Not by any chance bug #86?
Try also setting leftnexthop=%defaultroute.
On 06/05/2014 21:23, Nels Lindquist wrote:
On 5/6/2014 1:38 PM, Paul Wouters wrote:
can you provide a plutodebug=all
a
full fix.
Regards,
Nick
On 2014-05-07 09:09, Wolfgang Nothdurft wrote:
> On 06.05.2014 23:09, Nick Howitt wrote:
>
>> Not by any chance bug #86 <https://bugs.libreswan.org/show_bug.cgi?id=86>?
>> Try also setting leftnexthop=%defaultroute.
>
> I thin
i?id=86 [1] --- Comment #30 from Nick
>> Howitt 2014-05-08 13:48:35 EEST --- This is where I am
>> a little confused. I patched the source by hand and recompiled the rpm. I
>> then installed the rpm with a -Uvh --force as it is the same version number
>> as I was runni
On 11/05/2014 16:25, Paul Wouters wrote:
On Sun, 11 May 2014, Ahmed Shabana wrote:
I did what you suggest below and get the below error,
You know we offer precompiled packages for RHEL6 at
eswan in
epel now. I'll bring them up to date later today
Sent from my iPhone
On May 11, 2014, at 12:18, Nick Howitt <n...@howitts.co.uk> wrote:
On 11/05/2014 16:
Paul,
It compiled OK and looks like it works correctly with my two PSK conns
and it appears to fix Bug 86 so I'm happy. Other than set it running
I've done no other testing.
I have noticed in the logs that there are few bits (4?) of debug output
but that is trivial.
Thanks,
Nick
On 2014-
It does rather look like Networkmanager is trying to use a PSK, but the
other thing is if you use aggressive mode (which it looks like you are
receiving) you must specify ike and phase2alg as they are not negotiated.
Nick
On 2014-08-07 06:57, Gareth Williams wrote:
I've been trying to get Libr
On 2014-09-11 16:43, Paul Wouters wrote:
On Thu, 11 Sep 2014, Thomas Geulig wrote:
Subject: Re: [Swan] NetKey vs KLIPS
On 11.09.2014 at 17:04, Lennart Sorensen wrote:
Certainly simple with netkey. Also netkey can use the kernel crypto
drivers for hardware crypto which I don't think klips
Paul,
After 3.10 was released you did not immediately compile the binaries
so I compiled my own with the following mini script:
#!/bin/bash
Version=3.10
TARGET=x86_64
cd $HOME/rpmbuild/SOURCES
wget https://download.libreswan.org/l
On Sep 13, 2014, at 12:34, Nick Howitt <n...@howitts.co.uk> wrote:
Paul,
After 3.10 was released you did not immediately compile the
binaries so I compiled my own with the following mini
the changelog.
Thanks,
Nick
On 02/10/2014 19:45, Nick Howitt wrote:
In your own rhel6 x64 repo - https://download.libreswan.org/binaries/rhel/6/x86_64/libreswan-3.10-1.el6.src.rpm
and it was your compiled rpm served by yum https://download.libreswa
Why are you using l2tp and not just plain IPsec? Also why are you
using transport mode? Which Draytek are you using? I am not sure if
they support transport mode. I don't think my 2820 and 2710 do.
Shouldn't right be the public IP of the Draytek or %any if the
Drayte
't know libreswan (or any of the
various *swans) very well and used the aforementioned script
because I needed a quick and dirty VPN setting up.
Thanks.
Darren.
On 4 Dec 2014, at 18:25, Nick Howitt <
Unless it has changed recently "ipsec auto --add ..." does not reread
the secrets file so you'll probably also have to do an "ipsec secrets".
I'd do it before the "ipsec auto ..." to get the secrets into place
before the conn is added.
Nick
On 2014-12-11 13:28, Ted Toth wrote:
This is actua
With that config you will not be able to ping to or from either
gateway through the VPN but you should be able to ping from LAN to
LAN. To ping to or from a gateway, please add left/rightsourceip as
your gateway's LAN IP.
Also have you set any firewall rules for the
-j RETURN # Left Side
-I POSTROUTING -s 10.2.0.0/16 -d 10.1.0.0/16 -j RETURN # Right Side
then tried testing with:
ping -c 4 -I 10.1.10.1 10.2.10.1
but still no response and no drops logged :(
Thanks, Phil
----- Original Message -----
From: "Nick Howitt"
To: "Phil Daws" , swan@l
connect to that IP. This is without the left/right source ip.
Getting closer, to understand this, and hopefully working :)
Thanks, Phil
----- Original Message -----
From: "Nick Howitt"
To: "Phil Daws"
Cc: swan@lists.libreswan.org
Sent: Saturday, 17 January, 2015 16:09:50
Subj
What sort of VPN are you attaching to GW1? Do devices on that VPN
get a route to 10.2.10.0/24 via 10.1.10.1?
Also you will need to set up an extra subnet in your ipsec VPN which
shows 172.16.10.0/24 being at GW1. Check out the left/rightsubnets parameter.
Are 10
Hi,
I'm trying to see if I can set up a VPN with Windows Phone 8.1 and
I've fallen over before even getting as far as the phone. I cannot
get Libreswan to read the certificate I created. I've used the
instructions at https://libreswan.org/wiki/Using_NSS_with_libreswa
Matt,
Thanks. That was it.
Do you know anything about setting up Windoze Phone?
Nick.
On 27/01/2015 21:25, Matt Rogers wrote:
On 01/27, Nick Howitt wrote:
002 forgetting secrets
002 loading secrets from "
Hi Bob,
Do you have a tunnel from your roadwarrior to Libreswan for the subnet
192.168.0.0/24? I don't know the Windows client (or any ikev2 details
therefore my knowledge is entirely theoretical) so I don't know if you
can use left/rightsubnets in Libreswan or if you have to define two
differ
Hi Bob,
As soon as you mention transport mode I am lost as I've never used
it or got my mind round it so I don't understand it. Ditto
passthrough conns, so you could be way ahead of me. If I were doing
it, I'd use tunnel mode.
I've done something slightly si
Hi Paul,
When 3.14 was released I started looking for the el6 binaries. I
believe you've stopped hosting them as they are now normally found
on epel, but it looks like the el6 package has failed to build on
epel. Do you know if this is going to be fixed?
I e
Do you need to use the "hold" state? Can you set DPD action to clear
the conn so it renegotiates?
Nick
On 16/09/2015 10:25, Tony Whyman wrote:
Looking at the Wiki, there is the following statement:
"When connections rekey,
I've no idea, but I thought "hold" was only for fixed IPs.
On 16/09/2015 10:31, Tony Whyman wrote:
I could certainly try that. Would that force a DNS refresh?
On 16/09/15 10:30, Nick Howitt wrote:
Have you seen this: https://download.libreswan.org/binaries/
On 15/11/2015 10:22, Bentzy Sagiv wrote:
Hi,
I've successfully managed to build libreswan in Ubuntu and
to create a .deb file.
Installation through dpkg
On 11/12/2015 19:19, Paul Wouters wrote:
On Thu, 10 Dec 2015, Tony Whyman wrote:
The thread on converting from Openswan to
Libreswan reminded me of the following script that I have added
to all my Ubuntu systems w
Have a look at
/etc/dhcp/dhclient-exit-hooks. The only thing is, when I tried
using it in a very basic way, it triggered every time
the lease was renewed. There may be options only to trigger on
IP change. I stopped looking at that point as my
Hi,
I've just upgraded to 3.16 and I thought I'd have a go at IKEv2 on a
road warrior but I'm stuck with the NSS/certificates bit. I'm trying
to use information gleaned from the Wiki,
and use certificates already generated on the server for the server
and for OpenVPN.
On 21/12/2015 22:30, Paul Wouters wrote:
On Mon, 21 Dec 2015, Nick Howitt wrote:
I've just upgraded to 3.16 and I thought
I'd have a go at IKEv2 on a road warrior but I'm stuck with the
N
That seems excessive. I am getting about 70kB/d/conn for a LAN-LAN
connection with key lives of 1h and 8h. What do you have in "conn
setup" in ipsec.conf?
As a secondary question, does your system use rsyslog?
Nick
On 22/12/2015 22:46, ChenHao wrote:
Don't you now need a different form of the certutil command for the nss
database? (sql:/etc/ipsec.d instead of etc/ipsec.d)
Nick
On 2016-02-22 02:05, Paul Wouters wrote:
On Sun, 21 Feb 2016, Alex wrote:
Can I just leave out the subnet declarations where they're not
necessary?
Yes.
Also,
Sorry, forgot to reply to all.
Don't you now need a different form of the certutil command for the nss
database? (sql:/etc/ipsec.d instead of etc/ipsec.d)
Nick
On 2016-02-22 02:05, Paul Wouters wrote:
On Sun, 21 Feb 2016, Alex wrote:
Can I just leave out the subnet declarations where the
Use left/rightsubnets instead of left/rightsubnet. Check the man page for
ipsec.conf.
On 2 March 2016 13:44:29 GMT+00:00, Antonio Silva wrote:
>Hi,
>
>i've the following setup
>
>        wan1/lan1 <--- VPN ---> wan2/lan2
> lanA - serverA                serverB - lanB
>
>
You should be able to use an iptables rule something like:
iptables -I POSTROUTING -t nat {traffic_identifier} -j SNAT --to-source 10.27.89.0/24
I'm not sure if --to-source should be 10.27.89.0-10.27.89.255.
The problem is the {traffic_identifier}. The easy solution would be to
use "-d remot
Firewall rules?
On 2016-05-10 16:05, Frank wrote:
Hi,
I'm trying to set up an ipsec connection from a recent centos7 box to a
pfSense with strongSwan (charon), as a test before connecting to a
remote ciscoASA.
SA's seem up.
I can't get traffic to the other side (host on 192.168.211.2 or .12):
Try:
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
Nick
On 10/05/2016 19:25, Frank wrote:
Hi,
The ping still gives the same:
ping -I 192.168.1.2 192.168.211.2
PING 192.168.211.2 (192.168.211.2) from 192.168.1.2
Hi,
There is a permission error with the el6 binary,
https://download.libreswan.org/binaries/rhel/6/x86_64/libreswan-3.18-1.el6.x86_64.rpm.
It returns a 403 - Forbidden
Regards,
Nick
On 27/07/2016 15:34, The Libreswan Project wrote:
Release
Hi,
With my Draytek I use auto=add, ike=aes256-sha1;modp2048 and
phase2alg=aes256-sha1. I think if you do auto=start the Draytek tries to
make 2 connections, one as initiator and one as responder and gets
confused, but I have not looked at it in ages.
If your system uses rsyslogd you can eas
Following this thread, wouldn't it be better to have Libreswan ignore
any non-compatible settings when vti-routing=no, and perhaps log
warnings when the conn is loaded, rather than rely on a note on the wiki
which is liable to get overlooked?
Nick
On 2016-09-27 11:45, Reuben Farrelly wrote:
Don't have any blank lines in a conn definition.
On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes wrote:
>Hi All,
>
>I'm having huge issues setting up an IPSec tunnel from a Libreswan
>system
>to Huawei VRP device and was hoping someone could assist me in
>pinpointing
>what the error is
>
>Here
mote which I'll
forward on as soon as I get it.
Regards
Ian
On Wed, Nov 2, 2016 at 9:22 AM, Nick Howitt wrote:
Don't have any blank lines in a conn definition.
On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes wrote:
Hi All,
I'm having huge issues setting up an IPSec tunnel fro
ny difference - but it didn't. The connection itself never
gets established, it just sits pending phase 2 and then stops
after 10 attempts.
Cheers
Ian
On Wed, Nov 2, 2016 at 10:26 AM, Nick Howitt <n...@howitts.co.uk> wrote:
How long is the connection run
Hi Paul,
Many thanks for the update.
I tried using yum update to update from the libreswan repo into ClearOS
7.2 and it found nothing in the el7 repo. Looking at the files there,
from the file names it looks like the binary rpm there has been set as
7.3 only, as is the source. Is this correct
wrote:
That's 3.19 with initial CREATE_CHILD_SA support
Sent from my iPhone
On Jan 16, 2017, at 12:48, Nick Howitt wrote:
Oh Yuck. It is now showing. It was not yesterday even though I could see it in
the repo when browsing it:
[root@server ~]# yum clean all && yum lis
On 2017-02-23 21:40, Paul Wouters wrote:
On Thu, 23 Feb 2017, Adam Tauno Williams wrote:
I am attempting to set up an IPSec VPN with an openStack cloud provider
[Catalyst].
I seem to get through Phase#1 [IKE] but no matter what I try in the
config file I cannot get past Phase#2.
Usually tha
Ahh, but as I pointed out at the time, as you put
https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.20-0.1.dr1.el7.centos.x86_64.rpm
into your el7 repo, this will automatically install over 3.19 if you
have automatic updates enabled.
Nick
On 09/0
Hi Paul,
The libreswan el7 repo is giving a 403:
[root@server ~]# yum update libreswan
Loaded plugins: clearcenter-marketplace, fastestmirror
libreswan | 2.9 kB 00:00
libreswan/7/x86_64/primary_db
Hi Paul,
That's working now, thanks.
Nick
On 23/03/2017 17:49, Paul Wouters wrote:
On Thu, 23 Mar 2017, Nick Howitt wrote:
The libreswan el7 repo is giving a 403:
Fixe
Hi Paul,
I'm trying to set up a very basic IKEv2+PSK conn from Android 5.0.1 to
libreswan 3.20 but it is giving errors:
conn test
type=tunnel
authby=secret
auto=add
left=82.19.158.192
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
right=%any
rightid=@nick
salifetime=1h
ikelifetime
On Apr 28, 2017, at 13:06, Nick Howitt wrote:
Hi Paul,
I'm trying to set up a very basic IKEv2+PSK conn from Android 5.0.1 to libreswan 3.20 but it is giving errors:
conn test
type=tunnel
authby=secret
auto=add
left=82.19.158.192
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
righ
e. It looks like it chooses a proposal
but then says it does not.
Regards,
Nick
On 28/04/2017 18:23, Nick Howitt wrote:
Thanks. I guessed that but I copied and pasted them so I am not sure
why. I'll try again.
Regards,
Nick
On 28/04/2017 18:09, Paul Wouters wrote:
It means your PSK
.
Regards,
Nick
On 28/04/2017 19:43, Nick Howitt wrote:
OK, I've tried a simpler PSK for the moment and I get past that
bit.
Now I get a no proposal chosen and I can't find a way out. Leaving
them empty does not work and I ca
a working VPN solution,
I can't afford to give any more time to it.
Regards,
Nick
On 09/05/2017 05:25, Paul Wouters wrote:
On Mon, 8 May 2017, Nick Howitt wrote:
I got the following to connect:
Hi All,
I've just noticed something similar. I have a conn with auto=add and
rekey=no:
conn PaulIn
type=tunnel
authby=secret
dpdtimeout=120
dpddelay=30
auto=add
left=%defaultroute
leftsourceip=172.17.2.1
leftsubnet=172.17.2.0/24
leftid=@Nick
right=%any
rightsubnet=192.168.30.0/24
s
is set to clear, it should never rekey.
Regards,
Nick
On 22/06/2017 19:57, Paul Wouters wrote:
On Thu, 22 Jun 2017, Nick Howitt wrote:
I've just noticed something similar. I
have a conn with auto=add and
On 22/06/2017 21:07, Paul Wouters wrote:
On Thu, 22 Jun 2017, Nick Howitt wrote:
Originally the "roadwarrior" set up was
that one end would never initiate or rekey. This was done with
auto=add and rek
e the
correct conn rekeying every 50min or so, but libreswan also initiates to
the old IP address every 1min 4s. It does not happen all the time as the
remote IP address changed again last night without any issues.
I've restarted ipsec with plutodebug=all.
Regards,
Nick
On 22/06/2017 21:24, N
.d/ipsec.*.conf
HTH,
Nick
On 23/06/2017 17:53, Nick Howitt wrote:
Hi Paul,
I've had another look at the logs I sent directly to you yesterday,
and it looks like the change of the remote IP successfully
renegotiated the conn initiated by the other end (Draytek). It is just
our end wh
Hi,
Whoever was coming in from 74.217.90.250 (Ashburn, VA?) to download the
log file, please remove the trailing "." from the URL you are using and
try again. I've unbanned your IP.
Regards,
Nick
On 30/06/2017 17:07, Nick Howitt wrote:
Hi Paul,
I sent you a message dire
connection.
Jun 26 18:18:31: "PaulIn"[2] 79.71.154.43 #77: DPD: could not find newest phase 1 state - initiating a new one
I guess the fix is easy.
-antony
On Fri, Jun 30, 2017 at 05:07:07PM +0100, Nick Howitt wrote:
Hi Paul,
I sent you a message directly a few days ago but I guess i
Hi Paul,
Libreswan updated last night and now fails to start:
Aug 10 20:36:49 server addconn: /usr/libexec/ipsec/addconn: symbol lookup error: /usr/libexec/ipsec/addconn: undefined symbol: ub_ctx_create_event
Aug 10 20:36:49 server systemd: ipsec.service: control process exited, code=exited s
of the
rpm's they were compiled into the libreswan repo.
Regards,
Nick
On 10/08/2017 20:49, Paul Wouters wrote:
Recompile unbound with libevent support.
Sent from my iPhone
On Aug 10, 2017, at 15:46, Nick Howitt wrote:
Hi
o there is no
requirement in the libreswan rpm for unbound >= 1.5.0 either as
that would have stopped it from installing.
On 10/08/2017 21:27, Paul Wouters wrote:
On Thu, 10 Aug 2017, Nick Howitt wrote:
Presumably then th
.so.5. I'm not sure even where to find the el7.centos
packages on the download site. Presumably the repos are looking
somewhere else. I'll have to dig further.
On 10/08/2017 21:35, Nick Howitt wrote:
Sorry, but I did not build the files. Libr
Thanks. Look forward to it. At least my VPN is not mission critical
- just inter-family.
On 10/08/2017 21:56, Paul Wouters wrote:
On Thu, 10 Aug 2017, Nick Howitt wrote:
I tell a slight lie. I have
libreswan-3.21-1
Hi Paul,
It is all looking good now and I can see the same files in libreswan
downloads as yum installs.
Thanks,
Nick
On 10/08/2017 22:51, Paul Wouters wrote:
On Thu, 10 Aug 2017, Nick Howitt wrote
Hi Paul,
This updated last night but it is only an rc. Do you know why rc's are
being pushed to the main repo? Does this mean you recommend running with
the repo disabled and only update manually once you get a release e-mail?
Regards,
Nick
I don't know how to set up what you want but here are a few clarifications:
1 - left and right can be either end! Perhaps a better terminology for
you to understand is "end1" and "end2". libreswan will work out which is
the local and which is the remote end from things like the leftip.
Typicall
Hi Paul,
I've been playing around with leftsubnet and leftsubnets to see if
either leftsubnet can be used for multiple subnets (it can't) or if
leftsubnets can be used for a single subnet (it can with or without the
braces). Is there any disadvantage of using leftsubnets for a single
subnet a
2018 09:26, Nick Howitt wrote:
Hi Paul,
I've been playing around with leftsubnet and leftsubnets to see if
either leftsubnet can be used for multiple subnets (it can't) or if
leftsubnets can be used for a single subnet (it can with or without
the braces). Is there any disadvantage
Hi Paul,
ClearOS comes with the following automatic rules to allow traffic to
pass through the tunnel using packet marking:
iptables -I PREROUTING -t mangle -p esp -j MARK --set-mark 0x64
iptables -I INPUT -m mark --mark 0x64 -d my_wan_IP -j ACCEPT # necessary for incoming traffic
Hi Tuomo,
Thanks. Replies are in-line. The devs have realised the existing rules
are old/legacy and need revisiting. I am just investigating to see if I
can get ahead of the game.
Nick
On 03/04/2018 08:13, Tuomo Soini wrote:
On Mon, 2 Apr 2018 09:06:29 +0100
Nick Howitt wrote:
Hi Paul
Have you seen the AWS set up section on the wiki at
https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address,
noting the configuration of the loopback interface?
Nick
On 29/04/2018 23:19, Paul Connolly wrote:
thanks so much for the response. Below is the le
Hi Paul,
Thanks for the update. I can see the file in the el7 repo but yum does
not pick it up.
Regards,
Nick
On 28/06/2018 00:40, The Libreswan Project wrote:
The Libreswan Project has released libreswan-3.25
This is a major bugfix release
Hi Paul,
In the conn you can use left=%defaultroute which automatically picks up
your left IP. There does not seem to be an equivalent in the secrets
file or am I missing something? I can use an FQDN or I can set %any to
get round it but %any has other side effects like limiting you to one
se
On 04/07/2018 16:03, Paul Wouters wrote:
On Wed, 4 Jul 2018, Nick Howitt wrote:
In the conn you can use left=%defaultroute
which automatically picks up your left IP. There does not seem
to be an equivalent in the
Use the left/rightsourceip - but only relevant at the local end.
On 16/08/2018 13:43, Bruno de Paula Larini wrote:
Hi list!
What would be the correct way to make Libreswan host connections go
through the tunnel (considering it isn't its own default gateway, of
course)?
I'm using Libreswan 3
AFAIK the first and second work. At a guess the third might. Try it
and see if your connections instantiate as expected.
On 27/09/2018 15:41, Eugeniy Khvastunov wrote:
Hi all!
What is r
A bit of a sideways jump, but have you done the AWS set up for
elastic IP's -
https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
Nick
On 08/10/2018 01:12, rayv33n wrote:
Oct 8 11:04:09.025208: | parent_init v2 state object not found
Oct 8 11:04:09.025506: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private#0.0.0.0/0)
Rather than restart ipsec which restarts all conns, can you do it on
a per-conn basis using the "ipsec auto delete/replace/add/start"
commands?
On 10/10/2018 15:38, Whit Blauvelt wrote:
Hi,
What's best practice for restarting a connection when the
10/10/2018 16:08, Whit Blauvelt wrote:
On Wed, Oct 10, 2018 at 03:58:19PM +0100, Nick Howitt wrote:
Rather than restart ipsec which restarts all conns, can you do it on a per-conn
basis using the "ipsec auto delete/replace/add/start" commands?
Your link is broken.
Have you tried looking at the Libreswan site's Configuration
Examples https://libreswan.org/wiki/Configuration_examples?
If you need help you'll have to post your configuration at each end
from /etc/ipsec.conf and any included files.
On 09/01
** Resending as it went out as HTML and got scrubbed from the
message digest. **
Your link is broken.
Have you tried looking at the Libreswan site's Configuration
Examples https://libreswan.org/wiki/Configuration_examples?
If you need help you'll have to post you
Are you trying to do a LAN-LAN connection? If so you don't want anything
to do with l2tp or xauth. Have a look at the examples I linked you to
earlier on the libreswan web site. What you have here is for roadwarriors.
Nick
On 10/01/2019 16:31, Antonios Katsouros wrote:
yes its there!!!
this
Try adding a line "interfaces=%defaultroute" to config setup.
On 23/01/2019 16:04, Alex wrote:
Hi,
I've now tried to do it using RSA keys, but it has a problem with the
"%any" statement:
I forgot to add the ipsec auto output that shows it has a problem with %any:
config setup
prot
Left and Right don't really matter. Libreswan will work out which is
which. Some conventions say Left=Local but it does not have to. You can
also do Left=HQ and Right=somewhere-else-or-roadwarrior then you can
(sometimes) just copy the config file from HQ to remote and it will work.
Why does
# ipsec auto --up wyckofftun
029 "wyckofftun": cannot initiate connection without knowing peer IP
You cannot use right=%any and left=%defaultroute, as then libreswan
cannot determine whether it is supposed to be "right" or "left".
I've used it for years and mention it each time you make this
On 24/01/2019 04:01, Paul Wouters wrote:
On Wed, 23 Jan 2019, Alex wrote:
I'm still not fully clear what you are doing. Are the laptops and
desktops and phones on a LAN with NAT and there is a remote VPN gateway
somewhere else on the internet? If so, then your right= should for sure
point to
On 24/01/2019 19:44, Paul Wouters wrote:
It changes things slightly. If you are on dynamic IP but your machine
does have its DNS name updated when its IP address changes, then you
can use right=@DNSNAME and left=@DNSNAME and when the connection fails
(eg you enable DPD) then the DNS name will
On 25/01/2019 03:23, Paul Wouters wrote:
On Thu, 24 Jan 2019, Nick Howitt wrote:
It changes things slightly. If you are on dynamic IP but your
machine
does have its
On 26/01/2019 03:58, Paul Wouters wrote:
On Fri, 25 Jan 2019, Alex wrote:
The dynamic IP does have a hostname that travels with any IP change
(courtesy of freedns.afraid.org), so this should mean I can use left
to mean local (orion) and right to mean remote (wyckoff) on both
sides, keeping t
On 26/01/2019 16:22, Paul Wouters wrote:
On Jan 26, 2019, at 03:54, Nick Howitt wrote:
all the tunnels seem to have come up, so likely this is now related to
NAT or MASQUERADING rules. Or forwarding rules, or those nodes not
having a gateway pointing to the VPN server for those remote
, Paul Wouters wrote:
On Sat, 26 Jan 2019, Nick Howitt wrote:
It would be nice if we could extend
that functionality to cover all
combinatory cases with a multiple
leftsourceip=1.2.3.4,5.6.7.8 but we
On 27/01/2019 21:30, Alex wrote:
Hi,
On Sun, Jan 27, 2019 at 1:28 PM Paul Wouters wrote:
On Sun, 27 Jan 2019, Alex wrote:
Yes, the tunnels have come up, but it appears no data is passing through them:
# ipsec whack --trafficstatus
006 #6: "wyckofftun/1x1", type=ESP, add_time=1548605279,
.co.uk' at load time: illegal (non-DNS-name) character in name
002 added connection description "nick-ikev2"
Thanks
Nick
On 25/01/2019 08:20, Nick Howitt wrote:
On 25/01/2019 03:23, Paul Wouters wrote:
Hi Paul,
Can you clarify port usage? Does ipsec always have to be from
udp:500 to udp:500 or can it be from high ports? Similarly, for NAT
traffic is it to/from udp:4500 or can the from be from high ports?
(I know there is also ESP and AH)
Thanks,
Nick