Hello Phil,
> Client 1 send the packet addressed for 8.8.4.4, and the server receives it.
> Now the server doesn't know about the routing tables on client 1: it only
> knows it has this packet addressed to 8.8.4.4. How does the server know a
> packet for 8.8.4.4 should go through client 2?
It
Hi
I have an IKEv1 session up; however, I also see multiple child SAs if I leave
the session for a long run. I would like to understand this scenario and
whether I should take any actions if these scenarios are seen.
sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP,
ESP:AES_CBC-128/HMAC_SHA1_96
On Fri, May 4, 2018 at 7:57 AM Arab Abdulla wrote:
> Dear Admins!
>
> Please help. Can't make work routing. I have net scheme:
> IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2
>
> IPSEC IPs of computers:
> Server: 10.1.1.1
> Client 1: 10.1.2.1
> Client 2: 10.1.3.1
>
Hi Tobias,
> So you're using IKEv1 now? (Was IKEv2 in your original mail, and you
> should definitely prefer that if you can.)
Yes, this is another customer. I should have opened another thread.
> Different IKE proposals. With ipsec.conf the default proposal(s) are
> added to whatever you
It's designed for a very specific use case, but if you install it in a
sandbox somewhere, you can get a feel for the powershell scripts and
other bits that are used to configure the clients.
It's all wrapped around Strongswan, so you can transfer the
functionality to your own setup, if you
We are working with very locked-down systems, so we wouldn't be able to install
that software, unfortunately, but we will have a look out of interest.
Thanks
> On 4 May 2018, at 13:15, Tom Rymes wrote:
>
>> On 05/04/2018 3:45 AM, Christian Salway wrote:
>> Thanks to Dirk Hartmann and
Hi Marco,
> Here are the two outputs:
>
> (non working)
> [IKE] initiating Main Mode IKE_SA cbt[494] to 31.169.105.210
> [ENC] generating ID_PROT request 0 [ SA V V V V V ]
> [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (180
> bytes)
So you're using IKEv1 now? (Was
On 05/04/2018 3:45 AM, Christian Salway wrote:
Thanks to Dirk Hartmann and his scripting idea, the simplest way to add
a VPN connection to Windows 10 that includes the routing to the internal
IP is by running the following commands in PowerShell. This
also enables strong ciphers
Hi Tobias,
> The other end sends that notify back because it couldn't authenticate
> the initiator, so check the log there.
Unfortunately, I have no access to the other IPsec peer.
I have also tried with another customer and I'm getting
the same behavior.
Here are the two outputs:
(non working)
Hi Marian,
> I checked it.
>
> Fedora 28:5.6.2-2
> Ubuntu 18.04: 5.6.2-1
>
> Both behave the same.
You can't compare these version numbers; only 5.6.2 is from upstream,
the part afterwards depends on the distribution (this is different for
Ubuntu and Debian as the Ubuntu packages are
Hi Marco,
> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> [IKE] received AUTHENTICATION_FAILED notify error
The other end sends that notify back because it couldn't authenticate
the initiator, so check the log there.
Regards,
Tobias
Hi Darren,
>>> Just noting that https://download.strongswan.org/osx/ shows no current
>>> Mac native app builds. It's not mentioned at
>>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm
>>> curious if these builds are no longer being done.
>>
>> See [1].
>
> Thanks! Would a
Hi Marian,
> recent versions of NetworkManager-strongswan plugin cannot parse DNS
> settings correctly.
That's a known issue and it's not related to the plugin but the
charon-nm backend (i.e. the fix is on top of strongSwan 5.6.2, not the
NM plugin 1.4.x). See [1], and [2] for the fix (Debian's
On Thu, May 3, 2018 at 2:03 AM, Tobias Brunner wrote:
> > Just noting that https://download.strongswan.org/osx/ shows no current
> > Mac native app builds. It's not mentioned at
> > https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm
> > curious if these
> mobike = no
> By the way I don't understand why strongswan is
> sending packets to 4500/udp.
OK, I found that "mobike = no" changes the swap to 4500/udp.
However, I don't understand why the PSK authentication is failing.
--On Friday, May 04, 2018 07:55:11 AM +0100 Christian Salway
wrote:
Not sure if it was a bad copy-paste, but you need a space after
-PassThru
Set-VPNConnectionIPsecConfiguration -ConnectionName "my-vpn"
-AuthenticationTransformConstants SHA256128
Dear Admins!
Please help. Can't make work routing. I have net scheme:
IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2
IPSEC IPs of computers:
Server: 10.1.1.1
Client 1: 10.1.2.1
Client 2: 10.1.3.1
I can ping 10.1.3.1 from 10.1.2.1, traffic goes through 10.1.1.1. It works.
I need to make
Hi all,
recent versions of NetworkManager-strongswan plugin cannot parse DNS
settings correctly.
--
Detailed description of the bug
I upgraded two of my work computers:
from Ubuntu 17.10 to Ubuntu 18.04
and
from Fedora 27 to
Thanks to Dirk Hartmann and his scripting idea, the simplest way to add a VPN
connection to Windows 10 that includes the routing to the internal IP is by
running the following commands in PowerShell. This also enables
strong ciphers (MODP2048).
This is for a username/password VPN.
Wow !
You are right. I opened the file in a text editor now and I saw the
entire folder (or whatever they call this branch in the windoze world).
Thanks for the warning. I didn't know Windows could be that stupid when
I explicitly clicked on only one key.
On 2018-05-04 18:43, Christian
Not sure if it was a bad copy-paste, but you need a space after -PassThru
Set-VPNConnectionIPsecConfiguration -ConnectionName "my-vpn"
-AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup
Still working on this issue so a quick morning update.
I've figured out that in the IKE_AUTH request, the client tells strongSwan what
it supports as "information".
# Win10 supports ADDR(1) DNS(3) NBNS(4) SRV ADDR6(8) DNS6(10) SRV6
# OSX supports ADDR DHCP(6) DNS MASK(2) ADDR6
--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino
wrote:
Hi,
Just to keep a complete record of this for other people who may
search the list archive for this solution:
The solution was to create a Windows registry key:
Path:
Be careful when you do the export, as it exports all the other values in the
same key. You should keep just the NegotiateDH2048_AES256 value.
The contents of the exported key should look as follows:
Windows Registry Editor Version 5.00
Hi,
Just to keep a complete record of this for other people who may search the list
archive for this solution:
The solution was to create a Windows registry key:
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Key: NegotiateDH2048_AES256
Type: DWORD 32bit
Value: