-rekey: update output for silenced warning
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit fc528a0dc0ecd9290b7b26fb6c51059e1bcee343
Author: Tuomo Soini
Date: Thu Jan 11 20:59:15 2024 +0200

    _updown.xfrm: update copyright

commit c7e7a1939e13b90f9725a6960d033c5675e130fb
Author: Tuomo Soini
Date: Thu Jan 11 20:58:47 2024 +0200

    _updown.xfrm: ignore warning for already existing ip rule
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit f597e632d6f7923fb679bb77a6ec77423ec1c926
Author: Tuomo Soini
Date: Fri Dec 29 01:03:39 2023 +0200

    documentation/man: fix pluto option name
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 98177b4e11d8d5e143d4677e2d46db8dfb99ae69
Author: Tuomo Soini
Date: Thu Dec 28 17:41:48 2023 +0200

    testing: remove unused dopluto script
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 68a5cf41a81811e88a031dc0b6fecb0cd72dc77d
Author: Tuomo Soini
Date: Thu Dec 28 12:02:35 2023 +0200

    documentation/man: remove non-existing --cltbase option
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 2b8eaee310537fe13031cc62eec04016f54503d2
Author: Tuomo Soini
Date: Wed Dec 27 00:04:51 2023 +0200

    documentation/man: cleanup formatting
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 8728bc0f5ded1debd339a173c32c55333f343332
Author: Tuomo Soini
Date: Tue Dec 26 23:01:25 2023 +0200

    documentation/man: fix IPSEC_CONFDDIR transformation also remove some left-over remap=
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 7e9a51bed10dc7ca560d2fd9c66a51a810902595
Author: Tuomo Soini
Date: Tue Dec 26 19:46:52 2023 +0200

    scripts: nftables is our default, handle it first
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 68fa702d41803d669f10fdd0de29344cef3b43bd
Author: Tuomo Soini
Date: Mon Dec 25 23:00:51 2023 +0200

    building: when USE_NFLOG is disabled, disable it really

    Also make it sure things work without firewall support being build in.
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit a4e9301679572479e1d091ded6051a59d8d18dcc
Author: Tuomo Soini
Date: Mon Dec 25 22:15:36 2023 +0200

    building: fix logics in sanity check
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit efc5cfefd2c7f3c2df418b7141b956ca1da41158
Author: Tuomo Soini
Date: Mon Dec 25 22:14:13 2023 +0200

    building: add sanity check for USE_CAT and USE_NFLOG
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 1b08bddaca3582d27b21a7dd601fe4da5f72a3c3
Author: Tuomo Soini
Date: Mon Dec 18 23:19:10 2023 +0200

    README.md: update documentation for 5.x
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 3090c1a5e6a6ce51f0727d1f2be00bdb8cfaaf30
Author: Tuomo Soini
Date: Mon Dec 18 20:25:26 2023 +0200

    documentation/man: ipsec.conf.5 clarify ah= and esp= for phase2alg
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 0c044c2265dd872febc0f4808573548d09b6e3e0
Author: Tuomo Soini
Date: Mon Dec 18 20:05:55 2023 +0200

    documentation/man: ipsec.conf.5: clean phase2alg= away
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 6301568cc9103b38af40a8f433db4b977386d2f8
Author: Tuomo Soini
Date: Mon Dec 18 19:48:05 2023 +0200

    documentation/man: ipsec.conf.5 formatting cleanup

commit b8cbe936a7076083acce082164756f487f7cc4a2
Author: Tuomo Soini
Date: Mon Dec 18 17:50:56 2023 +0200

    documentation/man: ipsec.conf.5: restore dpdtimeout for ikev1

commit ffa3e65f8e36bc09ab7e96e7f656a018cd3194b6
Author: Tuomo Soini
Date: Mon Dec 18 17:50:32 2023 +0200

    documentation/man: ipsec.conf.5: clarify dpddelay relationships
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 5f31cf9b15d6327b44773f27a19fdb7c31c31eb2
Author: Tuomo Soini
Date: Mon Dec 18 17:16:47 2023 +0200

    documentation/man: remove pfsgroup= from man page

    Option was never valid for Libreswan
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit a72f1fc28d3381f64022050ade9213331dcf3730
Author: Tuomo Soini
Date: Wed Dec 6 18:03:53 2023 +0200

    documentation/man: Don't generate manpage for internal commands
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit a7abf8310c5549713da81db6e4681e4bed758a50
Author: Tuomo Soini
Date: Wed Dec 6 17:54:02 2023 +0200

    documentation/man: remove null documentation from internal scripts
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 0d54b305761c6f02d8e4550e8af3c6025034c828
Author: Tuomo Soini
Date: Wed Dec 6 16:02:16 2023 +0200

    documentation/man: fix refname so that man pages get correct file name
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 1290947d401a9e63b9e001546642b13d9fc0d041
Author: Tuomo Soini
Date: Mon Dec 4 21:12:01 2023 +0200

    documentation/man: libreswan.7: cleanup
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 4556e092d298446ebafec47d4d018af246352660
Author: Tuomo Soini
Date: Fri Dec 1 21:35:53 2023 +0200

    vendoridcheck: fix usage to point to correct command
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 7c6afbd2b7cadd80c0d23ec08b546b87ebeddc1a
Author: Tuomo Soini
Date: Thu Nov 30 20:48:40 2023 +0200

    documentation/man: fix transformation for IPSEC_SECRETS
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit c22cff7ed764934a1e5fbc661292097bdd958a82
Author: Tuomo Soini
Date: Thu Nov 30 16:56:25 2023 +0200

    documentation/man: cleanup ipsec_pluto.8

commit a009c5f1f56753a47d908bdc337848e1f87df696
Author: Tuomo Soini
Date: Thu Nov 30 16:33:30 2023 +0200

    documentation/man: ipsec_pluto.8, Remove unnecessary formatting
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 7e674e6ffe20ee4a125654be5196bf2756058681
Author: Tuomo Soini
Date: Thu Nov 30 16:25:02 2023 +0200

    documentation/man: ipsec_barf.8, use common way to list files
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit ad7c43bd7e9f3ef577e8b5ab3e20be2f8f942e68
Author: Tuomo Soini
Date: Thu Nov 30 16:20:03 2023 +0200

    documentation/man ipsec_barf.8 remove spaces so that html won't have them
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 2d010f93c437ceef92771eb21fbd4a88bee1dbcb
Author: Tuomo Soini
Date: Thu Nov 30 01:12:23 2023 +0200

    documentation/man: remove references to ipsec_ttodata.3, we don't ship man pages for internal functions
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 9bdbb729c2e52c11e2de77c5a63a8cca218755d8
Author: Tuomo Soini
Date: Wed Nov 29 22:09:01 2023 +0200

    documentation/man: do not remove spaces when converting to html

commit 9c63116a953398ceee7b0d4709da445cbb457448
Author: Tuomo Soini
Date: Wed Nov 29 22:04:37 2023 +0200

    documentation/man: ipsec_barf.8: really fix file links

commit 20f424f2688acac3fbb9745857782a0679ccddd4
Author: Tuomo Soini
Date: Wed Nov 29 21:58:23 2023 +0200

    documentation/man: add links to generated man html

commit 049ddffbd44892649771ba959c9ee4414efb2a14
Author: Tuomo Soini
Date: Wed Nov 29 21:45:45 2023 +0200

    documentation/man: remove references to ipsec_verify.8

commit 9cad5d63f4f5ba6cdc6c9178920c9ad233ca681c
Author: Tuomo Soini
Date: Wed Nov 29 21:43:04 2023 +0200

    man: fix link to actual page

commit da0aef346c35527bd1dd1cd21a9ecde75b9131b9
Author: Tuomo Soini
Date: Wed Nov 29 21:39:53 2023 +0200

    documentation/man: add missing ,

commit 87bc5eea6af7a445d02a8928bb5d29b9884f7996
Author: Tuomo Soini
Date: Wed Nov 29 21:34:53 2023 +0200

    documentation: remove ipsec_look.8 reference, look was removed

commit 51947304ae4ab084d6a5e34a327d8825c98f21c9
Author: Tuomo Soini
Date: Wed Nov 29 21:32:38 2023 +0200

    building: create ipsec_listcerts.8 man page

commit d9896adff1721654010c89cf5927f492318b9967
Author: Tuomo Soini
Date: Wed Nov 29 21:25:16 2023 +0200

    ipsec_barf.8: fix file names
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit c19280815ef59a952bf38195b508c88c35204a14
Author: Brady Johnson
Date: Tue Nov 28 10:31:46 2023 +0100

    Update ipsec briefconnectionstatus man page.

    Signed-off-by: Brady Johnson
    Signed-off-by: Tuomo Soini
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit dd81eb37c1578ee17eccb306753f3be671e0954e
Author: Tuomo Soini
Date: Mon Nov 27 22:13:02 2023 +0200

    ipsec: add man page for briefconnectionstatus
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit b9590bab80c29e440861386c38f505cf38efe222
Author: Tuomo Soini
Date: Thu Nov 23 00:00:29 2023 +0200

    remove typoed extra files
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit ec5138ad38ef46d151cededa23c2e90f90f0d0b7
Author: Tuomo Soini
Date: Tue Nov 21 22:19:51 2023 +0200

    ipsec.service: remove special handling of exit status 12

    41bc653d9cdd9ba648be740b6d7ad678d9072ba3 removed need for this
Re: [Swan] VPN IKEv2 client reporting syntax errors in libexec/ipsec/_updown.xfrm
On Wed, 1 Nov 2023 19:11:03 +0100 Mirsad Todorovac wrote:

> Hi,
>
> This diff seems to fix the syntax error issue:
> git blame gives commit 32c87516189f6 and 32c87516189f6 as the cause
> of the problem.

Thank you, that bashism has now been fixed.

> About the
>
> up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot
> create /etc/resolv.conf: Permission denied
>
> I don't have a clue.
>
> Now I get a different output:
>
> $ sudo ipsec up grf
> 181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
> 181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to
> 161.53.83.3:500 182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request
> {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> 003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA;
> authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital
> signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA
> 'CN=GRF-UNIZG CA, O=GRF-UNIZG' 002 "grf"[1] 161.53.83.3 #2: received
> INTERNAL_IP4_ADDRESS 192.168.100.10 002 "grf"[1] 161.53.83.3 #2:
> received INTERNAL_IP4_DNS 10.0.0.101 002 "grf"[1] 161.53.83.3 #2:
> received INTERNAL_IP4_DNS 1.0.0.1 002 "grf"[1] 161.53.83.3 #2:
> up-client output: updating resolvconf 002 "grf"[1] 161.53.83.3 #2:
> up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot
> create /etc/resolv.conf: Permission denied 004 "grf"[1] 161.53.83.3
> #2: initiator established Child SA using #1; IPsec tunnel
> [192.168.100.10-192.168.100.10:0-65535 0] ->
> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0x4ef1e1f7
> <0x36c8942c xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500
> DPD=passive} $

Pluto only works if it can manipulate /etc/resolv.conf, That is: we don't have any support for systemd-resolved. No systemd-resolved user has provided patches to add support.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit b96e4597f258a722aafcab98ddd19912a0c9af0c
Author: Tuomo Soini
Date: Wed Nov 1 22:38:11 2023 +0200

    _updown.xfrm: Fix bashism in _updown.xfrm

    Reported by Mirsad Todorovac
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit ce8dd125766c5fdbc941e0f6590155bb4294d36c
Author: Tuomo Soini
Date: Wed Nov 1 19:52:23 2023 +0200

    unbound: save root.key in unbound format
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 9f9c75c0fc93d77fb60f89ac2020c15074f04678
Author: Tuomo Soini
Date: Fri Oct 27 23:15:18 2023 +0300

    building: error out if both USE_IPTABES and USE_NFTABLES are set

commit a4d9d316da38b8945fe42b3fc5444b83c6ff3245
Author: Tuomo Soini
Date: Fri Oct 27 23:14:51 2023 +0300

    building: only enable USE_NFTABLES by default on linux if USE_IPTABLES is not set
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit db5e125eaf59b6f43d01940f3053f8e72826d1f4
Author: Tuomo Soini
Date: Fri Oct 20 12:53:55 2023 +0300

    packaging/rpm: switch to SPDX format License tag
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 07286ffe542320e8e5eb29cba7d3b4a77e276575
Author: Tuomo Soini
Date: Fri Oct 20 12:21:53 2023 +0300

    Fix build on older gcc.

    "a label can only be part of a statement and a declaration is not a statement"
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 4556e7c8b9ba88be5bcbd4e1b076d1a778c211af
Author: Daiki Ueno
Date: Thu Oct 12 22:06:10 2023 +0900

    ipsec: support ipsec setup commands with per-command help

    This adds --help and --dry-run to the subcommands redirected to ipsec setup, i.e., ipsec start/stop/restart.

    Signed-off-by: Daiki Ueno
    Signed-off-by: Tuomo Soini
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit c34a5e847336e3c272051eedf8999092c9ffc625
Author: Tuomo Soini
Date: Wed Oct 4 23:37:07 2023 +0300

    building: error out for HAVE_IPTABLES and HAVE_NFTABLES
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 74b840bf1b8343d400ef6c8ec14a550598c214c6
Author: Tuomo Soini
Date: Mon Sep 25 23:57:09 2023 +0300

    building: use @@VAR@@ consistently for all transformations

commit e6610fe6dbe9bf9acc70a3c1d5a796ceedc8e9d3
Author: Tuomo Soini
Date: Mon Sep 25 23:48:56 2023 +0300

    building: remove unused transformations

commit afd05592f39ae645a90c413f0f4fc8caaf6a84c2
Author: Tuomo Soini
Date: Mon Sep 25 23:21:48 2023 +0300

    building: change HAVE_*TABLES to USE_*TABLES

    More consistent with reset of config.mk Make variables. #1288 Also report which features are enabled.
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit cada69f99261d5f70736ff5e5a747176711e8293
Author: Tuomo Soini
Date: Fri Sep 15 19:05:09 2023 +0300

    testing: fixup test outputs for removed _stackmanager
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit d04c8afc51d8f3822890ee6577d441bda3d3d04c
Author: Tuomo Soini
Date: Fri Sep 15 10:00:35 2023 +0300

    CHANGES: update for _stackamanger

commit 528bcc688b0d72777eb2a15aba9a171cf92418a7
Author: Tuomo Soini
Date: Fri Sep 15 09:56:33 2023 +0300

    _stackmanager: stop using _stackmanager which is not needed any more
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 91f71d133eaf12e5da5992296ed667af11160cd2
Author: Tuomo Soini
Date: Wed Sep 6 09:49:20 2023 +0300

    CHANGES: update
Re: [Swan] Guidance for "complex multi CA certificate situations"
On Fri, 18 Aug 2023 12:45:37 -0600 Nels Lindquist wrote:

> Hi, all.
>
> While we transition from certificates signed by our expiring internal
> CA, I'd like to be able to use client certificates signed by either
> the old or new CA for VPN access.

> So... can leftca/rightca take multiple values? Can there be multiple
> parallel connection definitions with different certificates/CAs for
> the same functionality? Or something else entirely?

If you omit leftca and rightca any valid ca from your nss db is ok which is normally what you want. Only if you have extra ca certs you want to trust for single connection only you are in trouble and you need to duplicate all your connections with different local certificate and rightca=%same...

Some vpn clients only allow gateway to have certificate signed by same ca so you might be forced to duplicate your connections for transition anyway because your gw certificate must match client certificate ca in this case.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 30d37a2e92fd3d2299aa9decb87dedc89145bfc9
Author: Tuomo Soini
Date: Fri Jun 30 00:06:13 2023 +0300

    ipsec: fix merge failure
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 7fc6614e30d2fad375ec9229ae3c9fe945a288a0
Author: Tuomo Soini
Date: Thu Jun 29 21:24:12 2023 +0300

    ipsec: add "ipsec checkconfig" for config validation
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit ff0537a9187463fc0e6f4abb3083cff3dbbe1a3c
Author: Tuomo Soini
Date: Thu Jun 29 16:28:16 2023 +0300

    ipsec_add.8: Clarify wording
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 031e709688951a637cc169428ce1173cdbc4e5a5
Author: Tuomo Soini
Date: Thu Jun 29 16:26:00 2023 +0300

    ipsec add: support --checkconfig option

    Relates to github issue #
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 5874275fd09ed370effe407d912ff02991fb6967
Author: Tuomo Soini
Date: Fri Jun 16 18:14:18 2023 +0300

    fix build for 32-bit
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 3a78cb81f73559da21eeaddaf34ab730a802a8de
Author: Tuomo Soini
Date: Wed Jun 14 23:18:50 2023 +0300

    server.c: pretty up ikev1 policy
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 39148951eaba13c8026b2a8cd1cf22c9e81e7d60
Author: Tuomo Soini
Date: Mon May 8 22:23:36 2023 +0300

    config.mk: update copyright
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit a3c637e727e838d1718e86d1beb82e684c0db0ca
Author: Tuomo Soini
Date: Mon May 8 19:48:28 2023 +0300

    CHANGES: fix config variable in 3.19 changelog

commit c8758a47c688b25c4b05a17216cb549f3303850b
Author: Tuomo Soini
Date: Mon May 8 19:47:00 2023 +0300

    building: unify path transformations to use @@VAR@@

    Before both @VAR@ and @@VAR@@ were mixed for different variables

commit 2a3cfbd961220b853bd467b3a5fc59fcb988f837
Author: Tuomo Soini
Date: Mon May 8 19:36:10 2023 +0300

    config: remove FINALLOGROTATEDDIR from transforms, it was already deprecated
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 674a3ec1af87214bda490d7ce7c820c3ab1ce302 Author: Tuomo Soini Date: Fri May 5 13:22:11 2023 +0300 ipsec: add connectionstatus sub-command
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit fc27cae2959c0435f71b698e859d450c945b57ec Author: Paul Wouters Date: Thu Apr 13 22:37:48 2023 -0400 Added CVE-2023-30570.txt
commit cd7161c3a1dfff4e11afbce973e64ebedab3f9be Author: Tuomo Soini Date: Thu May 4 00:56:27 2023 +0300 CHANGES: add v4.11 release
[Swan-commit] Changes to ref refs/heads/main
New commits: commit e3bc8196c3659c9a88843d64b4ac274f9e699e0e Author: Tuomo Soini Date: Tue May 2 16:17:03 2023 +0300 ipsec: fix error messages for firewall
[Swan-commit] Changes to ref refs/heads/main
New commits: commit f9232817adc2cb6e324c94ad8b6d1d5f03d93601 Author: Tuomo Soini Date: Mon Apr 24 19:37:37 2023 +0300 ipsec.conf.5: remove non-breaking spaces, those break html formatting
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 7b04e4772c42685791af5bbafc3a3b649816a60c Author: Tuomo Soini Date: Mon Apr 24 16:16:12 2023 +0300 ipsec_pluto.8: fill in correct rundir
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 620fa2f61c221f14b9ab6f68fa80d6b774154dc3 Author: Tuomo Soini Date: Mon Apr 24 16:12:44 2023 +0300 CHANGES: document docbook xml format update
commit 06b4766a81e46ffbf159cacf4f97f5223ce2413c Author: Tuomo Soini Date: Mon Apr 24 16:10:03 2023 +0300 verify.8.xml: update to docbook xml V4.5
commit 4b01c5dc2d0705a88aabfd73e115dabfd5c1ed83 Author: Tuomo Soini Date: Mon Apr 24 16:08:05 2023 +0300 showroute.8.xml: update to docbook xml V4.5
commit f7753465131c0e5eab6c61d5ecf93c3b545c3cac Author: Tuomo Soini Date: Mon Apr 24 16:05:54 2023 +0300 show.8.xml: update to docbook xml V4.5
commit e5ec7173b9bd64cf90be377a110bdb5af28f6bcd Author: Tuomo Soini Date: Mon Apr 24 16:03:51 2023 +0300 look.8.xml: update to docbook xml V4.5
commit 47fa9c58169c90732f598560c491369835e304cf Author: Tuomo Soini Date: Mon Apr 24 16:01:19 2023 +0300 _updown.bsd.8.xml: update to docbook xml V4.5
commit 74885f5fe3352b51140bc8df67594fccbe3d4907 Author: Tuomo Soini Date: Mon Apr 24 15:58:41 2023 +0300 ecdsasigkey.8.xml: update to docbook xml V4.5
commit 6ae55b0e111cc198d43266ec9930fb7b080831bc Author: Tuomo Soini Date: Mon Apr 24 15:53:14 2023 +0300 showhostkey.8.xml: update to docbook xml V4.5
commit 84e010e653e74b432e9af3d0c74f5586958dbb6c Author: Tuomo Soini Date: Mon Apr 24 15:47:22 2023 +0300 setup.8.xml: update to docbook xml V4.5
commit fb9046fff2496eb7bede6e8648bb341e92ab7523 Author: Tuomo Soini Date: Mon Apr 24 15:44:39 2023 +0300 rsasigkey.8.xml update to docbook xml V4.5
commit c32f41628fa5266b2854cc0f2634ef8b09fbbd44 Author: Tuomo Soini Date: Mon Apr 24 15:39:22 2023 +0300 readwriteconf.8.xml: update to docbook xml V4.5
commit e9054bc4085dcda5964a8636a72ed7b1c749d4a1 Author: Tuomo Soini Date: Mon Apr 24 15:37:24 2023 +0300 portexcludes.8.xml: update to docbook xml V4.5
commit 39cdbc95b015e403dc2ba189e00df646e7982247 Author: Tuomo Soini Date: Mon Apr 24 15:33:30 2023 +0300 ipsec_pluto.8: update to docbook xml V4.5 Also remove references to ipsec auto
commit c880ff706b8761fae4da1e4a0a8205c77abbea5d Author: Tuomo Soini Date: Mon Apr 24 14:13:34 2023 +0300 newhostkey.8.xml: update to docbook xml V4.5
commit 3ff5c217bc2dc70d5f1e362b74a8d0e22b4b953b Author: Tuomo Soini Date: Mon Apr 24 14:05:53 2023 +0300 letsencrypt.8.xml: update to docbook xml V4.5
commit cdc8b8a0459130475c4269031f71e0c6936edad1 Author: Tuomo Soini Date: Mon Apr 24 13:56:51 2023 +0300 barf.8.xml: update to docbook xml V4.5
commit 109781b5541211204687f2764627faa65bdefe1b Author: Tuomo Soini Date: Mon Apr 24 13:34:53 2023 +0300 addconn.8.xml: update to docbook xml V4.5 Remove --rootdir option which is not known by utility
commit df6f093b82cb71ed180c7c22408926f646390a5f Author: Tuomo Soini Date: Mon Apr 24 13:11:35 2023 +0300 _updown.8.xml: update to docbook V4.5
commit ce11a9d2d5e79b14b098253386f3f0e8ded8f665 Author: Tuomo Soini Date: Mon Apr 24 12:42:15 2023 +0300 _unbound-hook.8.xml: update to docbook xml V4.5
commit 8ffc3f677896418da25eb222cdc1a315fbff22eb Author: Tuomo Soini Date: Mon Apr 24 12:39:11 2023 +0300 _stackmanager.8.xml: update to docbook xml V4.5
commit bff523ab6535206c7b1fac62434367871465ca6e Author: Tuomo Soini Date: Mon Apr 24 12:32:07 2023 +0300 _secretcensor.8.xml: update to docbook xml V4.5
commit 5554782d979a829def2acda3330d6fc975d3ef65 Author: Tuomo Soini Date: Mon Apr 24 12:18:31 2023 +0300 _plutorun.8: update to docbook xml V4.5
commit a51e807dbe9c934df784b52e858dcff36c32ec8c Author: Tuomo Soini Date: Mon Apr 24 12:10:00 2023 +0300 _ipsec_crl: update man page to docbook xml V4.5
commit 5fdb5bc4d34cd4cfba5c69a41122ce409035e112 Author: Tuomo Soini Date: Mon Apr 24 12:04:10 2023 +0300 libswan: update docbook xml to V4.5
commit 94bc3b44ea2e41ed1aff09821cc1aff9dc02b28f Author: Tuomo Soini Date: Mon Apr 24 11:44:53 2023 +0300 configfiles: update man pages to docbook xml 4.5
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 4171b7b1edcac96bd3b782412c919aa0a4c66a5b Author: Tuomo Soini Date: Mon Apr 24 10:52:27 2023 +0300 man-pages: update to docbook xml v4.5
Re: [Swan-dev] Fedora 38 breaks egrep and fgrep
On Sat, 22 Apr 2023 12:05:30 -0400 (EDT) "D. Hugh Redelmeier" wrote:

> They each spit a diagnostic saying that they are going away. Not so
> great for scripts.

We only had egrep in testing, fixed all of that to be grep -E.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
[Swan-commit] Changes to ref refs/heads/main
New commits: commit abd1cdf7eaebb3e02af9892fe76b073df071327c Author: Tuomo Soini Date: Sun Apr 23 23:01:13 2023 +0300 testing: egrep has been deprecated, replace with "grep -E"
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 10ed96e2423f38fc84dbd49653fd17ee818c4ccb Author: Tuomo Soini Date: Fri Apr 21 18:25:07 2023 +0300 ipsec: add auto deprecation warning
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit a5f20bb942e986d9097e0a61c0a8a0502d20e3fa Merge: 2fdce0bc3d 58c1cd978f Author: Tuomo Soini Date: Fri Apr 21 17:59:38 2023 +0300 Merge branch 'deprecate-auto'
commit 58c1cd978fb7a56e4fb40dfaa0f88be80c0f75ca Author: Tuomo Soini Date: Fri Apr 21 17:28:40 2023 +0300 ipsec: fix option position switch to work in correct places
commit 99dd477685776ce1372651684fd569cbd193f789 Author: Tuomo Soini Date: Fri Apr 21 17:10:57 2023 +0300 CHANGES: change is in ipsec, not in auto
commit 2abc52143a0afcafb7afe1615a95073ff4b279a5 Author: Tuomo Soini Date: Fri Apr 21 17:04:47 2023 +0300 ipsec: fix options in different order
commit 8c3f65226229b3f469742460b38e166d12450565 Author: Tuomo Soini Date: Fri Apr 21 16:47:45 2023 +0300 testing: change ikev2-initiate-template-01 to use documented command order This fixes auto command to work new compatibility layer
commit 92e4b5f8784d784d34f62a8dbe3d684240ffda7c Author: Tuomo Soini Date: Thu Apr 20 20:08:00 2023 +0300 ipsec: showstates has been implemented, not warning any more
commit 282b78846a5a7704c867fbbba6696f7dc5bd4ef1 Author: Tuomo Soini Date: Thu Apr 20 20:06:19 2023 +0300 ipsec_vfychain.8: add a man page
commit c43b6f614dfc00cf7cc3efc9a117b95a96fa4a8e Author: Tuomo Soini Date: Thu Apr 20 19:56:32 2023 +0300 ipsec_modutil.8: add a man page
commit 2c577e9328821b64bd1f42ea08b29a271cb1b527 Author: Tuomo Soini Date: Thu Apr 20 19:50:39 2023 +0300 ipsec: add ipsec modutil
commit c6951a6c0d5c25e4654445f5802f28bd93fb155d Author: Tuomo Soini Date: Thu Apr 20 19:30:30 2023 +0300 ipsec_crlutil.8: add a man page
commit e6c0fd82a1c39ef1ae3bcba41fc5907c70bcdbc8 Author: Tuomo Soini Date: Thu Apr 20 18:04:03 2023 +0300 ipsec: remove --dry-run from ipsec_nsscmd to fix spaces in options
commit 65201f82388f01b03c75b27ff191c484fa9d32a9 Author: Tuomo Soini Date: Thu Apr 20 17:09:13 2023 +0300 testing: ikev2-delete-02, change to use --showstates instead of deprecated --statestatus
commit 228b67fae3ab676db7c7b90d0bdf986778c47b08 Author: Tuomo Soini Date: Thu Apr 20 17:06:54 2023 +0300 ipsec: add undocumented --statestatus for testing
commit fe5ce9e75ad54aa51a0225171751c69443a1c68b Author: Tuomo Soini Date: Tue Apr 18 21:10:11 2023 +0300 ipsec: remove auto and ipsec from command blacklist Those two utilities are no more installed into ipsec directory
commit 1b5ad42d32d85aebf3dc969555a8c252625e8144 Author: Tuomo Soini Date: Tue Apr 18 01:43:46 2023 +0300 ipsec.8: remove self from SEE ALSO
commit accd701d239f6d76d29214937d37156ff5aae53c Author: Tuomo Soini Date: Mon Apr 17 21:49:18 2023 +0300 copyright update
commit b6259ea3fe21aaccb9223cf2d0c489a7bf233131 Author: Tuomo Soini Date: Mon Apr 17 21:40:36 2023 +0300 ipsec: add missing reference entries
commit 5ceb0373114b5c69564959a39fad820a51740c22 Author: Tuomo Soini Date: Mon Apr 17 17:52:39 2023 +0300 ipsec: fixup formatting of ipsec.8 man page
commit df0456b4f462abeee1eba5861983e083f1d46013 Author: Tuomo Soini Date: Mon Apr 17 14:51:29 2023 +0300 CHANGES: document auto and initsystem changes
commit 2a8e0c741dc9f2dc27b833eb714fe093f038c1fd Author: Tuomo Soini Date: Mon Apr 17 14:42:26 2023 +0300 initsystems: use checknss, checknflog, stopnflog Some initscripts used older --command variants.
commit d5fd761d97202ebbb58d19c3acfa5d0bc7caa3a1 Author: Tuomo Soini Date: Mon Apr 17 12:10:48 2023 +0300 ipsec: add new redirect command
commit a4b9a8c1c86f0adf5146d4076fb42d558c0d9cbf Author: Tuomo Soini Date: Sun Apr 16 18:13:29 2023 +0300 ipsec_add.8: remove reference to self
commit 82466bbbd1e9882e9b66688252f1b37862ee5c60 Author: Tuomo Soini Date: Sun Apr 16 18:13:13 2023 +0300 ipsec.8: rewrite
commit bdc1230b67dd2bcd051c88757872184454004fe7 Author: Tuomo Soini Date: Sun Apr 16 17:45:23 2023 +0300 ipsec: add directory option with alias --directory
commit 756efbe9a7be5d0b35ab4316013f2a3446600728 Author: Tuomo Soini Date: Sun Apr 16 12:45:47 2023 +0300 ipsec: update man pages
commit e3f79d8027608899e6a7030d048b45614e8930a5 Author: Tuomo Soini Date: Sun Apr 16 12:42:32 2023 +0300 ipsec_up.8: add a man page
commit 08cfac82b63d647a900ecb1dabe5d18348a3758a Author: Tuomo Soini Date: Sun Apr 16 12:33:54 2023 +0300 ipsec_unroute.8: add a man page
commit 202f4cd472af40bdf40d5661d9223eee67806115 Author: Tuomo Soini Date: Sun Apr 16 12:25:29 2023 +0300 ipsec_trafficstatus.8: add a man page
commit f531fc9ff522f95c423a75a25d33af1663294d86 Author: Tuomo Soini Date: Sun Apr 16 12:21:44 2023 +0300 ipsec_stop.8: add a man page
commit a34f8067d1c1dd759ecf4672d880469974996931 Author: Tuomo Soini Date: Sun Apr 16 12:03:29 2023 +0300 ipsec_status.8: add a man page
commit 4f4f123d3d92f017bfe95c3f9e910ca0cc2c93cf Author: Tuomo Soini Date: Sun Apr 16 11:58:18 2023 +0300
[Swan-commit] Changes to ref refs/heads/main
New commits: commit c4d0f2439f60eb5ea3b44ff4af2e1cd401e277a4 Author: Tuomo Soini Date: Tue Apr 18 16:33:28 2023 +0300 initiate.c: remove extra whitespaces
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 433b6f613b52b2849895f7a7a916e49f63aab6a6 Author: Tuomo Soini Date: Wed Apr 12 09:24:45 2023 +0300 configs: remove non-existing dpdaction manpage part
Re: [Swan] no EE-cert in chain Issue
On Thu, 6 Apr 2023 16:00:31 +0530 Gayathri Manoj wrote:

> Hi All,
>
> We have upgraded the libreswan version from 3.20 to 3.25 and getting
> the below errors.
>
> " Mar 31 00:03:21.870077: "71170605222_x509" #1672: X509: *no EE-cert
> in chain!*
> Mar 31 00:03:21.870105: "71170605222_x509" #1672: X509: *Certificate
> rejected for this connection*
> Mar 31 00:03:21.870119: "71170605222_x509" #1672: X509: CERT payload
> bogus or revoked
> Mar 31 00:03:21.870151: "71170605222_x509" #1672: sending encrypted
> notification INVALID_ID_INFORMATION to 10.77.32.99:500"
>
> In our cert is having the below extension
>
> *X509v3 Basic Constraints: critical
> *
>
> *CA:TRUE*
>
> Please let us know is it due to our certificate issue. With the same
> certificate it worked for the system where the libreswan version is
> 3.20.
> When we upload the CA signed certificate with web server template then
> no issues.
>
> Please let us know is it due to libreswan limitation or the
> certificate issue.

Self-signed certificates (CA-certificates) should not be used as vpn certificates. You should use proper server/client certificates instead. Older versions of libreswan don't have the same level of certificate verification as later ones.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
[Swan-commit] Changes to ref refs/heads/main
New commits: commit b278e107e067f79df94ef6b8d44e9844043b11b2 Author: Tuomo Soini Date: Mon Apr 3 16:46:58 2023 +0300 ipsec_pluto.8: point at github, not old bugs.libreswan.org
[Swan-commit] Changes to ref refs/heads/main
New commits: commit bc329960accf3eca2ffd235a22cc3891b053fbe4 Author: Tuomo Soini Date: Sun Apr 2 19:08:45 2023 +0300 ipsec: support --name parameter for whack
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 7bd20ea23bcdd63899e413fc8b9385a9c6d4f4fa Author: Tuomo Soini Date: Wed Mar 29 22:21:17 2023 +0300 makefiles: fixup xmlto -o option, that is a directory
[Swan-commit] Changes to ref refs/heads/main
New commits:
commit 3ef1be81105a64561f7a86ea7a340a6bd9908a22 Author: Tuomo Soini Date: Sat Mar 4 10:55:03 2023 +0200 README.md: Update documentation for make rpm Also remove fipscheck information about RHEL7 because nss was upgraded there
commit 43a53f44105a29cda9421b4d6f851925efd53f41 Author: Tuomo Soini Date: Sat Mar 4 10:54:47 2023 +0200 Makefile: use full name of rpmdev-spectool
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 99c52cb4c79626f6f88411756a5c5dec81f31af3 Author: Tuomo Soini Date: Wed Mar 1 16:48:10 2023 +0200 CHANGES: add v4.10
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 84c48b291dbf5ecc1d6cd3abe9492f3217a5cda2 Author: Tuomo Soini Date: Mon Feb 13 12:39:26 2023 +0200 building: fix build on older gcc
[Swan-commit] Changes to ref refs/heads/main
New commits: commit af862734450e92fac21723483d0e83f09328249a Author: Tuomo Soini Date: Wed Dec 14 22:38:10 2022 +0200 _updown.xfrm: add address family check for route nexthop nexthop must be same address family as traffic selector
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 82dae55cb0d16a112d30b2f95c6daf4e3888019d Author: Tuomo Soini Date: Fri Nov 4 01:21:59 2022 +0200 mk/config.mk: handle more deprecated variables
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 8f74437fc1afef02a2c176be34e8feccc99219f1 Author: Tuomo Soini Date: Fri Nov 4 00:54:25 2022 +0200 _updown.xfrm: make sure new search string is at the beginning
[Swan-commit] Changes to ref refs/heads/main
New commits: commit e948ec63b2a37151448385e7a5ea295ab4af4259 Author: Tuomo Soini Date: Mon Oct 31 23:05:44 2022 +0200 install: fix installation of ipsec command
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 07f175084815acdadcdc23ff2917cf2d0dc033bf Author: Tuomo Soini Date: Sun Oct 30 10:53:30 2022 +0200 install: install configs from original files instead of examples With this change we could make installing examples optional
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2818088fe7a6455f3861ad16e08ab2d984e511c0 Author: Tuomo Soini Date: Sun Oct 30 01:03:25 2022 +0300 installing: fix installation of ipsec.conf
Re: [Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"
On Thu, 20 Oct 2022 08:55:43 +0200 Mirsad Todorovac wrote:

> On 10/5/2022 4:18 PM, Mirsad Goran Todorovac wrote:
> >
> > P.S.
> >
> > Forgot to mention, the VPN client is Windows 10 Professional
> > version 21H2:
> >
> > Kind regards,
> >
> > mt
> >
> > On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:
> >> Hi all,
> >>
> >> Our VPN worked well until we moved to IPv6, and now it works only
> >> with IPv6 disabled,
> >> which is not practical (change of network settings resets all
> >> Putty terminal and all ssh connections
> >> among others ... ).
> >>
> >> The configuration is as follows:
> >>
> >> conn MYCONN-ikev2-ipv6-cp
> >>     # The server's actual IP goes here - not elastic IPs
> >>     left=2001:b68:2:2600::3
> >>     leftcert=magrf.grf.hr
> >>     leftid=@magrf.grf.hr
> >>     leftsendcert=always
> >>     leftsubnet=0::/0
> >>     leftrsasigkey=%cert
> >>     # Clients
> >>     right=%any
> >>     # your addresspool to use - you might need NAT rules if
> >>     providing full internet to clients
> >>     rightaddresspool=fd00:2600:1000:/64

Your addresspool is too big. If I remember correctly, maximum size is 96 bits.

> >>     # optional rightid with restrictions
> >>     # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
> >>     rightca=%same
> >>     rightrsasigkey=%cert
> >>     #
> >>     # connection configuration
> >>     # DNS servers for clients to use
> >>     modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
> >>     narrowing=yes
> >>     # recommended dpd/liveness to cleanup vanished clients
> >>     dpddelay=30
> >>     dpdtimeout=120

dpdtimeout is not valid with ikev2.

> >>     dpdaction=clear
> >>     auto=add
> >>     ikev2=insist
> >>     rekey=no
> >>     # Set ikelifetime and keylife to same defaults windows has
> >>     # ikelifetime=8h
> >>     # keylife=2h
> >>     ms-dh-downgrade=yes

This is not needed any more, Windows 10+ have been fixed to allow dh14 or dh19 without downgrade on rekey.

And I must say I haven't tested windows 10 with ipv6 yet so there might be unseen issues.

With libreswan I've been using dual stack IPsec for some years, with ipv4 over ipv4 + ipv6 over ipv6. That works, but windows wants ipv4 + ipv6 over ipv6 or ipv4 which is not yet supported.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
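The three remarks in the reply above, written as a small lint over `conn` sections of an ipsec.conf. This is an added example, not code from libreswan or from the thread: the function names are hypothetical, the sample configuration is constructed (modelled on the quoted one), and the /96 threshold is an assumed reading of "maximum size is 96 bits".

```python
"""Lint ipsec.conf conn sections against the three remarks in the reply."""
import ipaddress

# Constructed sample, modelled on the quoted configuration.
SAMPLE_CONF = """\
conn MYCONN-ikev2-ipv6-cp
    left=2001:b68:2:2600::3
    right=%any
    rightaddresspool=fd00:2600:1000::/64
    dpddelay=30
    dpdtimeout=120   # flagged: conn is IKEv2
    ikev2=insist
    ms-dh-downgrade=yes

conn trimmed-example
    right=%any
    rightaddresspool=fd00:2600:1000::/112
    dpddelay=30
    ikev2=insist
"""

# Assumption: "maximum size is 96 bits" means the IPv6 pool prefix must be
# /96 or longer, i.e. at most 2**32 addresses.
MIN_V6_POOL_PREFIX = 96


def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def pool_size(value):
    """Return (address_count, ip_version) for a CIDR or start-end pool."""
    if "-" in value:
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return int(end) - int(start) + 1, start.version
    net = ipaddress.ip_network(value, strict=False)
    return net.num_addresses, net.version


def lint_conn(name, opts):
    """Return the findings (strings) for one conn's options."""
    findings = []
    for key in ("leftaddresspool", "rightaddresspool"):
        if key not in opts:
            continue
        try:
            size, version = pool_size(opts[key])
        except ValueError:                         # malformed address or prefix
            findings.append(f"{name}: {key}={opts[key]} is not a parseable pool")
            continue
        if version == 6 and size > 2 ** (128 - MIN_V6_POOL_PREFIX):
            findings.append(f"{name}: {key} too big (larger than a /{MIN_V6_POOL_PREFIX})")
    # Only conns that explicitly select IKEv2 are checked for dpdtimeout.
    if opts.get("ikev2", "").lower() in ("insist", "yes") and "dpdtimeout" in opts:
        findings.append(f"{name}: dpdtimeout is not valid with ikev2")
    if opts.get("ms-dh-downgrade", "").lower() == "yes":
        findings.append(f"{name}: ms-dh-downgrade no longer needed for Windows 10+")
    return findings


def lint(text):
    """Lint every conn section in an ipsec.conf text."""
    return [f for name, opts in parse_conns(text).items() for f in lint_conn(name, opts)]


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```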
Re: [Swan] Libreswan version 4.8 abort when connecting with ikev1 xauth with psk
On Thu, 13 Oct 2022 15:35:58 +0100 António Silva wrote:

> Found a commit that could be the fix for this issue:
>
> https://github.com/libreswan/libreswan/commit/bfd380014944b7efb3fbc181129bd34769993d3f
>
> Trying it now.

If you need a quick fix, correct commit is
https://github.com/libreswan/libreswan/commit/fa25a8da29091b582a9f45cd1757ed53c95e508e

The commit you found is just better diagnostics for the issue.

--
Tuomo Soini
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
[Swan-commit] Changes to ref refs/heads/main
New commits: commit f68c34fabecb0f8972c674906e4df02394bdbbc6 Author: Tuomo Soini Date: Thu Oct 6 17:12:37 2022 +0300 CHANGES: more exact wording
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2e2ad56f3228d864cb89d3c765f7a1a10c121d64 Author: Tuomo Soini Date: Thu Oct 6 17:10:37 2022 +0300 packaging/rhel: remove libreswan-prelink.conf which is no more needed
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 19dde63b102d2af204ec1bfe6c5b87250bc6c997 Author: Tuomo Soini Date: Thu Oct 6 09:17:49 2022 +0300 packaging/rhel7: require new nss to use NSS for ikev1 KDF
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2755be470f825563b03f6896a5db47d97eaab289 Author: Tuomo Soini Date: Fri Sep 30 10:41:17 2022 +0300 packaging: fedora add BuildRequires: systemd We need systemctl on install
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 9a42e9f74690d9e158b4d4840225f0589b8a7519 Author: Tuomo Soini Date: Thu Sep 8 01:40:45 2022 +0300 packaging/rhel: remove disabling LTO Not needed after 1bf686ddb483a59546101911a04e44bc263038f6
[Swan-commit] Changes to ref refs/heads/main
New commits: commit f21a4f6ebed82141f40f2f39b0530ef8c62c3f3b Author: Tuomo Soini Date: Tue Sep 6 22:06:33 2022 +0300 packaging/rhel: disable lto on older releases
[Swan-commit] Changes to ref refs/heads/main
New commits: commit f979aae6dfc9a6da08b6521e1458157b4bea1fca Author: Tuomo Soini Date: Thu Sep 1 22:42:59 2022 +0300 packaging/rpm: remove old work-arounds which are not needed any more
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2a0863e1ce54bc9cae5f01c92274e8afac7eb16d Author: Tuomo Soini Date: Mon Aug 29 22:35:41 2022 +0300 packaging/fedora: opt-out from lto pluto will crash on crypto selftest if lto is enabled. Also remove redundant relro flags