Re: [strongSwan] How to ignore incoming IKE_SA_INIT to StrongSwan system
Any suggestions on ways to configure strongSwan to allow it to be the initiator but not the responder?

Thanks,
Stephen

From: users-bounces+stephen.pisano=alcatel-lucent@lists.strongswan.org [mailto:users-bounces+stephen.pisano=alcatel-lucent@lists.strongswan.org] On Behalf Of Eduardo Torres
Sent: Wednesday, May 18, 2011 8:47 PM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] How to ignore incoming IKE_SA_INIT to StrongSwan system

Forgot to add, the target of this is to have the strongswan system be the only initiator of the IKE_SA.

Thanks and Regards
Eduardo M. Torres

On 5/18/2011 8:44 PM, Eduardo Torres wrote:

Hi StrongSwan team,

I have the following configuration: StrongSwan in one peer and a Fortinet Security Gateway is the other peer, both running IKEv2. I want to know if it is possible to configure StrongSwan (in ipsec.conf or strongswan.conf) to ignore any IKE_SA_INIT request from the Fortinet or any other security gateway.

Any help is appreciated.

Thanks in advance
Eduardo M. Torres

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
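The thread asks strongSwan to treat one specific message differently: a brand-new IKE_SA_INIT request arriving from a remote initiator, as opposed to the peer's reply to an IKE_SA_INIT we sent ourselves or any exchange the peer starts inside an already established IKE_SA (IKEv2 lets either side initiate CREATE_CHILD_SA and INFORMATIONAL, so those must keep flowing). The following is an added example written for this page, not strongSwan code and not from either poster: a small IKEv2 header parser that makes exactly that distinction, the check a detection rule or packet filter in front of charon would need. It uses only header fields defined in RFC 7296; the function names, the SPI values and the sample datagrams are constructed for the example.

```python
import struct

# IKEv2 header (RFC 7296, section 3.1): 28 bytes, network byte order.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT, IKE_AUTH, INFORMATIONAL = 34, 35, 37
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # I bit = original initiator of the SA, R bit = this is a response
NATT_PORT = 4500                            # on UDP/4500 a 4-byte zero "non-ESP marker" precedes the header


def ike_payload(datagram: bytes, udp_port: int) -> bytes:
    """Strip the NAT-T non-ESP marker when the datagram arrived on UDP/4500."""
    if udp_port == NATT_PORT:
        if len(datagram) < 4 or datagram[:4] != b"\x00\x00\x00\x00":
            raise ValueError("not an IKE datagram on the NAT-T port")
        return datagram[4:]
    return datagram


def parse_ike_header(datagram: bytes, udp_port: int = 500) -> dict:
    data = ike_payload(datagram, udp_port)
    if len(data) < IKE_HEADER.size:
        raise ValueError("datagram shorter than the IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    return {
        "spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange_type": exch, "flags": flags, "message_id": msg_id, "length": length,
    }


def is_unsolicited_ike_sa_init(datagram: bytes, udp_port: int = 500) -> bool:
    """True only for an IKE_SA_INIT *request* sent by a remote initiator:
    IKEv2, exchange type 34, Initiator flag set, Response flag clear and a zero
    responder SPI (the responder SPI is first filled in by the responder's reply).
    Everything else, including the peer's reply to our own IKE_SA_INIT and any
    exchange the peer starts inside an established SA, must be left alone."""
    try:
        h = parse_ike_header(datagram, udp_port)
    except ValueError:
        return False
    return (h["major"] == 2
            and h["exchange_type"] == IKE_SA_INIT
            and (h["flags"] & FLAG_INITIATOR) != 0
            and (h["flags"] & FLAG_RESPONSE) == 0
            and h["spi_r"] == bytes(8))


def build_header(spi_i: bytes, spi_r: bytes, exch: int, flags: int, msg_id: int = 0) -> bytes:
    """Constructed header for the samples below (next payload 33 = SA, version 2.0, no body)."""
    return IKE_HEADER.pack(spi_i, spi_r, 33, 0x20, exch, flags, msg_id, IKE_HEADER.size)


# Constructed sample datagrams; the SPIs are arbitrary test values, not captured traffic.
OUR_SPI, PEER_SPI = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLES = {
    # a gateway trying to open a new IKE_SA towards us
    "remote_init_request": build_header(PEER_SPI, bytes(8), IKE_SA_INIT, FLAG_INITIATOR),
    # the same, arriving on UDP/4500 behind the NAT-T marker
    "natt_remote_init_request": b"\x00\x00\x00\x00" + build_header(PEER_SPI, bytes(8), IKE_SA_INIT, FLAG_INITIATOR),
    # the peer answering an IKE_SA_INIT that we initiated (our SPI first, its SPI filled in, R bit set)
    "peer_init_response": build_header(OUR_SPI, PEER_SPI, IKE_SA_INIT, FLAG_RESPONSE),
    # a DPD (INFORMATIONAL) request the peer starts inside the SA we initiated: I bit clear, R bit clear
    "peer_dpd_request": build_header(OUR_SPI, PEER_SPI, INFORMATIONAL, 0, msg_id=3),
}


def classify_samples() -> dict:
    """Map each sample to 'drop' (unsolicited new-SA attempt) or 'accept'."""
    return {name: ("drop" if is_unsolicited_ike_sa_init(pkt, NATT_PORT if name.startswith("natt") else 500)
                   else "accept")
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26s} -> {verdict}")
```

The zero responder SPI is the decisive field: a reply to our own IKE_SA_INIT carries the peer's freshly chosen SPI there, and every later message of the SA carries both SPIs, so the rule can never match traffic of an SA we established ourselves. Note that the NAT-T port needs the four-byte marker stripped first; feeding a UDP/4500 datagram to the parser as if it came from UDP/500 silently misreads every field.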
Re: [strongSwan] problems with charon in 4.4.1
On Tue, May 24, 2011 at 8:48 AM, Andreas Schuldei schuldei+strongs...@spotify.com wrote:

On Mon, May 23, 2011 at 11:44 PM, Andreas Steffen andreas.stef...@strongswan.org wrote:

Hello Andreas,

debugging these many connections might be easier using the condensed /var/log/auth.log which has the following entries:
http://www.strongswan.org/uml/testresults45/ikev2/dpd-restart/carol.auth.log

The auth.log was still huge on taylor. I attempted to start from a clean slate today and did this on all machines in the test bed:

/etc/init.d/ipsec stop
rm -f /var/run/charon.pid /var/run/starter.pid /var/run/charon.ctl
/etc/init.d/ipsec stop
logrotate -f /etc/logrotate.conf
ip xfrm policy flush
/etc/network/if-up.d/ssh-outside-ipsec   # this adds xfrm policy for port 500/UDP and ssh traffic to NOT go through ipsec
/etc/init.d/ipsec start

And again taylor got immediate problems with the three hosts, just like yesterday. We don't have additional firewall rules that limit traffic between these hosts. Other hosts in the ash.spotify.net domain don't have problems either.

Can something else get confused? Is there more state somewhere? Do I need to unload the xfrm modules?

The connections between hosts, once turned bad, remained bad until I rebooted the machines in question. Since then (last few hours) it works nicely. But rebooting is not a real option, of course. And connections going into a state that is unrecoverable is not so good, either.
[strongSwan] EAP-SIM Identity Request/Response
Hi Martin, hi Andreas, hi all,

I am testing EAP-SIM with strongSwan as the client against a Security Gateway. I wonder if strongSwan supports the EAP-SIM authentication mechanism defined in 3GPP TS 43.318 V7.5.0. The difference between this EAP-SIM scheme and the standard one defined in RFC 4186 is that this scheme omits the EAP-Identity Request/Response exchange at the beginning of the authentication procedure. The EAP-Identity is included in the IDi sent from the client to the SeGW in the first IKE_AUTH message. So the first EAP payload the client receives is an EAP-Request/SIM/Start (instead of EAP-Request/Identity in the standard case).

Can you please tell me if the above EAP-SIM scheme is supported by strongSwan? If it is, is there any special configuration involved? If it's not supported, how complicated do you think the changes would be to support it? Can you kindly point me to the files that would be involved if I want to implement this support?

Thanks very much

RFC 4186 EAP-SIM:

  strongSwan (client)                                     SeGW (Authenticator)
          |                 EAP-Request/Identity                      |
          |<----------------------------------------------------------|
          |                                                           |
          |                 EAP-Response/Identity                     |
          |---------------------------------------------------------->|
          |                                                           |
          |        EAP-Request/SIM/Start (AT_VERSION_LIST)            |
          |<----------------------------------------------------------|
          |                                                           |
          | EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION) |
          |---------------------------------------------------------->|
          |                                                           |
          |       EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)         |
          |<----------------------------------------------------------|
          |                                                           |
          | Peer runs GSM algorithms, verifies                        |
          | AT_MAC and derives session keys                           |
          |+---+                                                      |
          |                                                           |
          |          EAP-Response/SIM/Challenge (AT_MAC)              |
          |---------------------------------------------------------->|
          |                                                           |
          |                      EAP-Success                          |
          |<----------------------------------------------------------|
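To make the difference between the two orderings concrete, here is an added example written for this page (it is neither strongSwan's EAP-SIM plugin code nor code from the poster): a minimal EAP-SIM peer front end that parses the server's first EAP-Request and answers either the Identity request (the RFC 4186 flow drawn above) or, when the Identity round trip was skipped because the identity already travelled in IDi, the SIM/Start request directly (the 3GPP TS 43.318 variant described in the post). The codes, types, subtypes and attribute numbers are those of RFC 3748 and RFC 4186; the class and function names, the sample identity and the fixed nonce are constructed for the example, and the Challenge step is deliberately not modelled because it needs the SIM's GSM algorithms.

```python
import os
import struct

# EAP codes and types (RFC 3748) and EAP-SIM constants (RFC 4186, sections 9 and 10).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_SIM = 1, 18
SIM_START, SIM_CHALLENGE = 10, 11
AT_NONCE_MT, AT_VERSION_LIST, AT_SELECTED_VERSION = 7, 15, 16
EAP_SIM_VERSION_1 = 1


def parse_eap(pkt: bytes):
    """Return (code, identifier, type, type-data) for one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    eap_type = pkt[4] if length > 4 else None
    return code, ident, eap_type, pkt[5:]


def parse_sim_attributes(type_data: bytes):
    """EAP-SIM type-data: subtype(1) reserved(2) then TLVs whose length is counted in 4-byte words."""
    subtype = type_data[0]
    attrs, off = {}, 3
    while off < len(type_data):
        at, words = type_data[off], type_data[off + 1]
        if words == 0 or off + 4 * words > len(type_data):
            raise ValueError("malformed EAP-SIM attribute")
        attrs[at] = type_data[off + 2: off + 4 * words]
        off += 4 * words
    return subtype, attrs


def versions_from_list(value: bytes):
    """AT_VERSION_LIST value: actual length (2 bytes) then 2-byte version numbers, zero padded."""
    actual = struct.unpack_from("!H", value)[0]
    return [struct.unpack_from("!H", value, 2 + 2 * i)[0] for i in range(actual // 2)]


def build_eap(code: int, ident: int, eap_type: int, type_data: bytes) -> bytes:
    return struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data


def sim_start_response(ident: int, offered: list, nonce_mt: bytes) -> bytes:
    """EAP-Response/SIM/Start carrying AT_NONCE_MT and AT_SELECTED_VERSION."""
    if EAP_SIM_VERSION_1 not in offered:
        raise ValueError(f"server offered versions {offered}, this peer only speaks version 1")
    at_nonce = struct.pack("!BBH", AT_NONCE_MT, 5, 0) + nonce_mt          # 2+2+16 bytes = 5 words
    at_version = struct.pack("!BBH", AT_SELECTED_VERSION, 1, EAP_SIM_VERSION_1)
    return build_eap(EAP_RESPONSE, ident, EAP_TYPE_SIM, struct.pack("!BH", SIM_START, 0) + at_nonce + at_version)


class EapSimPeer:
    """Client side of the EAP-SIM start-up, tolerant of both message orderings (hypothetical helper)."""

    def __init__(self, identity: bytes, nonce_mt: bytes = None):
        self.identity = identity            # in the 3GPP variant this already went out as IDi
        self.nonce_mt = nonce_mt or os.urandom(16)
        self.flow = None                    # "rfc4186" or "3gpp" once the first request has been seen

    def handle_request(self, pkt: bytes) -> bytes:
        code, ident, eap_type, type_data = parse_eap(pkt)
        if code != EAP_REQUEST:
            raise ValueError("expected an EAP-Request")
        if eap_type == EAP_TYPE_IDENTITY:
            self.flow = self.flow or "rfc4186"
            return build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity)
        if eap_type == EAP_TYPE_SIM:
            subtype, attrs = parse_sim_attributes(type_data)
            if subtype == SIM_START:
                # No Identity round trip happened: the SeGW took the identity from IDi.
                self.flow = self.flow or "3gpp"
                return sim_start_response(ident, versions_from_list(attrs[AT_VERSION_LIST]), self.nonce_mt)
            if subtype == SIM_CHALLENGE:
                raise NotImplementedError("the Challenge needs the SIM's A3/A8 algorithms (not modelled here)")
        raise ValueError(f"unexpected EAP type {eap_type}")


# Constructed server messages: what a SeGW sends first in each variant.
AT_VERSION_LIST_V1 = struct.pack("!BBH", AT_VERSION_LIST, 2, 2) + struct.pack("!HH", EAP_SIM_VERSION_1, 0)
IDENTITY_REQUEST = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY, b"")
SIM_START_REQUEST = build_eap(EAP_REQUEST, 1, EAP_TYPE_SIM, struct.pack("!BH", SIM_START, 0) + AT_VERSION_LIST_V1)
SAMPLE_IDENTITY = b"0123456789012345@example.org"   # constructed NAI, not a real subscriber


def run_first_exchange(first_request: bytes, nonce_mt: bytes = bytes(range(16))):
    """Feed the server's first request to a fresh peer; return (flow taken, response bytes)."""
    peer = EapSimPeer(SAMPLE_IDENTITY, nonce_mt)
    response = peer.handle_request(first_request)
    return peer.flow, response


if __name__ == "__main__":
    for label, req in (("RFC 4186", IDENTITY_REQUEST), ("3GPP TS 43.318", SIM_START_REQUEST)):
        flow, resp = run_first_exchange(req)
        print(f"{label:15s} first request -> flow={flow}, response={resp.hex()}")
```

The practical point for a client implementation is in handle_request: it keys on the EAP type and SIM subtype of whatever arrives rather than on a fixed expected sequence, so a SIM/Start arriving as the very first request is accepted instead of being rejected as out of order, while a server that does send EAP-Request/Identity first is still answered normally.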