[strongSwan] support of IP addresses and ports as traffic selectors

2009-09-15 Thread vivek bairathi
Hi,

I had a doubt regarding the support of IP addresses and ports as
traffic selectors.

For example:-
I have the following SPD entries. All the entries use the same security association:

S.No.  Source IP  Destination IP  Src Port  Dst Port  SA Ptr
1      1.1.1.1    2.2.2.2         100       100       1
2      1.1.1.1    2.2.2.2         200       200       1
3      1.1.1.1    3.3.3.3         300       300       1
4      1.1.1.1    3.3.3.3         400       400       1
Please note: entries 1, 2 and entries 3, 4 have the same Src/Dst IP pair

So, is it possible to have a SINGLE Security Association for
protecting traffic of all 4 policies above? If yes, then how to specify
the same in ipsec.conf?

Also, does it hold true for both IKEv1 (pluto) and IKEv2 (charon)?

Thanks and Regards,
Vivek
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[strongSwan] esp=null-sha1-modp1024,null-null

2009-09-15 Thread Dimitrios Siganos
Hi,

Is the following esp line a valid configuration?

conn west-east
    esp=null-sha1-modp1024,null-null

Does it mean: add null-sha1-modp1024 and null-null to the default list
of proposals to be negotiated?

How do I know what the default proposal list is?

Regards,
Dimitrios Siganos


Re: [strongSwan] esp=null-sha1-modp1024,null-null

2009-09-15 Thread Andreas Steffen
Hi Dimitrios,

yes, this means that esp=null-sha1-modp1024 is added to the default
list defined by

http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/config/proposal.c#L865

esp=null-null is not a valid configuration, since we do not accept a
null integrity algorithm. If you want to send a single proposal without
the default list then you can use the '!' strict character:

  esp=null-sha1-modp1024!

Kind regards

Andreas

Dimitrios Siganos wrote:
 Hi,
 
 Is the following esp line a valid configuration?
 
 conn west-east
     esp=null-sha1-modp1024,null-null
 
 Does it mean: add null-sha1-modp1024 and null-null to the default list
 of proposals to be negotiated?
 
 How do I know what the default proposal list is?
 
 Regards,
 Dimitrios Siganos

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
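
Added example (not part of the original thread and not strongSwan code): a small lint for the esp= rules in the reply above, covering the trailing '!' strict flag, the rejected null integrity algorithm, and the defaults that apply otherwise. It assumes the positional encryption-integrity[-dhgroup] form used in this thread and that the configured proposals are listed before the defaults; DEFAULT_PROPOSALS is a placeholder, not the real list from proposal.c.

```python
# Added illustration, not strongSwan code. Assumes the positional form seen in
# this thread: encryption-integrity[-dhgroup], comma-separated, optional '!'.
DEFAULT_PROPOSALS = ["<defaults from proposal.c>"]  # placeholder, not real values


def lint_esp(value):
    """Parse an ipsec.conf esp= value into (strict, accepted, findings)."""
    value = value.strip()
    strict = value.endswith("!")  # trailing '!': offer only the listed proposals
    if strict:
        value = value[:-1]
    accepted, findings = [], []
    for proposal in (p.strip() for p in value.split(",")):
        if not proposal:
            continue
        tokens = proposal.split("-")
        encryption = tokens[0]
        integrity = tokens[1] if len(tokens) > 1 else "null"
        if integrity == "null":
            # Rule from the reply: a null integrity algorithm is not accepted.
            findings.append(("error", proposal, "null or missing integrity algorithm"))
            continue
        if encryption == "null":
            # ESP with null encryption authenticates packets but leaves them readable.
            findings.append(("warning", proposal, "null encryption: integrity only"))
        accepted.append(proposal)
    return strict, accepted, findings


def offered(value):
    """Configured proposals, plus the defaults unless '!' made the line strict."""
    strict, accepted, _ = lint_esp(value)
    return accepted if strict else accepted + DEFAULT_PROPOSALS


if __name__ == "__main__":
    # The two esp= values discussed in this thread.
    for line in ("null-sha1-modp1024,null-null", "null-sha1-modp1024!"):
        print(line, "->", offered(line), lint_esp(line)[2])
```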


[strongSwan] question about the EAP-SIM authentication

2009-09-15 Thread weiping deng
Hi Martin,

Excuse me. I have one question about the EAP-SIM authentication. When I read
the code of EAP-SIM authentication, I found RAND was read from triplet.dat
rather than received from Server. And I refer to some materials for EAP-SIM
authentication, and found RAND is an input parameter (received from server)
for SIM which will be used to calculate SRES and KC (through A3 and A8
algorithm) and I don't know why the RAND is also treated as an output from
SIM (triplet.dat) in the strongSwan implementation.
Look forward to your answer. Thanks.

Best Regards,
David 

