Tobias,
With a combination of setting the mark correctly and setting the traffic
selectors (I ended up using 0.0.0.0/0), I am now able to pass traffic through
the VTI.
Thanks for your help.
/Ryan
On 7/28/16, 10:05 AM, "Tobias Brunner" wrote:
Hi Ryan,
>
I’ve tried to force the key in the ipsec.conf connection entry by adding
“mark=100” into the connection. When acting as a responder, I didn’t have to
do this, strongSwan seems to choose a mark value for me.
With the “mark=100” set, I do see PLUTO_MARK_OUT and PLUTO_MARK_IN get set in
the
I'm trying to establish a VTI using strongSwan as an initiator, and am running
into some trouble. I've been able to use VTIs with strongSwan acting as a
responder (using a Cisco router as an initiator).
I'm running strongSwan 5.4.0 on Ubuntu 15.10 (Kernel 4.2.0-36-generic).
My ipsec.conf is
I’ve run into this issue before.
There is a thread I had found (shown below) that describes what the exact issue
is.
It’s indeed a bit odd it’s still present in the ARM 3.10 Kernel.
/Ryan
https://groups.google.com/forum/#!msg/fa.linux.kernel/RMS91WQXlUQ/MnNlkbzqJq0J
Currently the sha256
Assume that you have configured two separate IPsec connections in ipsec.conf.
Each client is authenticating via certificates, one to the first connection and
the other to the second.
If the clients are using certificates signed by private (but different) CAs,
is there any way currently to
Is this the relevant option?
left|rightca = | %same
the distinguished name of a certificate authority which is required to lie in
the trust path going from the
left|right participant's certificate up to the root certification authority.
%same means that the value configured for the other
Andreas,
Are there any limitations to just starting the charon daemon directly (versus
using the “ipsec” script)?
/Ryan
On 7/18/15, 6:26 AM, Andreas Steffen andreas.stef...@strongswan.org wrote:
Hi Ahmand,
no, just start charon itself:
/usr/libexec/ipsec/charon
If you have an Ubuntu
I am trying to configure a connection where I use an FQDN identifier for my
local ID, and an e-mail address for the remote identifier.
Both use the same domain name.
I have set a secret for each in ipsec.secrets, which I would like to be
asymmetric.
What I find, however, is that strongSwan is
, as they're shared.
Both sides know them.
Using different keys on either side gains no security whatsoever.
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 07.07.2015 at 21:23, Ruel, Ryan wrote:
I am trying
I noticed that within starter, if charon happens to crash, starter will spawn a
new charon.
Are there any configuration options already existing in strongSwan to perform
some action if a crash is detected? Ideally, I’d like for my server to send a
crash e-mail.
Regards,
/Ryan
Any suggestions on this?
Is it necessary to run DPD and set the “dpdaction” and “closeaction” to restart
in order to maintain long lived connections?
I’m now finding that even with normal rekey intervals, if I leave the tunnel up
for a long period of time (even with traffic), I find that it’s
,
Would you kindly share a complete log, so we can see exactly what is
happening?
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 06.05.2015 at 12:27, Ruel, Ryan wrote:
Any suggestions
I’ve been performing some rekey testing, and purposely configured low lifetimes
to force rekeys to happen frequently in order to test the system.
I’m seeing that any rekey values less than 10m or so winds up causing issues,
such as tunnels completely down, or the outbound SA deleted on one
Is there a way to configure charon to generate a core dump to a configured path?
/Ryan
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
...@gmx.de]
Sent: Tuesday, April 21, 2015 8:58 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] Configurable core dump path?
On 04/21/2015 02:47 PM, Ruel, Ryan wrote:
Is there a way to configure charon to generate a core dump to a configured
path?
/Ryan
Mukesh,
I believe the idea is that for IPv6, NAT will not be needed (that's the beauty
of having so much address space!).
Technically, sure, you could NAT IPv6. But why?
/Ryan
From: Mukesh Yadav write2mukes...@gmail.commailto:write2mukes...@gmail.com
Date: Wednesday, April 15, 2015 at 9:56
, Ruel, Ryan wrote:
Ryan,
Perhaps the best reason to address this is that the exact same thing
would have been said
UDP-encapsulation for IPv6 tunnel even if NATT
is not detected..
Thanks
Mukesh
On 15 April 2015 at 19:45, Ruel, Ryan
rr...@akamai.commailto:rr...@akamai.com wrote: