[Swan-commit] Changes to ref refs/heads/main

2024-01-14 Thread Andrew Cagney
New commits: commit e349e8640d8c913dd4298101d2375b7b5f8a21b9 Author: Andrew Cagney Date: Sun Jan 14 21:52:34 2024 -0500 routing: handle ESTABLISH_IKE_SA, UNROUTED_INBOUND, PERMANENT see: routing: unhandled ESTABLISH_IKE_SA, UNROUTED_INBOUND, PERMANENT #1536

[Swan-commit] Changes to ref refs/heads/main

2024-01-14 Thread Andrew Cagney
New commits: commit 8063fff9d74b53bfd3ba777a9d918ecfd589336b Author: Andrew Cagney Date: Sun Jan 14 21:52:03 2024 -0500 testing: update ikev1-29-quick-restart ___ Swan-commit mailing list Swan-commit@lists.libreswan.org

Re: [Swan] how/where to configure list of 'valid' certs

2024-01-14 Thread John Crisp
On 14 January 2024 16:14:55 CET, Marc wrote:
> Or is there some sort of certificate revoke file I can configure somewhere?

Check Certificate Revocation Lists in the documentation.
https://www.openssl.org/docs/man3.0/man1/openssl-crl.html
https://libreswan.org/man/ipsec.conf.5.html
-- Sent
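The CRL workflow John points to, as an added worked example that is not part of this thread and not libreswan's or OpenSSL's own tooling: it builds a throwaway CA, issues one client certificate, revokes it, publishes a CRL, and shows that "openssl verify" still accepts the certificate until the CRL is actually consulted with -crl_check. The CA name "Example CA" is taken from Marc's rightca=; the client name client1.example.com, the OU vpn-users, and the working directory are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not libreswan's or OpenSSL's own tooling): throwaway CA,
# one client cert, revoke it, generate a CRL, verify with and without it.
# CA name, client name, OU and paths are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"
CNF="$CA_DIR/openssl.cnf"

# Minimal openssl.cnf for "openssl ca": database, serial and CRL-number
# files live under CA_DIR; the policy only insists on a CommonName.
write_config() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = example_ca

[ example_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = client_cert

[ policy_any ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA with cRLSign, so the CRL it issues verifies later.
make_ca() {
    openssl req -x509 -config "$CNF" -extensions ca_cert -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" -days 365 \
        -subj "/O=Example/CN=Example CA" 2>/dev/null
}

# CSR for one VPN client, signed by the CA above.
issue_client() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/O=Example/OU=vpn-users/CN=client1.example.com" 2>/dev/null
    openssl ca -batch -config "$CNF" -in "$WORK/client.csr" \
        -out "$WORK/client.crt" -notext 2>/dev/null
}

# Mark the client as revoked in the CA database and publish a fresh CRL.
revoke_client() {
    openssl ca -config "$CNF" -revoke "$WORK/client.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Chain validation only: a revoked cert still passes this.
verify_without_crl() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Same validation with revocation checking against the published CRL.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$WORK/crl.pem" \
        "$WORK/client.crt" >/dev/null 2>&1
}

# Number of revoked entries listed in the CRL.
crl_revoked_count() {
    openssl crl -in "$WORK/crl.pem" -noout -text | grep -c 'Serial Number:'
}

write_config
make_ca
issue_client
revoke_client
printf 'without CRL: %s\n' "$(verify_without_crl && echo accepted || echo rejected)"
printf 'with CRL:    %s\n' "$(verify_with_crl && echo accepted || echo rejected)"
```

The point of the last two lines: a CRL only protects you where the verifier is configured to load and honour it, so after generating crl.pem the remaining work is on the gateway side (see the ipsec.conf(5) link above for libreswan's CRL options), and the CRL has to be regenerated before default_crl_days runs out or the check starts failing for every client.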

[Swan] thought I had connection with arping

2024-01-14 Thread Marc
If I do a ping from the ipsec client to the host, it stalls. When I execute this command in the libreswan container:

arping -c 10 -i eth1 -S 192.168.x.3 192.168.11.15

the ipsec client can ping the host, but after 7 seconds the ping stalls again. Has anyone had something like this?

[Swan] letsencrypt: Added "ipsec letsencrypt" command

2024-01-14 Thread Marc
Should ipsec letsencrypt not be replaced with ipsec acme? ___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan

Re: [Swan] getting traffic in 1 direction only

2024-01-14 Thread Marc
Managed to get it working by adding the arping to the updown script:

arping -c2 -i ${PLUTO_INTERFACE} -S ${PLUTO_PEER_CLIENT} 192.168.x.x

> leftsubnet=192.168.x.0/24
> rightaddresspool=192.168.x.1-192.168.x.10
>
> Is this even possible?
>
> This looks as to be expected for the ip of
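Marc's fix above runs arping from the updown script, which only answers ARP for the pool address while arping is running. An added example, not libreswan's stock _updown script and not from this thread: a leftupdown= wrapper that installs a persistent proxy-ARP neighbour entry for the client's /32 on the LAN interface when the client comes up, removes it when the client goes down, and then hands over to the stock script for the normal routing work. The LAN interface name (br0, from Marc's tcpdump) and the stock script path are assumptions; PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_INTERFACE are the usual updown environment variables.

```sh
#!/bin/sh
# Added example, not libreswan's stock _updown: a leftupdown= wrapper that
# publishes a proxy-ARP entry for a pool client's /32 on the LAN side so
# hosts in leftsubnet can reach an address that lives behind the tunnel.
# LAN_IF and UPDOWN are assumptions; the PLUTO_* names are the updown env.
set -eu

LAN_IF="${LAN_IF:-br0}"                          # assumption: LAN bridge
UPDOWN="${UPDOWN:-/usr/libexec/ipsec/_updown}"   # assumption: stock script path

# "192.168.1.3/32" -> "192.168.1.3"
cidr_host() { printf '%s\n' "${1%%/*}"; }

# Pool leases arrive as single-host selectors; only those get a proxy entry,
# a whole subnet (e.g. a site-to-site peer) never does.
is_host_cidr() { case "$1" in */32) return 0 ;; *) return 1 ;; esac; }

# Build the neighbour-table command for "add" or "del" without running it,
# so the decision logic can be inspected and tested stand-alone.
proxy_arp_cmd() {
    op="$1"; client="$2"
    is_host_cidr "$client" || return 1
    printf 'ip neigh %s proxy %s dev %s\n' "$op" "$(cidr_host "$client")" "$LAN_IF"
}

# Map an updown verb to the neighbour operation it needs, if any.
verb_to_op() {
    case "$1" in
        up-client)   echo add ;;
        down-client) echo del ;;
        *)           return 1 ;;
    esac
}

# Only act when pluto invokes us; sourcing the file for inspection does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    if op=$(verb_to_op "$PLUTO_VERB") && cmd=$(proxy_arp_cmd "$op" "${PLUTO_PEER_CLIENT:-}"); then
        $cmd 2>/dev/null || true   # re-adding an existing entry is harmless
    fi
    exec "$UPDOWN" "$@"            # then do the normal route/policy work
fi
```

Usage: install the script with the executable bit set and point leftupdown= at it in the conn. The entry is scoped to a single /32 and is removed on down-client, so a LAN host never keeps answering for a pool address after the client has gone; anything that is not a /32 is deliberately left alone.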

Re: [Swan] getting traffic in 1 direction only

2024-01-14 Thread Marc
leftsubnet=192.168.x.0/24
rightaddresspool=192.168.x.1-192.168.x.10

Is this even possible?

> This looks as to be expected for the ip of the ipsec client/peer:
>
> :/etc/ipsec.d# ipsec showroute -4 192.168.x.3
> publicip publicgwip 192.168.x.3
>
> However execute the same command for a

Re: [Swan] getting traffic in 1 direction only

2024-01-14 Thread Marc
This looks to be as expected for the IP of the ipsec client/peer:

:/etc/ipsec.d# ipsec showroute -4 192.168.x.3
publicip publicgwip 192.168.x.3

However, executing the same command for a local host, I get the same result:

:/etc/ipsec.d# ipsec showroute -4 192.168.x.15
publicip publicgwip

[Swan] getting traffic in 1 direction only

2024-01-14 Thread Marc
If I do a ping on the ipsec client, I can see it arrive on the destination host with a tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:51:25.694274 IP 192.168.x.3 > 192.168.x.15: ICMP

[Swan-commit] Changes to ref refs/heads/main

2024-01-14 Thread Andrew Cagney
New commits: commit 46a4a5eafcb0a121a1e1a2da7e1d3c33ad7b8c5c Author: Andrew Cagney Date: Sun Jan 14 11:48:18 2024 -0500 testing: update ikev1-29-quick* tests

[Swan-commit] Changes to ref refs/heads/main

2024-01-14 Thread Andrew Cagney
New commits: commit 282422a0c7738c3f8e526a7bf72d536d01140f10 Author: Andrew Cagney Date: Sun Jan 14 11:46:13 2024 -0500 ipsec unroute: down all connections before unrouting fix: routing: unhandled UNROUTE, UNROUTED_INBOUND, PERMANENT #1531 why, other than a lack of

Re: [Swan] how/where to configure list of 'valid' certs

2024-01-14 Thread Marc
> strangely this:
>
> rightid="O=Example,CN=android13client.example.com"
> and
> rightid="CN=android13client.example.com"
>
> allows access, however
>
> rightid="CN=*.example.com"
>
> does not (on android strongswan client)

should be this of course (sorry, my 2nd day on libreswan)

Re: [Swan] how/where to configure list of 'valid' certs

2024-01-14 Thread Marc
Strangely, this:

rightid="O=Example,CN=android13client.example.com"
and
rightid="CN=android13client.example.com"

allows access; however

rightid="CN=*.example.com"

does not (on android strongswan client). But this does not really solve my problem. When I issue certs for

Re: [Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted

2024-01-14 Thread Andrew Cagney
On Sat, 13 Jan 2024 at 18:13, Bill Atwood wrote:
>
> ??
>
> I do not understand your reply.

Offhand, it looks like the connection should match:

conn RITA6c
    left=fd51:20d9:5ad2:b::2
    leftid="CN=Ritchie Certificate"
    leftrsasigkey=%cert
    leftcert=RIcert
    right=fd51:20d9:5ad2:b::1

[Swan-commit] Changes to ref refs/heads/main

2024-01-14 Thread Andrew Cagney
New commits: commit ff207984d4d37dc53e6143a6f0c58bf3aff68f0c Author: Andrew Cagney Date: Sat Jan 13 21:34:19 2024 -0500 terminate: selectively print "terminating SAs using this connection" Only print the message when there are SAs that need terminating. commit

Re: [Swan] how/where to configure list of 'valid' certs

2024-01-14 Thread Paul Wouters
You use rightid= and match using x509 wildcards. E.g. place those you want to connect in the same Organizational Unit OU=foo and match the variable part with *, e.g. CN=*

Sent using a virtual keyboard on a phone

> On Jan 14, 2024, at 08:30, Marc wrote:
>
> Currently I am using
>

[Swan] how/where to configure list of 'valid' certs

2024-01-14 Thread Marc
Currently I am using

rightca="Example CA"

I would expand this with only a list of certificates that are allowed to connect. How/where/what is best to do this? Can this list be documented in the secrets file?