The iked.conf, output/logs from iked running -v, and a description of
client setup would help.
Don't forget to include your PSK. :-)
On Thu, Sep 25, 2014 at 1:09 AM, Artem Falcon lo...@gero.in wrote:
Markus Wernig liste...@wernig.net:
...
But the client is unable to connect to the VPN GW,
Markus Wernig liste...@wernig.net:
...
But the client is unable to connect to the VPN GW, and I just can't find
out what's going wrong. Unfortunately there are two ways it is failing:
1) Client sends IKEv2 msg IKE_SA_INIT on Port 500, VPN GW replies with
IKE_SA_INIT and CertReq, *then
Hi all
To finish off this ancient thread, I've written up what it took to get
StrongSwan to play nicely with iked and to build a GRE tunnel over the
IPSec link:
http://markus.wernig.net/en/it/ip6tunnel.phtml
Any feedback is of course very welcome.
krgds /markus
On 08/13/2014 06:05 AM, Markus
On 08/10/2014 03:09 PM, Reyk Floeter wrote:
Just try to increase the number of vs to get more info, for example,
iked -dvv or iked -dvvv to get packet dumps.
Thanks for the hint. That brought some progress.
I've now switched back to -current and changed the client setup (I had
been using the
On Tue, Aug 12, 2014 at 11:39:11AM +0200, Markus Wernig wrote:
On 08/10/2014 03:09 PM, Reyk Floeter wrote:
Just try to increase the number of vs to get more info, for example,
iked -dvv or iked -dvvv to get packet dumps.
Thanks for the hint. That brought some progress.
I've now switched
On 08/12/2014 11:58 AM, Reyk Floeter wrote:
Operation not supported is from the kernel returning EOPNOTSUPP.
If any of the following sysctls are turned off and it is requested via
the PFKEYv2 socket, the kernel will return EOPNOTSUPP:
net.inet.esp.enable=1
net.inet.ah.enable=1
On 08/12/2014 12:33 PM, Markus Wernig wrote:
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
address_src: A.B.C.D
address_dst: 10.x.y.z
spirange: min 0x0100 max 0x
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
sa: spi 0xfe52d794
On 08/12/2014 05:39 PM, Markus Wernig wrote:
But really, I think this is the problem:
Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
SA spi 0xcb320247
Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
Aug 12 16:56:18 tunnel iked[22215]:
On Tue, Aug 12, 2014 at 06:57:50PM +0200, Markus Wernig wrote:
On 08/12/2014 05:39 PM, Markus Wernig wrote:
But really, I think this is the problem:
Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
SA spi 0xcb320247
Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow:
On 08/12/2014 07:19 PM, Reyk Floeter wrote:
Another reason for AF 0 could be the use of the keyword any in your
iked.conf. I thought we fixed that before to inherit the AF from the
peer, but try to use 0.0.0.0/0 instead of any for IPv4 and
something like ::/0 for IPv6.
Reyk
Yes, that
Finally found a rather awkward workaround:
1) On the VPN GW, set an ip alias from a different subnet
(192.168.100.1/24) on the primary interface
2) Set up iked.conf with
ikev2 ...
from 0.0.0.0/0 to 192.168.100.0/24
config address 192.168.100.0/24
config address
Hi all
I am trying to set up an ipsec tunnel with iked in a double NAT scenario:
Client -- NAT GW 1 -- Inet -- NAT GW 2 -- VPN GW
Client has 192.168.1.x, User is j...@doe.com
VPN GW has 10.x.y.z, hostname vpn.doe.com
NAT GW 1 does hide NAT to A.B.C.D
NAT GW 2 does static NAT for public GW IP,
Hi,
On Sun, Aug 10, 2014 at 02:48:42PM +0200, Markus Wernig wrote:
Hi all
I am trying to set up an ipsec tunnel with iked in a double NAT scenario:
Client -- NAT GW 1 -- Inet -- NAT GW 2 -- VPN GW
Client has 192.168.1.x, User is j...@doe.com
VPN GW has 10.x.y.z, hostname vpn.doe.com