Re: [strongSwan] [patch] add support for --disable-threads
On Tuesday, 2. December 2008 10:05:10 you wrote:
> Thanks, applied to [4735]. I slightly modified the patch that this
> option affects pluto only. I think it might be somewhat confusing for
> a user if --disable-threads completely removes IKEv2 support.

Fine with me. I thought threads are needed for charon...

The strongswan download page still links to the old CVS repository. As the revision number indicated the source is maintained via SVN, I quickly found the trac link while searching the mailing list archive ;-)

Thomas
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] received netlink error: Invalid argument (22)
Thank you for your response.

Well, I was testing this: http://www.strongswan.org/uml/testresults42/openssl/ike-alg-ecp-low/
Example configurations must be wrong then.

Martin Willi wrote:
> Hi,
>
> > carol# ipsec up home
> > received TS_UNACCEPTABLE notify, no CHILD_SA built
>
> Carol proposes leftsubnet=10.20.5.46/16 rightsubnet=10.20.5.46/16, but
> moon accepts leftsubnet=10.20.5.46/16 only. Not defining a subnet
> results in a host2host tunnel. Do you really want to include a subnet
> on the client side?
>
> > dave# ipsec up home
> > received netlink error: Invalid argument (22)
> > unable to install source route for 10.0.3.3
>
> The tunnel should be OK, just the route is missing. We use a separate
> routing table (220) to install our routes, probably support for
> additional tables is missing in your kernel. Double-check if your
> kernel supports multiple routing tables [1], or set the routing_table
> option to 0 for the main table (not recommended, see [2]).
>
> Regards
> Martin
>
> [1] http://trac.strongswan.org/wiki/KernelModules
> [2] http://trac.strongswan.org/wiki/strongswanConf

Re: [strongSwan] received netlink error: Invalid argument (22)
Hi,

> carol# ipsec up home
> received TS_UNACCEPTABLE notify, no CHILD_SA built

Carol proposes leftsubnet=10.20.5.46/16 rightsubnet=10.20.5.46/16, but moon accepts leftsubnet=10.20.5.46/16 only. Not defining a subnet results in a host2host tunnel. Do you really want to include a subnet on the client side?

> dave# ipsec up home
> received netlink error: Invalid argument (22)
> unable to install source route for 10.0.3.3

The tunnel should be OK, just the route is missing. We use a separate routing table (220) to install our routes, probably support for additional tables is missing in your kernel. Double-check if your kernel supports multiple routing tables [1], or set the routing_table option to 0 for the main table (not recommended, see [2]).

Regards
Martin

[1] http://trac.strongswan.org/wiki/KernelModules
[2] http://trac.strongswan.org/wiki/strongswanConf

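One way to do the kernel check suggested in the message above, as an added example that is not part of the original thread. It assumes the relevant kernel option is CONFIG_IP_MULTIPLE_TABLES (IPv4 policy routing) and that the kernel config is readable at one of the usual locations; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: report whether a kernel config enables multiple routing
# tables (policy routing), which installing routes into table 220 needs.

# Print the first readable kernel config among the usual locations.
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# $1 = path to a kernel config (plain text or .gz)
# prints: enabled | disabled | unknown
multiple_tables_status() {
    case "$1" in
    *.gz) reader='gzip -dc' ;;
    *)    reader='cat' ;;
    esac
    # A config either sets the symbol or carries an "is not set" comment.
    line=$($reader "$1" 2>/dev/null |
        grep -E '^(# )?CONFIG_IP_MULTIPLE_TABLES[= ]' | head -n 1)
    case "$line" in
    'CONFIG_IP_MULTIPLE_TABLES=y')            echo enabled ;;
    '# CONFIG_IP_MULTIPLE_TABLES is not set') echo disabled ;;
    *)                                        echo unknown ;;
    esac
}

# Check the running kernel when its config can be found.
if cfg=$(find_kernel_config); then
    echo "$cfg: CONFIG_IP_MULTIPLE_TABLES $(multiple_tables_status "$cfg")"
else
    echo "no readable kernel config found"
fi
```

A result of "disabled" matches the symptom in the message: the tunnel comes up but the source route cannot be installed in table 220.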
Re: [strongSwan] [patch] add missing include
Hi Thomas,

> attached patch fixes a small compile error of struct tm not being defined.

Applied to [4733], thanks.

Best regards
Martin

Re: [strongSwan] updown script failure?
There seems to be a problem with iptables:

> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615

Which kernel and which iptables version are you using? Are you able to insert an IPsec policy iptables rule manually?

    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        -s $PLUTO_MY_CLIENT $S_MY_PORT \
        -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT

Just replace all script parameters by their actual values.

The VPN_LOGGING information seems to be correct:

> vpn: + [EMAIL PROTECTED] 10.10.0.1/32 == 65.x.x.138 -- 63.x.x.205 == 0.0.0.0/0

generated by

    logger -t $TAG -p $FAC_PRIO \
        + $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT

Best regards
Andreas

[EMAIL PROTECTED] wrote:
> Hi, have a problem with my strongswan set up. It looks like the
> insertion of a firewall rule by the updown script seems to be failing.
> The log messaging I am getting is not giving me a lot to go on... (my
> loglevel is set to 5 for CHD) I am hoping someone has seen this issue
> before or could recommend a troubleshooting way forward.
>
> Thanks
> -Dan C.
>
> General FYI
> Kernel=2.6.9-42.0.3
> No issues on startup
> Using EAP SIM Authentication
> Public IP addresses have been 'modified' in log below
> strongswan-4.2.5
>
> Log Message on tunnel initiation
> charon: 09[AUD] IKE_SA rw-eapsim-131000123601[1] established between [EMAIL PROTECTED]
> charon: 09[IKE] peer requested virtual IP %any
> charon: 09[IKE] assigning virtual IP 10.10.0.1 to peer
> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
> charon: 09[CHD] updown: iptables: Unknown error 18446744073709551615
> vpn: + [EMAIL PROTECTED] 10.10.0.1/32 == 65.x.x.138 -- 63.x.x.205 == 0.0.0.0/0
> charon: 09[AUD] CHILD_SA rw-eapsim-abc{1} established with SPIs c2cb37d5_i 33908b00_o and TS 0.0.0.0/0 === 10.10.0.1/32
>
> Log Message on Strongswan shutdown
> charon: 01[CHD] running updown script: 21
>     PLUTO_VERSION='1.1'
>     PLUTO_VERB='down-client'
>     PLUTO_CONNECTION='rw-eapsim-abc'
>     PLUTO_INTERFACE='eth0'
>     PLUTO_REQID='2'
>     PLUTO_ME='63.x.x.205'
>     PLUTO_MY_ID='sgw.xxx.com'
>     PLUTO_MY_CLIENT='0.0.0.0/0'
>     PLUTO_MY_CLIENT_NET='0.0.0.0'
>     PLUTO_MY_CLIENT_MASK='0'
>     PLUTO_MY_PORT='0'
>     PLUTO_MY_PROTOCOL='0'
>     PLUTO_PEER='65.x.x.138'
>     PLUTO_PEER_ID='[EMAIL PROTECTED]'
>     PLUTO_PEER_CLIENT='10.10.0.1/32'
>     PLUTO_PEER_CLIENT_NET='10.10.0.1'
>     PLUTO_PEER_CLIENT_MASK='32'
>     PLUTO_PEER_PORT='0'
>     PLUTO_PEER_PROTOCOL='0'
>     ipsec _updown iptables
> charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?)
> charon: 01[CHD] updown: iptables: Bad rule (does a matching rule exist in that chain?)
> vpn: - [EMAIL PROTECTED] 10.10.0.1/32 == 65.57.245.138 -- 63.80.235.205 == 0.0.0.0/0

--
==
Andreas Steffen [EMAIL PROTECTED]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
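
The manual test suggested in the reply above, as an added example that is not part of the original thread: it prints the two updown iptables rules with every parameter replaced by the PLUTO_* values from the quoted log. The expansion of $IPSEC_POLICY_IN/$IPSEC_POLICY_OUT and of the port options is an assumption based on the stock _updown script; the helper function names are hypothetical.

```sh
#!/bin/sh
# Added example: print the _updown iptables rules with all parameters expanded.
# Values copied from the PLUTO_* dump in the quoted log.
PLUTO_INTERFACE='eth0'
PLUTO_REQID='2'
PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0'
PLUTO_PEER_CLIENT='10.10.0.1/32'
PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0'

# Assumption: $IPSEC_POLICY_IN/OUT expand as in the stock _updown script.
ipsec_policy() {  # $1 = in|out
    echo "-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID --dir $1"
}

# Assumption: a port selector is only emitted for a non-zero port.
port_opt() {  # $1 = --sport|--dport, $2 = port
    if [ "$2" != 0 ]; then echo "$1 $2"; fi
}

# $1 = -I (insert, as on "up") or -D (delete, as on "down"); $2 = INPUT|OUTPUT
manual_rule() {
    op=$1 chain=$2 pos=''
    if [ "$op" = "-I" ]; then pos=1; fi
    case "$chain" in
    INPUT)
        # Unquoted expansions are intentional: empty options drop out.
        echo iptables "$op" INPUT $pos -i "$PLUTO_INTERFACE" \
            -p "$PLUTO_MY_PROTOCOL" \
            -s "$PLUTO_PEER_CLIENT" $(port_opt --sport "$PLUTO_PEER_PORT") \
            -d "$PLUTO_MY_CLIENT" $(port_opt --dport "$PLUTO_MY_PORT") \
            $(ipsec_policy in) -j ACCEPT ;;
    OUTPUT)
        echo iptables "$op" OUTPUT $pos -o "$PLUTO_INTERFACE" \
            -p "$PLUTO_PEER_PROTOCOL" \
            -s "$PLUTO_MY_CLIENT" $(port_opt --sport "$PLUTO_MY_PORT") \
            -d "$PLUTO_PEER_CLIENT" $(port_opt --dport "$PLUTO_PEER_PORT") \
            $(ipsec_policy out) -j ACCEPT ;;
    *)
        echo "unknown chain: $chain" >&2; return 1 ;;
    esac
}

# Print the commands for review before running them by hand as root.
manual_rule -I INPUT
manual_rule -I OUTPUT
```

If the printed command fails by hand with the same error, rerunning it without the `-m policy ...` part shows whether the policy match itself is what iptables rejects.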