Re: [strongSwan] Handling of outgoing packets when CHILD_SA is rekeyed

2009-09-02 Thread Martin Willi
Hi,

> When a CHILD_SA is rekeyed, there is a time when SAD will have two SA
> entries corresponding to the CHILD_SA that is rekeyed.

Yes, you'll have two overlapping CHILD_SAs during rekeying.

> how do we know which SA Entry is to be used out of the 2 Entries.

The kernel usually uses the newer SA for outgoing packets, but accepts
incoming packets on both SAs. 

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
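As an added illustration (not code from the list or from strongSwan), a toy model of the kernel SAD that plays the overlap Martin describes through its three phases: outbound traffic moves to the newest SA of the reqid as soon as it is installed, inbound lookup is by SPI so packets still in flight on the old SA are accepted until that SA is deleted. The SPIs and reqid are constructed values.

```python
import itertools


class SaDatabase:
    """Toy SAD: one entry per SPI, grouped by reqid like the kernel's xfrm state."""

    def __init__(self):
        self.by_spi = {}
        self._seq = itertools.count(1)   # install order stands in for the SA's timestamp

    def add_sa(self, spi, reqid, inbound):
        self.by_spi[spi] = {"reqid": reqid, "inbound": inbound, "seq": next(self._seq)}

    def delete_sa(self, spi):
        self.by_spi.pop(spi, None)

    def outbound_sa(self, reqid):
        """Outgoing packets use the newest outbound SA installed for the policy's reqid."""
        cands = [(sa["seq"], spi) for spi, sa in self.by_spi.items()
                 if sa["reqid"] == reqid and not sa["inbound"]]
        return max(cands)[1] if cands else None

    def accepts_inbound(self, spi, reqid):
        """Incoming ESP is looked up by SPI, so both overlapping inbound SAs match."""
        sa = self.by_spi.get(spi)
        return sa is not None and sa["inbound"] and sa["reqid"] == reqid


def rekey_timeline():
    """Return (phase, outbound SPI in use, old inbound SPI still accepted) per phase."""
    sad = SaDatabase()
    old_in, old_out = 0xC0000001, 0xC0000002   # constructed SPIs of the first CHILD_SA
    new_in, new_out = 0xC0000003, 0xC0000004   # constructed SPIs of the rekeyed one
    sad.add_sa(old_in, reqid=1, inbound=True)
    sad.add_sa(old_out, reqid=1, inbound=False)
    steps = [("before rekey", sad.outbound_sa(1), sad.accepts_inbound(old_in, 1))]
    # CREATE_CHILD_SA exchange done: the new pair is installed beside the old one
    sad.add_sa(new_in, reqid=1, inbound=True)
    sad.add_sa(new_out, reqid=1, inbound=False)
    steps.append(("overlap", sad.outbound_sa(1), sad.accepts_inbound(old_in, 1)))
    # once the peer has moved to the new pair as well, the old SAs are deleted
    sad.delete_sa(old_in)
    sad.delete_sa(old_out)
    steps.append(("old deleted", sad.outbound_sa(1), sad.accepts_inbound(old_in, 1)))
    return steps


if __name__ == "__main__":
    for phase, out_spi, old_ok in rekey_timeline():
        print(f"{phase:12s} outbound SPI {out_spi:08x}  old inbound accepted: {old_ok}")
```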


Re: [strongSwan] IPv4 only and minimal kernel modules

2009-09-02 Thread Dimitrios Siganos
Martin Willi wrote:
>> It seems that if I remove all of the IPv6 modules the IPsec doesn't work
>
> Make sure to have at least a 2.6.29 kernel, apply the kernel patch [1]
> or use the workaround patch for strongSwan (attached, breaks mixed v4/v6
> tunnels).
>
> Regards
> Martin
>
> [1] http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304

I am using kernel 2.6.28. If I understand correctly, my options are:

1) upgrade to kernel 2.6.29 and apply patch [1] from above to the Linux
kernel.

2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to
charon (this patch will break v6/v4 mixed operation).

Can you confirm that this is correct and complete?

I plan to stick with 2.6.28 because changing kernel would require a lot 
of discussions and testing.

Regards,
Dimitrios Siganos


[strongSwan] strongswan + redhat

2009-09-02 Thread Johannes Rußek
Hello list,
I'm happy to report that RHEL 5.4 finally ships a fixed kernel, so that
the issues with strongswan, especially DPD and ipsec status, are gone.
Johannes


[strongSwan] Kernel NETKEY issue with charon

2009-09-02 Thread ServerAlex
Hello,
I'm currently installing strongSwan on an embedded internet router. I
loaded all necessary modules before running ipsec start. After ipsec
start (charon only) these ipsec-related modules are loaded (manually
or by ipsec start):

Module                  Size  Used by    Tainted: P
deflate                 2826  0
twofish                 8012  0
twofish_common         45187  1 twofish
serpent                24166  0
blowfish                9297  0
ecb                     3063  0
sha256                  9422  0
xfrm_user              23474  0
xfrm4_tunnel            1932  0
ipcomp                  6066  0
esp4                    6637  0
ah4                     5581  0
af_key                 34747  0
xfrm4_mode_transport    1944  0
xfrm4_mode_tunnel       2592  0
ipip                    9620  0
tunnel4                 2579  2 xfrm4_tunnel,ipip
hmac                    4076  0
crypto_hash             1508  1 hmac
sha1                    2317  0
md5                     4815  0
cbc                     4046  0
blkcipher               4679  2 ecb,cbc
des                    19392  0
aes                    29627  0
cryptomgr               2807  0
crypto_algapi          11055 13 deflate,twofish,serpent,blowfish,ecb,sha256,hmac,sha1,md5,cbc,des,aes,cryptomgr


But when I start my connection now, it gives me this error message:
IKE_SA bla[1] established between [X]...[Y]
installing new virtual IP 10.3.0.1
received netlink error: Function not implemented (89)
unable to add SAD entry with SPI c9146f03
received netlink error: Function not implemented (89)
unable to add SAD entry with SPI cfab2a52
unable to install inbound and outbound IPsec SA (SAD) in kernel

Syslog records this:
Sep  3 00:14:36 router daemon.info syslog: 14[CFG] received stroke: initiate 'bla'
Sep  3 00:14:36 router daemon.info syslog: 12[IKE] establishing CHILD_SA bla
Sep  3 00:14:36 router authpriv.info syslog: 12[IKE] establishing CHILD_SA bla
Sep  3 00:14:36 router daemon.info syslog: 12[KNL] getting SPI for reqid {2}
Sep  3 00:14:36 router daemon.info syslog: 12[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7ddff768
Sep  3 00:14:36 router daemon.info syslog: 12[KNL] got SPI c7868684 for reqid {2}
Sep  3 00:14:36 router daemon.info syslog: 12[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Sep  3 00:14:36 router daemon.info syslog: 12[NET] sending packet: from 169.254.2.1[4500] to 85.14.217.62[4500]
Sep  3 00:14:36 router daemon.info syslog: 16[NET] received packet: from 85.14.217.62[4500] to 169.254.2.1[4500]
Sep  3 00:14:36 router daemon.info syslog: 16[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Sep  3 00:14:36 router daemon.info syslog: 16[KNL] adding SAD entry with SPI c7868684 and reqid {2}
Sep  3 00:14:36 router daemon.info syslog: 16[KNL]   using encryption algorithm AES_CBC with key size 128
Sep  3 00:14:36 router daemon.info syslog: 16[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Sep  3 00:14:36 router daemon.info syslog: 16[KNL] sending
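Added here as an illustration (not strongSwan's code, nor anything posted to the list): a decoder for the 248-byte XFRM_MSG_ALLOCSPI request that charon logged in the syslog excerpt above, rebuilt from the non-zero bytes of that log's hex dump, which shows what the daemon asks the kernel for when it needs an inbound SPI (this particular request succeeded: "got SPI c7868684"). Field offsets are those of the captured layout (64-bit lifetime counters 8-byte aligned, little-endian host), and the helper names are mine.

```python
import socket
import struct

# Non-zero 16-byte rows of the 248-byte XFRM_MSG_ALLOCSPI request charon logged
# above (offset -> hex); every row not listed here was entirely zero in the dump.
CAPTURED_ROWS = {
    0: "f800000016000100ce0000008b0a0000",
    64: "0000000000000000a9fe020100000000",
    80: "00000000000000000000000032000000",
    96: "550ed93e000000000000000000000000",
    224: "02000000020001000000000000000000",
    240: "000000c0ffffffcf",
}
NLMSGHDR = struct.Struct("<IHHII")   # nlmsg_len, type, flags, seq, pid (little-endian host)
XFRM_MSG_ALLOCSPI = 0x16             # 22 in linux/xfrm.h
PROTO_NAMES = {50: "ESP", 51: "AH", 108: "IPCOMP"}
MODE_NAMES = {0: "transport", 1: "tunnel"}

def build_message(rows, length=248):
    """Rebuild the full netlink message from the non-zero rows."""
    buf = bytearray(length)
    for off, hx in rows.items():
        buf[off:off + len(hx) // 2] = bytes.fromhex(hx)
    return bytes(buf)

def xfrm_addr(raw, family):
    """xfrm_address_t is a 16-byte union; an IPv4 address sits in its first 4 bytes."""
    if family == 2:                                   # AF_INET as the kernel numbers it
        return socket.inet_ntop(socket.AF_INET, raw[:4])
    return socket.inet_ntop(socket.AF_INET6, raw)

def parse_allocspi(msg):
    """Decode nlmsghdr + struct xfrm_userspi_info (xfrm_usersa_info, then min/max SPI).
    Offsets for this capture's layout: selector 56 bytes, id.daddr 56, id.spi 72,
    id.proto 76, saddr 80, reqid 208, family 212, mode 214, min/max 224."""
    nlen, ntype, nflags, seq, pid = NLMSGHDR.unpack_from(msg, 0)
    if nlen != len(msg) or ntype != XFRM_MSG_ALLOCSPI:
        raise ValueError("not a complete XFRM_MSG_ALLOCSPI message")
    body = msg[16:]
    reqid, family, mode = struct.unpack_from("<IHB", body, 208)
    spi_min, spi_max = struct.unpack_from("<II", body, 224)  # host order, as the daemon fills them
    return {
        "seq": seq, "pid": pid, "is_request": bool(nflags & 0x1),
        "daddr": xfrm_addr(body[56:72], family),        # inbound SA, so this is the router's own address
        "spi": struct.unpack_from(">I", body, 72)[0],   # zero: the kernel is being asked to pick one
        "proto": PROTO_NAMES.get(body[76], body[76]),
        "saddr": xfrm_addr(body[80:96], family),
        "reqid": reqid, "mode": MODE_NAMES.get(mode, mode), "spi_range": (spi_min, spi_max),
    }
```

Running `parse_allocspi(build_message(CAPTURED_ROWS))` recovers reqid 2, tunnel mode, ESP between 85.14.217.62 and 169.254.2.1, and the SPI window 0xc0000000..0xcfffffff that the kernel later satisfied with c7868684.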

[strongSwan] does strongSwan support Solaris

2009-09-02 Thread Zhang, Long (Roger)
Hi,

I see strongSwan has been ported to FreeBSD, but it seems it is not
supported on Solaris. Is there a plan to port it to Solaris?

Thanks,
Roger
