Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Houman
Thank you both Christian and Jafar for the clear proposals. So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the stronger set of encryption, do I set *aes256-sha256-prfsha256-modp2048* into *ike* only? Or both in *ike* and *esp*? This part wasn't quite clear to me. Yeah, I

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Christian Salway
I don’t change the default ESP ciphers, only the IKE ones. I should probably look into them at some point. > On 8 May 2018, at 19:55, Houman wrote: > > Thank you both Christian and Jafar for the clear proposals. > > So yes, if I wanted to support Windows 10, iOS/OSX and

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Jafar Al-Gharaibeh
Houman, no need to configure a PRF, it is already assumed when you configure a DH group; so you can drop prfsha256. And as Christian suggested, if all your clients support strong encryption, drop all weak algorithms/proposals from the server end, i.e. 3des, sha1, modp1024. I can't

Re: [strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Tobias Brunner
Hi Marco, > I would like to ask if this swanctl.conf file is > equivalent to the above ipsec.conf: No, you just redefined the value of `id`. There is currently no exact equivalent for the `also` keyword in swanctl.conf, so you have to work with `include`. That is, you extract all the shared

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Christian Salway
or completely ignore that because you just said no systemd :( Sorry! > On 8 May 2018, at 10:34, Christian Salway > wrote: > > and don't forget to enable the service > > systemctl enable

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Christian Salway
To manually build StrongSwan, I use the following:
wget http://download.strongswan.org/strongswan.tar.bz2
tar xjvf strongswan.tar.bz2; cd strongswan*
./configure --prefix=/usr --sysconfdir=/etc \
  --enable-systemd --enable-swanctl \
  --disable-charon --disable-stroke --disable-scepclient \

Re: [strongSwan] Sudden issues with Windows 10 clients

2018-05-08 Thread Christian Salway
The problem with Windows (10 at least) is that it offers the weakest ciphers first, so you should remove sha1 and 3des. The minimum proposals you should have, and which are compatible with Windows 10, OSX, iOS and Linux, are the following: proposals = aes256-sha256-prfsha256-modp2048-modp1024

[strongSwan] starting strongswan without starter

2018-05-08 Thread Marco Berizzi
Hello everyone, I have compiled strongswan on Slackware Linux with --disable-stroke and the starter is not built anymore. Slackware is one of the few distros which is not (yet) systemd based. Which is the correct way to start strongswan without 'ipsec start'?

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Andreas Steffen
Hi Marco, you can put the following script https://github.com/strongswan/strongswan/blob/master/testing/hosts/default/etc/init.d/charon into /etc/init.d/ and either start and stop the charon daemon manually with service charon start|stop or put a link to the script into the appropriate

[strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Marco Berizzi
Hello everyone, I'm running strongswan 5.6.3dr1 on Slackware Linux. On this strongswan box an IKEv2 tunnel is configured to a customer Checkpoint R77.30 gateway. Sometimes, for an unknown reason, the Checkpoint will try to initiate the IKE_SA, but instead of using its public IP address as the

Re: [strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Christian Salway
id = customer_public id1 = 192.168.53.22 You have to use different id identities > On 8 May 2018, at 10:20, Marco Berizzi wrote: > > id = customer_public > id = 192.168.53.22

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Christian Salway
and don't forget to enable the service systemctl enable strongswan-swanctl.service > On 8 May 2018, at 10:33, Marco Berizzi wrote: > > Hello everyone, > > I have compiled strongswan on slackware linux with: > > --disable-stroke > > and the

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Tobias Brunner
Hi Marco, > Which is the correct way to start strongswan > without 'ipsec start' ? You could start charon directly (see e.g. the script from our testing environment that Andreas referenced). On the other hand, you could also just continue to use starter (i.e. build with --enable-stroke) and

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Marco Berizzi
Hi Andreas, Hi everyone, thanks but there is no 'start-stop-daemon' on Slackware. I will keep building strongswan without the 'disable-stroke' as suggested by Tobias. As a suggestion, it would be beautiful to get starter working also without the presence of the /etc/ipsec.conf :-)

Re: [strongSwan] multiple id for same ipsec peer

2018-05-08 Thread Marco Berizzi
Hi Tobias, > There is currently no exact equivalent for > the `also` keyword in swanctl.conf a nice feature to add in a future release :-)

Re: [strongSwan] Multiple ChildSA

2018-05-08 Thread Naveen Neelakanta
Hi All, I am using IKEv1 and I see multiple ChildSA INSTALLED, I have enabled make-before-break. I am not able to reproduce this issue, but when this happens my traffic is affected. Below is the config that I am trying to reproduce. { "_ts": "2018-05-08T18:30:02.718Z", "_prog": "charon",