Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread John Brown
only for key storage in strongswan? If yes, which version of strongswan is the oldest that can be used for this? Best regards, John 2017-07-18 12:46 GMT+02:00 John Brown <jb20141...@gmail.com>: > Hi Tobias, > Thank you for your answer. I'm on the first stage of learning TPM but a

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread John Brown
ave to use iptables marking then too. > > John Brown skrev > > > Thank you very much for an advice. It looks interesting but also adds > significant complexity to the solution. Did you find route based VPN > working for rightsubnet overlap scenario? > > I'm going

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread John Brown
understand the solution you've proposed I can add priorities to the tunnels by adding a metrics to routes (and prefer conn1 over conn2). Am I correct? Best regards, John 2017-08-24 11:34 GMT+02:00 Vincent Bernat <ber...@luffy.cx>: > ❦ 24 août 2017 11:27 +0200, John Brown <jb20141.

[strongSwan] rightsubnet overlap

2017-08-24 Thread John Brown
Hello all, I'm searching the net but cannot find a reliable answer to this problem: Is it possible in strongswan to have two connections with the same rightsubnet entry and prefer one connection over another? For example: ... conn1 ... rightsubnet=10.10.0.0/16 conn2 ...
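The route-based approach suggested in this thread (two tunnels to the same prefix, preference decided by route metrics rather than by overlapping IPsec policies), as an added example that is not from the list thread or the strongSwan project. Addresses, marks, VTI names and metrics are assumed values; the script only renders the configuration and commands so it can be reviewed before anything is applied on a gateway.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the strongSwan project.
# Two IKEv2 connections reach the same rightsubnet (10.10.0.0/16). Instead of
# installing two conflicting policies for that prefix, both conns use
# 0.0.0.0/0 selectors plus a distinct mark, each mark is bound to a VTI
# interface, and an ordinary route metric picks the preferred tunnel.
# All addresses below are assumed documentation ranges, not real peers.

LEFT=192.0.2.1          # assumed local gateway address
PEER1=198.51.100.1      # assumed remote gateway for conn1 (preferred)
PEER2=203.0.113.1       # assumed remote gateway for conn2 (backup)
SUBNET=10.10.0.0/16

# ipsec.conf: wide selectors so neither policy "owns" 10.10.0.0/16; the
# mark of each conn must equal the key of its VTI interface below.
render_ipsec_conf() {
    cat <<EOF
config setup

conn %default
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=start

conn conn1
    left=$LEFT
    right=$PEER1
    mark=1

conn conn2
    left=$LEFT
    right=$PEER2
    mark=2
EOF
}

# strongswan.conf: stop charon from installing its own 0.0.0.0/0 routes in
# table 220 for the wide selectors; the routes are managed by us instead.
render_strongswan_conf() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# VTI setup plus the two routes. The tunnel 'key' marks packets entering the
# interface, so no iptables MARK rule is needed; the lower metric makes
# vti1 (conn1) the preferred path for $SUBNET while vti2 stays as backup.
render_routes() {
    cat <<EOF
ip tunnel add vti1 local $LEFT remote $PEER1 mode vti key 1
ip tunnel add vti2 local $LEFT remote $PEER2 mode vti key 2
sysctl -w net.ipv4.conf.vti1.disable_policy=1
sysctl -w net.ipv4.conf.vti2.disable_policy=1
ip link set vti1 up
ip link set vti2 up
ip route add $SUBNET dev vti1 metric 100
ip route add $SUBNET dev vti2 metric 200
EOF
}

# Constructed sample of what 'ip route show 10.10.0.0/16' would print after
# the commands above were applied (not captured from a real host).
SAMPLE_ROUTES='10.10.0.0/16 dev vti1 scope link metric 100
10.10.0.0/16 dev vti2 scope link metric 200'

# Given 'ip route' lines on stdin, print the device of the lowest-metric
# route for the prefix in $1: that is the tunnel the kernel will use.
preferred_dev() {
    awk -v net="$1" '$1 == net && $2 == "dev" {
        m = 0
        for (i = 4; i < NF; i++) if ($i == "metric") m = $(i + 1)
        if (best == "" || m + 0 < best + 0) { best = m; dev = $3 }
    } END { print dev }'
}
```

Running `render_ipsec_conf`, `render_strongswan_conf` and `render_routes` gives the three pieces to install; `printf '%s\n' "$SAMPLE_ROUTES" | preferred_dev 10.10.0.0/16` shows which tunnel wins. One caveat worth keeping in mind: a VTI interface stays administratively up whether or not its IKE and CHILD SAs exist, so the metric expresses preference but does not by itself fail traffic over to conn2 when conn1 is down; that needs dead peer detection and some route or link monitoring on top.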

[strongSwan] Accepting cert of unknown source

2017-07-28 Thread John Brown
Hello all, I know this is a security issue but because of some other factors in one particular case during setup we consider disabling root CA checking in strongswan during the tunnel establishment process. In other words: strongswan is an IKEv2 initiator. We would like to have the tunnel established

Re: [strongSwan] How to retrieve remote certificates

2017-04-21 Thread John Brown
valid signatures. > > I doubt that. What did you do to fix it? > > On 16.02.2017 09:25, John Brown wrote: > > Hi Tobias, > > Sorry for the delay, I didn't notice your message. > > > > In the meantime my experiments have shown that the problem was not > associated with

Re: [strongSwan] How to retrieve remote certificates

2017-02-16 Thread John Brown
Hi Tobias, Sorry for the delay, I didn't notice your message. In the meantime my experiments have shown that the problem was not associated with certificates at all. This message about a bad signature was a result of missing some strongswan basic plugins (so it was an unexpected strongswan installation

[strongSwan] How to retrieve remote certificates

2017-01-22 Thread John Brown
Hi all, We have problems with certificate authentication and see "RSA signature verification failed: Bad signature" during a strongswan connection attempt. We would like to retrieve the whole remote certificate chain to "manually" check this issue. Is this possible using strongswan (for example by enabling

Re: [strongSwan] how to use 'rightca' connection option?

2016-11-29 Thread John Brown
, John 2016-11-25 14:46 GMT+01:00 John Brown <jb20141...@gmail.com>: > Hi Tobias, > I didn't notice this warning but I'm going to test not only this scenario > but also others, hoping that with your hints, I'll manage to set this up. > Thank you for your help! > > Regards,

Re: [strongSwan] how to use 'rightca' connection option?

2016-11-24 Thread John Brown
any log or info accessible informing that rightca is checked during authentication process? Regards, John 2016-11-23 19:50 GMT+01:00 Andreas Steffen <andreas.stef...@strongswan.org>: > Hi John, > > could you send me a log file showing that a CA different from the CA > requested

[strongSwan] how to use 'rightca' connection option?

2016-11-23 Thread John Brown
Hello all, I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement the rightca option in the ipsec.conf file but without success. As far as I understand the documentation, if rightca contains the DN of a certificate authority which lies in the trust path from the end device cert to the rootca,

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread John Brown
2016-11-21 11:10 GMT+01:00 John Brown <jb20141...@gmail.com>: > > > 2016-11-21 11:03 GMT+01:00 Tobias Brunner <tob...@strongswan.org>: > >> Hi John, >> >> > ip address add dev lo 10.2.3.4/32 >> > ... >> > Nov 17 10:56:43 127 d

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread John Brown
2016-11-21 11:03 GMT+01:00 Tobias Brunner : > Hi John, > > > ip address add dev lo 10.2.3.4/32 > > ... > > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found > in traffic selector 10.2.3.4/32 > > ... > > I'm using: Linux strongSwan U4.5.2/K3.4.113 > >

[strongSwan] leftsubnet and loopback problem

2016-11-17 Thread John Brown
Hello all, Is it possible to set leftsubnet=10.2.3.4/32 and install this address on the loopback interface? When I try to do this by: ip address add dev lo 10.2.3.4/32 and have leftsubnet=10.2.3.4/32 in the connection configuration, I receive the logs below: Nov 17 10:56:43 127 daemon.info charon:

[strongSwan] How to keep trying to connect even after NO_PROPOSAL_CHOSEN received?

2016-03-19 Thread John Brown
Hello all, I have some problems with keeping my roadwarrior trying to connect to the vpn gateway forever. It works when the vpn gateway is lost or when the connection was fully established and was then lost. But I have a problem with a situation like this: the vpn gateway has some bad config and because of

Re: [strongSwan] seeking advice: pfs on creating a child_sa?

2016-03-08 Thread John Brown
d save. So using pfs does not automatically mean that your data are safe. Regards, John 2016-03-04 9:18 GMT+01:00 Harald Dunkel <harald.dun...@aixigo.de>: > Hi John, > > On 03/01/2016 12:55 PM, John Brown wrote: > > Hi, > > > > I can give you two links with some sma

Re: [strongSwan] syntax error, unexpected $end, expecting NAME or NEWLINE or '}' [`]

2016-03-03 Thread John Brown
Hi, Did you try to remove the "include strongswan.d/charon/*.conf" line for testing? If swan stops complaining in that scenario then you can add the line again and remove some/all *.conf files from the include directory to test. Then add some back, etc. 2016-03-03 15:45 GMT+01:00 Nicolas Göddel

[strongSwan] OCSP & CA question

2016-03-02 Thread John Brown
Hello all, I'm using ocsp for certificate checks and this works ok. But I have explicitly specified the cacert parameter in the ca section of ipsec.conf. The CA chain may look like this: (devcert)<-subca1<-subca2<...<-rootca. All of them are installed in /etc/ipsec.d/cacerts (with the exception of devcert of

Re: [strongSwan] seeking advice: pfs on creating a child_sa?

2016-03-01 Thread John Brown
Hi, I can give you two links with a small amount of information about your question: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html and

[strongSwan] Multiple CHILD_SA problem

2016-02-26 Thread John Brown
Hi all, I am facing some problems with strongswan 4.5.2 or 5.2.1 (currently tested) on debian wheezy (armel). One of these problems is having multiple CHILD_SAs created under a Security Association. For example, a fragment of the output from "ipsec statusall" taken from the remote device looks like this: