Hmmm,
in fact, very strange collection of cipher suites the
strongSwan Android client is proposing:
received proposals: ESP:
AES_CBC_128/AES_CBC_192/AES_CBC_256/
3DES_CBC/BLOWFISH_CBC_256/
HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/
NO_EXT_SEQ
I'm not aware that libipsec would support
Hi Andreas,
in fact, very strange collection of cipher suites the
strongSwan Android client is proposing:
received proposals: ESP:
AES_CBC_128/AES_CBC_192/AES_CBC_256/
3DES_CBC/BLOWFISH_CBC_256/
HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/
NO_EXT_SEQ
I'm not aware that libipsec would
Hi Tobias,
yes I would strongly advocate a specific proposal for
Android clients using libipsec, restricted to AES combined
with SHA1/SHA2.
And we should definitively add HMAC_SHA2_256_128 to
our default ESP proposal, putting it in front of
AES_XCBC_96 and HMAC_MD5_96.
Andreas
On 27.09.2012
Hi David,
The first was some simple compile errors which I think I fixed in the
attached patch.
Thanks, applied to master.
On startup I get the following messages:
00[DMN] Starting IKE charon daemon (strongSwan 5.0.1rc1, FreeBSD
9.0-RELEASE-p4, amd64)
00[KNL] unable to set UDP_ENCAP:
Hi Guru,
My primary goal is to disable the replay protection. In
strongswan.conf, if I set the replay_window = 0 (or any value =
32), I see the replay window to be stuck at 32 (when seen with setkey
-D).
You couldn't configure the replay window to be below the default of 32
via
Hi,
Whether Certificate signing using SHA256 is supported in Strongswan.
strongSwan can use and verify certificates signed with SHA256, and it
can issue certificates using SHA256 with our pki tool.
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
switch
I tried doing this a couple of times and did succeed with configuring a
StrongSwan client connecting to a Cisco ASA 5510 in IKEv1/PSK Main Mode. What
works at present is the IKEv1/PSK Aggressive mode. I am no Cisco expert, so its
possible (pointed by endre that it works as well over freenode
I just went through this same problem -- still struggling with routing but seem
to habe the connection.
What's the Cisco config and you ipsec.conf?
Neeraj Sharma kaj...@live.in wrote:
I tried doing this a couple of times and did succeed with configuring a
StrongSwan client connecting to a
Hi,
Please try to keep the discussion on the list.
Could you please once again confirm the problem scenario I have
pointed in the first mail?
Is it because of Certificate corruption or Is it failed, because there
is no support in Strongswan?
If you are talking about the error:
08[LIB]
We have an issue configuring Strongswan to a Cisco router.
The connection is made, but I'm not getting the routing correct. There
are multiple networks behind the router on the remote side (operated by
a vendor) and we need to snat the IP's we come from to match their
assigned range (so it
On 27 September 2012 04:04, Tobias Brunner tob...@strongswan.org wrote:
Hi Guru,
My primary goal is to disable the replay protection. In
strongswan.conf, if I set the replay_window = 0 (or any value =
32), I see the replay window to be stuck at 32 (when seen with setkey
-D).
You couldn't
This probably is not a strongswan issue, as it is the Linux kernel
that crashes. But, I felt the wider community may have seen this and
have some opinions on how to avoid it.
My ipsec.conf summary is as follows:
esp=aes128gcm12-modp1024
ike=aes-sha1-modp1024
type=transport
When I use the
I can replicate this as well - usually in 2-5 hours with 3.2.23 and 3.4.11,
on 82571EB NICs and a E3-1270 CPU. I don't have a full call trace yet (need
to set up a serial console first) but the last 25 lines of mine look pretty
similar to yours.
I'm using tunnel mode, not transport, with
Hi Tobias,
I am also seeing this UDP_ENCAP error in 5.0.1rc1 on my Red Hat Enterprise
Linux 5.6 machine. I did not see it in the 5.0.0 release, so looks like this
error is new in 5.0.1 and is happening not only on the FreeBSD:
Sep 27 11:44:53 sit-iwf charon: 00[DMN] Starting IKE charon daemon
On 27 September 2012 11:13, Robert Woodcock
robert.woodc...@cobaltmortgage.com wrote:
I can replicate this as well - usually in 2-5 hours with 3.2.23 and 3.4.11,
on 82571EB NICs and a E3-1270 CPU. I don't have a full call trace yet (need
to set up a serial console first) but the last 25 lines
15 matches
Mail list logo