Re: [strongSwan] Can't make routing work to pass Internet traffic

2018-05-04 Thread Arab Abdulla
Hello Phil, > Client 1 send the packet addressed for 8.8.4.4, and the server receives it. > Now the server doesn't know about the routing tables on client 1: it only > knows it has this packet addressed to 8.8.4.4. How does the server know a > packet for 8.8.4.4 should go through client 2? It

[strongSwan] Multiple ChildSA

2018-05-04 Thread Naveen Neelakanta
Hi, I have an IKEv1 session up; however, I also see multiple child SAs if I leave the session for a long run. Would like to understand this scenario and whether I should take any actions if these scenarios are seen. sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96

Re: [strongSwan] Can't make routing work to pass Internet traffic

2018-05-04 Thread Phil Frost
On Fri, May 4, 2018 at 7:57 AM Arab Abdulla wrote: > Dear Admins! > > Please help. Can't make routing work. I have net scheme: > IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2 > > IPSEC IPs of computers: > Server: 10.1.1.1 > Client 1: 10.1.2.1 > Client 2: 10.1.3.1 >

Re: [strongSwan] ipsec.conf working vs swanctl.conf not working

2018-05-04 Thread Marco Berizzi
Hi Tobias, > So you're using IKEv1 now?  (Was IKEv2 in your original mail, and you > should definitely prefer that if you can.) Yes, this is another customer. I should have opened another thread. > Different IKE proposals.  With ipsec.conf the default proposal(s) are > added to whatever you

Re: [strongSwan] DHCP!

2018-05-04 Thread Tom Rymes
It's designed for a very specific use case, but if you install it in a sandbox somewhere, you can get a feel for the powershell scripts and other bits that are used to configure the clients. It's all wrapped around Strongswan, so you can transfer the functionality to your own setup, if you

Re: [strongSwan] DHCP!

2018-05-04 Thread Christian Salway
We are working with very locked down systems so wouldn't be able to install that software unfortunately, but will have a look out of interest. Thanks > On 4 May 2018, at 13:15, Tom Rymes wrote: > >> On 05/04/2018 3:45 AM, Christian Salway wrote: >> Thanks to Dirk Hartmann and

Re: [strongSwan] ipsec.conf working vs swanctl.conf not working

2018-05-04 Thread Tobias Brunner
Hi Marco, > Here are the two outputs: > > (non working) > [IKE] initiating Main Mode IKE_SA cbt[494] to 31.169.105.210 > [ENC] generating ID_PROT request 0 [ SA V V V V V ] > [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (180 > bytes) So you're using IKEv1 now? (Was

Re: [strongSwan] DHCP!

2018-05-04 Thread Tom Rymes
On 05/04/2018 3:45 AM, Christian Salway wrote: Thanks to Dirk Hartmann and his scripting idea. The simplest way to add a VPN connection to Windows 10 that includes the routing to the internal IP is by running the following commands in PowerShell. This also enables strong ciphers

Re: [strongSwan] ipsec.conf working vs swanctl.conf not working

2018-05-04 Thread Marco Berizzi
Hi Tobias, > The other end sends that notify back because it couldn't authenticate > the initiator, so check the log there. Unfortunately I have no access to the other ipsec peer. I have also tried with another customer and I'm getting the same behavior. Here are the two outputs: (non working)

Re: [strongSwan] Newest Linux distributions ignore provided DNS settings and provide "garbage" IP addresses instead

2018-05-04 Thread Tobias Brunner
Hi Marian, > I checked it. > > Fedora 28:5.6.2-2 > Ubuntu 18.04: 5.6.2-1 > > Both behave the same. You can't compare these version numbers, only 5.6.2 is from upstream, the stuff afterwards depends on the distribution (this is different for Ubuntu and Debian as the Ubuntu packages are

Re: [strongSwan] ipsec.conf working vs swanctl.conf not working

2018-05-04 Thread Tobias Brunner
Hi Marco, > [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] > [IKE] received AUTHENTICATION_FAILED notify error The other end sends that notify back because it couldn't authenticate the initiator, so check the log there. Regards, Tobias

Re: [strongSwan] Up to date macOS native app builds

2018-05-04 Thread Tobias Brunner
Hi Darren, >>> Just noting that https://download.strongswan.org/osx/ shows no current >>> Mac native app builds. It's not mentioned at >>> https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm >>> curious if these builds are no longer being done. >> >> See [1]. > > Thanks! Would a

Re: [strongSwan] Newest Linux distributions ignore provided DNS settings and provide "garbage" IP addresses instead

2018-05-04 Thread Tobias Brunner
Hi Marian, > recent versions of NetworkManager-strongswan plugin cannot parse DNS > settings correctly. That's a known issue and it's not related to the plugin but the charon-nm backend (i.e. the fix is on top of strongSwan 5.6.2, not the NM plugin 1.4.x). See [1], and [2] for the fix (Debian's

Re: [strongSwan] Up to date macOS native app builds

2018-05-04 Thread Darren S.
On Thu, May 3, 2018 at 2:03 AM, Tobias Brunner wrote: > > Just noting that https://download.strongswan.org/osx/ shows no current > > Mac native app builds. It's not mentioned at > > https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX so I'm > > curious if these

Re: [strongSwan] ipsec.conf working vs swanctl.conf not working

2018-05-04 Thread Marco Berizzi
> mobike = no > By the way I don't understand why strongswan is > sending packets to 4500/udp. OK, I found that "mobike = no" changes the swap to 4500/udp. However, I don't understand why the PSK authentication is failing.

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Dirk Hartmann
--On Friday, May 04, 2018 07:55:11 AM +0100 Christian Salway wrote: not sure if it was a bad copy paste but you need a space after -PassThru Set-VPNConnectionIPsecConfiguration -ConnectionName "my-vpn" -AuthenticationTransformConstants SHA256128

[strongSwan] Can't make routing work to pass Internet traffic

2018-05-04 Thread Arab Abdulla
Dear Admins! Please help. Can't make routing work. I have net scheme: IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2 IPSEC IPs of computers: Server: 10.1.1.1 Client 1: 10.1.2.1 Client 2: 10.1.3.1 I can ping 10.1.3.1 from 10.1.2.1, traffic goes through 10.1.1.1. It works. I need to make

[strongSwan] Newest Linux distributions ignore provided DNS settings and provide "garbage" IP addresses instead

2018-05-04 Thread Marian Kechlibar
Hi all, recent versions of NetworkManager-strongswan plugin cannot parse DNS settings correctly. -- Detailed description of the bug I upgraded two of my work computers: from Ubuntu 17.10 to Ubuntu 18.04 and from Fedora 27 to

Re: [strongSwan] DHCP!

2018-05-04 Thread Christian Salway
Thanks to Dirk Hartmann and his scripting idea. The simplest way to add a VPN connection to Windows 10 that includes the routing to the internal IP is by running the following commands in PowerShell. This also enables strong ciphers (MODP2048). This is for a username/password VPN

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread flyingrhino
Wow! You are right. I opened the file in a text editor now and I saw the entire folder (or whatever they call this branch in the windoze world). Thanks for the warning. I didn't know Windows could be that stupid when I explicitly clicked on only one key. On 2018-05-04 18:43, Christian

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Christian Salway
not sure if it was a bad copy paste but you need a space after -PassThru Set-VPNConnectionIPsecConfiguration -ConnectionName "my-vpn" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup

Re: [strongSwan] DHCP!

2018-05-04 Thread Christian Salway
Still working on this issue so a quick morning update. I've figured that in the request IKE_AUTH is the client telling strongSwan what it supports as "information". # Win10 supports ADDR(1) DNS(3) NBNS(4) SRV ADDR6(8) DNS6(10) SRV6 # OSX supports ADDR DHCP(6) DNS MASK(2) ADDR6

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Dirk Hartmann
--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino wrote: Hi, Just to keep a complete record of this for other people who may search the list archive for this solution: The solution was to create a windows registry key: Path:

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Christian Salway
Be careful when you do the export as it exports all the other values in the same key. You should keep just the NegotiateDH2048_AES256. The contents of the exported key should look as follows: Windows Registry Editor Version 5.00

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread flyingrhino
Hi, Just to keep a complete record of this for other people who may search the list archive for this solution: The solution was to create a windows registry key: Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters Key: NegotiateDH2048_AES256 Type: DWORD 32bit Value: