Re: [strongSwan] except certain protocols from IPsec encryption

2011-08-04 Thread Andreas Steffen
ossible? > > Regards, Nerijus > ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University

[strongSwan] ANNOUNCE: strongswan-4.5.3 released

2011-08-04 Thread Andreas Steffen
the Linux kernel starting with 2.6.39. http://www.strongswan.org/uml/testresults/ikev2/net2net-esn/ Best regards Andreas Steffen, Tobias Brunner, Martin Willi The strongSwan Team ====== Andre

Re: [strongSwan] Question on sending "INTERNAL_IP4_SUBNET" in CFG

2011-08-04 Thread Andreas Steffen
ERNAL_IP4_DNS") in the Configuration payload to my SeGW, but > strongSwan always includes only one attribute > ("INTERNAL_IP4_ADDRESS"), any configuration I am missing here? I > remember strongSwan used to be able to send multiple. I

Re: [strongSwan] MOBIKE

2011-07-29 Thread Andreas Steffen
11 17:06, Patricia de Noriega wrote: > How I can bind that interface by means of the ipsec.conf file? > > Best regards, > > On 29 July 2011 16:51, Andreas Steffen <mailto:andreas.stef...@strongswan.org>> wrote: > > Would it help to bind the virtual IP do a dumm

Re: [strongSwan] MOBIKE

2011-07-29 Thread Andreas Steffen
in, any ideas? > > Regards, > Tobias ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Scien

Re: [strongSwan] MOBIKE

2011-07-29 Thread Andreas Steffen
tp://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7a59f19 > http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c1965d > ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN

Re: [strongSwan] VPN connection issue on changing port speed to 10 Mbps (from 1000 Mbps)

2011-07-28 Thread Andreas Steffen
fe80::215:17ff:fecc:4408 disappeared from eth3 > 05[KNL] interface eth3 deactivated > 16[IKE] requesting address change using MOBIKE > 16[ENC] generating INFORMATIONAL request 8 [ N(NO_ADD_ADDR) ] > 16[IKE] checking path 10.xx.xx.197[4500] > > > > > On Thu, Jul 28, 2011 at

Re: [strongSwan] VPN connection issue on changing port speed to 10 Mbps (from 1000 Mbps)

2011-07-28 Thread Andreas Steffen
> I wanted to check if this is an expected behavior or is a bug (known) > in strongswan. > > Thanks, > Vinay ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!

Re: [strongSwan] strongswan to lancom. No ip via ike-configmode

2011-07-28 Thread Andreas Steffen
000 "VPN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; > rekey_fuzz: 100%; keyingtries: 0 > 000 "VPN": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; > interface: wlan0; > 000 "VPN": newest ISAKMP SA: #3; newest IPsec SA: #0; >

Re: [strongSwan] Regarding Site-to-Site Tunnel for IPSec

2011-07-28 Thread Andreas Steffen
> SPI: /ca075713_i / > / > / > I have attached my ipsec.conf file if you may need to have a look. Also > I have checked the sysctl variables for ip forwarding and enabled the > ipv4 forwarding for all interfaces. > > Can you help whether the previously established CHILD_SA

Re: [strongSwan] [strongSwan-dev] PASS and DROP shunt policies

2011-07-27 Thread Andreas Steffen
Hello Daniel, On 22.07.2011 17:56, Daniel Mentz wrote: > Dear strongSwan team, > > thanks for the great work. I have some comments regarding the following > change: > > On 07/19/2011 01:00 AM, Andreas Steffen wrote: >> PASS and DROP shunt policie

Re: [strongSwan] NAT Traversal - Issues in understanding

2011-07-22 Thread Andreas Steffen
Hello Thomas, this NAT-T bug affects IKEv2 only. Regards Andreas On 22.07.2011 09:15, Thomas Jarosch wrote: > On Thursday, 21. July 2011 15:09:27 Andreas Steffen wrote: >> Please be aware that a serious NAT-T bug was fixed in strongSwan >> 4.5.1 and later versions which i

Re: [strongSwan] PSK Windows Vista/7 to NATted strongswan problems

2011-07-21 Thread Andreas Steffen
C_IKE_INVALID_POLICY) > [1]04C0.1600::07/21/2011-11:51:50.419 [user]IkeConstructOakQMInitiator > failed with HRESULT 0x80073625(ERROR_IPSEC_IKE_INVALID_POLICY) > [1]04C0.1600::07/21/2011-11:51:50.419 [user]IkeConstructQM failed with > HRESULT 0x80073625(ERROR_IPSEC_IKE_INVALID_POLICY) > [1]04C0.1600

Re: [strongSwan] NAT Traversal - Issues in understanding

2011-07-21 Thread Andreas Steffen
Swan > listening only on port 500 (and using port 500 for connections); > nat_traversal=yes moves the listening port and destination port to 4500. > This is contrary to what my belief was how NAT Traversal works. > > Can you comment please? > > Regards, > Holger >

Re: [strongSwan] IKEv2 Over IPv6

2011-07-20 Thread Andreas Steffen
ication = no > } > > Is the above block required in the strongswan.conf file?.. > > > Regards > > Arnab ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the

Re: [strongSwan] IKEv2 Over IPv6

2011-07-20 Thread Andreas Steffen
.EL and if we disable firewall. > > Regards > Arnab ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications

[strongSwan] ANNOUNCE: strongswan-4.5.3rc1 released

2011-07-19 Thread Andreas Steffen
v2/net2net-esn/ Please test the release candidate and give us a feedback. ETA for the stable 4.5.3 release is end of July. Kind regards Andreas ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan -

Re: [strongSwan] CHILD_SA can't setup with the configuration of MARK keywords

2011-07-17 Thread Andreas Steffen
166/ > > / leftcert=/etc/ipsec.d/certs/hostB.pem/ > > / right=172.19.2.101/ > > / rightsubnet=0.0.0.0/0/ > > / mark=20/ > > / auto=add/ > > / leftid=www.hostB.org/ > > / rightid=www.hostA.org/ >

Re: [strongSwan] ipsec detection on isc dhcpd

2011-07-14 Thread Andreas Steffen
, so I can't specify an IP address in the >>> range, or similar, and I'm at a complete loss how to accomplish this >>> now. >>> 3) this is somewhat less. there's no way to specify a certificate >>> attribute as hostname or other, anything except the "ik

Re: [strongSwan] ipsec detection on isc dhcpd

2011-07-14 Thread Andreas Steffen
y an IP address in the > range, or similar, and I'm at a complete loss how to accomplish this now. > 3) this is somewhat less. there's no way to specify a certificate > attribute as hostname or other, anything except the "ikev2 identity" > can't be pa

Re: [strongSwan] IKEv2 Over IPv6

2011-07-13 Thread Andreas Steffen
> > Also is there any dependency on the kernel version for the > support. Right now I have the kernel version 2.6.35 > > Regards > Arnab == Andreas Steffen

Re: [strongSwan] Multiple tunnels between same peer

2011-07-13 Thread Andreas Steffen
send such packets to? > > > mark_in=11 > > mark_out=10 > > Using the same mark for in and out is probably simpler, you can set both > marks by using: > > mark=10 > > Regards > Martin > > > > > > _

Re: [strongSwan] trying to configure strongswan to act like a windows7 client

2011-07-11 Thread Andreas Steffen
l 2011 12:32:42 +0200 >> >> Hi Olivier, >> >> > authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with EAP > successful >> > constraint check failed: identity 'C=BE, O=CISCO, OU=TAC, > CN=10.1.1.254' required >> >>

Re: [strongSwan] trying to configure strongswan to act like a windows7 client

2011-07-10 Thread Andreas Steffen
@lists.strongswan.org > Subject: trying to configure strongswan to act like a windows7 client > Date: Sun, 10 Jul 2011 11:57:57 +0200 > > Hello, > > > I would like to emulate a windows7 ikev2 client by using strongswan. > Does anyone have an idea? > > Cheers,

Re: [strongSwan] Strongswan 4.5.1 sqlite database crl URI

2011-07-07 Thread Andreas Steffen
x strongSwan, CN=strongSwan Root CA" crl is valid: until Jun 13 17:32:37 2011 Regards Andreas On 07/07/2011 12:08 PM, Andreas Steffen wrote: > Hello Fabrice, > > I'm testing the certificate_distribution_points table in the > sql/multi-level-ca scenario, where moon n

Re: [strongSwan] Strongswan 4.5.1 sqlite database crl URI

2011-07-07 Thread Andreas Steffen
.education.fr/agriates.crl'); > > Logs at ipsec listall command execution in log joined file. > > > Is there something wrong ? > > Regards, > Fabrice > > > > ___ > Users mailing list > Users@lists.strongswan.org > https://li

Re: [strongSwan] Help Connecting Strongswan to iPhone

2011-06-29 Thread Andreas Steffen
ecause no connection is known for > 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32 > Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: > sending encrypted notification INVALID_ID_INFORMATION to 19.24.143

Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-28 Thread Andreas Steffen
Oops, "install_routes" should of course be set to *no*. BTW - a shunt can be removed with ipsec unroute local-net and added again with ipsec route local-net Regards Andreas On 06/29/2011 07:43 AM, Andreas Steffen wrote: > Hello Fabrice, > > strongswan-4.5.3dr

Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-28 Thread Andreas Steffen
onnière wrote: > Hello Andreas > > Thanks for all what you do. > I wait for this. > > Regards > Fabrice > > On 28/06/2011 11:04, Andreas Steffen wrote: >> Hello Fabrice, >> >> probably today I'm going to release a strongSwan snapshot with >>

Re: [strongSwan] IKEv1 - Authentication Methods - RFC 2409 Public Key Encryption support in Strongswan

2011-06-28 Thread Andreas Steffen
s with Cisco routers (e.g. 3640 ) > set up with a crypto isakmp policy of authentication : rsa_enc? Best > regards Emil > > ________ From: Andreas Steffen > [andreas.stef...@strongswan.org] Sent: Tuesday, June 28, 2011 5:20 > AM To: Salib, Emil H

Re: [strongSwan] TNCCS-2.0 - radius

2011-06-28 Thread Andreas Steffen
> mutually exclusive are they? > > > Terry Hennessy ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applicatio

Re: [strongSwan] IKEv1 - Authentication Methods - RFC 2409 Public Key Encryption support in Strongswan

2011-06-28 Thread Andreas Steffen
es. Is there a way to set up a net2net with the 2409 public key > encryption authentication method (where the ID and Nonce in the second and > third > ISKAMP (main mode) messages are encrypted) using StrongSwan? > Thanks > Emil =========

Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-28 Thread Andreas Steffen
e from ipsec.conf in file mode. > I've directly set a value in ipsec_updown and it works like i want. > With IKEv2 on sqlite database, can we configure this variable and does > it take effect in ipsec_updown script ? >> >> Regards >> Martin >>

Re: [strongSwan] Question on sending "INTERNAL_IP4_DNS" in CFG

2011-06-25 Thread Andreas Steffen
srtongSwan 4.5.0 > > > Thanks a lot for your help ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and

Re: [strongSwan] Pretty urgent: Removed user still able to connect

2011-06-22 Thread Andreas Steffen
gent xcbc hmac attr kernel-netlink resolve socket-raw stroke updown > eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 > Jun 22 14:07:29 gw charon: 00[JOB] spawning 16 worker threads > Jun 22 14:07:29 gw charon: 09[CFG] received stroke: add connection >

Re: [strongSwan] question on prioritizing traffic with iproute2 tc and strongswan

2011-06-20 Thread Andreas Steffen
What is the preferred way > to do this? Use iptables, mark the traffic and use tc rules > that choose based on this mark instead? > > Thank you. > > --lyle ====== Andreas Steffen

Re: [strongSwan] Problem sending a packet out a raw socket over IPsec

2011-06-20 Thread Andreas Steffen
this > work? > > Thanks, Clifton ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Appl

Re: [strongSwan] strongswan and a windows7 client without cert

2011-06-18 Thread Andreas Steffen
acket: from > XX.XX.XX.68[4500] to YY.YY.YY.216[4500] > >>From this I'm guessing, that in fact I need a certificate, > nevertheless. Is it possible to have the strongswan daemon relay the > username to the freeradius daemon intact? > ===

Re: [strongSwan] strongswan routing

2011-06-16 Thread Andreas Steffen
the policy? or is it mark are not visible with ip xfrm policy ls? > Is the later is true how can I ensure mark in part of the policy? > > Best regards. > > P.S: Do you mind if I send my ifupdown sscript for kind of a validation > from you? > > On 15/06/2011 09:29, An

Re: [strongSwan] Test framework not showing iptables rules in tables other than 'filter'

2011-06-15 Thread Andreas Steffen
re. AFAICT, it outputs the nat and mangle table as well as the > filter table. > > Thanks > -Daniel ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!

Re: [strongSwan] Test framework not showing iptables rules in tables other than 'filter'

2011-06-15 Thread Andreas Steffen
06/15/2011 09:29 AM, Johannes Hubertz wrote: Hello all, On Wednesday 15 June 2011 08:59:52 Andreas Steffen wrote: iptables-save shows all the rules but unfortunately without the packet statistics perhaps this helps? iptables-save -c Happy working Johannes

Re: [strongSwan] strongswan routing

2011-06-15 Thread Andreas Steffen
> > > Should be better... hopefully. ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences

Re: [strongSwan] Test framework not showing iptables rules in tables other than 'filter'

2011-06-15 Thread Andreas Steffen
at and mangle table as well as the > filter table. > > Thanks > -Daniel ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and App

Re: [strongSwan] Help with fowarding an IP packet on a VPN connection

2011-06-14 Thread Andreas Steffen
get > encrypted. > > Any suggestions? > > Thanks, > Clifton ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Instit

Re: [strongSwan] strongswan routing

2011-06-13 Thread Andreas Steffen
bles and iproute... Unfortunately it > doesn't... well at least it doesn't with my config. > > Did I missunderstood this options? == Andreas Steffen andreas.stef...@strongswan.org strongSw

Re: [strongSwan] strongswan client configuration

2011-06-13 Thread Andreas Steffen
tual IP > > How comes it is different? > If moon's certificate is signed by a CA then you don't have to import moon's cert via rightcert=. Just copy the CA certificate into /etc/ipsec.d/cacerts and trust will be established into moon. Regards Andreas =

Re: [strongSwan] strongswan client configuration

2011-06-13 Thread Andreas Steffen
ftrsasigkey=/home/some1/ssl/pki/elronde.key >>leftsourceip=%config >> right=21.12.5.22 >>rightid=vpn.domain.tld >>rightsubnet=172.20.0.0/23 >>auto=add >> >> when I type sudo ipsec up strongswan, connection seems to come u

Re: [strongSwan] Limit on Max Number of CHILD SA (VPN) under an IKE Tunnel

2011-06-13 Thread Andreas Steffen
on the number of CHILD SAs that can be > created under a single IKE SA/Tunnel. If yes. Then what is the Max Number > Thanks and Regards > Sajal ====== Andreas Steffen andreas.stef...@strongswan.org s

Re: [strongSwan] Strongswan ikev1 any-any protect policy

2011-06-13 Thread Andreas Steffen
lto:esp.d798a9b8@10.46.155.153> included > errno 3: No such process > "conn65535" #3: max number of retransmissions (2) reached STATE_QUICK_R1 > "conn65535" #3: ERROR: netlink response for Del SA > esp.bb700eae@10.46.155.153 <mailto:e

Re: [strongSwan] Query regarding DPD with Linux

2011-06-13 Thread Andreas Steffen
nd. > > Regards, > Sandeep Malik > > On Fri, Jun 10, 2011 at 3:40 PM, Andreas Steffen > mailto:andreas.stef...@strongswan.org>> > wrote: > > Hello Malik, > > we are using policy_use_time, because the state_use_time gets set > only once when

Re: [strongSwan] By default strongswan inserts related routes to routing table 220!!

2011-06-10 Thread Andreas Steffen
Oops, the correct syntax is ./configure --with-routing-table= \ [ --with-routing-table-number= ] Andreas On 10.06.2011 20:55, Andreas Steffen wrote: > Hello, > > for IKEv1 and IKEv2 you can define the actual routing table > and additionally the table priority du

Re: [strongSwan] By default strongswan inserts related routes to routing table 220!!

2011-06-10 Thread Andreas Steffen
serted! > > Thanks in advance > > > -- > N.Chavoshi > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users -- ========

Re: [strongSwan] Query regarding DPD with Linux

2011-06-10 Thread Andreas Steffen
be a scenario where in single policy have multiple SA's > and one of the SA might be active while rest inactive but the DPD won't > be triggered for inactive SA's as the policy use_time will keep on updating. > > Regards, > Malik -- =

Re: [strongSwan] Error 13801 in windows

2011-06-08 Thread Andreas Steffen
06/08/2011 02:15 PM, Kamil Jońca wrote: > Andreas Steffen > writes: > >> Hi Kamil, >> >> strongSwan uses ',' and '/' as reserved characters to separate >> Relative Distinguished Names in an X.509 Distinguished Name. >> Therefore CN=h

Re: [strongSwan] Error 13801 in windows

2011-06-08 Thread Andreas Steffen
12:21+02:00 alfa charon: 16[CFG] looking for peer configs > matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie, > O=kjonca.kjonca, OU=ipsec, CN=host/bambus@KJONCA] > 2011-06-08T13:12:21+02:00 alfa charon: 16[CFG] no matching peer config found > 2011-06-08

Re: [strongSwan] unable to allocate SPIs from kernel

2011-06-08 Thread Andreas Steffen
0.200.200.20...200.200.200.10 > net-ne.t: loc al: [200.200.200.20] uses pre-shared keey > authenticationy > remote: [200.2 00.200.1:0] uses 0any authentication > net-net: child: 192.:168.2.0/24 === 192.168.12.0/24 > Security Associations: > None > > Rega

Re: [strongSwan] unable to allocate SPIs from kernel

2011-06-08 Thread Andreas Steffen
mobike=no/ > > /ike=3des-sha1-md5-modp1024!/ > > /esp=aes128-3des-sha1-md5!/ > > /conn net-net/ > > /authby=secret/ > > / left=200.200.200.10/ > > /leftsubnet=192.168.1.0/24/ > > /leftfirewall

Re: [strongSwan] Replicate Cisco like ACL with strongswan

2011-05-30 Thread Andreas Steffen
efinitions are sufficients since the IPsec Policies are set up pairwise in the kernel (both inbound and outbound). > Regards, > Hans-Kristian Bakke > > > > > On Mon, May 30, 2011 at 09:17, Andreas Steffen > wrote: >> Hello Hans-Kristian, >> >> first I re

Re: [strongSwan] Replicate Cisco like ACL with strongswan

2011-05-30 Thread Andreas Steffen
> > When I run ipsec statusall dns1 gets to STATE_MAIN_I4 (ISAKMP SA > ESTABLISHED) but the other ones doesn't seem to do anything. > The DNS-traffic still goes out unencrypted. > > How can I replicate the ACL perfectly with strongswan? > > Kind regards > > Hans-

[strongSwan] ANNOUNCE: strongswan-4.5.2 released

2011-05-25 Thread Andreas Steffen
/wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites Best regards Andreas Steffen, Martin Willi, Tobias Brunner The strongSwan Team ========== Andreas Steffen andreas.stef...@stron

Re: [strongSwan] EAP-SIM Identity Request/Response

2011-05-24 Thread Andreas Steffen
| > |+---+ | > | EAP-Response/SIM/Challenge (AT_MAC) | > |->| > | | > | EAP-Success | > |<

Re: [strongSwan] problems with charon in 4.4.1

2011-05-23 Thread Andreas Steffen
psec.conf. the other >> hosts' ipsec.conf is equivalent. there is always one initiator for >> each connection. >> > > ___________ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] problems with charon in 4.4.1

2011-05-23 Thread Andreas Steffen
s always one initiator for >> each connection. >> > > ___________ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users -- == Andreas Steffen

Re: [strongSwan] DHCP over IPsec

2011-05-23 Thread Andreas Steffen
this possible though a custom _updown script? > > > > Thank you, > > Mark Marwil ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!

Re: [strongSwan] Struggling with Windows 7 IkeV2 - Error 13806

2011-05-23 Thread Andreas Steffen
> I hope anybody can help me out or lead me in the right direction. > > Thank you in advance, > > Stefan > == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Ins

Re: [strongSwan] wrong expiry date on amd64?

2011-05-23 Thread Andreas Steffen
certificates with an expiry date that far in > the future on amd64? > > Thanks, > Niels ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.st

Re: [strongSwan] IP range support

2011-05-23 Thread Andreas Steffen
y.z.t/a > > > > Do strongswan-4.2.8 have support it? In other way, does IP range is > supported by strongswan? If not, then the IP range is in your plan? > > > > Thanks! > > > > > > Brian > --

Re: [strongSwan] Users Digest, Vol 16, Issue 20

2011-05-21 Thread Andreas Steffen
as the following, without to set reauth=no. > > 1. IKE_SA_INIT > 2. IKE_SA_INIT > 3. IKE_AUTH > 4. IKE_AUTH > 5. INFORMATIONAL (deleting IKE_SA) > 6. INFORMATIONAL (deleting IKE_SA confirm) =======

Re: [strongSwan] Cisco brings up the tunnel, but Linux not --- AH only

2011-05-18 Thread Andreas Steffen
bytes, 133s ago) esp.f0adaa0a@...125 (764 bytes, 132s ago); tunnel > 000 #1: "vtest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established) > > Maybe this asymmetric working comes from some unusual > setting of the Cisco, and I won't be able to eliminate it > without their coo

Re: [strongSwan] Cisco brings up the tunnel, but Linux not --- AH only

2011-05-18 Thread Andreas Steffen
# > ike=3des-md5-modp1024! > esp=3des-md5! > ikelifetime=86400 > pfs=no > > Can you help me to understand what happens? > (Omitting the strict !s from the config doesn't help.) > Regards > Zoltan > >

Re: [strongSwan] nat-before-esp with virtual ip

2011-05-11 Thread Andreas Steffen
ng Client Bob. > Using a network sniffer I am able to see that Moon’s pings are being > encapsulated, and Alice’s pings are being NATed but not encapsulated. > > > > Any suggestions? > > > > Thank you, > > Mark =

Re: [strongSwan] Migration from Openswan to Strongswan

2011-05-10 Thread Andreas Steffen
additional routes for the payload traffic? Andreas On 05/10/2011 03:07 PM, Pavel Arnošt wrote: > It looks like that there are zeroes everywhere. > > -- > From: "Andreas Steffen" > Sent: Tuesday, May 10, 2011 2:50 PM > To: "

Re: [strongSwan] Migration from Openswan to Strongswan

2011-05-10 Thread Andreas Steffen
7.96.15). > > eth1 is external interface and eth0 is internal interface with IP > 172.24.26.65 assigned: > > 2: eth0: mtu 1500 qdisc pfifo_fast qlen > 1000 > link/ether 00:18:fe:32:56:08 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0 > inet 172.24.26.65/26 brd 172.24.26.1

Re: [strongSwan] Migration from Openswan to Strongswan

2011-05-10 Thread Andreas Steffen
all. > Do you have any idea what can be wrong? > Thanks, > Regards, > Pavel Arnost > > > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users --

Re: [strongSwan] ipsec policy?

2011-05-10 Thread Andreas Steffen
> URL:http://www.visec.info > |-| ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - th

[strongSwan] ANNOUNCE: strongswan-4.5.2rc1 released

2011-05-09 Thread Andreas Steffen
in about 10 days. Kind regards Andreas ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications Univ

Re: [strongSwan] Strongswan - no tunnel, but no errors in log either :(

2011-05-09 Thread Andreas Steffen
TREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) > N(MULT_AUTH) N(EAP_ONLY) ] > May 9 23:11:26 vc2 charon: 15[NET] sending packet: from > 10.58.113.118[4500] to 10.58.113.37[4500] > May 9 23:11:30 vc2 charon: 09[IKE] retransmit 1 of request with message > ID 1 > May 9 23:11

Re: [strongSwan] IKEv2 fails IKE_SA_INIT response

2011-05-06 Thread Andreas Steffen
__ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN S

Re: [strongSwan] strongSwan IKEv1 question

2011-05-06 Thread Andreas Steffen
> > config setup > plutodebug=control > charonstart=no > > conn %default > ikelifetime=60m > keylife=20m > rekeymargin=3m > keyingtries=1 > keyexchange=ikev1 > authby=secret > > conn pskv1 > left=172.16.18.202 > leftfirewall=yes >

Re: [strongSwan] Compression - how to check it?

2011-05-05 Thread Andreas Steffen
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7Config == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Techno

Re: [strongSwan] Compression - how to check it?

2011-05-05 Thread Andreas Steffen
On 05/05/2011 03:02 PM, Kamil Jońca wrote: > Andreas Steffen > writes: > > --8<---cut here---start->8--- >> >> src 192.168.0.1 dst 192.168.0.100 >> proto comp spi 0xbdf9(48633) reqid 1(0x0001) mode tunnel >

Re: [strongSwan] Compression - how to check it?

2011-05-05 Thread Andreas Steffen
2011-02-10 20:32:07 stats: replay-window 0 replay 0 failed 0 Greetings Andreas On 05.05.2011 12:10, Kamil Jońca wrote: > > How can I check if compression directive works? > KJ ====== Andrea

Re: [strongSwan] fatal TLS alert 'handshake failure'

2011-05-04 Thread Andreas Steffen
> ps. Andreas Steffan, thank you for your response to my post a few weeks > ago. That solved the problem. > > > > Terry Hennessy == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!

Re: [strongSwan] Strict flag with different algorithms in multiple connection configurations

2011-05-02 Thread Andreas Steffen
also in the connections other algorithms are defined. > The Windows 7 client can't connect as a result of this. > If I remove the strict flags everything works as intented. > > Is it only possible to have one global (even if defined inside a > connection) single ike/esp definitio

Re: [strongSwan] INVALID_ID_INFORMATION

2011-04-29 Thread Andreas Steffen
o[6843]: |protocol ID: 1 > pluto[6843]: |SPI size: 0 > pluto[6843]: |Notify Message Type: INVALID_ID_INFORMATION > > > On the remote side, traffic is directed to the host having a private IP > address (192.168.230.3). How can I instruct StrongSw

Re: [strongSwan] Windows Vista/7 issue

2011-04-26 Thread Andreas Steffen
no > one has > reported it. Doesn't anybody have any clue, at least? :) ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org In

Re: [strongSwan] pluto denies equality of leftID and rightID

2011-04-18 Thread Andreas Steffen
_part_enumerator = 0x508940 , clone = > 0x508d00 , destroy = 0x508420 } > (gdb) s > > How, at which point and why this comes about while the config is being read in, > I unfortunately cannot yet see offhand. > > Regards > > Olaf > >

Re: [strongSwan] strongswan inactive

2011-04-18 Thread Andreas Steffen
wall hitting the >> right firewall. The only peculiarity may be that the left firewall >> is within an Amazon cloud but I'm lead to believe this should not >> stop the ipsec tunnel from building - please help if you can? >> Regards, Neil.

Re: [strongSwan] Help with this: unknown keyword 'plutoopts'

2011-04-08 Thread Andreas Steffen
-- fatal errors in config > > > > Version > Linux strongSwan U4.4.1/K2.6.32-25-generic > > I've been reading in the mailing list, but couldn't found anything. > > Any idea? > > Ing Arturo Ochoa > Blog: http://arturoochoa.wordpress.com =

Re: [strongSwan] no matching peer config found

2011-04-03 Thread Andreas Steffen
uthentication > gateway: child: dynamic === dynamic > Security Associations: > none > > > The charon.log snippet shows: > -- > Apr 2 19:06:13 10[IKE] received end entity cert "CN=Node B, > ST=Minnesota, C=US"

Re: [strongSwan] Are there any Strongswan alternatives for OpenSwan's "addcon"?

2011-03-30 Thread Andreas Steffen
mmand. > > Maybe there are any other alternatives? I need to port one application > that currently uses OpenSwan addcon feature to the Strongswan with > minimal source code changes. > > Regards, > Ansis =========

Re: [strongSwan] KLIPS and iptables policy match

2011-03-30 Thread Andreas Steffen
.g., netkey and KLIPS. Thanks - John ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rappe

Re: [strongSwan] IPAD via NATed firewall doesn't work

2011-03-30 Thread Andreas Steffen
is a duplicated packet) > Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: > sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500 > Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: > received Delete SA payload: del

Re: [strongSwan] What to do once the CHILD_SA is established?

2011-03-29 Thread Andreas Steffen
HILD_SA. How will > this happen? Can strongswan handle it, or should I use some other tool? > > I know these questions might be kind of silly, but please help me get a > better idea of what I'm doing. > > Thanks and regards, > Meera == Andrea

Re: [strongSwan] Help Connecting Strongswan to iPhone

2011-03-27 Thread Andreas Steffen
conn L2TP > authby=psk > pfs=no > rekey=no > type=tunnel > esp=aes128-sha1 > ike=aes128-sha-modp1024 > left=192.168.1.10 > leftnexthop=%defaultroute > #leftprotoport=17/%any > leftprotoport=17/17

Re: [strongSwan] Packets not being encapsulated

2011-03-23 Thread Andreas Steffen
er machine, plus the > OUTPUT chain on both is set to ACCEPT > > I'm not 100% sure I've answered your question - shout back if you need > any more info > > Cheers > > Russ > ========== Andreas Steff

Re: [strongSwan] Packets not being encapsulated

2011-03-23 Thread Andreas Steffen
> I noticed you are using 'forceencaps=yes', so I think your traffic will not > be ESP but UDP port 4500. > Do you see any of those packets?+ > Cheers, > Alexis ========== Andreas Steffen an

Re: [strongSwan] Packets not being encapsulated

2011-03-23 Thread Andreas Steffen
ptype main > src 0.0.0.0/0 <http://0.0.0.0/0> dst 0.0.0.0/0 <http://0.0.0.0/0> > dir 4 priority 0 ptype main > src 0.0.0.0/0 <http://0.0.0.0/0> dst 0.0.0.0/0 <http://0.0.0.0/0> > dir 3 priority 0 ptype main > src 0.0.0.0/0 <http://0.0.0.0/0> dst

Re: [strongSwan] IKEv2 PFS status

2011-03-18 Thread Andreas Steffen
Hello Alexis, ipsec statusall does not show the configuration of PFS. But with charondebug="cfg 2" you can verify the PFS negotiation in the charon log. Best regards Andreas On 03/18/2011 12:45 AM, Alexis Salinas wrote: Hi All, I'm wondering if someone knows how to check if PFS is enabled

Re: [strongSwan] getting error "expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed"

2011-03-17 Thread Andreas Steffen
chor. > > Could you please help me sort this out? > Consult the following link how to set up a simple PKI: http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA > Thanks in advance, > > Meera Regards Andreas == Andr
