Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Tobias Brunner
Hi Dirk,

>> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
>> regard; likely that it is related to the replaced ipsec.conf parser.
>
> It's probably the new parser.
> Checking the logs on the gateway running 5.1.3 I discovered that the
> rightsendcert = never wasn't honoured for any connection. Windows 7 eap
> clients received a cert request too. So your suggestion to remove this
> option from our config should be no problem.

Intriguing.  Could you send me the complete config file that manifests
this difference in behavior?

Thanks,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Dirk Hartmann

Hi Tobias,

--On Wednesday, July 16, 2014 10:48:30 AM +0200 Tobias Brunner 
tob...@strongswan.org wrote:



>>> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
>>> regard; likely that it is related to the replaced ipsec.conf parser.
>>
>> It's probably the new parser.
>> Checking the logs on the gateway running 5.1.3 I discovered that the
>> rightsendcert = never wasn't honoured for any connection. Windows 7
>> eap clients received a cert request too. So your suggestion to
>> remove this option from our config should be no problem.
>
> Intriguing.  Could you send me the complete config file that manifests
> this difference in behavior?


sure
The normal ipsec.conf includes all *.conf files in the connections 
directory.

The files in this directory are named:
0_all_w7_eapmschap.conf, which I attached as it holds the
rightsendcert = never.

One file 98_partner1.conf.
The rest are subnet related config files named 172.xx.xx-name.conf; I
added one too.


Best regards
Dirk


Attachments (binary data):
  ipsec.conf
  0_all_w7_eapmschap.conf
  98_partner1.conf
  172.25.22-abt1.conf

Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Tobias Brunner
Hi Dirk,

>>>> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
>>>> regard; likely that it is related to the replaced ipsec.conf parser.
>>>
>>> It's probably the new parser.
>>> Checking the logs on the gateway running 5.1.3 I discovered that the
>>> rightsendcert = never wasn't honoured for any connection. Windows 7
>>> eap clients received a cert request too. So your suggestion to
>>> remove this option from our config should be no problem.
>>
>> Intriguing.  Could you send me the complete config file that manifests
>> this difference in behavior?
>
> sure
> The normal ipsec.conf includes all *.conf files in the connections
> directory.
> The files in this directory are named:
> 0_all_w7_eapmschap.conf, which I attached as it holds the
> rightsendcert = never.
> One file 98_partner1.conf.
> The rest are subnet related config files named 172.xx.xx-name.conf; I
> added one too.

Thanks a lot.  It's definitely caused by the new parser.  The difference
is the order in which included files are handled.  I wasn't fully aware
of this, but apparently the old parser stored the included files (as
returned by glob) on a stack and then parsed them beginning from the
top.  So the example files were read in this order:

  ipsec.conf before include
  98_partner1.conf
  172.25.22-abt1.conf
  0_all_w7_eapmschap.conf
  ipsec.conf after include

Which is probably exactly the opposite of what you intended to achieve
with those number prefixes.  So with the old parser the win7eapmschap
config was the last one passed to charon, and thus never got used for
the early IKE phase where the left|rightsendcert option applies and the
IP addresses and IKE version are used to find a matching config.

The new parser handles included files in alphabetical order (i.e.
reversed in comparison), which means the win7eapmschap config is now the
first one passed to charon.

Regards,
Tobias
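
The include ordering described in the message above, as an added example that is not part of the original thread and is not strongSwan's parser code. The file names come from the thread; the file contents, the conn names other than win7eapmschap, and the helper names are constructed assumptions.

```python
# Added example: a model of the include ordering described in the thread,
# not strongSwan's parser. File contents and conn names are constructed.
import fnmatch

FILES = {  # constructed stand-ins; the real attachments are not on the page
    "connections/0_all_w7_eapmschap.conf": "conn win7eapmschap\n    rightsendcert=never\n",
    "connections/98_partner1.conf": "conn partner1\n",
    "connections/172.25.22-abt1.conf": "conn abt1\n",
}
MAIN = "conn before-include\ninclude connections/*.conf\nconn after-include\n"


def expand(pattern, stack_order):
    """Paths matched by an include pattern, in the order they get parsed."""
    matches = sorted(fnmatch.filter(FILES, pattern))  # alphabetical order
    # Old behaviour per the thread: results pushed on a stack, parsed from the top.
    return matches[::-1] if stack_order else matches


def load_order(text, stack_order):
    """Return [(source file, conn name, options)] in parse order."""
    conns = []

    def parse(source, body):
        for line in body.splitlines():
            stripped = line.split("#", 1)[0].strip()
            if stripped.startswith("include "):
                for path in expand(stripped.split(None, 1)[1], stack_order):
                    parse(path, FILES[path])
            elif stripped.startswith("conn "):
                conns.append((source, stripped.split(None, 1)[1], {}))
            elif conns and line[:1].isspace() and "=" in stripped:
                key, value = stripped.split("=", 1)
                conns[-1][2][key.strip()] = value.strip()

    parse("ipsec.conf", text)
    return conns


def rank(order, name):
    """Zero-based position of a conn in the parse order."""
    return [conn for _, conn, _ in order].index(name)


if __name__ == "__main__":
    for label, stack in (("old parser", True), ("new parser", False)):
        order = load_order(MAIN, stack)
        print(label, [f"{conn} ({src})" for src, conn, _ in order])
        print("  win7eapmschap position:", rank(order, "win7eapmschap"))
```

Running it against a real connections directory listing before an upgrade shows which conn carrying left|rightsendcert moves to the front of the order.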



[strongSwan] Sizing information

2014-07-16 Thread Alex Gregory
Hello-

Is there any information out there regarding sizing guidelines?

Thanks,

Alex
