Hi Tobias,
Thank you for taking the time to reply to my request. How can I get the
same behavior per connection via vici?
I believe dropping the connection when the global initiator_only is marked as
yes is done in charon code and not via iptables.
Please guide me on the per-connection option if
Hi All,
I am using the vici plugin to configure strongSwan and load and initiate
connections.
I see that we have a global " *initiator_only = yes/no* " configuration in
charon.conf. Is it possible to configure this per connection via vici,
so that the initiator is only responsible for initiati
ist-algs) and check how that could occur.
> Maybe file a bug with the project that maintains the library or something.
> It's up to you.
>
> Kind regards
>
> Noel
>
> On 03.01.20 at 02:52, Naveen Neelakanta wrote:
> > Hi Noel and Tobias,
> >
> >
Hi Noel and Tobias,
I saw my session was down and see the below message in the strongSwan logs
saying SPI allocation had failed; after restarting charon, the session came
up. I was running as root. I believe the session was flapping; is that
the reason for the below message, or are there other reason
Hi
I am seeing this continuous close and create for the CHILD_SA. My logs are
overrun; any clue on what might cause this and any way to prevent it from
happening?
2019-08-11T05:43:45.275Z inf charon local1 @dGzD9B text:14[IKE]
CHILD_SA sl3childsa{300113} established with SPIs a4efb19d
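A small checker for the "continuous close and create" pattern described above, as an added example that is not part of this thread or of strongSwan: it parses charon CHILD_SA messages in the shipper layout shown in the log line (timestamp, level, program, facility, message id, `text:`), pairs each `established` event with its `closing` event by connection name and unique ID to get per-SA lifetimes, and flags any CHILD_SA name that is re-established more than a threshold number of times inside a sliding window. The lines in `SAMPLE_LOG` are constructed for the example (the real shipper wraps after `text:`; here each event is one line), and the window, threshold and connection names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shipper format seen in the thread, one event per
# line. sl3childsa is torn down and re-created every few seconds, sl1childsa
# is healthy, and the IKE_SA line must be ignored by the CHILD_SA regexes.
SAMPLE_LOG = """\
2019-08-11T05:43:45.275Z inf charon local1 @dGzD9B text:14[IKE] CHILD_SA sl3childsa{300113} established with SPIs a4efb19d_i c0ffee01_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:43:47.100Z inf charon local1 @dGzD9C text:09[IKE] closing CHILD_SA sl3childsa{300113} with SPIs a4efb19d_i c0ffee01_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:43:49.310Z inf charon local1 @dGzD9D text:14[IKE] CHILD_SA sl3childsa{300114} established with SPIs a4efb19e_i c0ffee02_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:43:51.002Z inf charon local1 @dGzD9E text:09[IKE] closing CHILD_SA sl3childsa{300114} with SPIs a4efb19e_i c0ffee02_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:43:53.500Z inf charon local1 @dGzD9F text:14[IKE] CHILD_SA sl3childsa{300115} established with SPIs a4efb19f_i c0ffee03_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:43:55.120Z inf charon local1 @dGzD9G text:09[IKE] closing CHILD_SA sl3childsa{300115} with SPIs a4efb19f_i c0ffee03_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:43:57.800Z inf charon local1 @dGzD9H text:14[IKE] CHILD_SA sl3childsa{300116} established with SPIs a4efb1a0_i c0ffee04_o and TS 10.1.0.0/24 === 10.2.0.0/24
2019-08-11T05:44:10.000Z inf charon local1 @dGzD9I text:11[IKE] IKE_SA sl1{7} established between 10.24.18.209[10.24.18.209]...10.24.18.210[10.24.18.210]
2019-08-11T05:44:10.050Z inf charon local1 @dGzD9J text:11[IKE] CHILD_SA sl1childsa{12} established with SPIs 0c1d2e3f_i c0ffee05_o and TS 10.3.0.0/24 === 10.4.0.0/24
"""

# <timestamp> <level> charon <facility> <msgid> text:<charon message>
LINE_RE = re.compile(r"^(?P<ts>\S+Z)\s+\S+\s+charon\s+\S+\s+\S+\s+text:(?P<text>.*)$")
ESTABLISHED_RE = re.compile(r"CHILD_SA (?P<name>[\w-]+)\{(?P<id>\d+)\} established")
CLOSING_RE = re.compile(r"closing CHILD_SA (?P<name>[\w-]+)\{(?P<id>\d+)\}")


def parse_events(lines):
    """Return (timestamp, kind, name, unique_id) for every CHILD_SA event."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        text = m.group("text")
        est = ESTABLISHED_RE.search(text)
        if est:
            events.append((ts, "established", est.group("name"), int(est.group("id"))))
            continue
        cls = CLOSING_RE.search(text)
        if cls:
            events.append((ts, "closing", cls.group("name"), int(cls.group("id"))))
    return events


def sa_lifetimes(events):
    """Seconds each CHILD_SA instance lived, keyed by (name, unique_id).
    Instances that have not been closed yet are left out."""
    opened, lifetimes = {}, {}
    for ts, kind, name, uid in events:
        key = (name, uid)
        if kind == "established":
            opened[key] = ts
        elif key in opened:
            lifetimes[key] = (ts - opened.pop(key)).total_seconds()
    return lifetimes


def find_flapping(events, window=timedelta(seconds=60), max_establishes=3):
    """Names established more than max_establishes times inside any window,
    as {name: peak count}. The defaults are assumptions for this example;
    set the window above your rekey interval so normal rekeys do not trip it."""
    by_name = defaultdict(list)
    for ts, kind, name, _ in events:
        if kind == "established":
            by_name[name].append(ts)
    flapping = {}
    for name, stamps in by_name.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_establishes:
            flapping[name] = peak
    return flapping


def report(log_text):
    """(lifetimes, flapping) for a block of log text."""
    events = parse_events(log_text.splitlines())
    return sa_lifetimes(events), find_flapping(events)


if __name__ == "__main__":
    lifetimes, flapping = report(SAMPLE_LOG)
    for (name, uid), secs in sorted(lifetimes.items()):
        print(f"{name}{{{uid}}} lived {secs:.3f}s")
    for name, n in flapping.items():
        print(f"FLAPPING: {name} established {n} times inside 60s")
```

A CHILD_SA that lives for a second or two, as `sl3childsa` does here, is not a rekey (a rekey leaves the old SA up until its lifetime ends); the next things to look at are the matching `closing` reason on the peer and the updown or vici client that may be unloading and reloading the connection.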
Hi All,
I am using IKEv1 main mode; after rekey, I see the below error message and
the IKE session goes to the connecting state. Any clue to resolve this issue?
This happens only for IKEv1.
message parsing failed", "_fac": "local1", "_level": "info" }
sl2: #14, CONNECTING, IKEv1, d429baf8c66ba5cf_
Hi All,
I see an issue where, when I unload a connection from the vici API and
reload a connection, the old SAs are not getting deleted immediately, but
I see a soft expire of 3077 (sec).
src 10.24.18.209 dst 199.168.148.132
proto esp spi 0x36e072cf(920679119) reqid 1(0x0001) mode tunnel
rep
Thanks Tobias
The vulnerability is : ISAKMP endpoint allows short key lengths or insecure
encryption algorithms to be negotiated. This could allow remote attackers
to compromise the confidentiality and integrity of the data by decrypting
and modifying individual ESP and AH packets.
Thanks,
Naveen
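One way to audit an `ike=` / `esp=` proposal string for the transforms such a scanner finding is about, as an added example that is not part of this thread or of strongSwan itself: it splits each comma-separated proposal on `-`, flags named transforms that PCI scanners and current guidance reject (DES, 3DES, NULL, MD5, small MODP groups, and SHA-1 as legacy), flags any keyed cipher with an explicit key length below 128 bits, and `harden()` drops the offending proposals while preserving the ipsec.conf `!` strict flag. The `WEAK` table, the 128-bit floor and the treatment of SHA-1 are this example's policy choices, and the `before` string is constructed. The responder is the side to audit: a responder accepts any proposal it lists, and if `ike=` is not set the daemon's built-in default applies, so check what the running daemon reports (for example `ipsec statusall` or `swanctl --list-conns`) rather than only the config file.

```python
import re

# Transforms rejected outright, with the reason. sha1 is listed because
# scanners flag HMAC-SHA1 as legacy; whether you must drop it is a policy
# decision (an assumption of this example).
WEAK = {
    "des": "single DES, 56-bit key",
    "3des": "3DES, 112-bit effective key and 64-bit block (Sweet32)",
    "null": "NULL encryption",
    "md5": "MD5 integrity",
    "md5_128": "MD5 integrity",
    "sha1": "SHA-1 integrity (legacy)",
    "sha1_160": "SHA-1 integrity (legacy)",
    "prfmd5": "MD5 PRF",
    "prfsha1": "SHA-1 PRF (legacy)",
    "modp768": "768-bit MODP group",
    "modp1024": "1024-bit MODP group (Logjam-class)",
    "modp1024s160": "1024-bit MODP group",
    "modp1536": "1536-bit MODP group",
}

MIN_KEY_BITS = 128  # policy floor chosen for this example

# aes128, aes256gcm16, camellia192, chacha20poly1305, blowfish128, ...
KEYED_RE = re.compile(
    r"^(?P<alg>aes|camellia|blowfish|twofish|serpent|chacha20)"
    r"(?P<bits>\d{2,3})?(?:gcm|ccm|ctr|poly1305)?\d*$"
)


def weak_transforms(proposal):
    """[(transform, reason), ...] for one proposal such as '3des-md5-modp1024'.
    A trailing '!' (the ipsec.conf strict flag) is ignored here."""
    findings = []
    for part in proposal.rstrip("!").split("-"):
        if part in WEAK:
            findings.append((part, WEAK[part]))
            continue
        m = KEYED_RE.match(part)
        if m and m.group("bits") and int(m.group("bits")) < MIN_KEY_BITS:
            findings.append((part, f"{m.group('bits')}-bit key, below {MIN_KEY_BITS}"))
    return findings


def audit(proposal_list):
    """Map every comma-separated proposal (ike= / esp= / proposals= syntax)
    to its weak transforms; an empty list means the proposal is acceptable."""
    return {p: weak_transforms(p) for p in proposal_list.rstrip("!").split(",") if p}


def harden(proposal_list):
    """Keep only proposals with no weak transform. Refuses to return an empty
    list, because an empty ike= would make charon fall back to its built-in
    default rather than to 'nothing'."""
    strict = proposal_list.endswith("!")
    kept = [p for p, bad in audit(proposal_list).items() if not bad]
    if not kept:
        raise ValueError("every proposal is weak; write a new one explicitly")
    return ",".join(kept) + ("!" if strict else "")


if __name__ == "__main__":
    # Constructed: a permissive ike= line of the kind a scanner complains about.
    before = "aes256-sha256-modp2048,aes128-sha1-modp1024,3des-md5-modp1024!"
    for prop, bad in audit(before).items():
        print(prop, "OK" if not bad else ", ".join(f"{t}: {why}" for t, why in bad))
    print("hardened:", harden(before))
```

Run `audit()` over both the IKE (`ike=`) and the ESP/AH (`esp=` / `ah=`) lines of every conn on the responder; the finding quoted above is about the ISAKMP (IKEv1) negotiation, but the same weak transforms in the ESP proposal would let a peer negotiate them for the data plane as well.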
Hi
Is there a configuration to keep strongSwan from responding to
unsolicited requests
from scans, even when strongSwan is not configured with an
endpoint configuration?
This was detected with PCI auditing tools.
Thanks,
Naveen
Hi All,
When I send a ping request with a packet size larger than 1500, I see the
XfrmInStateProtoError counter increment on the receiver side; any clue on this?
Thanks,
Naveen
": "local1",
"_level": "info" }
{ "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid":
"@sBphOC", "text": "06[CFG]hw_offload = 0", "_fac": "local1", "
Hi
I have an IKEv1 session up; however, I also see multiple child SAs if I leave
the session for a long run. I would like to understand this scenario and
whether I should take any action if it is seen.
sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP,
ESP:AES_CBC-128/HMAC_SHA1_96
installe
Thu, May 3, 2018 at 4:02 PM, Naveen Neelakanta <
naveen.b.neelaka...@gmail.com> wrote:
> Thank you Tobias
>
> On Thu, May 3, 2018 at 2:05 AM, Tobias Brunner
> wrote:
>
>> Hi Naveen,
>>
>> > I am using the vici plugin to handle the events and configure t
Thank you Tobias
On Thu, May 3, 2018 at 2:05 AM, Tobias Brunner
wrote:
> Hi Naveen,
>
> > I am using the vici plugin to handle the events and configure the
> > tunnels, however in case of errors like the "no proposal " or auth
> > failure, can this information be retrieved from vici messages .
>
Hi Noel,
I am using the vici plugin to handle the events and configure the tunnels;
however, in case of errors like "no proposal" or auth failure, can this
information be retrieved from vici messages?
That will help a lot for debugging; if this is already present, please point
me to the infor
Thanks Tobias,
I changed the marking for the connections to be unique and also
added mark_in.
Now I see that the ssh issue is also resolved, but I need to get the return
traffic routed to the VTI interface based on the marking.
Regards,
Naveen
On Fri, Mar 2, 2018 at 12:54 AM, Tobias Brunner
wro
Hi Noel,
I need some guidance on the below issues using strongSwan.
1) The second connection with the below configuration fails.
config setup
conn %default
ikelifetime=8h
keylife=8h
rekeymargin=3m
keyingtries=2
keyexchange=ikev1
authby=
Hi Noel,
I am trying to ping VTI interfaces. When I ping, I see the traffic coming
back, but I don't see it on ipsec0; however, I see the traffic on the eth3
interface after it is decrypted, and don't see the same reaching ipsec0.
# tcpdump -ni eth3 icmp
tcpdump: verbose output suppressed, use -v or -vv fo
ur routes
> in the main routing table
> to keep it simple. As soon as you have a working setup, THEN you can start
> making changes.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
>
> On 29.11.2017 09:16, N
Hi All,
I need some guidance and help in getting the traffic routed via the VTI
(ipsec0) interface. I am using the VTI interface to just mark the
traffic and forward it.
I am not able to get the traffic forwarded via the VTI (ipsec0) interface
and to get the traffic marked so that it gets protected.
I ha
Hi,
I would like to know how I can make use of a loopback address inside a
Linux namespace.
I have two veth pairs, lan0-lan1 and net0-net1; lan1 and net1 are
attached to the namespace.
net0 and lan0 are attached to the root namespace.
Root Name Space
lan0-> 127.10.0.1
net0-> 127.11.0.1
Name Space TEST
lan1
Hello,
Is there a configuration to save the expired certificates received from the
client?
Thanks,
Naveen
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Tue, Mar 22, 2016 at 8:02 PM, Naveen Neelakanta <
naveen.b.neelaka...@gmail.com> wrote:
> Hello,
>
> Is it possible to configure strongSwan not to add the below default
> policy rules?
> I am running strongSwan in the TEST namespace on Linux and I don't see
> the arp wor
dev vnet1 proto kernel scope link src 10.8.13.2
Let me know for any other information required.
Thanks
Naveen
On Wed, Mar 23, 2016 at 12:23 AM, Thomas Egerer wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On March 23, 2016 4:02:48 AM GMT+01:00, Naveen Neelakanta
Hello,
Is it possible to configure strongSwan not to add the below default
policy rules?
I am running strongSwan in the TEST namespace on Linux and I don't see
ARP working from the root namespace to the namespace interface. I
would like to know why ARP between the root namespace and the Test
namespace
Hi All,
I would like to run strongSwan in a Linux namespace between veth pairs and
protect all the traffic from LAN to WAN. I need some help in getting
routing between veth pairs of interfaces in the Linux namespace. I am
unable to route packets between two different veth pairs. I have the belo
Hi Noel,
I have a question w.r.t. the strongSwan VPN client.
If I configure the strongSwan VPN client to get a virtual IP
from the server, the client gets a virtual IP and it is added to
the "eth0 interface", my default interface, and now eth0 has
a public IP and a private IP assigned, so actually there are
Hello ,
Can IPsec VPN and NAT be on the same device?
Should NAT be bypassed if we have IPsec VPN enabled?
I just wanted to know: if a router acts as a client and strongSwan
is used as the server, strongSwan assigns a virtual IP. In this case
all the LAN IPs behind the router need to be source NATted
Thanks Andreas,
I got it working.
Thanks
Naveen
On Sat, Sep 14, 2013 at 4:16 PM, Naveen Neelakanta wrote:
> Hi Andreas,
> I have changed the ipsec.secrets file and saw that the secret values were
> read properly by both client and server,
> I still get the authentication Failure,
567890"
>
> if it is to be treated as a text string or
>
> 10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef
>
> if it is to be a HEX value or
>
> 10.73.127.45 10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/
>
> if it is to be interpreted as a Base64-encoded valu
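The three `PSK` value forms quoted above produce different key bytes for what looks like the same secret, which is one cause of an authentication failure when both sides "read the secret properly". The parser below is an added example, not part of this thread or of strongSwan: it decodes an ipsec.secrets `PSK` value the way ipsec.secrets(5) describes (`0x` hex, `0s` base64, otherwise literal text, quoted or bare) and compares two lines byte for byte. The sample lines are constructed (the addresses are the ones quoted above, the keys are dummies); padding the base64 value before decoding is this example's choice, on the assumption that charon accepts the unpadded form shown in the man page.

```python
import base64
import re

# "<selectors> : PSK <value>   # optional comment"; the value is either a
# double-quoted string (may contain spaces) or a single bare token.
SECRET_RE = re.compile(r'^(?P<sel>.*?)\s*:\s*PSK\s+(?P<val>"[^"]*"|\S+)\s*(?:#.*)?$')


def decode_psk(value):
    """Key bytes for the value after 'PSK', following ipsec.secrets(5):
    0x = hex, 0s = base64, anything else = the literal text."""
    value = value.strip()
    if value.startswith("0x"):
        # ValueError on an odd digit count or a non-hex character: surface
        # it, a silently truncated key is exactly the bug being hunted.
        return bytes.fromhex(value[2:])
    if value.startswith("0s"):
        raw = value[2:]
        # The man-page example is unpadded; add padding so b64decode accepts
        # it (assumption: charon tolerates unpadded input the same way).
        return base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].encode()
    return value.encode()  # bare text, including bare hex-looking text


def parse_secret_line(line):
    """(selectors, key_bytes) for one PSK line; None for comments, blank
    lines and other secret types (RSA, EAP, ...)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SECRET_RE.match(line)
    if not m:
        return None
    return m.group("sel").split(), decode_psk(m.group("val"))


def secrets_match(line_a, line_b):
    """True only if both lines yield byte-identical keys: the check to run
    on the client's and server's lines before suspecting anything else."""
    a, b = parse_secret_line(line_a), parse_secret_line(line_b)
    return a is not None and b is not None and a[1] == b[1]


if __name__ == "__main__":
    # Constructed lines in the three forms quoted in the thread plus the
    # bare-text trap: "1234567890abcdef" without 0x is 16 bytes of ASCII,
    # "0x1234567890abcdef" is 8 bytes, and the two never match.
    for line in (
        '10.73.127.45 10.43.135.221 : PSK "1234567890"',
        "10.73.127.45 10.43.135.221 : PSK 0x1234567890abcdef",
        "10.73.127.45 10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/",
        "10.73.127.45 10.43.135.221 : PSK 1234567890abcdef   # bare text, not hex",
    ):
        sel, key = parse_secret_line(line)
        print(sel, f"{len(key)} bytes:", key.hex())
```

Run it against the exact line from each peer's ipsec.secrets; if `secrets_match()` is false the PSK is the problem, and if it is true (and `ipsec rereadsecrets` / a restart has been done on both sides) the identity selectors or the ID types being exchanged are the next thing to compare.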
Hi All,
I have installed both the strongSwan server and client.
I am trying the virtual IP scenario with the PSK auth method, but I am not
able to get it working with the attached configuration files. Please
find the attached server and client configuration files.
I have installed the strongswan
Hi Martin,
I would keep ikev1 and ikev2, but how can I disable:
* updown: if you don't need leftfirewall/leftupdown options
* attr: if you don't set IKE attributes in strongswan.conf
* x509: openssl has its own (but simpler) certificate support
* constraints: if you don't n
Hi All,
I have compiled the latest strongSwan with the configuration below and
installed the same
to a specific location.
Below are the steps followed.
# export DESTDIR=/local/mnt/workspace/NBN/VPN/STRONGSWAN/Latest/install/
#./configure CPPFLAGS=-Os --prefix=/usr --disable-rc2 --disable-md5
--
Hi,
I was using openswan for the VPN client on Linux. I was able to establish the
tunnels with
a static IP address; however, I could not find a way to get an IP address assigned
from the server IP pool. I wanted to know if this is possible using openswan.
I was trying to have a pure IPsec VPN not tied with l2t
lowing line to configure strongSwan:
> ./configure --prefix=/usr \
> --sbindir=/usr/bin \
> --sysconfdir=/etc \
> --libexecdir=/usr/lib \
> --with-ipsecdir=/usr/lib/strongswan \
>
> This line will produce a working set of binaries
Hi
I am new to strongSwan. I have been able to successfully establish a tunnel
between two Linux PCs. However, I want to reduce the size of the strongSwan
image
and hence I have used the below compilation options.
" --disable-curl --disable-soup --disable-ldap \
--enable-gmp --disable