instructions are not detected.
Sep 21 16:04:08 vpngx kernel: AVX2 or AES-NI instructions are not detected.
You've been very helpful, thanks so much.
Alex
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
n someone help me with the
steps needed to create the host key and certificate?
I've read through the NSS HOWTO, and I don't understand :-(
Thanks,
Alex
his certificate cannot be found
in key database
certutil: unable to create cert (The private key for this certificate
cannot be found in key database)
Did I somehow screw up the process of creating the CA in the first place?
Thanks,
Alex
using certutil, it requires the working CA,
but that appears to be the problem I'm having, right?
Thanks,
Alex
at
changed to cause this.
On Tue, May 29, 2018 at 4:37 PM, Alex wrote:
> Hi,
>
> I have a fedora27 system with libreswan-3.23-1.fc27.x86_64 on the
> local side and libreswan-3.22-1.fc25.x86_64 on the remote side and
> having a problem with my site-to-site VPN. It was working un
Hi,
I realized I only sent this to you directly last time. I'm still
having trouble and hoped someone could help.
> The config file you posted used leftckaid= and you said you copied it to both
> sides which wouldn’t work. Can you confirm you are trying only with
> leftrsasigkey and
Hi,
> > At least the second one was created on this host but has now
> > disappeared. How do I delete those broken keys without having to
> > remove the whole database? What could cause this to happen?
>
> certutil -F -d sql:/etc/ipsec.d -n 34127e44f0718fc6d6ad34c089db926e1bb4d7df
>
> use the
Hi,
> > At least the second one was created on this host but has now
> > disappeared. How do I delete those broken keys without having to
> > remove the whole database? What could cause this to happen?
>
> certutil -F -d sql:/etc/ipsec.d -n 34127e44f0718fc6d6ad34c089db926e1bb4d7df
>
> use the
I don't understand this error:
Oct 8 22:30:01.939114: "oriontun" #3: IKEv2 mode peer ID is ID_FQDN:
'@arcade-orion'
Oct 8 22:30:01.939222: "oriontun" #3: Signature check (on
@arcade-orion) failed (wrong key?); tried *AwEAAePbb
Oct 8 22:30:01.939234: "oriontun" #3: Digital Signature
Hi,
I'm still trying to build a host-to-host vpn and it's now failing with
"Can't find the certificate or private key from the NSS CKA_ID". I
can't find any way to specify an explicit path, or even where it's
looking.
I found an old thread from Feb that indicated I should specify
---output
:33.289343: "oriontun" #5: IKE SA authentication request
rejected: AUTHENTICATION_FAILED
Googling any of these errors/warnings generally only reveal the lines
themselves from the source code. How do I find out what exactly was
the invalid syntax?
Thanks,
Alex
On Mon, Oct 8, 2018 at 10:
, perhaps
they wouldn't be filtered or otherwise dropped.
Is this possible? Do you have an idea of a config you could share?
Thanks,
Alex
Hi, I have a fedora29 system with libreswan-3.27-1.fc29.x86_64 and
shorewall and having some difficulty with building a net-to-net VPN to
a similar system with a dynamic IP.
If I configure leftsubnet=192.168.6.0/24 I can't reach any of the
other networks on the server side. If I configure
Hi,
> If you want a remote access vpn to access a remote subnet, use the
> remote access config with the addresspool. If you want a subnet to
> subnet, where one of the endpoints is on a dynamic IP, you want
> to use leftsubnet/rightsubnet and not addresspool= and just change
> the regular
000 "mysubnet":
192.168.1.0/24===68.192.251.223[@orion-wyckoff]---68.192.248.1...%any[@wyckoff-orion]===192.168.11.0/24;
unrouted; eroute owner: #0
The 192.168.1.0/24 network is on the server (left) side. The
192.168.11.0/24 is on the dynamic (rig
Hi,
> I've now tried to do it using RSA keys, but it has a problem with the
> "%any" statement:
I forgot to add the ipsec auto output that shows it has a problem with %any:
> config setup
> protostack=netkey
>
> conn mysubnet
> also=wyckofftun
>
Hi,
> Note, I would remove the empty lines to prevent possible confusion with
> the config parser thinking a new section is starting.
>
> > # ipsec auto --up wyckofftun
> > 029 "wyckofftun": cannot initiate connection without knowing peer IP
>
> You cannot use right=%any and left=%defaultroute,
Hi,
Thanks so much for sticking with me here.
> > This is my config now:
> > conn host-to-host
> > left=orion.guardiandigital.com
> > leftid=@orion
> > leftsubnet=192.168.1.0/24
> > leftrsasigkey=0sAwEAAczgDWWfK4A83Q1e/fTYS2C...
> > right=%any
> >
Hi,
> > The tunnel is built, but I cannot reach either side from the other. I
> > can ping wyckoff from orion but not vice-versa, and I cannot reach any
> > of the internal networks from either endpoint. I'd like to be able to
> > reach each endpoint from the other, as well as the private
Hi,
On Sun, Jan 27, 2019 at 1:28 PM Paul Wouters wrote:
>
> On Sun, 27 Jan 2019, Alex wrote:
>
> > Yes, the tunnels have come up, but it appears no data is passing through
> > them:
> >
> > # ipsec whack --trafficstatus
> > 006 #6: "wyckofftun/1x
Hi, I'm trying to build a subnet-to-subnet VPN with libreswan-3.27 on
fedora28 and having some trouble. Should the subnets already exist on
the remote networks, or does libreswan create them? When I use the
config below, the networks disappear from the routing table and the
servers become
Hi,
> Hi, I'm trying to build a subnet-to-subnet VPN with libreswan-3.27 on
> fedora28 and having some trouble. Should the subnets already exist on
> the remote networks, or does libreswan create them? When I use the
> config below, the networks disappear from the routing table and the
> servers
Hi,
> >> Add left/rightsourceip. Note you only need it for the local end but there
> >> is no harm adding it for both ends. For subnet/subnet connections the
> >> routing table is not used (check out "ip xfrm policy" and "ip xfrm
> >> state"). You only get the routing entry if you use
Hi,
I'm sorry for all the emails, but I have more debugging info. This
message seems to be consistent with every system on which it fails:
133 "orion-arcade" #4: STATE_PARENT_I1: sent v2I1, expected v2R1
I have three systems in total for this part of the project - orion,
arcade and bwimail03.
Here is some additional debugging from pluto.log from bwimail03 where
this is failing:
Jan 29 20:36:53.923864: | checking keyid '@arcade' for match with '@arcade'
Jan 29 20:36:53.923867: | key issuer CA is '%any'
Jan 29 20:36:53.923870: | checking keyid '@bwimail03' for match with '@arcade'
Jan
Hi,
I'm now trying to build a tunnel between the server with the static IP
and another host with a static IP and the same libreswan on fedora,
but having a similar problem that I used to have with "wrong key?"
messages when I *know* I'm doing it right.
On bwimail03:
002 "bwimail03-arcade" #5:
Hi,
> > The endpoint is not behind NAT. It is laptops and desktops and phones
> > connected to the remote VPN gateway on a private network with a
> > dynamic IP. The gateway then uses NAT to allow them to communicate
> > with the Internet, of course.
>
> I'm still not fully clear what you are
Hi,
> > I'm still not fully clear what you are doing. Are the laptops and
> > desktops and phones on a LAN with NAT and there is a remote VPN gateway
> > somewhere else on the internet? If you then your right= should for sure
> > point to that remote VPN server DNS name or IP address on your
Hi,
> >> I'm still not fully clear what you are doing. Are the laptops and
> >> desktops and phones on a LAN with NAT and there is a remote VPN gateway
> >> somewhere else on the internet? If you then your right= should for sure
> >> point to that remote VPN server DNS name or IP address on your
Hi,
> left is the leftside of your paper diagram. Right is the rightside of
> your paper diagram. If you flip the paper, left becomes right, right
> becomes left. So in theory, you can use the identical configuration on
> both sides, and pluto will figure out if it is "left" or "right" on
> each
Hi,
I have libreswan-3.27 on fedora29 on both ends with 5.0.10 that's been
running fine for a while. Over the last few days, the connection on
the local side has inexplicably disconnected from one of its two
net-to-net peers.
Just running "ipsec auto --up " on the local side usually
brings it up
off)
https://pastebin.com/AZGVCF8c
This is the side with the fixed IP, also on a cable modem (orion):
https://pastebin.com/JFe4CPsd
On Fri, Oct 4, 2019 at 2:40 PM Alex wrote:
>
> Hi, back in May I reported an issue involving two cable modems and
> dropping the connections for no apparent reason.
Hi, back in May I reported an issue involving two cable modems and
dropping the connections for no apparent reason. I believe Paul said
it was a deadlock issue that would be fixed in 3.28, but it continues
today with 3.29 on fedora30.
The issue is that two systems, both of which are connected to
Hi,
Okay, I thought it was working, and maybe it was, but something
changed and now it's not working. The day after I thought I had it
working, I had a hard disk failure and had to completely reinstall and
rescue the config from the failed hard disk. I'm just confused and
hoped someone could
system.
On Wed, Jan 8, 2020 at 7:40 PM Alex wrote:
>
> Hi,
>
> Okay, I thought it was working, and maybe it was, but something
> changed and now it's not working. The day after I thought I had it
> working, I had a hard disk failure and had to completely reinstall and
> r
Hi,
I've made a few changes, but it still appears to be failing. From
wyckoff (right side):
Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
ourselves with either end of this connection. 68.195.193.42 or
96.56.24.210 are not usable
Jan 5 08:50:42.782307: "orion-wyckoff/2x2" #1:
nd, then auto should be "add" at orion
> and can be "start" at wyckoff.
>
> Nick
>
> On 03/01/2020 21:57, Alex wrote:
>
> Hi,
> I've had a site-to-site VPN using libreswan built and working between
> two Optonline/Altice systems, one with a dynamic IP and
solution for me.
On Sat, Jan 4, 2020 at 9:28 PM Alex wrote:
>
> Hi,
>
> I managed to convince the admin to port forward both 4500 and 500,
> along with AH and ESP to my 10.201.2.2 IP from the static external
> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>
> Both
Hi,
> > I've made a few changes, but it still appears to be failing. From
> > wyckoff (right side):
> > Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> > ourselves with either end of this connection. 68.195.193.42 or
> > 96.56.24.210 are not usable
>
> If both ends are behind
S_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
I don't know under what circumstances those messages were produced,
though, because I can't get it to do it again.
I've also located this mini-howto that does a great job of explaining
the steps as well as providing a reg
Hi,
> > Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the
> > 192.168.6.1 gateway, but I can't reach the 192.168.1.0/24 internal
> > network.
>
> Then that is really an issue of routing/nat/firewall on the VPN server.
> Check the vpn server works properly with: ping -I 192.168.6.1
Hi,
> > Is there documentation available on how to configure
> > it with libreswan?
>
> Yes, see our libreswan examples on the website.
I followed the examples outlined on this page, including importing the
pkcs12 file with ipsec and building an ipsec.conf for the VPN server.
Hi,
> The win10 laptop I am using is connected to our internal network on
> 192.168.1.35. The libreswan server has a public IP (which I've
> specified as the endpoint for the win10 client), but also is the
> Internet gateway for the win10 client as 192.168.1.1. Is it possible
> to connect to the
Hi,
I have a libreswan-4.1 install on fedora32 and would like to connect
some remote road warriors with Windows clients so I may connect them
to the corporate network to access our asterisk phone system.
What Windows client options are available for use with libreswan? Will
WireGuard work? Is
Hi,
I have a fedora32 system with libreswan connected to a few remote
sites and would now like to consider using Wireguard on Windows to
connect to our main office to be on its network so we can use the
asterisk phone system there with our Polycom phones or a softphone app
on Windows.
How can I
Hi,
> >> How can I tell what type of cert I'm using?
> >
> > openssl x509 -noout -text -in /your/cert.pem
>
> If you used certutil to generate the certificate directly inside the NSS
> database, you may have to export first, or use something like:
>
> certutil -L -d sql:/etc/ipsec.d -n
.195.111.42:500 remote=192.168.1.35:500
policy=ECDSA+IKEV2_ALLOW but ignoring ports
find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
policy=RSASIG+IKEV2_ALLOW but ignoring ports
find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500
policy=PSK+IKEV2_ALLOW but ignoring ports
Thanks so much,
Alex
Hi,
> > Now Windows is saying "IKE failed to find valid machine certificate.
> > install a valid certificate" but I've rebuilt the entire thing,
> > deleted the old certs and inserted a new pk12 cert as I've done
> > before. This strongswan post appears to indicate that "Maybe Windows
> >
Hi,
> > certutil -S -c "Example CA" -n "win10client.example.com" \
> > -s "O=Example,CN=win10client.example.com" -k rsa \
> > -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8
> > "win10client.example.com"
>
> I see that the options -1 and -6 have no argument. Apparently this
>
Hi,
> Referring to that example:
>
> leftcert=vpn.example.com
> Here "vpn.example.com" must match the nickname of the server certificate
> in the NSS database, which you created with certutil. This is how
> libreswan knows which certificate to send to the client for server
> authentication.
=no
fragmentation=yes
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null
Thanks,
Alex
On Thu, Dec 31, 2020 at 3:10 PM Alex wrote:
>
> Hi,
> Now that I have a working VPN for mobile users, I'm having trouble
> assigning IPs on our l
Hi Paul,
> > How does it then determine the default gateway and other stuff that would
> > normally be obtained by DHCP, such as an NTP server?
>
> Client and server agree on the src/dst parameters. eg the leftsubnet and
> rightsubnet options. If the vpn client receives a remote subnet of
>
Hi,
Now that I have a working VPN for mobile users, I'm having trouble
assigning IPs on our local network. I'm thinking this is the best
place to start, rather than a DHCP list without knowledge about how a
VPN works.
Our internal LAN is 192.168.1.0/24 and we're issuing leases for mobile
workers
Hi Manfred,
I got it to work subsequent to your email. I'll explain how I got it
to work, but my next issue is with DHCP.
> OK, so phase 1 passes.
> However, it still looks like Windows is sending multiple proposals,
> while when using Set-VpnConnectionIPsecConfiguration I think only one
>
Hi,
> Dec 31 13:53:06.342990: "ikev2-cp"[1] 172.58.239.44 #1: certificate
> verified OK: O=Example,CN=win10client.example.com
> Dec 31 13:53:06.343028: "ikev2-cp"[1] 172.58.239.44 #1: certificate
> subjectAltName extension does not match ID_IPV4_ADDR '172.58.239.44'
> Dec 31 13:53:06.343035:
Hi,
I'm using libreswan-4.11-1.fc37.x86_64 on two fedora37 hosts to try to
build a VPN between them. It was working fine for some days, but I believe
I changed something on one of the servers, not related to libreswan, that
caused it to stop working. It appears they're not communicating, like a
'm also not doing NAT-T so I suppose there wouldn't be any
port 4500.
Thanks,
Alex
Hi,
On Sun, Jun 4, 2023 at 12:19 PM Alex wrote:
>
>> Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply
>> {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
>> Jun 4 11:49:49.468301: "mail03-polaris" #4: received
M, "Paul Wouters" <p...@nohats.ca> wrote:
> On Thu, 18 Jan 2018, Alex K. wrote:
>
> What are the possible ways to bring a Libreswan VTI up?
>>
>> Let me elaborate the situation a little bit - I have a Libreswan 3.21
>> compiled from sources on Debian
nds in it.
Thank you, Paul
On Jan 29, 2018 0:00, "Paul Wouters" <p...@nohats.ca> wrote:
> On Sat, 27 Jan 2018, Alex K. wrote:
>
> After a few days of running debugs, I finally found the culprit, it was
>> PFS (strangely enough, both sides agreed on
>> each oth
Hello everyone,
What are the possible ways to bring a Libreswan VTI up?
Let me elaborate the situation a little bit - I have a Libreswan 3.21
compiled from sources on Debian Stretch as. Anyhow, I have a basic VTI
setup according to the example on Libreswan website.
On system startup, everything
to
create another connection to allow remote hosts to access individual
hosts on the local network. Is that not necessary here?
My eventual goal is to allow it to reach the 192.168.1.0/24 corporate
LAN from the 192.168.6.0/24 IP it's assigned so it can communicate with
our asterisk server.
Th