Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT
Ok, thanks -Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Thursday, May 04, 2017 8:59 AM To: Modster, Anthony; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels Look for the list of variables in the large comments in the beginning of the updown script On 04.05.2017 17:48, Modster, Anthony wrote: > Hello Noel > ? can you provide the parameters I need to parse for up and down > > -Original Message- > From: Modster, Anthony > Sent: Thursday, May 04, 2017 8:47 AM > To: 'Noel Kuntze' ; > users@lists.strongswan.org > Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels > > ok > > -Original Message- > From: Noel Kuntze > [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:46 AM > To: Modster, Anthony ; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels > > 2. But you should check what event is it. And you obviously should tear down > the routes when the CHILD_SAs go down. 
> > On 04.05.2017 17:44, Modster, Anthony wrote: >> Hello Noel >> Just to be clear >> >> If using VICI, (1) do I attach the script during VICI config, or (2) >> run the script on the "event monitor" callback (when its called) >> >> -Original Message- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 8:40 AM >> To: Modster, Anthony ; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] multiple tunnels >> >> >> >> On 04.05.2017 17:27, Modster, Anthony wrote: >>> Hello Noel >>> >>> If I disable route installation. >>> >>> ? can a custom _updown script be used to set the route for each >>> tunnel >> Phew. I think you can, but you have to take care not to install duplicate >> routes. The hook you need to put your commands into, is called with each >> combination of subnets. >> >>> ? or can the "event monitor" callback be used to set the route for >>> each tunnel >> Yes, if you use VICI. You can script something with Python using the vici >> egg. >> >>> -Original Message- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Thursday, May 04, 2017 8:22 AM >>> To: Modster, Anthony ; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels >>> >>> Nope. But you can disable the route installation from charon by setting >>> charon.install_routes to no. >>> You can't use the _updown script to manage routes. >>> >>> On 04.05.2017 17:17, Modster, Anthony wrote: Hello Noel ? 
is there a way to use _updown to set both routes (disabling Charon from setting the current route) -Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Thursday, May 04, 2017 4:12 AM To: Modster, Anthony ; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels Hello Anthony, I don't understand what you mean with that, but you could add a route to the remote peer with a higher MTU, if you can actually communicate over the other link with the IP on the other interface (the IP of another provider). If you can't do that, then this is not solvable. On 04.05.2017 02:02, Modster, Anthony wrote: > Hello Noel > We were thinking of changing the created via for eth1.13 (adding matric > info). > Then when ppp0 tunnel comes up, create another via for it. > > I think Charon does try to create a via for ppp0, but can't. > > -Original Message- > From: Noel Kuntze > [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Wednesday, May 03, 2017 4:45 PM > To: Modster, Anthony ; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [strongSwan] [SUSPECT EMAIL: No
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tun
Hello Noel ? can you provide the parameters I need to parse for up and down -Original Message- From: Modster, Anthony Sent: Thursday, May 04, 2017 8:47 AM To: 'Noel Kuntze'; users@lists.strongswan.org Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels ok -Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Thursday, May 04, 2017 8:46 AM To: Modster, Anthony ; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels 2. But you should check what event is it. And you obviously should tear down the routes when the CHILD_SAs go down. On 04.05.2017 17:44, Modster, Anthony wrote: > Hello Noel > Just to be clear > > If using VICI, (1) do I attach the script during VICI config, or (2) > run the script on the "event monitor" callback (when its called) > > -Original Message- > From: Noel Kuntze > [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:40 AM > To: Modster, Anthony ; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] multiple tunnels > > > > On 04.05.2017 17:27, Modster, Anthony wrote: >> Hello Noel >> >> If I disable route installation. >> >> ? can a custom _updown script be used to set the route for each >> tunnel > > Phew. I think you can, but you have to take care not to install duplicate > routes. The hook you need to put your commands into, is called with each > combination of subnets. > >> >> ? or can the "event monitor" callback be used to set the route for >> each tunnel > > Yes, if you use VICI. 
You can script something with Python using the vici egg. > >> >> -Original Message- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 8:22 AM >> To: Modster, Anthony ; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels >> >> Nope. But you can disable the route installation from charon by setting >> charon.install_routes to no. >> You can't use the _updown script to manage routes. >> >> On 04.05.2017 17:17, Modster, Anthony wrote: >>> Hello Noel >>> >>> ? is there a way to use _updown to set both routes (disabling >>> Charon from setting the current route) >>> >>> -Original Message- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Thursday, May 04, 2017 4:12 AM >>> To: Modster, Anthony ; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] multiple tunnels >>> >>> Hello Anthony, >>> >>> I don't understand what you mean with that, but you could add a route to >>> the remote peer with a higher MTU, if you can actually communicate over the >>> other link with the IP on the other interface (the IP of another provider). >>> If you can't do that, then this is not solvable. >>> >>> On 04.05.2017 02:02, Modster, Anthony wrote: Hello Noel We were thinking of changing the created via for eth1.13 (adding matric info). Then when ppp0 tunnel comes up, create another via for it. I think Charon does try to create a via for ppp0, but can't. 
-Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Wednesday, May 03, 2017 4:45 PM To: Modster, Anthony ; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels Hello Anthony, As predicted, charon can't find an alternative network path: 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ... 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change 2017 May 3
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tun
ok -Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Thursday, May 04, 2017 8:46 AM To: Modster, Anthony; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels 2. But you should check what event is it. And you obviously should tear down the routes when the CHILD_SAs go down. On 04.05.2017 17:44, Modster, Anthony wrote: > Hello Noel > Just to be clear > > If using VICI, (1) do I attach the script during VICI config, or (2) > run the script on the "event monitor" callback (when its called) > > -Original Message- > From: Noel Kuntze > [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:40 AM > To: Modster, Anthony ; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] multiple tunnels > > > > On 04.05.2017 17:27, Modster, Anthony wrote: >> Hello Noel >> >> If I disable route installation. >> >> ? can a custom _updown script be used to set the route for each >> tunnel > > Phew. I think you can, but you have to take care not to install duplicate > routes. The hook you need to put your commands into, is called with each > combination of subnets. > >> >> ? or can the "event monitor" callback be used to set the route for >> each tunnel > > Yes, if you use VICI. You can script something with Python using the vici egg. > >> >> -Original Message- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 8:22 AM >> To: Modster, Anthony ; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels >> >> Nope. 
But you can disable the route installation from charon by setting >> charon.install_routes to no. >> You can't use the _updown script to manage routes. >> >> On 04.05.2017 17:17, Modster, Anthony wrote: >>> Hello Noel >>> >>> ? is there a way to use _updown to set both routes (disabling >>> Charon from setting the current route) >>> >>> -Original Message- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Thursday, May 04, 2017 4:12 AM >>> To: Modster, Anthony ; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] multiple tunnels >>> >>> Hello Anthony, >>> >>> I don't understand what you mean with that, but you could add a route to >>> the remote peer with a higher MTU, if you can actually communicate over the >>> other link with the IP on the other interface (the IP of another provider). >>> If you can't do that, then this is not solvable. >>> >>> On 04.05.2017 02:02, Modster, Anthony wrote: Hello Noel We were thinking of changing the created via for eth1.13 (adding matric info). Then when ppp0 tunnel comes up, create another via for it. I think Charon does try to create a via for ppp0, but can't. 
-Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Wednesday, May 03, 2017 4:45 PM To: Modster, Anthony ; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels Hello Anthony, As predicted, charon can't find an alternative network path: 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ... 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1] 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1] 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD request 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating INFORMATIONAL request 23 [ ] 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
2. But you should check what event is it. And you obviously should tear down the routes when the CHILD_SAs go down. On 04.05.2017 17:44, Modster, Anthony wrote: > Hello Noel > Just to be clear > > If using VICI, (1) do I attach the script during VICI config, or (2) run the > script on the "event monitor" callback (when its called) > > -Original Message- > From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:40 AM > To: Modster, Anthony; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] > Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] > multiple tunnels > > > > On 04.05.2017 17:27, Modster, Anthony wrote: >> Hello Noel >> >> If I disable route installation. >> >> ? can a custom _updown script be used to set the route for each tunnel > > Phew. I think you can, but you have to take care not to install duplicate > routes. The hook you need to put your commands into, is called with each > combination of subnets. > >> >> ? or can the "event monitor" callback be used to set the route for >> each tunnel > > Yes, if you use VICI. You can script something with Python using the vici egg. > >> >> -Original Message- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 8:22 AM >> To: Modster, Anthony ; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels >> >> Nope. But you can disable the route installation from charon by setting >> charon.install_routes to no. >> You can't use the _updown script to manage routes. >> >> On 04.05.2017 17:17, Modster, Anthony wrote: >>> Hello Noel >>> >>> ? 
is there a way to use _updown to set both routes (disabling Charon >>> from setting the current route) >>> >>> -Original Message- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Thursday, May 04, 2017 4:12 AM >>> To: Modster, Anthony ; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] multiple tunnels >>> >>> Hello Anthony, >>> >>> I don't understand what you mean with that, but you could add a route to >>> the remote peer with a higher MTU, if you can actually communicate over the >>> other link with the IP on the other interface (the IP of another provider). >>> If you can't do that, then this is not solvable. >>> >>> On 04.05.2017 02:02, Modster, Anthony wrote: Hello Noel We were thinking of changing the created via for eth1.13 (adding matric info). Then when ppp0 tunnel comes up, create another via for it. I think Charon does try to create a via for ppp0, but can't. -Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Wednesday, May 03, 2017 4:45 PM To: Modster, Anthony ; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels Hello Anthony, As predicted, charon can't find an alternative network path: 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ... 
2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1] 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1] 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD request 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating INFORMATIONAL request 23 [ ] 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes) 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes) 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed INFORMATIONAL response 23 [ ] 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 of request with message ID
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
Hello Noel Just to be clear If using VICI, (1) do I attach the script during VICI config, or (2) run the script on the "event monitor" callback (when its called) -Original Message- From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] Sent: Thursday, May 04, 2017 8:40 AM To: Modster, Anthony; users@lists.strongswan.org Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels On 04.05.2017 17:27, Modster, Anthony wrote: > Hello Noel > > If I disable route installation. > > ? can a custom _updown script be used to set the route for each tunnel Phew. I think you can, but you have to take care not to install duplicate routes. The hook you need to put your commands into, is called with each combination of subnets. > > ? or can the "event monitor" callback be used to set the route for > each tunnel Yes, if you use VICI. You can script something with Python using the vici egg. > > -Original Message- > From: Noel Kuntze > [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:22 AM > To: Modster, Anthony ; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No > Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels > > Nope. But you can disable the route installation from charon by setting > charon.install_routes to no. > You can't use the _updown script to manage routes. > > On 04.05.2017 17:17, Modster, Anthony wrote: >> Hello Noel >> >> ? 
is there a way to use _updown to set both routes (disabling Charon >> from setting the current route) >> >> -Original Message- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 4:12 AM >> To: Modster, Anthony ; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] multiple tunnels >> >> Hello Anthony, >> >> I don't understand what you mean with that, but you could add a route to the >> remote peer with a higher MTU, if you can actually communicate over the >> other link with the IP on the other interface (the IP of another provider). >> If you can't do that, then this is not solvable. >> >> On 04.05.2017 02:02, Modster, Anthony wrote: >>> Hello Noel >>> We were thinking of changing the created via for eth1.13 (adding matric >>> info). >>> Then when ppp0 tunnel comes up, create another via for it. >>> >>> I think Charon does try to create a via for ppp0, but can't. >>> >>> -Original Message- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Wednesday, May 03, 2017 4:45 PM >>> To: Modster, Anthony ; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: >>> [SUSPECT EMAIL: No Reputation] multiple tunnels >>> >>> Hello Anthony, >>> >>> As predicted, charon can't find an alternative network path: >>> >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface >>> eth1.13 deactivated >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] >>> 192.168.1.134 disappeared from eth1.13 >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is >>> not available anymore, try to find another >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a >>> route to 76.232.248.210 ... 
>>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>> reauthenticating IKE_SA due to address change >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>> reauthenticating IKE_SA sgateway1-gldl[1] >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>> reauthenticating IKE_SA sgateway1-gldl[1] >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD >>> request >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating >>> INFORMATIONAL request 23 [ ] >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending >>> packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes) >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received >>> packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes) >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed >>> INFORMATIONAL response 23 [ ] >>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit >>> 1 of request with message ID 95 >>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending >>> packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes) >>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error >>> writing to socket: Invalid argument >>> >>> It can't send any packets though, because the
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
On 04.05.2017 17:27, Modster, Anthony wrote: > Hello Noel > > If I disable route installation. > > ? can a custom _updown script be used to set the route for each tunnel Phew. I think you can, but you have to take care not to install duplicate routes. The hook you need to put your commands into, is called with each combination of subnets. > > ? or can the "event monitor" callback be used to set the route for each tunnel Yes, if you use VICI. You can script something with Python using the vici egg. > > -Original Message- > From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] > Sent: Thursday, May 04, 2017 8:22 AM > To: Modster, Anthony; > users@lists.strongswan.org > Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] > Re: [SUSPECT EMAIL: No Reputation] multiple tunnels > > Nope. But you can disable the route installation from charon by setting > charon.install_routes to no. > You can't use the _updown script to manage routes. > > On 04.05.2017 17:17, Modster, Anthony wrote: >> Hello Noel >> >> ? is there a way to use _updown to set both routes (disabling Charon >> from setting the current route) >> >> -Original Message- >> From: Noel Kuntze >> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >> Sent: Thursday, May 04, 2017 4:12 AM >> To: Modster, Anthony ; >> users@lists.strongswan.org >> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >> Reputation] multiple tunnels >> >> Hello Anthony, >> >> I don't understand what you mean with that, but you could add a route to the >> remote peer with a higher MTU, if you can actually communicate over the >> other link with the IP on the other interface (the IP of another provider). >> If you can't do that, then this is not solvable. >> >> On 04.05.2017 02:02, Modster, Anthony wrote: >>> Hello Noel >>> We were thinking of changing the created via for eth1.13 (adding matric >>> info). >>> Then when ppp0 tunnel comes up, create another via for it. 
>>> >>> I think Charon does try to create a via for ppp0, but can't. >>> >>> -Original Message- >>> From: Noel Kuntze >>> [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting] >>> Sent: Wednesday, May 03, 2017 4:45 PM >>> To: Modster, Anthony ; >>> users@lists.strongswan.org >>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No >>> Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: >>> [SUSPECT EMAIL: No Reputation] multiple tunnels >>> >>> Hello Anthony, >>> >>> As predicted, charon can't find an alternative network path: >>> >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface >>> eth1.13 deactivated >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] >>> 192.168.1.134 disappeared from eth1.13 >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is >>> not available anymore, try to find another >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a >>> route to 76.232.248.210 ... >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>> reauthenticating IKE_SA due to address change >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>> reauthenticating IKE_SA sgateway1-gldl[1] >>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] >>> reauthenticating IKE_SA sgateway1-gldl[1] >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD >>> request >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating >>> INFORMATIONAL request 23 [ ] >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending >>> packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes) >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received >>> packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes) >>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed >>> INFORMATIONAL response 23 [ ] >>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 >>> of request with message ID 95 >>> 2017 May 
3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending >>> packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes) >>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error >>> writing to socket: Invalid argument >>> >>> It can't send any packets though, because the address 192.168.1.134 isn't >>> bound to any active interface. >>> >>> That ends with this: >>> >>> 2017 May 3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed >>> INFORMATIONAL response 33 [ ] >>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up >>> after 5 retransmits >>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up >>> interface for virtual IP 20.20.20.6 failed >>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting >>> CHILD_SA sgateway1-gldl >>> 2017 May 3 21:50:51+00:00
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
Hello Noel

If I disable route installation.

? can a custom _updown script be used to set the route for each tunnel
? or can the "event monitor" callback be used to set the route for each tunnel

-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
Sent: Thursday, May 04, 2017 8:22 AM
To: Modster, Anthony; users@lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels

Nope. But you can disable the route installation from charon by setting charon.install_routes to no.
You can't use the _updown script to manage routes.

On 04.05.2017 17:17, Modster, Anthony wrote:
> Hello Noel
>
> ? is there a way to use _updown to set both routes (disabling Charon from setting the current route)
>
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Thursday, May 04, 2017 4:12 AM
> To: Modster, Anthony; users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>
> Hello Anthony,
>
> I don't understand what you mean with that, but you could add a route to the remote peer with a higher MTU, if you can actually communicate over the other link with the IP on the other interface (the IP of another provider). If you can't do that, then this is not solvable.
>
> On 04.05.2017 02:02, Modster, Anthony wrote:
>> Hello Noel
>> We were thinking of changing the created via for eth1.13 (adding metric info).
>> Then when ppp0 tunnel comes up, create another via for it.
>>
>> I think Charon does try to create a via for ppp0, but can't.
>>
>> -----Original Message-----
>> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
>> Sent: Wednesday, May 03, 2017 4:45 PM
>> To: Modster, Anthony; users@lists.strongswan.org
>> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Hello Anthony,
>>
>> As predicted, charon can't find an alternative network path:
>>
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ...
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
>> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD request
>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating INFORMATIONAL request 23 [ ]
>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
>> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed INFORMATIONAL response 23 [ ]
>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 of request with message ID 95
>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
>> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error writing to socket: Invalid argument
>>
>> It can't send any packets though, because the address 192.168.1.134 isn't bound to any active interface.
>>
>> That ends with this:
>>
>> 2017 May 3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed INFORMATIONAL response 33 [ ]
>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up after 5 retransmits
>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up interface for virtual IP 20.20.20.6 failed
>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting CHILD_SA sgateway1-gldl
>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
>> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 13[IKE] sending DPD request
>>
>> This continues until the end of the log. The interface eth1.13 doesn't come up in the logs after it was deactivated.
>>
>> The PCAPs
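Anthony asks above whether the VICI "event monitor" callback can set the route for each tunnel once charon's own route installation is switched off (charon.install_routes = no). The script below is an added example, not code from this thread or from the strongSwan project: it reacts to VICI child-updown events and records which CHILD_SAs use each route, so that two tunnels sharing a remote subnet, or a repeated up event, never produce a duplicate `ip route add`, and a route is deleted only once its last CHILD_SA is gone. The event layout (a top-level "up" key present only on up events, then one entry per IKE_SA config name whose child-sas carry a uniqueid plus local-ts/remote-ts) follows strongSwan's VICI README as I recall it; the sample events, the second connection name sgateway2, and the plain `dev`-only route form are constructed assumptions, and the live listener needs the real `vici` Python package and root.

```python
"""Per-tunnel route installation driven by VICI child-updown events.
Added example, not strongSwan project code. Assumes charon.install_routes = no
so charon does not populate routing table 220 itself."""
import ipaddress
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample events shaped like the dicts vici.Session.listen() yields
# (field names as in strongSwan's VICI README; the python library hands keys
# and scalar values over as bytes). "up" is only present on up events.
SAMPLE_UP_EVENT = {
    b"up": b"yes",
    b"sgateway1-gldl": {                 # IKE_SA config name seen in the log above
        b"uniqueid": b"3",
        b"child-sas": {
            b"sgateway1-gldl": {
                b"uniqueid": b"7",
                b"local-ts": [b"192.168.1.0/24"],
                # a selector may carry a protocol/port suffix; it still yields
                # exactly one prefix route
                b"remote-ts": [b"10.0.0.0/16", b"10.1.0.0/24[tcp/443]"],
            }
        },
    },
}
SAMPLE_DOWN_EVENT = {k: v for k, v in SAMPLE_UP_EVENT.items() if k != b"up"}

# Constructed second tunnel (hypothetical name) that shares 10.0.0.0/16.
SAMPLE_UP_EVENT_SECOND = {
    b"up": b"yes",
    b"sgateway2": {
        b"uniqueid": b"4",
        b"child-sas": {
            b"sgateway2": {
                b"uniqueid": b"8",
                b"local-ts": [b"192.168.1.0/24"],
                b"remote-ts": [b"10.0.0.0/16"],
            }
        },
    },
}
SAMPLE_DOWN_EVENT_SECOND = {k: v for k, v in SAMPLE_UP_EVENT_SECOND.items()
                            if k != b"up"}

Route = Tuple[str, str]              # (destination prefix, outgoing device)


def prefix_of(ts: bytes) -> str:
    """'10.1.0.0/24[tcp/443]' -> '10.1.0.0/24'; also clears stray host bits."""
    return str(ipaddress.ip_network(ts.decode().split("[", 1)[0], strict=False))


def child_routes(event: dict, dev: str) -> List[Tuple[str, Route]]:
    """(CHILD_SA uniqueid, route) for every remote traffic selector in an event."""
    pairs = set()
    for ike_sa in event.values():
        if not isinstance(ike_sa, dict):       # skips the top-level "up" flag
            continue
        for child in ike_sa.get(b"child-sas", {}).values():
            cid = child[b"uniqueid"].decode()
            for ts in child.get(b"remote-ts", []):
                pairs.add((cid, (prefix_of(ts), dev)))
    return sorted(pairs, key=lambda p: p[1])


class RouteTracker:
    """Remembers which CHILD_SAs use each route: `ip route add` runs once per
    route, `ip route del` only after the last user has gone down."""

    def __init__(self, dev: str):
        self.dev = dev
        self.users: Dict[Route, Set[str]] = {}

    def apply(self, event: dict) -> List[str]:
        """Return the ip-route commands an event requires; nothing is executed."""
        up = b"up" in event
        cmds = []
        for cid, route in child_routes(event, self.dev):
            prefix, dev = route
            if up:
                users = self.users.setdefault(route, set())
                if not users:
                    cmds.append(f"ip route add {prefix} dev {dev}")
                users.add(cid)
            else:
                users = self.users.get(route)
                if users is None:
                    continue             # never installed by us; nothing to undo
                users.discard(cid)
                if not users:
                    del self.users[route]
                    cmds.append(f"ip route del {prefix} dev {dev}")
        return cmds


def run_live(dev: str) -> None:
    """Blocking listener against a real charon (needs the vici package, root)."""
    import vici                          # pip install vici
    tracker = RouteTracker(dev)
    session = vici.Session()             # /var/run/charon.vici by default
    for _label, event in session.listen(["child-updown"]):
        for cmd in tracker.apply(event):
            subprocess.run(cmd.split(), check=False)


if __name__ == "__main__":
    import sys
    run_live(sys.argv[1] if len(sys.argv) > 1 else "ppp0")
```

The tracker keys routes by (prefix, device) because the same remote subnet may be reachable through both eth1.13 and ppp0 in the setup discussed here; run one listener per uplink, or extend the key with the local address from the IKE_SA entry if both tunnels are handled by one process.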
Re: [strongSwan] Tunnels with dynamic IP and another route issue
Okay, I will try some things out and see if it gets better. If not I will return with some logs :)

I'm just thinking out loud here regarding Charon source route selection, because you proposed leaving out the "left"-parameter (defaulting to %any I think) and my router is multihomed, what about if I mangle the output packets on UDP port 500 through the right WAN interface routing table? Will that force charon traffic out the right interface too? Or maybe if I exclude all routing tables present on the gateway (except the one I want) in strongswan.conf, then that should force Charon to do source route lookups in this table only?

I have made some completely different observations, I tried running Strongswan with libipsec instead of kernel modules and noticed two things.

1. The shunt policy doesn't work anymore, the route for local LAN gets created with dev ipsec0 (instead of br0). Is this a known bug? I had to add a manual route to table 220.

2. It's easier to route, maintain and so on because all traffic goes in/out on a dedicated interface (ipsec0), so no need for IP-tables policy matching. However, it's noticeably slower (throughput) and when transferring traffic my router almost hits 100% cpu load. Is this normal? With kernel modules I can reach double the throughput (20 vs 50Mbps), however then the CPU is only around 50%. What do you think is the bottleneck here for achieving higher throughput? The remote endpoint? With Android Strongswan client it's even slower than that (tested on WiFi). Both sides of the WAN-connection in this case have 100Mbps, so that's ruled out.

On 2017-05-03 at 16:23, Noel Kuntze wrote:
> On 03.05.2017 13:51, Dusan Ilic wrote:
>> By the way, it seems the order of shunt connections do matter.
> They don't. XFRM doesn't care about what order any policies are inserted, only the TS and the priority.
>
>> If I put it at the end after all other connections the network gets completely cut off...looks like I have to put it directly after the 0.0.0.0 connection.
> Sounds like you have a race condition between charon and the software that gets your network connection(s) up. Make charon start after that software is done. I can't tell for certain though, because you don't share the logs.
>
>> Noel Kuntze wrote:
>>> On 02.05.2017 17:41, Dusan Ilic wrote:
>>>> I see, thank you. Well, I seem to have random issues now with my new configuration. After restarting Strongswan sometimes it works, sometimes it doesn't. Very unreliable. Sometimes it connects with the right source interface, sometimes
>>>>
>>>> sending packet: from 0.0.0.0[500] to 94.x.x.x[500] (1316 bytes)
>>>>
>>>> and this won't work obviously. Why 0.0.0.0? When it connects from the right public WAN IP, sometimes it connects, sometimes it just retransmits a bunch of packets. Never had these problems before, and I'm confused what's started causing them now.
>>> Read your logs and compare them.
>>>
>>>> Regarding shunt connections, does it matter in which order they are put in ipsec.conf? Like at the top, or the bottom and so on?
>>> No.
>>>
>>>> On 2017-05-02 at 09:41, Noel Kuntze wrote:
>>>>> Yes, that's the reason why that happens. No, you need to start using another subnet.
>>>>>
>>>>> On 02.05.2017 02:02, Dusan Ilic wrote:
>>>>>> I seem to have found the problem, it was on my local endpoint. The gateway has default IP-table rules in the prerouting table dropping traffic entering any WAN-interface destined to a LAN-subnet, which I understand is normal as long as there isn't any IPsec involved :)
>>>>>>
>>>>>> Below exclude rule solves it.
>>>>>>
>>>>>> iptables -t mangle -I PREROUTING -d 10.1.1.0/26 -i $(nvram get wan3_ifname) -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>>>>>>
>>>>>> Now routing everything over IP-sec tunnel works great, but instead a new issue has arisen. My VPN remote access users cannot reach the internet anymore (or the local subnet for that matter) when the gateway is routing all traffic over another IPsec-tunnel, and from the LAN I cannot ping the VPN-client (Android Strongswan) either. I'm wildly guessing this is because my VPN-clients are getting IPs from the local subnet (rightsourceip=%dhcp), the same subnet that I have to create a passthrough connection for. Is this solvable in an easy way, or am I forced to put my VPN-clients on a separate subnet?
>>>>>>
>>>>>> On 2017-05-01 at 14:57, Noel Kuntze wrote:
>>>>>>> I can't help you further easily. You need to check what happens to the packets and what actually needs to happen.
>>>>>>>
>>>>>>> On 30.04.2017 23:25, Dusan Ilic wrote:
>>>>>>>> I have added following on local router
>>>>>>>>
>>>>>>>> iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>>>>>>>>
>>>>>>>> (before it was iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -d 192.168.1.0/24 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j ACCEPT)
>>>>>>>>
>>>>>>>> And on remote router
>>>>>>>>
>>>>>>>> iptables -I FORWARD -s 10.1.1.0/26 -j ACCEPT
>>>>>>>> iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -j MASQUERADE
>>>>>>>>
>>>>>>>> And now when the tunnel is up, internet doesn't work at all (all pings time out),
Re: [strongSwan] IPsec performance figures
Hello,

On 04.05.2017 08:45, Martin Willi wrote:
> Hi,
>
>> are there any reliable performance figures for IPsec throughput on
>> x86_64 Linux machines?
> Nothing I could reference here.

I know of this: http://www.intel.ua/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf

>> Is 10 GBit/s feasible? If yes, how?
> On commodity hardware, maybe, but only if/when:
>
> * using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
> * your NIC can separate traffic to multiple queues (8+), and each queue has assigned a core to process its traffic
> * you have multiple SAs and flows, so the flows can actually be separated to queues (and cores) in both directions.
>
> If you can't effectively distribute traffic over NIC queues, you should consider using pcrypt. Not sure if 10Gbit/s are possible, though.

Pcrypt is actually just a bandaid and only adds marginal performance, in my experience. It isn't worth the effort.

Making XFRM faster was discussed in Netdev 1.2. The relevant slides are visible in the corresponding video at the referenced time frame[1]. The speedup is an impressive increase from 3.8 Gbps to 5.7 Gbps in a setup with one flow and an impressive 115.6 Gbps with 16 bidirectional flows with all the patches and RSS. I think 10 GBit/s is definitively possible. Obviously even a lot more. With the patches, HW offload will also be supported generically.

[1] https://www.youtube.com/watch?v=bCVc6o3JxK8 Time: 7:00

Kind regards,
Noel

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] [SUSPECT EMAIL: No Reputation] multiple tunnels
Hello Anthony,

I don't understand what you mean with that, but you could add a route to the remote peer with a higher MTU, if you can actually communicate over the other link with the IP on the other interface (the IP of another provider). If you can't do that, then this is not solvable.

On 04.05.2017 02:02, Modster, Anthony wrote:
> Hello Noel
> We were thinking of changing the created via for eth1.13 (adding metric info).
> Then when ppp0 tunnel comes up, create another via for it.
>
> I think Charon does try to create a via for ppp0, but can't.
>
> -----Original Message-----
> From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml@thermi.consulting]
> Sent: Wednesday, May 03, 2017 4:45 PM
> To: Modster, Anthony; users@lists.strongswan.org
> Subject: [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>
> Hello Anthony,
>
> As predicted, charon can't find an alternative network path:
>
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 12[KNL] interface eth1.13 deactivated
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 05[KNL] 192.168.1.134 disappeared from eth1.13
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] old path is not available anymore, try to find another
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] looking for a route to 76.232.248.210 ...
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA due to address change
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
> 2017 May 3 21:50:28+00:00 wglng-6 charon [info] 15[IKE] reauthenticating IKE_SA sgateway1-gldl[1]
> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[IKE] sending DPD request
> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[ENC] generating INFORMATIONAL request 23 [ ]
> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 05[NET] sending packet: from 166.204.98.165[4500] to 76.232.248.210[4500] (96 bytes)
> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[NET] received packet: from 76.232.248.210[4500] to 166.204.98.165[4500] (96 bytes)
> 2017 May 3 21:50:29+00:00 wglng-6 charon [info] 13[ENC] parsed INFORMATIONAL response 23 [ ]
> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[IKE] retransmit 1 of request with message ID 95
> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 15[NET] sending packet: from 192.168.1.134[500] to 76.232.248.210[500] (96 bytes)
> 2017 May 3 21:50:31+00:00 wglng-6 charon [info] 04[NET] error writing to socket: Invalid argument
>
> It can't send any packets though, because the address 192.168.1.134 isn't bound to any active interface.
>
> That ends with this:
>
> 2017 May 3 21:50:50+00:00 wglng-6 charon [info] 07[ENC] parsed INFORMATIONAL response 33 [ ]
> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] giving up after 5 retransmits
> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] looking up interface for virtual IP 20.20.20.6 failed
> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] restarting CHILD_SA sgateway1-gldl
> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 12[IKE] initiating IKE_SA sgateway1-gldl[3] to 76.232.248.210
> 2017 May 3 21:50:51+00:00 wglng-6 charon [info] 13[IKE] sending DPD request
>
> This continues until the end of the log. The interface eth1.13 doesn't come up in the logs after it was deactivated.
>
> The PCAPs are pretty useless, because they don't show the problem. But ESP traffic indeed flows through the different network interfaces.
> Hmh. Curious! I wonder why that is.
>
> On 04.05.2017 01:25, Modster, Anthony wrote:
>> Hello Noel
>>
>> I am resending the message and for files are compressed.
>>
>> -----Original Message-----
>> From: Modster, Anthony
>> Sent: Wednesday, May 03, 2017 2:55 PM
>> To: 'Noel Kuntze'; users@lists.strongswan.org
>> Subject: RE: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] [SUSPECT EMAIL: No Reputation] Re: [SUSPECT EMAIL: No Reputation] multiple tunnels
>>
>> Hello Noel
>>
>> 1. let me know if any of the files are missing (s/b 3)
>> 2. let me know if the log levels are ok (our settings were more than support required)
>>
>> The following test and its results will be sent to strongswan for evaluation.
>>
>> bring up ethernet eth1.13
>> when interface comes up start, tcpdump -i eth1.13 -w test_restart_eth113.dat
>> note: ipsec tunnel will start
>> wait for tunnel
>> bring up ppp0
>> when interface comes up start, tcpdump -i ppp0 -w test_restart_ppp0.dat
>> wait for tunnel
>> disconnect ethernet
>> note: ppp0 will stop communicating
>> wait for ppp0 to recover (about 9 mins)
>>
>>
Re: [strongSwan] IPsec performance figures
Hi,

> are there any reliable performance figures for IPsec throughput on
> x86_64 Linux machines?

Nothing I could reference here.

> Is 10 GBit/s feasible? If yes, how?

On commodity hardware, maybe, but only if/when:

* using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
* your NIC can separate traffic to multiple queues (8+), and each queue has assigned a core to process its traffic
* you have multiple SAs and flows, so the flows can actually be separated to queues (and cores) in both directions.

If you can't effectively distribute traffic over NIC queues, you should consider using pcrypt. Not sure if 10Gbit/s are possible, though.

Regards
Martin
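Martin's conditions here, and Noel's reply to them further up the page (AES-GCM with AES-NI/CLMUL, 8+ NIC queues each pinned to a core, enough SAs and flows to spread over them), can be checked on a Linux host before a 10 Gbit/s target is promised to anyone. What follows is an added example, not code from either message or from strongSwan: it parses /proc/cpuinfo, /proc/crypto and `ethtool -l` output and reports which prerequisites the host meets. The number of SAs and flows is a property of the deployment, not of the host, so it is not checked. The sample texts are constructed; the driver name generic-gcm-aesni is what the Linux aesni_intel module registers for gcm(aes), and a lower-priority gcm_base(...) entry is the software fallback the kernel would otherwise pick.

```python
"""Offline readiness check for the IPsec throughput prerequisites above.
Added example, not strongSwan project code. Each parser takes the text of its
source as an argument so the constructed samples run without root or a NIC."""
import subprocess
from typing import Dict, Optional

# Constructed /proc/cpuinfo excerpt: one CPU advertising AES-NI and PCLMULQDQ.
SAMPLE_CPUINFO = """processor\t: 0
flags\t\t: fpu vme de sse sse2 ssse3 sse4_1 sse4_2 aes pclmulqdq avx2
"""

# Constructed /proc/crypto excerpt: gcm(aes) offered by the aesni_intel driver
# (priority 400) and by the generic software template (priority 100).
SAMPLE_CRYPTO = """name         : gcm(aes)
driver       : generic-gcm-aesni
module       : aesni_intel
priority     : 400

name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : gcm
priority     : 100
"""

# Constructed `ethtool -l eth0` output: 16 combined queues possible, 4 in use.
SAMPLE_ETHTOOL = """Channel parameters for eth0:
Pre-set maximums:
RX:\t\t0
TX:\t\t0
Other:\t\t1
Combined:\t16
Current hardware settings:
RX:\t\t0
TX:\t\t0
Other:\t\t1
Combined:\t4
"""


def cpu_has_aesni_clmul(cpuinfo: str) -> bool:
    """True if the first CPU lists both the AES and carry-less multiply flags."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return {"aes", "pclmulqdq"} <= flags
    return False


def crypto_driver_for(proc_crypto: str, algorithm: str) -> Optional[str]:
    """Highest-priority driver registered for an algorithm such as gcm(aes);
    that is the implementation the kernel binds when XFRM installs the SA."""
    best = None
    for block in proc_crypto.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("name") == algorithm:
            prio = int(fields.get("priority", "0"))
            if best is None or prio > best[0]:
                best = (prio, fields.get("driver"))
    return best[1] if best else None


def nic_current_combined_queues(ethtool_l: str) -> int:
    """Configured combined RX/TX queue count from `ethtool -l <nic>` output."""
    in_current = False
    for line in ethtool_l.splitlines():
        if line.startswith("Current hardware settings"):
            in_current = True
        elif in_current and line.startswith("Combined:"):
            return int(line.split(":", 1)[1])
    return 0


def readiness(cpuinfo: str, proc_crypto: str, ethtool_l: str,
              min_queues: int = 8) -> Dict[str, bool]:
    """One boolean per host-side prerequisite; all True is the bar described."""
    driver = crypto_driver_for(proc_crypto, "gcm(aes)") or ""
    return {
        "aesni_clmul": cpu_has_aesni_clmul(cpuinfo),
        "gcm_aes_hw_driver": "aesni" in driver,
        "nic_multiqueue": nic_current_combined_queues(ethtool_l) >= min_queues,
    }


if __name__ == "__main__":
    import sys
    nic = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    with open("/proc/cpuinfo") as f, open("/proc/crypto") as g:
        cpuinfo, crypto = f.read(), g.read()
    ethtool = subprocess.run(["ethtool", "-l", nic], capture_output=True,
                             text=True, check=False).stdout
    for check, ok in readiness(cpuinfo, crypto, ethtool).items():
        print(f"{check}: {'ok' if ok else 'MISSING'}")
```

A host that passes the first two checks but not the third is the case Martin describes as a candidate for pcrypt; the queue count alone does not guarantee the spread, since the IRQ affinity of each queue still has to land on a distinct core.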