Hi Tobias,
I am sorry for cross posting in dev group.
I found that it was a problem with version 5.1.3 of strongswan. The same
setup worked with 5.3.0 of strongswan. I have verified this twice, moving
up and down in strongswan versions. I have the LocalIdentifier in the CN
part of the SAN. The
Hi,
I am trying to make a connection from an iPad using ikev2 and am getting an
error "no trusted RSA public key found for '1-ios-test1-ikev2'" when
strongswan tries to authenticate the cert. I cannot figure out why I get this
error. The same works with IKEv1. Can someone please help?
I have followed
I figured out the problem. iOS does not send the CISCO-UNITY vendor ID if
XAuth is disabled in the profile.
-smk
On Mon, Nov 16, 2015 at 12:21 AM, SM K <sacho.p...@gmail.com> wrote:
> Hi,
>
> I am sorry to send this again, but I wanted to check if anyone has had
> experienc
Hi,
I am trying to test use of unity plugin in strongswan for connections from
iOS devices (iPhone/iPad). There is mention of this working in the forums.
But when I do a pcap on the IKEv1 connection request, I do not see the
CISCO UNITY vendor ID in the initial contact from the iOS device.
A
Hi,
Is it possible to have multiple firewalls connecting to a strongswan
instance with the same firewall? The certificate is used only for
authentication, and perhaps the ID is used to identify each firewall. I
suspect the answer is no, because the ID is picked up from the certificate,
or has to be
This is a follow up on an earlier email I had sent to the group. I am
listing out some issues we saw when we tested with Cisco (a 891) and
Juniper (SRX) firewalls when the firewalls were initiating Main Mode
(ikev1) connections with multiple transforms in a proposal. This was in our
test setup. I
On Sun, Jun 28, 2015 at 11:53 PM, Martin Willi mar...@strongswan.org
wrote:
tiple auth methods, we'd have to
return all of them (for example using a bit-set), and use these methods
in main/aggressive_mode.c to select the appropriate
Hi Martin,
Thanks for the reply. Yes, I realized from the
Hi,
It seems that strongswan does not consider the authentication type in the
configuration when selecting proposals. I have a Cisco device which is
configured with two transform proposals, one for rsa-sig and one for
PSK. Strongswan is configured with a connection definition that uses PSK
Hi,
Is it possible to run strongswan from within an LXC or Docker instance? Has
anyone been able to get this to work?
-sk
Hi,
When testing strongswan performance, we saw that the performance differed
by a lot between an Ubuntu server and a CentOS server, with everything else
being the same. We noticed that the CONFIG_XFRM_SUB_POLICY settings on the
two kernels were different. Ubuntu had it enabled and CentOS had it
Thank you Tobias, Option 1 (ignore a phase1 delete) worked for me.
regards,
SK
On Wed, Apr 15, 2015 at 12:43 AM, Tobias Brunner tob...@strongswan.org
wrote:
Hi,
Are IKEv1s expected to break all connections before making a new one?
Or
Are they expected to make a new one before
Hi Tobias, Andreas,
Thank you for your reply. I have a few more questions inline.
On Tue, Apr 14, 2015 at 5:32 AM, Tobias Brunner tob...@strongswan.org
wrote:
I notice the problem when the Cisco attempts reauthentication of phase1.
It seems that the existing phase1 is first down-ed before
Hi All,
I am seeing a problem with a Cisco 891 connected to strongswan 5.1.3 using
IKEv1. It seems like a Cisco problem, but I did not see this problem with
strongswan 4.x, maybe because the older strongswan handled it a different
way.
I notice the problem when the Cisco attempts reauthentication
Hi,
I am having a problem with the virtual IP pool being exhausted when
connecting from an iOS device. I have the fix in
https://wiki.strongswan.org/issues/764 , but I am seeing the issue
mentioned by one of the users on the bug.
The leak is because the modecfg defined for the iOS device
On 23.03.2015 at 19:03, SM K wrote:
Hi,
If I had two tunnels to my strongswan server, is there a way to
distinguish the packets coming out decrypted from the two tunnels via fw
marks? I would like to handle the traffic coming out of the two (or more)
tunnels differently in my netfilter hooks
Hi Martin,
Thank you very much for the reply. A few more questions.
I have seen this on boxes with aes-ni enabled and also disabled
The cipher suite chosen is AES-128
AES-NI is quite powerful and should allow you to increase your
throughput. However, running AES in GCM mode is
Hi,
I am trying to establish an IPSEC tunnel from the android strongswan app to
a gateway using a name as in xyz.mycompany.com. The authentication is
using certificates. The gateway certificate has a Subject Alt Name as
DNS:*.mycompany.com, DNS:mycompany.com .
This causes the android app to fail
is bad practice anyway. Thus xyz.mycompany.com does not match the
wildcard subjectAltName *.mycompany.com.
Regards
Andreas
On 07.08.2013 20:39, SM K wrote:
Hi,
I am trying to establish an IPSEC tunnel from the android strongswan app
to a gateway using a name as in xyz.mycompany.com
http
18 matches