Re: [strongSwan] strongswan with ocf or hardware accelerator

2010-06-03 Thread Dimitrios Siganos
support hardware acceleration? Yes, linux ESP uses the linux kernel crypto api, which can support hardware acceleration. Look at the talitos driver in the linux kernel for an example. Beware that the linux crypto api is actively developed as we speak and is constantly changing. Dimitrios Sig

Re: [strongSwan] encryption of packets failing

2010-04-14 Thread Dimitrios Siganos
NAGARAJAN, ANIL (ANIL) wrote: > > Hi All, > > > > I am trying to establish SA for site-to-site with ikev2. I am using > strongswan4.3.5. > > I have added connection and brought up the connection using stroke > message framework. > > SA gets established. > > > > However when I try to send pack

Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread Dimitrios Siganos
François Pérou wrote: > On Fri, 2010-04-09 at 11:35 +0100, Dimitrios Siganos wrote: > >> It sounds right. But obviously that depends on default directory >> settings and ipsec.conf configuration. You can also use absolute >> pathnames. I do that sometimes to si

Re: [strongSwan] charon IKEv2 usb smartcard dongle integration

2010-04-09 Thread Dimitrios Siganos
These are comments I received about the topic on a different thread. François Pérou wrote: > On Fri, 2010-04-09 at 00:51 +0100, Dimitrios Siganos wrote: > >> "charon IKEv2 usb smartcard dongle integration" >> <http://www.mail-archive.com/users@lis

Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread Dimitrios Siganos
ecause our questions, although related, are not on the same topic. Regards, Dimitrios Siganos ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-08 Thread Dimitrios Siganos
ive.com/users@lists.strongswan.org/msg01798.html> Dimitrios Siganos François Pérou wrote: > Dear friends, > > I am writing a tutorial on smartcards for strongSwan: > http://www.gooze.eu/howto/using-strongswan-with-smart-cards > > I cannot configure roadwarrior Carol with smartcards:

[strongSwan] charon IKEv2 usb smartcard dongle integration

2010-04-08 Thread Dimitrios Siganos
to pay for this. Obviously a ready made solution would be ideal but if we will have to develop it ourselves. Regards, Dimitrios Siganos

Re: [strongSwan] bare minimum required kernel modules/version

2010-03-18 Thread Dimitrios Siganos
No, the IPv6 related modules are not necessary but you have to have linux-2.6.29 or above. Look at this thread for more details and workaround for earlier kernels: I am using 2.6.28 and I worked around the problem by applying

Re: [strongSwan] Ikev2 on initiator side and ikev1 on responder side

2010-03-11 Thread Dimitrios Siganos
ashish mahalka wrote: > In the ipsec.conf file for Initiator, keyexchange is specified as > ikev2 whereas for the Responder it is specified as ikev1. But still I > am able to establish an ikev2 association between the two peers. > The keyexchange setting has no effect on the responder. keyexchang

Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-05 Thread Dimitrios Siganos
Sucha Singh wrote: > Hi Andreas, > > Reviewing the above settings I added the following line to the ipsec.conf: > > ike=3des-sha1-md5-modp1024 > > I then get the following errors: > > 002 "test" #1: initiating Main Mode > 003 "test" #1: no IKE algorithms for this connection (check ike algorithm >

Re: [strongSwan] installing DNS server %any to /etc/resolv.conf

2009-12-01 Thread Dimitrios Siganos
pened then 'in' is leaked. Regards, Dimitrios Siganos Martin Willi wrote: > Hi, > > >> I am assuming it is a mis-configuration or bug. >> > > Maybe both. It seems that your client requests a DNS server, but your > server returns an empty or a 0.0.0.0 addres

Re: [strongSwan] installing DNS server %any to /etc/resolv.conf

2009-12-01 Thread Dimitrios Siganos
I should add that we are not trying to use DNS. As far as we can see, we are not setting any DNS settings, in ipsec.conf or strongswan.conf, in neither the gateway nor the client. Dimitrios Siganos wrote: > Hi, > > I am getting this strange log when I setup a strongswan tunnel > in

[strongSwan] installing DNS server %any to /etc/resolv.conf

2009-12-01 Thread Dimitrios Siganos
bug. The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28 Regards, Dimitrios Siganos

Re: [strongSwan] Access to local subnet when tunnel up

2009-11-15 Thread Dimitrios Siganos
I can think of another option that might make the whole setup cleaner. Introduce another route table (e.g. 219), which has priority over the table 220, and has the route for the local network. To set that up you need to look at the "ip rule" commands. This way, no matter what charon/pluto do, t

[strongSwan] charon: how to determine minimum number of threads

2009-11-03 Thread Dimitrios Siganos
Is a single threaded mode possible, realistically, or would it require complete re-engineering of charon? Regards, Dimitrios Siganos

Re: [strongSwan] ip xfrm state / ip xfrm policy

2009-09-29 Thread Dimitrios Siganos
Busybox doesn't have iproute2. They have a simple utility that "looks and feels" like iproute2 and it doesn't have support for xfrm and many other features of iproute2. You'll need to download the proper iproute2 package. Dimitrios Siganos Jessie Liu wrote: > H

[strongSwan] esp=null-sha1-modp1024,null-null

2009-09-15 Thread Dimitrios Siganos
Hi, Is the following esp line, valid configuration? conn west-east esp=null-sha1-modp1024,null-null Does it mean: add null-sha1-modp1024 and null-null to the default list of proposals to be negotiated? How do I know what the default proposal list is? Regards, Dimitrios Siganos

Re: [strongSwan] ARM and I386 ?

2009-09-14 Thread Dimitrios Siganos
received critical signal Regards, Dimitris Dimitrios Siganos wrote: > I also have a problem on the arm platform. I am cross compiling from > Linux/Intel to arm platform. > The latest release that works for me is 4.3.3. I don't know if have the > same problem. I am investigating right

Re: [strongSwan] ARM and I386 ?

2009-09-14 Thread Dimitrios Siganos
I also have a problem on the arm platform. I am cross compiling from Linux/Intel to arm platform. The latest release that works for me is 4.3.3. I don't know if have the same problem. I am investigating right now. Dimitrios Siganos Nguyễn Hoàng Anh wrote: > Hi Andreas and all

Re: [strongSwan] esalg: No test for authenc(hmac(sha1), cbc(aes)) (authenc(hmac(sha1-generic), cbc(aes-generic)))

2009-09-11 Thread Dimitrios Siganos
I have found out that the message is coming from the linux kernel and not from charon as I thought. It comes from the function: int alg_test(const char *driver, const char *alg, u32 type, u32 mask) I still don't know if it is something to worry about though. Regards, Dimitrios Siganos Dimi

Re: [strongSwan] one question about the Subjectid and SubjectAltName of two peers

2009-09-11 Thread Dimitrios Siganos
I am not an expert at these things, but as I understand it, the protocols EAP-SIM and EAP-AKA do not use X.509 certificates for authentication. Hence, what you are doing doesn't make much sense for these protocols. Dimitrios Siganos weiping deng wrote: > Hi Both, > > I hav

[strongSwan] esalg: No test for authenc(hmac(sha1), cbc(aes)) (authenc(hmac(sha1-generic), cbc(aes-generic)))

2009-09-11 Thread Dimitrios Siganos
ful scheduling reauthentication in 3351s maximum IKE_SA lifetime 3531s IKE_SA test[1] established between 10.224.2.101[C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=east]...10.224.2.100[C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west] Regards, Dimitrios Si

Re: [strongSwan] IPSEC_CONFDIR does not work?

2009-09-10 Thread Dimitrios Siganos
d depend on the behaviour of all the other scripts/binaries, which I don't know. Dimitrios Siganos Zhang, Long (Roger) wrote: > Hi, > > I want to put all configuration file under my directory. Then I exported > IPSEC_CONFDIR, but seems the IPSEC_CONFDIR does not work. Not sure

Re: [strongSwan] a particular ``no trusted third party'' setup with X.509

2009-09-09 Thread Dimitrios Siganos
Oops. I fell into the trap of thinking small scale. If you are talking about large scale installations then your way is probably recommended. Dimitrios Siganos Dimitrios Siganos wrote: > Ivan Shmakov wrote: > >> Consider, e. g., two sites which are going to esta

Re: [strongSwan] a particular ``no trusted third party'' setup with X.509

2009-09-09 Thread Dimitrios Siganos
ny known deficiencies? > Self-signed certificates would apply to other protocols that use certificate based authentication. Straight rsa keys and shared passwords, wouldn't. Regards, Dimitrios Siganos

Re: [strongSwan] IPv4 only and minimal kernel modules

2009-09-02 Thread Dimitrios Siganos
apply the disable-iaf-tunnels patch to charon, (this patch will break v6/v4 mixed operation) Can you confirm that this is correct and complete? I plan to stick with 2.6.28 because changing kernel would require a lot of discussions and testing. Regards, Dimitrios Siganos _

[strongSwan] IPv4 only and minimal kernel modules

2009-09-01 Thread Dimitrios Siganos
" match support Cryptographic API Select algorithms you want to use... If we only want IPv4 support, can this required kernel modules list be shortened? It seems that if I remove all of the IPv6 modules the IPsec doesn't work so there is some dependency. Can you tell what it is? Re

Re: [strongSwan] Problem signing the certificate by CA

2009-08-19 Thread Dimitrios Siganos
g it is wrong. I am guessing that you need to set dir like this (absolute path): dir = /etc/ssl You had it set as : ./etc/dir, which is relative to the current working directory (probably not what you intended). Regards, Dimitrios Siganos Sushil Chaudhari wrote: > Hi Everyone, >

Re: [strongSwan] BUG: DN with email

2009-08-18 Thread Dimitrios Siganos
Yes, it does fix it. Thank you. I noticed that you committed some more changes related to email OIDs. Are they important? Should I get those too? I am referring to <http://wiki.strongswan.org/repositories/revision/strongswan/fc0ed07c1f44d56ac9a5353c23e4cd79ee2594dd>. Regards, Dimitrios S

[strongSwan] bashism in ipsec script

2009-08-18 Thread Dimitrios Siganos
The ipsec script has the following bashism (line 324 of ipsec script, git commit 333b461aa689c29197dadb2a15abc3ccade0c89a): loop=$(($loop - 1)) This doesn't work on my embedded board running busybox msh. I suggest changing the line above, to: loop=`expr $loop - 1` to make it more portable. R

[strongSwan] BUG: DN with email

2009-08-18 Thread Dimitrios Siganos
ds-ubuntu-disk charon: 04[CFG] added configuration 'host2' # Note the line: Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] peerid C=UK, CN=host2, emailaddress=ho...@somewhere.com not confirmed by certificate, defaulting to subject DN: C=UK, CN=host2, e=ho...@so