Hi,
1. I was going through the update SA code and figured out that the
replay data for an SA is fetched separately from the other SA data;
however, while adding the updated SA, the replay value is sent with the other
entries. What is the reason for this discrepancy?
That's due to a limitation of the
by adding 'dpdaction = restart'
and most likely 'dpddelay = time' to the config.
Regards,
Tobias
--
==
Tobias Brunner tob...@strongswan.org
strongSwan - the Linux VPN Solution! http
to an appropriate value).
Regards,
Tobias
From 3339a7e974eaa581678d3e57f1cc9c94924acecd Mon Sep 17 00:00:00 2001
From: Tobias Brunner tob...@strongswan.org
Date: Sat, 5 Jun 2010 09:50:07 +0200
Subject: [PATCH] Adding a remove_at method to the hash table in order to remove
items while enumerating them
Hi Graham,
If I get a chance, I'll try out your patch, this may take some weeks
to getting around to though.
Unfortunately, the patch contained a small bug. But I committed a
proper version to master on Monday (see [1]).
Regards,
Tobias
Hi Holger,
I've read the instructions at
http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
As you've probably seen, this currently covers only FreeBSD 7.x and its NAT-T
patches. With the inclusion of NAT-T in FreeBSD 8 some details have changed.
For instance, the
If we change the reserved fields to zero for the same given test-case
it works fine.
Would it then be a parse issue?
It could be (the zeroed fields then not affecting the result). It would
really help if you could add enc 3 to charondebug in ipsec.conf and
rerun the failing test. That
Hi Richard,
The trace file is below.
Thanks, but the file seems to be incomplete (e.g. no chunk contents are
listed, IKE_AUTH is never mentioned etc.).
Regards,
Tobias
___
Users mailing list
Users@lists.strongswan.org
Hi Richard,
I found the reason for this failure. The only thing from the IKE_AUTH request
that affects the computation of the AUTH value is the ID as in prf(Sk_px, IDx').
Now I somehow assumed IDx' is just the Identification Data of the IDx payload,
but it's not, IDx' is actually IDType |
Looks suspicious:
+return rekey - jitter * (random() / (RAND_MAX + 1.0));
@Tobias: What's the idea behind RAND_MAX + 1.0? Might this end in a
division by zero?
random() / (RAND_MAX + 1.0) returns a random floating point number in
the range [0, 1). The value of RAND_MAX depends on the
I am unable to find what __fixunsdfdi is.
child_cfg.c is indeed the line mentioned above.
Anyone who has any ideas?
__fixunsdfdi is a GCC-internal function which converts a double to an uint64.
It seems that an instruction in that function raises the SIGILL on your
platform. This suggests
Hi Holger,
are the patches needed for FreeBSD 8.1 support also integrated?
Yes.
Regards,
Tobias
Hi Jiri,
Currently, negotiated traffic selectors are only applied on SPs.
Certain situations require them in SAs as well.
Example (taken from a previously failing ipv6ready IKEv2.EN.I.1.1.7.1 test
case):
...
This patch makes strongSwan set the negotiated TSs the SAs it creates.
Hi Jan,
#config setup
#nothing here
Just define
config setup
plutostart=no
and you should be fine.
Regards,
Tobias
Hi Danny,
But why is PLUTO_NEXT_HOP not the leftnexthop=xx.xx.xx.xx or
leftnexthop=%defaultroute from my config?
Unfortunately, the left-/rightnexthop options were broken since 4.4.0.
I pushed a fix for it to master (see [1]).
Regards,
Tobias
Hi Michalle,
there will be a plain text of ICMP echo request (which decrypts the
original ESP packet from my implementation) in the network.
You didn't write on which host you captured the packets with Wireshark. If it
was on the same host on which strongSwan was running then this behavior is
Hi Michalle,
I have another question about this. Why does it only happen when the ESP
protects tunnel mode IP traffic?
I have never seen that plain text in transport mode.
Yes, this only happens with tunnel mode. I don't know the exact reason for it,
it's probably just a side effect of
Hi Jessie,
the keep-alive interval can actually be configured, although not on a
per-connection basis, by setting the charon.keep_alive option in
strongswan.conf. Regarding the IPsecWindowSize option, keep in mind
that the maximum window size currently supported by the Linux kernel is
32, which
Hi David,
I added some notes to our wiki about the lifetime/rekeytime calculation:
http://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
Regards,
Tobias
David Deng wrote:
Hi All,
When I initiated some testing of the IPsec rekey mechanism, I
found the rekey lifetime
Hi Peter,
Is there also an workaround for the strongSwan NetworkManager plugin?
There is no need for that, as the NetworkManager indirectly uses charon,
fixing charon fixes the NM plugin.
Regards,
Tobias
Yatong Cui wrote:
Yet I cannot start the daemon because the system cannot identify any IPsec
stack.
That's not really a problem, the detection code is Linux specific and
not actually executed by the daemon, but by a wrapper tool called
starter. The daemon charon (with the proper plugin
Hi Richard,
Hi Tobias, was this ever included in strongSwan? We are failing this test
while
undergoing USGv6 certification testing and would like to be able to have a
fix.
No, it has not yet been applied. The patch still fixes this particular
test case, so you may try applying it. But
Hi Benoit, Hi Andreas,
as Benoit already confirmed, this problem is related to using the
kernel-pfkey plugin in combination with pluto. I tried to reproduce the
behavior using Benoit's config and I was able to do so with the PF_KEY
interface, but not with the Netlink interface. Some
Hi Benoit,
If defaultTunnel is established first and t1 second, the strongSwan
server receives the traffic from the tunnel t1 but doesn't send back
packets through it. The traffic seems to always be routed to the
tunnel defaultTunnel. If t1 is established first and
defaultTunnel second,
like to invite fellow Nokia N900 owners to test
the two packages and vote for them accordingly on the respective
maemo.org pages ([1], [2]). Thanks in advance!
Best regards
Tobias Brunner, Martin Willi, Andreas Steffen
The strongSwan Team
[1]http://maemo.org/packages/package_instance/view
Hi Mike,
The crash is in thread 08 in the DBG2 processing below, because the thread's
ike_sa value is set to the now-deleted ike_sa_t.
That's exactly what happened. The problem is that the IKE_SA is checked
out by one thread and then checked in by another, thus the thread local
IKE_SA is
Hi Antoine,
PS: The custom kernel is not yet built because I have planned to do it after
compiling the entire android sources including strongswan. It should
normally not be disturbing, should it?
No, you can build that later without problem.
external/strongswan-4.5.1/src/libstrongswan/settings.c:23:18:
Hi Avinash,
target SharedLib: libcharon
(out/target/product/generic/obj/SHARED_LIBRARIES/libcharon_intermediates/LINKED/libcharon.so)
out/target/product/generic/obj/SHARED_LIBRARIES/libcharon_intermediates/daemon.o:
In function `daemon_create':
Hi Rajiv,
- is there a better way and a simple and elegant way to simulate 1000
tunnels (2000 SAs)?
Did you already have a look at the load-tester plugin [1]?
Regards,
Tobias
[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
Hi Ujjal,
1) Does reauth=no have any effect, or am I doing some wrong configuration?
The reauth option allows configuring whether an IKE_SA is rekeyed or
reauthenticated once it is about to expire (ikelifetime/margintime). It
has no effect on other circumstances where a reauthentication might
Hi David,
iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp 10
iptables -t mangle -A OUTPUT -p icmp -m dscp --dscp 10 -j MARK --set-mark 10
If you add these rules on both sides, then you also have to specify
mark=10 in both configs. You seem to have done so on the gateway but
not on
Hi,
Jul 23 12:41:28 lag3 charon: 03[CFG] issuer of fetched CRL 'C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=i...@igvpn.com' does not match
CRL issuer '9b:00:ad:ef:3d:af:74:3b:72:6e:28:33:f5:33:4a:6a:e8:77:2e:bb'
It seems your CA certificate contains the X509v3 Subject Key
Hi Patricia,
I've tested strongswan-4.5.3rc2 and I still get the same behaviour.
I'm testing MOBIKE by sending CBR traffic from the initiator at a
rate of 45Kbps.
When I deactivate eth0 I obtain the behavior that you can see on one.png.
Then, I activate eth0 again and deactivate eth1
Hi Patricia,
I've also tested with virtual IPs and I obtain the same behaviour :(
Ah, yes. The source route installed by charon only covers eth0 and its
default gateway.
Andreas, Martin, any ideas?
Regards,
Tobias
iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
Thus no plaintext packets should leave the VPN endpoint.
That's probably the best solution for now. The problem with the virtual
IP approach is
Hi Ujial,
Interface eth1 IP address is given as 10.29.11.66/16 and the virtual
IP address 10.29.11.67/16. The tunnels are as follows:
1)10.29.11.66--10.29.11.36
2)10.29.11.67--10.29.11.36
This
Hi Patricia,
Can this packet be tunneled at that point? Are initiator and responder
updating the SAs after the liveness test? I think this packet should not
be received through the tunnel until the handover process ends.
Is the return routability check activated by default? by who?
In the
Hi Peter, Martin,
[IKE] unable to allocate SPIs from kernel
Unfortunately, the stock N900 kernel does not support the required IPsec
modules. You'll have to install the kernel-power [1] package. It seems
that such a hint is missing on our wiki page, I'll fix that.
Hm, that's strange since
Hi Diego,
I forgot to clarify that the route is inserted if compress=no. In
the kernel_netlink_ipsec.c add_policy method, the code checks if mode !=
MODE_TRANSPORT to insert the route.
Yes, if IPComp is enabled the actual IPsec SA uses transport mode in the kernel
as the inner IPComp SA
Hi Federico,
The problem comes when I try to patch the VPN frontend as written here:
http://wiki.strongswan.org/projects/strongswan/wiki/AndroidFrontend.
Did the patches apply cleanly? Look for .rej files.
The android source doesn’t compile anymore. I suspect it is because I am
using
Hi Federico,
I still get some .orig files after patching although no .rej file is
produced and no error messages are given when I patch.
Perhaps patch is aliased to 'patch -b' on your system (check with
'alias' in a console window).
Problem is that it looks like when I try to use the VPN,
What does not seem to be there instead is the charon service itself.
When I went in the adb shell and tried to start it, I got an error,
and noticed that in /system/bin/ of the running emulator, there is no
charon command at all, which would explain a lot. What can be the
cause? Is it
Now I don't understand why I should build a tarball just to extract
it again
Yes, that's strange, isn't it ;-) The reason for this is that building
the tarball also creates several generated files, which cannot be done
that easily directly inside the Android build system. These files are
But what about just copying the android.mk file from the source tree
inside the folder I get from extracting the
strongswan-4.2.9-stable-4853.tar.bz2 file instead? Would that work?
No, not really. There were quite a lot of changes needed to make
strongSwan run on Android. Now, strongSwan 4.2.9
Hi Federico,
What else could it be? (Just as a note, I have not enabled anything
extra with the cryptographic API modules. )
It could very well be a problem with the algorithms. Which algorithms
are negotiated between the two hosts? Did you configure anything
special on the responder?
Hi Elmar,
I thought, this happens in the _updown-Script
It did but this is now done by the kernel-netlink plugin (see [1]).
Pluto still installs the source routes with the _updown script, though.
Now, the kernel-netlink plugin doesn't check if the rule already exists
and just installs it
Hi Mirko,
However, I found another problem, possibly related, which can be
reproduced as follows with Strongswan 4.6.0:
- setup the test scenario as in ikev2/net2net-cert (ignoring winnetou)
- replace the ethernet link between moon and sun by a serial line,
run PPP on it with the IP
Hi Rajiv,
Try adding an empty line between the third and fourth line of your
private key file, like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FC8D750D505E922

D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1
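Added example, not code from the thread or from strongSwan: a small checker for the problem described above. An encrypted PEM key carries RFC 1421 encapsulated headers (Proc-Type, DEK-Info) and the format separates them from the base64 body with an empty line; a key whose headers run straight into the body is what the reply asks to fix by hand. The sample keys are constructed: the header lines are taken from the thread, the body is truncated to its first line, and the fixed variant is the same text with the blank line inserted.

```c
#include <stdio.h>
#include <string.h>

enum { PEM_OK = 0, PEM_NO_BEGIN = 1, PEM_MISSING_BLANK = 2 };

/* Constructed sample: the header lines from the thread, followed directly
 * by a (truncated) base64 body with the blank separator line missing. */
static const char BROKEN_KEY[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,2FC8D750D505E922\n"
    "D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1\n"
    "-----END RSA PRIVATE KEY-----\n";

/* The same key with the blank line that RFC 1421 puts between the
 * encapsulated headers and the encoded body. */
static const char FIXED_KEY[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,2FC8D750D505E922\n"
    "\n"
    "D8p/CHn/F5PuiLtSIp9AWfZ9Iig9VQydF7uhCDgJKgOutYGj7PkoufOhFsJ+H7D1\n"
    "-----END RSA PRIVATE KEY-----\n";

/* Skip the BEGIN line and any "Name: value" header lines; return a pointer
 * to the first line after the headers (blank line, base64 or END line),
 * or NULL if there is no BEGIN line. */
static const char *pem_body_start(const char *pem, int *saw_header)
{
    const char *p = strstr(pem, "-----BEGIN ");
    *saw_header = 0;
    if (!p || !(p = strchr(p, '\n'))) return NULL;
    p++;
    for (;;) {
        size_t len = strcspn(p, "\n");                    /* current line, newline excluded */
        if (len == 0 || !memchr(p, ':', len)) return p;   /* blank, base64 or END line */
        *saw_header = 1;                                  /* base64 never contains ':' */
        if (p[len] == '\0') return p + len;               /* header was the last line */
        p += len + 1;
    }
}

/* PEM_MISSING_BLANK when headers run straight into the body, the case the
 * reply above describes. A key without headers needs no blank line. */
int pem_check_header_separator(const char *pem)
{
    int hdr;
    const char *body = pem_body_start(pem, &hdr);
    if (!body) return PEM_NO_BEGIN;
    if (hdr && *body != '\n' && *body != '\r') return PEM_MISSING_BLANK;
    return PEM_OK;
}

/* Copy pem into out, inserting the missing blank line after the headers.
 * Returns the length written (without NUL); 0 if out is too small or the
 * input has no BEGIN line. */
size_t pem_insert_blank_line(const char *pem, char *out, size_t outsz)
{
    int hdr;
    size_t len = strlen(pem);
    const char *body = pem_body_start(pem, &hdr);
    if (!body || outsz < len + 2) return 0;
    size_t head = (size_t)(body - pem);
    memcpy(out, pem, head);
    if (hdr && *body != '\n' && *body != '\r') out[head++] = '\n';
    memcpy(out + head, body, len - (size_t)(body - pem) + 1);   /* rest incl. NUL */
    return head + (len - (size_t)(body - pem));
}

/* 1 if repairing `broken` yields exactly `expected`. */
int pem_fix_matches(const char *broken, const char *expected)
{
    char buf[1024];
    size_t n = pem_insert_blank_line(broken, buf, sizeof buf);
    return n != 0 && n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *verdict[] = { "ok", "no BEGIN line", "blank line after headers missing" };
    printf("broken key: %s\n", verdict[pem_check_header_separator(BROKEN_KEY)]);
    printf("fixed key:  %s\n", verdict[pem_check_header_separator(FIXED_KEY)]);
    printf("repair reproduces fixed key: %s\n",
           pem_fix_matches(BROKEN_KEY, FIXED_KEY) ? "yes" : "no");
    return 0;
}
```

The checker only looks at the framing, not at the ciphertext; a key that passes it can still be rejected for other reasons, such as the CRT inconsistencies discussed further down in this thread.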
Hi Rajiv,
00[LIB] key integrity tests failed
Seems like the gmp plugin has some issues with your key. It would help
if you could send us an example private key file causing this error.
Regards,
Tobias
Hi Mirko,
I may be wrong, but I don't think it has been truncated.
No you were right, it was the complete log.
At 18:49:25, the route to 192.168.0.2 does exist,
but charon hasn't noticed it.
Well, charon does notice that the interface comes up again. But the
issue here is that the IP
Hi Rajiv,
When I use
openssl rsa -in mfcgw1key2.pem -check -noout
on my x86_64 machine with OpenSSL 0.9.8o I get
RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d
which is also the reason why our libgmp based plugin doesn't like the
keys,
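Added example, not code from the thread, from strongSwan or from OpenSSL: the consistency checks behind the two `openssl rsa -check` messages quoted above, on a toy-sized key so the arithmetic fits in 64 bits. The CRT exponents dmp1 and dmq1 must equal d mod (p-1) and d mod (q-1); a key whose stored dmp1 disagrees with d decrypts to garbage when the CRT path is used, which is why a plugin that trusts the stored values has to reject it. The primes p=61, q=53 and e=17 are constructed test values and far too small for real use.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t n, e, d, p, q, dmp1, dmq1, iqmp; } rsa_key_t;

enum { RSA_OK = 0, RSA_BAD_N = 1, RSA_BAD_D = 2, RSA_BAD_DMP1 = 4,
       RSA_BAD_DMQ1 = 8, RSA_BAD_IQMP = 16 };

/* a*b mod m without overflow, valid for m below 2^63 (plenty for the toy key). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    uint64_t r = 0;
    for (a %= m; b; b >>= 1, a = (a + a) % m)
        if (b & 1) r = (r + a) % m;
    return r;
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1, b = mulmod(b, b, m))
        if (e & 1) r = mulmod(r, b, m);
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* a^-1 mod m by extended Euclid; 0 if no inverse exists. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Derive the private components from p, q, e as a key generator would
 * (d taken mod phi = (p-1)(q-1), the textbook choice). */
rsa_key_t rsa_from_primes(uint64_t p, uint64_t q, uint64_t e)
{
    rsa_key_t k;
    k.p = p; k.q = q; k.e = e; k.n = p * q;
    k.d = invmod(e, (p - 1) * (q - 1));
    k.dmp1 = k.d % (p - 1);     /* CRT exponent for p */
    k.dmq1 = k.d % (q - 1);     /* CRT exponent for q */
    k.iqmp = invmod(q, p);      /* CRT coefficient q^-1 mod p */
    return k;
}

/* Bitmask of failed consistency checks. d*e is checked mod lcm(p-1, q-1)
 * so that keys generated with either phi or lambda pass. */
int rsa_check_key(const rsa_key_t *k)
{
    uint64_t lambda = (k->p - 1) / gcd64(k->p - 1, k->q - 1) * (k->q - 1);
    int errs = RSA_OK;
    if (k->p * k->q != k->n)               errs |= RSA_BAD_N;
    if (mulmod(k->d, k->e, lambda) != 1)   errs |= RSA_BAD_D;
    if (k->dmp1 != k->d % (k->p - 1))      errs |= RSA_BAD_DMP1;  /* "dmp1 not congruent to d" */
    if (k->dmq1 != k->d % (k->q - 1))      errs |= RSA_BAD_DMQ1;  /* "dmq1 not congruent to d" */
    if (mulmod(k->iqmp, k->q, k->p) != 1)  errs |= RSA_BAD_IQMP;
    return errs;
}

uint64_t rsa_encrypt(const rsa_key_t *k, uint64_t m) { return powmod(m, k->e, k->n); }

/* Garner's CRT recombination: a wrong dmp1 silently yields garbage. */
uint64_t rsa_decrypt_crt(const rsa_key_t *k, uint64_t c)
{
    uint64_t m1 = powmod(c, k->dmp1, k->p), m2 = powmod(c, k->dmq1, k->q);
    uint64_t h = mulmod(k->iqmp, (m1 + k->p - m2 % k->p) % k->p, k->p);
    return m2 + h * k->q;
}

/* Build the key from (p, q, e), add dmp1_delta to dmp1, return the check mask. */
int rsa_check_from_primes(uint64_t p, uint64_t q, uint64_t e, uint64_t dmp1_delta)
{
    rsa_key_t k = rsa_from_primes(p, q, e);
    k.dmp1 += dmp1_delta;
    return rsa_check_key(&k);
}

/* Same tampering, then encrypt m with the public part and decrypt via CRT. */
uint64_t rsa_roundtrip_crt(uint64_t p, uint64_t q, uint64_t e, uint64_t dmp1_delta, uint64_t m)
{
    rsa_key_t k = rsa_from_primes(p, q, e);
    k.dmp1 += dmp1_delta;
    return rsa_decrypt_crt(&k, rsa_encrypt(&k, m));
}

int main(void)
{
    /* Constructed toy key p=61, q=53, e=17 (n=3233); never use sizes like this. */
    printf("intact key: errors=0x%x, decrypt(encrypt(65))=%llu\n",
           rsa_check_from_primes(61, 53, 17, 0),
           (unsigned long long)rsa_roundtrip_crt(61, 53, 17, 0, 65));
    printf("dmp1 + 1:   errors=0x%x, decrypt(encrypt(65))=%llu\n",
           rsa_check_from_primes(61, 53, 17, 1),
           (unsigned long long)rsa_roundtrip_crt(61, 53, 17, 1, 65));
    return 0;
}
```

The round trip with the tampered key returns a wrong plaintext rather than an error, which is the argument for checking dmp1/dmq1 against d at load time, as the gmp plugin's key integrity test does.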
Hi,
strongswan4-mod-kernel-klips - 4.5.2-1
Please try to remove this module from your build. The kernel-klips
plugin was done for a very specific (and rather old) KLIPS release. And
depending on whether your kernel actually includes the KLIPS patch or
not, it might never work. So, do you
Hi Alex,
Thank you for your help and suggestions guys, got it working with
OpenSwan.
Interesting. Would you care to share the config that enabled you to do
this with OpenSwan? Because I'm pretty sure L2TP/IPsec with destination
NAT (i.e. the responder behind a NAT) is currently not possible
Hello Zhen,
I have been trying to bring Strongswan 4.5.3 to Android
If possible, you should update to 4.6.1 as there are several Android
related improvements included in that release.
1. When I ran charon in adb shell, it started, but said: android plugin
failed to load, can't open android
Hi Deepika,
Does that mean that we will be having an ipsec.conf file for Android as
well, in the same way we have for Linux?
Yes, it does. But you currently can't use the ipsec script, so you have
to use starter and stroke directly.
If that is the case, can somebody help me on how/where to
Hi Zhen,
If I used 4.6.1, is there any special configuration I need to enable to
build the starter and stroke when I build the Android?
Have a look at the top Android.mk. There you can uncomment the
strongswan_BUILD_STARTER line to enable the build of starter and stroke.
I assume I wouldn't
1. Doesn't seem that Charon loads the ipsec.conf file.
What makes you say so? Do you get any errors? Where did you put the
file? Can you verify that it's there when you log into the emulator
with 'adb shell'? And is that path equal to what you configured in the
top Android.mk file as
Hi Chris,
If anyone could help me out in figuring out why:
A) the attr plugin doesn't seem to be working
I looked into that and it seems the attr plugin only supports IP
addresses and subnets as values (i.e. no strings or ints). The attr-sql
plugin [1] supports more types, so that might be
Hi Chris,
which iOS version do you use on your device? Because I just tried how
the VPN client behaves on an iPhone 3GS with iOS 5.0.1. And well, I can
save the password even without sending UNITY_SAVE_PASSWD (I did not try
what happens if I do, actually).
Hi Chris,
With this config, w/ and w/o UNITY_SAVE_PASSWD, I get prompted for XAuth
credentials on each VPN connect. The VPN connection is added through a
.mobileconfig file, using VPN on demand on the iOS side.
Ah, I didn't know this feature and I never actually used Apple's
configuration
Hi Diego,
First, what's your strongSwan version?
If you configure this:
conn LabMPLS-site1
...
leftid=@site1.example.com
leftcert=site1.pem
Do you by any chance see a log message like id 'site1.example.com' is
not confirmed by certificate, defaulting to 'C=AR, ...'
Hello Deepika,
eap_sim_plugin_create: external/strongswan/src/libcharon/plugins/eap_sim/eap_sim_plugin.c:87:
error: undefined reference to 'simaka_manager_create'
The files from libsimaka are included manually in the libcharon
Android.mk and some of the new files were missing. I pushed a fix
Hi Milton,
For some reason, I don't see aes, hmac plugins on Nexus One device:
That's correct because the functionality of these plugins is provided by
the openssl plugin on Android.
Which I assume is the issue?
No, as these plugins provide functionality for the IKEv2 charon daemon
and work
Hi Milton,
Does libcharon process dns entries in the IKEv2 config payload?
I defined following in /etc/strongswan.conf
charon {
dns1 = 8.8.8.8
dns2 = 8.8.4.4
}
but the client does not appear to change local dns configuration.
The IKEv2 daemon charon currently only supports the
Hi Bill,
I want to use the gcm block cypher. (esp=aes128cgm16-sha256!)
I added gcm to the Android.mk in the strongswan_CHARON_PLUGINS list and
also added it to the Android.mk in src/libstrongswan.
The gcm plugin you activated with the above is for strongSwan internal
use with the key exchange
Hi,
When I try to add 'leftcert', I can no longer use PSK.
Well, what's the point of defining a certificate if you want to use a
pre-shared secret for authentication?
conn %default
...
leftcert=host_domain_tld.pem
leftid=@host.domain.tld
This gives me the following
Hi Eric,
However, when I specify a port value in the protoport designations (E.g.
leftprotoport=tcp/0 + rightprotoport=tcp/3260 OR leftprotoport=6/0 +
rightprotoport=6/3260 OR leftprotoport=tcp/any +
rightprotoport=tcp/3260), the IKE authentication fails due to a traffic
selector mismatch.
Hi Chester,
I am using strongswan-4.2.8, and I have a question I want to check with you: does
this version support IP ranges like 192.168.2.3-192.168.2.233 when
set on the left|right side?
No, we currently don't support arbitrary address ranges. Such ranges
are simply mapped to the smallest subnet
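Added example, not strongSwan code: the mapping the reply describes, an address range collapsed to the smallest subnet that contains it. The prefix length is found from the highest bit in which the two ends of the range differ; everything above that bit is common to every address in the range and becomes the network part. For the range from the question this yields 192.168.2.0/24, which also shows the policy-relevant consequence: the resulting traffic selector covers 22 addresses below and 22 above the range the user asked for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Prefix length of the smallest subnet covering [lo, hi] (host-order
 * addresses); network address stored in *net if non-NULL. -1 if lo > hi. */
int smallest_covering_subnet(uint32_t lo, uint32_t hi, uint32_t *net)
{
    if (lo > hi) return -1;
    uint32_t diff = lo ^ hi;                   /* bits in which the range ends disagree */
    int prefix = 32;
    while (diff) { diff >>= 1; prefix--; }     /* prefix must stop above the highest differing bit */
    uint32_t mask = prefix ? 0xFFFFFFFFu << (32 - prefix) : 0;
    if (net) *net = lo & mask;
    return prefix;
}

/* "a.b.c.d" -> host-order uint32; 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char trail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* "lo-hi" -> prefix length of the covering subnet, network in *net; -1 on error. */
int range_to_prefix(const char *range, uint32_t *net)
{
    char lo_s[16];
    const char *dash = strchr(range, '-');
    uint32_t lo, hi;
    if (!dash || (size_t)(dash - range) >= sizeof lo_s) return -1;
    memcpy(lo_s, range, (size_t)(dash - range));
    lo_s[dash - range] = '\0';
    if (!parse_ipv4(lo_s, &lo) || !parse_ipv4(dash + 1, &hi)) return -1;
    return smallest_covering_subnet(lo, hi, net);
}

/* 1 if `range` maps exactly to net_s/prefix. */
int range_covers(const char *range, const char *net_s, int prefix)
{
    uint32_t net, want;
    return range_to_prefix(range, &net) == prefix && parse_ipv4(net_s, &want) && net == want;
}

int main(void)
{
    const char *range = "192.168.2.3-192.168.2.233";   /* the range from the question */
    uint32_t net;
    int prefix = range_to_prefix(range, &net);
    printf("%s -> %u.%u.%u.%u/%d\n", range, net >> 24, (net >> 16) & 255,
           (net >> 8) & 255, net & 255, prefix);
    return 0;
}
```

A range that straddles a power-of-two boundary widens much more than its size suggests: 10.0.0.255-10.0.1.0 is two addresses but maps to 10.0.0.0/23, 512 addresses. If that matters for a policy, split the range into separate subnets instead.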
17 00:00:00 2001
From: Tobias Brunner tob...@strongswan.org
Date: Wed, 8 Feb 2012 11:31:56 +0100
Subject: [PATCH] Charon ignores IKEv1 connections received via stroke.
---
src/libcharon/plugins/stroke/stroke_socket.c |6 ++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/src
When I try to add 'leftcert', I can no longer use PSK.
Well, what's the point of defining a certificate if you want to use a
pre-shared secret for authentication?
Most (all) of my connections will eventually use certificates, so the
plan was to put that in the %default section, so I don't
Hi Alexandre,
When running strongswan with the 3.2 kernel here is what I find in the logs:
Feb 8 16:56:11 shire charon: 16[KNL] unable to add policy 172.17.2.0/24
=== 172.20.0.0/23 out
Feb 8 16:56:11 shire charon: 16[KNL] unable to add policy 172.20.0.0/23
=== 172.17.2.0/24 in
Feb 8
Hi Simon,
From the syslog, it would seem once a possible candidate is picked (by
their order in ipsec.conf), the proposal
selection would not look at the other conns that are also
192.168.3.193...%any. Is this true?
Yes, the current selection algorithm is very simple and based solely on
the
Hi Chester,
If I want to add a parameter (like leftiprange,rightiprange) in
ipsec.conf, and I hope the parameters can be accepted by strongswan,
how can I implement it?
I'm not sure what you mean by I hope the parameters can be accepted by
strongSwan, but if you want to implement all of this
Hi Andreas,
Issuing an ipsec restart on the left end of the tunnel seems to kill
the connection and it won't come back until I issue an ipsec restart
on the right end as well.
You should check the log on the right to see what the problem is when
left tries to re-establish the connection.
Hi Gowri,
05[CFG] added configuration 'tahi_ikev2_test'
10[CFG] stroke message = -2036037751 bytes @ 0xfff80ede300
10[CFG] received stroke: route 'tahi_ikev2_test'
I'm unable to reproduce this even by forcing the length to a very large
value. On what architecture are you running this?
Hi,
the client is a roadwarrior and wants to get a virtual IP; from the log it
seems it got the virtual IP, however the ping from server to client does
not work.
Does it work in the opposite direction? Please also try to verify
whether it is the ICMP request or the response that gets lost.
Is
Hi Jason,
When building under the latest Debian Sid, I get the following error. Is this
a known issue?
This is due to the --enable-eap-tnc configure option used by the Debian
package. Enabling this plugin without enabling any of the tnccs plugins
doesn't make sense, and only the latter cause
Hi Deepika,
I'm trying to build the vstr library for strongswan on ICS. However, when
I give this build command, I'm getting the following error:
...
../include/fix.h:23: error: conflicting types for 'prctl'
I've updated the patch on the wiki with a fix for this problem [1].
Regards,
Tobias
Hi Mo,
Does that mean it cannot be done?
Recent kernel versions (>= 2.6.33, I think) actually support a variable
truncation length. I added support for HMAC_MD5_128 and HMAC_SHA1_160,
which are both defined in RFC 4595 (see [1] for the patch). They are
not part of charon's default proposal, so
Hi Bill,
I’ve modified the Strongswan-4.6.1/Android.mk to include gcm in the
strongswan_CHARON_PLUGINS list and
I’ve also added
LOCAL_SRC_FILES += $(call add_plugin, gcm )
To the libstrongswan/Android.mk file.
Looks fine so far. A problem could be that the list of plugins to load
is
Hi Alex,
Is there a way to instruct strongswan to install the security policy
right upon starting?
Try auto=route. This installs the policies right away and if traffic
matches them the daemon will try to setup the appropriate IKE/IPsec SAs.
The installpolicy option is intended for MIPv6
It would be good if auto could have an option to both install the
policy and initiate negotiation (both route and start). I guess
this is not possible right now, isn't it?
No, there is no such option right now. It's usually not needed as
auto=route automatically initiates the negotiation if
Hi Simon,
Seems MOBIKE message processing needs to store the message's source IP
addr along with the other ADDITIONAL_IPV4_ADDRESS. Using ike_sa to
remember this address separately is not safe. It requires
code to add it in the additional_addresses list before it is overwritten
by
Hi Alex,
I was not aware of the strict flag at all. man ipsec.conf has no
info on that.
That's true for versions before 4.6.0. In the man page of later
versions and on our wiki page about ipsec.conf conn sections [1] this
flag is documented.
Regards,
Tobias
[1]
Hi Niccolò,
# bad subnet: leftsubnet=a:b:c:0300::/56,1.2.3.4/28 [non-ipv6 address
may not contain `:']
bad argument value in conn 'linode-linuxsystems'
### 1 parsing error (0 fatal) ###
while if I add the ipv4 subnet first I get no errors but it doesn't
tunnel the traffic toward
Hi Niccolò,
Thanks for the config.
conn A-B
...
leftsubnet=::/0
...
rightsubnet=1.2.3.32/28,a:b:c:0300::/56
That's not gonna work, as you have only an IPv6 subnet configured in
leftsubnet. Policies in the kernel are installed for the combination of
Hi Vilhelm,
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
charondebug=asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4
conn %default
auth=esp
authby=psk
esp=aes128ctr-aesxcbc!
ikelifetime=60m
keylife=20m
keyingtries=1
rekeymargin=3m
Hi Kim,
On our IPSec GW moon we can see following message repeatedly in our log
files:
Mar 19 11:02:45 moon charon: 14[NET] sending packet: from
192.168.2.17[4500] to sun[500]
Very strange. Due to the NAT this packet should actually be sent from
port 4500 to port
Hi Anand,
conn %default
ikelifetime=10m
keylife=5m
rekeymargin=3m
Not sure what exactly the problem is but I suspect it might be related
to the times you configured above (at least partially).
Please have a look at the wiki page documenting how rekey times are
calculated [1].
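Added example, not strongSwan code, serving both this reply and the earlier question in the thread about `rekey - jitter * (random() / (RAND_MAX + 1.0))`. It assumes the ipsec.conf mapping as I read the ExpiryRekey page linked above: the rekey time is the lifetime (ikelifetime or keylife) minus rekeymargin, the jitter is rekeymargin times rekeyfuzz/100 (rekeyfuzz defaults to 100%), and the actual rekey moment is rekeytime minus a random share of the jitter. The sanity criterion is mine, not the daemon's. With the values from the conn %default above, ikelifetime=10m with rekeymargin=3m rekeys somewhere between 4 and 7 minutes, while keylife=5m with rekeymargin=3m leaves only 2 minutes of rekey time against 3 minutes of jitter.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed ipsec.conf mapping: rekeying is scheduled `rekeymargin` seconds
 * before the hard lifetime ends... */
uint32_t rekeytime_from_conf(uint32_t lifetime, uint32_t margin)
{
    return lifetime > margin ? lifetime - margin : 0;
}

/* ...and randomised by up to rekeymargin * rekeyfuzz / 100 seconds. */
uint32_t jitter_from_conf(uint32_t margin, uint32_t fuzz_percent)
{
    return (uint32_t)((uint64_t)margin * fuzz_percent / 100);
}

/* Sanity criterion (mine, not the daemon's): the margin must fit inside the
 * lifetime and the earliest possible rekey, rekeytime - jitter, must still
 * lie in the future; otherwise a rekey can be scheduled at time zero. */
int rekey_conf_sane(uint32_t lifetime, uint32_t margin, uint32_t fuzz_percent)
{
    uint32_t rt = rekeytime_from_conf(lifetime, margin);
    uint32_t j = jitter_from_conf(margin, fuzz_percent);
    return lifetime > margin && rt > j;
}

/* One draw, mirroring `rekey - jitter * (random() / (RAND_MAX + 1.0))` from
 * the thread (rand() here for portability; same [0, RAND_MAX] range).
 * RAND_MAX is at least 32767 by the C standard, so the divisor is never 0,
 * and dividing by RAND_MAX + 1 keeps the quotient strictly below 1, so the
 * full jitter is never subtracted. A negative result is clamped to 0 here,
 * because converting a negative double to an unsigned type is undefined. */
uint32_t pick_rekey_time(uint32_t rekeytime, uint32_t jitter)
{
    double u = rand() / (RAND_MAX + 1.0);                /* uniform in [0, 1) */
    double t = (double)rekeytime - (double)jitter * u;
    return t < 0 ? 0 : (uint32_t)t;
}

/* Draw n times; 1 if every draw fell into [rekeytime - jitter, rekeytime]. */
int rekey_samples_in_range(uint32_t rekeytime, uint32_t jitter, int n)
{
    for (int i = 0; i < n; i++) {
        uint32_t t = pick_rekey_time(rekeytime, jitter);
        if (t > rekeytime || t + jitter < rekeytime) return 0;
    }
    return 1;
}

int main(void)
{
    /* The two settings from the conn %default above, rekeyfuzz at its default of 100%. */
    struct { const char *name; uint32_t life, margin; } c[] = {
        { "ikelifetime=10m, rekeymargin=3m", 600, 180 },
        { "keylife=5m, rekeymargin=3m", 300, 180 },
    };
    for (unsigned i = 0; i < 2; i++) {
        uint32_t rt = rekeytime_from_conf(c[i].life, c[i].margin);
        uint32_t j = jitter_from_conf(c[i].margin, 100);
        printf("%s: rekey between %ds and %us (%s)\n", c[i].name,
               (int)rt - (int)j, rt,
               rekey_conf_sane(c[i].life, c[i].margin, 100) ? "ok" : "margin too large");
    }
    return 0;
}
```

The clamp in pick_rekey_time is only there so the example stays defined for the insane configuration; the real fix is to keep rekeymargin (and thus the jitter) well below the lifetime, which is what the wiki page spells out.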
Hi Anand,
In my environment there is no support for the kernel-netlink interface
for IPsec,
I have to use kernel-pfkey interface only as I have my hooks
registered in PFKEY to XFRM for IPsec.
I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
resulted in kernel panic after
Hi Vilhelm,
It works though if you limit the debugging level and / or the number
of debugging options. I've reproduced this several times just to be
sure. Why is this?
The problem line was (in full):
charondebug=asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3
It works if you change it so (e.g.)
Hi Peter,
With 4.4.0, this works great; here's a relevant snippet from pluto.log (after
all the certs have checked out):
| XAUTHInitRSA check passed with keyid
08:f4:bf:b9:2d:e8:da:89:48:51:70:dc:1a:e8:a8:93:33:02:a1:3c
...
Now when I use the same config on 4.5.2, I get a slightly
Hi Andreas,
Have a look at the last question in our FAQs [1].
I just learned that the tcpdump -E option can do something like what I want.
tcpdump seems quite limited regarding the supported algorithms. You
could try to dump the packets with tcpdump to a file and then analyze
them with
Hi Peter,
I'm attaching the full control+controlmore logs from both versions in
case anyone's interested (IP redacted). A diff shows them effectively
identical until after the full match lines.
Actually, I think that the problem is caused by an earlier difference in
the logs:
4.4.0:
loading
Hi Peter,
I see that both pluto and charon support the uniqueids option, which
ensures that each peer ID can only connect from one IP at a time. I
have a situation where some peers are generating multiple connections
from a single IP and the old ones are left hanging, generally until
they
Hello,
# ipsec stroke listcerts
List of X.509 End Entity Certificates:
altNames: 32.2.0.0
Any suggestion on how to proceed?
Yes, either update to at least 4.4.1 or apply the patch at [1].
Regards,
Tobias
[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7a74295e
Hi Sanjay,
How is the frequency of IKE_SA_INIT requests defined? I see in the logs
a request is sent at intervals of 4, 8, 13, 23, 42 seconds.
Is this frequency customizable?
See, http://wiki.strongswan.org/projects/1/wiki/Retransmission.
Regards,
Tobias
Hi Eric,
I have a situation where ESP packets appear to be getting mangled on the
remote peer whenever I use SHA2-256-128 for Phase2 (ESP). I can
establish the SAs from the Strongswan to the remote peer no problem.
However, I get no packets returned after establishing the tunnel.
Not sure
Hi Anurag,
1) We are using StrongSwan charon [Linux strongSwan 4.3.1]
Just let me tell you that we don't really like to support such old
releases. It would be great if you could check whether this issue is still
present in 4.6.2.
3) After around 600 sec. from the start, IKE_SA re-keying
Hi Germano,
I've been trying to get scepclient to work with CISCO (IOS 15) for a
week, turned all debugging on and still no success.
CISCO fails with unable to open signed data when I request a
certificate (get ca cert works).
This is what I'm doing:
ipsec scepclient --out