Re: [strongSwan] question about how to connect from a mobile station

2013-10-24 Thread Martin Willi
Hi, IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag] generating QUICK_MODE request 1438687057 [ HASH SA No ] sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes) sending retransmit 1 of request message ID 1438687057, seq 4 sending

Re: [strongSwan] trouble with the traffic selector

2013-10-24 Thread Martin Willi
Hi, I want to route all the traffic originating from android device to be tunneled through the gateway using the tun0 interface. The Android App does no narrowing itself, that happens on the responder only. To tunnel all traffic from the Android device, set leftsubnet=0.0.0.0/0 on the

Re: [strongSwan] Best practice for win7 - strongswan 5.1

2013-10-24 Thread Martin Willi
Hello Björn, As you can see I tried to do that with EAP, but didn't get it to work. "didn't work" is not a failure description that allows us to help. I'd try to start with a simple setup terminating EAP-MSCHAPv2 at the Gateway, no RADIUS involved. strongswan-5.1.0 # ./configure --enable-pem

Re: [strongSwan] strongswan - juniper tunnel

2013-10-24 Thread Martin Willi
Hi Axel, In charon log (ike=2) this looks like this: Oct 22 23:11:54 06[IKE] initiating Main Mode IKE_SA dorn[35] to ccc.ddd.70.155 Oct 22 23:11:54 08[IKE] initiating Main Mode IKE_SA dorn[45] to ccc.ddd.70.155 Oct 22 23:11:54 13[IKE] initiating Main Mode IKE_SA dorn[37] to ccc.ddd.70.155

Re: [strongSwan] XAuth-EAP method backend not supported: radius

2013-10-24 Thread Martin Willi
XAuth-EAP method backend not supported: radius listplugins shows that I have the required plugins enabled: Probably something is wrong with your eap-radius configuration. Do you see the following log entry during startup? loaded 1 RADIUS server configuration If not, please check that your

Re: [strongSwan] OS X strongSwan client

2013-10-24 Thread Martin Willi
Hi Kris, Hi, I saw log 'installing 8.8.8.8 as DNS server...', but in my 10.9 system, the DNS servers are still the old ones, is this a known issue? charon currently appends the new DNS servers to the existing ones, so the system can try both. This might make sense as fallback on some setups, but I'll

Re: [strongSwan] routing based on rightid

2013-10-24 Thread Martin Willi
Hi Hans, I added multiple certificates OU=groupname to the cert store, hoping that Windows would ask me which one to use, with no luck. I assume you are using Machine Certificates to authenticate the clients? I'm not aware of a way to enforce a specific certificate in IKE authentication. What

Re: [strongSwan] Performance issue with 25k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-10-24 Thread Martin Willi
Hi, gmpn_addmul_1 function in libgmp.so.3.4.1 consumes most of the CPU cycles on both the Linux systems. Yes, this was to be expected; DH computation is the most expensive task. Do I need to use Libgcrypt instead of the GMP library? Probably that won't help, GMP is likely the fastest DH backend

[strongSwan] Antw: Re: Best practice for win7 - strongswan 5.1

2013-10-24 Thread bjoern wahl
Hello Martin, thank you for your response. First: I know that "does not work" would not help anybody, but I sent an email to the list some time ago describing what was really the problem. As I did not get a response I would like to start with an easier configuration. So not to the error

Re: [strongSwan] Antw: Re: Best practice for win7 - strongswan 5.1

2013-10-24 Thread Martin Willi
Error 13801 ike authentication credentials are unacceptable... 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] 07[NET] sending packet: from 456.456.456.456[4500] to Most likely the Windows client does not accept the server certificate. Make sure that you have: * a

Re: [strongSwan] question about how to connect from a mobile station

2013-10-24 Thread Pruss Brian-ABP035
The Fedora packages won't work on RHEL or CentOS, but EPEL packages will: http://pkgs.org/download/strongswan . -Original Message- From: Martin Willi [mailto:mar...@strongswan.org] Sent: Thursday, October 24, 2013 2:14 AM To: Farid Farid Cc: users@lists.strongswan.org Subject: Re:

[strongSwan] IPsec SAs closed unexpectedly

2013-10-24 Thread Mihai Maties
Hi, I am trying to replace a Juniper device with strongSwan and migrate a few hundred IPsec tunnels in the process. The good thing is that all tunnels are ikev1/net2net_psk, the bad thing is that I don't control the other peers. This makes any troubleshooting process more cumbersome. One issue

Re: [strongSwan] strongswan - juniper tunnel

2013-10-24 Thread Axel Zöllich
Hi Martin, Could you post a more complete log (all levels 1) to see where these initiates come from? You mean: charon { filelog { /var/log/charon.log { time_format = %b %e %T append = no flush_line = yes dmn=1 mgr=1

[strongSwan] IKE and IPsec over TCP through HTTP proxy CONNECT method?

2013-10-24 Thread Robert Tribb
Is there any hope of running IKE and the IPsec tunnel mode from a network where internet access is only permitted through an HTTP proxy? Many proxies allow the HTTP CONNECT method, usually for connection to an external host listening on port 443. Many people leave their SSH servers listening on

Re: [strongSwan] IKE and IPsec over TCP through HTTP proxy CONNECT method?

2013-10-24 Thread Noel Kuntze
Hello Robert, IPsec can be tunneled over any protocol (as any protocol can), but I have yet to see a piece of software that does that. IPsec is a VPN by itself and tunnelling it through HTTP/TCP will deteriorate the service's performance, hence