Re: [strongSwan] VTI's as initiator?

2016-07-28 Thread Ruel, Ryan
Tobias, With a combination of setting the mark correctly and setting the traffic selectors (I ended up using 0.0.0.0/0), I am now able to pass traffic through the VTI. Thanks for your help. /Ryan On 7/28/16, 10:05 AM, "Tobias Brunner" wrote: Hi Ryan, >

Re: [strongSwan] VTI's as initiator?

2016-07-28 Thread Ruel, Ryan
I’ve tried to force the key in the ipsec.conf connection entry by adding “mark=100” into the connection. When acting as a responder, I didn’t have to do this, strongSwan seems to choose a mark value for me. With the “mark=100” set, I do see PLUTO_MARK_OUT and PLUTO_MARK_IN get set in the

[strongSwan] VTI's as initiator?

2016-07-28 Thread Ruel, Ryan
I'm trying to establish a VTI using strongSwan as an initiator, and am running into some trouble. I've been able to use VTIs with strongSwan acting as a responder (using a Cisco router as an initiator). I'm running strongSwan 5.4.0 on Ubuntu 15.10 (Kernel 4.2.0-36-generic). My ipsec.conf is
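The setup this thread converges on (a fixed mark that matches the VTI key, 0.0.0.0/0 traffic selectors, charon's own route installation turned off), written out as an added example; it is not Ryan's posted ipsec.conf nor anything from the strongSwan project. Addresses, identities, the PSK-based authentication, the remote network 10.1.0.0/16 and the CONF_DIR/vti0 names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): route-based IPsec over a VTI with
# strongSwan as initiator. All addresses and names below are hypothetical.
set -eu

CONF_DIR="${CONF_DIR:-/etc}"     # where ipsec.conf / strongswan.conf are written
LOCAL_IP="198.51.100.10"         # our public address
PEER_IP="203.0.113.20"           # responder's public address
MARK=100                         # must equal the VTI key (ikey/okey)
VTI_IF="vti0"
VTI_ADDR="10.0.0.1/30"           # inner address on the VTI
REMOTE_NET="10.1.0.0/16"         # routed into the tunnel, not selected by TS

# ipsec.conf: mark=100 binds both SAs to the VTI key, and 0.0.0.0/0 on both
# sides hands the "what goes into the tunnel" decision to the routing table.
# Authentication is PSK here; the matching entry in ipsec.secrets is assumed.
write_ipsec_conf() {
  cat > "$CONF_DIR/ipsec.conf" <<EOF
config setup

conn vti-initiator
    keyexchange=ikev2
    authby=secret
    left=$LOCAL_IP
    leftid=@initiator.example.com
    right=$PEER_IP
    rightid=@responder.example.com
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$MARK
    auto=start
EOF
}

# strongswan.conf: with 0.0.0.0/0 selectors charon would otherwise install a
# default route through the tunnel in table 220; the VTI route replaces that.
write_strongswan_conf() {
  cat > "$CONF_DIR/strongswan.conf" <<EOF
charon {
    install_routes = no
}
include strongswan.d/*.conf
EOF
}

# The interface side. "key 100" sets ikey and okey, matching mark=100 for both
# directions. disable_policy lets decrypted packets leave the VTI without a
# second XFRM policy lookup, which 0.0.0.0/0 selectors would not satisfy.
vti_commands() {
  cat <<EOF
ip tunnel add $VTI_IF local $LOCAL_IP remote $PEER_IP mode vti key $MARK
ip link set $VTI_IF up
ip addr add $VTI_ADDR dev $VTI_IF
sysctl -w net.ipv4.conf.$VTI_IF.disable_policy=1
ip route add $REMOTE_NET dev $VTI_IF
EOF
}

# Only touch the system when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
  write_ipsec_conf
  write_strongswan_conf
  vti_commands | sh -e
  ipsec restart
fi
```

After `ipsec up vti-initiator`, `ip xfrm state` should show the SAs carrying `mark 0x64`, and `ip xfrm policy` should show the 0.0.0.0/0 policies with the same mark; an SA without the mark will never be used by the VTI. Because the selectors admit everything, the interface, not IPsec, decides what is tunnelled: keep a filter on the VTI (iptables/nftables on `vti0`) so that only the intended prefixes cross it.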

Re: [strongSwan] Confusing SHA256 truncation

2016-06-09 Thread Ruel, Ryan
I’ve run into this issue before. There is a thread I had found (shown below) that describes what the exact issue is. It’s indeed a bit odd it’s still present in the ARM 3.10 Kernel. /Ryan https://groups.google.com/forum/#!msg/fa.linux.kernel/RMS91WQXlUQ/MnNlkbzqJq0J Currently the sha256

[strongSwan] Limiting a connection to a specific CA?

2015-10-13 Thread Ruel, Ryan
Assume that you have configured two separate IPsec connections in ipsec.conf. Each client is authenticating via certificates, one to the first connection and the other to the second. If the clients are using certificates signed by private (but different) CAs, is there any way currently to

Re: [strongSwan] Limiting a connection to a specific CA?

2015-10-13 Thread Ruel, Ryan
Is this the relevant option? left|rightca = <id> | %same the distinguished name of a certificate authority which is required to lie in the trust path going from the left|right participant's certificate up to the root certification authority. %same means that the value configured for the other
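What rightca= enforces, shown with two throwaway CAs and an openssl check of the same trust-path test; this is an added example, not code from the thread or from strongSwan. The CA and client names, the DNs, the gateway certificate name and the subnets are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): two private CAs, one client certificate
# issued by each, and a check that each client chains only to its own CA. That
# per-connection chain test is what rightca= adds on top of plain cert auth.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA ($1) and a client certificate ($2) issued by it.
make_ca_and_client() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Does client certificate $2 chain to CA $1? Prints "ok" or "rejected".
# A conn with rightca= pointing at $1 accepts exactly the certificates that
# print "ok" here, even if both CAs are loaded from /etc/ipsec.d/cacerts.
check_chain() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# ipsec.conf with the issuing CA pinned per connection. Without rightca=,
# a certificate from either CA would satisfy either conn.
write_ipsec_conf() {
  cat > "$WORK/ipsec.conf" <<'EOF'
conn %default
    keyexchange=ikev2
    leftcert=gateway.pem
    auto=add

conn partner-a
    rightca="O=Example, CN=ca-a"
    rightsubnet=10.1.0.0/24

conn partner-b
    rightca="O=Example, CN=ca-b"
    rightsubnet=10.2.0.0/24
EOF
}

# Stand-alone run: build both PKIs and print the four chain checks.
if [ "${1:-}" = "demo" ]; then
  make_ca_and_client ca-a client-a
  make_ca_and_client ca-b client-b
  for ca in ca-a ca-b; do
    for client in client-a client-b; do
      echo "$ca <- $client: $(check_chain "$ca" "$client")"
    done
  done
  write_ipsec_conf
  cat "$WORK/ipsec.conf"
fi
```

`ipsec listcacerts` shows which CAs charon has loaded; rightca= only narrows which of those may appear in the peer's chain. Combine it with a rightid= that the other CA would not issue, otherwise the restriction is on the issuer alone and says nothing about who the subject is.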

Re: [strongSwan] Using just charon

2015-07-18 Thread Ruel, Ryan
Andreas, Are there any limitations to just starting the charon daemon directly (versus using the "ipsec" script)? /Ryan On 7/18/15, 6:26 AM, Andreas Steffen andreas.stef...@strongswan.org wrote: Hi Ahmand, no, just start charon itself: /usr/libexec/ipsec/charon If you have an Ubuntu

[strongSwan] Configuring asymmetric PSK's?

2015-07-07 Thread Ruel, Ryan
I am trying to configure a connection where I use an FQDN identifier for my local ID, and an e-mail address for the remote identifier. Both use the same domain name. I have set a secret for each in ipsec.secrets, which I would like to be asymmetric. What I find, however, is that strongSwan is

Re: [strongSwan] Configuring asymmetric PSK's?

2015-07-07 Thread Ruel, Ryan
, as they're shared. Both sides know them. Using different keys on either side gains no security whatsoever. Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 07.07.2015 um 21:23 schrieb Ruel, Ryan: I am trying

[strongSwan] Perform action on crash?

2015-06-03 Thread Ruel, Ryan
I noticed that within starter, if charon happens to crash, starter will spawn a new charon. Are there any configuration options already existing in strongSwan to perform some action if a crash is detected? Ideally, I'd like for my server to send a crash e-mail. Regards, /Ryan

Re: [strongSwan] Frequent rekey causes lost tunnel after about 30 minutes

2015-05-06 Thread Ruel, Ryan
Any suggestions on this? Is it necessary to run DPD and set the “dpdaction” and “closeaction” to restart in order to maintain long lived connections? I’m now finding that even with normal rekey intervals, if I leave the tunnel up for a long period of time (even with traffic), I find that it’s

Re: [strongSwan] Frequent rekey causes lost tunnel after about 30 minutes

2015-05-06 Thread Ruel, Ryan
, Would you kindly share a complete log, so we can see exactly what is happening? Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 06.05.2015 um 12:27 schrieb Ruel, Ryan: Any suggestions

[strongSwan] Frequent rekey causes lost tunnel after about 30 minutes

2015-05-04 Thread Ruel, Ryan
I've been performing some rekey testing, and purposely configured low lifetimes to force rekeys to happen frequently in order to test the system. I'm seeing that any rekey values less than 10m or so wind up causing issues, such as tunnels completely down, or the outbound SA deleted on one

[strongSwan] Configurable core dump path?

2015-04-21 Thread Ruel, Ryan
Is there a way to configure charon to generate a core dump to a configured path? /Ryan

Re: [strongSwan] Configurable core dump path?

2015-04-21 Thread Ruel, Ryan
On 04/21/2015 02:47 PM, Ruel, Ryan wrote: Is there a way to configure charon to generate a core dump to a configured path? /Ryan

Re: [strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Ruel, Ryan
Mukesh, I believe the idea is that for IPv6, NAT will not be needed (that's the beauty of having so much address space!). Technically, sure, you could NAT IPv6. But why? /Ryan From: Mukesh Yadav write2mukes...@gmail.com Date: Wednesday, April 15, 2015 at 9:56

Re: [strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Ruel, Ryan
, Ruel, Ryan wrote: Mukesh, I believe the idea is that for IPv6, NAT will not be needed (that's the beauty of having so much address space!). Technically, sure, you could NAT IPv6. But why? /Ryan Ryan, Perhaps the best reason to address this is that the exact same thing would have been said

Re: [strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Ruel, Ryan
UDP-encapsulation for IPv6 tunnel even if NATT is not detected.. Thanks Mukesh On 15 April 2015 at 19:45, Ruel, Ryan rr...@akamai.com wrote: Mukesh, I believe the idea is that for IPv6, NAT will not be needed (that's the beauty of having so much address space