lients.conf*
client 0.0.0.0 {
    secret = 123456
    nas_type = other
    shortname = 0.0.0.0
    require_message_authenticator = no
}
On Wed, Nov 15, 2017 at 7:55 AM, Michael Schwartzkopff <m...@sys4.de> wrote:
> On 15.11.2017 at 08:24, Ho
Schwartzkopff <m...@sys4.de> wrote:
> On 15.11.2017 at 09:58, Houman wrote:
> > Hello Michael,
> >
> >
> > Thanks for your reply. Indeed I should have checked the radius log. It
> > seems the shared secret is incorrect, but they do match in configs as
(username,attribute,op,VALUE) VALUES
('houman','Cleartext-Password',':=','test123');
When I try to connect from my MacBook into the StrongSwan server I get this
log. It looks promising but eventually, it says initiating EAP_RADIUS
method failed.
I'm not quite sure if this has failed due to a bad
ght be interested following articles:
> http://www.linuxvirtualserver.org/software/ipvs.html
> https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> Anvar Kuchkartaev
> an...@anvartay.com
> From: Houman
> Sent: Monday, 13 November 2017 04:19 p.
Thanks,
Houman
Hello,
Until a week ago a user with Windows 10 had no issue connecting to the
StrongSwan server. But now out of the blue, he can't connect to the
StrongSwan server anymore.
The log on the server is:
May 7 12:31:06 vpn-p1 charon: 08[IKE] received proposals inacceptable
May 7 12:31:06 vpn-p1
have already set [NegotiateDH2048_AES256] in Windows 10.
Many Thanks,
Houman
On 8 May 2018 at 08:40, Christian Salway <christian.sal...@naimuri.com>
wrote:
> The problem with Windows (10 at least) is that it offers the weakest
> ciphers first, so you should remove sha1 and 3des.
>
I suspect
this is the case.
Many Thanks for your help,
Houman
On 11 May 2018 at 16:00, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
> 1) The log shows that while it took a couple of attempts to establish an
> IKE SA, it was eventually up with an ESP Child SA as well. So, as far as I
ngs for iOS 10+, OSX and Windows 10?
ike=aes256-sha256-modp2048!
esp=aes256-sha256,aes256-sha1,3des-sha1!
Many Thanks for your help,
Houman
Btw here is the log when he is trying to connect:
May 11 07:55:16 vpn-server charon: 02[NET] received packet: from
109.230.xxx.xx[500] to 172.31.xxx.xxx[5
%any
rightauth=eap-mschapv2
eap_identity=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
Please let me know if you see any obvious problem. But I strongly believe
they have blocked the IKEV2 traffic...
Many Thanks,
Houman
On 9 May 2018 at 15:40, Jafar
=${VPNIPPOOL}
rightsendcert=never
Merry Christmas and thank you,
Houman
oses 100KB on daily basis?
When the month or day has passed, then the user should be allowed access
again.
Which config file do I have to edit?
Many Thanks for your advice,
Houman
=${VPNIPPOOL}
rightsendcert=never
Merry Christmas and thank you,
Houman
I had the exact same problem. I couldn't connect via iOS 11.2.6 on iPhone
X. After upgrading to iOS 11.3 I can connect to StrongSwan again without
having touched any configuration.
Although it could be that the OS was somehow stuck and the hard restart
after update "cleared" it up. I should
2,208.67.220.220
rightsourceip=${VPNIPPOOL}
rightsendcert=never
Many Thanks,
Houman
Hi,
I have setup a StrongSwan VPN server but when I try to watch Netflix over
it, Netflix recognises that I'm using a VPN and doesn't play the movie.
Is there any way to configure StrongSwan to avoid that? I did some research
suggesting that the trick lies in the DNS rather than the VPN.
I'm still researching
Is there any trusted source for StrongSwan on Ubuntu 18.04?
I was hoping to keep up to date with the latest stable release.
Many Thanks,
Hey guys,
I wonder if this email went through and someone has an idea why this is
happening.
Many Thanks,
Houman
On Fri, 29 Mar 2019 at 17:04, Houman wrote:
> Hello,
>
> Please help me with this, as I'm completely stuck.
>
> Windows 10 can connect to my StrongSwan server. But
Hello,
Please help me with this, as I'm completely stuck.
Windows 10 can connect to my StrongSwan server. But the IP address doesn't
change to the VPN. It still shows the local IP address. Accordingly, blocked
websites remain blocked.
config setup
strictcrlpolicy=yes
uniqueids=never
conn
Hello,
Is there a way to check the health of the VPN server? Is there a port I
could potentially ping and expect a certain return value that indicates the
VPN is still up and running?
Many Thanks,
Houman
-radius
eap_identity=%any
rightdns=208.67.222.222,208.67.220.220
rightsourceip=10.10.10.0/24
rightsendcert=never
Many Thanks,
Houman
Hello,
I've set up strongSwan U5.6.2/K4.15.0-43-generic on Ubuntu 18.04. It works
very well.
However, is there any way to improve the connection, or the loss of it, when
moving from cellular 4G to WiFi / WiFi to 4G?
I thought that IKEv2 could do that seamlessly?
Many Thanks,
. . . . . . . . . . . : 208.67.222.222
208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Enabled
Many Thanks,
Houman
On Tue, 2 Apr 2019 at 16:09, Felipe Arturo Polanco
wrote:
> Hi,
>
> Do an ipconfig /all in windows and check that you have a 10.10.10.
IP address at what time? We would
like to ban users like this in future.
From Freeradius we get to see the acctstartdate, acctupdatedate and
acctstopdate but there is no way to relate this to their activities.
Many Thanks,
Houman
or rather feed them into a
local LogStash? I wonder which one is faster and less resource hungry.
Many Thanks,
Houman
On Mon, 15 Apr 2019 at 19:26, Noel Kuntze
wrote:
> Hello Houman,
>
> No, that is not a layer that strongSwan or freeradius has access to.
> You need to log
0.10.0/18>
, which comes
down to 16384.
Many Thanks,
Houman
On Mon, 10 Jun 2019 at 10:35, Noel Kuntze
wrote:
> Hello Houman,
>
> Easily. Add a couple of zeros. And you don't need that much memory.
>
> Kind regards
> Noel
>
> On 10.06.19 at 10:51, Houma
ith 32 Gb RAM? Are 512 users doable on this server above?
I think 10.10.10.0/23 means 512 IPs can be
allocated. Do you agree that this IP pool for strongswan makes sense?
Many Thanks,
Houman
inet6 fe80::780e:63ff:fe78:bab7/64 scope link
valid_lft forever preferred_lft forever
Please let me know if you need to see anything else,
Many Thanks,
Houman
of any reason why this could happen
out of the blue.
Many Thanks,
Houman
cp.offset": 0,
"tcp.reserved": 0,
"tcp.urg": 0,
"tcp.ack": 0,
"tcp.psh": 0,
"tcp.rst": 0,
"tcp.syn": 1,
"tcp.fin": 0,
"tcp.res1": 0,
"tcp.res2": 3,
"tcp.csum": 26423,
"o
way?
Many Thanks,
Houman
balancer endpoint? I suppose nothing
stops me from having two databases/replication in this scenario to make it
more resilient, isn't it?
Many Thanks,
Houman
On Wed, 21 Aug 2019 at 08:52, Michael Schwartzkopff wrote:
> On 21.08.19 at 08:20, Houman wrote:
> > Hello,
> >
> >
rn self.streamed_request("list-conns", "list-conn",
filters)
But I'm stuck as I don't know how to set that. There must be some kind of
documentation for this right?
I suppose once I have the actual SA, I could pass it to terminate().
Many Thanks,
Houman
check (username,attribute,op,VALUE) VALUES
('houman','Monthly-Usage','<',100);
This works, however, once the limit has been reached, he continues to
remain connected, nothing forces him out. Only if he disconnects and tries
to connect again, he would be prevented. I was thinking t
oes what you think it does. It is a _local_ tool.
> Perhaps the "abuse notification" you received is a phishing attack?
>
> Have a look at the manual page:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>
> ________
> Fro
g-level 6
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j
port-scan
Any suggestions, please?
Many Thanks,
Houman
to achieve this or do you agree to this approach?
Many Thanks,
Houman
Hi Andreas,
Thank you very much. That worked nicely, much easier than I thought it
would be.
The difference between INSTALLED (519) and ESTABLISHED (520) was nearly the
same in my case. What is the main difference between them in this context?
Many Thanks,
Houman
On Wed, 31 Jul 2019 at 11
.xx.xxx[4500] (368 bytes)
Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching
136.243.xxx.xxx[de-fsn-2.x.net]...94.206.xxx.xxx[VPN]
Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config
'Falkenstein-2'
Many Thanks,
Houman
ftsendcert=always
leftsubnet=0.0.0.0/0, ::/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
leftfirewall=no
Many Thanks,
Houman
On Thu, 18 Jul 2019 at 07:42, Noel Kuntze
wrote:
>
ny Thanks,
Houman
On Thu, 18 Jul 2019 at 08:07, Noel Kuntze
wrote:
> Hello Houman,
>
> Those are not *routing* tables. Those are your *iptables* rules.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 09:02, Houman wrote:
> > Hello Noel,
> >
> > You're right.
Hello Noel,
It works! I tested it for 24 hours and not a single issue anymore. Thank
you very much for your help.
For the record, this is the file I have edited.
/etc/strongswan.d/charon.conf
I uncommented the line install_routes = yes and changed it to
install_routes = no
Thanks,
Houman
server?
Many Thanks,
Houman
Hello Volodymyr,
Thank you for your email. I think DPI goes a step too far for privacy
reasons. But I'm happy to go down the route of blocking well-known trackers.
Is there a way to obtain the list from somewhere?
Many Thanks,
Houman
On Sun, 29 Sep 2019 at 16:35, Volodymyr Litovka wrote
Hello,
I would like to block VPN users from using torrents. I'm not sure if this
is something that can be done in StrongSwan settings, maybe there is a way
through IPTables to achieve this?
Any advice would be appreciated,
Many Thanks,
Houman
tc/apt/sources.list
apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
apt update
apt full-upgrade -y
Is there something similar for StrongSwan, where I could seamlessly upgrade
it to the latest version? Or is the only way to download and compile the
binary?
Many Thanks,
Houman
0.0.0.0:42481 to 127.0.0.1:3799
length 28
(4) User-Name = "houman"
(4) Sent Accounting-Response Id 178 from 127.0.0.1:1813 to 127.0.0.1:51530
length 0
(4) Finished request
(4) Cleaning up request packet ID 178 with timestamp +6
Waking up in 2.1 seconds.
(4) Clearing existing : att
to 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP
:54c4::1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] CHILD_SA stag-1{26} established with
SPIs c8a04ba5_i 041b28de_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
xxx:54c4:4c90:1::301/128
Oct 15 12:09:27
0.0/12 -j REJECT
iptables -A FORWARD -d 192.168.0.0/16 -j REJECT
Or am I oversimplifying this?
Many Thanks,
Houman
On Mon, 14 Oct 2019 at 13:02, Noel Kuntze
wrote:
> Hello Houman,
>
> Depends on if you have a whitelist or blacklist rule set.
>
> With the ruleset you have provided
SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT
On Mon, 14 Oct 2019 at 11:14, Houman wrote:
> Hello Noel,
>
> Thanks for your solution, I just tried it:
>
> iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit
> --hashlimit-mode srcip --ha
ans?
Many Thanks,
Houman
On Wed, 31 Jul 2019 at 14:51, Noel Kuntze
wrote:
> Hello Houman,
>
> A "netscan" attack isn't actually anything worthy of an abuse email.
> It's not part of a benign usage pattern of a VPN service, but it itself
> isn't illegal or anything.
-j REJECT
iptables -A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT
Do you agree with this? Or is it rather unnecessary for a StrongSwan server?
Thanks,
Houman
On Mon, 14 Oct 2019 at 14:00, Noel Kuntze
wrote:
> Hello Houman,
>
> You can do that. I wonder though why that is
2019
The latter doesn't stop the VPN, but I won't know it really prevents
someone from running netscan until someone tries a new attempt again. :)
What do you think?
Many Thanks,
Houman
On Mon, 14 Oct 2019 at 17:05, Noel Kuntze
wrote:
> Hello Houman,
>
> Depends on what exactly you
/strongswan.service.d
echo "[Service]
StandardOutput=null
" > /etc/systemd/system/strongswan.service.d/override.conf
Many Thanks,
Houman
,
iptables may be the only choice.
Please get in touch with me, if you have the experience and can help out,
Many Thanks,
Houman
rightauth=eap-radius
eap_identity=%any
rightdns=${DNS1},${DNS2}
rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
leftfirewall=no
But I can't connect, what do I have to change to make this possible,
please?
Thanks
Houman
=always
leftsubnet=0.0.0.0/0, ::/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=${DNS1},${DNS2}
rightsourceip=${VPNIPPOOL},${VPNIP6POOL}
leftfirewall=no
But I can't connect, what do I have to change to make this possible,
please?
Thanks
Houman
proposal:
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Oct 15 15:17:03 de-fsn-x charon: 15[IKE] DH group ECP_256 unacceptable,
requesting ECP_256
Is that another plugin that I need to compile? Why is that DH group
unacceptable?
Many Thanks,
Houman
Hello Tobias,
Thank you for your reply. Excellent, now I understand.
If I compile WolfSSL into /usr/local/lib and then compile StrongSwan
with --enable-wolfssl. Will StrongSwan automatically pick up the latest
WolfSSL lib like that?
Or do I need to set a path as well?
Many Thanks,
Houman
e --prefix=/usr --sysconfdir=/etc --enable-eap-radius
--enable-eap-identity --enable-systemd --enable-swanctl --enable-gcm
--enable-aesni --enable-wolfssl
make install
Thank you,
Houman
On Thu, 15 Oct 2020 at 19:31, Houman wrote:
> Hello Tobias,
>
> Thank you for your reply. Excellen
not be found.
Did I have to use the flag --enable-systemd when compiling? And
everything would be in the right place?
I'm on Ubuntu 20.04. Any other advice along the way is much appreciated,
Thank you,
Houman
fingers)? :-)
Many Thanks,
Houman
.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Where do I disable it then?
Many Thanks,
Houman
On Mon, 6 Jul 2020 at 10:08, Tobias Brunner wrote:
> Hi Houman,
>
> > We have two types of servers. Same users are doing ok on servers with
> >
to see which operation failed
Could you please elaborate a bit more on how to change the log level for knl? In
which config do I do that?
Many Thanks,
Houman
On Mon, 6 Jul 2020 at 09:20, Tobias Brunner wrote:
> Hi,
>
> > I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic
at I might cause new problems. What do you think? Maybe I should live
with that error. After all, it happens only 5 times a day. What is the most
sensible thing to do?
Many Thanks,
Houman
On Mon, 6 Jul 2020 at 11:12, Tobias Brunner wrote:
> Hi Houman,
>
> > I could disable *forc
.pem
leftsendcert=always
leftsubnet=0.0.0.0/0, ::/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
leftfirewall=no
Any idea what this could be?
Many Thanks,
Houman
Hello,
This worked fine in StrongSwan 5.7.2 on Ubuntu 19.10.
But Strongswan 5.8.2 on Ubuntu 20.04 seems to be missing it
systemctl status strongswan
Unit strongswan.service could not be found.
What am I missing please?
Thanks,
Houman
Hello,
I'm new to Docker and was wondering where I could find the official
StrongSwan docker image?
There isn't any official version on docker hub and most of the
community stuff is fairly outdated. If there isn't any, what is the best
way to make my own?
Thank you for the advice,
Houman
Hi Andreas,
Thank you, that's very helpful.
On Sun, 28 Jun 2020 at 17:29, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:
> Hi Houman,
>
> I created a strongSwan 5.8.4 image a couple of months ago for a
> a tutorial so it builds only a limited number of pl
: crypto_static <= p256-64.c
> Task :app:buildNative FAILED
Any suggestions, please?
Many Thanks,
Houman
Hi Tobias,
Thank you so much. I got it working.
I needed only this last step: git clone
git://git.strongswan.org/android-ndk-boringssl.git -b ndk-static openssl
to execute from src/frontends/android/app/src/main/jni/
Superb!
Kind Regards,
Houman
On Thu, 29 Oct 2020 at 07:39, Tobias
e I need to copy BoringSSL sources in
app/src/main/jni/openssl as explained in the second paragraph in
the README.ndk? But where is this path? I don't see it in the StrongSwan
directory hierarchy.
Many Thanks,
Houman
:5237:bf63::/64
Many thanks,
Houman
D,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5
--hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask
64 -j ACCEPT
COMMIT
IPv6 doesn't need NAT. So what is here unreachable?
Thanks,
Houman
On Sun, 14 Nov 2021 at 23:26, N
inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
valid_lft forever preferred_lft forever
inet6 2a01:4f8:c17:1f2d::1/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9400:ff:fef1:6bcb/64 scope link
valid_lft forever preferred_lft forever
Please let me know if you need anything else. Much appreciated.
Thank you,
Houman