Re: [strongSwan] Davici parsing of terminating an IKE connection

2018-08-07 Thread rajeev nohria
Let me know if I am incorrect, user_data is the last parameter in the davici_queue? 1) Now is it the right practice to add a few more elements in the tester structure to be passed in the callback function? These additional elements can be used to manage the response of deleting the connections. 2) If there

Re: [strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread rajeev nohria
Thanks a lot.. Rajeev On Tue, Jun 26, 2018 at 8:00 AM, Tobias Brunner wrote: > > Question: Is there a way to know when we parse response from Davici that > > which connection is deleted? If yes what parameter of davici we get > > information? I see reqcb() parse the davici response. > > Two

[strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread rajeev nohria
Scenario: Strongswan has established multiple IKE connections with different peers. Let's say we have three different connections. Out of those we plan to delete two connections via initiating using davici terminate command. Question: Is there a way to know when we parse response from Davici that

Re: [strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-06-26 Thread rajeev nohria
Hi Tobias, Which parameter to configure the specific remote IP address for a connection, so that we can reject the messages from any other IP address? I am assuming we are talking about one of parameter in swanctl.conf. If we are talking about connections..remote_addrs.. I did configure

Re: [strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-05-22 Thread rajeev nohria
For the following scenario, is it a Strongswan bug? Responder IP address is *fc00:cada:c406::200*. But if the reply comes from even a different IPv6 address, everything goes successfully, like nothing is wrong. In the following case the IKE_SA_INIT response came from *fc00:cada:c406::500*. I would imagine it should

[strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-05-22 Thread rajeev nohria
I use Davici Interface with Strongswan 5.5. Is there a way for Strongswan to ignore an IKE-SA-INIT response from a bogus IPv6 address? Strongswan replies to all the IKE-SA-INIT received from all IP addresses. thanks, Rajeev

Re: [strongSwan] Cleaning up SAs

2018-04-29 Thread rajeev nohria
jeev On Fri, Apr 27, 2018 at 5:08 PM, Phil Frost <p...@postmates.com> wrote: > Does dpdaction=clear do what you need? > > > On Fri, Apr 27, 2018, 10:11 rajeev nohria <rajnoh...@gmail.com> wrote: > >> I am using Strongswan5.5.0 and using Davici interface. Is th

[strongSwan] Cleaning up SAs

2018-04-27 Thread rajeev nohria
I am using Strongswan 5.5.0 and using Davici interface. Is there a way (any options) to delete the SA immediately if the peer goes down instead of going through retries? Any help is appreciated. I could not find anything so far.. Thanks, Rajeev

[strongSwan] DAVICI related question

2018-03-06 Thread rajeev nohria
In DAVICI, what are the events and what are they for? I see davici_register and davici_unregister function. I am looking for events like certificate failed or certificate revoked or IKEv2 connection failed. I do see it is in log but I would like to receive those events so that code can react to

Re: [strongSwan] Strongswan 5.5 - no private key found-

2018-02-12 Thread rajeev nohria
Thanks, Based on the response I was able to resolve my issue. I was removing "/" when reading the subject. -Rajeev On Fri, Feb 9, 2018 at 11:02 AM, Tobias Brunner wrote: > Hi Rajeev, > > > Using DAVICI, I did make sure local.id is "C=US, > > O=ARRIS Group, Inc., OU=DCA

Re: [strongSwan] Strongswan 5.5 - no private key found-

2018-02-08 Thread rajeev nohria
Let me know I can send you more information. On Thu, Feb 8, 2018 at 12:19 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > > > Now I am getting the following error and not able to resolve this for > sometime. Any inkling is helpful here. > > > Using DAVICI, I did make

[strongSwan] Strongswan 5.5 - no private key found-

2018-02-08 Thread rajeev nohria
Now I am getting the following error and not able to resolve this for some time. Any inkling is helpful here. Using DAVICI, I did make sure local.id is "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80" What else could I be missing? writing RSA key 11[CFG] loaded

Re: [strongSwan] Strongswan 5.5

2018-02-08 Thread rajeev nohria
integrity tests of > the gpm plugin. How did you create the private RSA key? > > Regards > > Andreas > > On 07.02.2018 04:43, rajeev nohria wrote: > > > > > > I am getting following error. > > > > writing RSA key > > 11[LIB] key integrity tests fai

[strongSwan] Strongswan 5.5

2018-02-06 Thread rajeev nohria
I am getting following error. writing RSA key 11[LIB] key integrity tests failed 11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders What could be wrong? I verified the certificate and private key from following site and they matched.

Re: [strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-10 Thread rajeev nohria
means local is also not using TFC padding? Why would local send msg with TFC when TFC is disabled by default? I have tried tfc_padding = 0 in configuration and get the same message. Just trying to understand.. On Wed, Jan 10, 2018 at 10:51 AM, rajeev nohria <rajnoh...@gmail.com> wr

[strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-10 Thread rajeev nohria
I am trying to understand if ESP_TFC_PADDING_NOT_SUPPORTED means Local is using the TFC. I am getting ESP_TFC_PADDING_NOT_SUPPORTED msg from remote. Does that mean local is using the TFC? On local I have to configured tfc_padding and by default it is disabled. If by default it is disabled why

Re: [strongSwan] No private key found

2017-12-12 Thread rajeev nohria
PEM format files.. On Tue, Dec 12, 2017 at 9:33 AM, rajeev nohria <rajnoh...@gmail.com> wrote: > This is at originator side where we are seeing the issue.. > > ~# ipsec listcerts > > List of X.509 End Entity Certificates > > subject: "C=US, O=ARRIS G

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Let me know if you need more info.. On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > Please find the key and config. I am using davici so I am printing the > configuration from log as commands are executing. > > Load-Connection command >

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote: > Can you share your config/secret files ? > > --Jafar > > > On 12/11/2017 9:17 AM, rajeev nohria wrote: > > Anyone can help in this issue, I have setup the id with Subject id. Still > have this issue. Is any

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Anyone can help in this issue, I have setup the id with Subject id. Still have this issue. Is anything else I am missing? Thanks, Rajeev On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > > Not sure what is wrong here, Can you let me know if

[strongSwan] No private key found

2017-11-14 Thread rajeev nohria
Not sure what is wrong here, Can you let me know if I am missing something here. 16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] === fc00:cada:c406::200/128[tcp/8190] with reqid {2} 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport

Re: [strongSwan] no matching peer config found

2017-10-09 Thread rajeev nohria
I figured it out, one of the certificates was not loaded. Fixed it and working now. On Mon, Oct 9, 2017 at 10:36 AM, rajeev nohria <rajnoh...@gmail.com> wrote: > I am using swanctl, and having "no matching peer config found" issue. > > Please find logs and swanctl.conf

[strongSwan] no matching peer config found

2017-10-09 Thread rajeev nohria
I am using swanctl, and having "no matching peer config found" issue. Please find logs and swanctl.conf in this email. Thanks, Rajeev 9[NET] received packet: from fc00:cada:c402:607::1001[500] to 2017::5002[500] (264 bytes) 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)

Re: [strongSwan] No private key found

2017-10-08 Thread rajeev nohria
I resolved the issue by setting up id properly. Thanks for the direction. On Fri, Oct 6, 2017 at 8:37 AM, rajeev nohria <rajnoh...@gmail.com> wrote: > Andreas, > > Thanks for reply. I am using davici interface instead of swanctl.conf. I > do set the id as id: fc00:c

Re: [strongSwan] No private key found

2017-10-07 Thread rajeev nohria
fine the following in swanctl.conf: > > local { >auth = pubkey >certs = myCert.pem > } > > This first causes the private key to be found automatically based > on the fingerprint of the public key contained in the certificate and > the ID to be set to the subject disting

[strongSwan] No private key found

2017-10-07 Thread rajeev nohria
I have seen this issue before and fixed it. But this time I am not able to figure it out. Let me know if anyone sees an issue or has any suggestion. Thanks in advance. Problem: Getting error while initiating the connection. *[IKE] no private key found for 'fc00:cada:c404:607::1001'* *11[IKE] no private

[strongSwan] PSK-IKEv2- DAVICI

2017-06-19 Thread rajeev nohria
Following capture is taken on responder side. Can you give any idea what could be wrong? 15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] 15[CFG] looking for peer configs matching 2001:2016:0:1::23e[2001:2016:0

Re: [strongSwan] Error while running Charon

2016-10-27 Thread rajeev nohria
Ok, I will register on the issue tracker. On Thu, Oct 27, 2016 at 2:37 PM, Noel Kuntze <n...@familie-kuntze.de> wrote: > On 27.10.2016 20:34, rajeev nohria wrote: > > > > I am getting similar to following issue. Not sure how it was resolved. > > https://wiki

Re: [strongSwan] Error while running Charon

2016-10-27 Thread rajeev nohria
(-h) show usage information libgcc_s.so.1 must be installed for pthread_cancel to work Aborted On Wed, Oct 19, 2016 at 2:43 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > Thomas, > > I tried both ways and did not help. Not sure what I could be missing. In > foll

Re: [strongSwan] Error while running Charon

2016-10-19 Thread rajeev nohria
/projects/strongswan/wiki/Strongs > wandirectory > > > On 10/18/2016 04:37 PM, rajeev nohria wrote: > >> Noel, >> >> I still having issue after going through many hit and trial method to >> fix this, >> >> root@Xilinx-ZCU102-2016_1:~# charon >> 00[DMN] S

Re: [strongSwan] Error while running Charon

2016-10-18 Thread rajeev nohria
Noel, I am still having an issue after going through many hit-and-trial methods to fix this, root@Xilinx-ZCU102-2016_1:~# charon 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64) 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-10-05 Thread rajeev nohria
I am all set after adding libatomic.so.1 in lib directory. On Tue, Oct 4, 2016 at 3:05 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > Andreas, > > Thank you for all your help. I have compiled the Strongswan with > petalinux . Whenever I run the charon I get t

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-10-04 Thread rajeev nohria
blob. > > Regards > > Andreas > > On 15.09.2016 21:20, rajeev nohria wrote: > > Andreas, > > > > When using davici- > > For the loading of private rsa keys, that has to be loaded like the > > certificate? > > > > Thanks, > >

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-15 Thread rajeev nohria
Andreas, When using davici- For the loading of private rsa keys, that has to be loaded like the certificate? Thanks, Rajeev On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > Andreas, > > For the loading of private rsa keys, that has to

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-15 Thread rajeev nohria
r the vici socket using davici. > > Regards > > Andreas > > On 04.08.2016 05:03, rajeev nohria wrote: > > Thanks Andreas, > > > > It worked, I now started to implement in Davici. I had PSK working in > > Davici. With certificates, I am having following

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread rajeev nohria
oy the Root CA > certificate on both hosts. > > Best regards > > Andreas > > On 01.08.2016 21:24, rajeev nohria wrote: > > > > I was able to establish IKE connection using PSK but when using pubkey I > > am not able to establish the IKE connection. > >

[strongSwan] Using davici API

2016-07-06 Thread rajeev nohria
I have a very simple config file and am trying to implement the same with DAVICI APIs. Please find attached file for config and its implementation. Not sure what is wrong, any insight would help me. Tester.c file is also compiled with cmd.c. Thanks, Rajeev /* * Copyright (C) 2015 CloudGuard Software

Re: [strongSwan] trap not found, unable to acquire reqid

2016-06-13 Thread rajeev nohria
Noel, I was able to install policy using swanctl --install and a packet from data plane was able to trigger the SAs. Thanks for your help. Rajeev On Mon, Jun 13, 2016 at 1:24 PM, rajeev nohria <rajnoh...@gmail.com> wrote: > Noel, > I am using Strongswan 5.4 with swanctl.conf and str

Re: [strongSwan] trap not found, unable to acquire reqid

2016-06-13 Thread rajeev nohria
Noel, I am using Strongswan 5.4 with swanctl.conf and strongswan.conf. There is no option for auto=route. Is there anything equivalent? Thanks, Rajeev On Mon, Jun 6, 2016 at 10:15 AM, Noel Kuntze <n...@familie-kuntze.de> wrote: > On 06.06.2016 14:28, rajeev nohria wrote: > >

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-06-13 Thread rajeev nohria
++ > then consider the DAVICI library: > > https://github.com/strongswan/davici/blob/master/README.md > > Regards > > Andreas > > On 11.05.2016 13:50, rajeev nohria wrote: > > Andreas, > > > > I appreciate helping me out. Now I am making progress with Charon

Re: [strongSwan] trap not found, unable to acquire reqid

2016-06-06 Thread rajeev nohria
t. > > And there's still the VICI API to charon that you can use to dynamically > load and unload any configuration. > > On 02.06.2016 19:26, rajeev nohria wrote: > > Noel, > > > > We are planning to install SA and policies dynamically. We don't want to > use t

[strongSwan] DAVICI example

2016-06-03 Thread rajeev nohria
Does anyone have an example of DAVICI code and is willing to share? Rajeev

[strongSwan] trap not found, unable to acquire reqid

2016-06-02 Thread rajeev nohria
I added manual entries for policy using "ip xfrm policy" both at receptor and initiator. Both are host and IP address of 10.13.199.185 and 10.13.199.130. Initiator: sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir out tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid

[strongSwan] strongSwan [ no trusted RSA public key found for '10.13.199.185']

2016-05-20 Thread rajeev nohria
I am testing between two Ubuntus. We are using Strongswan 5.4.0 with certificates and keys in swanctl/x509, swanctl/x509ca and swanctl/rsa. I could not figure out how to resolve this. I am creating certificates using ipsec pki as in an example on the strongSwan website. Is it anything obvious I am

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-16 Thread rajeev nohria
> If you intend to write your management application in C or C++ > then consider the DAVICI library: > > https://github.com/strongswan/davici/blob/master/README.md > > Regards > > Andreas > > On 11.05.2016 13:50, rajeev nohria wrote: > > Andreas, > > > > I

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-12 Thread rajeev nohria
ig --enable-systemd > > and enable and start the strongswan-swanctl service. > > BTW - in order to use the vici socket you must be root. Thus > > sudo swanctl --load-conn > > Best regards > > Andreas > > > On 09.05.2016 16:34, rajeev nohria wrote: >

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-11 Thread rajeev nohria
tef...@strongswan.org> wrote: > Hi Rajeev, > > try running charon in the foreground: > >sudo /usr/local/libexec/ipsec/charon > > and check for error messages in the console window. > > Cheers Andreas > > On 11.05.2016 11:53, rajeev nohria wrote: > >> Andreas,

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-11 Thread rajeev nohria
ocess status > (ps aux | grep charon)? > > Regards > > Andreas > > On 05/11/2016 04:04 AM, rajeev nohria wrote: > > Thanks Andreas, > > > > I ran the charon and also copied the charon script file to /etc/init.d. > > Now when I run sudo swanctl --load-c

[strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-09 Thread rajeev nohria
I am a new user of Strongswan and running 5.4.0. After creating certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try to create a connection as following and get an error. Please advise, how to resolve the following issue? $swanctl --load-conn connecting to 'unix:///var/run/charon.vici'