Hi All,
We are having this issue with route addition. Eth3 is a loopback interface. Any
clues why?
Oct 18 14:26:46 ubuntu-28 charon: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting SPI for reqid {1}
Oct 18 14:26:46 ubuntu-28
On 18.10.2016 22:11, Brian O'Connor wrote:
>
> So, for forwarded traffic (as distinct from locally sourced packets), I
> understand the packet to flow through the mangle and nat postrouting chains
> twice, and the other iptables output chains for raw, mangle, nat and filter
> tables only once
Noel,
I note your last message clearly emphasised that packets from a local process
are processed twice via the output path of the graphic.
So, for forwarded traffic (as distinct from locally sourced packets), I
understand the packet to flow through the mangle and nat postrouting chains twice,
On 18.10.2016 21:43, Brian O'Connor wrote:
> I think I have the decryption process clear but was not clear on the iptables
> processing for encrypted packets. From what you said, it looks like the NAT-T
> header is added after the iptables processing of an outbound encrypted packet,
> on the
Thank you, Noel.
I am trying to understand how the inner and outer IP headers for tunneled IPsec
packets are processed by iptables, to help troubleshoot an anomalous situation I found.
I think I have the decryption process clear but was not clear on the iptables
processing for encrypted
On 18.10.2016 21:27, Noel Kuntze wrote:
> Hello Brian,
>
> On 18.10.2016 21:05, Brian O'Connor wrote:
>
>> > 1. Where in the diagram is NAT-T de-capsulation performed?
> XFRM lookup.
Err actually xfrm decode.
>> >
>> > 2. Where in the diagram is NAT-T encapsulation performed?
> XFRM
Hello Brian,
On 18.10.2016 21:05, Brian O'Connor wrote:
> 1. Where in the diagram is NAT-T de-capsulation performed?
XFRM lookup.
>
> 2. Where in the diagram is NAT-T encapsulation performed?
XFRM lookup.
>
> 3. Does the NAT-T UDP header have to be removed so the iptables IPsec
>
Hello,
The commonly quoted packet flow diagram at [1] does not show where NAT-T is
implemented for IPsec MOBIKE. Questions are:
1. Where in the diagram is NAT-T de-capsulation performed?
2. Where in the diagram is NAT-T encapsulation performed?
3. Does the NAT-T UDP header have to
Rajeev,
I guess the config option '--enable-monolithic'
builds charon with all plugins compiled into one binary
blob. Try and remove this option. Then remove the
load_modular option from your strongswan.conf, or place
the configuration snippets in your file system as
described in [1].
Noel,
I am still having an issue after going through many hit-and-trial methods to fix
this,
root@Xilinx-ZCU102-2016_1:~# charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
Hi
I was using the make-before-break feature of strongswan to avoid packet
loss in one of our implementations.
We have an IPsec offload hardware that forwards packets encrypted/decrypted
using IPsec policies and SAs.
These SAs and policies are configured by intercepting the strongswan
messages to