Hi Anthony,
As I suspected, you use the same identity for the two end-entity
certificates that are signed by different intermediate CAs:
> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject: "CN=RA00017.auth,
> ..."
> issuer: "..., CN=TDY Test SCA 1"
> ...
> altNames:
Hi Sven,
> So the problem is known?
Not really, but maybe something changed that avoids the issue, and I
don't particularly fancy debugging old versions.
> Which version should I use at least. Will 5.6.3 be enough or
> should I use 5.7.1 instead?
If you consider updating, use the latest.
>
Hi,
> Dec 2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> ...
> Dec 2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V
> V V V V V V ]
strongSwan tries to initiate an IKEv2 connection, while the peer
Hi Dmitry,
> I would like to have a possibility to authenticate technical support
> users with local secrets (i.e. rightauth=eap-mschapv2) in case of RADIUS
> server unavailability. Is there a way to have 2 auth methods
> simultaneously for right=%any anyhow? Or maybe some fallback mechanism?
Hi Naveen,
> Is there a configuration to avoid strongswan from responding
> to unsolicited request from scans, even when strongswan is not
> configured with an endpoint configuration,
What kind of request is sent, what kind response? And what exactly
makes a request unsolicited?
Anyway, there
Hi Sven,
> I will send you a link to download it. If anybody wants the log output too, to
> analyse
> it, I will send you the link.
Thanks. I was actually pretty sure you worked together with Marcel
Müller who opened #2840 last week (same problem, same version, German).
See my analysis there
Hi Naveen,
> The vulnerability is : ISAKMP endpoint allows short key lengths or
> insecure encryption algorithms to be negotiated. This could allow remote
> attackers to compromise the confidentiality and integrity of the data by
> decrypting and modifying individual ESP and AH packets.
I don't
Hi Giorgos,
> I am trying to connect my galaxy s9+ via the native IKEv2 client to a
> strong swan server of mine via IKEv2-PSK.
That's not exactly what you are doing. From the server's perspective
you are using a PSK only to authenticate the client (rightauth), the
server is authenticated with
Hi Anthony,
> ? can VICI be configured to load a specific SCA cert per VPN (would this help)
That doesn't make a difference. As mentioned, only the identity is
relevant on the client. So unless you can get the server to send a TLS
certificate request only for a specific intermediate CA you
Hi Sven,
> We are using strongSwan 5.6.2 on a Linux kernel 4.1.39.
Try using a newer strongSwan version.
> The installed policy (in this case) is the following:
>
> src 10.0.0.0/8 dst 192.168.3.67/32
> dir out priority 379519 ptype main
> tmpl src 217.6.20.66 dst 84.160.101.118
Hi,
> I don't understand how this is possible. Is there another lower-level
> routing table?
Yes and no. There are additional routing tables, which you won't see
with the old route command, use the `ip` command from the iproute2
package instead to see the routes installed by strongSwan in
Hi Anthony,
> For this setup our credential directory looks like this
> /media/sde1/certs/Org1:
> Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
> /media/sde1/certs/Org2:
> Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta
>
> So we only load the "user cert" using VICI, were
Hi Thomas,
> Tunnel is established and for an unknown reason he deletes the virtual IP and
> re-establishes the tunnel.
Not for an unknown reason, the log tells you that the daemon sends a DPD
and a bunch of retransmits and gives up after 5 of them and then
reestablishes the SA (due to the DPD action
Hi Chris,
> So it
> almost seems like the StrongSwan client is blocking traffic while the
> VPN connection is being built (after phase 1).
It does. If there is an app or IP address that should bypass the VPN,
configure it in the advanced VPN profile settings.
Regards,
Tobias
Hi Sven,
> can nobody help me with this issue?
What more is there? You already had a look at the source code and found
it's not supported, so...
And regarding the first one, there is an in-memory certificate/CRL cache
(may be flushed with the `ipsec purge*` commands).
Regards,
Tobias
Hi Andrew,
> On BSD, a route based VPN has to be used, because it has no policy based
> implementation (as far as I know).
At least on FreeBSD that's not the case, i.e. it has policies just like
other IPsec implementations (including socket policies to whitelist the
IKE sockets). But for
Hi Michael,
> But does the
> client do a new DNS resolution if a FQDN is configured as the "right"
> parameter?
Yes.
Regards,
Tobias
Hi Jens,
> But after hours/days I have "hundreds" of these tunnels and they are
> getting more and more until I restart the daemon (on the client).
>
> Why does this happen?
>
> What would be the correct dpdaction or closeaction (if this is the problem).
If the connection is closed or the peer
Hi Moses,
> Apr 1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP
> request, sending FAILED_CP_REQUIRED
I guess reading is hard. Or is that message (that you explicitly marked
in your email) really that unclear?
Regards,
Tobias
Hi Roberts,
> Description: I want to set up 2000 IKEv2 cert based tunnels.
And you need to use separate private keys for each tunnel to identify
your peer/host?
> Problem: After applying the configuration, I see that load of private
> keys cannot finish as ipsec is restarting after 10s.
That
Hi Roberts,
> Ah, ok, you're suggesting to use a single private key and use it for the
> CSRs/Certificates?
That's what our load-tester plugin does [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
Hi Brian,
> I am using `type=transport`
You can't use transport mode to tunnel traffic from IPs other than the
two hosts themselves (that's exactly what tunnel mode is for where the
complete IP packet, including the original header, is encapsulated),
unless, you use an additional tunneling
Hi Vijay,
> PLUGIN_PROVIDE(EAP_SERVER, type, vendor);
> -and-
> PLUGIN_PROVIDE(PEER_VENDOR, type, vendor);
>
> Macros are everywhere :)
No, the existing usages of e.g. EAP_SERVER are without vendor ID. The
identifiers when using a vendor ID are the ones I gave before
(EAP_SERVER_VENDOR and
Hi Felipe,
> How can I get the ID of a given IKE SA?
swanctl --list-sas
Regards,
Tobias
Hi Moses,
> Is the VPN tunnel complete without the private IP of the VPN
> server?
Sure, but it might depend on your use case.
Regards,
Tobias
Hi Vijay,
> I am specifically looking for help in understanding if StrongSwan has support
> to handle “EAP Expanded Type” with a non-zero “Vendor-Id” as defined in IETF
> rfc3748 Section 5.7.
It does.
> Are there any existing plugins that would serve the purpose?
There are many plugins that
Hi Moses,
> Security Associations (1 up, 0 connecting):
> ikev2-vpn[21]: ESTABLISHED 41 minutes ago, 102.1*9.2**.***[
> 102.1*9.2**.***]... 185.135.*.** [remoteprivate]
> ikev2-vpn[21]: IKEv2 SPIs: 0338f500edc84652_i 1ae30618408f64a4_r*,
> rekeying disabled
> ikev2-vpn[21]: IKE
Hi Tom,
> I do not see anywhere that I
> can specify which certificate the client should use for a given connection.
I think you can only do that with EAP-TLS (i.e. not with machine
certificates) where you might actually get prompted for a certificate if
there are multiple and the advanced VPN
Hi Brian,
VTI devices won't change anything. You can't use transport mode with
any IPs other than those of the endpoints (i.e. it doesn't work with
virtual IPs or arbitrary subnets - you have to use tunnel mode for
that). [1] might help to explain these modes to you.
Regards,
Tobias
[1]
Hi Kostya,
> Does IPSec in general and strongSwan in particular support certificate
> authentication with ECDSA keys?
Sure.
> -BEGIN EC PARAMETERS-
> Bgg.==
> -END EC PARAMETERS-
> -BEGIN EC PRIVATE KEY-
> MHcCA...yDpwQ==
> -END EC PRIVATE KEY-
Remove
Hi Marco,
> But all traffic is then routed over my home network (which is
> working but I only want to have the traffic for 192.168.178.0/24 routed
> over VPN).
You configured leftsubnet=0.0.0.0/0. If you only want to tunnel one
subnet, configure that (or do it on the other peer when it
Hi Michael,
> Any additional ideas?
Read the log on the Sophos side.
Regards,
Tobias
Hi,
> Is
> rightca2 supposed to work with eap-tls and eap-identity connections?
rightca2 is for a second authentication round. Which is not what
happens with EAP-TLS (unless you actually use it in a second round after
e.g. a regular pubkey authentication). So maybe try rightca instead.
Hi Yogesh,
> Are Chinese ASCII characters allowed in the subject of certificates used in
> authentication while negotiating the ipsec tunnel in ikev2 ?
I'd disagree that these are ASCII characters, but sure you can use
UTF8String as type for the RDNs in the subject DN.
> So can I configure this
Hi Kostya,
> It was the conf syntax I was after :)
>
> I now see it in the docs for swanctl.conf under "secrets.private
> section".
You only have to configure private keys in such sections if they are
password protected (and you can't or don't want to provide the password
interactively) or if
Hi Kostya,
> Hmm, there is no strongswan-swanctl service on Debian (buster / testing)...
There is if you install it [1].
> systemctl start strongswan
That's the legacy service provided by strongswan-starter (i.e. it starts
starter, which parses ipsec.conf etc.).
> Does this look like a Debian
Hi Kostya,
> Now I'm wondering if it's possible to uninstall this legacy service (which
> supports ipsec.conf format configuration files).
>
> apt-get remove strongswan-starter
Sure, go ahead.
> The following packages will be REMOVED:
> strongswan strongswan-charon strongswan-starter
>
>
Hi Moses,
Configure an IKE proposal that's accepted by your peer (you disabled log
message for cfg, so you didn't see the details of the proposal
negotiation). Most likely the problem is that modp1024 is proposed, a
DH group strongSwan doesn't include in its default IKE proposal anymore.
So to
Hi Moses,
> But now it gives the error that it didn't
> connect as the remote host did not resolve . :(
That doesn't sound like it's in any way related to your previous issue.
And until you fix that (DNS, firewall or whatever else the problem is)
the config updates or the log won't help as the
Hi,
> My iphone disconnects after a ikelifetyme but my windows and android
> clients are working fine.
> My configuration is at https://pastebin.com/NpeLJzjF
Your rekey settings are quite low. Anyway, without more information (in
particular logs that show what's happening with such a client) we
Hi Peter,
> Running the strongswan 5.7.2 testsuite, all tests passed except for the
> following:
> 412 tnccs-20-ev-pt-tls failed
> 419 tnccs-20-os failed
> 420 tnccs-20-os-pts failed
> 421 tnccs-20-pdp-eap failed
> 422 tnccs-20-pdp-pt-tls failed
> 424
Hi Chris,
>> So my question to you is why is the route being injected BEFORE the
>> tunnel is fully authenticated?
>
> It isn't. However, that MFA you use isn't integrated into the IKE
> authentication. So for the IKE client (and server) the IKE_SA is
> established successfully. I guess if
Hi Chris,
> Even if I
> exclude the app from the VPN, it still has to follow the routing table,
> correct? There aren't separate tables for the VPN and things excluded,
> right?
No, there are. That's exactly how this exclusion is implemented (policy
routing, marks etc.). When an app is excluded
Hi Peter,
> Is there a wiki or instruction for this?
See [1].
> make-testing had:
> [FAIL] Connecting image to NBD device /dev/nbd0
>
> build-strongswan had:
> Root image /home/user/builddirmaster/build/images/root.qcow2 not found
No idea, never seen either message. Perhaps something with
Hi Peter,
> Any idea why there is no pkcs12 in the log message?
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing
Regards,
Tobias
Hi Derek,
> Originally I wanted to use p12 files with everything in them (CA cert,
> client cert, client key), but this created messiness on the Windows
> end.
As mentioned in the previous mail, the CA certificate that issued the
client and server certificates don't have to be the same (often
Hi Derek,
> (1) An IKEv2 profile importer for Windows 10, modeled on the
> strongSwan profile importer for Android:
> https://github.com/dcamero2016/vpn-importer
Nice idea. local.ca is wrong, though, it's the CA certificate to verify
the remote's certificate, it hasn't necessarily anything to
Hi Chris,
> So I guess the question is, what's the security risk here? I always knew
> that with PEAP, there is PKI as an outer method. What am I missing
> without that outer method encryption. Guess I need to read some more
One aspect is whether the EAP-MSCHAPv2 authentication is terminated
Hi Chris,
The NM plugin currently does not provide an option to configure the
expected AAA server identity. So the IKE identity is reused and
enforced. This will fail if the AAA server uses a different identity
during EAP-PEAP/(T)TLS:
> [IKE] authentication of 'CN=vpn.company.com' with RSA
Hi Mark,
> Can you help me get this connection to stay up?
I guess the "trick" of older *Swans (that use the pluto daemon) was that
they completely ignored IKEv1 DELETE payloads (strongSwan did so too
before 5.0.0). So unless you are willing to either use an old
unsupported strongSwan version,
Hi Anthony,
> ? does the latest version of strongswan provide better “checking of the
> peer certificate EU and EKU”
I guess you mean KU not EU. But what exactly do you mean with "better"?
The cRLSign KU bit is used in revocation checking (if a CRL is not
signed by the CA). And since 5.6.3,
Hi Doug,
> leftsubnet = 10.10.10.0/24 10.10.11.0/24 (and tried putting a comma in
> between them but it doesn't like that)
They are separated by commas (read the documentation/man page).
> Is there any way to have multiple subnets on my side on one line?
Depends on the IKE version (it works
Hi Anthony,
> ? is there a swanctl configuration setting, that if enable will allow an
> expired CRL to be used
In what way?
Regards,
Tobias
Hi Anthony,
> ? does this replace VICI, “event callbacks”
No.
Regards,
Tobias
Hi Anthony,
> ? is this true, that the StrongSwan does not check the peer certificate KU
> and EKU during the initial IPsec VPN connection
It's as I wrote in my previous mail.
Regards,
Tobias
Hi Anthony,
> We started using the ErrorNotifyPlugin.
>
> I have noticed that sometimes the charon.enfy does not get created.
Read the log, make sure the plugin is loaded and there were no errors.
Regards,
Tobias
Hi Aleksey,
You can't share a VTI device between multiple SAs that are associated
with the same IPsec policies (0.0.0.0/0 on both ends in your case). As
the policies are assigned the same mark (to associate them with the
VTI), the kernel couldn't decide into which SA traffic routed to the VTI
Hi Anthony,
> If a CRL comes in, then I think we would need to do the following:
> 1. create "authorities section" "crl_uris = file:///xxx" in swanctl.conf
> 2. --load-authorities
> 3. --load-creds
You don't need step 3 if you use file URIs, the CRL is fetched
dynamically during authentication
Hi Anthony,
> Item 1, if a new CRL is copied to the x509crl directory, "authorities
> section" not configured, ? will charon automatically re-load the CRL
No, swanctl --load-creds has to be called explicitly.
> Item 2, if a new CRL is copied to the "assigned location", and "authorities
>
Hi Anthony,
> ? for the CRL cases below, does the host need to "drop the connection" for
> the CRL updates
The new CRL will currently only have an effect on new connections. So
if the certificate of a peer who currently is connected is revoked, this
will not have an effect until that peer
Hi Aram,
> If this is my problem, I don’t understand why the same configuration results
> in different behavior now.
It's most likely not the same.
As the log tells you, the traffic selectors don't match. The fix is
simple: configure either 0.0.0.0/0 or 192.168.3.0/24 as remote
traffic
Hi Anthony,
> ? does charon reload the CRL during ( re-authentication and re-connection )
Not if a valid CRL is still stored in the in-memory cache (which can be
cleared via `ipsec purgecrls` or `swanctl --flush-certs -t x509_crl`).
> If new CRL’s arrive, ? will charon use them during (
Hi,
> Can swanctl ask interactively for the password if not inserted in the conf
> file?
It does prompt for passwords for private keys if they are not found in
the config. But it can't load shared secrets that way.
> Does this guide apply to swanctl too? Cause currently I'm root-only
>
>
Hi,
> 1) Is there a "more secure" way to store the per-user psk password in
> swanctl.conf file?
First, note that shared keys will be accessible in memory once loaded
into the daemon via VICI. So the question is whether you are concerned
with the actual storage, or with other attack vectors.
Hi Tomasz,
> There is a bug in the
> eap-aka-3gpp plugin implementation regarding updating of SQN.
> ...
> However, based on [1] the SQN (32 bits)
> is composed of two elements: SEQ
> + IND. SEQ is the actual sequence indicator, while IND is some kind of
> the index and normally it occupies 5
Hi Sven,
You explicitly disabled handling of INITIAL_CONTACT notifies with
uniqueids=never. So existing IKE_SAs with the same client identity will
not be terminated when a new IKE_SA is created, which also means the
existing virtual IP is not released. Since the same virtual IP can't be
Hi Yogesh,
> Whereas when i tried verifying the same set on strongswan version 5.6.3:
You need the openssl plugin to load ECDSA keys/certificates.
Regards,
Tobias
Hi Yogesh,
> So how does RSA certificate work without openssl plugin?
The gmp plugin (enabled by default) probably handles that.
Regards,
Tobias
Hi Joshua,
> How can I get this to work?
"pools" takes a list of strings, not a single identifier. So pass this
as `"pools": [ pool_id ],`.
Regards,
Tobias
Hi Florin,
> One more thing - when I run "ip tunnel add" I get this warning (I don't
> know whether it matters or not):
>
> ###
> [root@site1-vpn ~]# ip tunnel add gre0 local 10.0.1.254 remote
> 10.0.2.254 mode gre ttl 255
> ioctl: File exists
>
Hi Anthony,
> ? will our application be able to detect them using ether: VICI “event
> callbacks” or “ErrorNotifyPlugin”
Why not just try it?
> Inacceptable Constraint check failed
You can't detect that specific error but ERROR_NOTIFY_PEER_AUTH_FAILED
will be triggered.
> IKE AUTH response
Hi Stephan,
> This work as expected but all clients have to have certificates where the DN
> is part of the same LDAP-tree
You could add multiple connections (using `also=`)
each with different remote identities.
> Is there a possibility to extend the authorization with group membership
>
Hi Harald,
>> Is a search domain actually required in your setup? Because, as I said,
>> there is no standardized IKEv2 attribute for it at all.
>>
>
> Yes, definitively. My colleagues are used to openvpn and its NetworkManager
> plugin, supporting several "dhcp-options", including domain search
Hi Harald,
> using IKEv2 and NetworkManager I wonder how the DNS domain search
> attribute is supposed to be added to /etc/resolv.conf?
There is no such attribute for IKEv2.
> My attr.conf on the IPsec gateway says
>
> attr {
> dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
> nbns =
Hi Guy,
> could you please advise what am I missing here, in order to enable the
> vici plugin,
See [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing
Hi Lars,
> Got a roadwarrior/client connection where NAT-T isn't auto detected.
Why is that?
> I tried to solve this by forcing UDP encapsulation using forceencaps=yes and
> expected that NAT keep alive packets also where sent in order to keep the
> connection alive.
> But this doesn't seem
Hi Tomek,
> Thanks for your answer. The phone indicates the invalid value of SQN,
> see the logs below:
Check the implementation of resync() in your implementation of
simaka_card_t (and whatever it actually calls/does) for details on this.
That it initially fails could be due to how the SQNs
Hi,
> what is the problem here?!
Chances are the configured PSK is wrong. But you'd have to check the
log of the peer for details.
Regards,
Tobias
Hi Tomek,
> However, the
> phone didn't accept the new AUTN and sent synchronization failure again.
Does it report the reason why it does so?
> Do you have any idea why the phone is sending the
> AKA_SYNCHRONIZATION_FAILURE?
No. You should really check the logs there to see why it does.
> In
Hi Graham,
> Is it possible to send multiple IKEv2 proposals?
Sure, why do you think it's not? Refer to the man page or wiki
documentation for the configuration backend you are using.
> The use case being, one with combined mode ciphers and the other without.
The default "proposal" (for
Hi Brent,
> 1.) The named connection that listens (and serves as a tunneled gateway)
> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
> and 203.0.113.2 should route through 203.0.113.2 to the RADIUS server,
> so they get detected as unique NAS addresses. 203.0.113.2 should
Hi Jaehong,
> the StrongSwan select wrong selector and program xfrm incorrectly.
No, everything works as it's designed to. However, there are several
aspects that result in the "wrong" outcome in your case.
It starts with the ping utility that opens a UDP socket to determine
which local
Hi Alexander,
> installing new virtual IP 10.0.42.3
> created TUN device: tun0
> virtual IP 10.0.42.3 did not appear on tun0
You might have to increase the time strongSwan waits for the address to
appear (via charon.plugins.kernel-pfroute.vip_wait, defaults to 1000ms).
Regards,
Tobias
Hi Brent,
> what would that even be, the Called
> Station ID attribute?
Probably, as that contains the server's IP (and port, by default). See
[1] for details.
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Attributes-sent-to-RADIUS-servers
Hi Peter,
This is your problem:
> Jul 22 20:26:15 ns1 charon: 13[CFG] selected peer config 'nix-conn'
Since neither IPs, identities, nor authentication methods are different
between the two connections and nix-conn is loaded before win10 (and the
IKE algorithm proposal is also acceptable), the
Hi Marwan,
> Is it possible to opt-out of the feature that multiple connections share
> the same virtual IP pools in the latest version of strongSwan?
Use swanctl.conf or use other plugins to provide overlapping IPs/pools.
Regards,
Tobias
Hi Stephen,
> Here are the details in full:
That first log you posted is useless. It's not the daemon's log (you
configured logging to a separate file yourself in strongswan.conf).
Your problem now is the `authby` setting. Since the peer wants to do
XAuth you have to set it to `xauthpsk`
Hi Stephen,
> I have already advised the team that Aggressive
> mode with psk is unsafe.
If you are at it, they shouldn't use IKEv1 or L2TP (if they actually do)
anymore either.
Looks like you might now have to add leftsourceip=%config again (the
peer is apparently not ready yet to accept Quick
Hi Peter,
> I removed all other connections, unused proposals from server config. No
> success.
It has nothing to do with the server config. The client is behaving
strangely.
> Can I push a CHILD_SA timeout to win10 client, or tweak it in Windows
> registry?
Push, no. Registry, no idea. But
Hi Stephen,
> I have tried with:
>
> # leftsourceip=%config
> modeconfig=pull
Leave both enabled to use a virtual IP. Comment both (as you tried) to
not use one.
> These both result with:
Please post the full logs.
Regards,
Tobias
Hi Peter,
According to the log the client uses two CREATE_CHILD_SA exchanges to
create duplicate CHILD_SAs for no apparent reason (they aren't
rekeyings, REKEY_SA notifies are missing, just duplicates). This
happens immediately after the initial SAs got created. At 20:00:52 the
original
Hi Stephen,
> Thank you for your helpful response.
>
> Unfortunately this has resulted in a similar outcome:
As I said, `leftsourceip=%config` might not be applicable if the goal is
to use L2TP.
Regards,
Tobias
Hi Stephen,
> modeconfig=push
You probably want to use `pull` here (at least if you actually want to
use a virtual IP and `leftsourceip=%config` is there on purpose - with
L2TP, which `left|rightprotoport` and your previous messages seem to
indicate, no virtual IPs are usually used).
Hi Stephen,
> Part Pull
The log/status doesn't seem to match that. There is no mode config
exchange in the log and the queued task given as QUICK_MODE. With
`pull` (that's actually the default) the client should send a mode
config request after XAuth.
Regards,
Tobias
Hi Stephen,
> I
> will send updates for push and pull separately. Sorry for all the emails...
Don't bother with `push`, it's definitely not the way to go.
The problem now is either your ESP algorithm proposals and/or the
traffic selectors (`left|rightsubnet`). Start with
Hi Bidhan,
> I have used Split-Tunneling with IKEv2 and in Linux, mac client it works
> like a charm but in case of windows, routes are not pushed
> automatically. So currently, I have been pushing route manually in
> windows machine through a PowerShell script which I don't want to use
>
Hi Harald,
> The laptop should be able to ping 10.19.96.156 again, but
> 10.19.96.156 sends the echo reply to the "old" mac address
> known from the wired connection to the roadwarrior. The
> laptop can access other hosts in the 10.19.96.0/19 network,
> if they hadn't been accessed via the cable
Hi Jianjun,
According to the log, the configuration is not loaded when the peer is
trying to connect:
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500]
> (660 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>
Hi Houman,
> Is there is a way to disconnect a specific strongswan user from the
> command line?
Not directly (at least not via vici, it might be possible via RADIUS,
depending on the RADIUS server).
> I have found the Vici plugin, but there is no documentation whatsoever.
What do you mean?
Hi Anthony,
> ? what are the possible fetcher plugins for CRLs and OCSP
Search for "fetcher" at [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginList