Hi,
> Fixed below codesonar warning.
> isprint() is invoked here with an argument of signed type char, but
> only has defined behavior for int arguments that are either
> representable as unsigned char or equal to the value of macro EOF (-1).
>
> To avoid this unexpected behaviour, typecasted c
Hi,
> If I have "leftsubnet=172.30.0.0/16,0.0.0.0/0", the server leaks
> memory - available memory decreases steadily until all memory+swap
> are consumed and the server needs to be rebooted. No processes are
> using this memory - the sum of all shared + RSS is much lower than
> what htop reports
Hi Ben,
> First, maybe autogen could detect this missing gperf right at the
> beginning and tell the user?
./autogen.sh is just a wrapper for autogen -i these days, so it won't
help users calling that directly.
Doing such a check in ./configure is no option, as gperf is not
required for an ordin
> Where is configure shell in the git?
As with most autotools based packages, ./configure is generated and
therefore not part of git. When building from git sources, you'll have
to generate it using autoreconf.
Alternatively, use the distribution tarballs from [1], which include
the generated f
Hi Anthony,
> [...] and he did mention the possibility for using DAVICI.
> The problem at the time was
> Andreas lost the support person for this module. So we decided not to
> take the risk.
I don't think there is much of an issue here. I definitely will
Hi Peter
> So, am I correct to assume that you guys usually evaluate the output
> of `ipsec statusall`
Preferably I'd do that over vici [1], as it provides a much better
interface for various languages to query tunnel status or re-initiate
tunnels.
> Do you simply send pings to remote systems "b
Hi,
> are there any reliable performance figures for IPsec throughput on
> x86_64 Linux machines?
Nothing I could reference here.
> Is 10 GBit/s feasable? If yes, how?
On commodity hardware, maybe, but only if/when:
* using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
* your NIC
Hi,
> How exactly do these kinds of multipath routes compare to
> multiple routes with different priorities/metrics? In your case you
> have multiple paths with the same weight, how is the actual
> nexthop/interface chosen by the kernel?
The nexthop of a multipath route is selected random
Hi,
> > The following is my Strongswan servers routing table (default
> > routes).
> > nexthop via 90.225.x.x dev vlan845 weight 1
> > nexthop via 10.248.x.x dev ppp1 weight 256
> > nexthop via 85.24.x.x dev vlan847 weight 1
> > nexthop via 46.195.x.x dev ppp0 w
(one of which is quite old - running a dual core netburst
P4 @2.8, the other two are VMs on decent hardware, all of which have no
load) are hitting walls at 300mb/s
On a Netburst architecture you can't expect more; it does not have any
acceleration for AES-GCM.
but can hit 980mb/s unencrypted
Hi,
> I believe the only real way to do this is via a kernel module using
> the CryptoAPI. It then has to be registered with the OS and
> strongSwan and can then be used by specifying esp=
Yes, that is correct. For an example you may take a look at the
patchset that implements the ChaCha20Pol
Hi,
> There is no appreciable load on any of the systems
> during throughput testing.
Please note that IPsec is usually processed in soft IRQ, so have a look
at the "si" field in top. If you are CPU bound, "perf" is very powerful
in analyzing the bottleneck on productive systems. If you are not
Hi John,
> The IKEv1 connections use pubkey & xauth-pam authentication:
> Is there a migration path for IKEv2 connections that makes sense? I see
> there is an eap-gtc module that supports pam but it's not clear in the
> documentation how to configure this to use a specific pam_service.
EAP is
Hi Peter,
> If the hash is on SOURCE IP then won’t it potentially hash to a
> different segment depending on the direction of the message?
Yes. The current code does not enforce a return path over the same
segment, so a connection might return over the other node. You'll have
to consider that if
Hi,
> From behind NAT only one client is able to connect at a time. If one remote
> access VPN is up, the second VPN connection fails to connect.
The Windows L2TP/IPsec client uses transport mode to secure L2TP. A
gateway can't distinguish two clients behind the same NAT without some
tricks, as they
Hi,
> I would like to know if there exist any two-factor combination where
> one of them is RADIUS, either IKEv1 or IKEv2, which works with Windows
> (Win7 and above) native VPN client.
AFAIK Windows does not support RFC4739. In IKEv1 there is a proprietary
extension called AuthIP in Windows, but
Hi,
> [...] when the cisco initiates a connection with both the
> transforms, the RSA-SIG being first in the list, strongswan replies back
> with a proposal that contains RSA-SIG, because it is the first in the list,
> even though the connection is defined as PSK.
> Is this a bug and is there a
Hi,
> Is there any way that I could use user/password inside eap-ttls tunnel?
> windows clients are able to initiate IKE tunnel with eap-ttls and
> user+password as their authentication protocol and I'm trying to use
> Strongswan as my server side.
strongSwan EAP-TTLS currently does not support
> Can you please share the ipsec configuration files that you used on x86
> architecture, so that we can check if we are missing any generic or
> architecture specific dependencies.
Our test suite features a regression test for the forecast plugin, see
[1].
Regards
Martin
[1]https://www.strongs
Hi,
> OpenWrt daemon.info charon: 15[CFG] forecast iptables commit failed: Invalid
> argument
Please check that your kernel supports the MARK target and the udp/esp
matches.
What architecture is OpenWRT running on? Not unlikely that it is an
alignment issue, I didn't test the plugin beyond x86/
> Even at these rates, the CPU did not appear to be very busy. We had one at
> 85%
> occupied but that was the one running nuttcp.
On the outgoing path, the Linux kernel usually accounts ESP encryption
under the process that sends traffic using a socket send() call. So
these 85% probably includ
Hi,
> I can see the multiple kworker threads spread across all 12 cores in
> these fairly high powered systems but I am still dropping packets and
> performance is not much improved.
If all your cores are processing traffic, then pcrypt probably works as
it should.
What does "fairly high powered
> why it wasn't sending identity before but does send it now?
The client now offers EAP authentication by omitting the AUTH payload in
the first IKE_AUTH exchange. This allows the server to trigger the
EAP-Identity exchange, followed by EAP-MSCHAPv2.
> and why does authentication fail?
The cli
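As an added illustration of the point above (this is example code, not code from the thread or from the strongSwan project): a small parser for charon's `[ENC]` payload-list log lines that flags whether the initiator asked for EAP by omitting the AUTH payload from its first IKE_AUTH request, and lists the EAP methods the responder then requested. The log lines are constructed samples in charon's format; lines that a mail client has wrapped (as in several quoted logs on this page) have to be rejoined before parsing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One charon "[ENC]" line: thread id, parsed/generating, exchange type,
# request/response, message id, and the payload list in square brackets.
LINE_RE = re.compile(
    r"^(?P<thread>\d+)\[ENC\] (?P<direction>parsed|generating) "
    r"(?P<exchange>[A-Z_]+) (?P<kind>request|response) (?P<mid>\d+) "
    r"\[ (?P<payloads>.*?) \]$"
)
# Payload tokens such as IDi, AUTH, EAP/REQ/ID, N(NATD_S_IP) or CPRQ(ADDR DNS);
# the parenthesised detail may contain spaces, so it is matched as one unit.
PAYLOAD_RE = re.compile(r"[A-Za-z0-9_/]+(?:\([^)]*\))?")

# Constructed sample logs (not taken from the thread), in charon's format.
EAP_LOG = """\
05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr ]
06[IKE] initiating EAP_IDENTITY method (id 0x00)
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
"""
PUBKEY_LOG = """\
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
"""


@dataclass
class Exchange:
    thread: int
    direction: str   # "parsed" (received) or "generating" (sent)
    exchange: str    # IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL
    kind: str        # "request" or "response"
    mid: int
    payloads: List[str]

    def has(self, ptype: str) -> bool:
        # Compare on the bare payload type; N(AUTH_LFT) must not count as AUTH.
        return any(p.split("(")[0] == ptype for p in self.payloads)


def parse_log(text: str) -> List[Exchange]:
    """Extract every [ENC] exchange line; other log lines carry no payload list."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Exchange(int(m["thread"]), m["direction"], m["exchange"],
                            m["kind"], int(m["mid"]),
                            PAYLOAD_RE.findall(m["payloads"])))
    return out


def uses_eap(exchanges: List[Exchange]) -> Optional[bool]:
    """True if the initiator requested EAP: its first IKE_AUTH request carries
    no AUTH payload (RFC 7296, section 2.16). None if no IKE_AUTH was seen."""
    for ex in exchanges:
        if ex.exchange == "IKE_AUTH" and ex.kind == "request":
            return not ex.has("AUTH")
    return None


def eap_methods(exchanges: List[Exchange]) -> List[str]:
    """EAP methods the responder asked for, in order (EAP/REQ/<method>)."""
    return [p[len("EAP/REQ/"):] for ex in exchanges
            for p in ex.payloads if p.startswith("EAP/REQ/")]


if __name__ == "__main__":
    exs = parse_log(EAP_LOG)
    print("EAP requested:", uses_eap(exs), "methods:", eap_methods(exs))
```

The same AUTH-presence rule distinguishes the two IKE_AUTH variants on the responder side: once the server sends an `EAP/REQ/...` payload the client is committed to EAP, and the final `AUTH` payloads of both sides only follow after the method has completed.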
Hi,
> What I don't understand is why it is failing on EAP identity when I clearly
> defined 'eap_identity=%any'
> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> parsed IKE_AUTH requ
Hi Holger,
> server requested EAP_AKA authentication (id 0x00)
> EAP method not supported, sending EAP_NAK
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem open
> ssl xcbc cmac hmac ctr ccm gcm attr kernel-ne
Gerd,
> you are probably aware of the recent Weak DH / Logjam attack on
> Diffie-Hellman,
> see: https://weakdh.org/
Yes. Our TLS stack as server uses at least MODP2048, so is not directly
affected. I've queued a fix to reject groups smaller than 1024 bits as client,
subject for the next release, see
> As per the implementation, an SPD entry would contain the destination
> IP as selector field and uses the same as a key to search the SPD
> table.
I don't think this will work; the remote selector does not have to be
unique per CHILD_SA/policy. Having multiple CHILD_SAs having the same
remote s
Hi,
> all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8)
> on responder side, as proposed by initiator. Is there any way to
> specify/configure different initiator_tsr for each initiator?
Currently all initiators use the same subnet as defined with
initiator_tsr. So no, there is
Hi,
> ca section1
> cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
> 6. After removing this and executing "ipsec update" we expect that the
> SA will not get established as the end which does not have root CA of
> peer will reject the IKE_AUTH.
All CA certificates placed under the cacerts
> I don't really get how I'm supposed to use leftid, am I supposed to find a
> string-ASN.1 converter ?
No, you define a string representation of your identity. strongSwan
detects the identity type, and tries to convert it to the appropriate
binary encoding (ASN.1 in the case of a DN).
While you
Hi,
> 1) [...]
> For example my certificate subject is :
> C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org,
> E=jacques.moni...@gmail.com
> but when I do ipsec listall I have :
> C=FR, ST=R?gion Parisienne, L=Paris, OU=Org, CN=1.Org,
> E=jacques.moni...@gmail.com
Converting Distinguished N
Hi Lars,
> Is it possible to have different cipher suites for all the "conn"
> parameters in ipsec.conf?
Yes. But for IKE proposals, algorithm selection happens very early in
the exchange, before any peer identity gets exchanged. This is because
these details are explicitly protected under the a
Emeric,
> It seems to be related to: https://wiki.strongswan.org/issues/839#note-1
It is, and as discussed in that ticket, is a consequence of the
pair-wise (un-)installation of SAs.
To properly fix this issue, we would have to defer outbound SA
installation/activation as exchange responder to t
> So what is the added benefit of having two PSKs, since IKEv2 explicitly
> allows that compared to IKEv1?
While it is allowed in IKEv2, I don't see much benefit from doing that.
RFC 7296 says:
> In particular, the initiator may be using a shared key while the
> responder may have a public sign
Hi,
> It seems to me (I found some hints but no real doc) that you have to
> specify the direction like this:
>
> lefthost righthost : PSK rightpsk
> righthost lefthost : PSK leftpsk
This can work, but I don't think that it must in all cases. The lookup
function for shared keys takes
Hi,
> set_strongswan_conf_options(lfile);
> system("starter --daemon charon");
You can't set options in the current process, and then expect that these
options get inherited to a child process spawned using system() or any
exec*() function.
If you want to set strongswan.conf options programa
Hi,
> Please can you advise whether StrongSWan can support Multicast
> Dissemination Protocol (MDP) ?
strongSwan does not provide any form of explicit support for that
protocol. Possible that you can use strongSwan as building block to
secure MDP traffic, but I've no experience with that.
Regard
Hi,
> Is there a way I can avoid this and specify the path to
> the library files and the package folder currently present in
> lib/ipsec/ as compared to the old version where it was stored directly
> in lib/.
Yes, have a look at the --with-ipsecdir, --with-ipseclibdir and
--with-plugindir option
Hi,
> Does %dynamic work in net2net? Or only in road-warrior scenarios?
If any virtual IP has been negotiated, %dynamic resolves to the virtual IP for that
endpoint. If not, it resolves to the IKE endpoint address. It can be
used in either scenario, but has a slightly different behavior.
Regards
Martin
Hi Noel,
> >>> foo=collections.OrderedDict(strongswan.list_sas())
> ValueError: need more than 1 value to unpack
list_sas() returns a generator over SA dictionaries, an iterable over a
list. Creating a dictionary from that does not make much sense, as there
is no key for the value. Instead, you
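As an added example of consuming that generator (not code from the thread or from the python vici package): the sample below stands in for `list_sas()` with a constructed generator that yields what the package delivers, one message per IKE_SA as a single-key dict `{conn_name: attributes}` with leaf values as bytes. It shows why `OrderedDict(list_sas())` fails and how to index the SAs by a key that is actually unique; the connection name is not, since several road warriors share one conn.

```python
from collections import OrderedDict
from typing import Dict, Iterator, List, Tuple


def sample_list_sas() -> Iterator[Dict[str, dict]]:
    """Constructed stand-in for vici.Session.list_sas() (assumed shape: one
    single-key dict per IKE_SA, bytes leaf values). Two SAs share the conn
    name "rw", as happens with road warriors."""
    yield {"rw": {"uniqueid": b"1", "state": b"ESTABLISHED",
                  "remote-host": b"198.51.100.7",
                  "child-sas": {"rw-1": {"state": b"INSTALLED"}}}}
    yield {"rw": {"uniqueid": b"2", "state": b"ESTABLISHED",
                  "remote-host": b"198.51.100.9", "child-sas": {}}}
    yield {"net2net": {"uniqueid": b"3", "state": b"CONNECTING",
                       "remote-host": b"203.0.113.5", "child-sas": {}}}


def naive_index_raises(sas) -> bool:
    """OrderedDict(sas) iterates each message, which yields its single key
    (a string), and then unpacks that string as a (key, value) pair. That
    raises ValueError for most names; a two-character name such as "rw"
    is even silently split into 'r' -> 'w', which is worse."""
    try:
        OrderedDict(sas)
    except ValueError:
        return True
    return False


def index_by_uniqueid(sas) -> "OrderedDict[int, Tuple[str, dict]]":
    """Key the SAs by their uniqueid, keeping the daemon's listing order."""
    by_id: "OrderedDict[int, Tuple[str, dict]]" = OrderedDict()
    for msg in sas:
        (name, attrs), = msg.items()  # exactly one SA per message
        by_id[int(attrs["uniqueid"])] = (name, attrs)
    return by_id


def ids_by_name(sas) -> Dict[str, List[int]]:
    """Map a conn name to all IKE_SA uniqueids currently using it."""
    by_name: Dict[str, List[int]] = {}
    for msg in sas:
        (name, attrs), = msg.items()
        by_name.setdefault(name, []).append(int(attrs["uniqueid"]))
    return by_name


def established_peers(sas) -> List[Tuple[str, str]]:
    """(conn, remote address) for every established IKE_SA."""
    return [(name, a["remote-host"].decode())
            for name, a in index_by_uniqueid(sas).values()
            if a["state"] == b"ESTABLISHED"]


if __name__ == "__main__":
    print(ids_by_name(sample_list_sas()))
    print(established_peers(sample_list_sas()))
```

With the real library, replace `sample_list_sas()` by `vici.Session().list_sas()`; the generator is consumed once, so call it again rather than reusing it for a second pass.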
Hi,
> How can we add a custom algorithm for ESP in strongSwan 4.6.4?
ESP is usually handled by the kernel, so you'll have to implement your
algorithm there. On Linux, you'll have to provide your algorithm through
the Linux Crypto API.
Once that is done, you need to define a transform identifier an
Hi,
> The issue that I'm facing is that SA on Strongswan side is up but stuck in
> "IN-NEG" status on Cisco side (Response is outside of window received 0x1,
> expect 0x2 <= mess_id < 0x2).
> 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]
[...]
> 16[IKE] IKE_SA csr-swan[1] establish
Hi,
> Is there a mechanism to change the level of required log to 'debug', so
> that they will get automatically redirected to /var/log/debug.
No, charon currently always logs with LOG_INFO. With strongswan.conf you
can control the facility only (using the auth or daemon section).
Regards
Martin
> Please let me know if there is a fix for openssl since changing the
> load order of plugin is not recommended.
If you are using OpenSSL 1.0.2a, you might try the strongSwan fix
provided at [1].
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=openssl-hmac
Hi Luka,
> I have just found out, that recent openssl 1.0.2 commit
> 929b0d70c19f60227f89fac63f22a21f21950823
> breaks hmac when using openssl plugin for hmac functions
This commit prevents the pre-initialization with an empty key we use to
avoid any non-initialized use of HMAC_Update(). Most li
Hi Ken,
> Not sure if keeping the current DNS servers installed is the best
> approach, maybe we should remove the previous servers. But we
> currently just add them to have them as a fallback.
I've pushed a new build [1] based on 5.3.0-rc1 that instead of appending
the servers to the list, it re
Hi Richard,
> If we add ff00::/8 to rightsubnet [...] the Router Solicitation and
> Router Advertisement packets pass correctly. The client gets a default
> route, and everything works. However, when we try to connect the VPN
> from a second client, it fails to connect because of duplicate traffic
Hi Michael,
> 1. users should authenticate with a certificate (optional, but planned for
> the future) (Certificate is checked by StrongSwan)
> 2. users should authenticate against our active directory via freeRadius
> (username + password)
> 3. users should also enter an OTP (send as SMS by the
Hi,
> i need to change the host certificate (/etc/ipsec.d/certs/xxx.pem
Certificates from the ipsec.d/certs directory do not get loaded
implicitly, but get referenced in your ipsec.conf conn definition. Use
"ipsec update" or "ipsec reload" to reload the connection, refer to the
manpage for detail
Hi Chris,
> leftsubnet=10.72.0.0/16,192.168.1.0/24,, ip subnet/29>
> On Windows 7 and Windows 8 we can only access the private ip subnets
> after connecting to strongswan. We have to add manually routes to
> access the public ip subnet via the tunnel. Is this a known limitation
> of Windows ("rou
> ESN support must be negotiated, as defined in RFC 4304, 2.2.1:
This of course is RFC 4303 (ESP), sorry for the confusion.
Regards
Martin
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Hi,
> The wiki mentions this ESN support is only for IKEv2. Is it so?
Yes.
> As per my understanding this ESN feature refers to sequence
> numbers in ESP. So why is this support dependent on version of IKE?
ESN support must be negotiated, as defined in RFC 4304, 2.2.1:
>To support high-sp
Hi Fabrice,
> But when i execute "ipsec statusall" command, it replies :
> "reading from socket failed: Permission denied"
>
> When i suppress "/etc/apparmor.d/usr.lib.ipsec.stroke" AppArmor
> profile, the command replies correctly.
We don't ship any AppArmor profiles from upstream, so you most
Hi,
> 1. Is it possible to use port other than 4500 for NAT-T UDP
> encapsulation. If yes, how can I configure it?
Yes, with the "port_nat_t" option in strongswan.conf, refer to [1] for
details.
To initiate a connection to a host with non-default ports, use the
ipsec.conf rightikeport option.
Yves,
> When we generate a new version of these files we issue an ipsec reload
> (not just update). I'd expect that to kill connections that are not
> relevant anymore, but this is not the case ipsec statusall shows them
> still as defined and up and running.
"ipsec reload" by design does not aff
Hi,
> During our testing with IKEv2, we found that the 1st packet(IKE_SA_INIT) does
> not have any information on vendor ID payload which is a MUST criteria as
> per the RFC.
>
> As per the RFC 3947.
>
> “In the first two messages of Phase1, the vendor id payload for this
> specification MUST b
Ken,
> Are there any issues with DNS & StrongSwan Mac OS X app?
The osx-attr plugin prepends the negotiated DNS servers to the currently
configured ones. You may check with scutil if that works as expected.
Not sure if keeping the current DNS servers installed is the best
approach, maybe we sh
Hi,
> As per the description of vulnerabilities in above links, the
> vulnerability is only applicable and will lead to crash in pluto IKE
> daemon alone. Charon is not mentioned.
You should apply these fixes even if using charon only, the
libstrongswan code is used by charon. Not sure where this
Hi Tom,
> Is there a reason that, when using two Strongswan endpoints, one would
> not choose reauth=no?
Yes. Reauthentication re-evaluates authentication credentials, checks
the certificate status or rechecks permissions in the AAA backend.
IKE_SA rekeying, as used with reauth=no, only refreshe
Hi Steffen,
> Strongswan 5.2.2 on linux (centos 6) IKEv2 configuration for windows
> clients I have the following problem:
> My more specific question is why is the outgoing UDP packet size
> greater than the MTU size on the interface?
In an IKE_AUTH response, the large part of the message is pr
Hi,
> Is it essential for both nodes to receive all the ESP packets?
Yes.
> Cannot be ESP sequence numbers synchronized through the HA plugin?
No, this is not how the HA plugin works. ESP sequence numbers move very
fast, making a synchronization in userland difficult.
You may try to synchroniz
Hi,
> 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> ]
> 13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
> 17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601,
> filterId 0
Have you disabled the IKEEXT Windows IK
Hi,
Sorry for my previous mail, this time with some content:
> I have only started running into this since we started using more than
> one subnet in the left side of the connection.
> leftsubnet=10.176.0.0/13,10.130.0.0/16
> rightsubnet=192.168.0.0/16
> Iona-VPN-FW[1]: IKE
On Sat, 2015-03-07 at 21:52 +, Tormod Macleod wrote:
> Hello,
>
> I'm getting the above error when rekeying. I think it might be related to
> issue #431? I've tried the workaround of setting reauth=no but this did not
> resolve the issue. I have only started running into this since we start
Noel,
> I would like to know how the performance of strongswan/Linux is with
> about 1000 established tunnels and ~3000 (XFRM) policies.
I think XFRM policy lookup in the kernel scales fine, handling ~3000
policies shouldn't be a problem at all.
> How much traffic can be forwarded? Is the perfor
> Then you should check if ClusterIP works as expected, and both on the
> inbound and outbound paths the ESP packets hit both nodes.
To clarify, on the outbound path this of course is plain traffic subject
to ESP encapsulation.
Regards
Martin
Aleksey,
> when I test failover [...], traffic won't flow through standby
> node until rekey on child SA is done
To me this sounds like an ESP sequence number issue. I assume you have
patched your kernel to include our ClusterIP IPsec extensions, as
discussed at [1]. You may find some never patche
> I will try to more quickly produce the crash by setting ikelifetime.
> Is there a recommended (or minimum) value?
You may set it to 30s or so, but make sure to adjust
rekeymargin/rekeyfuzz accordingly.
> (gdb) p *cert
> $4 = {get_type = 0xd30fe0, get_subject = 0x7f5e631a9ed8 ,
> has_subject
Ken,
> The initiator received signal 6 (SIGABRT) after eight hours of operation.
Actually, the offending signal is SIGSEGV (11). charon catches that,
prints a backtrace, and then calls abort() to terminate itself.
> I have a ~182MB core file from the initiator. How can I get it to you?
I don't
Hi Tom,
> 1.) Since IKEv2 does not use DPD, should one omit the dpdaction
> directives from ipsec.conf for a connection using IKEv2?
While IKEv2 does not use DPD, it provides a very similar mechanism
called liveness checks. The dpdaction and dpddelay keywords work for
both IKEv1 and IKEv2 in str
Hi Ken,
> 09[DMN] thread 9 received 11
> 09[LIB] dumping 2 stack frame addresses:
> 09[LIB] /lib64/libpthread.so.0 @ 0x7fb8fd3ab000 [0x7fb8fd3ba710]
> 09[LIB] -> sigaction.c:0
> 09[LIB] /lib64/libc.so.6 @ 0x7fb8fce13000 [0x7fb8fd1a2ed8]
> 09[LIB] -> interp.c:0
> 09[DMN] killing oursel
> My understanding was ip address assignment to interface can happen
> later after child SA is negotiated with tunnel end point using the
> virtual ip stored in the Strongswan internal data structures.
No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and
policies to the kernel, al
Hi,
> StrongSwan V5.2.0 is configured to be an IPsec VPN gateway on a Linux
> machine. A Mac laptop connects to it using the native Mac OS X
> v10.10.2 Cisco IPsec VPN client. The connection is established and
> works well for roughly 6,516 seconds (1 hour, 48 minutes, 36 seconds;
> or ~108 minu
Hi,
> What is the need for activate the TASK_IKE_CONFIG before
> TASK_CHILD_CREATE.
While these tasks get executed during the same exchange(s) with an
IKE_AUTH piggybacked CHILD_SA, the order is still important. If a
virtual IP is negotiated, this must be done beforehand. The CHILD_SA
IPsec pol
> Of note is Section 3.12.1: Dead Peer Detection is implemented only for
> server-to-server site-to-site-tunnel mode IPsec tunnels on Windows
> Server 2012 and Windows Server 2012 R2. Dead Peer Detection is not
> implemented on Windows 8 or Windows 8.1 for IKEv2-based VPN (that is,
> VPN Reconn
Kindly asking to keep the discussion on the list, thanks.
> > IKEv2 supports certificate authentication without EAP, which is much
> > simpler and faster.
>
> Would I be able to do this with the StrongSwan applet for Mac OS X ?
No, the strongSwan OS X App currently supports EAP-MSCHAPv2 only us
Hi,
> Can I support different types of authentication method simultaneously
> for IKEv2? i.e. can I support both PEAP-MSCHAPv2 and EAP-TLS at the same
> time ?
As initiator/client, you can configure leftauth=eap without a method to
authenticate with whatever the responder offers.
On the respond
Hi Ryan,
> I have an application scenario where I need to test Nested IPsec Tunnels.
> I googled and came up with some old threads talking about how this isn't
> supported with strongSwan unless I use two boxes, or a VM to route the
> traffic through again. Is this still the case?
Yes, this is
Hi James,
> Here's the log with error...
> 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr
> N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> 08[NET] sending packet: from server.external.ip[4500] to
> client.external.ip[15546] (2204 bytes)
> 11[NET] received packet: from
Hi Sam,
> 1) Is there alternative for 'leftfirewall=yes' in the VICI interface to
> automatically setup iptables rules?
There is no option for the default updown script, but you may manually
specify "ipsec _updown" in the CHILD_SA "updown" configuration option.
> 2) What is the syntax for loadin
Hi,
> In that particular configuration (no monitoring/heartbeat) stopping
> charon on the active node should clear the connections on the remote
> gateway (OK) and on the other node (not OK), right?
The active node will delete the IKE_SA, and send a close event to the
passive node.
If you are no
> When charon is stopped on one of the nodes, DELETE are sent to the remote
> hosts:
Actually, it should not if it has an active heartbeat connection with
the other node. If a node knows that another node is active, it should
deactivate all responsible segments locally before shutting down, and
Hi Denis
> 07[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592]
> (1660 bytes)
> 07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
> 07[NET] sending packet: from 179.179.179.179[4500] to 46.
Hi,
> Is there a way to configure a device to connect to a gateway [ eg
> 10.1.1.254]. If that gateway fails [ detected via DPD],it would
> connect to 10.1.1.253 [ his backup gateway]?
No, specifying fallback addresses is currently not implemented in
strongSwan.
> I've tried with right=10.1.1.
Hi,
> I am wondering how the specification of multiple addresses in the left|right
> option works.
> right=134.111.75.171,134.111.75.172
The right option can take multiple addresses, but only to match the
connection when responding to initiators.
> For example, how many kernel policies I shou
Hi,
> Your fix to use the ordered dictionary worked perfectly. Thank you very
> much. It is now accepting vpn connections.
Great. I'll check how we can mention that issue in the documentation.
> Regarding the `vips` configuration, I thought that it was the replacement
> for the `rightsourceip` o
Hi,
> I'm trying to setup strongswan 5.2 but am experiencing problems where the
> leftside can't seem to connect to the right side and keeps retransmitting
> the request till it times out.
Most likely this is a connectivity or firewalling issue. You should
check where that IKE_SA_INIT message get
Hi,
> rightid=001122334455667788
> IDir '62.43.189.77' does not match to '001122334455667788'
Your Sonicwall uses '62.43.189.77' as its identity. Your strongSwan
configuration strictly requires '0011223344556677880' as defined by
rightid. Either change your Sonicwall or your strongSwan configu
> Are you using the Python library? I think ruby gets this right, as it is
> guaranteed that "Hashes enumerate their values in the order that the
> corresponding keys were inserted.". Probably not true for Python.
Maybe using collections.OrderedDict to define your tree helps.
Regards
Martin
Sam,
> test: remote: uses XAuth authentication: any
> test: remote: [C=US, O=xx, CN=test] uses public key authentication
The order of remote authentication rounds is wrong; XAuth follows public
key, not vice-versa.
As your config tree looks correct, most likely the order of
authenticatio
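As an added example (not the project's code and not from any post in this thread): a minimal encoder and decoder for the vici message format, written from the element types and length prefixes described in the vici README, used to show that the order of authentication rounds on the wire is exactly the iteration order of the Python mapping handed to the client. The conn tree and the section names (`remote` for the public key round, `remote-xauth` for the XAuth round) are assumptions modelled on swanctl.conf; the real `vici` package has its own serializer, this one exists only to make the ordering visible.

```python
import struct
from collections import OrderedDict
from typing import List, Tuple

# vici message element types, as listed in the vici README
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)


def _name(s: str) -> bytes:
    """Names (section, key, list) carry a one-byte length prefix."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("vici names are limited to 255 bytes")
    return bytes([len(b)]) + b


def _value(v) -> bytes:
    """Values carry a two-byte big-endian length prefix."""
    b = v if isinstance(v, bytes) else str(v).encode()
    return struct.pack("!H", len(b)) + b


def encode(tree) -> bytes:
    """Serialise a nested mapping in the order its items are iterated."""
    out = bytearray()
    for key, val in tree.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def decode(data: bytes) -> OrderedDict:
    """Parse the wire form back into nested OrderedDicts, preserving order."""
    root: OrderedDict = OrderedDict()
    stack: list = [root]
    i = 0
    while i < len(data):
        t = data[i]
        i += 1
        if t in (SECTION_START, KEY_VALUE, LIST_START):
            n = data[i]
            key = data[i + 1:i + 1 + n].decode()
            i += 1 + n
        if t in (KEY_VALUE, LIST_ITEM):
            (n,) = struct.unpack("!H", data[i:i + 2])
            val = data[i + 2:i + 2 + n]
            i += 2 + n
        if t == SECTION_START:
            stack[-1][key] = OrderedDict()
            stack.append(stack[-1][key])
        elif t == LIST_START:
            stack[-1][key] = []
            stack.append(stack[-1][key])
        elif t == KEY_VALUE:
            stack[-1][key] = val
        elif t == LIST_ITEM:
            stack[-1].append(val)
        elif t in (SECTION_END, LIST_END):
            stack.pop()
        else:
            raise ValueError(f"unknown element type {t} at offset {i - 1}")
    if len(stack) != 1:
        raise ValueError("unbalanced sections or lists")
    return root


def xauth_conn(pubkey_first: bool = True) -> OrderedDict:
    """Assumed load-conn tree for an IKEv1 gateway doing pubkey + XAuth,
    one 'remote*' section per remote authentication round."""
    pubkey = OrderedDict([("auth", "pubkey"), ("id", "C=US, O=xx, CN=test")])
    xauth = OrderedDict([("auth", "xauth")])
    conn = OrderedDict([("version", "1"),
                        ("local", OrderedDict([("auth", "pubkey"), ("certs", ["gwCert.pem"])]))])
    rounds = [("remote", pubkey), ("remote-xauth", xauth)]
    for name, section in (rounds if pubkey_first else rounds[::-1]):
        conn[name] = section
    conn["children"] = OrderedDict([("net", OrderedDict([("local_ts", ["10.0.0.0/24"])]))])
    return OrderedDict([("test", conn)])


def auth_rounds(msg: bytes, conn: str) -> List[Tuple[str, bytes]]:
    """Remote authentication rounds in the order the daemon reads them."""
    return [(name, sec["auth"]) for name, sec in decode(msg)[conn].items()
            if name.startswith("remote") and isinstance(sec, dict)]
```

The wire form is a flat, ordered stream, so the daemon sees the rounds in whatever order the client iterated the mapping. On CPython before 3.7 a plain `dict` does not iterate in insertion order, which is how a tree that "looks correct" ends up with XAuth before the public key round; `collections.OrderedDict` (or Python 3.7+, where `dict` keeps insertion order) fixes that.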
Hi,
> I have attempted to create the same configuration using a call to the VICI
> with this dictionary:
Have you tried to configure that in swanctl.conf to avoid any problems
with your "dictionary"? Here such an XAuth configuration works fine when
defined in swanctl.conf.
> This keeps returning
Hi,
> I am not observing init script to configure ipsec.conf and
> ipsec.secrets from /etc/config/strongswan configuration file. Is this
> available in any patch or in any other release? where can I find the
> init script for it?
We don't provide any init scripts from upstream (beside some syst
Hi Akash,
> no TLS peer certificate found for
> '223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client
> authentication
> EAP_TLS method failed
As the TLS stack does not find a usable certificate with a private key for
your ID, it skips client authentication. Your server most like
Hi,
> My new setup uses MD5 passwords in Radius, while my old config used
> NT-hash. It seems now with radius-eap I have problems authenticating
> against the MD5 passwords. It is using eap-mschapv2 and it seems it is
> not a supported combination -
This can't work, a server verifying clients wit
Hi Milen,
> 07[IKE] initiating EAP_IDENTITY method (id 0x00)
> 07[IKE] peer supports MOBIKE
> 07[IKE] authentication of '[...]' (myself) with RSA signature successful
> 07[IKE] sending end entity cert "[...]"
> 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending pa
Hi Daniel,
> [...] think of a typical Site-to-Site scenario where Subnets are
> protected by their respective gateways.
>
> However, the expert told me that it is possible to use Transport Mode
> instead of Tunnel Mode for this scenario as well.
As the endpoints that communicate from within the s
Hi Ryan,
> I’m trying to build strongSwan without Kernel dependencies. I’d like
> to use something like the lib-ipsec module (but modified), to receive
> the child SA’s for use on a crypto processor.
strongSwan has different kernel backends. If you don't want to use one
of ours, you might provid
Hi,
> How to send IDi and DN separately such that DN doesn't overwrite IDi?
strongSwan requires that the IDi matches one of the identities in the
certificate, and enforces that if it does not. To use a different ID,
you should include that ID as subjectAltName in your certificate.
If you really
Hi Thomas,
> is it possible to uses strongswan with eap-ttls and pap?
EAP-TTLS in strongSwan currently supports tunneling other EAP methods
only. PAP is not an EAP method, but a different protocol for password
authentication. Plain (non-EAP) PAP, CHAP or MSCHAP is not supported in
our EAP-TTLS im
Hi Pavan,
> My question is whether INITIAL_CONTACT notification can be sent in
> IKE_AUTH response? If yes, in which condition this notification will be
> sent by responder?
Theoretically yes, but strongSwan never sends INITIAL_CONTACT as
responder, only as initiator.
While sending the notify as