Re: [strongSwan] traffic shaping on tunnels
no one?

hi list,

setup is strongswan 4.1.11 running on a linux box with kernel 2.6.24.3

since the not ipsec-related traffic gets higher on this box, i wanted to know which is the easiest way to do some traffic shaping like reserve x mbit for tunnel A, y mbit for tunnel B etc. and let the remaining bandwidth be used by other services, so that there is an individual defined guaranteed minimum bandwidth for the active tunnels?

if this question is some kind of off-topic, please can someone point me to the right direction/place?

thanks in advance
martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] anti-replay window size?
Hello,

currently the kernel interface method add_sa() of the IKEv2 daemon sets the replay window size to a constant value of 32:

http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c#L965

whereas in the kernel interface method netlink_add_sa() of the IKEv1 daemon the size is configurable:

http://wiki.strongswan.org/repositories/entry/strongswan/src/pluto/kernel_netlink.c#L606

but in kernel.c where netlink_add_sa() is called, the value is set invariably to 32, too:

Best regards

Andreas

Yong Choo wrote:

Is there a way of controlling anti-replay window size although I understand that strongswan supports it. I reviewed the man page of ipsec.conf but there is no mention of it.

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
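What a fixed replay window of 32 means for a receiver, as an added example that is not part of the original message and is not strongSwan or kernel code: a bitmap sliding-window check in the style of RFC 4303, run over a constructed scenario where one packet arrives late. The names replay_state, replay_accept and late_packet_outcome are hypothetical, and the window of 64 is used only for comparison.

```c
#include <stdint.h>
#include <stdio.h>
/* Receiver-side anti-replay state for one SA (illustrative sketch). */
struct replay_state {
    uint32_t window;   /* window size in packets, 1..64 */
    uint32_t top;      /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set => sequence number (top - i) already seen */
};

/* Returns 1 if the packet is accepted (and recorded), 0 if it is dropped. */
int replay_accept(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return 0;                          /* senders start counting at 1 */
    if (seq > st->top) {                   /* newer than anything seen: slide */
        uint32_t shift = seq - st->top;
        st->bitmap = (shift >= 64) ? 0 : st->bitmap << shift;
        st->bitmap |= 1;
        st->top = seq;
        return 1;
    }
    uint32_t offset = st->top - seq;
    if (offset >= st->window)
        return 0;                          /* fell out of the window: too old */
    if (st->bitmap & ((uint64_t)1 << offset))
        return 0;                          /* already seen: replay */
    st->bitmap |= (uint64_t)1 << offset;
    return 1;
}

/* Constructed scenario: packets 1..newest arrive in order except `late`,
 * which then arrives twice. Bit 0 = first arrival accepted, bit 1 = duplicate accepted. */
int late_packet_outcome(uint32_t window, uint32_t late, uint32_t newest)
{
    struct replay_state st = { window, 0, 0 };
    for (uint32_t s = 1; s <= newest; s++)
        if (s != late)
            replay_accept(&st, s);
    int first = replay_accept(&st, late);
    int dup = replay_accept(&st, late);
    return first | (dup << 1);
}

int main(void)
{
    printf("window 32, 31 behind: %d\n", late_packet_outcome(32, 69, 100));
    printf("window 32, 40 behind: %d\n", late_packet_outcome(32, 60, 100));
    printf("window 64, 40 behind: %d\n", late_packet_outcome(64, 60, 100));
    return 0;
}
```

With the window at 32, a legitimate packet that is reordered by 32 or more sequence numbers is dropped exactly like a replay, which is why the window size matters on links that reorder heavily.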
Re: [strongSwan] unable to allocate SPIs from kernel
Can someone please help me with this "unable to allocate SPIs from kernel" message?

On Tue, Aug 18, 2009 at 3:34 PM, Deva Pandian deva.pand...@gmail.com wrote:

Hi,

I am an ipsec beginner. I installed strongswan 4.3.3 on my FC10/FC11 machines and tried to set up a host-host tunnel. But I get the following error. Googling it and searching for it in strongswan wiki didn't give any results.

[r...@localhost ~]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.3.3 IPsec [starter]...
[r...@localhost ~]# ipsec up host-host
initiating IKE_SA host-host[1] to 10.40.128.14
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.47.20.20[500] to 10.40.128.14[500]
received packet: from 10.40.128.14[500] to 10.47.20.20[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'moon.strongswan.org' (myself) with pre-shared key
establishing CHILD_SA host-host
unable to allocate SPIs from kernel

Can someone please help me? I tried rebuilding the kernel with the ipsec options mentioned in the doc. But I still see the error.

Thanks.