Re: [strongSwan] NixOS test

2017-08-31 Thread Bas van Dijk
On 31 August 2017 at 19:40, Noel Kuntze wrote:
> The aborting of the initiation is a deliberate design decision. That is
> because this is a configuration error of the remote peer.
> Use auto=route to get the kernel and charon to try to establish

Re: [strongSwan] NixOS test

2017-08-31 Thread Noel Kuntze
Hi, The aborting of the initiation is a deliberate design decision. That is because this is a configuration error of the remote peer. Use auto=route to get the kernel and charon to try to establish a matching CHILD_SA for the traffic matching the TS. There are many more failure cases than just

Re: [strongSwan] NixOS test

2017-08-31 Thread Bas van Dijk
I've now changed the testScript[1] to first start moon, wait for the strongswan-swanctl service to start and then start carol. Using this setup it's almost guaranteed that moon has loaded the connection before carol initiates the connection. In the process of debugging this I did discover the

[strongSwan] How to set local_ts to exclude one special ip in a subnet?

2017-08-31 Thread nfel
I have read the wiki about swanctl.conf, but have not found a good solution. E.g. I have a subnet 172.22.0.0/16, and a special IP 172.22.22.22 that should not go through the IPsec tunnel. Does StrongSwan support '-'? Like this: local_ts = 172.22.0.1-172.22.22.21,172.22.22.23-172.22.255.255 Is

Re: [strongSwan] How to set local_ts to exclude one special ip in a subnet?

2017-08-31 Thread Tobias Brunner
Hi,
> Is there any easy way?
Define a passthrough policy for that IP (mode=pass). Regards, Tobias

Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread Andreas Steffen
Hi John, currently strongSwan supports signature keys residing in the NVRAM of the TPM 2.0 only. These can be accessed using the object handle range 0x8101. Private keys stored in the NVRAM of the TPM 2.0 have the big advantage that you can wipe the hard disk or SSD without irretrievably

Re: [strongSwan] NixOS test

2017-08-31 Thread Bas van Dijk
Ok, after studying this part of the log a bit further: https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925#file-strongswan-swanctl-test-failure-log-L1428:L1459 I see that the following is going on:
1. moon has started charon-systemd but hasn't loaded the connection yet
2. carol

Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread John Brown
Hi Tobias, hi all, After some reading I have come to the conclusion that TPM 2.0 can only be used with strongSwan 5.5.2 or newer. The example that the strongSwan wiki provides shows storing the keys inside the TPM (as far as I understand the example correctly). But all the TPM sources I've read state that

Re: [strongSwan] NixOS test

2017-08-31 Thread Bas van Dijk
I also included the log of a successful test run: https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925#file-strongswan-swanctl-test-success-log
On 31 August 2017 at 09:09, Bas van Dijk wrote:
> I noticed that my test succeeds most of the time but I just

Re: [strongSwan] NixOS test

2017-08-31 Thread Bas van Dijk
I noticed that my test succeeds most of the time but I just observed a test run where carol keeps trying to ping alice but fails each time. The following line from the test log[1] seems suspect:
carol# [ 4.538963] charon-systemd[716]: received NO_PROPOSAL_CHOSEN notify error
I haven't looked