Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main

2024-04-20 Thread Paul Wouters via Swan-dev
On Sat, 20 Apr 2024, Andrew Cagney via Swan-commit wrote: libipsecconf: rename internal enum AUTOSTART_ONDEMAND -> AUTOSTART_ROUTE This is wrong. The libipsecconf names match the _keywords_ used by auto= and auto=route has been long obsoleted for auto=ondemand. consistent with other

[Swan-commit] Changes to ref refs/heads/main

2024-04-17 Thread Paul Wouters via Swan-commit
New commits: commit ca6cfbe2682dd18200672d05baf09daa75465d70 Author: Paul Wouters Date: Wed Apr 10 21:59:05 2024 -0400 security: add CVE-2024-3652.txt ___ Swan-commit mailing list Swan-commit@lists.libreswan.org https://lists.libreswan.org

[Swan-commit] Changes to ref refs/heads/main

2024-04-15 Thread Paul Wouters via Swan-commit
New commits: commit a9fd7976c1b2691a027edc73205595c76e0233ce Author: Paul Wouters Date: Mon Apr 15 12:40:02 2024 -0400 documentation: update CHANGES for v4.15

Re: [Swan] Regarding: pluto error message in packet capture

2024-04-01 Thread Paul Wouters via Swan
On Mon, 1 Apr 2024, kumar priyankar via Swan wrote: Issue is that my log space suddenly started getting filled up on the server, when checked in syslog and also in pcap, I saw only one message. pluto: ERROR: recvmsg(,, MSG_ERRQUEUE) on eth0 failed (noticed before read_packet) (attempt 9).

Re: [Swan] Libreswan 5.0rc2 cannot start on debian bullseye

2024-03-28 Thread Paul Wouters via Swan
Sent using a virtual keyboard on a phone > On Mar 28, 2024, at 17:24, antonio via Swan wrote: > > Hi, > > I’m trying to install libreswan 5.0rc2 on a debian bullseye but I got the > error when trying to start it: That seems a bug in unbound when compiled with nettle on Debian? Maybe dkg

Re: [Swan] Android 14 - IKEv2/IPSEC PSK

2024-03-28 Thread Paul Wouters via Swan
On Wed, 27 Mar 2024, antonio via Swan wrote: I’m trying to connect an android device using native vpn and libreswan version 5.0rc2, it looks like a simple connection host - host/subnet but it doesn’t connect… got the following log: Note that the logs provided do not yet indicate a

[Swan-commit] Changes to ref refs/heads/main

2024-03-12 Thread Paul Wouters via Swan-commit
New commits: commit 38b5ca55c4e8f0265da8a98e91cfb9bcc55d89b4 Author: Paul Wouters Date: Mon Mar 11 22:09:05 2024 -0400 documentation: merge in v4.13/v4.14 CHANGES

[Swan-commit] Changes to ref refs/heads/main

2024-03-11 Thread Paul Wouters via Swan-commit
New commits: commit e80ee435de583eebad690e91f3af4fd3e0f929c8 Author: Paul Wouters Date: Mon Mar 11 17:47:37 2024 -0400 Bump to 5.0rc2

[Swan-commit] Changes to ref refs/heads/main

2024-03-11 Thread Paul Wouters via Swan-commit
New commits: commit 2546f2783560b4e19dbbfc595d47e7f72547fe49 Author: Paul Wouters Date: Sun Mar 10 19:25:41 2024 -0400 security: Added CVE-2024-2357.txt

[Swan-commit] Changes to ref refs/heads/main

2024-03-09 Thread Paul Wouters via Swan-commit
New commits: commit d834d7660569fc95731bfd8bc475bf8af0321559 Author: Paul Wouters Date: Sat Mar 9 18:10:06 2024 -0500 testing: clean some cruft comments

[Swan-commit] Changes to ref refs/heads/main

2024-03-05 Thread Paul Wouters via Swan-commit
New commits: commit 98cdfe71c053dbd6f076bcccbbc998e4802826cf Author: Paul Wouters Date: Tue Mar 5 10:24:06 2024 -0500 documentation: fix man page for listen-tcp= default

[Swan-dev] state numbers in enduser output?

2024-03-05 Thread Paul Wouters via Swan-dev
On Tue, 5 Mar 2024, Andrew Cagney via Swan-commit wrote: Date: Mon Mar 4 20:15:11 2024 -0500 ikev2: drop and NOT sending notify it's redundant and confusing vis: "west-cuckold" #4: sent INFORMATIONAL request to delete IKE SA "west-cuckold" #5: ESP traffic information:

Re: [Swan] default config that works with recent android/win10/win11/macos/ios

2024-03-04 Thread Paul Wouters via Swan
> On Mar 4, 2024, at 05:24, Marc via Swan wrote: > > I think that is always such crappy excuse 'I do this for free ..'. If you are > at some store and you see the owner give your kids some sweet that you saw > previously fell on the floor. Would you accept his argument 'but it was for >

Re: [Swan] default config that works with recent android/win10/win11/macos/ios

2024-03-01 Thread Paul Wouters via Swan
On Thu, 29 Feb 2024, Marc via Swan wrote: Where can I find a working and tested config, that offers vpn connectivity with the os default clients of android, win10, win11, macos and ios? (maybe put this on some wiki/example page) Not sure there is one as the variations in systems are almost

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-03-01 Thread Paul Wouters via Swan
On Fri, 1 Mar 2024, Phil Nightowl wrote: still could not get it fixed so far. Is there perhaps an overview of the testing configurations? Not a real overview, but there is a list. Each of the entries has its own description.txt file:

Re: [Swan-dev] Mac OS Sonoma IKEv2 issue

2024-03-01 Thread Paul Wouters via Swan-dev
On Fri, 1 Mar 2024, Rolando Bermúdez Peña via Swan-dev wrote: I have libreswan version "ibreswan-3.25-4.8.amzn2.0.2.x86_64" for a vpn in a server. I am trying to connect using IKEv2 from Mac clients. From a Mac with Ventura it connects fine, from a Mac with Sonoma it does not connect. These

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-27 Thread Paul Wouters via Swan
On Tue, 27 Feb 2024, Phil Nightowl wrote: pluto[30425]: "remotesite"[1] 203.0.113.55 #2: responder established Child SA using #1; IPsec tunnel [192.168.1.253-192.168.1.253:0-65535 0] -> [203.0.113.55-203.0.113.55:0-65535 0] {ESPinUDP=>0x7522bc14 <0x80c5c828 xfrm=AES_GCM_16_256-NONE

Re: [Swan-dev] What does "missing v2CP reply" mean?

2024-02-27 Thread Paul Wouters via Swan-dev
On Tue, 27 Feb 2024, Brady Johnson via Swan-dev wrote: We tried several changes to the client nmstate configuration. Setting "ipv4: dhcp: false" caused a configuration error in nmstate. We have created a bug for that and the nmstate team is working on it. Then, we tried with the same client

[Swan-commit] Changes to ref refs/heads/main

2024-02-23 Thread Paul Wouters via Swan-commit
New commits: commit c040ce61a3899bc2df0fd8a18be8d6e4fb919696 Author: Paul Wouters Date: Fri Feb 23 16:31:24 2024 -0500 testing: ikev2-05-basic-psk add global secrets This re-uses the test to ensure the most specific secret is picked irrespective of the location of the global

[Swan-dev] NAT and intermediate exchange

2024-02-22 Thread Paul Wouters via Swan-dev
On Thu, 22 Feb 2024, Andrew Cagney via Swan-commit wrote: New commits: commit 8f2151aab6084561bdeb8c49206ee238b508eecc Author: Andrew Cagney Date: Thu Feb 22 10:58:13 2024 -0500 ikev2: drop code checking for NAT during IKE_INTERMEDIATE exchange NAT happens during IKE_SA_INIT;

[Swan-commit] Changes to ref refs/heads/main

2024-02-21 Thread Paul Wouters via Swan-commit
New commits: commit d2ccd5d58f491bef3253151faf4c4bf253965bd4 Author: Paul Wouters Date: Wed Feb 21 15:03:44 2024 -0500 testing: update forgotten west.console.txt for addconn-37-nic-offload

[Swan-commit] Changes to ref refs/heads/main

2024-02-21 Thread Paul Wouters via Swan-commit
New commits: commit 6c8b02569f7270266bc1e51661b5c761c584c804 Author: Paul Wouters Date: Wed Feb 21 14:21:29 2024 -0500 testing: add test to addconn-37-nic-offload for encapsulation=yes commit b1957720206ff006c87b5471faa9c7a371432469 Author: Paul Wouters Date: Wed Feb 21 13:43:06 2024

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-21 Thread Paul Wouters via Swan
On Wed, 21 Feb 2024, Phil Nightowl wrote: Server conf: conn remotesite left=%defaultroute leftcert=server leftsubnet=192.168.1.253/32 right=%any rightaddresspool=192.0.2.0/24 auto=add ikev2=yes authby=rsasig leftid=%fromcert rightid=%fromcert

[Swan-commit] Changes to ref refs/heads/main

2024-02-21 Thread Paul Wouters via Swan-commit
New commits: commit 1cd6ead3160c5449201035b47360e8c36184ad7e Author: Paul Wouters Date: Wed Feb 21 13:28:26 2024 -0500 pluto: If connection is NAT'ed abort on nic-offload=packet No known hardware currently supports offloading with encapsulation. On initiator, we can abort

[Swan-commit] Changes to ref refs/heads/main

2024-02-21 Thread Paul Wouters via Swan-commit
New commits: commit b8d327f911da6e1c672dea25c19c04da11209769 Author: Paul Wouters Date: Wed Feb 21 12:29:47 2024 -0500 documentation: minor update to libreswan(7) man page Resolves: https://github.com/libreswan/libreswan/issues/1469

[Swan-commit] Changes to ref refs/heads/main

2024-02-21 Thread Paul Wouters via Swan-commit
New commits: commit 481c0eb7957d3ad8e1f744cb8f2434a1f596d5e1 Author: Paul Wouters Date: Wed Feb 21 11:55:11 2024 -0500 cleanup: remove configs/st which is a copy of portexcludes.conf.in

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-20 Thread Paul Wouters via Swan
On Wed, 21 Feb 2024, hr...@inmail.cz wrote: Subject: Re: [Swan] Possible to setup multiple connections, partly behind NAT? If you have NAT, then you no longer have a host-to-host connection. What internal IPs should be used? Some end has to hand out an IP address for the other end to use.

[Swan-dev] labeled TS don't search for a connection ?

2024-02-20 Thread Paul Wouters via Swan-dev
I see this commit: commit f198add4b08640d1b67aef19168998070b65b725 Author: Andrew Cagney Date: Tue Feb 20 20:25:33 2024 -0500 ikev2: when responding to labeled TS don't search for a connection only possible match is the IKE SAs (note that at this point the Child SA is sharing

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-20 Thread Paul Wouters via Swan
On Tue, 20 Feb 2024, Phil Nightowl wrote: Subject: Re: [Swan] Possible to setup multiple connections, partly behind NAT? Should I remove the leftsubnet/rightsubnet options altogether? Yes. After doing that, I tried to connect from remotehost1.privlan to server.privlan - which now should

Re: [Swan] IKE SA authentication request rejected by peer: INVALID_SYNTAX

2024-02-19 Thread Paul Wouters via Swan
Try without reauth=yes? Also your super short timeouts might cause weird things too. Paul Sent using a virtual keyboard on a phone On Feb 19, 2024, at 10:36, John Crisp via Swan wrote: Hi, be grateful for some help! Trying to figure out what is

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-16 Thread Paul Wouters via Swan
On Thu, 15 Feb 2024, Phil Nightowl wrote: conn headq left=%defaultroute leftcert=remotehost1 leftid=%fromcert right=198.51.100.33 rightid=%fromcert leftsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0 What are you trying to do here? Where does 0.0.0.0/0 live? It cannot live at both

Re: [Swan-dev] What does "missing v2CP reply" mean?

2024-02-16 Thread Paul Wouters via Swan-dev
On Fri, 16 Feb 2024, Brady Johnson via Swan-dev wrote: Subject: Re: [Swan-dev] What does "missing v2CP reply" mean? Would it be more helpful to enable debug logging? Or is there some other test that could be done to figure this out? It seems your peer has not been configured to hand out IP

Re: [Swan] SAML2.0 authentication

2024-02-15 Thread Paul Wouters via Swan
No, again the IKEv2 protocol uses EAP for any external authentication mechanism, so it would need to use an existing EAP method. While EAP-mschapv2 could be used, libreswan doesn’t support that yet. The pam-authorize=yes method is only a method to reject a connection based on remote ID, not to

Re: [Swan] SAML2.0 authentication

2024-02-14 Thread Paul Wouters via Swan
On Wed, 14 Feb 2024, David Valiente via Swan wrote: I have a requirement where VPN users are to authenticate against Google through SAML. Authentication MUST be done via SAML, no oauth. This I guess would be some kind of EAP method? I know of no other authentication method specified for

Re: [Swan] nic-offload, was Re: [External] : Re: Question on opportunistic ipsec for multiple interfaces on same subnet

2024-02-14 Thread Paul Wouters via Swan
On Wed, 14 Feb 2024, Mamta Gambhir wrote: I have no issues now with nic-offload=packet , but do see issues with communication when I use same subnet in the two private-or-clear sections. Above had worked for me in the past on both interfaces. You mean without nic-offload? I am now using

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-13 Thread Paul Wouters via Swan
On Tue, 13 Feb 2024, Phil Nightowl wrote: conn headq left=%defaultroute leftcert=remotehost1 leftid=%fromcert right=198.51.100.33 rightid=%fromcert leftsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0 What are you trying to do here? Where does 0.0.0.0/0 live? It cannot live at both

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-12 Thread Paul Wouters via Swan
On Sat, 10 Feb 2024, Tuomo Soini via Swan wrote: On Fri, 9 Feb 2024 23:35:39 +0100 Phil Nightowl via Swan wrote: I am used to utilise X.509, so I have leftid=%fromcert everywhere. Does the above mean that I should use something like right=%any rightid="CN=*.privlan,O=MyOrg,C=CA" ?

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-09 Thread Paul Wouters via Swan
On Fri, 9 Feb 2024, Phil Nightowl wrote: Without these, you would only match a single left and right IP/32, and when using right=%any that would become 0.0.0.0/32 which is a single IP address. Please forgive me, I still don't get it, To me, it seems that even if those subnets are single IPs

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-08 Thread Paul Wouters via Swan
On Fri, 9 Feb 2024, Phil Nightowl wrote: Along your advice, I changed the config files on host1.privlan (applicable to any host on my 192.168.1.x except server.privlan). SSH access is fixed, the config on host1.privlan does not use opportunistic encryption any longer and works fine. Adding

[Swan-commit] Changes to ref refs/heads/main

2024-02-08 Thread Paul Wouters via Swan-commit
New commits: commit d300ead77078a338efa0ce7964c4822aa933bbc0 Author: Paul Wouters Date: Thu Feb 8 20:55:27 2024 -0500 documentation: remove alsoflip= mentions commit 81fa930d8935eda428da53762063cd55e8a6a927 Author: Paul Wouters Date: Thu Feb 8 20:53:30 2024 -0500 pluto: Do not run

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-08 Thread Paul Wouters via Swan
On Thu, 8 Feb 2024, Phil Nightowl wrote: I would try 4.12. Can you tell me that this is not strictly required to make it work? Of course, I am going to upgrade at some point - but It will make my life much easier if I don't have to do it on all hosts involved and right now. No I can't

Re: [Swan] Possible to setup multiple connections, partly behind NAT?

2024-02-07 Thread Paul Wouters via Swan
On Wed, 7 Feb 2024, Phil Nightowl via Swan wrote: I am failing to configure multiple simultaneous connections with part of the clients behind NAT and part not (though not sure to what extent is *that* the main issue). Before elaborating thoroughly, can anyone please tell if the following

Re: [Swan] what problem do I have here?

2024-02-07 Thread Paul Wouters via Swan
On Wed, 7 Feb 2024, Marc wrote: This is a win10 client. What problem do I have here? Feb 6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320: 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED so we received a proposal like: esp=aes_gcm128,aes_gcm256 with DH14 but

Re: [Swan] what problem do I have here?

2024-02-07 Thread Paul Wouters via Swan
On Wed, 7 Feb 2024, Marc via Swan wrote: This is a win10 client. What problem do I have here? Feb 6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320: 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED so we received a proposal like: esp=aes_gcm128,aes_gcm256 with

Re: [Swan] ip based on certs

2024-02-04 Thread Paul Wouters
That is strongswan, not libreswan. Libreswan does not support eap-mschapv ___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan

Re: [Swan] always shitty orange is now fucking up ipsec connection

2024-02-04 Thread Paul Wouters
You can try setting a different ikeport if both ends support it, or you can try TCP on 4500 if both ends support it. Paul

[Swan-commit] Changes to ref refs/heads/main

2024-02-02 Thread Paul Wouters
New commits: commit dbebd05ce620bbe5bc462f3ed0d984f9e59ec18a Author: Paul Wouters Date: Fri Feb 2 21:40:37 2024 -0500 documentation: update seccomp man page entry of ipsec.conf commit 5c58697d75f141ebfeb1b5ab2a0bf30be9b8 Author: Paul Wouters Date: Fri Feb 2 21:30:02 2024 -0500

Re: [Swan] ip based on certs

2024-01-31 Thread Paul Wouters
On Wed, 31 Jan 2024, Marc wrote: I am using this libreswan setup[1] I was wondering what would be the best practice to assign the same ip (from the rightaddresspool) to a client using a specific certificate. Maybe based on this rightid=%fromcert? It's on our TODO list, see

Re: [Swan] win10 (/ win11?) client user certs instead of machine

2024-01-31 Thread Paul Wouters
On Wed, 31 Jan 2024, Marc wrote: Subject: [Swan] win10 (/ win11?) client user certs instead of machine Is there a way to setup libreswan[1] in such a way it matches more windows defaults. Currently I have to distribute some powershell scripts that set "Use machine certificates"

Re: [Swan] peer authentication requires policy RSASIG_v1_5

2024-01-23 Thread Paul Wouters
On Tue, 23 Jan 2024, David Valiente wrote: Thanks, Paul that worked! Great! Now, one of my particular requirements is to have libreswan run in FIPS mode FIPS disables algorithms that windows uses, so the native windows client is not an option. Yes it can do RSA-SHA2, but you need to

Re: [Swan-dev] On re-applying "pluto: warn if loaded connection ended up unoriented" et.al.

2024-01-23 Thread Paul Wouters
On Mon, 22 Jan 2024, Andrew Cagney wrote: Also, please use separate commits for code and test cases in the future. Except this wasn't my mess. I was dealing with a commit that, once it became clear was broken, should have been quickly reverted, followed by an incomplete trickle of test

[Swan-dev] On re-applying "pluto: warn if loaded connection ended up unoriented" et.al.

2024-01-22 Thread Paul Wouters
On Mon, 22 Jan 2024, Andrew Cagney wrote: commit b575e15e80bcf0924bc96e3e7420092becedc42a Author: Andrew Cagney Date: Mon Jan 22 13:32:01 2024 -0500 Reapply "pluto: warn if loaded connection ended up unoriented" et.al. Log failed orient() during connection load using RC_LOG and not

Re: [Swan] peer authentication requires policy RSASIG_v1_5

2024-01-22 Thread Paul Wouters
On Mon, 22 Jan 2024, David Valiente wrote: I am trying to get a windows client connected to the VPN. Linux client works just fine with the same configuration, its just the windows client giving me crap. conn tcc-server left=172.14.0.28 leftcert=my-domain leftid=@my-domain

[Swan-commit] Changes to ref refs/heads/main

2024-01-22 Thread Paul Wouters
New commits: commit 441236b9aecf5094c45736cd1ae2b9406a2cfe73 Author: Paul Wouters Date: Mon Jan 22 16:25:21 2024 -0500 testing: update TFC test cases to properly show TFC is set This is to confirm the fix for https://github.com/libreswan/libreswan/issues/1569 commit

[Swan-commit] Changes to ref refs/heads/main

2024-01-21 Thread Paul Wouters
New commits: commit 8d39780969fe29941deb855993789a0a0abe47f9 Author: Paul Wouters Date: Sun Jan 21 19:43:30 2024 -0500 testing: add whack-04-route-route to TESTLIST commit b4d847721e285a585d080cc6f68655589beeb699 Author: Paul Wouters Date: Sun Jan 21 19:43:09 2024 -0500 testing

[Swan-commit] Changes to ref refs/heads/main

2024-01-19 Thread Paul Wouters
New commits: commit acf150b5b39bdf2cf9c9ba9604efa08dfcac4d65 Author: Paul Wouters Date: Fri Jan 19 14:06:45 2024 -0500 testing: fixup dynamic-iface-01 for orient log line commit e00873e8ad67b16e897cd0025ab3921efba3c857 Author: Paul Wouters Date: Fri Jan 19 12:32:30 2024 -0500

[Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Paul Wouters
New commits: commit 5decbc7a5be448fc351653b8cb664d7b76d53080 Author: Paul Wouters Date: Thu Jan 18 21:57:31 2024 -0500 testing: fixup addconn-20-conn-default

[Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Paul Wouters
New commits: commit efaf8421734914130a4bd35b72950fa92a4e8808 Author: Paul Wouters Date: Thu Jan 18 21:54:09 2024 -0500 testing: fixup addconn-34-encap-proto for orienting log line

[Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Paul Wouters
New commits: commit 6ab359275cbeefd0267e9207dfe286a42f195b79 Author: Paul Wouters Date: Thu Jan 18 20:11:52 2024 -0500 testing: update orient and addconn testcases for new orient msg commit be1b45921a0a5dfae2c7f26f108404374935eb96 Author: Paul Wouters Date: Thu Jan 18 18:36:57 2024

[Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Paul Wouters
New commits: commit c53c0b6c784a841261a715a40a8ad5ed922dc59b Author: Paul Wouters Date: Thu Jan 18 16:49:24 2024 -0500 pluto: change esp-hw-offload= to nic-offload= in logs

[Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Paul Wouters
New commits: commit 495403a498696d8bf36544621b21e34b8908e3a5 Author: Paul Wouters Date: Thu Jan 18 16:46:51 2024 -0500 pluto: rename detect_offload() functions to nic_detect_offload() commit 9c09d13fa2b758d3f653752579f9c0b9f8cf4021 Author: Paul Wouters Date: Thu Jan 18 16:44:30 2024

Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main

2024-01-18 Thread Paul Wouters
On Jan 18, 2024, at 11:09, Andrew Cagney wrote: > > New commits: > commit 726d9e3aa77feac5c26e13ad497b743b41149387 > Author: Andrew Cagney > Date: Thu Jan 18 08:34:49 2024 -0500 > >ikev2: drop redundant TRANSPORT vs TUNNEL conflict check > >... in

Re: [Swan-dev] pluto: tweak logging and ipsec traffic for HW offload

2024-01-18 Thread Paul Wouters
On Thu, 18 Jan 2024, Andrew Cagney wrote: Then the config parameter and whack options should both be renamed to (the horrible) esp-hw-offload= Someone seeing esp-hw-offload=crypto is going to look for that text in our documentation and usage messages, not nic-offload= But it might be called

Re: [Swan-dev] pluto: tweak logging and ipsec traffic for HW offload

2024-01-17 Thread Paul Wouters
On Wed, 17 Jan 2024, Andrew Cagney wrote: Much better - keeping with one log line for establishing the child. BTW, {ESP/ESN... esp-hw-offload=packet ...} could be reduced further to: {ESP/ESN... nic-offload=packet ...} so the field matches the config file name, or even: {ESP/ESN...

[Swan-commit] Changes to ref refs/heads/main

2024-01-17 Thread Paul Wouters
New commits: commit ec028da78d9cbcfd004d009a02fc82ecbe7a5a14 Author: Paul Wouters Date: Wed Jan 17 19:42:43 2024 -0500 pluto: tweak logging and ipsec traffic for HW offload Don't log/whack: "test" #1: initiator established IKE SA; authenticated peer using aut

[Swan-commit] Changes to ref refs/heads/main

2024-01-16 Thread Paul Wouters
New commits: commit c637914bfb68055d3d3a9927f8b1290669711a82 Author: Paul Wouters Date: Tue Jan 16 18:34:52 2024 -0500 testing: fix addconn-37-nic-offload and add comment to description.txt

Re: [Swan] subdomain certs not accepted

2024-01-16 Thread Paul Wouters
On Jan 16, 2024, at 13:51, Marc wrote: > > Working with the CA of the example on this page[1] > > certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" \ > -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2 > > certs xxx.example.com are accepted however aaa..example.com seem to

Re: [Swan] multiple vpn host certificates

2024-01-16 Thread Paul Wouters
On Tue, 16 Jan 2024, Marc wrote: Subject: [Swan] multiple vpn host certificates Is it possible to use for the vpn server multiple certificates, so people can dial into vpn.domain1.org vpn.domain2.org Yes, you use separate conns for that unless all those domains are listed on the same

[Swan-commit] Changes to ref refs/heads/main

2024-01-16 Thread Paul Wouters
New commits: commit fc3013aaf90a54ef1f1321c89be30091bcb187c3 Author: Paul Wouters Date: Tue Jan 16 10:15:25 2024 -0500 testing: update addconn-37-nic-offload

[Swan-commit] Changes to ref refs/heads/main

2024-01-16 Thread Paul Wouters
New commits: commit 1d09af8cde61f12db1826b427d76360c9faf9812 Author: Paul Wouters Date: Tue Jan 16 10:13:45 2024 -0500 testing: remove ikev2-26-nic-offload-no-hw-auto the option is no longer supported.

[Swan-commit] Changes to ref refs/heads/main

2024-01-16 Thread Paul Wouters
New commits: commit 9c6af054b0902ecea9fb0d159f23f6d1eb7aeff4 Author: Paul Wouters Date: Tue Jan 16 09:50:18 2024 -0500 documentation: add a note about delayed traffic counters with packet offload

[Swan-commit] Changes to ref refs/heads/main

2024-01-15 Thread Paul Wouters
New commits: commit 7db75995d0b24edf320fcca0a99c5d9522f14f67 Author: Paul Wouters Date: Mon Jan 15 20:42:10 2024 -0500 pluto: remove nic-offload=auto It is complicated to make this work as we need to load the policy matching for crypto or packet offload before we know

Re: [Swan] thought I had connection with arping

2024-01-15 Thread Paul Wouters
On Mon, 15 Jan 2024, Marc wrote: with such a config leftsubnet=192.168.21.0/24 rightaddresspool=192.168.21.200-192.168.21.210 This can’t really work. Where does the 192.16821.201 live? It’s both on left and on right. No ip's are either on the left or on the right. That is not

Re: [Swan] thought I had connection with arping

2024-01-15 Thread Paul Wouters
On Jan 15, 2024, at 14:50, Marc wrote: > >  >> >>> >>> > the arping is only sending 10, then quits and 7 seconds after that the ping > stalls. Oh I see you did not mix up the terms ping and arping. > >>> > with such a config > leftsubnet=192.168.21.0/24 >

Re: [Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted

2024-01-15 Thread Paul Wouters
itiator established IKE SA; authenticated peer '2048-bit > RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=Tarjan > certificate' issued by CA 'CN=ConU CSE HSPL' > "RITA6c" #2: initiator established Child SA using #1; IPsec tunnel > [fd51:20d9:5ad2:b::2

Re: [Swan-dev] Libreswan 5.0 RC1 Suggested Documentation Fixes

2024-01-15 Thread Paul Wouters
On Sat, 13 Jan 2024, Bill Atwood wrote: I suggest the following changes to README.md: 1. Under the heading "Building for REM based systems", line 3. "spce" -> "spec" 2. Under the heading "Compiling the userland and IKE daemon manually in /usr/local", the first line is "make programs",

Re: [Swan] thought I had connection with arping

2024-01-15 Thread Paul Wouters
On Sun, 14 Jan 2024, Marc wrote: Subject: [Swan] thought I had connection with arping If I do a ping from the ipsec client to the host, it stalls. When I execute in the libreswan container this command arping -c 10 -i eth1 -S 192.168.x.3 192.168.11.15 The ipsec client can ping the host but

Re: [Swan] letsencrypt: Added "ipsec letsencrypt" command

2024-01-15 Thread Paul Wouters
On Sun, 14 Jan 2024, Marc wrote: Subject: [Swan] letsencrypt: Added "ipsec letsencrypt" command should ipsec letsencrypt not be replaced with ipsec acme No, because the command is specific to LetsEncrypt and its Root CA certificates and download URLs and API. Paul

Re: [Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted

2024-01-15 Thread Paul Wouters
On Mon, 15 Jan 2024, Tuomo Soini wrote: On Mon, 15 Jan 2024 13:23:58 -0500 Bill Atwood wrote: Here is the result of the status command, on Ritchie (running 5.0 RC1): dev@Ritchie:~$ sudo ipsec status | grep interface [sudo] password for dev: using kernel interface: xfrm interface lo UDP

Re: [Swan] how/where to configure list of 'valid' certs

2024-01-15 Thread Paul Wouters
On Mon, 15 Jan 2024, Marc wrote: On windows there is a command certutil -revoke, but on el7 I do not have this. So I was wondering how certs are put on this crl in the db. I probably do not really get the concept here, this certutil is new to me. Revocation is basically a signed serial

Re: [Swan] how/where to configure list of 'valid' certs

2024-01-14 Thread Paul Wouters
You use rightid= and match using x509 wildcards. Eg place those you want to connect in the same Organizational Unit OU=foo and match the variable part with *, eg CN=* Sent using a virtual keyboard on a phone > On Jan 14, 2024, at 08:30, Marc wrote: > >  > Currently I am using >

[Swan-commit] Changes to ref refs/heads/main

2024-01-10 Thread Paul Wouters
New commits: commit 3352ae704c1e2aedd9a4b87365d7d2de703840b6 Author: Paul Wouters Date: Wed Jan 10 14:14:13 2024 -0500 Revert "pluto: scrubbing keys from memory just before the return" This reverts commit c0d4e4f1a3e419dc471da485a16161

[Swan-commit] Changes to ref refs/heads/main

2024-01-10 Thread Paul Wouters
New commits: commit c0d4e4f1a3e419dc471da485a16161caef944fba Author: Paul Wouters Date: Wed Jan 10 12:58:09 2024 -0500 pluto: scrubbing keys from memory just before the return

[Swan-commit] Changes to ref refs/heads/main

2024-01-09 Thread Paul Wouters
New commits: commit 375fd77468e0128ec52f646e201bdd5b6a48535a Author: Paul Wouters Date: Tue Jan 9 21:56:46 2024 -0500 testing: update ikev2-26-nic-offload-no-hw-* Since tunnel mode is now blocked from loading, convert test cases to transport mode. commit

[Swan-commit] Changes to ref refs/heads/main

2024-01-09 Thread Paul Wouters
New commits: commit b32b987cf6b5dc41e38dd0b422b74caac4993636 Author: Paul Wouters Date: Tue Jan 9 20:38:29 2024 -0500 pluto: fixup against 158dfb081fb735c

[Swan-commit] Changes to ref refs/heads/main

2024-01-09 Thread Paul Wouters
New commits: commit 9931fdada3b534689674760751352bcc098eef19 Author: Paul Wouters Date: Tue Jan 9 20:26:11 2024 -0500 testing: added ikev2-26-nic-offload-no-hw-* commit a7b6806930f7a2c49e6a2eeb36f3d922ce130494 Author: Paul Wouters Date: Tue Jan 9 20:14:22 2024 -0500 pluto: tweak

[Swan-commit] Changes to ref refs/heads/main

2024-01-09 Thread Paul Wouters
New commits: commit 9b19d9fc3933c085415caf7e26baf6af9d1b8f74 Author: Paul Wouters Date: Tue Jan 9 10:48:00 2024 -0500 whack: also change nic-offload default to no

[Swan-commit] Changes to ref refs/heads/main

2024-01-08 Thread Paul Wouters
New commits: commit 2fb2fb766e7a5551f5aee6bc87843de1d75a3d61 Author: Paul Wouters Date: Mon Jan 8 15:54:16 2024 -0500 testing: update status output for new nic-offload=no default

Re: [Swan-dev] Certificate based authentication failures with libreswan

2024-01-08 Thread Paul Wouters
This likely depends on the crypto policies set. And yes 1024 is probably no longer allowed. You can try: update-crypto-policies —set LEGACY but better to generate new stronger keys. Paul Sent using a virtual keyboard on a phone > On Jan 8, 2024, at 12:38, Praveen Chavan wrote: > >  > Hi,

[Swan-dev] Minimum RSA key, was Fwd: Auto-discard notification

2024-01-08 Thread Paul Wouters
Sent using a virtual keyboard on a phone Begin forwarded message: From: swan-dev-boun...@lists.libreswan.org Date: January 8, 2024 at 12:38:45 EST To: swan-dev-ow...@lists.libreswan.org Subject: Auto-discard notification The attached message has been automatically discarded. --- Begin Message --- Hi, I

[Swan-commit] Changes to ref refs/heads/main

2024-01-08 Thread Paul Wouters
New commits: commit 3be6424fb35ade0f587c1998119c967613513f3d Author: Paul Wouters Date: Mon Jan 8 09:44:51 2024 -0500 libipsecconf: change nic-offload= defaults - Set default to "no", as unexpected problems might arise, eg not supporting tunnel mode. - Chang

[Swan-commit] Changes to ref refs/heads/main

2024-01-03 Thread Paul Wouters
New commits: commit 0d76f3c2c1aece7cbed155e0e5ce0ff5ee7a2ed3 Author: Paul Wouters Date: Mon Jan 1 21:07:40 2024 -0500 testing: remove ikev2-x509-31-wifi-assist It was wip. It no longer tests anything useful, as the properly configured test is under ikev2-x509-31-wifi-assist

[Swan-commit] Changes to ref refs/heads/main

2024-01-01 Thread Paul Wouters
New commits: commit 2ddd6c9a0cc9309bd492d5767c936b2afddbd758 Author: Paul Wouters Date: Mon Jan 1 21:07:40 2024 -0500 testing: remove ikev2-x509-31-wifi-assist It was wip. It no longer tests anything useful, as the properly configured test is under ikev2-x509-31-wifi-assist

[Swan-commit] Changes to ref refs/heads/main

2024-01-01 Thread Paul Wouters
New commits: commit 9a3b13641e6c00a678787b84b09b488fdb24a10a Author: Paul Wouters Date: Mon Jan 1 20:14:21 2024 -0500 testing: sanitize new warning away Delete "WARNING: ipsec auto has been deprecated" from output. This is needed to keep git bisect

[Swan-commit] Changes to ref refs/heads/main

2023-12-30 Thread Paul Wouters
New commits: commit d10e9e8a7b9d58f6d90c9601e1c5538a7930cf3b Author: Paul Wouters Date: Sat Dec 30 11:00:50 2023 -0500 testing: forgot to git add console output for ikev2-xfrmi-15-interface-ip commit 8116a49394886f306dee7572bbb87d6fe0a7b223 Author: Paul Wouters Date: Sat Dec 30 10:22

[Swan-commit] Changes to ref refs/heads/main

2023-12-30 Thread Paul Wouters
New commits: commit 3d67fb249dd6a60d2b7b655678c7a246a1c9e65d Author: Paul Wouters Date: Sat Dec 30 10:08:31 2023 -0500 testing: fix strongswan sanitizer from f4b4619b9e6

[Swan-commit] Changes to ref refs/heads/main

2023-12-29 Thread Paul Wouters
New commits: commit 1309f5fb035b76d2774b4db32f8c66a2e129bb2a Author: Paul Wouters Date: Fri Dec 29 22:16:45 2023 -0500 testing: fixup some ikev2-xfrmi testcases for sanitizers eg no more tcpdump.sh error and no more "left promiscuous

[Swan-commit] Changes to ref refs/heads/main

2023-12-29 Thread Paul Wouters
New commits: commit b740a34b4b34c8b147457ad61767ed1a6cf347bb Author: Paul Wouters Date: Fri Dec 29 22:10:16 2023 -0500 testing: updates TESTLIST The following tests now pass: ikev2-xfrmi-15-interface-ip ikev2-xfrmi-16-rekey interop-ikev2-strongswan-14-delete-sa

[Swan-commit] Changes to ref refs/heads/main

2023-12-27 Thread Paul Wouters
New commits: commit c512e62d19240bbc2d0837d459d23c58ad83c57b Author: Paul Wouters Date: Wed Dec 27 12:03:38 2023 -0500 building: remove IPSEC_CONNECTION_LIMIT option This hardcoded a maximum number of connections that could be established. It has been untested for years

Re: [Swan-dev] building: do not abuse USE_IPTABLES or USE_NFTABLES

2023-12-27 Thread Paul Wouters
On Tue, 26 Dec 2023, Andrew Cagney wrote: Are you sure about this: @@ -600,7 +601,9 @@ static bool ikev2_set_internal_address(struct pbs_in *cp_a_pbs, selector_from_address(ip), "CAT: scribbling on end while ignoring TS"); } - } else if (connection_requires_tss(cc) == NULL) { + }
