On 08/09/2011 11:38 AM, luxInteg wrote:
I am attempting to use strongswan-4.5.2 after last playing with
strongswan-2.x some years ago. I have these questions.
Which is the best way to generate certificates for strongswan?
Since you already played around with strongSwan, I assume that you
Dear strongSwan team,
thanks for the great work. I have some comments regarding the following
change:
On 07/19/2011 01:00 AM, Andreas Steffen wrote:
PASS and DROP shunt policies configurable by charon
---
The IKEv2 charon daemon supports
On 06/14/2011 11:59 PM, Andreas Steffen wrote:
usually the console.log shows the setup of the additional
iptables rules:
http://www.strongswan.org/uml/testresults45/ikev2/nat-two-rw-mark/console.log
Hi Andreas and Johannes,
thank you for your quick responses.
I took note of the fact that
I'm looking at the config example at
http://www.strongswan.org/uml/testresults45/ikev2/nat-two-rw-mark/index.html
and I'm wondering where I can find a complete list of all iptables rules
that are in effect.
iptables -L only displays the rules in the filter table. The rules
from the nat and
On 05/20/2011 08:45 AM, Richard Chan wrote:
Using wireshark and trying to sniff the cleartext packet, I can only see
incoming packets.
That's a peculiarity of the Linux kernel. Capture the (UDP encapsulated)
ESP packets and use wireshark to decrypt them. See
If there's a way to detect the setup it would be great if leftfirewall
automatically detects all rules for INPUT or FORWARD chain.
I believe that this is not doable because the rules in your
INPUT/FORWARD chain can be very complex, too complex for a general
solution. Even with the current
On 02/13/2011 12:42 PM, Rene Bartsch wrote:
On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
danielml+mailinglists.strongs...@sent.com wrote:
On 02/13/2011 08:49 AM, Rene Bartsch wrote:
After removing leftfirewall=yes from ipsec.conf and adding the
incoming
FORWARD rule created
Andreas Steffen wrote:
Visit us at our booth 115 in hall 7.2b and attend the strongSwan
workshop which will be scheduled either on Friday June 11 or
Thursday June 10. We will post the exact time as soon as the
information becomes available.
Hi Andreas,
I'm excited about this workshop and I
Russ Cox wrote:
The tunnel has come up ok, but no traffic appears to be getting routed
through the tunnel.
Hi Ross,
could you please post the output of the following commands:
ip -4 a s
ip -4 r s t 0
iptables-save
Did you use tcpdump on both interfaces of the gateway in order to find
out
Andreas Steffen wrote:
in the default configuration the pluto daemon binds to the UDP ports 500
and 4500 whereas the charon daemon uses a raw socket with Linux
Socket Filter (LSF) rules filtering and forwarding IKE version 2
messages to the IKEv2 daemon. Thus it is no problem to use racoon
in
Peter Winterer wrote:
Hi Daniel,
Am 08.03.2010 10:02, schrieb Daniel Mentz:
Matthias Dahl wrote:
To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
This however, includes your local network in the tunnel too.
One could consider this a bug. Most people certainly never
ABULIUS, MUGUR (MUGUR) wrote:
If rightca is specified then we only request certificates issued by rightca.
Otherwise we send certificate requests for all CAs contained in
/etc/ipsec.d/cacerts/
If rightca= is specified, then it is required that a certificate matching
the specified
DN to
Hi Vladimir,
I recommend not to depend on IPsec policies if you want to enforce that
no unencrypted traffic leaves the gateway and that no unprotected
traffic is accepted.
Use the policy match provided by iptables. Here's an example:
iptables -A FORWARD -m policy --dir out --pol ipsec -j
Hi Jana,
please go to
http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
for IKEv1 Configuration Examples. PSK with XAUTH authentication and
virtual IP addresses or RSA with XAUTH authentication and virtual IP
addresses is probably the right one for you.
Please refer to
Hi Razza,
you need to set up your DSL/NAT router to forward UDP datagrams destined
for ports 500 and 4500 to your strongSwan box.
You said that you want to allocate IP addresses for road warriors inside
the 192.168.10.0/24 range. This could be difficult to achieve. Can you
waive this
rather just buy Win 7.
I am happy with a different range, say 192.168.1.0/24 for the VPN users.
Kind regards,
On 19 February 2010 12:29, Daniel Mentz
danielml+mailinglists.strongs...@sent.com wrote:
Hi
ashish mahalka wrote:
establishes SA b/w the peers, it should over-write those discard
policies and install ipsec policies in the kernel. Is this possible ?
Hi Ashish,
sorry, but I do not like this idea much. With your design, both,
strongSwan and your shell scripts access the policy
I'm wondering if we should change the wiki page
http://wiki.strongswan.org/wiki/strongswan/IKEv2CipherSuites
so that it maps to
http://www.iana.org/assignments/ikev2-parameters
I'm focusing on Integrity Algorithms at this moment: I suggest to add
additional columns that refer to the
Hi Ashish,
did you try
auto=route
in ipsec.conf? strongSwan should then install the policies and leave
them installed if the connection goes down. An outgoing packet triggers
a negotiation of an appropriate SA.
It might also be worth having a look at the installpolicy parameter:
---QUOTE---
Patrick Ben Koetter wrote:
* Andreas Steffen andreas.stef...@strongswan.org:
the Debian/Ubuntu package is based on strongSwan 4.2.9 without any
augmentations. The ipsec.secrets include feature has always been in
the man pages because the IKEv1 pluto daemon supported it. We have just
recently
Patrick Ben Koetter wrote:
Jan 31 23:05:50 gw charon: 07[IKE] no private key found for 'C=DE, ST=Bayern,
L=Muenchen, O=State of Mind, OU=VPN, CN=gw.state-of-mind.de,
e...@state-of-mind.de'
This should be at least the current problem, right?
Correct. Please post the output of
ipsec
Hi Ashish,
here are my test results:
You can't use right=1.2.3.4 and right=%any at the same time i.e. you
can't specify an IP address for the remote end and use %any for the ID.
However, DN wildcards appear to work ok. I just spotted a typo in your
original mail:
rightid=C*, ST=*, O=*, OU=*,
the DN of the peer contains all the values (I mean C, ST, O, ...)
If possible, can you please test on your setup, if specifying
rightid=C=*, ST=*, O=*, OU=*, CN=*, E=* like this establishes the
connection.
Thanks in advance!
regards,
Ashish.
On 1/19/10, Daniel Mentz danielml
Hi Ashish,
thank you for the log files. The following lines which I copied from
pluto-host2.log are the most interesting:
conn1 #1: no suitable connection for peer 'C=IN, ST=KAR, O=WIPRO,
OU=NSN, CN=wipro.com, e=...@wipro.com'
conn1 #1: sending encrypted notification INVALID_ID_INFORMATION to
ashish mahalka wrote:
rightid=%any or rightid=C*, ST=*, O=*, OU=*, CN=*, E=*
I get an INVALID_ID_INFORMATION error.
Please provide more information than that. Please send the ipsec.conf
files of both peers. Plus the syslog output.
If one end-point receives an INVALID_ID_INFORMATION error,
Eldar Yusupov wrote:
How should I alter the strongSwan config? It seems to me that I've
specified that my subnet is 192.168.1.0/24 there.
Try
leftsubnet=0.0.0.0/0
I'm using Cisco VPN client at the moment, however I plan to change it later.
In any case I'd like to keep
ashish mahalka wrote:
I might further add here that host1 has only ipv4 support whereas host2
has both ipv4 and ipv6 support. I am not sure whether this information
does matter in the creation of the sockets for charon.
I remember that there was some kind of problem related to ipv4 and ipv6
Peter Daum wrote:
B is a Bintec VPN25 router with a dynamic address published via DynDNS.
A tries to bring the tunnel up. However, A fails since it tries to connect to
the OLD IP address. A ping from A to B shows that name resolution works
perfectly. So A seems to cache the old IP address
vivek bairathi wrote:
Actually my problem is I can't specify the directory. I don't want the
files for cacert to be picked from /etc/ipsec.d/cacerts/. I can only
specify filename as many other files are going to be there in that
directory, so for that I need the entry in ipsec.conf in the
vivek bairathi wrote:
If I have two ca certificates then should I write the name of the file
of cacertificates like the following way:
ca Plane
cacert=/home/vivek/RootCert1.pem,/home/vivek/RootCert2.pem
crluri=/home/vivek/crl.pem
auto=add
You can store both ca
Kalaj wrote:
just want to use Cisco VPN client to connect Strongswan but failed.
Used x509 authentication and enable --cisco-quirks , maybe I made a
wrong certs or wrong conf,
can you guys give me some advice? Thanks.
Please provide more details that enable troubleshooting: log files and
Kalaj wrote:
conn %default
ikelifetime=60m
keylife=20m
keyexchange=ikev2
rekeymargin=3m
keyingtries=1
left=167.22.15.11
leftnexthop=167.22.15.1
leftcert=no2.crt
left...@test
leftsourceip=10.3.0.1
cisco[3] 218.240.6.69:56131 #3: policy does not allow XAUTHInitRSA
authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Not sure if that helps, but have a look at:
http://www.strongswan.org/docs/readme4.htm#section_14.6
Try adding
authby=xauthrsasig
xauth=server
-Daniel
The following log messages is most relevant:
cisco[5] 218.240.6.69:56413 #5: next payload type of ISAKMP Hash
Payload has an unknown value: 197
I can't tell why the Cisco VPN client sends this type of payload. 197 is
vendor specific. Only the strongSwan developers can help in that
situation.
ashish mahalka wrote:
Strongswan runs at the other end. I'm not sure whether the packets were
reaching the other end or not. But one thing is sure, there was no
response from strongswan on the other end.
I'm afraid you have to find out whether the packets make it to the other
end. Are you
Hi Jessie,
I think you have to distinguish between transport mode and tunnel mode.
In tunnel mode, the UDP-encapsulated ESP packet contains a complete IP
packet. The outer IP header as well as the UDP header are simply
discarded in that case. The IP packet which is carried by ESP has its
own
ashish mahalka wrote:
Basically the requirement is like there are two conn sections in ipsec.conf.
One conn uses IKEv1 and the other uses IKEv2.
Is it possible for the host strongswan to have IKEv1 and IKEv2 SA
simultaneously with other strongswan peers ?
Yes, that is indeed possible.
Please
vivek bairathi wrote:
Some doubts regarding CERT mode:-
1. Is it necessary to know the CN of peer before establishing an IKE SA?
Generally speaking, no. It depends on your individual configuration. You
can set up strongSwan in a way that it accepts an arbitrary DN. Wildcard
matching is also
Andreas Steffen wrote:
| right=home.example.com
# bad addr: right=home.example.com [does not look numeric and name
lookup failed]
Well, if no default route exists then the host most probably is also
not able to resolve hostnames via DNS. Did you try if nslookup works
before starting the
Andreas Steffen wrote in his e-mail on dec 24:
...the IKEv2 charon daemon receives the FQDN as a
string via the stroke interface and does name resolution on the fly
shortly before actually negotiating the IPsec tunnel.
This appears not to work for me. The output of starter is as follows:
I tried to setup a strongSwan as a gateway for Windows 7 (MSCHAPv2). But
it did not work. After some time of troubleshooting, it turned out that
I failed to include the following parameters when running ./configure
--enable-eap-mschapv2
--enable-md4
The log file of strongSwan wasn't very
Hi Andreas Schuldei,
Andreas Schuldei wrote:
On Sat, Dec 26, 2009 at 5:11 PM, Daniel Mentz
danielml+mailinglists.strongs...@sent.com wrote:
Hi Andreas Schuldei,
I guess that IKE traffic on port 500 is never protected by ESP because it
has its own protection which is the IKE SA. So don't
Hi Andreas Schuldei,
I guess that IKE traffic on port 500 is never protected by ESP because
it has its own protection which is the IKE SA. So don't worry about IKE
traffic.
Regarding ssh I do understand the problem. What you might want to try
out is a passthrough setup like the one described
Andreas Schuldei wrote:
hi!
now that i have ipsec in place, how do i replace ssh? i would like to
avoid double encryption, in order to not create extra work.
Hi Andreas,
I recommend not to replace ssh even in the presence of IPsec. Accept the
fact that traffic is encrypted and
Hello Andreas Steffen,
this is an interesting topic. I'm wondering whether people should be
advised to add
dpdaction=hold
to their ipsec.conf.
I tried to setup a configuration that is similar to Andreas Schuldei's.
The thing that was special about my setup is that it uses an ADSL dialup
Jean-Michel Pouré wrote:
After compiling and installing strongswan 4.3.5,
ipsec pki does not work:
ipsec pki
/usr/sbin/ipsec: unknown IPsec command `pki' (`ipsec --help' for list)
Hi Jean-Michel,
after compiling strongswan, do you have an executable called pki in
strongswan-4.3.5/src/pki
Jean-Michel Pouré wrote:
Would it be possible for you to publish this page:
http://wiki.strongswan.org/wiki/strongswan/NetworkManager
In the IKEv2 examples:
http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples
Hi Jean-Michel,
I'm not quite sure if I got your question right. Could you
Jean-Michel Pouré wrote:
There is no pki after a successful compilation.
My compilation line was:
cd strongswan-4.3.5
make clean
./configure --disable-pluto --disable-tools --sysconfdir=/etc \
--prefix=/usr --libexecdir=/usr/lib \
--disable-tools disable additional utilities
Dear Jean-Michel,
I'm glad that you take on the challenge and write a guide for beginners.
I guess that a lot of users will be grateful for your documentation.
Maybe you can continue the work of Ralf Spenneberg and update his IPsec
Howto at
http://www.ipsec-howto.org/
What about the note at
Robert Markula wrote:
If the subjectAltName = DNS:cray.home.ro, this would be cray.home.ro,
right?
Yes
And, one final question: if using the subjectAltName or the Subject DN,
what kind of Remote ID type would that be on the client side?
RCF_822_NAME or FQDN?
I guess it's ID_DER_ASN1_DN or
weiping deng wrote:
I initiate ping from HNB (192.168.253.88 --- virtual ip) to GW
(192.168.253.98 --- additional ip), but from tcpdump, I see:
Only the packets that go through the normal tunnel (172.19.2.118 - 172.19.2.247)
are ESP.
And
The packages go through virtual tunnel (192.168.253.88
Hi Graham,
could you please post the output of
ip xfrm policy
Hi Andreas,
I guess that the problem is a different one.
Graham uses two different source IP addresses depending on whether the
traffic is destined for the local subnet or any other host on the Internet.
He uses 192.168.50.154 as
weiping deng wrote:
How can I shutdown the NAT-T feature of IKEv2?
http://wiki.strongswan.org/wiki/strongswan/ConfigSetupSection
says
NAT traversal is always being active in IKEv2.
So I guess the answer is that you can't turn it off.
Please explain your motivation for turning it off. Do you
Hi David,
would you mind sharing the name of the other IKEv2 implementation you
are using. Other users might be able to take advantage of this
information. It's good to know with which implementations strongSwan
interoperates and what the reasons are if interoperation fails.
-Daniel
Hi Graham,
I believe Andreas is correct. I just tried this here with my own setup.
You can't depend on the MASQUERADE target if you want to source nat to
the gateway's virtual IP address. This is what the man page says about
MASQUERADE:
Masquerading is equivalent to specifying a mapping to
Joep Gommers wrote:
10.2.0.0/24 however is not a subnet in which the StrongS/WAN box
resides. It resides behind yet another VPN appliance. So the routing
table on the left side would include something like:
to 10.2.0.0/24 via 10.1.0.254 metric 1
However, StrongS/WAN refuses to create the
Jessie Liu wrote:
But If I add leftsourceip=%config in ipsec.conf, the SCTP packets will not go
through the tunnel, but ping packets will. ...If I remove
leftsrouceip=%config from ipsec.conf, the SCTP packets will flow through the
tunnel. Could you give me some hints what is
Hi Barry,
I can confirm the behavior of the linux kernel. You need to set up a
route to 192.168.2.0/24. It's not going to work otherwise. I understand
that this is confusing. The nexthop determined by the routing table is
irrelevant because an ESP and another IP header will be put in front of
Hi Tica,
Hi strongSwan core developers,
I just tried this kind of set up and it worked for me (although the
setup was a bit tricky).
Could you please provide us with more information regarding your setup.
Please post the following files:
ipsec.conf
Post the output of the following commands
Tica wrote:
Now I need to route all internet traffic through the VPN... the remote
office can only access internet through the main office structure.
Yes. strongSwan provides this functionality. Are you using IKEv1 or IKEv2?
Here's an example for IKEv1 you can take advantage of
Salut Jean-Paul!
A tcpdump on LAN interface Debian box shows the icmp request packets.
A tcpdump on Public interface Debian box shows no icmp request packet.
I have a similar setup here at our site. Regarding tcpdump you should see:
- An outgoing ESP packet. (icmp request encrypted)
- An
Please refer to Andreas' mail which you can find on
https://lists.strongswan.org/pipermail/users/2007-June/001874.html
This e-mail describes a very similar problem. You probably have to add
something like the following to your ipsec.conf:
conn pass
leftsubnet=172.16.0.16/29
Michael Camino wrote:
When I run a tracert from 10.0.3.1 to 10.0.2.1 it appears the traffic is
going out my router interface instead of over the vpn interface.
First of all there's no such thing as a VPN interface. There used to be
one with KLIPS but with Linux 2.6 and the native IPsec stack
Andreas Steffen wrote:
As a workaround I recommend to use IPsec tunnel mode with NAT-T.
Windows XP's L2TP client can be configured to use tunnel mode
instead of the default transport mode.
But what's the virtual IP address of the windows box inside the tunnel
then? The same as its LAN
qhtf126 wrote:
I want to know how to get the mooncert.pem and
Try
openssl req -x509 -days 1460 -newkey rsa:1024 -keyout moonKey.pem -out
mooncert.pem -subj /CN=moon/ -nodes
Check out
http://www.strongswan.org/docs/readme42.htm#section_3
Also familiarize yourself with the basics of Public
Hi Tilak,
I suspect that Andreas meant the log files output by strongswan. The
file you sent seems to be created by some tool called IxANVL -
Automated Network Validation Library (ANVL) which was built to verify
the correct implementation of network protocols.
So you are setting IxANVL at
Arun Raj wrote:
I am trying to bring multiple tunnels using PSK between same peers
Is this option available in strongswan
leftsubnet=192.168.10.0/24
rightsubnet=172.16.10.0/24
I guess you can specify multiple subnets with leftsubnet= and rightsubnet=
Here's a quote from the
Reza ISSANY wrote:
Both of these configurations stopped with a L2TP error on the XP client.
Frankly speaking I don't know why the XP client doesn't like the Quick
Mode response. Did you enable nat-transport with
./configure --enable-nat-transport
when building strongSwan? I heard that this
Hi Bernd,
according to your network diagram you're (probably) using a
192.168.1.0/24 subnet to connect the router with the linux server.
The address of the router is 192.168.1.0 (although I'm not sure if this
is a valid IP address in this subnet) whereas the IP address of the
linux server is
Никоноров Григорий wrote:
Thanks for the advice. As I see, the exponents for swan1, swan2 are identical but
the values of the modules differ! Wtf?
Perhaps I did not properly create certificates
I guess that the public exponent is always 0x10001 because that makes
the verification of signatures more
Tica wrote:
Just replace:
1.1.1.1 = External IP - left
2.2.2.2 = External IP - right
192.168.0.0/24 = Internal IP - left
10.1.1.0/24 = Internal IP - right
left=1.1.1.1
leftid=1.1.1.1
leftsubnet=192.168.0.0/24
leftfirewall=yes
lefthostaccess=yes
Tica wrote:
I changed the watchguard edge configuration. but I'm getting this
message: max number of retransmissions (2) reached STATE_QUICK_I1. No
acceptable response to our first Quick Mode message: perhaps peer likes no
proposal
Can you provide us with the logfiles of the Watchguard Edge?
Tica wrote:
Mar 17 11:26:44 iked get_ipsec_pref: Unable to find channel info for
remote(200.111.111.111)
Hi Tica,
this seems to be the most important message to me: Unable to find
channel info for remote(200.111.111.111)
I did a web search and found an entry in some forum. Somebody was
abhishek kumar wrote:
I can't understand "failed to create a builder for credential type
CRED_CERTIFICATE, subtype (1)" in the syslog.
To me it seems like your PKI has problems. Why are you using C=IN,
O=rvce, CN=ajay as a CA? It should be a user certificate, right?
Maybe strongSwan has
Gbenga wrote:
Here is a good site on how to work OpenSSL:
http://www.madboa.com/geek/openssl/
Well, this site seems to have lots of information about OpenSSL although
it does not describe how to set up a CA. I did a web search and found
the following site
j.witvl...@mindef.nl wrote:
When trying to picture out the differences between tunnels, might this
be a nice scheme (probably highly-simplified)
Your document looks like an interesting way to visualize the protocol
stack. I've got some comments:
There's no BIND protocol. You're talking about
j.witvl...@mindef.nl wrote:
Mar 13 12:48:35 wt8510w pluto[7844]: client1: cannot initiate
connection with ID wildcards
Did you solve this problem already? If not, then try to get rid of ID
wildcards and specify the complete DN in leftid or rightid.
I guess you're missing a comma in /etc/ipsec.conf on wt8510w:
rightid=C=nl, ST=zh, L=mld, O=ivent, OU=ric, CN=vpngateway E=* # id of
gateway
Insert , between CN=vpngateway and E=*. The correct line would be
rightid=C=nl, ST=zh, L=mld, O=ivent, OU=ric, CN=vpngateway, E=* # id
of gateway
The
Richard Whittaker wrote:
have Nortel Contivity Client installed, I was able to figure out this is
Mar 10 16:13:18 enterprise pluto[5202]: packet from 207.189.243.42:500:
af+type of ISAKMP Oakley attribute has an unknown value: 65535
Mar 10 16:13:18 enterprise pluto[5202]: packet from
Please post the syslog entries and ipsec.conf from host sun.
abhishek kumar wrote:
hello..
Thanks for your valuable suggestion. I rectified my problem but still I am not
able to establish a Security Association.
following are the results of ipsec listall at both end.
result of ipsec listall at
Richard Whittaker wrote:
Mar 11 12:35:13 enterprise pluto[31388]: roadwarrior-l2tp-updatedwin[3]
207.189.243.42:1429 #6: NAT-Traversal: Transport mode disabled due to
security concerns
I know little about how to use L2TP/IPsec on Windows but I found the
following piece of source code in
abhishek kumar wrote:
I did the same thing you told me, but in that case it is showing the same
received AUTHENTICATION_FAILED notify error.
Please post the logfiles and config files of the both peers like you did
before. I need to know *why* the authentication failed. You'll find that
information in
...@lists.strongswan.org] On Behalf Of Daniel Mentz
Sent: Tuesday, March 10, 2009 1:52 PM
To: Witvliet, J, CDC/IVENT/OPS/IS/PLS/SMP/HRM/RP1
Cc: h...@a-domani.nl; users@lists.strongswan.org
Subject: Re: [strongSwan] Still no suitable connection,was: Start
getting stronger...
Hi Hans,
did you specify
Richard Whittaker wrote:
ad...@host:/var/sslca# openssl pkcs12 -export -in rw.pem -inkey rw.key
-certfile demoCA/cacert.pem -out rw.p12
unable to load private key
Is rw.key in PEM format? Take a look inside rw.key. It should be a text
file and look something like
-BEGIN RSA PRIVATE
Adam French wrote:
Does anyone have any success getting a LAN-to-LAN tunnel up and working
with Juniper? The requirement has StrongSwan as the initiator and
Juniper as the Responder. I can get it to work with PSK authentication
and only when the initiator has a static IP. However, I have had
I discovered that the Astaro Security Gateway V7 which uses strongSwan
behind the scene sets
nocrsend=yes
which implies that the Astaro Gateway never sends a certificate request
even if it needs to obtain a certificate from the other end. This breaks
interoperability and forces me to set
Walid Aweiwi wrote:
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,
could you please provide us with the output of the command
ip route list
It should contain something like
192.168.25.0/24 dev ppp0 scope link src 192.168.100.100
The outlook will look differently on