Hello,
I would like to change the encryption to support the following on iOS:
ikev2.ikeSecurityAssociationParameters.encryptionAlgorithm =
.algorithmAES256GCM
ikev2.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA384
ikev2.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
Hello
I am trying to implement the customized crypto kernel AES module, which
should be used only to encrypt IPsec payloads.
How can I integrate it into strongswan?
The custom AES version should be used only for IPsec, that's why this crypto
module cannot have the highest priority in kernel and
Hi Team,
I am trying to establish tunnel with my strongswan.
But after receiving IKE_AUTH response my local strongswan end (initiator)
rejects tunnel saying ' length of TRAFFIC_SELECTOR_SUBSTRUCTURE
substructure list invalid'.
And I am unable to get the reason for the same. Because I have
Hi Sandesh,
RSA signature-based authentication can only be broken if the
same RSA key is being used as for RSA encryption-based authentication
and this RSA key is broken applying the Bleichenbacher oracle to
RSA encryption-based authentication.
Since strongSwan does not implement RSA encryption,
rote the following to help explain this..
> https://www.linkedin.com/pulse/ike-brute-force-attack-explained-graham-bartlett/
> cheers
> From: Users on behalf of Sandesh Sawant
> Date: Monday, 3 September 2018 at 10:20
To: "andreas.stef...@strongswan.org"
Cc: "users@lists.strongswan.org"
Subject: Re: [strongSwan] (no subject)
Hello Andreas,
Thanks for confirming that strongSwan isn't vulnerable to the mentioned
attack.
However the report claims to have exploits for PSK and RSA signature based
authentication also... Quoting from the report abstract:
"We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA
Hi Sandesh,
strongSwan is not vulnerable to the Bleichenbacher oracle attack
since we did not implement the RSA encryption authentication variant
for IKEv1.
Best regards
Andreas
On 31.08.2018 10:53, Sandesh Sawant wrote:
> Hi all,
> I came across below news about a paper enlisting attacks
Hi all,
I came across the news below about a paper enlisting attacks pertaining to the IKE
protocol, and want to know whether the latest version of the strongSwan stack is
vulnerable to the attacks mentioned in this paper:
https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf
Hi,
I currently have strongSwan server setup on a VPS host, and I'm also
running an adblocking DNS server (not exposed to internet) on this same
host. The server only has one interface and it has a public IP address
(e.g. 1.2.3.4). I'd like to configure strongSwan to hand out a DNS address
(for
Hi Sandesh
There's no POSTROUTING chain in the *filter table, so your command will never
work.
The table is probably *mangle, because *nat never gets packets with ctstate
INVALID.
You're probably missing something major here.
Please provide the information listed here[1] using the provided
Hi Noel,
Apologies for late response. The setup I was using had to be dismantled and
rebuilt. After further debugging it is found that this issue isn't related
to strongswan/xfrm behavior - it's related to firewall. The reason for the
VTI ping not going out of ipsec tunnel was a firewall rule:
Please provide the following data:
- Output of `iptables-save` of both hosts
- Output of `ip route show table all` of both hosts
- Output of `ip address` of both hosts
Kind regards
Noel
On 22.09.2017 07:17, Sandesh Sawant wrote:
> I have referred to following links and configured strongSwan to
I have referred to following links and configured strongSwan to establish a
route-based VPN tunnel between 2 Linux 4.4.57 boxes.
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
https://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
The data path used to work
However, swanctl -L shows conns multiple times
I couldn't reproduce this. Is there anything suspicious when invoking
swanctl --load-conns?
And please be aware: --list-conns enumerates all configurations it
finds, not only those loaded through swanctl itself. So if you still
have the same
Hello list,
I'm using swanctl and could convert my ipsec.conf into swanctl.conf.
However, swanctl -L shows conns multiple times and swanctl -P doesn't show any
pool definitions.
Can anyone reproduce that problem?
Regards,
Noel Kuntze
Hi,
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[IKE] no IKE config found for 37.247.54.124...38.109.218.26, sending
NO_PROPOSAL_CHOSEN
10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
left=%defaultroute
right=37.247.54.124
Can you
I run a number of linux boxes on various VPS providers that use IPsec
to connect tunnelled ip interfaces which then run OSPF.
This setup has worked fine for a number of years.
Recently my systems seem to have upgraded from 5.0.4 to 5.1.1 and
everything has stopped working, a few connections will
HostA-GW1==GW2---HostB
HostA:
ipaddress: 192.167.2.2/24
GW1:
ipaddress
eth0: 192.167.2.180/24
eth1: 192.167.21.1/24
Hi,
I am using strongSwan on openwrt 10.0.3.1-rc4.
I am trying to connect using an iPhone and Snow Leopard using the built-in
Cisco client, but I get the same error.
I am able to connect using IPsec/L2TP on both the devices. I am also able to
connect using the Cisco client on Windows.
I
...@hotmail.com
CC: users@lists.strongswan.org
Subject: Re: [strongSwan] (no subject)
Yeah, this is strange indeed. Have Elliptic Curves been enabled in
libcrypto.so-0.9.8e? We know of some Linux distributions where this
hasn't been the case.
Regards
Andreas
On 21.10.2010 20:24, Michael Sneed
Hi,
I am having problems getting StrongSwan to use ECP algorithms. I built with:
./configure --prefix /usr --sysconfdir=/etc --libexecdir=/usr/libexec
--enable-openssl
But when I try to bring up a connection specifying:
ike=aes128-sha256-ecp256!
esp=aes128gcm16!
I get:
002 suiteB #1:
I am experiencing a problem connecting a Funkwerk EC VPN25 router (VPN Access
25 version V.7.4 Rev. 1 (Patch 11) with StrongSwan (Linux strongSwan
U4.3.2/K2.6.32-22-generic) gateway.
The (StrongSwan) gateway S has a fixed IP address, the router R has a
dynamic one, provided by DynDNS. After an
Hello Peter,
have you tried to set
right=r.dyndns.org
rightallowany=yes
or more concise
right=%r.dyndns.org
which will resolve the hostname r.dyndns.org during an ipsec update,
allowing S to initiate the connection but also accepting any
changed IP address of R as a responder. The
Hi,
I have opened the ports in the LANKOM.
Kind regards, Jan
From: Andreas Steffen [andreas.stef...@strongswan.org]
Sent: Saturday, 28 November 2009 14:58
To: Jan Luca Naumann
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Problems with
Hi Keith,
the problem is on the other side because the peer is not
responding. Do you have any logs from the peer side?
Andreas
Keith Smith wrote:
Hey folks,
I'm a complete newbie who has inherited this IPsec solution from my
predecessor.
I have two working tunnels and one which fails.
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users