://docs.strongswan.org/docs/6.0/config/retransmission.htm
Ok. Does this mean that dpddelay and dpdtimeout obsolete?
What about dpdaction=restart, will this remain in ipsec.conf?
Kind regards
René
On 20.10.22 10:45, Noel Kuntze wrote:
Hi Rene,
With IKEv2 the global ikev2 timeouts are used.
Change
Hi Rene,
With IKEv2 the global ikev2 timeouts are used.
Change charon.retransmit_base, charon.retransmit_jitter,
charon.retransmit_limit, charon.retransmit_timeout, charon.retransmit_tries as
required to achieve the desired timeout.
See
Hi Kamil,
Configure debug logging exactly as specfied in Github issue 196[1] and then
take a look at the log.
It should contain the route strongSwan tries to install.
You can (and if the reason the route can not be installed is valid) disable
route installation by strongSwan if the routing
Hello René,
Yes, if the networks overlapped then that was the right solution.
It was not clear to me that they were just from the email.
Kind regards
Noel
On 10.10.22 22:33, Rene Maurer wrote:
On 10.10.2022 Noel Kuntze wrote:
Please provide the output of `ipsec statusall` as well as `ip x p
Hi René,
Please provide the output of `ipsec statusall` as well as `ip x p`. Also, what
are your firewall rules (iptables-save, nft list ruleset).
Kind regards
Noel
On 10.10.22 15:44, Rene Maurer wrote:
Hi
I am using strongSwan U5.4.0/K4.4.107 (embedded device).
The ipsec tunnel is
Hi all,
Dpd and nat keepalive only work on IKE layer, not on the CHILD_SAs that you
want.
Use auto=route, then bring up the tunnel manually once. Auto=route makes
strongswan install trap policies for the traffic. That should improve
reliability.
The newest release brought a new value for
0.0.0.0/0
dir in priority 39
tmpl src dst
proto esp reqid 1 mode tunnel
Those are policies that match all traffic.
Maybe `ip -d x p` shows the marks if any are set.
Kind regards
Noel
Am 24.01.22 um 21:09 schrieb Carlos G Mendioroz:
Noel Kuntze @ 24/1/2022 16:55 -0300 dixit
Hello John,
I am not aware of if the kernel tracks the assigned TCP MSS of the connections
it knows of.
Conntrack does not have that information. So it's a good question why exactly
that happens.
Can you double check if there is not maybe something like a local proxy running
that could
be
Hi,
Have you tried ipsec stroke rereadsecrets? (Btw, better switch to swanctl)
Kind regards
Noel
Am 06.10.21 um 16:54 schrieb Philip Veale:
So about a week about, one of the CAs in the chain Let'sEncrypt use (DST Root
CA X3) expired. This shouldn't have been a problem for most clients, as it
Hi Arvind,
What am I doing wrong ?
You're not reading logs. That's what you're doing wrong.
Please follow the HelpRequests[1] article on the wiki.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 01.10.21 um 18:10 schrieb Arvind Agaranallur
Kuntze
*Sent:* Friday, September 3, 2021 4:44 PM
*To:* Tiago Stoco; Noel Kuntze; Tobias Brunner; users@lists.strongswan.org
*Subject:* Re: [strongSwan] IPSec route
el Kuntze
*Sent:* Thursday, September 2, 2021 6:08 PM
*To:* Tiago Stoco; Noel Kuntze; Tobias Brunner; users@lists.strongswan.org
*Subject:* Re: [strongSwan] IPSec route based VPN - VTI interface
m:* Noel Kuntze
*Sent:* Wednesday, September 1, 2021 1:23 AM
*To:* Tiago Stoco; Noel Kuntze; Tobias Brunner; users@lists.strongswan.org
*Subject:* Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors
No
Hello Chasing,
Make sure the configuration and the secrets is actually loaded (swanctl -q).
Is server_publicip == serveraddr?
Kind regards
Noel
Am 20.08.21 um 02:02 schrieb Chasing Vega:
Hi
I have a server which is public and accepts IPsec and am trying to connect to
it through strong
My
Hello Jason,
You're entirely on your own there.
The project does not support such old versions in any capacity.
Kind regards
Noel
Am 21.08.21 um 09:54 schrieb Jason Choi:
I used StrongSwan-4.2.17 and tried to set up host-host configuration following the
explanation from
Hello John,
There must be more going on.
strongSwan configuration does not influence DNS resolution in any way.
Kind regards
Noel
Am 29.08.21 um 15:38 schrieb John Serink:
Hello:
We are running the following on a Teltonika RUT-950 router:
root@CORS144:~# ipsec --version
Linux strongSwan
:* Noel
Hello Tiago,
And, I have moved the route for the VTI to table 220 because it seems to be the
right way to config routed based IPSec VPN.
[root@arch-linux ~]# ip rule
0: from all lookup local
220:from all lookup 220
32766: from all lookup main
32767: from all lookup default
Don't
s not answer my question, so I modify my question. Everything
is loaded via VICI , nothing is loaded with ipsec commands or with
configuration files.
Does the application need both commands when all certificates and CRLs are
installed via VICI?
PhilT
Public
-Original Message-
Fr
Hello Lorenzo,
Looks like the log is truncated between 08:04:33 and 08:10:03.
Please provide complete logs, and get logs from the other peer.
See the HelpRequests article on the wiki for useful debug levels[1].
Kind regards
Noel
[1]
Hi Philip,
CRLs are Certificate Revocation Lists.
They're not secrets.
Kind regards
Noel
Am 04.08.21 um 14:29 schrieb Taylor, Philip (Space & Defence):
I am looking at some old application code that executes the command “ipsec
purgecrls” and then sends the VICI command clear-creds.
Man
Hello Jody,
Please provide the output of `iptables-save`, and the output of `ipsec
statusall` once you tried to access the internet, but while the client is still
connected.
Kind regards
Noel
Am 02.08.21 um 20:26 schrieb Jody Whitesides:
Having trouble trying to understand why VPN would
this for me I would
appreciate it.
Dave
Noel Kuntze wrote: Hello David,
strongSwan by default builds policy based tunnels, not route based tunnels.
Thus no interface is needed or created.
Read up on how IPsec works on the wiki to get an understanding for it.
GUI indicators are not inherently rela
Hello Lewis,
That is because the Android app can only reasonably support tunnel mode with
virtual IPs.
See the wiki article[1] for it, please.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
Am 22.07.21 um 15:31 schrieb Lewis Robson:
Hi all,
I am
Hello Lew,
How exactly are you testing the tunnel?
Also, please provide the output of iptables-save.
Kind regards
Noel
Am July 5, 2021 7:28:19 AM UTC schrieb Lewis Shobbrook
:
>Hi Guys,
>I have an IKEv2 tunnel that is established and up, but I am unable to
>route any packets across it.
>All
Hello David,
strongSwan by default builds policy based tunnels, not route based tunnels.
Thus no interface is needed or created.
Read up on how IPsec works on the wiki to get an understanding for it.
GUI indicators are not inherently related to if any tunnel exists, or works.
Kind regards
Noel
Set "Request an inner IP address".
Am 28.06.21 um 15:55 schrieb David H Durgee:
Michael Schwartzkopff wrote:
On 28.06.21 15:34, David H Durgee wrote:
Michael Schwartzkopff wrote:
On 28.06.21 13:44, David H Durgee wrote:
I added that package and got further this time:
(...)
Jun 28 07:33:58
Hi David,
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED notify, no
CHILD_SA built
You need to set NetworkManager to request a virtual IP.
Kind regards
Noel
Am 28.06.21 um 13:44 schrieb David H Durgee:
I added that package and got further this time:
Jun 28 07:33:57
That version number scheme is compromised of the strongSwan version (left part
of the /)
and the version number of the *currently running kernel* (right part of the /).
The right part is of no relevance to the code run by strongSwan. It's a legacy
thing.
You're strongly encouraged to switch to
EY, DAVID BRIAN:
Hello, I've resent this a couple of times over the last few weeks with no
response. Appreciate that you may be too busy, just let me know if that's the
case so that I know you received it and then I wont send any further follow ups.
Thx.
Dave Finley
df1...@att.com
(630) 719-43
with running the swanctl -c and swanctl -q then swanctl -i
--child host-host
it is the correct way?
Regards,
Hoss
On Friday, May 28, 2021, 07:48:13 AM PDT, Noel Kuntze
wrote:
Hello Hoss,
What do you expect to happen?
What exactly did you do up to this point?
Kind regards
Noel
Am 27.05.21 um 19:20
Hello Hoss,
What do you expect to happen?
What exactly did you do up to this point?
Kind regards
Noel
Am 27.05.21 um 19:20 schrieb H Yavari:
Hi to all,
I did a simple configuration based on test samples for two ec2 on AWS, but
nothing happens between the two machines. What I am missing?
Hello Harald,
You can obviously do it, but don't need it, unless you use stateful firewall
rules or accounting using conntrack.
Kind regards
Noel
Am 27.05.21 um 14:49 schrieb Harald Dunkel:
Hi folks,
I wonder if it is reasonable to use connection tracking for
500/udp and 4500/udp in the
:
2.3.8.1 : PSK"abcde"
Stelle : PSK abcde
(2.3.8.1 being the fortigate public ip)
- Original Message -
From: "Noel Kuntze"
To: "Lorenzo Milesi" , "users"
Sent: Wednesday, May 26, 2021 4:24:31 PM
Subject: Re: [strongSwan] Unable to find
Hi Lorenzo,
You are the victim of a typo.
righid=Stelle
Should be rightid.
Kind regards
Noel
Am 26.05.21 um 16:18 schrieb Lorenzo Milesi:
Hi.
I'm (still) trying to configure a tunnel between a StrongSwan 5.6.2 (Ubuntu
18.04) host and a Fortigate device. I finally came up with a
e 3 implies?
--karuna
On Wed, May 12, 2021 at 10:15 AM Noel Kuntze
wrote:
the strace isn't useful because starter is doing the reading and loading of the
config. "ipsec" only tells starter to do that.
Please run dos2unix on the config files on the server and check if
the strace isn't useful because starter is doing the reading and loading of the config.
"ipsec" only tells starter to do that.
Please run dos2unix on the config files on the server and check if that helps.
Am 12.05.21 um 18:49 schrieb Karuna Sagar Krishna:
Ah yes, that is probably because I
this change manually to ipsec.conf, ran `sudo ipsec update` but the status
has not changed and I'm not able to ping the nodes.
--karuna
On Tue, May 11, 2021 at 5:13 PM Noel Kuntze
wrote:
Oh. Right. You need to add auto=add to the configs. In your case, it's
probably good if you'd change your
, May 11, 2021 at 4:17 PM Noel Kuntze
wrote:
Hi, please verify that the config file is actually used. For example add a
deliberate syntax error. Like just garbage on a line. Check if the daemon
and/or ipsec complains about that.
Am 12.05.21 um 01:15 schrieb Karuna Sagar Krishna
.net>[11]:
IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net
<http://hn0-kkafka.p0gi1uxxaaeebnlz4hfuq0bvkf.dx.internal.cloudapp.net>{3}:
INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c73ba254_i c0ffd04a_
Alright, found it.
Please verify that it's the actual ipsec.conf that is loaded because there also
aren't any errors regarding config files logged.
What happens when you run "ipsec update" or "ipsec reload" from the terminal?
Kind regards
Noel
Am 12.05.21 um 01:09 schrie
.
--karuna
On Tue, May 11, 2021 at 2:54 PM Noel Kuntze
wrote:
Hi,
Full logs please, as shown on the HelpRequests[1] page on the wiki.
Also, it's strongly recommended to use swanctl instead if possible. That's
the better configuration backend.
Kind regards
Noel
[1] https
Hi,
Full logs please, as shown on the HelpRequests[1] page on the wiki.
Also, it's strongly recommended to use swanctl instead if possible. That's the
better configuration backend.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 11.05.21 um 23:50
Hi,
Provide output of iptables-save please.
Kind regards
Noel
Am 01.05.21 um 12:43 schrieb Edvinas Kairys:
Hello,
I've established BGP connection from my Centos Linux box to Amazon VPC - using this
guide:
Set connections..send_cert=yes
Exactly as shown in the generated conn. It's not present in the faulty
configuration.
Am 26.04.21 um 21:01 schrieb bls s:
I use nearly the same. Here’s the complete connection definition for iOS as
generated by my pistrong strongSwan management tool:
Hello Rafael,
The app does not support that.
Generally, because the Android app uses the same source code with just an
Android specific UI and some extra plugins, the restrictions are at the very least those
of the base software (strongSwan). strongSwan doesn't support VPNs inside
VPNs either
Hello Volodymyr,
The attributes are unhandled because there is no handler registered for it in
the code.
You can extend the updown plugin to handle those attributes but it's unlikely
your changes
would be merged because the updown plugin is considered deprecated.
Kind regards
Noel
Am
Hi,
It means rekeying was supposed to happen in the past.
Beyond, I do not know.
Kind regards
Noel
Am 31.03.21 um 12:45 schrieb Marco Berizzi:
Hello everyone,
I have encountered that the output of 'swanctl -l' sometimes returns a negative
value on the rekeying time. Does it have any sort of
Hello Gregory,
Your log already gives the clues.
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(15) mschap: Creating challenge hash with username: testuser
(15) mschap:
to address
this case ?
Thanks,
Regards,
Venu
On Thu, 21 Jan 2021 at 10:37, Noel Kuntze
wrote:
Hello Venu,
That is still the case.
Kind regards
Noel
Am 21.01.21 um 05:52 schrieb Venumadhav Josyula:
> Hi Tobias,
>
> In 'Issue #964', you
Hello Venu,
That is still the case.
Kind regards
Noel
Am 21.01.21 um 05:52 schrieb Venumadhav Josyula:
Hi Tobias,
In 'Issue #964', you mentioned it was not intended for high volume traffic. Is
this still the case in lastest strongswan too. Meaning we have vpp based stack,
where we want to
Hi all,
Please provide logs as shown on the HelpRequests page[1] on the wiki.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 18.01.21 um 12:44 schrieb Volodymyr Litovka:
Hi George,
I don't remember exactly Cisco's commands to configure
Hi,
Set remote and local IKE ports to something else than 500 and NON-ESP markers
are set automatically, so NAT-T is then on by default, so to say. Just start
off with port 4510. No need to float up. :)
Kind regards
Noel
Am 08.01.21 um 15:09 schrieb Michael Schwartzkopff:
Hi,
I have two
no impact?
> 2) are there ways to work around this issue in order to achieve what I'm
> trying to achieve - detect IKE rekeying rather than downing connection to
> avoid unnecessary changes to network?
>
> Thank you.
>
> On 18.11.2020 11:36, Noel Kuntze wrote:
>> Hi,
&
Hello Victor,
Please provide a log as shown on the HelpRequests[1] page.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 13.11.20 um 04:13 schrieb Victor Sudakov:
> Dear Colleagues,
>
> What's the reason for strongSwan to create (sometimes) multiple
Hi,
strongSwan doesn't handle that well as of now.
It might change in the future at some point.
Kind regards
Noel
Am 13.11.20 um 09:08 schrieb Christoph Harder:
> Hello everyone,
>
> I'm using Strongswan on FreeBSD and wanted to ask if it is possible to have a
> tunnel initiated by both
Hi,
Please at least provide a full log as shown on the HelpRequests[1] page.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 16.11.20 um 15:46 schrieb Udo Pokojski:
> Hello,
>
>
> I am trying to set up an IPSEC-Tunnel authenticated by certificates.
Hi,
Please provide all information as shown on the HelpRequests[1] page, as well as
the stacktrace.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 18.11.20 um 10:01 schrieb Liam Schönberg:
> Hi,
>
> I'm encountering the situation where Charon
Hi,
VICI acquires locks to do some stuff, which the updown script also does when it
executes to save you the trouble of having to manually/externally serialize all
the things you want to do in the updown script.
TL;DR: Don't do that, you get a deadlock with the updown script plugin.
Kind
me know if there are any issues with it.
Kind regards
Noel
[1] https://gitlab.com/Thermi/ipsec2swanctl
--
Noel Kuntze
IT security consultant
GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
signature.asc
Description: OpenPGP digital signature
to the
corresponding host's networks.
That way the VIP will be inside the TSs and negotiation will succeed.
You probably don't want to use libipsec though but XFRM in policy mode, or
configure a route based IPsec tunnel.
What do you actually want to do?
Kind regards
Noel
Am 05.11.20 um 21:46 schri
Hello Lejeczek,
kernel-libipsec (which is required to be loaded for libipsec to be usable)
creates a tun interface itself. You can not prescribe it to use one.
> mode = pass
That disables all IPsec processing for traffic that matches the policies. You
probably don't want to do that.
Hello George,
Please share a complete log as shown on the HelpRequests page on the wiki.
Use the filelogger at the bottom of it.
Kind regards
Noel
Am 05.11.20 um 20:20 schrieb george:
> Hi Strongswan users!
>
> This is my first post. I have problems to use ECDSA
> certificates with
ontaining them?
> Or should the key be somehow encoded and put as string in the swanctl.conf
> file?
> The documentation isn't totally clear about it and tells me the pubkeys
> configuration is for raw keys (does it mean file names of pem/der encoded
> keys?).
>
> Thank you
mation?
>
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
> Cheers,
> TK
>
> On 10/25/2020 4:59 PM, Noel Kuntze wrote:
>> Hi Tom,
>>
>> The routes in table 220 are only used to tell the kernel which source IP to
>> use for s
Hello Rajiv,
> 1. What exactly are these "kernel traps installed? Can we view what traps are
> installed?
They're just IPsec policies without a state.
> 3. So are these routes in table-220 correlated and mapped to the kernel-traps?
No. The routes are only added if the source IP needs to be
Hi Christoph,
Specify the keys using connections..local.pubkeys and
connections..remote.pubkeys.
Afterwards, check the output and the log file (best if you enable debug logging
like shown on the HelpRequests page)
to see if the public keys were loaded and the private keys, too.
Kind regards
Hi Tom,
The routes in table 220 are only used to tell the kernel which source IP to use
for sending packets to a remote network.
They aren't part of XFRM and only tangentially pertain IPsec.
Also, routes are only added if they are required, so those routes in table 220
are not necessarily
Hi,
Configure your own side with lower reauth and rekey times than the other peer.
Currently the other peer tries to reauth which fails because you're using the
insecure aggressive mode. strongSwan by default rejects other peers'
authentication requests if they're using aggressive mode.
A
keyingtries
Am October 11, 2020 4:56:59 PM UTC schrieb Volodymyr Litovka :
>Colleagues,
>
>how to configure strongSwan to continuously try to reconnect in case of
>network failure?
>
>My current settings are:
>
>charon {
> close_ike_on_child_failure = yes
> retry_initiate_interval = 30
>
Hello Leroy,
Routes in table 220 are only added when needed now (might be later, but the
existence of any is not a suitable indicator of any success or failure, what
the IKE daemon reports is what you should look at).
What is the actual issue?
Kind regards
Noel
Am 08.10.20 um 19:40 schrieb
Hi,
Sorry for the mistake.
Kind regards
Noel
Am 28.09.20 um 11:52 schrieb Tobias Brunner:
> Hi,
>
>> up-client is called for each combination of remote ts and local ts
>> components, as is down-client, when a CHILD_sa is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are
Am 28.09.20 um 11:35 schrieb lejeczek:
>
>
> On 28/09/2020 10:05, Noel Kuntze wrote:
>> Hi,
>>
>> up-client is called for each combination of remote ts and local ts
>> components, as is down-client, when a CHILD_sa is established/destroyed.
>> So when
Hello,
Please provide all information as listed on the HelpRequests[1] page.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 27.09.20 um 16:36 schrieb strongswan@it-beheer.eu:
> Hello everyone,
>
> I am having problems getting an ip range over a
Hi,
up-client is called for each combination of remote ts and local ts components,
as is down-client, when a CHILD_sa is established/destroyed.
So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs are
negotiated/destroyed.
Kind regards
Noel
Am 28.09.20 um 10:58 schrieb
I did it a couple of times. Not that that specific piece of information would
help you in any way.
Am 15.09.20 um 15:40 schrieb Dominik Reusser:
> The security group settings should be fine. It does work with open swan with
> the same credentials.
>
> Am Di., 15. Sept. 2020 um 08:47 Uhr
For completeness, if you were to configure an AH CHILD_SA, you'd use the "ah="
parameter instead of the "esp=" parameter.
Kind regards
Noel
Am 06.09.20 um 00:16 schrieb Leroy Tennison:
> Thank you, I appreciate the reply.
>
> Harriscomputer
>
> *Leroy Tennison
> *Network Information/Cyber
; And thanks for pointing to charon.retransmit* parameters - yes, this is what
> I was looking for.
>
> Thank you!
>
> On 12.06.2020 12:59, Noel Kuntze wrote:
>> Hi Volodymyr,
>>
>> I disagree. That "prevention" enables a better user experience during
>
is it possible to manage delay
> pattern of DPD messages and/or their qty? If admin (e.g. me) knows and
> understands what he is doing, this can solve an issue, shortening time to
> detection of dead peer.
>
> Thanks.
>
> On 12.06.2020 11:18, Noel Kuntze wrote:
>> H
Hi Volodymyr,
I'd configure your RADIUS server to use DAE and allow new connections, thus
simply disconnecting existing clients with the same account when a client
authenticates as that account.
Kind regards
Noel
Am 11.06.20 um 22:41 schrieb Volodymyr Litovka:
> Colleagues, hi,
>
> as
was change leftsubnet=192.168.40.32/30.
>
> Now I need to get the route working which is another problem to be solved.
>
> Cheers!
>
> On 10/6/2020 12:48 pm, Noel Kuntze wrote:
>> Hi Liong,
>>
>> I'm pretty sure you can solve this little puzzle by yourself.
roup, No. 12, Jalan Udang Harimau 2, Kepong Business
> Park, 51200. Kuala Lumpur
> WEB : www.revenue.com.my <http://www.revenue.com.my/>
> (http://www.revenue.com.my/)
> WEB : www.revpay.com.my <http://www.revpay.com.my/>
> (http://www.revpay.com.my/)
>
> On 10/6
Hi Liong,
> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs
> matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
rightid=1.2.3.4
Kind regards
Noel
Am 09.06.20 um 11:27 schrieb Liong Kok Foo:
> Hi,
>
> I am new to strongswan and have not had much experience setting up VPN
Hi Kuna,
> I want to check above network ping but the ping is blocked at my internal
> network so I can not
> ping to node b.
That statement is pretty ambiguous and without corresponding explanation. Keep
in mind that your own interpretation of your collected data is flawed because
you
Hello Micahel,
xfrm_acq_expires is the time the kernel holds an acquire event before it drops
it.
The kernel only sends one acquire event for a policy, not several ones. When it
receives packets with a matching policy but without a corresponding IPsec SA,
it checks if it already sent an acquire
Hello Michael,
It might be that both sides use auto=route or auto=start and initiated in
parallel and uniqueids=no is set, so duplicate SAs are not deleted.
That is pure speculation though. ;)
Kind regards
Noel
Am 31.05.20 um 09:44 schrieb Michael Schwartzkopff:
> Hi,
>
>
> we have a
Hello,
Yes, you can do that. Looks like you still need to install the package
(whichever that is) for the eap-radius plugin.
See the FAQ[1].
[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing
Kind regards
Noel
Am 27.05.20 um 10:17 schrieb Клеусов Владимир
Hi,
You can't have duplicate/identical policies. At all. There's generally
something broken in your setup.
Kind regards
Noel
Am 28.05.20 um 18:56 schrieb korsar...@gmail.com:
> Hello,
> I have 2 endpoints with 2 IP addresses on the each side. I established 2
> connections between them with
Hi,
The other peer has some problem with it. Review its logs.
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Kind regards
Noel
Am 09.05.20 um 16:20 schrieb Jim Geurts:
> Hi,
>
> I'm new to the world of strongswan and vpns in general, so I apologize if
> this is answered elsewhere. I
Hi,
Make sure the iptables chain policies are all set to Accept.
Flushing the ruleset does not reset the chain policies.
Kind regards
Noel
Am 28.04.20 um 15:18 schrieb Philippe Marrot:
> Not firewall issue, I tried without and other static site to ste tunnels are
> working.
signature.asc
first though and specifically, just getting google.com. That page is
quite small and should work fine. Loading a picture from Instagram probably
fails. PMTUD didn't work with Instagram's CDN last time I checked.
Kind regards
Noel
Am 21.04.20 um 22:39 schrieb Narendra Joshi:
> Noel Kun
Hi,
Those are likely all false leads.
It's likely to be an MTU/MSS problem, which is described on the wiki[1].
Kind regards
Noel
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
Am 21.04.20 um 20:38 schrieb Narendra Joshi:
> Hi,
>
> I have
or agent responsible for delivering this message to
> a named recipient, please notify us immediately, and permanently destroy this
> message and any copies you may have. Warning: Email may not be secure unless
> properly encrypted.
>
> -Original Message-
> From: Makarand
Hi,
AFAIR it doesn't/can't. I'm not sure though. You'd have to check.
Kind regards
Noel
Am 01.04.20 um 19:26 schrieb mnli...@frimail.net:
> Hi,
>
> But the NetworkManager plugin could prompt for a passcode couldn't it?
>
> Best regards,
>
> /Mikael
>
> On 20
:
> OK,
>
> Thanks anyway for the quick reply.
>
> The Juniper has IKEv2 support and the RSA SecurID box has a built-in radius
> server
> so maybe that is the way to go with this.
>
> Thanks again,
>
> /Mikael
>
> On 2020-04-01 18:30, Noel Kuntze wrote:
>&
Hi,
There's just no frontend to ask dynamically for such credentials yet. You'd
need to implement that, then you can dynamically prompt for the passcode (after
hooking up X_CODE the same way as X_USER is). Other than that, there are no
provisions for X_CODE or anything else. The code base
Hi,
Some things:
1) Your tunnel only protects traffic between exactly two IP addresses
(XXX.XXX.166.2/32 and 10.10.10.1/32), which is probably not what you want.
Looks like the remote peer narrows the TS to the IP addresses instead of the
networks you want.
Did you configure the exact networks
'.
Am 25.03.20 um 16:13 schrieb Dafydd Tomos:
> On 25/03/2020 14:50, Noel Kuntze wrote:
>>> server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
>>> I ended up adding an interface for 10.100.15.1 as that what appears to be
>>> required.
>> The conn is conf
> server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
> I ended up adding an interface for 10.100.15.1 as that what appears to be
> required.
The conn is configured for x.x.x.x, not 10.100.15.1. strongSwan doesn't need
such an address.
Set left=x.x.x.x.
Am 25.03.20 um 15:47 schrieb
Hi,
Configure debug logging as shown on the HelpRequests[1] page and post it.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Am 25.03.20 um 15:13 schrieb Dafydd Tomos:
> Hi,
>
> I am using strongSwan to connect to a supplier's VPN, but am having
1 - 100 of 1212 matches
Mail list logo
