it in tcpdump.org distribution.
what are those nasty effects?
On Sat, Mar 24, 2012 at 10:39 PM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
hi!
i seem to remember that the ipsec implementation on openbsd provided a
virtual interface where i could connect with tcpdump and see all the
decrypted traffic to/from the host.
how can i do something similar with strongswan? any cool iptables
tricks to get to the decrypted traffic?
Hi!
now i ran strongswan 4.5.2 for two days and it looks more stable then
4.4.1 on our testbed.
however, even 4.5.2 died tonight. the connection between alvina and
sarah went down and attempts to reinitiate it failed.
i attach the output of grep alvina /var/log/daemon (on sarah) and vice
thanks!
/andreas
On Thu, May 26, 2011 at 12:51 PM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
On Wed, May 25, 2011 at 8:49 AM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
now i uploaded new logs from taylor and aldona. the two dropped their
SA sometime after 2011-05-24T21:48:21 (that is the last good SA
negotiation i can see in the logs) and didn't manage to establish a new
On Tue, May 24, 2011 at 8:48 AM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
On Mon, May 23, 2011 at 11:44 PM, Andreas Steffen
andreas.stef...@strongswan.org wrote:
Hello Andreas,
debugging these many connections might be easier using the
condensed /var/log/auth.log which has
of the peers not online yet or is the computing power of the
hosts so small that they cannot handle more than 4 IKE_SAs without
multiple retransmission rounds?
Regards
Andreas
On 05/23/2011 08:14 PM, Andreas Schuldei wrote:
the charon log files for these four hosts are available for download here
for almost a year now we have the infrastructure (configuration wise)
to be able to run ipsec between our servers in a full host-to-host
mesh.
one important puzzle bit is the smooth deployment, though. it is
necessary to deploy it in small, controlled steps, and it is important
to be able to roll
In order to have fine grained control over the IPsec traffic in our
distributed network of host-to-host ipsec connections we would like to
create an ACL-like system.
For example all servers should be able to talk to infrastructure hosts
(like DNS or backup servers).
Only the other storage
ah, and one server could be in several classes of machines (e.g.
search and storage)
On Thu, May 13, 2010 at 1:09 AM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
In order to have fine grained control over the IPsec traffic in our
distributed network of host-to-host ipsec connections
hi!
i want to deploy strongswan (in host-to-host mode) on servers which
are operating in several clusters. the plan is to secure both the
traffic within a cluster and between the clusters with ipsec. the
machines are in constant use.
how can i deploy ipsec without disrupting the traffic between
what happens?
this is an important point. we need to get more performance (about
twice as much) out of these boxes than this.
On Tue, Dec 29, 2009 at 2:55 AM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
so i configured ssh to bypass ipsec, set up ssh to use blowfish
encryption and set
the odd package size? MTU is 1500. there seems to be plenty of
space. this is ONE huge file transmitted via http.
On Tue, Dec 29, 2009 at 5:34 PM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
i suspect there is some ipsec internal bottleneck there. with an other
long-running test we
-Michel Pouré jmpo...@free.fr:
On Tuesday 29 December 2009 at 21:31 +0100, Andreas Schuldei wrote:
now i switched the cipher to blowfish. as a result the percentage the
server spends in the kernel went down to 3.5%-4.9%. my guess is that
this is due to the quicker cipher.
the apache process which
http://marc.info/?l=linux-kernel&m=126155699817914&w=2
but i don't understand what the bottleneck is. can someone help me out?
On Tue, Dec 29, 2009 at 9:31 PM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
now i switched the cipher to blowfish. as a result the percentage the
server spends
On Sat, Dec 26, 2009 at 5:11 PM, Daniel Mentz
danielml+mailinglists.strongs...@sent.com wrote:
Hi Andreas Schuldei,
I guess that IKE traffic on port 500 is never protected by ESP because it
has its own protection which
On Mon, Dec 28, 2009 at 11:16 PM, Andreas Schuldei
schuldei+strongs...@spotify.com wrote:
Daniel, thank you VERY much!
when would be a good time to run those commands? are there hooks in
strongswan to call a script containing those commands? or are there
scripts on the system already where i
so i configured ssh to bypass ipsec, set up ssh to use blowfish
encryption and set up rshd on the test machine (which gave me
goosebumps).
r...@krista:~# time rcp bigfile teagan:
real    0m8.738s
user    0m0.008s
sys     0m7.188s
r...@krista:~# time scp bigfile teagan:
bigfile
hi!
now that i have ipsec in place, how do i replace ssh? i would like to
avoid double encryption, in order to not create extra work.
how well do rsh, rcp and friends perform? i see there is a package
rsh-redone-server (and client) in debian, working over inetd. does
anyone use those? did someone
On Fri, Dec 25, 2009 at 10:37 PM, Daniel Mentz
danielml+mailinglists.strongs...@sent.com wrote:
Andreas Schuldei wrote:
now that i have ipsec in place, how do i replace ssh? i would like to
avoid double encryption, in order to not create extra work.
I recommend not to replace ssh even
hi!
i would like to initiate my SAs just in time, meaning that they
should only set up the secure connection when there is real traffic,
not ahead of time.
background to that is that i want to do a full mesh of host-to-host
transports, both within one site in order to get rid of firewalls per
On Thu, Dec 24, 2009 at 2:22 PM, Daniel Mentz
danielml+mailinglists.strongs...@sent.com wrote:
Hello Andreas Steffen,
this is an interesting topic. I'm wondering whether people should be advised
to add
dpdaction=hold
to their ipsec.conf.
what would that do?
I tried to set up a
the IPsec tunnel just in time.
Best regards
Andreas
Hi!
here is a dump of the configuration of my two involved hosts. as far
as i can see my certificates are from the same ca and i don't use
strongswan 4.3 which apparently had problems with some DNs or so (I
found that in the mailinglist archive).
later on i want to do a full mesh of hosts, how
hi!
i want to make my hosts within one /21 network talk ipsec with each
other directly (transport, not tunnel mode), with minimal
configuration effort.
I will create certificates for all of them and plan to allow
communication via ipsec only with those peers with certs from the same
CA (mine).
I