Re: [strongSwan] strict crl policy
Hi,

Double check two things:

1 - Make sure the revocation plugin is loaded, use "ipsec statusall"
2 - Make sure the crl is loaded, use "ipsec listcrls"

--Jafar

On 9/24/2021 3:14 PM, Modster, Anthony wrote:
> Hello
>
> Does setting strict CRL policy to yes still work?
> The CRL's for TA and SCA are removed.
> Was expecting the VPN tunnel not to make a connection.
>
> strongSwan 5.8.2
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     charondebug="ike 2,cfg 2"
>     strictcrlpolicy=yes
>     # uniqueids = no
>
> Teledyne Confidential; Commercially Sensitive Business Data
[strongSwan] strict crl policy
Hello

Does setting strict CRL policy to yes still work?
The CRL's for TA and SCA are removed.
Was expecting the VPN tunnel not to make a connection.

strongSwan 5.8.2

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="ike 2,cfg 2"
    strictcrlpolicy=yes
    # uniqueids = no

Attachment: security-env03-charon.log
[strongSwan] problem with setup for android connecting in
Hi all,

trying to re create our strongswan setup on a new server, we had a working proof of concept but the old server was scrapped. We had some files copied for the config that unfortunately aren't working for some reason now. Also, with charon debug we are not receiving logs for some reason, nothing in journalctl to help either?

The scenario:

server with an external facing IP hosting strongswan (no firewall currently for testing setup)

clients connecting in via mobile strongswan with certificate and EAP so that they can be on the network, the plan is to have it so that any phone traffic routes through here and any other traffic doesn't.

we have done the local server as the ca for testing, and copied the ca cert to the phone, however it won't connect, as there's no logs server side this doesn't help (but a tcpdump when trying to connect shows:

isakmp: isakmp: parent_sa ikev2_init[I] admin prohibited filter, length 556

phone logs show: unable to terminate ike_sa, peer not responding

Here is the config file that i named "android working" from the old server that isn't working now. (there are duplicate entries of right send cert, should this be never?, also for the right auth, what should i be expecting my .secrets file to look like?)

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=my-servers-external-ip
    leftcert=the-server-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!

any help much appreciated
thank you kindly
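An added example, my own code rather than anything posted by the list members: a small ipsec.conf linter that reports whether strictcrlpolicy is set in "config setup" (the question in the strict crl policy thread above; strongSwan's default is no) and flags keys assigned more than once in a single section, as rightsendcert is in the android conn above. The sample config is constructed for this example and only models the posted fragments; the parser treats any unquoted "#" as a comment start.

```python
import re

# Constructed sample modelled on the configs posted in this thread (not the posters' files).
SAMPLE_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    keyexchange=ikev2
    leftsendcert=always
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsendcert=never
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments (unquoted '#' only)
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m and not raw[:1].isspace():           # section headers start in column 0
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value.strip('"')))
    return sections

def find_duplicate_keys(entries):
    """Keys assigned more than once in one section, with every value given."""
    seen = {}
    for key, value in entries:
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}

def lint(text):
    """Report strictcrlpolicy (strongSwan default: no) and per-section duplicate keys."""
    sections = parse_ipsec_conf(text)
    setup = dict(sections.get("config setup", []))
    dups = {n: find_duplicate_keys(e) for n, e in sections.items()}
    return {"strictcrlpolicy": setup.get("strictcrlpolicy", "no"),
            "duplicates": {n: d for n, d in dups.items() if d}}
```

Running lint(SAMPLE_CONF) shows strictcrlpolicy falling back to the default and rightsendcert carrying both "always" and "never" in conn ikev2-vpn, so the ambiguity is visible before charon is even started.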
Re: [strongSwan] docker strongswan image
Hi Anthony,

here is a ready-made strongSwan 5.9.3 docker image:

https://hub.docker.com/repository/docker/strongx509/strongswan

and here the Dockerfile with which it was built:

https://github.com/strongX509/docker/tree/master/strongswan

The Ubuntu 20.04 image used doesn't come equipped with systemd, so we just start the charon daemon in the background. If you need additional strongSwan plugins then just extend the ./configure command in the Dockerfile.

./configure --prefix=/usr --sysconfdir=/etc --disable-defaults \
    --enable-charon --enable-ikev2 --enable-nonce --enable-random \
    --enable-openssl --enable-pkcs1 --enable-pkcs8 --enable-pkcs12 \
    --enable-pem --enable-x509 --enable-pubkey --enable-constraints \
    --enable-pki --enable-socket-default --enable-kernel-netlink \
    --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic \
    --enable-eap-tls --enable-updown --enable-vici --enable-drbg \
    --enable-swanctl --enable-silent-rules && \

Best regards

Andreas

On 24.09.21 02:15, Modster, Anthony wrote:
> Hello
>
> Is there information on creating a Docker Strongswan image?
>
> Thanks

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==