Re: [strongSwan] regarding reauthenticating IKE_SA due to address change

2011-07-28 Thread Tobias Brunner
Hi Ujjal, 1) Does reauth=no have any effect or am I doing some wrong configuration The reauth option allows you to configure whether an IKE_SA is rekeyed or reauthenticated once it is about to expire (ikelifetime/margintime). It has no effect on other circumstances where a reauthentication might

Re: [strongSwan] Problem About Dscp Support in scenario of end to end tunnel

2011-07-28 Thread Tobias Brunner
Hi David, iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp 10 iptables -t mangle -A OUTPUT -p icmp -m dscp --dscp 10 -j MARK --set-mark 10 If you add these rules on both sides. Then you also have to specify mark=10 in both configs. You seem to have done so on the gateway but not on

Re: [strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer

2011-07-28 Thread Tobias Brunner
Hi, Jul 23 12:41:28 lag3 charon: 03[CFG] issuer of fetched CRL 'C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, E=i...@igvpn.com' does not match CRL issuer '9b:00:ad:ef:3d:af:74:3b:72:6e:28:33:f5:33:4a:6a:e8:77:2e:bb' It seems your CA certificate contains the X509v3 Subject Key

Re: [strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer

2011-07-28 Thread Jacky.He
Thanks Tobias, But how can I add X509v3 Authority Key Identifier extension to my CRLs? Please help. my openssl.cnf -- [ server ] basicConstraints=CA:FALSE nsCertType = server nsComment = Server

Re: [strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer

2011-07-28 Thread Jacky.He
Thank you, Tobias. That is some part of my openssl.cnf, but I use your suggestion to uncomment this line in my openssl.cnf, everything is ok now. # crl_extensions = crl_ext Thank you again. -- Best Regards Jacky -Original Message- From: Tobias Brunner [mailto:tob...@strongswan.org]

Re: [strongSwan] Regarding Site-to-Site Tunnel for IPSec

2011-07-28 Thread Andreas Steffen
Hi Arnab, why do you want to have two identical CHILD_SAs? Usually the latest CHILD_SA is used to transport traffic, the other becoming idle. Regards Andreas On 07/25/2011 03:28 PM, Arnab Bakshi wrote: Hi Andreas, One question regarding the tunnel mode: I have the

Re: [strongSwan] strongswan to lancom. No ip via ike-configmode

2011-07-28 Thread Andreas Steffen
Hello Andre, IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped I don't know why the LANCOM VPN router doesn't want to assign a virtual IP address although it gets a request. Regards Andreas On 07/27/2011 03:07 PM, Andre wrote: Hi, I'm trying to get a strongswan based vpn

[strongSwan] VPN connection issue on changing port speed to 10 Mbps (from 1000 Mbps)

2011-07-28 Thread Vinay Kalkoti
Hi, I am facing a problem with my VPN connection. When the port speed is changed from 1000 Mbps to 10 Mbps, the remote systems connected through VPN are not pinging. But, if the VPN is restarted, then ping succeeds. I am using strongswan-4.2.17-1. I wanted to check if this is an expected

Re: [strongSwan] VPN connection issue on changing port speed to 10 Mbps (from 1000 Mbps)

2011-07-28 Thread Andreas Steffen
Hello Vinay, I'm not aware of any known bug. Does the interface go away during the speed change? Does the strongSwan log show any warnings that the interface disappeared and reappeared? BTW - strongSwan 4.2.17 is very ancient. Regards Andreas On 28.07.2011 19:20, Vinay Kalkoti wrote: Hi,

Re: [strongSwan] VPN connection issue on changing port speed to 10 Mbps (from 1000 Mbps)

2011-07-28 Thread Vinay Kalkoti
When I restart the network service, I see the following message. eth2 interface speed is set to 10 Mbps and is causing the network problem. I couldn't make much from the logs. 11[IKE] checking path 10.xx.xx.197[4500] - 128.221.252.65[4500] 11[NET] sending packet: from 10.xx.xx.197[4500] to

Re: [strongSwan] VPN connection issue on changing port speed to 10 Mbps (from 1000 Mbps)

2011-07-28 Thread Andreas Steffen
Hello Vinay, from the logs I see that strongSwan is trying to re-establish the connection using the IKEv2 MOBIKE protocol after the interface disappears and reappears but MOBIKE seems to fail. Could you either disable MOBIKE (mobike=no) or upgrade to strongSwan 4.5.2 which has a much improved