Re: [strongSwan] Query regarding a particular scenario

2010-07-20 Thread vivek bairathi
Hi Andreas/Martin/Tobias,

Request you to please provide your comments for the mail below.

Regards,
Vivek

On Wed, Jul 14, 2010 at 11:55 AM, vivek bairathi bairathi.vi...@gmail.com wrote:

 Hi All,

 I have a query regarding a scenario. *The scenario is as follows*:

 *My implementation:* On a change of a parameter in ipsec.conf, I first
 bring down the SA, update the configuration and then bring it up again.

 *Scenario:* When I connect to a Security Gateway (SGW), I make an SA and
 start the traffic flow, but if in between the configuration changes on my
 side, I bring down the SA. Now, as the traffic is still flowing through the
 Security Gateway (SGW), it will again create an SA before the new
 configuration has been updated in the strongSwan IKEv2 stack, which is wrong,
 as the SA has now been created with the wrong configuration.

 *Q.* Do we have any parameter in the IKEv2 stack which says that no more
 connections are taken after a particular number of connections?
 If yes, then what's the parameter name? If no, then can you tell me how to
 resolve this problem?

 Thanks for your help in advance.

 Regards,
 Vivek




___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] Issue in creating the Strongswan setup

2010-07-20 Thread shibin k
Hi,

  I've just created a strongSwan setup on my machine and tried to run
charon. I'm getting the following error when trying to start charon.

00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1rc2)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL] 10.6.11.178
00[KNL] fe80::219:b9ff:fedd:74d0
00[KNL]   eth1
00[KNL] 191.168.68.3
00[KNL] 193.168.68.1
00[KNL] 194.168.68.1
00[KNL] 193.168.68.2
00[KNL] 194.168.68.2
00[KNL] fe80::219:b9ff:fedd:74d2
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule


 Any idea why this is happening?

*This is my ipsec configuration*:

conn net-to-net
    authby=secret
    left=194.168.68.1               # Local vitals
    leftsubnet=193.168.68.1/32      #
    leftnexthop=%defaultroute       # correct in many situations
    right=192.168.10.1              # Remote vitals
    rightsubnet=197.168.68.35/32    #
    right...@ab.example.com         #
    rightnexthop=%defaultroute      # correct in many situations
    auto=start                      # start this connection at startup

*My secret file content is*: 193.168.68.1 197.168.68.35 : PSK 123456789012345

Please let me know if there is any configuration error.

Thanks,
Shibin

Re: [strongSwan] Issue in creating the Strongswan setup

2010-07-20 Thread Martin Willi
Hi,

 00[KNL] unable to create IPv6 routing table rule

Seems that your kernel does not support multiple IPv6 routing tables
(IPV6_MULTIPLE_TABLES). Enable this option in the kernel if you need
full IPv6 support.

Regards
Martin





[strongSwan] ipv6ready IKEv2_Self_Test v1.0.3 failing with strongSwan

2010-07-20 Thread Jiri Bohac
Hi,

I have been trying to run the ipv6ready IKEv2_Self_Test against strongSwan
on SLES 11 SP1, as part of our preparation for the USGv6 certification. I
have encountered numerous problems. Below, I am listing a few examples
where I managed to pinpoint the problem.

The problem always turned out to be in the IKEv2 test scripts, not strongSwan.

Unfortunately, the IKEv2_Self_Test is part of the USGv6 test specifications:
http://w3.antd.nist.gov/usgv6/test-specifications.html
http://w3.antd.nist.gov/usgv6/TSTs/IKEv2_v1.0_C.html

The current (and also mandated by USGv6) version of the test tool is 1.0.3.
Since then, a new (v1.1.0) ipv6ready IKEv2 test specification has been 
published:
http://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf
However, the test tool is not yet (publicly?) available.

The first problem I actually debugged turned out to be an issue already known to
the ipv6ready guys. The tests get confused by strongSwan obeying:
   initiator SHOULD include as the first traffic selector in each of TSi
   and TSr a very specific traffic selector including the addresses in
   the packet triggering the request. [RFC 4306]
See http://www.tahi.org/users/mail-list/201005.month/1691.html
strongSwan does this since commit a13c013b. I reverted that for further testing.

The new v1.1.0 test specification has removed many of the test cases that
I see failing in the 1.0.3 version (good! the ones I looked into fail for
totally bogus reasons). I list all the failures below, the
tests removed in v1.1.0 are marked with an asterisk:

12 *Test IKEv2.EN.I.1.1.3.4: Close Connection when receiving INITIAL_CONTACT
13 *Test IKEv2.EN.I.1.1.3.5: Sending Liveness check
14  Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA
15 *Test IKEv2.EN.I.1.1.3.7: Sending Delete Payload for CHILD_SA
16 *Test IKEv2.EN.I.1.1.3.8: Sending Liveness check with unprotected messages
17  Test IKEv2.EN.I.1.1.4.1 Part A: Invalid payload type 1
18  Test IKEv2.EN.I.1.1.4.1 Part B: Invalid payload type 32
19  Test IKEv2.EN.I.1.1.4.1 Part C: Invalid payload type 49
20  Test IKEv2.EN.I.1.1.4.1 Part D: Invalid payload type 255
21  Test IKEv2.EN.I.1.1.4.2 Part A: Invalid payload type 1
22  Test IKEv2.EN.I.1.1.4.2 Part B: Invalid payload type 32
23  Test IKEv2.EN.I.1.1.4.2 Part C: Invalid payload type 49
24  Test IKEv2.EN.I.1.1.4.2 Part D: Invalid payload type 255
26  Test IKEv2.EN.I.1.1.5.2: Interaction of COOKIE and INVALID_KE_PAYLOAD
27  Test IKEv2.EN.I.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Responder
28  Test IKEv2.EN.I.1.1.6.1 Part A: Encryption Algorithm ENCR_AES_CBC
29 *Test IKEv2.EN.I.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
30  Test IKEv2.EN.I.1.1.6.1 Part C: Pseudo-random Function PRF_AES128_XCBC
31  Test IKEv2.EN.I.1.1.6.1 Part D: Integrity Algorithm AUTH_AES_XCBC_96
32  Test IKEv2.EN.I.1.1.6.1 Part E: D-H Group Group 14
33  Test IKEv2.EN.I.1.1.6.2 Part A: Encryption Algorithm ENCR_AES_CBC
34  Test IKEv2.EN.I.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
35  Test IKEv2.EN.I.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
36  Test IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
37  Test IKEv2.EN.I.1.1.6.2 Part E: Integrity Algorithm NONE
38  Test IKEv2.EN.I.1.1.6.2 Part F: Extended Sequence Numbers
39  Test IKEv2.EN.I.1.1.6.3 Part A: Multiple Encryption Algorithms
40  Test IKEv2.EN.I.1.1.6.3 Part B: Multiple Pseudo-random Functions
41  Test IKEv2.EN.I.1.1.6.3 Part C: Multiple Integrity Algorithms
42  Test IKEv2.EN.I.1.1.6.3 Part D: Multiple D-H Groups
44  Test IKEv2.EN.I.1.1.6.5 Part A: Multiple Encryption Algorithms
45  Test IKEv2.EN.I.1.1.6.5 Part B: Multiple Integrity Algorithms
46  Test IKEv2.EN.I.1.1.6.5 Part C: Multiple Extended Sequence Numbers
47  Test IKEv2.EN.I.1.1.6.6: Sending Multiple Proposals
48  Test IKEv2.EN.I.1.1.6.7: Receipt of INVALID_KE_PAYLOAD
49 *Test IKEv2.EN.I.1.1.6.8: Receipt of NO_PROPOSAL_CHOSEN
50  Test IKEv2.EN.I.1.1.6.9: Response with inconsistent SA Proposal for IKE_SA
52  Test IKEv2.EN.I.1.1.6.11 Part A: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
53  Test IKEv2.EN.I.1.1.6.11 Part B: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
54  Test IKEv2.EN.I.1.1.6.12: Creating an IKE_SA without a CHILD_SA
55  Test IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors
56 *Test IKEv2.EN.I.1.1.8.1 Part A: INVALID_IKE_SPI Different IKE_SA Initiator's SPI
57 *Test
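The RFC 4306 section 2.9 traffic-selector behaviour that Jiri's post says confuses the test tool (the packet-specific selector sent first, the configured subnet second, and the responder narrowing to what its policy allows), as an added illustration that is not code from strongSwan, the ipv6ready tool or this thread; the TS model and the function names are simplified assumptions, and both selectors in an intersection are assumed to be the same IP version:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TS:
    """One traffic selector: address range, IP protocol (0 = any), port range.
    Simplified model assumed for this illustration, not strongSwan's own type."""
    start: str
    end: str
    proto: int = 0
    port_lo: int = 0
    port_hi: int = 65535


def ts_from_network(net: str, proto: int = 0) -> TS:
    """Selector covering a whole configured subnet (leftsubnet/rightsubnet)."""
    n = ipaddress.ip_network(net, strict=False)
    return TS(str(n[0]), str(n[-1]), proto)


def ts_from_packet(addr: str, proto: int, port: int) -> TS:
    """The 'very specific' selector built from the packet that triggered the request."""
    return TS(addr, addr, proto, port, port)


def intersect(a: TS, b: TS) -> Optional[TS]:
    """Overlap of two selectors of the same IP version, or None if they are disjoint."""
    lo = max(ipaddress.ip_address(a.start), ipaddress.ip_address(b.start))
    hi = min(ipaddress.ip_address(a.end), ipaddress.ip_address(b.end))
    if lo > hi or (a.proto and b.proto and a.proto != b.proto):
        return None
    plo, phi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if plo > phi:
        return None
    return TS(str(lo), str(hi), a.proto or b.proto, plo, phi)


def initiator_ts(configured: TS, packet: Optional[TS]) -> List[TS]:
    """RFC 4306 2.9: when triggered by a packet, send the specific selector
    first and the configured one second; otherwise only the configured one."""
    return [packet, configured] if packet else [configured]


def responder_narrow(proposed: List[TS], policy: TS) -> Optional[List[TS]]:
    """Narrow the proposal to what local policy allows, keeping the initiator's
    order so its first choice survives when permitted; None means TS_UNACCEPTABLE."""
    kept = [x for x in (intersect(ts, policy) for ts in proposed) if x is not None]
    return kept or None
```

A checker that expects the proposal to contain exactly the configured selector will reject the two-element TSi/TSr a conformant initiator sends, which is the mismatch the post describes.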