Re: [strongSwan] FW: strongSwan installs SPs?

2009-08-26 Thread Martin Willi
Hi,

> Is it possible for a user space program, registered with XFRM, to delete
> policies that charon adds?

Yes.

> Will that create some errors in charon in subsequent processing?

Charon expects a policy, so deleting will fail. As charon uses refcounting to handle CHILD_SAs with identical polic

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Martin Willi
Hi,

> I can not find the daemon.log on moon side.

charon by default logs to the DAEMON syslog facility. But it depends on your syslogger configuration to which file syslogger logs to.

> The moon side is Fedora Core 9 Linux.

Our (rather old) Fedora box uses /var/log/daemon.

Regards
Martin

Re: [strongSwan] no trusted RSA public key found

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

Thanks a lot for your help. I had doubts about the time difference, but had not checked the timezone. I have root permission, I will change the system time.

Roger

> -Original Message-
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 1:37 P

Re: [strongSwan] no trusted RSA public key found

2009-08-26 Thread Andreas Steffen
Hi Roger,

you have a time synchronisation problem on your linux boxes. The certificate you generated starts to be valid (notBefore) on

  Aug 27 13:45:47 UTC 2009

The current time on moon is not known but on sun it is Aug 27 10:10:11 (Shandong local time). Since in China you are ahead of UTC by a

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

Thanks for your detailed explanation. One more question. I cannot find the daemon.log on moon side. Seems like it is not generated. Then how can I generate it? The moon side is Fedora Core 9 Linux.

Roger

> -Original Message-
> From: Andreas Steffen [mailto:andreas.stef...@stron

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Andreas Steffen
Roger,

as Martin mentioned in his previous mail, a stupid bug was introduced some time back in the strongSwan 4.3 branch that incorrectly encodes the email address in a left|rightid="" statement. There are the following workarounds:

1) Don't use email RDNs in DNs since they are bad practice anywa

[strongSwan] no trusted RSA public key found

2009-08-26 Thread Zhang, Long (Roger)
Hi,

I am trying IPSec with StrongSwan on two Linux boxes. The example is http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/

Currently I see a problem "no trusted RSA public key found". I do not know why it is reported. My certificate sunCert.pem looks good. And the CA is shared for

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Martin,

I can pass authentication now after I set subjectAltName, but I always fail when I use the DN. Curious what is wrong.

Thanks,
Roger

> -Original Message-
> From: users-boun...@lists.strongswan.org [mailto:users-
> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
>

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Martin,

Thanks for your reply. I tried with the full DN, but still failed :-(

I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and combination

Re: [strongSwan] FW: strongSwan installs SPs?

2009-08-26 Thread Stephen Pisano
Hi Andreas:

Is it possible for a user space program, registered with XFRM, to delete policies that charon adds? Will that create some errors in charon in subsequent processing?

When does charon delete policies? What happens if charon tries to delete a policy (that it previously added) that i

Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Andreas Steffen
ipsec statusall shows the connection definitions.

Andreas

Yong Choo wrote:
>
> Will the charon's log show the auto-detected ipv4 vs. ipv6 per connection?
>
> I looked at the daemon.log & auth.log example but did not see. Perhaps I
> need to enable more charon debug level?
>
> Yong Choo wrote

Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Yong Choo
Will the charon's log show the auto-detected ipv4 vs. ipv6 per connection?

I looked at the daemon.log & auth.log example but did not see. Perhaps I need to enable more charon debug level?

Yong Choo wrote:
> Auto Detect! The Best!
> Thank You!
>
> Andreas Steffen wrote:
>> Hi Yong Choo,
>>
>> w

Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Yong Choo
Auto Detect! The Best!
Thank You!

Andreas Steffen wrote:
> Hi Yong Choo,
>
> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6
> options at all. I think they are FreeS/WAN legacy and should be
> removed from our man pages.
>
> Both strongSwan pluto and strongSwan charon detect IPv4 a

Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Andreas Steffen
Hi Yong Choo,

we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 options at all. I think they are FreeS/WAN legacy and should be removed from our man pages.

Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 addresses automatically, so you don't have to give any explici

[strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Yong Choo
Hi all,

I want to enable charon and disable pluto in order to limit to IKEv2 without 'mobike'. When I enable charon in ipsec.conf,

- does charon support only ipv6? (It was not clear whether this is the default behavior for 'charon' in the description http://www.strongswan.org/index.htm)
- I rea

Re: [strongSwan] unroute problem

2009-08-26 Thread Andreas Steffen
Hi,

there is no established IPsec SA between the two hosts. You must start the IKE negotiation with the command

  ipsec up host-host

if the setting in ipsec.conf is auto=add or change the setting to auto=start which will start the negotiation automatically.

Regards
Andreas

Sushil Chaudhari wrot

Re: [strongSwan] unroute problem

2009-08-26 Thread Sushil Chaudhari
Hello Everyone,

I am trying to establish a static SA between two hosts. But when I run the command ipsec status, it gives me

r...@sushil:/etc# ipsec status
000 "host-host": 192.168.1.143[C=us, ST=ma, O=mzeal, OU=op, CN=192.168.1.143]---192.168.1.1...192.168.1.124[C=us, O=mzeal, CN=192.168.1.124

Re: [strongSwan] strongswan dropping encapsulated ESP packet...

2009-08-26 Thread sunil kumar
Dear Andreas,

Thanks for the reply. There was a problem with packet encapsulation. Now, it is working fine.

Regards,
Sunilkumar

On Wed, Aug 26, 2009 at 12:20 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi,
>
> dropped ESP packets will not appear in the strongSwan logs because
> the

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Martin Willi
Hi Roger,

> peerid sun.strongswan.org not confirmed by certificate, defaulting to
> subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com

strongSwan requires the peer ID to be contained in the certificate (either the complete DN, or as a subjectAltName,

[strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Hi,

I am trying IPSec with StrongSwan on two Linux boxes. The example is http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/

Currently I see a problem "no matching peer config found" from daemon.log. I think the problem is in the ipsec.conf rightid and leftid, I tried many ways, but i

Re: [strongSwan] can not find private key for certificate

2009-08-26 Thread Andreas Steffen
But your private key seems to be protected by a passphrase:

> [r...@localhost reqs]# openssl rsa -in hostKey.pem -noout -text
> Enter pass phrase for hostKey.pem:
> Private-Key: (1024 bit)

You must add this passphrase to the key entry in ipsec.secrets:

: RSA /etc/ipsec.d/reqs/hostKey.pem ""

Re

Re: [strongSwan] can not find private key for certificate

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

I added the passphrase to the private key in ipsec.secrets, it works now. Curious it works now, I tried this way this morning.

[r...@localhost etc]# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA /etc/ipsec.d/reqs/hostKey.pem "123456"

Thanks,
Roger

> -Or

Re: [strongSwan] can not find private key for certificate

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

Thanks for your reply. I checked the modulus of the private key and the certificate. They match. Below is my execution output.

[r...@localhost etc]# ipsec listcerts

List of X.509 End Entity Certificates:

  subject: "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m