On Fri, 10 May 2024, Phil Nightowl wrote:
This was the case up until the last change (see above) - which I can
roll back right away - but that did not work for me. I ended up with the
public IP as source address in the xfrm policy installed by libreswan
anyway. What I can further try is
On May 10, 2024, at 03:08, Phil Nightowl wrote:
>>> There already is a
>>>
>>> leftsubnet=0.0.0.0/0
>>> rightsubnet=srv.ii.nn.tt/32
>>>
>>> in the roadwarrior's config. The config file of the server contains
>>>
>>> leftsubnet=srv.ii.nn.tt/32
>>>
On Thu, 9 May 2024, Phil Nightowl wrote:
Then be sure to have a leftsubnet= on your client or else it will try to
use the pre-NAT IP and your remote peer would likely not accept that.
There already is a
leftsubnet=0.0.0.0/0
rightsubnet=srv.ii.nn.tt/32
in the roadwarrior's
On Tue, 7 May 2024, Phil Nightowl wrote:
If NATing, disable it for the IPsec ip ranges ?
Unfortunately, this is not feasible due to ISP limitations. On the
roadwarrior end, it is not possible at all. On the server end, I
theoretically might try, but the odds are rather against me, I
On May 7, 2024, at 04:21, Phil Nightowl wrote:
>> Can you share the "ipsec traffic" output after doing a few pings over
>> the tunnel? I have a feeling you might not actually have a plaintext
>> leak, you just think you do because of the way tcpdump hooks into
>> the kernel
On Mon, 6 May 2024, Phil Nightowl via Swan wrote:
After giving it a second look, a brief response to my original message. The
xfrm policies seem quite wrong after all:
Can you share the "ipsec traffic" output after doing a few pings over
the tunnel? I have a feeling you might not actually
On Sat, 20 Apr 2024, Andrew Cagney via Swan-commit wrote:
libipsecconf: rename internal enum AUTOSTART_ONDEMAND -> AUTOSTART_ROUTE
This is wrong. The libipsecconf names match the _keywords_ used by auto=
and auto=route has been long obsoleted for auto=ondemand.
consistent with other
New commits:
commit ca6cfbe2682dd18200672d05baf09daa75465d70
Author: Paul Wouters
Date: Wed Apr 10 21:59:05 2024 -0400
security: add CVE-2024-3652.txt
___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
New commits:
commit a9fd7976c1b2691a027edc73205595c76e0233ce
Author: Paul Wouters
Date: Mon Apr 15 12:40:02 2024 -0400
documentation: update CHANGES for v4.15
On Mon, 1 Apr 2024, kumar priyankar via Swan wrote:
Issue is that my log space suddenly started getting filled up on the server,
when checked in syslog and
also in pcap, I saw only one message.
pluto: ERROR: recvmsg(,, MSG_ERRQUEUE) on eth0 failed (noticed before
read_packet) (attempt 9).
Sent using a virtual keyboard on a phone
> On Mar 28, 2024, at 17:24, antonio via Swan wrote:
>
> Hi,
>
> I’m trying to install libreswan 5.0rc2 on a debian bullseye but I got the
> error when trying to start it:
That seems a bug in unbound when compiled with nettle on Debian? Maybe dkg
On Wed, 27 Mar 2024, antonio via Swan wrote:
I’m trying to connect an android device using native vpn and libreswan version
5.0rc2, it looks like a simple connection host - host/subnet but it
doesn’t connect… got the following log:
Note that the logs provided do not yet indicate a
New commits:
commit 38b5ca55c4e8f0265da8a98e91cfb9bcc55d89b4
Author: Paul Wouters
Date: Mon Mar 11 22:09:05 2024 -0400
documentation: merge in v4.13/v4.14 CHANGES
New commits:
commit e80ee435de583eebad690e91f3af4fd3e0f929c8
Author: Paul Wouters
Date: Mon Mar 11 17:47:37 2024 -0400
Bump to 5.0rc2
New commits:
commit 2546f2783560b4e19dbbfc595d47e7f72547fe49
Author: Paul Wouters
Date: Sun Mar 10 19:25:41 2024 -0400
security: Added CVE-2024-2357.txt
New commits:
commit d834d7660569fc95731bfd8bc475bf8af0321559
Author: Paul Wouters
Date: Sat Mar 9 18:10:06 2024 -0500
testing: clean some cruft comments
New commits:
commit 98cdfe71c053dbd6f076bcccbbc998e4802826cf
Author: Paul Wouters
Date: Tue Mar 5 10:24:06 2024 -0500
documentation: fix man page for listen-tcp= default
On Tue, 5 Mar 2024, Andrew Cagney via Swan-commit wrote:
Date: Mon Mar 4 20:15:11 2024 -0500
ikev2: drop and NOT sending notify
it's redundant and confusing vis:
"west-cuckold" #4: sent INFORMATIONAL request to delete IKE SA
"west-cuckold" #5: ESP traffic information:
> On Mar 4, 2024, at 05:24, Marc via Swan wrote:
>
> I think that is always such crappy excuse 'I do this for free ..'. If you are
> at some store and you see the owner give your kids some sweet that you saw
> previously fell on the floor. Would you accept his argument 'but it was for
>
On Thu, 29 Feb 2024, Marc via Swan wrote:
Where can I find a working and tested config, that offers vpn connectivity
with the os default clients of android, win10, win11, macos and ios? (maybe
put this on some wiki/example page)
Not sure there is one as the variations in systems are almost
On Fri, 1 Mar 2024, Phil Nightowl wrote:
still could not get it fixed so far. Is there perhaps an overview of the
testing configurations?
Not a real overview, but there is a list. Each of the entries has its
own description.txt file:
On Fri, 1 Mar 2024, Rolando Bermúdez Peña via Swan-dev wrote:
I have libreswan version "ibreswan-3.25-4.8.amzn2.0.2.x86_64" for a vpn in a
server.
I am trying to connect using IKEv2 from Mac clients.
From a Mac with Ventura it connects fine, from a Mac with Sonoma it does not
connect.
These
On Tue, 27 Feb 2024, Phil Nightowl wrote:
pluto[30425]: "remotesite"[1] 203.0.113.55 #2: responder established Child SA using #1;
IPsec tunnel [192.168.1.253-192.168.1.253:0-65535 0] -> [203.0.113.55-203.0.113.55:0-65535 0]
{ESPinUDP=>0x7522bc14 <0x80c5c828 xfrm=AES_GCM_16_256-NONE
On Tue, 27 Feb 2024, Brady Johnson via Swan-dev wrote:
We tried several changes to the client nmstate configuration. Setting "ipv4: dhcp:
false" caused a configuration error in nmstate.
We have created a bug for that and the nmstate team is working on it.
Then, we tried with the same client
New commits:
commit c040ce61a3899bc2df0fd8a18be8d6e4fb919696
Author: Paul Wouters
Date: Fri Feb 23 16:31:24 2024 -0500
testing: ikev2-05-basic-psk add global secrets
This re-uses the test to ensure the most specific secret is picked
irrespective of the location of the global
On Thu, 22 Feb 2024, Andrew Cagney via Swan-commit wrote:
New commits:
commit 8f2151aab6084561bdeb8c49206ee238b508eecc
Author: Andrew Cagney
Date: Thu Feb 22 10:58:13 2024 -0500
ikev2: drop code checking for NAT during IKE_INTERMEDIATE exchange
NAT happens during IKE_SA_INIT;
New commits:
commit d2ccd5d58f491bef3253151faf4c4bf253965bd4
Author: Paul Wouters
Date: Wed Feb 21 15:03:44 2024 -0500
testing: update forgotten west.console.txt for addconn-37-nic-offload
New commits:
commit 6c8b02569f7270266bc1e51661b5c761c584c804
Author: Paul Wouters
Date: Wed Feb 21 14:21:29 2024 -0500
testing: add test to addconn-37-nic-offload for encapsulation=yes
commit b1957720206ff006c87b5471faa9c7a371432469
Author: Paul Wouters
Date: Wed Feb 21 13:43:06 2024
On Wed, 21 Feb 2024, Phil Nightowl wrote:
Server conf:
conn remotesite
left=%defaultroute
leftcert=server
leftsubnet=192.168.1.253/32
right=%any
rightaddresspool=192.0.2.0/24
auto=add
ikev2=yes
authby=rsasig
leftid=%fromcert
rightid=%fromcert
New commits:
commit 1cd6ead3160c5449201035b47360e8c36184ad7e
Author: Paul Wouters
Date: Wed Feb 21 13:28:26 2024 -0500
pluto: If connection is NAT'ed abort on nic-offload=packet
No known hardware currently supports offloading with encapsulation.
On initiator, we can abort
New commits:
commit b8d327f911da6e1c672dea25c19c04da11209769
Author: Paul Wouters
Date: Wed Feb 21 12:29:47 2024 -0500
documentation: minor update to libreswan(7) man page
Resolves: https://github.com/libreswan/libreswan/issues/1469
New commits:
commit 481c0eb7957d3ad8e1f744cb8f2434a1f596d5e1
Author: Paul Wouters
Date: Wed Feb 21 11:55:11 2024 -0500
cleanup: remove configs/st which is a copy of portexcludes.conf.in
On Wed, 21 Feb 2024, hr...@inmail.cz wrote:
Subject: Re: [Swan] Possible to setup multiple connections, partly behind NAT?
If you have NAT, then you no longer have a host-to-host connection. What
internal IPs should be used? Some end has to hand out an IP address for
the other end to use.
I see this commit:
commit f198add4b08640d1b67aef19168998070b65b725
Author: Andrew Cagney
Date: Tue Feb 20 20:25:33 2024 -0500
ikev2: when responding to labeled TS don't search for a connection
only possible match is the IKE SAs (note that at this point
the Child SA is sharing
On Tue, 20 Feb 2024, Phil Nightowl wrote:
Subject: Re: [Swan] Possible to setup multiple connections, partly behind NAT?
Should I remove the leftsubnet/rightsubnet options altogether?
Yes.
After doing that, I tried to connect from remotehost1.privlan to
server.privlan - which now should
Try without reauth=yes ? Also your super short timeouts might cause weird things too.
Paul
Sent using a virtual keyboard on a phone
On Feb 19, 2024, at 10:36, John Crisp via Swan wrote:
Hi,
be grateful for some help!
Trying to figure out what is
On Thu, 15 Feb 2024, Phil Nightowl wrote:
conn headq
left=%defaultroute
leftcert=remotehost1
leftid=%fromcert
right=198.51.100.33
rightid=%fromcert
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
What are you trying to do here? Where does 0.0.0.0/0 live? It cannot
live at both
On Fri, 16 Feb 2024, Brady Johnson via Swan-dev wrote:
Subject: Re: [Swan-dev] What does "missing v2CP reply" mean?
Would it be more helpful to enable debug logging? Or is there some other test
that could be done
to figure this out?
It seems your peer has not been configured to hand out IP
No, again the IKEv2 protocol uses EAP for any external authentication
mechanism, so it would need to use an existing EAP method. While EAP-mschapv2
could be used, libreswan doesn’t support that yet.
The pam-authorize=yes method is only a method to reject a connection based on
remote ID, not to
On Wed, 14 Feb 2024, David Valiente via Swan wrote:
I have a requirement where VPN users are to authenticate against Google through
SAML.
Authentication MUST be done via SAML, no oauth.
This I guess would be some kind of EAP method? I know of no other
authentication method specified for
On Wed, 14 Feb 2024, Mamta Gambhir wrote:
I have no issues now with nic-offload=packet , but do see issues with
communication when I use same subnet in the two
private-or-clear sections.
Above had worked for me in the past on both interfaces.
You mean without nic-offload?
I am now using
On Tue, 13 Feb 2024, Phil Nightowl wrote:
conn headq
left=%defaultroute
leftcert=remotehost1
leftid=%fromcert
right=198.51.100.33
rightid=%fromcert
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
What are you trying to do here? Where does 0.0.0.0/0 live? It cannot
live at both
On Sat, 10 Feb 2024, Tuomo Soini via Swan wrote:
On Fri, 9 Feb 2024 23:35:39 +0100 Phil Nightowl via Swan wrote:
I am used to utilise X.509, so I have leftid=%fromcert everywhere.
Does the above mean that I should use something like
right=%any
rightid="CN=*.privlan,O=MyOrg,C=CA" ?
On Fri, 9 Feb 2024, Phil Nightowl wrote:
Without these, you would only match a single left and right IP/32, and
when using right=%any that would become 0.0.0.0/32 which is a single IP
address.
Please forgive me, I still don't get it. To me, it seems that even if those
subnets are single IPs
On Fri, 9 Feb 2024, Phil Nightowl wrote:
Along your advice, I changed the config files on host1.privlan (applicable
to any host on my 192.168.1.x except server.privlan). SSH access is fixed,
the config on host1.privlan does not use opportunistic encryption any longer
and works fine. Adding
New commits:
commit d300ead77078a338efa0ce7964c4822aa933bbc0
Author: Paul Wouters
Date: Thu Feb 8 20:55:27 2024 -0500
documentation: remove alsoflip= mentions
commit 81fa930d8935eda428da53762063cd55e8a6a927
Author: Paul Wouters
Date: Thu Feb 8 20:53:30 2024 -0500
pluto: Do not run
On Thu, 8 Feb 2024, Phil Nightowl wrote:
I would try 4.12.
Can you tell me that this is not strictly required to make it work? Of
course, I am going to upgrade at some point - but it will make my life much
easier if I don't have to do it on all hosts involved and right now.
No I can't
On Wed, 7 Feb 2024, Phil Nightowl via Swan wrote:
I am failing to configure multiple simultaneous connections with
part of the clients behind NAT and part not (though not sure to what extent
is *that* the main issue). Before elaborating thoroughly, can anyone please
tell if the following
On Wed, 7 Feb 2024, Marc wrote:
This is a win10 client. What problem do I have here?
Feb 6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320:
1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
so we received a proposal like: esp=aes_gcm128,aes_gcm256 with DH14
but
On Wed, 7 Feb 2024, Marc via Swan wrote:
This is a win10 client. What problem do I have here?
Feb 6 21:47:42 test2 pluto[1]: "vpn-ikev2-crt"[32] x.x.x.x #320:
1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-MODP2048-ENABLED+DISABLED
so we received a proposal like: esp=aes_gcm128,aes_gcm256 with