[strongSwan] Strongswan Code Flow

2013-06-26 Thread Chinmaya Dwibedy
Hi, I am going through the source code of strongswan and finding it difficult to understand because it uses an object oriented programming style in C. How to find the data flow in the source code? How to find the relationship between functions? How to find what functions call a specific

[strongSwan] IPsec/IKEv2 tunnels scalability issue with load-tester plugin (using strongSwan 5.0.4)

2013-08-05 Thread Chinmaya Dwibedy
Hi All, We are using two Multi-Core MIPS 64 bit Processors. (One acts as an IKE initiator and another as an IKE responder). We are running strongswan in both systems. Both the systems have 1Gbps Ethernet cards, which are connected to 1 Gbps L2 switch. The Linux OS runs on all these cores. We have

Re: [strongSwan] IPsec/IKEv2 tunnels scalability issue with load-tester plugin (using strongSwan 5.0.4)

2013-08-08 Thread Chinmaya Dwibedy
for your support and help. Regards, Chinmaya From: Martin Willi mar...@strongswan.org To: Chinmaya Dwibedy ckdwib...@yahoo.com Cc: users@lists.strongswan.org users@lists.strongswan.org Sent: Wednesday, August 7, 2013 12:39 PM Subject: Re: [strongSwan] IPsec

Re: [strongSwan] IPsec/IKEv2 tunnels scalability issue with load-tester plugin (using strongSwan 5.0.4)

2013-08-08 Thread Chinmaya Dwibedy
. Regards, Chinmaya From: Martin Willi mar...@strongswan.org To: Chinmaya Dwibedy ckdwib...@yahoo.com Cc: users@lists.strongswan.org users@lists.strongswan.org Sent: Thursday, August 8, 2013 1:47 PM Subject: Re: [strongSwan] IPsec/IKEv2 tunnels scalability issue

[strongSwan] Unable to establish all the security associations with 2000 IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-08-12 Thread Chinmaya Dwibedy
Hi , I changed the “/proc/sys/net/core/xfrm_acq_expires” from 165 to 1000 seconds. What I understand, if an IKEv2 negotiation fails due to a timeout (during the IKE_AUTH exchange) after a successful IKE_SA_INIT exchange, then after the timeout (165s by default), charon will retry a new negotiation

[strongSwan] Issue with net-net scenario with load-tester plugin (using strongSwan 5.0.4)

2013-08-26 Thread Chinmaya Dwibedy
Hi ,   I am using load-tester plugin to create one thousands of IPsec connections/tunnels. In our scenario two security gateways A (IKE initiator) and B (IKE responder) will connect the two subnets X and Y with each other through a VPN tunnel set up between the two gateways. I found, each IKE

Re: [strongSwan] Issue with net-net scenario with load-tester plugin (using strongSwan 5.0.4)

2013-08-27 Thread Chinmaya Dwibedy
side to subnet 10.* host address range (10.0.0.1 - 10.255.255.254) on the initiator's side using load-tester plugin (strongswan 5.0.4)?.   Regards, Chinmaya From: Martin Willi mar...@strongswan.org To: Chinmaya Dwibedy ckdwib...@yahoo.com Cc: users

[strongSwan] How to configure the different proposal for different IPsec and measure the tunnel setup and teardown rate

2013-08-31 Thread Chinmaya Dwibedy
Hi, I am using Load-tester plug-in (strongswan 5.0.4) to setup multiple IPSec tunnels. Is there any option available to configure the different proposal for different IPsec tunnels at the initiator host (in its strongswan.conf file) and responder host (in its ipsec.conf file)? In addition, is

[strongSwan] How to bypass the strongSwan's IPsec Linux kernel interface

2013-09-06 Thread Chinmaya Dwibedy
Hi All, What I understand, the libhydra library contains daemon-specific code and plugins used by the Charon daemon. The kernel_ipsec_t structure is an interface to the ipsec subsystem of the kernel. This interface handles the communication with the kernel for SA and policy management e.g. adds

Re: [strongSwan] Performance issue with 20k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-09-25 Thread Chinmaya Dwibedy
= no     }   ipsec.secrets @srv.strongswan.org %any : PSK strongSwan   Regards, Chinmaya From: Martin Willi mar...@strongswan.org To: Chinmaya Dwibedy ckdwib...@yahoo.com Cc: users@lists.strongswan.org users@lists.strongswan.org Sent: Thursday, September 19, 2013 4:56 PM

Re: [strongSwan] Performance issue with 25k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-10-04 Thread Chinmaya Dwibedy
the real cause? Thanks in advance for your help and suggestions.   Regards, Chinmaya From: Martin Willi mar...@strongswan.org To: Chinmaya Dwibedy ckdwib...@yahoo.com Cc: users@lists.strongswan.org users@lists.strongswan.org Sent: Wednesday, September 25, 2013 1:10 PM

Re: [strongSwan] Performance issue with 25k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-10-21 Thread Chinmaya Dwibedy
Hi Martin I think, my email missed your kind attention. I am stuck to move forward. Can you please guide me to proceed further? Thanks a lot in advance for your suggestion. Regards, Chinmaya   On Friday, October 4, 2013 12:26 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi Martin, I did

[strongSwan] Crash issue with 1k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-11-06 Thread Chinmaya Dwibedy
Hi, As a part of debugging session, I turned on --enable-lock-profiler option to know the cumulative time waited in each lock during daemon shutdown during shutdown  with 1000 IPsec Security Associations. But I find, the Charon IKEv2 daemon (at IKE initiator end ) is getting crashed. Here goes

[strongSwan] Issue with threads blockage in high load

2013-11-15 Thread Chinmaya Dwibedy
Hi, I am doing scalability/load testing using 5.0.4 strongswan and load-tester plugin. I am debugging to figure out the potential bottleneck in high loads (25-30k IPsec connections). I find that, at IKE initiator ends, most of the threads are blocked forever in pthread_cond_timedwait (). Here

[strongSwan] Query on multiple instances of Charon daemon

2013-11-17 Thread Chinmaya Dwibedy
Hi, We are using two Multi-Core MIPS64 Processors with 16 cnMIPS64 v2 cores (one acts as an IKE initiator and another as an IKE responder). We are running strongswan in both systems. Both the systems have 1Gbps Ethernet cards, which are connected to 1 Gbps L2 switch. The Wind River Linux runs

Re: [strongSwan] Query on multiple instances of Charon daemon

2013-11-18 Thread Chinmaya Dwibedy
Thank you Martin for your valuable and prompt response. On Mon, 11/18/13, Martin Willi mar...@strongswan.org wrote: Subject: Re: [strongSwan] Query on multiple instances of Charon daemon To: Chinmaya Dwibedy ckdwib...@yahoo.com Cc: users

[strongSwan] Low tunnel setup speed with modp768 using the load tester plugin (strongswan 5.0.4)

2013-11-18 Thread Chinmaya Dwibedy
Hi, I am using the load tester plugin (strongswan 5.0.4) to create 20K IPsec tunnels (without data traffic). I have disabled the logging and used pre-shared key authentication mechanism. What I understand, tunnel setup rate depends on how fast Diffie-Hellman exchange can be done and the group

[strongSwan] Is there any locking contention point using the load tester plugin (strongswan 5.0.4)?

2013-11-19 Thread Chinmaya Dwibedy
Hi, With --enable-lock-profiler option, run with (#ipsec start --nofork) 100 IPsec tunnels without data traffic. Please note that, I have configured initiators and iterations to 10 in load-tester section of strongswan.config. I have disabled the logging and used pre-shared key authentication

[strongSwan] Does strongswan (5.0.4) support hardware encryption in userland (for IKE)?

2013-11-20 Thread Chinmaya Dwibedy
Hi, Does strongswan (5.0.4) support hardware encryption in userland (for IKE)? If yes, what are the changes to be done to use the same? Regards, Chinmaya

[strongSwan] Does strongswan (5.0.4) have any options to cache and reuse the diffie-hellman keys?

2013-12-02 Thread Chinmaya Dwibedy
Hi, The Diffie-Hellman exchange consists of CPU-intensive operations like key-pair generation and shared-secret generation. Does strongswan (5.0.4) have any options to cache and reuse the diffie-hellman keys for enhanced IKE setup rate? Thanks in advance for your support and help. Regards,

[strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-17 Thread Chinmaya Dwibedy
Hi All, I am using the load tester plugin (strongswan 5.0.4) to create thousands of IPsec tunnels. I find, the tunnel setup rate is to be 125-130 tunnels per second. To use the ECDH (for enhanced setup rate), I built the strongswan with ./configure --prefix /usr --sysconfdir=/etc --enable-openssl

Re: [strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-17 Thread Chinmaya Dwibedy
Thanks Martin for your prompt response. Let me follow up your suggestions and try again.   On Friday, January 17, 2014 3:51 PM, Martin Willi mar...@strongswan.org wrote: Hi, Similarly checked the SSL ciphers supported via OpenSSL ciphers command but did not find the elliptic curve

Re: [strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-20 Thread Chinmaya Dwibedy
strongswan(5.0.4)'s load tester plugin. I am using Fedora Linux (kernel version: 2.6.33.3-85.fc13.i686). Please suggest if I am wrong or missing something. Thanks in advance for your support and response.   Regards, Chinmaya On Friday, January 17, 2014 3:55 PM, Chinmaya Dwibedy ckdwib...@yahoo.com

[strongSwan] cannot restore segment prot after reloc: Permission denied

2014-01-21 Thread Chinmaya Dwibedy
Hi, I am getting the following issue i.e., [LIB] plugin 'openssl' failed to load /home/ChinmayaD/lib/IPsec/plugins/libstrongswan-openssl.so: cannot restore segment prot after reloc: Permission denied. During build, I have used the ./configure --prefix=/usr --sysconfdir=/etc/

[strongSwan] Build error when openssl plugin is enabled

2014-01-27 Thread Chinmaya Dwibedy
Hi, I am cross-compiling strongswan (5.0.4) for Octeon without any issue. However the openssl plugin is activated with the following compilation option ./configure --enable-openssl --disable-gmp I get the following error in config.log.

Re: [strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-28 Thread Chinmaya Dwibedy
Hi Martin, I build the OpenSSL 1.0.0 with ECDH support and strongswan(5.0.4) with --enable-openssl and --enable-load-tester plugin support. I installed both the packages in Wind River Linux. However still strongswan complains that configured DH group ECP_224 not supported. 00[CFG]   loaded IKE

Re: [strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-28 Thread Chinmaya Dwibedy
Hi Martin, Thanks for your response. I would like to clarify that, I had cross compiled the strongSwan with openssl plugin against the new OpenSSL headers. Also I have given the appropriate path (in CFLAGS) to include the correct opensslconf.h. If I do  #ipsec listalgs | grep MODP, it gives the

[strongSwan] Is it possible to use APIs (supplied by Octeon Core Crypto Library ) instead of OpenSSL's API for faster tunnel setup rate

2014-01-28 Thread Chinmaya Dwibedy
Hi, The Diffie-Hellman exchange consists of CPU-intensive operations like key-pair generation and shared-secret generation. The Octeon Core Crypto Library provides APIs on Octeon for Crypto acceleration. The following functions (provided by the Cavium) to perform the Diffie-Hellman Operations,

[strongSwan] Tunnel setup rate is very slow with ECDH (openssl) than MODP (gmp)

2014-01-30 Thread Chinmaya Dwibedy
Hi, To use ECDH I did the followings for Multi-Core MIPS64 processor target 1. Cross-compiled OpenSSL 1.0.0 with ECDH support. 2. Cross-compiled strongswan (5.0.4) with --enable-openssl, --enable-load-tester --disable-gmp plugins. Notes: 1. The openssl-1.0.0 with the

Re: [strongSwan] Tunnel setup rate is very slow with ECDH (openssl) than MODP (gmp)

2014-01-30 Thread Chinmaya Dwibedy
clarify whether it is a bug or I have missed something? Regards, Chinmaya On Thursday, January 30, 2014 2:29 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi , To use ECDH I did the followings for Multi-Core MIPS64 processor target 1. Cross-compiled OpenSSL 1.0.0 with ECDH

Re: [strongSwan] Tunnel setup rate is very slow with ECDH (openssl) than MODP (gmp)

2014-01-31 Thread Chinmaya Dwibedy
Thank you very much Tobias for your valuable suggestion and prompt response. On Thursday, January 30, 2014 7:01 PM, Tobias Brunner tob...@strongswan.org wrote: Hi Chinmaya, Program terminated with signal 6, Aborted. #0  0x00555abfbda0 in raise () from /lib64/libc.so.6 (gdb) bt

[strongSwan] Tunnel setup rate is slower with ECDH (openssl) than MODP (gmp) using strongswan (5.0.4) and load tester plugin

2014-02-04 Thread Chinmaya Dwibedy
Hi, To use ECDH (for enhanced setup rate), I did the followings for Multi-Core MIPS64 processor target 1. Cross-compiled OpenSSL 1.0.0 with ECDH support. 2. Cross-compiled strongswan (5.0.4) with --enable-openssl, --enable-load-tester --disable-gmp plugins. I installed both

[strongSwan] Issue with newly implemented DH backend using Octeon Core Crypto Library

2014-02-10 Thread Chinmaya Dwibedy
Hi All, I have modified the strongswan (5.0.4) code so as to use the Octeon Core Crypto Library for DH operation and leverage the benefit of Crypto acceleration.  I have implemented the diffie_hellman_t interface for DH backend. Upon running, giving the following error message in console i.e.,

[strongSwan] Any hints to enhance the tunnel setup rate

2014-02-12 Thread Chinmaya Dwibedy
Hi, I modified the strongswan (5.0.4) code to write a new DH backend i.e., implemented the diffie_hellman_t  interface so as to use Octeon Core Crypto Library APIs.   Run with 100k IPsec tunnels with DH group 1 (Encryption algo: AES and integrity algorithm: SHA1) and found the tunnel setup rate

[strongSwan] Need help to find out the exact piece of code which causes this performance issue

2014-02-19 Thread Chinmaya Dwibedy
    Hi,  Changed the strongswan (5.0.4) code to implement the diffie_hellman_t  interface in order to use Octeon Core Crypto Library APIs.  Run the IPsec scenario in high loads with DH group 1 (Encryption algo: AES and integrity algorithm: SHA1) in Windriver Linux (on Octeon platform) and found

[strongSwan] Fw: Need help to find out the exact piece of code which causes this performance issue

2014-02-20 Thread Chinmaya Dwibedy
On Wednesday, February 19, 2014 4:42 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote:   Hi Martin, Hope this email of mine finds you in best of your health and spirit. I request your goodness to go thru the below email and provide your valuable feedback if possible. Thanking you in advance

[strongSwan] Question on HAVE_GCC_ATOMIC_OPERATIONS

2014-02-24 Thread Chinmaya Dwibedy
Hi, The ref_put()/ref_get() are defined as macros if atomic instructions are supported. Will it improve the performance over the mutex version if gcc compiler and platform supports __sync_fetch_and_add()/__sync_sub_and_fetch()? Regards, Chinmaya

[strongSwan] issue with modpnull Diffie-Hellman group

2014-02-27 Thread Chinmaya Dwibedy
Hi , I am using the modpnull Diffie-Hellman gr to avoid the DH calculation overhead  (strongswan-5.0.4). But it is unable to establish the security association. Here goes the logs at IKE responder end. Can anyone please suggest what is the wrong?    11[CFG] received stroke: add connection

[strongSwan] Help needed to achieve 250+ tunnel negotiations per second using the strongswan (5.0.4) and load tester plugin

2014-03-04 Thread Chinmaya Dwibedy
Hi All, I modified the strongswan (5.0.4) code to write a new DH using Octeon Core Crypto Library APIs.   Run with 200k IPsec tunnels with DH group 1 (Encryption algo: AES and integrity algorithm: SHA1) and found the tunnel setup rate to be 175-180 per second (approximately). Note that, with gmp

Re: [strongSwan] Help needed to achieve 250+ tunnel negotiations per second using the strongswan (5.0.4) and load tester plugin

2014-03-04 Thread Chinmaya Dwibedy
Hi, Can anyone please respond to this email ? Thanks in advance for your support and help. Regards, Chinmaya On Tuesday, March 4, 2014 4:53 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi All, I modified the strongswan (5.0.4) code to write a new DH using Octeon Core Crypto Library

[strongSwan] How to debug the decrease in setup rate under high load

2014-03-06 Thread Chinmaya Dwibedy
Hi All, I am using the load tester plugin of strongswan (5.0.4) and running with 200k IPsec tunnels (DH group 1, Encryption algo: AES and integrity algorithm: SHA1). I am getting the following issue i.e. I find the setup rate to be 200+ till 190k IPsec tunnels but thereafter it drops to 100. In

[strongSwan] Retransmission issue under high load

2014-03-10 Thread Chinmaya Dwibedy
Hi All, I am running with 200k IPsec tunnels. Although it can bring up all those tunnels successfully, I find, there are lots of retransmissions in charon.log. Jan 1 00:10:29 56[IKE] retransmit 1 of request with message ID 0 (IKE Initiator) Jan 1 00:10:45 49[IKE] received retransmit of request

[strongSwan] Issue with huge packets loss at IKE Responder under high load

2014-03-20 Thread Chinmaya Dwibedy
Hi All, I am doing scalability/load test (250k IPsec tunnels) using load tester plugin (strongswan 5.0.4). I have configured the number of threads to 32 at both the ends (IKE responder and IKE Initiator). At IKE Initiator end, if I increase the sender threads (i.e., initiators in load-tester

[strongSwan] Using multiple UDP sockets with SO_REUSEPORT option to increase high connection rate

2014-03-21 Thread Chinmaya Dwibedy
Hi,   The struct receiver_t receives packets from the socket, performs light-weight parsing and adds them to the job queue. The receiver starts a thread, which reads on the blocking socket. A received packet is preparsed and a process_message_job is queued in the job queue. The processor picks a

Re: [strongSwan] Using multiple UDP sockets with SO_REUSEPORT option to increase high connection rate

2014-03-24 Thread Chinmaya Dwibedy
Hi Martin, Thanks a lot Martin for your prompt response and valuable suggestion as well. I have configured the number of threads to 32 at both the ends (IKE responder and IKE Initiator). At IKE Initiator end, if I increase the sender threads (i.e., initiators in load-tester section) from 5

[strongSwan] Need to know the Cause behind the enhanced IKE tunnel setup rate

2014-04-04 Thread Chinmaya Dwibedy
Hi Martin/All, I could able to achieve the IKE setup rate 400+ with 250k IPsec tunnels (Encryption algo: AES, DH group 1 and integrity algorithm: SHA1). There are no packet losses at both ends (checked via #netstat –s –udp and confirmed). The below changes were made which enhanced the setup

Re: [strongSwan] Need to know the Cause behind the enhanced IKE tunnel setup rate

2014-04-07 Thread Chinmaya Dwibedy
Hi , Can anyone please respond to this email? Thanks in advance for your support. Regards, Chinmaya On Friday, April 4, 2014 4:23 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi Martin/All, I could able to achieve the IKE setup rate 400+ with 250k IPsec tunnels (Encryption algo: AES

[strongSwan] Issue with Charon daemon’s Crash using 2 milli-second delay

2014-04-07 Thread Chinmaya Dwibedy
Hi All, I am using the load tester plugin of strongswan (5.0.4) and running with 250k IPsec tunnels (DH group 1, Encryption algo: AES and integrity algorithm: SHA1).  We are using two Multi-Core MIPS64 Processors with 16 cnMIPS64 v2 cores (one acts as an IKE initiator and another as an IKE

Re: [strongSwan] Issue with Charon daemon’s Crash using 2 milli-second delay

2014-04-10 Thread Chinmaya Dwibedy
: SHA1) per Octeon chip. But getting the crash issue after sometimes. Thank you in advance for your help and support. Regards, Chinmaya  On Monday, April 7, 2014 4:06 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi All, I am using the load tester plugin of strongswan (5.0.4) and running

[strongSwan] Question on scheduled jobs

2014-04-11 Thread Chinmaya Dwibedy
Hi, Under high load, the #ipsec statusall shows the job queue is empty (0/0/0/0) but scheduled shows more than 4+ always. The Scheduler schedules jobs for an execution in the future. The Scheduler has internally a heap in which he stores the scheduled jobs ordered by the time when they have

Re: [strongSwan] Question on scheduled jobs

2014-04-14 Thread Chinmaya Dwibedy
Hi Martin, Can you please respond to this email ? Appreciate your support. Regards, Chinmaya On Friday, April 11, 2014 2:51 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi, Under high load, the #ipsec statusall shows the job queue is empty (0/0/0/0) but scheduled shows more than 4

Re: [strongSwan] Question on scheduled jobs

2014-04-14 Thread Chinmaya Dwibedy
Hi Martin, Thank you for the clarification. Regards, Chinmaya  On Monday, April 14, 2014 1:24 PM, Martin Willi mar...@strongswan.org wrote: Hi, Under high load, the #ipsec statusall shows the job queue is empty (0/0/0/0) but scheduled shows more than 4+ always. Does it mean that the

[strongSwan] Locking contention or delay in the Charon process under high load

2014-04-14 Thread Chinmaya Dwibedy
Hi Martin, Using the pthread_setaffinity_np() API to put threads into different cores, I find the tunnel setup rate to be 400+ (maximum) without any packets loss at both ends.   Without setting processor affinity, only once core gets used (100%) and setup rate was found to be 250 (max). I think,

Re: [strongSwan] Locking contention or delay in the Charon process under high load

2014-04-14 Thread Chinmaya Dwibedy
Thank you Martin for your early response. Let me analyze, optimize, enhance the setup rate.     On Monday, April 14, 2014 5:09 PM, Martin Willi mar...@strongswan.org wrote: Chinmaya, Using the pthread_setaffinity_np() API to put threads into different cores, I find the tunnel setup rate

[strongSwan] Question on logger

2014-04-24 Thread Chinmaya Dwibedy
Hi, The log_ function is called for each log generated by Charon.  Will this function be called if I disable logging? Please clarify. Here is the logger configuration.  filelog {     /var/log/charon.log {     time_format = %b %e %T     append

[strongSwan] Is there any way to avoid read lock in high load?

2014-05-01 Thread Chinmaya Dwibedy
Hi, I am running the IPsec scenario under high load (250k IPsec tunnels with 400+ tunnels per second ) using load tester plugin. I have disabled the logging and configured 64 threads at both the ends. But I find the vlog function is called even if there is no log to be generated by Charon. This

Re: [strongSwan] Is there any way to avoid read lock in high load?

2014-05-02 Thread Chinmaya Dwibedy
Hi Tobias, Thank you for your fix and prompt response as well. Will apply this fix, test  and measure the increase in performance. Regards, Chinmaya   On Friday, May 2, 2014 12:58 PM, Tobias Brunner tob...@strongswan.org wrote: Hi Chinmaya, Even if nobody is listening for these logs, vlog

[strongSwan] Under high load, two IKE initiators send the IKE_SA_INIT requests with the same SPI

2014-05-26 Thread Chinmaya Dwibedy
Hi All, I have modified the strongswan (5.0.4) code to write a new DH using Octeon Core Crypto Library APIs. Using the load tester plugin of strongswan (5.0.4), could able to achieve the 250k IPsec tunnels with 850+ tunnels per second. However I found that, some of the tunnels (approximately

[strongSwan] Under high load, two IKE initiators send the IKE_SA_INIT requests with the same SPI

2014-05-26 Thread Chinmaya Dwibedy
Hi Martin/All, Thanks for your valuable response. Using the atomic incrementation to avoid this race condition, I am getting better results. It means all the 250k IPsec tunnels are getting up (with 850+ TPS) except 10-20. Debugged the issue (why the 10-20 IPsec tunnels are not getting

[strongSwan] Issue with tunnel establishment under high load

2014-05-27 Thread Chinmaya Dwibedy
Hi, Using the load tester plugin of strongswan (5.0.4), could able to achieve the 250k IPsec tunnels with 1000 tunnels per second. However I found that, some of the tunnels (approximately 10-20) were not getting up. Upon debugging found that, at IKE responder end, the checkout_by_message() of

Re: [strongSwan] Issue with tunnel establishment under high load

2014-05-29 Thread Chinmaya Dwibedy
.   Regards, Chinmaya    On Tuesday, May 27, 2014 7:42 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi, Using the load tester plugin of strongswan (5.0.4), could able to achieve the 250k IPsec tunnels with 1000 tunnels per second. However I found that, some of the tunnels

Re: [strongSwan] Issue with tunnel establishment under high load

2014-06-02 Thread Chinmaya Dwibedy
Hi Martin/All, I think, my email missed your kind attention.  Thus I request your goodness to have a look into this and respond. Your help in this regard will be highly appreciated. Regards, Chinmaya  On Thursday, May 29, 2014 6:39 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi

Re: [strongSwan] Issue with tunnel establishment under high load

2014-06-04 Thread Chinmaya Dwibedy
:     {       ---;         ---;     ike_sa = ike_sa_create(id, FALSE, ike_version);         } //case ALREADY_DONE:   } Regards, Chinmaya On Monday, June 2, 2014 1:09 PM, Chinmaya Dwibedy ckdwib

[strongSwan] interoperability test between strongswan and iOS

2014-06-17 Thread Chinmaya Dwibedy
Hi All, Has anyone done an interoperability test between strongswan  (running on Linux box) and  Cisco VPN Client or Cisco’s Anyconnect (running on iOS in iPAD) using IKEv2 and pre-shared key authentication mechanism? if yes, please provide me some pointers to configure and test. Regards,

[strongSwan] Issue with transmission of IKE DELETE INFORMATIONAL request messages during shutdown under high load

2014-06-20 Thread Chinmaya Dwibedy
Hi,   Recently during my scalability testing of charon with strongswan version 5.0.4 and load tester plugin. I observed that after establishment of the tunnels (20,000 IPsec tunnels),  if I trigger the #ipsec stop command, it should suppose to send 20k IKE DELETE INFORMATIONAL  request

Re: [strongSwan] Issue with DES Encryption Algorithm

2014-08-20 Thread Chinmaya Dwibedy
  Hi ,   Can anyone please respond to this email? Note that, I am using default gmp library and load tester plugin .   Regards, Chinmaya On Wednesday, August 13, 2014 6:05 PM, Chinmaya Dwibedy ckdwib...@yahoo.com wrote: Hi,  I am using the load tester plugin (strongswan 5.0.4

[strongSwan] Does strongswan-5.0.4 support the AH protocol?

2015-02-12 Thread Chinmaya Dwibedy
Hi, We are using the strongswan-5.0.4. What I understand, the IKEv2 Charon daemon does not implement AH but ESP with authentication only is configurable (i.e., NULL encryption with any data integrity algorithm). Since 5.1.1 the ah keyword (i.e., auth = esp | ah) can be used to configure

Re: [strongSwan] Rekeying of Child SA when the Linux kernel has been bypassed

2015-01-28 Thread Chinmaya Dwibedy
Hi Martin, Thank you for your suggestion and reference. Regards, Chinmaya On Wednesday, January 28, 2015 4:36 PM, Martin Willi mar...@strongswan.org wrote: Hi, Since I have bypassed the kernel, Can I do the followings in install function (defined in child_sa.c) for rekeying of

[strongSwan] How to measure the Phase 1 or Phase 2 rekeys Per Seconds

2015-01-07 Thread Chinmaya Dwibedy
Hi, Is there any way to measure the Phase 1 or Phase 2 rekeys Per Seconds? We need to see system behavior under stressful conditions where large volumes of SA's are being rekeyed at the same time. Regards, Chinmaya

[strongSwan] Command-line program for IKE Responder

2015-03-19 Thread Chinmaya Dwibedy
Hi, The charon-cmd is a command-line program for IKE Initiator. Is there CLI application that acts as an IKE Responder? If no, I am thinking to design a stand-alone application (which will act as a Responder) that will communicate with the IKEv2 Charon daemon. Will it be an issue if I will do the

[strongSwan] Creation of VICI socket fails (strongswan-5.2.2)

2015-03-20 Thread Chinmaya Dwibedy
Hi, I am trying to use the swanctl utility (i.e., a command line application to configure and control charon) (strongswan: 5.2.2). I configured the /etc/swanctl/swanctl.conf file (On IKE Initiator end) and then upon trying to initiate the connection thru #swanctl --load-conns, it gives the

[strongSwan] How to avoid the parsing of strongswan.conf file and set the configuration options programmatically?

2015-04-22 Thread Chinmaya Dwibedy
Hi, I want to get rid of strongswan.conf file (which is installed /etc directory). Instead I want to set the values programmatically. I have removed the /etc/strongswan.conf, which is read by libstrongswan during library initialization. Furthermore I have written set_strongswan_conf_options()

Re: [strongSwan] How to avoid the parsing of strongswan.conf file and set the configuration options programmatically?

2015-04-22 Thread Chinmaya Dwibedy
Thank you Martin for your valuable response. Let me go thru the charon-xpc under src/frontends/osx.   On Wednesday, April 22, 2015 7:28 PM, Martin Willi mar...@strongswan.org wrote: Hi,   set_strongswan_conf_options(lfile);   system(starter --daemon charon); You can't set

[strongSwan] no IKE config found error with VICI interface (strongswan-5.2.2)

2015-04-13 Thread Chinmaya Dwibedy
Hi, I have written a C program which uses the VICI to configure and control the IKE daemon Charon (at IKE Responder end). I have updated the request (of type vici_req_t) using the vici_add_key_value() and vici_add_key_valuef(), and send the same via vici_submit(load-conn command). It

[strongSwan] no IKE config found error with VICI interface (strongswan-5.2.2)

2015-04-13 Thread Chinmaya Dwibedy
Hi, I have written a C program which uses the VICI to configure and control the IKE daemon Charon (at IKE Responder end). I have updated the request (of type vici_req_t) using the vici_add_key_value() and vici_add_key_valuef(), and send the same via vici_submit(load-conn command). It says that,

Re: [strongSwan] no IKE config found error with VICI interface (strongswan-5.2.2)

2015-04-13 Thread Chinmaya Dwibedy
code and the configuration you're loading. Mit freundlichen Grüßen/Regards, Noel Kuntze Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 13.04.2015 um 14:02 schrieb Chinmaya Dwibedy:       Hi, I have written a C program which uses the VICI to configure and control

Re: [strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?

2015-05-20 Thread Chinmaya Dwibedy
Hi Martin, Thank you for this information. We have modified the strongswan (5.2.2) code to bypass the strongSwan's IPsec Linux kernel interface. We do have on our own SPD and SAD table. As per the implementation, an SPD entry would contain the destination IP as selector field and uses the same as a

[strongSwan] Getting Authentication Failure with swanctl tool using strongswan-5.2.2

2015-06-03 Thread Chinmaya Dwibedy
Hi, I am using the swanctl (command line interface) tool to configure the Charon daemon at IKE Responder. I have kept all the entries of ipsec.conf and ipsec.secret file (in /etc directory) under comment. Here goes the configuration. /etc/ipsec.secrets (IKE Responder end):

[strongSwan] Issue with running starter/Charon as a non-root user (using strongSwan-5.2.2)

2015-05-29 Thread Chinmaya Dwibedy
Hi, I used the following options during configure i.e., --with-user=cli --with-group=vpn --with-capabilities=native. I am using the Linux kernel version 2.6. I tried to run strongSwan and its daemons under a non-root user. I created a new user and group for strongSwan, e.g.: groupadd vpn and

[strongSwan] Constrain checking fails while testing with IKEv2 certificate with EAP on an android device

2016-04-28 Thread Chinmaya Dwibedy
Hi All, I am using strongSwan VPN Client app on an android device (VPN Client) and running strongswan-5.4.0 on Linux device (VPN Server on Virtual Machine). Trying to establish an IKEv2/IPsec tunnel using Certificate with EAP authentication based on username/password on client and pubkey on

Re: [strongSwan] Constrain checking fails while testing with IKEv2 certificate with EAP on an android device

2016-04-29 Thread Chinmaya Dwibedy
Thank you Tobias for your prompt response. The Gateway configuration for Android (strongSwan VPN Client) setting "IKEv2 Certificate + EAP (Username/Password)". Thus we need to configure rightauth2=eap-md5 which was missing. This configures a second authentication round using EAP after doing a first

[strongSwan] Issue with establishing VPN Connection using strongSwan App on Android device

2016-04-27 Thread Chinmaya Dwibedy
Hi, I am using strongSwan VPN Client google app in an android device (VPN Client) and running strongswan-5.4.0 on Linux device (VPN Server on Virtual Machine). I am trying to establish an IKEv2/IPsec tunnel using EAP authentication based on username/password (EAP-MD5) on client and pubkey on

Re: [strongSwan] Does strongSwan (5.4.0) detect the presence of the Intel QAT device and accelerate encryption?

2016-05-13 Thread Chinmaya Dwibedy
Thank you Andreas for your response. Sent from Yahoo Mail on Android On Fri, May 13, 2016 at 1:18 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote: Hi Chinmaya On 13.05.2016 09:37, Chinmaya Dwibedy wrote: > Hi All, > > What I understand, in order to use

Re: [strongSwan] Issue with loading critical plugin features (using strongswan -5.2.2)

2017-01-18 Thread Chinmaya Dwibedy
Tuesday, January 17, 2017 4:33 PM, Chinmaya Dwibedy <ckdwib...@yahoo.com> wrote: Hi, I am using the following configure options (using strongswan -5.2.2) ./configure --prefix=/opt/chinmaya/ --sysconfdir=/opt/chinmaya/etc --libdir=/opt/chinmaya/lib --enable-load-tester --enable-ctr --enable-

[strongSwan] Issue with loading critical plugin features (using strongswan -5.2.2)

2017-01-17 Thread Chinmaya Dwibedy
Hi, I am using the following configure options (using strongswan -5.2.2) ./configure --prefix=/opt/chinmaya/ --sysconfdir=/opt/chinmaya/etc --libdir=/opt/chinmaya/lib --enable-load-tester --enable-ctr --enable-ccm --enable-gcm --enable-vici --enable-error-notify --enable-openssl While

[strongSwan] Can we configure the multiple IP pools of virtual IP addresses (using VICI of strongswan-5.2.2)?

2017-06-22 Thread Chinmaya Dwibedy
Hi, We use the VICI to configure and control the IKE daemon Charon (at IKE Responder end) using strongswan-5.2.2. The load-conn() command is used so as to load a single connection definition into the daemon. The remote_addrs is configured to “any” to accept the IKE connection request from

Re: [strongSwan] Can we configure the multiple IP pools of virtual IP addresses (using VICI of strongswan-5.2.2)?

2017-06-22 Thread Chinmaya Dwibedy
Hi, Can anyone please respond to this email? Regards, Chinmaya On Thursday, June 22, 2017 1:08 PM, Chinmaya Dwibedy <ckdwib...@yahoo.com> wrote: Hi, We use the VICI to configure and control the IKE daemon Charon (at IKE Responder end) using strongswan-5.2.2. The load-conn() c

Re: [strongSwan] Can we configure the multiple IP pools of virtual IP addresses (using VICI of strongswan-5.2.2)?

2017-06-24 Thread Chinmaya Dwibedy
r ID. No idea about limitations of the number of pools. On 23.06.2017 07:32, Chinmaya Dwibedy wrote: > Hi , > > Can anyone please respond to this email ? > > Regards, > Chinmaya > > > On Thursday, June 22, 2017 1:08 PM, Chinmaya Dwibedy <ckdwib...@yahoo.com> >

Re: [strongSwan] How to disable NAT traversal with strongSwan VPN client app (on android device)?

2017-06-13 Thread Chinmaya Dwibedy
Thank you Tobias for your prompt response. On Tuesday, June 13, 2017 1:14 PM, Tobias Brunner wrote: Hi Chinmaya, > I am using the strongSwan VPN client app (as an IKEv2 initiator) in my > android device. How can I disable NAT feature? Because by default, it >

[strongSwan] How to disable NAT traversal with strongSwan VPN client app (on android device)?

2017-06-13 Thread Chinmaya Dwibedy
Hi, The https://wiki.strongswan.org/projects/strongswan/wiki/FAQ says that, NAT traversal cannot be disabled in the charon daemon and it can be disabled (if there is no NAT device) by setting MOBIKE to no in ipsec.conf. I am using the strongSwan VPN client app (as an IKEv2 initiator) in my