Re: [strongSwan] Strongswan VPN Profile for Android.

2017-05-29 Thread Tobias Brunner
Hi Aanand,

> The link also refers to a file media type. I didn’t do
> anything specific to set the file’s media type. Could that be the reason
> why the import is failing?

Yep, most likely.  The next release will allow browsing for profile
files using the SAF.

> How do I set the media type for a file?

That depends on the tool/library you use to send the email (and if you
use a program maybe the system settings on the sending host e.g. if it
resolves MIME-types when attaching a file to an email).

Regards,
Tobias
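As an added illustration of Tobias's point (this is not code from the thread or from the strongSwan project), the snippet below builds the e-mail with the Python standard library and sets the attachment's Content-Type explicitly instead of letting the mailer guess it from the file name. The media type and extension are the ones the strongSwan Android client's documentation gives for profile files, taken here as an assumption to verify against the link mentioned in the thread; the profile content is a constructed placeholder.

```python
# Added example (not from the thread): attach a strongSwan Android profile
# to an e-mail with an explicit media type, using only the standard library.
import json
from email.message import EmailMessage

# Media type and extension the strongSwan Android client registers for
# profile files, as documented on the project wiki (assumption: verify it
# against the link referred to in the thread).
PROFILE_MEDIA_TYPE = "application/vnd.strongswan.profile"
PROFILE_EXTENSION = ".sswan"

# Constructed placeholder profile; the real schema is described in the
# client's documentation, the values here are illustrative only.
SAMPLE_PROFILE = {
    "uuid": "00000000-0000-4000-8000-000000000000",
    "name": "Example VPN",
    "type": "ikev2-eap",
    "remote": {"addr": "vpn.example.org"},
}


def build_profile_mail(profile, sender, recipient, name="vpn"):
    """Return an EmailMessage whose attachment carries PROFILE_MEDIA_TYPE."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "strongSwan VPN profile"
    msg.set_content("Open the attached file with the strongSwan app to import the profile.")
    maintype, subtype = PROFILE_MEDIA_TYPE.split("/", 1)
    # add_attachment() takes the Content-Type from maintype/subtype rather
    # than guessing it from the file name, so the client sees the right type.
    msg.add_attachment(json.dumps(profile).encode(), maintype=maintype,
                       subtype=subtype, filename=name + PROFILE_EXTENSION)
    return msg


def attachment_media_types(msg):
    """Return [(filename, content-type)] for every attachment: the check to
    run on a message before handing it to smtplib."""
    return [(p.get_filename(), p.get_content_type()) for p in msg.iter_attachments()]


if __name__ == "__main__":
    mail = build_profile_mail(SAMPLE_PROFILE, "admin@example.org", "user@example.org")
    print(attachment_media_types(mail))
    # Deliver with smtplib.SMTP(host).send_message(mail) once the type is right.
```

If a desktop mail client or a different library is used instead, the same check applies: inspect the generated message (or the raw .eml) and confirm the attachment part's Content-Type header is the profile media type and not application/octet-stream.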


Re: [strongSwan] charon unmet dependency on native android build

2017-05-29 Thread Tobias Brunner
Hi Nathan,

> Still no indication on why it fails when I look at the logs.

Probably glob(3) is not available.

Regards,
Tobias



Re: [strongSwan] MOBIKE task got stuck Strongswan version 5.3.2

2017-05-29 Thread Tobias Brunner
Hi Simon,

> It would seem MOBIKE tasks are not caused by interface up/down.
> Can you tell me what events can trigger activation of a MOBIKE task?

As I already wrote, DPDs are also handled by MOBIKE tasks if both peers
support MOBIKE.  You could disable MOBIKE in the config if you don't
want to use it at all.

Regards,
Tobias


Re: [strongSwan] MOBIKE task got stuck Strongswan version 5.3.2

2017-05-29 Thread Simon Chan
Hi Tobias,

After the customer added roam_events = no to the config file, the
problem still occurs on most of the tunnels.
It would seem MOBIKE tasks are not caused by interface up/down.
Can you tell me what events can trigger activation of a MOBIKE task?

I saw these in customer's syslog:

   - sending DPD request
   - generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
   - no route found to reach peer, MOBIKE update deferred

I cannot reproduce such exchange in my lab. I got these logs:

   - sending DPD request
   - activating IKE_DPD task (may come from my own debug prints)
   - generating INFORMATION request 0 [ ]
   - sending packet: from  to 

Thanks,

Simon



On Fri, May 5, 2017 at 2:20 AM, Tobias Brunner wrote:

> Hi Simon,
>
> > 1. Any guesses on how a MOBIKE task gets stuck and won't time out? Should
> > there be on-going re-tries?
>
> Read the log.
>
> > 2. I think charon is still sending keepalive messages to the peers with
> > MOBIKE task active, but no DPD is sent. This behavior seems to create
> > the situation that tunnels stay connected but they are really dead long
> > ago.
>
> Could be the daemon thinks there is no valid path to reach the peer, so
> it deferred sending any messages until the network connectivity changes
> (again check the log for details).
>
> > 3. Following Q2, DPD won't do any good because the MOBIKE task seems to
> > have higher priority than delete. Is this behavior fixed in 5.5 recently
> > (issues/1410)?
>
> That issue is related to IKEv1.  The idea behind preferring MOBIKE tasks
> over others is that without a valid path to the peer there is no point
> in sending other messages and if the peer can't be reached, the MOBIKE
> exchange, whether it is an update or a DPD, will trigger the DPD action
> anyway.
>
> > 4. I need to support remote devices doing MOBIKE switch but I don't want
> > the VPN server in the office to perform MOBIKE switch. It is futile.
> > There is no secondary internet interface to switch to. Chaos ensues when
> > charon tries to find alternate paths on 1000 tunnels.
>
> The MOBIKE task does not necessarily mean that this is an actual MOBIKE
> update.  With MOBIKE enabled between two peers DPDs are also handled by
> these tasks.
>
> > Can development team
> > members point out where I can tweak the source code to silently ignore
> > MOBIKE jobs? If I put mobike=no in ipsec.conf I think remote peers won't
> > be able to do MOBIKE switch.
>
> If the MOBIKE task is actually triggered by a network change you can
> avoid that by disabling charon.plugins.kernel-netlink.roam_events.
>
> Regards,
> Tobias
>
>
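As an added illustration (not from the thread or the strongSwan project) of the two settings Tobias refers to: the kernel-netlink option is a strongswan.conf setting and only takes effect under its full path charon.plugins.kernel-netlink; a bare roam_events = no at the top level of strongswan.conf has no effect, and it is not an ipsec.conf keyword. Disabling MOBIKE for a connection is a separate ipsec.conf setting. The connection name is a placeholder.

```ini
# /etc/strongswan.conf (added example): stop charon from reacting to
# interface, address and route changes, which is what triggers MOBIKE
# *updates*.  DPDs between two MOBIKE-capable peers are still carried by
# MOBIKE tasks, so this alone does not remove them from the log.
charon {
    plugins {
        kernel-netlink {
            roam_events = no
        }
    }
}

# /etc/ipsec.conf (added example, placeholder connection name): disable
# MOBIKE for this connection entirely, so DPDs are no longer MOBIKE tasks.
# Per Tobias's earlier reply this is the option if MOBIKE is not wanted at
# all; it applies to the whole connection, including the remote peers.
conn roadwarrior-placeholder
    mobike=no
```

After changing strongswan.conf the daemon has to be restarted (or the configuration reloaded) for the plugin option to apply; a good sanity check is whether "no route found to reach peer, MOBIKE update deferred" keeps appearing in syslog without any preceding interface or route change.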


Re: [strongSwan] IPv6 Remote Access

2017-05-29 Thread du...@comhem.se
Hi Noel,

I have tried both commands "ping" and "ping6". I can ping other local hosts and
external IPv6 addresses with "ping6".
Unfortunately the commands "iptables6-save" and "sysctl -A | grep
net.ipv6.conf.*forwarding" don't work on my Linux router (not found), but
here is the output of "ip6tables -L -v".

# ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot       opt in   out  source     destination
    0     0 DROP       all            any  any  anywhere   anywhere    rt type:0 segsleft:0
   80 12467 ACCEPT     all            any  any  anywhere   anywhere    state RELATED,ESTABLISHED
    0     0 ACCEPT     ipv6-nonxt     any  any  anywhere   anywhere    length 40
    0     0 shlimit    tcp            br0  any  anywhere   anywhere    tcp dpt:ssh state NEW
14952 1175K ACCEPT     all            br0  any  anywhere   anywhere
    0     0 ACCEPT     all            lo   any  anywhere   anywhere
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp destination-unreachable
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp packet-too-big
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp time-exceeded
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp parameter-problem
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp echo-request
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp echo-reply
  522 37584 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 130
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 131
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 132
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp router-solicitation
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp router-advertisement
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp neighbour-solicitation
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmp neighbour-advertisement
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 141
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 142
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 143
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 148
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 149
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 151
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 152
    0     0 logaccept  ipv6-icmp      any  any  anywhere   anywhere    ipv6-icmptype 153
    0     0 logaccept  tcp            any  any  anywhere   anywhere    tcp dpt:webcache

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot       opt in      out  source     destination
    0     0            all            vlan847 any  2001:2002:5ae1:c206:5076:327e:xxx:xxx/128  anywhere
    0     0 DROP       all            any     any  anywhere   anywhere    rt type:0 segsleft:0
    0     0 ACCEPT     all            br0     br0  anywhere   anywhere
    0     0 ACCEPT     all            br1     br1  anywhere   anywhere
    0     0 ACCEPT     all            br2     br2  anywhere   anywhere
  410 21787 DROP       all            any     any  anywhere   anywhere    state INVALID
 154K   98M ACCEPT     all            any     any  anywhere   anywhere    state RELATED,ESTABLISHED
    0     0 DROP       all            6rd     6rd  anywhere   anywhere
    0     0 ACCEPT     ipv6-nonxt     any     any  anywhere   anywhere    length 40
    0     0 logaccept  ipv6-icmp      any     any  anywhere   anywhere    ipv6-icmp destination-unreachable
    0     0 logaccept  ipv6-icmp      any     any  anywhere   anywhere    ipv6-icmp packet-too-big
    0     0 logaccept  ipv6-icmp      any     any  anywhere   anywhere    ipv6-icmp time-exceeded
    0     0 logaccept  ipv6-icmp      any     any  anywhere
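The router in this message has no "sysctl -A", but the same forwarding flags are plain files under /proc. The following script, added here as an example that is not part of the thread, reads them directly and interprets them the way the Linux kernel does: IPv6 packets are forwarded between interfaces only when conf/all/forwarding is 1, while the per-interface flag selects host or router behaviour (for instance whether router advertisements are accepted) on that interface. The directory root is a parameter so the logic can be exercised on a constructed directory tree.

```python
# Added example (not from the thread): read the IPv6 forwarding flags straight
# from /proc on a router whose sysctl lacks the -A option.
from pathlib import Path

PROC_IPV6_CONF = Path("/proc/sys/net/ipv6/conf")


def ipv6_forwarding_flags(root=PROC_IPV6_CONF):
    """Return {interface: 0|1} from every <root>/<iface>/forwarding file.

    `root` is parameterised so a constructed directory tree can stand in
    for /proc when the logic is tested off the router.
    """
    flags = {}
    for path in sorted(Path(root).glob("*/forwarding")):
        try:
            flags[path.parent.name] = int(path.read_text().strip())
        except (OSError, ValueError):
            continue  # unreadable or non-numeric entry: skip it
    return flags


def ipv6_forwarding_status(flags):
    """Interpret the flags as the kernel does.

    Packets are forwarded between interfaces only when conf/all/forwarding
    is 1.  A per-interface value of 0 leaves that interface in host mode
    (accepting router advertisements etc.) instead of router mode.
    Returns (forwarding_enabled, sorted list of interfaces in host mode);
    the "all" and "default" pseudo-entries are not interfaces and are
    excluded from the list.
    """
    enabled = flags.get("all") == 1
    host_mode = sorted(iface for iface, value in flags.items()
                       if value == 0 and iface not in ("all", "default"))
    return enabled, host_mode


if __name__ == "__main__":
    flags = ipv6_forwarding_flags()
    enabled, host_mode = ipv6_forwarding_status(flags)
    for iface, value in flags.items():
        print(f"net.ipv6.conf.{iface}.forwarding = {value}")
    print("global IPv6 forwarding:", "on" if enabled else "OFF")
    if host_mode:
        print("interfaces still in host mode:", ", ".join(host_mode))
```

Run on the router as root it prints one line per interface plus the global verdict; a FORWARD chain that looks right is irrelevant while the global flag is 0, because the kernel drops the packet before netfilter's FORWARD hook is consulted.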