Hi Jessie,
You can write a libstrongswan crypto plugin which makes
use of the hardware accelerator for IKE. You can use the existing
VIA PadLock plugin as a model for your plugin:
http://wiki.strongswan.org/repositories/browse/strongswan/src/libstrongswan/plugins/padlock
Best regards
Andreas
Hi all,
I have some questions about cryptographic offload engines.
I have kernel drivers provided by the vendor's BSP, so the drivers register
the supported algorithms with the Linux crypto subsystem.
These algorithms provide ESP offload in the native IPsec stack (NETKEY)
and layer 2 Kasumi
ashish mahalka wrote:
> strongSwan runs at the other end. I'm not sure whether the packets were
> reaching the other end or not. But one thing is sure, there was no
> response from strongSwan on the other end.
I'm afraid you have to find out whether the packets make it to the other
end. Are yo
I use Cisco vpn client 5.0.
On Thu, Jan 7, 2010 at 3:18 AM, Daniel Mentz wrote:
> The following log message is most relevant:
>
> "cisco"[5] 218.240.6.69:56413 #5: next payload type of ISAKMP Hash Payload
> has an unknown value: 197
>
> I can't tell why the Cisco VPN client sends this type of pa
The following log message is most relevant:
"cisco"[5] 218.240.6.69:56413 #5: next payload type of ISAKMP Hash
Payload has an unknown value: 197
I can't tell why the Cisco VPN client sends this type of payload. 197 is
vendor specific. Only the strongSwan developers can help in that
situation.
I removed the user/password pairs in /etc/ipsec.secrets because the Cisco
VPN client only supports X.509 authentication... no user/password options.
On Thu, Jan 7, 2010 at 2:35 AM, Daniel Mentz wrote:
> Kalaj wrote:
>>
>> "cisco"[2] 218.240.6.69:49983 #2: peer requested 2147483 seconds which
>> exceeds our
Hello Daniel,
strongSwan runs at the other end. I'm not sure whether the packets were
reaching the other end or not. But one thing is sure, there was no response
from strongSwan on the other end.
Let me know if you require some new info.
Regards,
Ashish
On Thu, Jan 7, 2010 at 12:12 AM, Daniel
ashish mahalka wrote:
> One more thing I wanted to ask: if I don't know the DN of the peer
> certificate, can I mention my rightid as %any (as I have done here)?
I guess the trick is not to include rightid= at all.
In the log file you provided I can see charon retransmitting the initial
message
Kalaj wrote:
> "cisco"[2] 218.240.6.69:49983 #2: peer requested 2147483 seconds which
> exceeds our limit 86400 seconds
> "cisco"[2] 218.240.6.69:49983 #2: lifetime reduced to 86400 seconds
> (todo: IPSEC_RESPONDER_LIFETIME notification)
Please provide more debug output. I guess further syslog mes
add
authby=xauthrsasig
xauth=server
the statusall output became like below, but the VPN client errors with "Reason 401: An
unrecognized error occurred while establishing the VPN connection."
000 Status of IKEv1 pluto daemon (strongSwan 4.3.6dr5):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000
> "cisco"[3] 218.240.6.69:56131 #3: policy does not allow XAUTHInitRSA
> authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Not sure if that helps, but have a look at:
http://www.strongswan.org/docs/readme4.htm#section_14.6
Try adding
authby=xauthrsasig
xauth=server
-Daniel
Thanks Daniel, here it is.
000 Status of IKEv1 pluto daemon (strongSwan 4.3.6dr5):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 167.22.15.11:4500
000 interface eth0/eth0 167.22.15.11:500
000 interface eth0/eth0 10.0.0.1:45
Kalaj wrote:
> conn %default
> ikelifetime=60m
> keylife=20m
> keyexchange=ikev2
> rekeymargin=3m
> keyingtries=1
> left=167.22.15.11
> leftnexthop=167.22.15.1
> leftcert=no2.crt
> left...@test
> leftsourceip=10.3.0.1
>
Thanks guys, I switched to pluto; now the error is:
| preparse_isakmp_policy: peer requests PUBKEY+XAUTHRSASIG+XAUTHSERVER
authentication
packet from 218.240.6.69:59481: initial Main Mode message received on
167.22.15.11:500 but no connection has been authorized with
policy=PUBKEY+XAUTHRSAS
strongSwan has two apps, pluto for IKEv1 and charon for IKEv2, so you can't
have plutostart=no and get IKEv1 to work.
-Original Message-
From: users-boun...@lists.strongswan.org
[mailto:users-boun...@lists.strongswan.org] On Behalf Of Kalaj
Sent: Wednesday, January 06, 2010 9:09 AM
To: Ma
Just tried IKEv1, but still the same error.
On Wed, Jan 6, 2010 at 11:02 PM, Martin Willi wrote:
> Hi,
>
>> plutostart=no
>> keyexchange=ikev2
>
> I'm not aware of any Cisco VPN client that speaks IKEv2. You'll have to
> set up pluto and define an IKEv1 connection.
>
> Regards
> Mart
Hi,
> plutostart=no
> keyexchange=ikev2
I'm not aware of any Cisco VPN client that speaks IKEv2. You'll have to
set up pluto and define an IKEv1 connection.
Regards
Martin
___
Users mailing list
Users@lists.strongswan.org
https://lists.s
My ipsec.conf:
config setup
crlcheckinterval=180
nat_traversal=yes
charonstart=yes
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
keyexchange=ikev2
rekeymargin=3m
keyingtries=1
left=
Kalaj wrote:
> I just want to use the Cisco VPN client to connect to strongSwan but failed.
> I used X.509 authentication and enabled --cisco-quirks; maybe I made
> wrong certs or a wrong conf.
> Can you guys give me some advice? Thanks.
Please provide more details that enable troubleshooting: log files and
Hi all, I am new to strongSwan.
I just want to use the Cisco VPN client to connect to strongSwan but failed.
I used X.509 authentication and enabled --cisco-quirks; maybe I made
wrong certs or a wrong conf.
Can you guys give me some advice? Thanks.
Bests,
-Kalaj