Re: [strongSwan] Strongswan VPN Profile for Android.
Hi Aanand,

> The link also refers to a file media type. I didn't do
> anything specific to set the file's media type. Could that be the reason
> why the import is failing?

Yep, most likely. The next release will allow browsing for profile files using the SAF.

> How do I set the media type for a file?

That depends on the tool/library you use to send the email (and if you use a program maybe the system settings on the sending host, e.g. if it resolves MIME-types when attaching a file to an email).

Regards,
Tobias
Re: [strongSwan] charon unmet dependency on native android build
Hi Nathan,

> Still no indication on why it fails when I look at the logs.

Probably glob(3) is not available.

Regards,
Tobias
Re: [strongSwan] MOBIKE task got stuck Strongswan version 5.3.2
Hi Simon,

> It would seem MOBIKE tasks are not caused by interface up/down.
> Can you tell what events can trigger activation of MOBIKE task?

As I already wrote, DPDs are also handled by MOBIKE tasks if both peers support MOBIKE. You could disable MOBIKE in the config if you don't want to use it at all.

Regards,
Tobias
Re: [strongSwan] MOBIKE task got stuck Strongswan version 5.3.2
Hi Tobias,

After customer added roam_events = no in config file, problem still occurs on most of the tunnels. It would seem MOBIKE tasks are not caused by interface up/down. Can you tell what events can trigger activation of MOBIKE task?

I saw these in customer's syslog:

- sending DPD request
- generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
- no route found to reach peer, MOBIKE update deferred

I cannot reproduce such exchange in my lab. I got these logs:

- sending DPD request
- activating IKE_DPD task (may come from my own debug prints)
- generating INFORMATION request 0 [ ]
- sending packet: from to

Thanks,
Simon

On Fri, May 5, 2017 at 2:20 AM, Tobias Brunner wrote:
> Hi Simon,
>
> > 1. Any guesses on how MOBIKE task get stuck and won't timeout? Should
> > there be on-going re-tries?
>
> Read the log.
>
> > 2. I think charon is still sending keepalive messages to the peers with
> > MOBIKE task active, but no DPD is sent. This behavior seems to create
> > the situation that tunnels stay connected but they are really dead long
> > ago.
>
> Could be the daemon thinks there is no valid path to reach the peer, so
> it deferred sending any messages until the network connectivity changes
> (again check the log for details).
>
> > 3. Following Q2, DPD won't do any good because the MOBIKE task seems to
> > have higher priority than delete. Is this behavior fixed in 5.5 recently
> > (issues/1410)?
>
> That issue is related to IKEv1. The idea behind preferring MOBIKE tasks
> over others is that without a valid path to the peer there is no point
> in sending other messages and if the peer can't be reached, the MOBIKE
> exchange, whether it is an update or a DPD, will trigger the DPD action
> anyway.
>
> > 4. I need to support remote devices doing MOBIKE switch but I don't want
> > the VPN server in the office to perform MOBIKE switch. It is futile.
> > There is no secondary internet interface to switch to. Chaos ensues when
> > charon tries to find alternate paths on a 1000 tunnels.
>
> The MOBIKE task does not necessarily mean that this is an actual MOBIKE
> update. With MOBIKE enabled between two peers DPDs are also handled by
> these tasks.
>
> > Can development team
> > members point out where I can tweak the source code to silently ignore
> > MOBIKE jobs? If I put mobike=no in ipsec.conf I think remote peers won't
> > be able to do MOBIKE switch.
>
> If the MOBIKE task is actually triggered by a network change you can
> avoid that by disabling charon.plugins.kernel-netlink.roam_events.
>
> Regards,
> Tobias
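As an added example (not from this thread or the strongSwan project), a small Python helper that scans charon syslog output for the pattern discussed above: an IKE_SA whose DPD request was followed by "no route found to reach peer, MOBIKE update deferred" and by no inbound packet afterwards. The log lines are constructed; the "NN[GROUP] <conn|id>" prefix format and the use of "received packet" / "giving up after" as recovery signals are assumptions.

```python
import re
from collections import defaultdict

# charon syslog prefix: "NN[GROUP] <conn-name|ike-sa-id> message" (assumed format)
LINE_RE = re.compile(r"\d+\[(?P<group>\w+)\] <(?P<conn>[^|>]+)\|(?P<id>\d+)> (?P<msg>.*)")

DPD_SENT = "sending DPD request"
DEFERRED = "no route found to reach peer, MOBIKE update deferred"
# Messages taken as a sign the IKE_SA is alive again or the DPD action fired (assumption)
RECOVERED = ("received packet", "giving up after")


def find_stuck_mobike(lines):
    """Return {"conn|id": deferred-count} for IKE_SAs whose most recent DPD was
    followed by a deferred MOBIKE update and by no later inbound packet."""
    state = defaultdict(lambda: {"dpd": False, "deferred": 0, "stuck": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        st = state[f"{m['conn']}|{m['id']}"]
        msg = m["msg"]
        if msg.startswith(DPD_SENT):
            st["dpd"] = True
        elif msg.startswith(DEFERRED):
            st["deferred"] += 1
            st["stuck"] = st["dpd"]          # only a DPD left unanswered counts
        elif msg.startswith(RECOVERED):
            st["dpd"] = False                # peer answered or DPD action fired
            st["stuck"] = False
    return {k: v["deferred"] for k, v in state.items() if v["stuck"]}


# Constructed sample: site-a never gets an answer, site-b does.
SAMPLE_LOG = """\
May  5 02:20:01 gw charon: 05[IKE] <site-a|12> sending DPD request
May  5 02:20:01 gw charon: 05[ENC] <site-a|12> generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
May  5 02:20:01 gw charon: 05[IKE] <site-a|12> no route found to reach peer, MOBIKE update deferred
May  5 02:20:31 gw charon: 09[IKE] <site-a|12> sending DPD request
May  5 02:20:31 gw charon: 09[IKE] <site-a|12> no route found to reach peer, MOBIKE update deferred
May  5 02:20:02 gw charon: 07[IKE] <site-b|13> sending DPD request
May  5 02:20:02 gw charon: 07[ENC] <site-b|13> generating INFORMATIONAL request 0 [ ]
May  5 02:20:02 gw charon: 07[NET] <site-b|13> sending packet: from 192.0.2.1[4500] to 198.51.100.7[4500] (80 bytes)
May  5 02:20:02 gw charon: 08[NET] <site-b|13> received packet: from 198.51.100.7[4500] to 192.0.2.1[4500] (80 bytes)
"""

if __name__ == "__main__":
    for sa, n in find_stuck_mobike(SAMPLE_LOG.splitlines()).items():
        print(f"{sa}: {n} deferred MOBIKE update(s) after DPD, no reply seen")
```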
Re: [strongSwan] IPv6 Remote Access
Hi Noel,

I have tried both commands "ping" and "ping6". I can ping other local hosts and external IPv6 addresses with "ping6". Unfortunately the commands "iptables6-save" and "sysctl -A | grep net.ipv6.conf.*forwarding" don't work on my Linux router (not found), but here is "ip6tables -L -v".

# ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot       in    out   source      destination
    0     0 DROP       all        any   any   anywhere    anywhere     rt type:0 segsleft:0
   80 12467 ACCEPT     all        any   any   anywhere    anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT     ipv6-nonxt any   any   anywhere    anywhere     length 40
    0     0 shlimit    tcp        br0   any   anywhere    anywhere     tcp dpt:ssh state NEW
14952 1175K ACCEPT     all        br0   any   anywhere    anywhere
    0     0 ACCEPT     all        lo    any   anywhere    anywhere
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp destination-unreachable
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp packet-too-big
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp time-exceeded
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp parameter-problem
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp echo-request
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp echo-reply
  522 37584 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 130
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 131
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 132
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp router-solicitation
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp router-advertisement
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp neighbour-solicitation
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmp neighbour-advertisement
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 141
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 142
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 143
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 148
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 149
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 151
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 152
    0     0 logaccept  ipv6-icmp  any   any   anywhere    anywhere     ipv6-icmptype 153
    0     0 logaccept  tcp        any   any   anywhere    anywhere     tcp dpt:webcache

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot       in      out   source                                      destination
    0     0            all        vlan847 any   2001:2002:5ae1:c206:5076:327e:xxx:xxx/128   anywhere
    0     0 DROP       all        any     any   anywhere                                    anywhere     rt type:0 segsleft:0
    0     0 ACCEPT     all        br0     br0   anywhere                                    anywhere
    0     0 ACCEPT     all        br1     br1   anywhere                                    anywhere
    0     0 ACCEPT     all        br2     br2   anywhere                                    anywhere
  410 21787 DROP       all        any     any   anywhere                                    anywhere     state INVALID
 154K   98M ACCEPT     all        any     any   anywhere                                    anywhere     state RELATED,ESTABLISHED
    0     0 DROP       all        6rd     6rd   anywhere                                    anywhere
    0     0 ACCEPT     ipv6-nonxt any     any   anywhere                                    anywhere     length 40
    0     0 logaccept  ipv6-icmp  any     any   anywhere                                    anywhere     ipv6-icmp destination-unreachable
    0     0 logaccept  ipv6-icmp  any     any   anywhere                                    anywhere     ipv6-icmp packet-too-big
    0     0 logaccept  ipv6-icmp  any     any   anywhere                                    anywhere     ipv6-icmp time-exceeded
    0     0 logaccept  ipv6-icmp  any     any   anywhere