Hi Peter
> So, am I correct to assume that you guys usually evaluate the output
> of `ipsec statusall`
Preferably I'd do that over vici [1], as it provides a much better
interface for various languages to query tunnel status or re-initiate
tunnels.
> Do you simply send pings to remote systems
Hi,
On Fri, Jun 09, 2017 at 09:11:27PM +0200, Noel Kuntze wrote:
> Besides DPD, there's no standard that charon implements for that. I am
> also not aware of any that uses CHILD_SAs.
alright, too bad. :-/
So, am I correct to assume that you guys usually evaluate the output of
`ipsec statusall`
Hello Peter,
On 09.06.2017 11:46, Peter Hofmann wrote:
> Hi,
>
> we're running various Ubuntu systems with StrongSwan 5.1 or 5.3. Each
> system connects to exactly one IPSec/IKE peer. We usually don't know
> what kind of peer that is -- is it also running StrongSwan, is it a
> hardware firewall,
Hello Tom,
Why don't you simply allow all traffic over the tunnel or to and from hosts
that use protocols that need conntrack helpers?
--
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146
On Mon Sep 28 19:37:21 2015, Tom Rymes wrote:
> And I already put my foot in my mouth. I meant to specify that I was
> referring to the conntrack NAT helpers for specific protocols, not
> connection tracking in general.
>
> > On Sep 28, 2015, at 7:22 PM, Tom Rymes wrote:
> >
>
I am sure that this is a dumb question that will reveal my lack of
sophisticated networking skills, but here goes anyway:
We have used a number of Linux Firewall distributions that have issues with
connection tracking (NAT) and StrongSwan IPSec tunnels.
Specifically, issues arise with SIP
And I already put my foot in my mouth. I meant to specify that I was referring
to the conntrack NAT helpers for specific protocols, not connection tracking in
general.
> On Sep 28, 2015, at 7:22 PM, Tom Rymes wrote:
>
> I am sure that this is a dumb question that will reveal
All,
Looking for best practices on the most secure settings that can be used.
I've scoured the net and found very little in terms of which settings
are most secure and in which combination.
I saw a recommendation on a site that recommended the following settings:
conn %default
Hi James,
here are the default proposals for the ike and esp algorithms
if you don't define them explicitly:
carol charon: 04[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
Andreas - this is tremendously useful. Many thanks for the quick reply!
On Wed, Apr 1, 2015 at 6:49 PM, Andreas Steffen
andreas.stef...@strongswan.org wrote:
Hi James,
here are the default proposals for the ike and esp algorithms
if you don't define them explicitly:
carol charon: 04[CFG]