ossible?
>
> Regards, Nerijus
>
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University
the Linux kernel
starting with 2.6.39.
http://www.strongswan.org/uml/testresults/ikev2/net2net-esn/
Best regards
Andreas Steffen, Tobias Brunner, Martin Willi
The strongSwan Team
======
ERNAL_IP4_DNS") in the Configuration payload to my SeGW, but
> strongSwan always includes only one attribute
> ("INTERNAL_IP4_ADDRESS"), any configuration I am missing here? I
> remember strongSwan used to be able to send multiple. I
11 17:06, Patricia de Noriega wrote:
> How I can bind that interface by means of the ipsec.conf file?
>
> Best regards,
>
> On 29 July 2011 16:51, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>
> Would it help to bind the virtual IP to a dumm
in, any ideas?
>
> Regards,
> Tobias
==========
tp://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19
> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d
>
======
fe80::215:17ff:fecc:4408 disappeared from eth3
> 05[KNL] interface eth3 deactivated
> 16[IKE] requesting address change using MOBIKE
> 16[ENC] generating INFORMATIONAL request 8 [ N(NO_ADD_ADDR) ]
> 16[IKE] checking path 10.xx.xx.197[4500]
>
>
>
>
> On Thu, Jul 28, 2011 at
> I wanted to check if this is an expected behavior or is a bug (known)
> in strongswan.
>
> Thanks,
> Vinay
==========
000 "VPN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "VPN": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32;
> interface: wlan0;
> 000 "VPN": newest ISAKMP SA: #3; newest IPsec SA: #0;
>
> SPI: /ca075713_i /
> /
> /
> I have attached my ipsec.conf file if you may need to have a look. Also
> I have checked the sysctl variables for ip forwarding and enabled the
> ipv4 forwarding for all interfaces.
>
> Can you help whether the previously established CHILD_SA
Hello Daniel,
On 22.07.2011 17:56, Daniel Mentz wrote:
> Dear strongSwan team,
>
> thanks for the great work. I have some comments regarding the following
> change:
>
> On 07/19/2011 01:00 AM, Andreas Steffen wrote:
>> PASS and DROP shunt policie
Hello Thomas,
this NAT-T bug affects IKEv2 only.
Regards
Andreas
On 22.07.2011 09:15, Thomas Jarosch wrote:
> On Thursday, 21. July 2011 15:09:27 Andreas Steffen wrote:
>> Please be aware that a serious NAT-T bug was fixed in strongSwan
>> 4.5.1 and later versions which i
C_IKE_INVALID_POLICY)
> [1]04C0.1600::07/21/2011-11:51:50.419 [user]IkeConstructOakQMInitiator
> failed with HRESULT 0x80073625(ERROR_IPSEC_IKE_INVALID_POLICY)
> [1]04C0.1600::07/21/2011-11:51:50.419 [user]IkeConstructQM failed with
> HRESULT 0x80073625(ERROR_IPSEC_IKE_INVALID_POLICY)
> [1]04C0.1600
Swan
> listening only on port 500 (and using port 500 for connections);
> nat_traversal=yes moves the listening port and destination port to 4500.
> This is contrary to what my belief was how NAT Traversal works.
>
> Can you comment please?
>
> Regards,
> Holger
>
ication = no
> }
>
> Is the above block required in the strongswan.conf file?..
>
>
> Regards
>
> Arnab
======
.EL and if we disable firewall.
>
> Regards
> Arnab
==========
v2/net2net-esn/
Please test the release candidate and give us feedback.
ETA for the stable 4.5.3 release is end of July.
Kind regards
Andreas
======
166/
>
> / leftcert=/etc/ipsec.d/certs/hostB.pem/
>
> / right=172.19.2.101/
>
> / rightsubnet=0.0.0.0/0/
>
> / mark=20/
>
> / auto=add/
>
> / leftid=www.hostB.org/
>
> / rightid=www.hostA.org/
>
, so I can't specify an IP address in the
>>> range, or similar, and I'm at a complete loss how to accomplish this
>>> now.
>>> 3) this is somewhat less. there's no way to specify a certificate
>>> attribute as hostname or other, anything except the "ik
y an IP address in the
> range, or similar, and I'm at a complete loss how to accomplish this now.
> 3) this is somewhat less. there's no way to specify a certificate
> attribute as hostname or other, anything except the "ikev2 identity"
> can't be pa
>
> Also is there any dependency on the kernel version for the
> support. Right now I have the kernel version 2.6.35
>
> Regards
> Arnab
==
send such packets to?
>
> > mark_in=11
> > mark_out=10
>
> Using the same mark for in and out is probably simpler, you can set both
> marks by using:
>
> mark=10
>
> Regards
> Martin
>
>
>
>
>
> _
l 2011 12:32:42 +0200
>>
>> Hi Olivier,
>>
>> > authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with EAP
> successful
>> > constraint check failed: identity 'C=BE, O=CISCO, OU=TAC,
> CN=10.1.1.254' required
>>
>>
@lists.strongswan.org
> Subject: trying to configure strongswan to act like a windows7 client
> Date: Sun, 10 Jul 2011 11:57:57 +0200
>
> Hello,
>
>
> I would like to emulate a windows7 ikev2 client by using strongswan.
> Does anyone have an idea?
>
> Cheers,
x strongSwan, CN=strongSwan Root CA"
crl is valid: until Jun 13 17:32:37 2011
Regards
Andreas
On 07/07/2011 12:08 PM, Andreas Steffen wrote:
> Hello Fabrice,
>
> I'm testing the certificate_distribution_points table in the
> sql/multi-level-ca scenario, where moon n
.education.fr/agriates.crl');
>
> Logs at ipsec listall command execution in log joined file.
>
>
> Is there something wrong ?
>
> Regards,
> Fabrice
>
>
>
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://li
ecause no connection is known for
> 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32
> Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1:
> sending encrypted notification INVALID_ID_INFORMATION to 19.24.143
Oops, "install_routes" should of course be set to *no*.
BTW - a shunt can be removed with
ipsec unroute local-net
and added again with
ipsec route local-net
Regards
Andreas
On 06/29/2011 07:43 AM, Andreas Steffen wrote:
> Hello Fabrice,
>
> strongswan-4.5.3dr
onnière wrote:
> Hello Andreas
>
> Thanks for all what you do.
> I wait for this.
>
> Regards
> Fabrice
>
> On 28/06/2011 11:04, Andreas Steffen wrote:
>> Hello Fabrice,
>>
>> probably today I'm going to release a strongSwan snapshot with
>>
s with Cisco routers (e.g. 3640 )
> set up with a crypto isakmp policy of authentication : rsa_enc? Best
> regards Emil
>
> ________ From: Andreas Steffen
> [andreas.stef...@strongswan.org] Sent: Tuesday, June 28, 2011 5:20
> AM To: Salib, Emil H
> mutually exclusive are they?
>
>
> Terry Hennessy
==========
es. Is there a way to set up a net2net with the 2409 public key
> encryption authentication method (where the ID and Nonce in the second and
> third
> ISAKMP (main mode) messages are encrypted) using StrongSwan?
> Thanks
> Emil
=========
e from ipsec.conf in file mode.
> I've directly set a value in ipsec_updown and it works like i want.
> With IKEv2 on sqlite database, can we configure this variable and does
> it take effect in ipsec_updown script ?
>>
>> Regards
>> Martin
>>
strongSwan 4.5.0
>
>
> Thanks a lot for your help
==========
gent xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2
> Jun 22 14:07:29 gw charon: 00[JOB] spawning 16 worker threads
> Jun 22 14:07:29 gw charon: 09[CFG] received stroke: add connection
>
What is the preferred way
> to do this? Use iptables, mark the traffic and use tc rules
> that choose based on this mark instead?
>
> Thank you.
>
> --lyle
======
this
> work?
>
> Thanks, Clifton
==========
acket: from
> XX.XX.XX.68[4500] to YY.YY.YY.216[4500]
>
> From this I'm guessing, that in fact I need a certificate,
> nevertheless. Is it possible to have the strongswan daemon relay the
> username to the freeradius daemon intact?
>
===
the policy? or is it mark are not visible with ip xfrm policy ls?
> If the latter is true, how can I ensure the mark is part of the policy?
>
> Best regards.
>
> P.S: Do you mind if I send my ifupdown script for kind of a validation
> from you?
>
> On 15/06/2011 09:29, An
re. AFAICT, it outputs the nat and mangle table as well as the
> filter table.
>
> Thanks
> -Daniel
======
06/15/2011 09:29 AM, Johannes Hubertz wrote:
Hello everyone,
On Wednesday 15 June 2011 08:59:52 Andreas Steffen wrote:
iptables-save shows all the rules but unfortunately without
the packet statistics
perhaps this helps?
iptables-save -c
Happy working
Johannes
>
>
> Should be better... hopefully.
==========
at and mangle table as well as the
> filter table.
>
> Thanks
> -Daniel
======
get
> encrypted.
>
> Any suggestions?
>
> Thanks,
> Clifton
==========
bles and iproute... Unfortunately it
> doesn't... well at least it doesn't with my config.
>
> Did I misunderstand these options?
==
tual IP
>
> How comes it is different?
>
If moon's certificate is signed by a CA then you don't have to
import moon's cert via rightcert=. Just copy the CA certificate
into /etc/ipsec.d/cacerts and trust will be established into
moon.
Regards
Andreas
=
ftrsasigkey=/home/some1/ssl/pki/elronde.key
>>leftsourceip=%config
>> right=21.12.5.22
>>rightid=vpn.domain.tld
>>rightsubnet=172.20.0.0/23
>>auto=add
>>
>> when I type sudo ipsec up strongswan, connection seems to come u
on the number of CHILD SAs that can be
> created under a single IKE SA/Tunnel. If yes. Then what is the Max Number
> Thanks and Regards
> Sajal
======
lto:esp.d798a9b8@10.46.155.153> included
> errno 3: No such process
> "conn65535" #3: max number of retransmissions (2) reached STATE_QUICK_R1
> "conn65535" #3: ERROR: netlink response for Del SA
> esp.bb700eae@10.46.155.153 <mailto:e
nd.
>
> Regards,
> Sandeep Malik
>
> On Fri, Jun 10, 2011 at 3:40 PM, Andreas Steffen
> <andreas.stef...@strongswan.org>
> wrote:
>
> Hello Malik,
>
> we are using policy_use_time, because the state_use_time gets set
> only once when
Oops, the correct syntax is
./configure --with-routing-table= \
[ --with-routing-table-number= ]
Andreas
On 10.06.2011 20:55, Andreas Steffen wrote:
> Hello,
>
> for IKEv1 and IKEv2 you can define the actual routing table
> and additionally the table priority du
serted!
>
> Thanks in advance
>
>
> --
> N.Chavoshi
>
--
========
be a scenario where in single policy have multiple SA's
> and one of the SA might be active while rest inactive but the DPD won't
> be triggered for inactive SA's as the policy use_time will keep on updating.
>
> Regards,
> Malik
--
=
06/08/2011 02:15 PM, Kamil Jońca wrote:
> Andreas Steffen
> writes:
>
>> Hello Kamil,
>>
>> strongSwan uses ',' and '/' as reserved characters to separate
>> Relative Distinguished Names in an X.509 Distinguished Name.
>> Therefore CN=h
12:21+02:00 alfa charon: 16[CFG] looking for peer configs
> matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie,
> O=kjonca.kjonca, OU=ipsec, CN=host/bambus@KJONCA]
> 2011-06-08T13:12:21+02:00 alfa charon: 16[CFG] no matching peer config found
> 2011-06-08
0.200.200.20...200.200.200.10
> net-ne.t: loc al: [200.200.200.20] uses pre-shared keey
> authenticationy
> remote: [200.2 00.200.1:0] uses 0any authentication
> net-net: child: 192.:168.2.0/24 === 192.168.12.0/24
> Security Associations:
> None
>
> Rega
mobike=no/
>
> /ike=3des-sha1-md5-modp1024!/
>
> /esp=aes128-3des-sha1-md5!/
>
> /conn net-net/
>
> /authby=secret/
>
> / left=200.200.200.10/
>
> /leftsubnet=192.168.1.0/24/
>
> /leftfirewall
efinitions are sufficients since the IPsec Policies
are set up pairwise in the kernel (both inbound and outbound).
> Regards,
> Hans-Kristian Bakke
>
>
>
>
> On Mon, May 30, 2011 at 09:17, Andreas Steffen
> wrote:
>> Hello Hans-Kristian,
>>
>> first I re
>
> When I run ipsec statusall dns1 gets to STATE_MAIN_I4 (ISAKMP SA
> ESTABLISHED) but the other ones don't seem to do anything.
> The DNS-traffic still goes out unencrypted.
>
> How can I replicate the ACL perfectly with strongswan?
>
> Kind regards
>
> Hans-
/wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
Best regards
Andreas Steffen, Martin Willi, Tobias Brunner
The strongSwan Team
==========
|
> |+---+ |
> | EAP-Response/SIM/Challenge (AT_MAC) |
> |->|
> | |
> | EAP-Success |
> |<
psec.conf. the other
>> hosts' ipsec.conf is equivalent. there is always one initiator for
>> each connection.
>>
>
s always one initiator for
>> each connection.
>>
>
--
==
this possible though a custom _updown script?
>
>
>
> Thank you,
>
> Mark Marwil
==========
> I hope anybody can help me out or lead me in the right direction.
>
> Thank you in advance,
>
> Stefan
>
==
certificates with an expiry date that far in
> the future on amd64?
>
> Thanks,
> Niels
======
y.z.t/a
>
>
>
> Does strongswan-4.2.8 have support for it? In other words, is an IP range
> supported by strongswan? If not, is IP range support in your plans?
>
>
>
> Thanks!
>
>
>
>
>
> Brian
>
--
as the following, without to set reauth=no.
>
> 1. IKE_SA_INIT
> 2. IKE_SA_INIT
> 3. IKE_AUTH
> 4. IKE_AUTH
> 5. INFORMATIONAL (deleting IKE_SA)
> 6. INFORMATIONAL (deleting IKE_SA confirm)
=======
bytes, 133s ago) esp.f0adaa0a@...125 (764 bytes, 132s ago); tunnel
> 000 #1: "vtest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established)
>
> Maybe this asymmetric working comes from some unusual
> setting of the Cisco, and I won't be able to eliminate it
> without their coo
#
> ike=3des-md5-modp1024!
> esp=3des-md5!
> ikelifetime=86400
> pfs=no
>
> Can you help me to understand what happens?
> (Omitting the strict !s from the config doesn't help.)
> Regards
> Zoltan
>
>
ng Client Bob.
> Using a network sniffer I am able to see that Moon’s pings are being
> encapsulated, and Alice’s pings are being NATed but not encapsulated.
>
>
>
> Any suggestions?
>
>
>
> Thank you,
>
> Mark
=
additional routes for the payload
traffic?
Andreas
On 05/10/2011 03:07 PM, Pavel Arnošt wrote:
> It looks like that there are zeroes everywhere.
>
> --
> From: "Andreas Steffen"
> Sent: Tuesday, May 10, 2011 2:50 PM
> To: "
7.96.15).
>
> eth1 is external interface and eth0 is internal interface with IP
> 172.24.26.65 assigned:
>
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen
> 1000
> link/ether 00:18:fe:32:56:08 brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> inet 172.24.26.65/26 brd 172.24.26.1
all.
> Do you have any idea what can be wrong?
> Thanks,
> Regards,
> Pavel Arnost
>
>
>
--
> URL:http://www.visec.info
> |-|
======
in about 10 days.
Kind regards
Andreas
==========
TREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
> May 9 23:11:26 vc2 charon: 15[NET] sending packet: from
> 10.58.113.118[4500] to 10.58.113.37[4500]
> May 9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message
> ID 1
> May 9 23:11
--
==
>
> config setup
> plutodebug=control
> charonstart=no
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev1
> authby=secret
>
> conn pskv1
> left=172.16.18.202
> leftfirewall=yes
>
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
==
On 05/05/2011 03:02 PM, Kamil Jońca wrote:
> Andreas Steffen
> writes:
>
> --8<---cut here---start->8---
>>
>> src 192.168.0.1 dst 192.168.0.100
>> proto comp spi 0xbdf9(48633) reqid 1(0x0001) mode tunnel
>
2011-02-10 20:32:07
stats:
replay-window 0 replay 0 failed 0
Regards
Andreas
On 05.05.2011 12:10, Kamil Jońca wrote:
>
> How can I check if compression directive works?
> KJ
======
> ps. Andreas Steffen, thank you for your response to my post a few weeks
> ago. That solved the problem.
>
>
>
> Terry Hennessy
==
also in the connections other algorithms are defined.
> The Windows 7 client can't connect as a result of this.
> If I remove the strict flags everything works as intended.
>
> Is it only possible to have one global (even if defined inside a
> connection) single ike/esp definitio
o[6843]: |protocol ID: 1
> pluto[6843]: |SPI size: 0
> pluto[6843]: |Notify Message Type: INVALID_ID_INFORMATION
>
>
> On the remote side, traffic is directed to the host having a private IP
> address (192.168.230.3). How can I instruct StrongSw
no
> one has
> reported it. Doesn't anybody have any clue, at least? :)
==========
_part_enumerator = 0x508940 , clone =
> 0x508d00 , destroy = 0x508420 }
> (gdb) s
>
> Unfortunately, I can't yet see offhand how, where and why this comes about
> when the config is read in.
>
> Regards
>
> Olaf
>
>
wall hitting the
>> right firewall. The only peculiarity may be that the left firewall
>> is within an Amazon cloud but I'm led to believe this should not
>> stop the ipsec tunnel from building - please help if you can?
>> Regards, Neil.
-- fatal errors in config
>
>
>
> Version
> Linux strongSwan U4.4.1/K2.6.32-25-generic
>
> I've been reading in the mailing list, but couldn't find anything.
>
> Any idea?
>
> Ing Arturo Ochoa
> Blog: http://arturoochoa.wordpress.com
=
uthentication
> gateway: child: dynamic === dynamic
> Security Associations:
> none
>
>
> The charon.log snippet shows:
> --
> Apr 2 19:06:13 10[IKE] received end entity cert "CN=Node B,
> ST=Minnesota, C=US"
mmand.
>
> Maybe there are any other alternatives? I need to port one application
> that currently uses OpenSwan addcon feature to the Strongswan with
> minimal source code changes.
>
> Regards,
> Ansis
=========
.g., netkey and KLIPS. Thanks - John
==========
is a duplicated packet)
> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> received Delete SA payload: del
HILD_SA. How will
> this happen? Can strongswan handle it, or should I use some other tool?
>
> I know these questions might be kind of silly, but please help me get a
> better idea of what I'm doing.
>
> Thanks and regards,
> Meera
==
conn L2TP
> authby=psk
> pfs=no
> rekey=no
> type=tunnel
> esp=aes128-sha1
> ike=aes128-sha-modp1024
> left=192.168.1.10
> leftnexthop=%defaultroute
> #leftprotoport=17/%any
> leftprotoport=17/17
er machine, plus the
> OUTPUT chain on both is set to ACCEPT
>
> I'm not 100% sure I've answered your question - shout back if you need
> any more info
>
> Cheers
>
> Russ
>
==========
> I noticed you are using 'forceencaps=yes', so I think your traffic will not
> be ESP but UDP port 4500.
> Do you see any of those packets?
> Cheers,
> Alexis
==========
ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst
Hello Alexis,
ipsec statusall does not show the configuration of PFS. But with
charondebug="cfg 2"
you can verify the PFS negotiation in the charon log.
Best regards
Andreas
On 03/18/2011 12:45 AM, Alexis Salinas wrote:
Hi All,
I'm wondering if someone knows how to check if PFS is enabled
chor.
>
> Could you please help me sort this out?
>
Consult the following link on how to set up a simple PKI:
http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
> Thanks in advance,
>
> Meera
Regards
Andreas
==