Re: [strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread rajeev nohria
Thanks a lot..
Rajeev

On Tue, Jun 26, 2018 at 8:00 AM, Tobias Brunner wrote:

> > Question: Is there a way to know, when we parse the response from Davici,
> > which connection is deleted? If yes, in which parameter of davici do we get
> > the information? I see reqcb() parse the davici response.
>
> Two things:  1. Requests queued on the same connection are processed
> sequentially.  2. You can pass user data when queuing a request that's
> later passed to the callback.
>
> Regards,
> Tobias
>


Re: [strongSwan] TPM2.0 and ESAPI

2018-06-26 Thread Andreas Steffen
Hi Piotr,

I've been aware of the emerging ESAPI which is indeed offering increased
security in the communication with the TPM 2.0 and [hopefully] easier
session handling but I wanted to wait for the 2.0.0 stable release,
which apparently happened 5 days ago.

Porting the strongSwan tpm plugin to ESAPI would be made much easier if
the tpm2-tools would also adopt the ESAPI session handling, thus
offering example code on how the new API is supposed to be used.

Regards

Andreas

On 26.06.2018 08:35, Piotr Parus wrote:
> Hello!
> 
> From the source code I see that when strongSwan uses a TPM 2.0 chip it
> uses the TSS System API (SAPI) without sessions. Do the strongSwan
> maintainers have plans to switch to the Enhanced System API (ESAPI), which
> enables easier session handling and encrypting transmission on the wire
> to the TPM chip?
> 
> Best regards,
> 
> Piotr Parus
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==


Re: [strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread Tobias Brunner
> Question: Is there a way to know, when we parse the response from Davici,
> which connection is deleted? If yes, in which parameter of davici do we get
> the information? I see reqcb() parse the davici response.

Two things:  1. Requests queued on the same connection are processed
sequentially.  2. You can pass user data when queuing a request that's
later passed to the callback.

Regards,
Tobias
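
The pattern from the reply above, as an added example that is not part of the original mail and is not davici code: a stand-in queue (its types, function names and the SA names are hypothetical) shows how a per-request context pointer identifies which connection each terminate result belongs to. With davici itself, that context would be the user data passed when queuing the request.

```c
#include <stdio.h>

/* Stand-in for a VICI client queue (NOT the davici API): it models only FIFO
 * processing and an opaque user pointer handed back to the callback. */
typedef void (*req_cb)(int err, void *user);
struct request { req_cb cb; void *user; };
struct queue { struct request items[8]; int head, tail; };

/* Per-request context: which IKE SA this terminate was issued for.
 * Constructed scenario: three SAs with hypothetical names. */
struct term_ctx { const char *ike; int done, err; };
struct term_ctx sas[3] = { {"peer-a", 0, 0}, {"peer-b", 0, 0}, {"peer-c", 0, 0} };

int queue_request(struct queue *q, req_cb cb, void *user) {
    if (q->tail == 8)
        return -1;                          /* queue full */
    q->items[q->tail++] = (struct request){ cb, user };
    return 0;
}

/* Deliver one response to the oldest pending request. */
int dispatch_next(struct queue *q, int err) {
    if (q->head == q->tail)
        return -1;                          /* nothing pending */
    struct request *r = &q->items[q->head++];
    r->cb(err, r->user);
    return 0;
}

/* The user pointer tells the callback which connection the result is for. */
void terminate_cb(int err, void *user) {
    struct term_ctx *ctx = user;
    ctx->done = 1;
    ctx->err = err;
    printf("terminate %s: %s\n", ctx->ike, err ? "failed" : "ok");
}

/* Terminate peer-a and peer-c, feed two constructed replies (ok, then -1),
 * and return how many SAs were confirmed terminated. */
int run_demo(void) {
    struct queue q = { .head = 0, .tail = 0 };
    queue_request(&q, terminate_cb, &sas[0]);
    queue_request(&q, terminate_cb, &sas[2]);
    dispatch_next(&q, 0);
    dispatch_next(&q, -1);
    return (sas[0].done && !sas[0].err) + (sas[1].done && !sas[1].err)
         + (sas[2].done && !sas[2].err);
}
int main(void) { return run_demo() == 1 ? 0 : 1; }
```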


[strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread rajeev nohria
Scenario: strongSwan has established multiple IKE connections with
different peers.

Let's say we have three different connections. Out of those we plan to
delete two connections by initiating the davici terminate command.

Question: Is there a way to know, when we parse the response from Davici,
which connection is deleted? If yes, in which parameter of davici do we get
the information? I see reqcb() parse the davici response.

Thanks,
Rajeev


Re: [strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-06-26 Thread rajeev nohria
Hi Tobias,

Which parameter do we use to configure the specific remote IP address for a
connection, so that we can reject the messages from any other IP address?
I am assuming we are talking about one of the parameters in swanctl.conf.

If we are talking about connections..remote_addrs..
I did configure remote_addrs; that does not help strongSwan to ignore the
IKE-SA-INIT response from a bogus IPv6 address. Is iptables the only way to
stop it?

Thanks,
Rajeev

On Wed, May 23, 2018 at 3:42 AM, Tobias Brunner wrote:

> Hi Rajeev,
>
> > I would
> > imagine it should be rejected.
>
> Why?  Unless you configure specific remote IP addresses for a connection
> there is no reason to reject messages from any IPs.
>
> Regards,
> Tobias
>