[strongSwan] reg: ikev2 notification message in response to received invalid spi message.
Hi people,

I need some clarification on the following statement in the IKEv2 RFC 4306, section 1.5:

> If an encrypted IKE packet arrives on port 500 or 4500 with an unrecognized SPI, it could be because the receiving node has recently crashed and lost state or because of some other system malfunction or attack. If the receiving node has an active IKE_SA to the IP address from whence the packet came, it MAY send a notification of the wayward packet over that IKE_SA in an INFORMATIONAL exchange.

In the above statement, the particular part "it MAY send a notification of the wayward packet" is not clear about whether that notification should be sent as a REQUEST or a RESPONSE. How is strongSwan implemented in this case? Will it send the notification as a Response or a Request, or will it not send any notification?

Any help is appreciated.

Thanks,
...Balaji.J

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
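The exchange the quoted RFC text describes, as an added example that is not part of the original post and is not strongSwan code: a node receives an ESP packet whose SPI matches none of its SAs, finds that it has an IKE_SA to the source address, and initiates an INFORMATIONAL exchange carrying the INVALID_SPI notify that RFC 4306 section 3.10.1 defines for this case (type 11, with the stray SPI in the Notification Data). The peer answers with an empty INFORMATIONAL response echoing the Message ID, since RFC 4306 section 1.4 requires some response to every INFORMATIONAL request. Header and Notify payload layouts follow RFC 4306 sections 3.1 and 3.10. The Encrypted payload that would wrap the Notify on the wire is omitted, and the addresses, SPIs and SA state are constructed for the example.

```python
"""IKEv2 INFORMATIONAL exchange carrying INVALID_SPI (RFC 4306 1.5, 3.10.1).
Structural model only: the Encrypted payload and IKE_SA keys are left out."""
import struct

IKE_VERSION = 0x20              # MjVer 2, MnVer 0
EXCHANGE_INFORMATIONAL = 37
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41
FLAG_INITIATOR = 0x08           # I bit: sender is the original IKE_SA initiator
FLAG_RESPONSE = 0x20            # R bit: this message answers a request
NOTIFY_INVALID_SPI = 11
PROTO_ESP = 3
HEADER = struct.Struct("!QQBBBBII")   # SPIi, SPIr, NextPayload, Version, Exchange, Flags, MsgID, Length
PAYLOAD_HDR = struct.Struct("!BBH")   # NextPayload, C+RESERVED, PayloadLength


def build_notify(proto_id, notify_type, spi=b"", data=b"", next_payload=PAYLOAD_NONE):
    """Notify payload (3.10). INVALID_SPI leaves the SPI field empty and puts
    the offending SPI into the Notification Data."""
    body = struct.pack("!BBH", proto_id, len(spi), notify_type) + spi + data
    return PAYLOAD_HDR.pack(next_payload, 0, PAYLOAD_HDR.size + len(body)) + body


def build_message(spi_i, spi_r, msg_id, is_initiator, is_response, payloads=b"", first=PAYLOAD_NONE):
    """IKE header (3.1) followed by the payload chain; the I bit reflects the
    sender's role in the IKE_SA, not who started this particular exchange."""
    flags = (FLAG_INITIATOR if is_initiator else 0) | (FLAG_RESPONSE if is_response else 0)
    return HEADER.pack(spi_i, spi_r, first, IKE_VERSION, EXCHANGE_INFORMATIONAL, flags,
                       msg_id, HEADER.size + len(payloads)) + payloads


def parse_message(msg):
    """Walk the payload chain and collect (proto, type, spi, data) for each Notify."""
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = HEADER.unpack_from(msg)
    if ver != IKE_VERSION or length != len(msg):
        raise ValueError("bad IKE header")
    notifies, off = [], HEADER.size
    while nxt != PAYLOAD_NONE:
        nxt_next, _, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if nxt == PAYLOAD_NOTIFY:
            proto, spi_size, ntype = struct.unpack_from("!BBH", msg, off + PAYLOAD_HDR.size)
            start = off + PAYLOAD_HDR.size + 4
            notifies.append((proto, ntype, msg[start:start + spi_size], msg[start + spi_size:off + plen]))
        off, nxt = off + plen, nxt_next
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "msg_id": msg_id,
            "response": bool(flags & FLAG_RESPONSE), "notifies": notifies}


class Node:
    """Minimal peer state (constructed): one IKE_SA per remote address, plus the
    inbound ESP SPIs this node installed."""

    def __init__(self, is_initiator, ike_sas, inbound_esp_spis):
        self.is_initiator = is_initiator
        self.ike_sas = ike_sas                    # remote_ip -> {spi_i, spi_r, next_msg_id}
        self.inbound_esp_spis = set(inbound_esp_spis)

    def on_esp_packet(self, src_ip, esp_packet):
        """Return an INFORMATIONAL request if the SPI is unknown and an IKE_SA to
        src_ip exists; None otherwise (known SPI, or nothing to notify over)."""
        spi = esp_packet[:4]                      # ESP header starts with the 32-bit SPI
        if struct.unpack("!I", spi)[0] in self.inbound_esp_spis:
            return None                           # legitimate SA; normal ESP processing follows
        sa = self.ike_sas.get(src_ip)
        if sa is None:
            return None                           # RFC 4306 1.5: no IKE_SA to that address
        notify = build_notify(PROTO_ESP, NOTIFY_INVALID_SPI, data=spi)
        msg_id, sa["next_msg_id"] = sa["next_msg_id"], sa["next_msg_id"] + 1
        return build_message(sa["spi_i"], sa["spi_r"], msg_id, self.is_initiator, False, notify, PAYLOAD_NOTIFY)

    def on_informational(self, msg):
        """Peer side: every INFORMATIONAL request gets a response (1.4), here an
        empty one echoing the Message ID; a received response needs no reply."""
        p = parse_message(msg)
        if p["response"]:
            return None
        return build_message(p["spi_i"], p["spi_r"], p["msg_id"], self.is_initiator, True)


def demo():
    """Constructed scenario: A (IKE_SA initiator) sees an ESP packet with SPI 0xDEADBEEF
    from B, which matches no SA; A notifies B over the existing IKE_SA, B responds."""
    ike = {"spi_i": 0x0102030405060708, "spi_r": 0x1112131415161718}
    a = Node(True, {"192.0.2.2": dict(ike, next_msg_id=2)}, {0x0000ABCD})
    b = Node(False, {"192.0.2.1": dict(ike, next_msg_id=2)}, {0x0000ABCE})
    stray = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16   # constructed ESP: SPI, seq, payload
    request = a.on_esp_packet("192.0.2.2", stray)
    response = b.on_informational(request)
    return parse_message(request), parse_message(response)


if __name__ == "__main__":
    req, resp = demo()
    print("request notifies:", req["notifies"], "response empty:", resp["notifies"] == [])
```

The notify travels in the request of the exchange because the node that saw the stray packet is the one opening the exchange; the peer's only obligation is to send some response, which may carry no payloads. When no IKE_SA to the source address exists, the model sends nothing, matching the RFC's condition that there must be an active IKE_SA to carry the notification.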
Re: [strongSwan] Kernel-netlink issue
Hi,

> 1. I was going through the update SA code. I figured out that the replay data for an SA is fetched separately from the other SA data; however, while adding, the updated SA replay value is sent with the other entries. What is the reason for this discrepancy?

That's due to a limitation of the XFRM API the kernel provides. Unfortunately, the sequence numbers are not included in the response to a XFRM_MSG_GETSA request. These are therefore fetched using a separate XFRM_MSG_GETAE request. On the other hand, the kernel accepts the sequence numbers as part of an XFRM_MSG_NEWSA or XFRM_MSG_UPDSA request.

> 2. We did not find the query_sa function called from any place in the code. Is this function redundant?

It is, and it was removed in 4.2.9.

> 3. Once the IKE stack detects that it is behind NAT, does it still accept packets at port 500?

Yes.

Regards,
Tobias
Re: [strongSwan] strongSwan + iPhone
Hi Andreas!

* Andreas Steffen andreas.stef...@strongswan.org [2009-07-13 14:40]:
> I think any further analysis of the strongSwan log does not give additional information. Upon the reception of the XAUTH request, the iPhone client should return its username/password. Is there any prompt on the client or are there any error messages available?

The message was "Unable to verify the server certificate" (or similar). It turned out that the iPhone is too stupid to get the CA certificate out of a PKCS12 file that was used to bring the user certificate + key to the phone. You have to add the CA certificate manually *sigh* :(

Thanks for your help!
--
Regards,
Wolfram Schlich wschl...@gentoo.org
Gentoo Linux * http://dev.gentoo.org/~wschlich/
Re: [strongSwan] reg: ikev2 notification message in response to received invalid spi message.
At 3:04 PM +0530 7/14/09, Balaji J wrote:
> I need some clarification in the following statement of ikev2 rfc4306 in section 1.5:

Decloaking for a moment: IKEv2 developers should strongly consider implementing from http://tools.ietf.org/html/draft-ietf-ipsecme-ikev2bis instead of from RFC 4306. The former has many clarifications, such as on the topic of this thread.

--Paul Hoffman, Director
--VPN Consortium