Re: [strongSwan] routing traffic to site to site ipsec tunnel

2014-12-23 Thread Eric Zhang
Noel, thanks, it works like a charm. Sent from Mobile. On 19 December 2014, at 08:49, Eric Y. Zhang debian...@gmail.com wrote: Hi Noel, thanks for responding. Based on my understanding, 0.0.0.0/0--0.0.0.0 will pass all traffic to the ipsec tunnel. There are no more steps after setting the mark for those

Re: [strongSwan] Strongswan and VTI

2014-12-23 Thread Jérémie Vandeville
I have a clue. If I add the following iptables rule: bob@hostB:~# sudo iptables -t mangle -A PREROUTING -p esp -s 192.168.42.32 -d 192.168.42.12 -j MARK --set-mark 15 I can see the ICMP packet but no answer from the loopback... root@hostB:~# tcpdump -nni eth0 esp or icmp tcpdump: verbose

[strongSwan] Does the Strongswan Android Play Store app use the socket_dynamic or socket_default plugin?

2014-12-23 Thread Ravi Kanth Vanapalli
Dear all, please let us know which of the following plugins the Strongswan Android Play Store app uses for socket writing: socket_default_plugin or socket_dynamic_plugin. I was trying to understand the data path and ran into this issue where there were two plugins to write information out.

Re: [strongSwan] roadwarrior as gateway, possible?

2014-12-23 Thread Noel Kuntze
Hello Zesen, You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 through the tunnel and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic. Make the hosts in the LAN use your old notebook as gateway for the
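An ipsec.conf sketch of the layout Noel describes, added here as an illustration and not taken from his message or from the strongSwan project: one connection that sends everything (0.0.0.0/0 on both ends) through the tunnel to the VPN gateway, plus an unauthenticated passthrough policy that exempts LAN-to-LAN traffic so the notebook can still act as the LAN's gateway. The hostnames, identities, certificate file names and the 10.0.0.0/8 LAN prefix are assumptions. The notebook additionally needs IP forwarding enabled, and the remote gateway must accept 0.0.0.0/0 as the client's traffic selector.

```ini
# Added example (not the original poster's or strongSwan's own config).
# Names, IDs, certificate files and the 10.0.0.0/8 prefix are assumptions.

config setup

# Local LAN traffic must not be caught by the 0.0.0.0/0 tunnel policy:
# a passthrough policy with the same selector on both sides exempts it.
# authby=never: no IKE is run for this entry; auto=route installs the
# policy at startup. Keep it at least as specific as the LAN prefix so it
# does not shadow the tunnel for addresses you actually want protected.
conn lan-passthrough
    type=passthrough
    authby=never
    auto=route
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/8

# Everything else (0.0.0.0/0 <-> 0.0.0.0/0) goes through the tunnel.
# No virtual IP is requested; the notebook forwards the LAN hosts' traffic
# with their own source addresses, so the remote side must be willing to
# accept 0.0.0.0/0 as the remote traffic selector.
conn to-gateway
    keyexchange=ikev2
    auto=start
    left=%defaultroute
    leftid=@notebook.example.com
    leftcert=notebookCert.pem
    leftsubnet=0.0.0.0/0
    right=vpn.example.com
    rightid=@vpn.example.com
    rightsubnet=0.0.0.0/0
```

Because the passthrough policy is installed unconditionally, it is worth checking with `ip xfrm policy` that only the intended LAN prefix bypasses IPsec; a too-broad passthrough (for example 0.0.0.0/0) would silently send all traffic in the clear.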

Re: [strongSwan] Strongswan 5.2.1 client problem - IKEv1 aggressive PSK+XAUTH with Virtual IP

2014-12-23 Thread Noel Kuntze
Hello MK, Please enable CISCO UNITY and omit leftsubnet. If you use virtual IPs, those should be included in the traffic selector. leftsubnet defaults to %dynamic. %dynamic is replaced dynamically by either the received virtual IP or the

Re: [strongSwan] Destination unreachable issue

2014-12-23 Thread Noel Kuntze
Hello Xin, You need to configure your firewall to allow UDP ports 500 and 4500 through, as well as the esp and ah protocols. StrongSwan does not send such ICMP messages to initiators. Kind regards/Regards, Noel Kuntze GPG Key ID:

Re: [strongSwan] Does the Strongswan Android Play Store app use the socket_dynamic or socket_default plugin?

2014-12-23 Thread Noel Kuntze
Hello Ravi, The socket-dynamic plugin enables strongSwan to listen on an arbitrary port and not on udp ports 500 and 4500. That enables you to avoid having to use SNAT to masquerade IPsec traffic in cases the ports 500 and 4500 are blocked on a

Re: [strongSwan] Strongswan and VTI

2014-12-23 Thread Noel Kuntze
Hello Jeremie, Please read the thread at [1]. VTI tunnels have been discussed in great detail just a couple of days ago and made working. [1] https://lists.strongswan.org/pipermail/users/2014-December/007108.html Mit freundlichen

Re: [strongSwan] keyingtries = %forever not working

2014-12-23 Thread Noel Kuntze
Hello Vey, That is a known issue. As a workaround, I advise using auto=route and dpd to restart connections. Use dpdaction=restart on one side and dpdaction=clear on the other side. Having dpdaction=restart on both sides will break the tunnel and
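The workaround above, written out as a pair of ipsec.conf connections; this is an added example, not Noel's text or the strongSwan project's configuration. Both ends use auto=route so the trap policy re-triggers negotiation whenever traffic appears, exactly one end (site A) has dpdaction=restart, and the other (site B) has dpdaction=clear. Addresses (198.51.100.1 and 203.0.113.2), identities, subnets and certificate file names are assumptions.

```ini
# Added example (not from the original thread or strongSwan's own docs).
# Addresses, IDs, subnets and certificate files are assumptions.

# ---- Site A: the side that actively re-establishes the tunnel ----
conn a-to-b
    keyexchange=ikev2
    auto=route            # trap policy: traffic re-triggers IKE after a failure
    left=198.51.100.1
    leftid=@site-a.example.com
    leftcert=siteACert.pem
    leftsubnet=10.1.0.0/24
    right=203.0.113.2
    rightid=@site-b.example.com
    rightsubnet=10.2.0.0/24
    dpddelay=30s          # send a DPD/liveness check after 30s of silence
    dpdaction=restart     # peer dead -> tear down and re-initiate

# ---- Site B: the side that only cleans up ----
conn b-to-a
    keyexchange=ikev2
    auto=route
    left=203.0.113.2
    leftid=@site-b.example.com
    leftcert=siteBCert.pem
    leftsubnet=10.2.0.0/24
    right=198.51.100.1
    rightid=@site-a.example.com
    rightsubnet=10.1.0.0/24
    dpddelay=30s
    dpdaction=clear       # peer dead -> drop SAs, wait for A (or traffic) to re-initiate
```

With auto=route on site B as well, B's trap policy still lets B initiate when its own LAN sends traffic first, so the asymmetry in dpdaction does not make the tunnel one-directional; it only ensures the two ends never race each other with simultaneous restarts, which is the failure mode the reply warns about.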

[strongSwan] Dynamic IP to VPS site-to-site

2014-12-23 Thread Eric Zhang
How can I use RSA authentication with X.509 certificates to set up an IP tunnel between my PPPoE host and a VPS (which has a fixed IP)? Thanks, Eric ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] Strongswan site-to-site ssh session freeze after a few seconds

2014-12-23 Thread Wanderley Teixeira
Hello. I have Strongswan running on a Debian 3.2.0-4. Server setup: eth0 with a local IP (192.168.1.12) and router gateway 192.168.1.1 (different Internet from eth1) eth1 is connected directly to the outside (not the .1.1 router) with a static public ip (for example, 63.12.1.34 – different