Re: [strongSwan] Best practices regarding monitoring

2017-06-18 Thread Martin Willi
Hi Peter > So, am I correct to assume that you guys usually evaluate the output > of `ipsec statusall` Preferably I'd do that over vici [1], as it provides a much better interface for various languages to query tunnel status or re-initiate tunnels. > Do you simply send pings to remote systems

Re: [strongSwan] Best practices regarding monitoring

2017-06-14 Thread Peter Hofmann
Hi, On Fri, Jun 09, 2017 at 09:11:27PM +0200, Noel Kuntze wrote: > Besides DPD, there's no standard that charon implements for that. I am > also not aware of any that uses CHILD_SAs. alright, too bad. :-/ So, am I correct to assume that you guys usually evaluate the output of `ipsec statusall`

Re: [strongSwan] Best practices regarding monitoring

2017-06-09 Thread Noel Kuntze
Hello Peter, On 09.06.2017 11:46, Peter Hofmann wrote: > Hi, > > we're running various Ubuntu systems with StrongSwan 5.1 or 5.3. Each > system connects to exactly one IPSec/IKE peer. We usually don't know > what kind of peer that is -- is it also running StrongSwan, is it a > hardware firewall,

Re: [strongSwan] Best practices for connection tracking and IPSec

2015-09-30 Thread Noel Kuntze
Hello Tom, Why don't you simply allow all traffic over the tunnel or to and from hosts that use protocols that need conntrack helpers? - -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146

Re: [strongSwan] Best practices for connection tracking and IPSec

2015-09-29 Thread Alarig Le Lay
On Mon Sep 28 19:37:21 2015, Tom Rymes wrote: > And I already put my foot in my mouth. I meant to specify that I was > referring to the conntrack NAT helpers for specific protocols, not > connection tracking in general. > > > On Sep 28, 2015, at 7:22 PM, Tom Rymes wrote: > > >

[strongSwan] Best practices for connection tracking and IPSec

2015-09-28 Thread Tom Rymes
I am sure that this is a dumb question that will reveal my lack of sophisticated networking skills, but here goes anyway: We have used a number of Linux Firewall distributions that have issues with connection tracking (NAT) and StrongSwan IPSec tunnels. Specifically, issues arise with SIP

Re: [strongSwan] Best practices for connection tracking and IPSec

2015-09-28 Thread Tom Rymes
And I already put my foot in my mouth. I meant to specify that I was referring to the conntrack NAT helpers for specific protocols, not connection tracking in general. > On Sep 28, 2015, at 7:22 PM, Tom Rymes wrote: > > I am sure that this is a dumb question that will reveal

[strongSwan] best practices?

2015-04-01 Thread James
All, Looking for best practices on the most secure settings that can be used. I've scoured the net and found very little in terms of which settings are most secure and in which combination. I saw a recommendation on a site that recommended the following settings: conn %default

Re: [strongSwan] best practices?

2015-04-01 Thread Andreas Steffen
Hi James, here are the default proposals for the ike and esp algorithms if you don't define them explicitly: carol charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,

Re: [strongSwan] best practices?

2015-04-01 Thread James
Andreas - this is tremendously useful. Many thanks for the quick reply! On Wed, Apr 1, 2015 at 6:49 PM, Andreas Steffen andreas.stef...@strongswan.org wrote: Hi James, here are the default proposals for the ike and esp algorithms if you don't define them explicitly: carol charon: 04[CFG]