only for key storage in strongswan? If yes, which version of
strongswan is the oldest that can be used for this?
Best regards,
John
2017-07-18 12:46 GMT+02:00 John Brown <jb20141...@gmail.com>:
> Hi Tobias,
> Thank you for your answer. I'm on the first stage of learning TPM but a
ave to use iptables marking then too.
>
> John Brown wrote
>
>
> Thank you very much for the advice. It looks interesting but also adds
> significant complexity to the solution. Did you find route based VPN
> working for rightsubnet overlap scenario?
>
> I'm going
understand the solution you've
proposed I can add priorities to the tunnels by adding a metrics to routes
(and prefer conn1 over conn2). Am I correct?
Best regards,
John
2017-08-24 11:34 GMT+02:00 Vincent Bernat <ber...@luffy.cx>:
> ❦ 24 August 2017 11:27 +0200, John Brown <jb20141.
Hello all,
I'm searching the net but cannot find a reliable answer for the problem:
Is this possible in strongswan to have two connections with the same
rightsubnet entry and prefer one connection over another?
For example:
...
conn1
...
rightsubnet=10.10.0.0/16
conn2
...
Hello all,
I know this is a security issue but because of some other factors in one
particular case during setup we consider disabling root ca checking in
strongswan during tunnel establishment process. In other words: strongswan
is an IKEv2 initiator. We would like to have tunnel established
valid signatures.
>
> I doubt that. What did you do to fix it?
>
> On 16.02.2017 09:25, John Brown wrote:
> > Hi Tobias,
> > Sorry for the delay, I didn't notice your message.
> >
> > In the meantime my experiments have shown that the problem was not
> associated with
Hi Tobias,
Sorry for the delay, I didn't notice your message.
In the meantime my experiments have shown that the problem was not
associated with certificates at all. This message about bad signature was a
result of missing some strongswan basic plugins (so it was an unexpected
strongswan installation
Hi all,
We have problems with certificate authentication and see "RSA signature
verification failed: Bad signature" during strongswan connection try. We
would like to retrieve all remote certificate chain to "manually" check
this issue. Is this possible using strongswan (for example by enabling
,
John
2016-11-25 14:46 GMT+01:00 John Brown <jb20141...@gmail.com>:
> Hi Tobias,
> I didn't notice this warning but I'm going to test not only this scenario
> but also others, hoping that with your hints, I'll manage to set this up.
> Thank you for your help!
>
> Regards,
any log or info accessible informing that rightca is checked
during authentication process?
Regards,
John
2016-11-23 19:50 GMT+01:00 Andreas Steffen <andreas.stef...@strongswan.org>:
> Hi John,
>
> could you send me a log file showing that a CA different from the CA
> requested
Hello all,
I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
rightca option in ipsec.conf file but without success.
As far as I understand the documentation, if rightca contains DN of a
certificate authority which lies in the trust path from the end device cert
to rootca,
2016-11-21 11:10 GMT+01:00 John Brown <jb20141...@gmail.com>:
>
>
> 2016-11-21 11:03 GMT+01:00 Tobias Brunner <tob...@strongswan.org>:
>
>> Hi John,
>>
>> > ip address add dev lo 10.2.3.4/32
>> > ...
>> > Nov 17 10:56:43 127 d
2016-11-21 11:03 GMT+01:00 Tobias Brunner :
> Hi John,
>
> > ip address add dev lo 10.2.3.4/32
> > ...
> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found
> in traffic selector 10.2.3.4/32
> > ...
> > I'm using: Linux strongSwan U4.5.2/K3.4.113
>
>
Hello all,
Is this possible to set leftsubnet=10.2.3.4/32 and install this address on
loopback interface?
When I try to do this by:
ip address add dev lo 10.2.3.4/32
and have leftsubnet=10.2.3.4/32 in connection configuration, I receive
below logs:
Nov 17 10:56:43 127 daemon.info charon:
Hello all,
I have some problems with keeping my roadwarrior to keep trying to connect
to vpn gateway forever. It works when vpn gateway is lost or when
connection was fully established and was then lost.
But I have problem with situation like that: vpn gateway has some bad
config and because of
d save. So using pfs does not mean
automatically that your data are safe.
Regards,
John
2016-03-04 9:18 GMT+01:00 Harald Dunkel <harald.dun...@aixigo.de>:
> Hi John,
>
> On 03/01/2016 12:55 PM, John Brown wrote:
> > Hi,
> >
> > I can give you two links with some sma
Hi,
Did you try to remove "include strongswan.d/charon/*.conf" line for
testing? If swan stops complaining in that scenario then you can add
the line again and remove some/all *conf files from include directory to
test. Then add some, etc.
2016-03-03 15:45 GMT+01:00 Nicolas Göddel
Hello all,
I'm using ocsp for certificate checks and this works ok. But I have
explicitly specified cacert parameter in ca section of ipsec.conf. CA chain
may look like this: (devcert)<-subca1<-subca2<...<-rootca. All of them are
installed in /etc/ipsec.d/cacerts (with exception of devcert of
Hi,
I can give you two links with a small amount of information about your
question:
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
and
Hi all,
I am facing some problems with strongswan 4.5.2 or 5.2.1 (currently tested)
on debian wheezy (armel). One of these problems is having multiple CHILD_SA
created under Security Association
For example, fragment of the output from "ipsec statusall" taken from
remote device looks like this: